Federal Financial Institutions Examination Council
Year 2000 Examination Procedures

Introduction
The following examination procedures are for general use in all federally supervised financial institutions and data centers that service these financial institutions. The examination procedures will help the examiner to determine if the institution has addressed the Year 2000 problems inherent in many computer software and hardware systems. The examination procedures are designed to focus on the state of Year 2000 preparedness of each examined institution.

The Tier I section represents general procedures designed for all institutions. Examinations of small institutions, particularly those that have purchased or leased their hardware and/or software systems from an external vendor, normally will stop at the end of the Tier I examination procedures. The examiner will then proceed to the examination conclusions section. The Tier II section includes more rigorous and detailed examination procedures designed for larger institutions, particularly those with in-house software development capabilities. In these environments, examiners normally will use both the Tier I and Tier II examination procedures, as appropriate.

Examination Objectives

1. To determine whether the organization has an effective plan for identifying, renovating, testing, and implementing solutions for Year 2000 processing.

2. To assess the effect of Year 2000 efforts on the organization's strategic and operating plans.

3. To determine whether the organization has effectively coordinated Year 2000 processing capabilities with its customers, vendors, and payment systems partners.

4. To assess the soundness of internal controls for the Year 2000 process.

5. To identify whether further corrective action may be necessary to assure an appropriate level of attention to Year 2000 processing capabilities.

Examination Planning and Control
1. Determine the organization's source of information systems (IS) support for hardware (mainframe, mid-range, networks, personal computers) and related applications and operating system software. Note whether information systems processing is provided internally, externally, or a combination of both.

2. Review previous examination, audit, or consultant findings relative to Year 2000 issues.

3. Review management's responses to any significant Year 2000 findings.

4. Review responses to the Year 2000 Examiner Questionnaire.

5. Review the supervisory strategy and scope memorandum prepared for this organization relative to Year 2000 issues.

6. Determine the scope of the Year 2000 examination based on findings from the previous steps and discussions with the examiner-in-charge (EIC).

Select from the following examination procedures the steps necessary to meet the examination objectives. Note: Examinations do not require completion of all steps.

Tier I Procedures
1. Determine whether the organization's board of directors and senior management are aware of and understand the risks and complexities of the Year 2000 issue by:

 
  1. Obtaining and reviewing minutes of board of directors meetings for discussions of Year 2000 issues.
  2. Obtaining and reviewing minutes of committees established to address Year 2000 issues.
2. Determine whether management has developed a plan to ensure that the organization's computer systems are Year 2000 compliant.

3. Determine whether the organization's Year 2000 assessment includes computer controlled systems, such as telecommunications systems, ATMs, audio response systems, and other environmental systems with embedded microchips, such as vaults, security and alarm systems, elevators, telephones, FAX machines, and HVAC.

4. Determine whether the institution's management conducts continuing communications with its vendor(s) and/or servicer(s) to determine their progress toward implementing Year 2000 solutions.

5. Determine whether the organization has:

 
  1. Performed a "third party" software contract review to identify risks associated with licensing and maintenance agreement protections for Year 2000 processing.
  2. Reviewed all data processing outsourcing agreements to determine if the vendors have Year 2000 maintenance obligations.
  3. Included Year 2000 leap year considerations in their contract reviews.
  4. Established a process to certify that a vendor(s) and product(s) are Year 2000 compliant. If so, describe.
6. Determine whether management has assessed the financial and operational capabilities of its hardware and software vendors to provide Year 2000 processing capabilities. Note the results of this assessment.

7. Determine the status of the institution's Year 2000 project, including any anticipated barriers and how management plans to address them.

8. If it is evident that the institution's or vendor's/servicer's systems are not fully Year 2000 compliant, determine:

 
  1. Whether all affected applications will have Year 2000 renovation complete with testing well under way for mission critical systems by December 31, 1998.
  2. The significant applications that will not have Year 2000 renovation complete by December 31, 1998.
  3. Whether management has anticipated the effect on the organization's strategic and operating plans should all systems not be Year 2000 compliant by December 31, 1998.
  4. Management's contingency plans to assure the institution's ongoing operations if the institution's systems will not be Year 2000 compliant by December 31, 1998.
  5. Whether the institution has contingency plans should hardware or software systems not function correctly on January 1, 2000, because of the millennium date change.
9. Determine whether management has discussed the effect of the Year 2000 issue with its large corporate borrowing customers to ensure the customers' ability to meet financial and informational obligations to the institution.

10. Determine whether the organization has assessed the effect of Year 2000 processing capabilities, as applicable, with its payment systems providers, including:

 
  1. Wire transfer systems.
  2. Automated clearing houses.
  3. Check clearing providers.
  4. Credit card merchant and issuing systems.
  5. Automated teller machine networks.
  6. Electronic data interchange systems.
  7. Electronic benefits transfer systems.
11. Determine whether management has employed internal or external audit functions to assess the soundness of internal controls associated with the Year 2000 effort.

12. Determine whether management is aware of or contemplates any litigation related to the Year 2000 issue.

Generally, examinations of small financial institutions and those that rely on data service providers should proceed to the Examination Conclusions section.

Tier II Procedures

Audit

1. Assess internal and external audit personnel's independence and involvement in reviewing the organization's Year 2000 efforts.

2. Review audit plans and budgets through 1999 and determine whether they identify specific audit resources necessary to address Year 2000 issues. Determine whether these plans are based on a formal inventory of all critical systems affected by Year 2000 issues. Also, determine the adequacy of audit resources allocated to Year 2000 issues.

3. Determine whether audit is actively involved in Year 2000 efforts to assess and monitor the effectiveness of the project management process and whether audit management communicates this information to the board of directors.

4. Review Year 2000 project audit reports and determine the adequacy of their scope and the timeliness and completeness of management responses. Also assess the appropriateness of audit follow-up on actions taken in response to Year 2000 project audit findings.

Management
5. Based on discussions with management and reviews of the minutes of committees established to address Year 2000 issues, evaluate the completeness of the project management process to assure the institution's computer systems are Year 2000 compliant. Note whether management has:

 
  1. Inventoried all hardware and software systems, including international locations.
  2. Identified hardware and software systems that require modifications for Year 2000 processing.
  3. Evaluated various alternatives for dealing with Year 2000 processing issues.
  4. Prioritized software and hardware systems to ensure that the most critical applications are addressed first.
  5. Considered all software systems, including core banking, investments, fiduciary, management information, retail delivery, and operating systems.
  6. Considered the effect of Year 2000 issues on mergers/acquisitions.
  7. Reviewed and approved milestones to ensure the timely completion of Year 2000 efforts.
  8. Developed a testing strategy for Year 2000 modifications.
  9. Ensured that any new systems are Year 2000 compliant.
  10. Addressed the establishment and review of an effective system of internal controls over the Year 2000 effort.
  11. Determined the groupings of systems for conversion.
  12. Considered the role of the quality assurance function.
  13. Determined the role of end users.
  14. Determined the need for a configuration management plan.
  15. Required thorough project management techniques, including periodic senior management and board project updates.
6. Determine whether management considered the availability of adequate resources for the Year 2000 initiative by identifying:

 
  1. The type of technical expertise that will be needed.
  2. The amount of time needed for corrective action.
  3. The type and amount of financial resources that will be needed and whether the organization has sufficient financial resources to make all hardware (mainframe, mid-range, networks, personal computers) and related application and operating system software Year 2000 compliant.
  4. Whether any other resources are required.
  5. The effect of the Year 2000 project on earnings, capital, and liquidity and whether the assessment appears reasonable.
7. Determine whether the organization has, or has access to, persons who have sufficient technical expertise to make all hardware/software systems Year 2000 compliant, and:

 
  1. If outside resources will be used, whether these resources are under contract.
  2. If not, what assurances management has that these resources will be available when needed.
8. Determine how the board of directors and senior management are kept informed on the progress of Year 2000 efforts, particularly of any problems encountered during the validation and implementation phases.

9. Determine whether the board of directors and/or senior management have established clear lines of authority and responsibility for the Year 2000 effort.

10. Determine whether Year 2000 project teams receive sufficient support from the board of directors and senior management.

11. Review, as applicable, the selection process for any Year 2000 service provider(s) and whether the process appears adequate.

12. Evaluate the adequacy of the institution's Year 2000 conversion management process.

Systems and Programming
13. Determine whether the organization has assessed the ability of its computer systems to handle any needed software changes. If so, describe.

14. Determine the method(s) the organization uses or will use to resolve Year 2000 date calculations (e.g., conversion to four position year fields, windowing and others).

15. Evaluate whether the organization has devoted or will devote appropriate time to testing and error checking of all software changes.

16. Determine the programming languages and tools that the institution will use.

17. Identify whether a common application development platform is required.

18. Describe how the organization will maintain sound internal controls over the software change process for Year 2000 issues.

19. Determine whether the organization is coordinating modification and testing activities with vendors, servicers, and organizations from which critical data is received or to which it is sent.

Computer Operations
20. Review management's assessment of the anticipated additional systems resources required specifically for operating systems, telecommunications (including ATM) networks, and security software, to handle Year 2000 processing. Describe the results of the assessment.

21. Evaluate the organization's Year 2000 assessment of the adequacy of computer resources for testing Year 2000 changes while performing day-to-day processing activities.

22. Describe management's assessment of the effect of any changes in operating practices resulting from the Year 2000 effort.

23. Determine whether any interim work procedures are required as part of the Year 2000 effort.

24. Review and describe the organization's assessment of the impact of Year 2000 efforts on business continuity/recovery planning.

25. Determine whether the organization compromised sound internal controls over operations as a result of addressing Year 2000 issues.

Examination Conclusions
26. Prepare examination report comments noting:

 
  1. The computer system's Year 2000 processing capability.
  2. Management's effectiveness in managing the Year 2000 process, including an assessment of the adequacy of resources devoted to Year 2000 problems.
  3. The adequacy of the organization's plans for identifying, correcting, testing, and implementing solutions for Year 2000 processing.
  4. The date methodologies selected to provide Year 2000 processing (in situations with in-house programming capabilities).
  5. The status of the organization's plan and the capability to complete necessary changes with testing well underway for mission critical systems by December 31, 1998.
  6. Management's effectiveness in coordinating Year 2000 processing capabilities with its hardware and software vendors, corporate borrowing customers, and payment systems providers.
  7. The effect of the Year 2000 effort on the organization's strategic and operating plans, including earnings, capital, and liquidity.
  8. The effectiveness of the audit function and its assessment of internal controls for the Year 2000 process.
27. Prepare recommendations, as appropriate, for the EIC and/or other appropriate supervisors on any additional actions necessary to ensure the organization's safety and soundness associated with its Year 2000 processing capabilities.

28. Summarize the Year 2000 plan's strengths and weaknesses and describe the extent of the organization's Year 2000 readiness.

29. Discuss conclusions with the appropriate level of management and document responses.



Last Updated: May 6, 1997