U.S. Securities and Exchange Commission
Division of Market Regulation Year 2000 (Y2K) Work Program
On January 1, 2000, the internal date in all of the world's computers will roll over from "12/31/99" to "01/01/00." In that moment the program logic, as it exists today in the vast majority of these computer systems, will begin to produce erroneous results, because the systems will read the dates as beginning in the year 1900, or as other similarly incorrect dates. These results, if left uncorrected, will have negative repercussions across the financial community. Comparisons and arithmetic calculations will be inaccurate. The problem manifests itself in many areas, including databases, reports, files, screens, sorts, backups, embedded coding and historical data. The fact that this situation exists cannot be avoided. The damage, however, can be minimized or avoided if procedures are implemented to ensure that all current and future applications recognize and address the issue.
The problem arises because most business application software programs (mainframe, client/server, and personal computer) written since the early stages of automation have used two digits to specify the year, rather than four. The typical date standard format has been "MM/DD/YY". Therefore 2000 is stored as the two-digit "00". Failure to append the correct century to the value after input results in an inability to distinguish between 1900 and 2000.
The other complicating factor in the millennium problem is the leap year calculation. Leap year occurs in all years divisible by 400 or evenly divisible by 4 and not evenly divisible by 100. For example, the year 1996 was a leap year since 1996 is divisible by 4 and not evenly divisible by 100 and the year 2000 will be a leap year since 2000 is divisible by 400.
The purpose of this work program is to determine whether the securities industry is complying with the expectations of the SEC in preparation for the Year 2000 computer problem. Broker-Dealers, Transfer Agents, and the SROs have numerous proprietary trading, information dissemination, and clearance and settlement systems. The technology within the industry is complex: an institution may have numerous hardware platforms and operating systems, numerous terminals and networks, information technology systems provided in-house, by a service bureau, or by some combination of the two, and numerous connections to customers, SROs, transfer agents, banks, and the Internet.
In developing this work program, we have reviewed our two previous Y2K Work Programs for the SROs, reviewed the SIA's Year 2000 Industry Project Plan, reviewed the Federal Financial Institutions Examination Council's ("FFIEC") Year 2000 Examination Procedures, and reviewed the GAO's Year 2000 Assessment guide. We have also researched a number of web sites on the internet for Year 2000 work programs, and have incorporated questions from them as appropriate, such as ISACA's Year 2000 audit program, and others.
II. Objectives and Scope
The scope of our review for Year 2000 inspections is to interview senior management and technology staff and review technical documentation to determine whether or not the organization has an adequate Year 2000 program and is meeting SIA timelines. We will review securities organizations' plans, resources, and methodologies to provide reasonable assurance that the organization will be ready for Year 2000 processing. The objectives of our review have been derived from a number of sources, the primary ones being the SIA Year 2000 Project Plan, GAO's Year 2000 Assessment Guide, and other industry Year 2000 documents. The objectives are:
- Management Responsibilities and Oversight
- Third-Party Vendors
- Configuration Management
- Validation and Testing
- Contingency Planning
- Internal/External Audit Involvement
III. Reference Reading
In preparing to perform the Year 2000 compliance exam, you may want to review the following source materials:
- The Commission's Year 2000 response to Congressman Dingell, dated June 2, 1997 - available on the Commission's website.
- The SIA's Year 2000 Plan for all securities organizations. See SIA's web site at www.sia.com for related Year 2000 materials.
- The banking regulators, especially the FFIEC, perform EDP audits of the banks on Year 2000 issues on a regular basis. Review its web page (www.ffiec.gov) for Year 2000 issues.
- GAO's Year 2000 Assessment Guide, issued in February 1997.
- ISACA's Year 2000 audit materials at its web site at www.isaca.org.
IV. Objectives and Work Steps
A. Management Responsibilities and Oversight
In planning and implementing Year 2000 corrective actions, senior management and the Board of Directors play an important role in ensuring completion of these tasks in a timely manner. Commitment of adequate resources is essential to completing the project. The Awareness Stage, which encompasses the establishment of a budget and project team, should have been completed in 1996. However, these resources and Board involvement should be on-going throughout the project. The commitment of resources should come from the Board and senior management, who must devote adequate personnel to identify and complete tasks. One of the first things the Board and/or senior management should do is appoint a project leader and a project team.
A.1 Has the Board of Directors and/or senior management appointed a project leader?
A.2 Has the project leader identified staffing needs?
A.3 Has the project leader developed a Project Plan (e.g., a timeline or chart noting major tasks and due dates)? If so, does the plan include a descriptive explanation of major tasks, number of staff per task, expected due dates, and note any slippage in meeting those expected dates?
A.4 Has the project leader, with the support of the Board and senior management, established a Steering Committee? If so, obtain a description of the role of the Year 2000 Steering Committee and the membership of the committee. Obtain copies of and review the minutes of the last six months of committee meetings. Provide a description of how the status of the project is communicated to the committee. If the organization uses progress reports, obtain copies for the last six months.
A.5 Has the project leader established a Budget? If so, obtain a copy of the detailed budget. Have the Board and senior management approved the budget? Are there sufficient resources to complete all tasks within SIA timeframes? Review the budget and determine whether it contains a breakdown of the estimated costs to complete and a commitment by senior management and/or the Board of Directors to fully support those costs.
A.6 Prepare a write-up of your conclusions as to whether or not the organization has adequate senior management and/or Board support, project tracking, and reporting.
B. Assessment
Please note that we have bypassed the "Awareness" stage, as this should have been completed in 1996. The Assessment stage should have been completed no later than the first half of 1997. If the organization is still in the awareness or assessment stage, it has a major deficiency and we should notify Commission management immediately.
We need to know, however, what activities were used during the Assessment stage. The Assessment stage is when the organization begins the actual process of identifying all of its systems (preparing an inventory) and individual components of the systems. An organization can decide to review all systems components for Year 2000 compliance or, through a risk analysis, identify only mission-critical systems to check for compliance.
B.1 Obtain a description of the activities taken to identify and inventory all software and hardware components within the organization. This can include obtaining an inventory of total lines of code for the organization, lines of code with date requirements, the number of application programs, and other valuable statistics.
B.2 Determine if the organization has identified which systems are mission critical.
B.3 Identify the mission-critical systems, including at a minimum operating systems, utilities, trading/order execution, back-office, clearance and settlement, and transfer systems.
B.4 Prepare a write-up of your conclusions on whether the organization has adequately addressed assessing its systems.
C. Remediation
The Remediation Stage should be on-going at this time (second half of 1997) and may run concurrently with the validation or testing phase. Remediation is the stage during which changes to systems are actually made. This stage deals primarily with the technical issues of converting existing systems or migrating to compliant systems. During the Remediation stage, decisions on how to make the systems and processes Y2K compliant are made and implemented. Several methods are available to make systems Y2K compliant, such as expanding date fields; sliding scale, windowing, or procedural workaround; relative dates; or other methods. Although we are not going to "second-guess" the organization's choice of Y2K method, we do need to gain an understanding of how it is being used, and in particular whether it is being used as effectively as possible.
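The two-digit-year defect described in the introduction, the leap-year rule quoted there, and two of the conversion methods listed in this stage (expanding date fields and windowing), as an added Python example that is not part of the SEC work program. The pivot year of 50 and the sample "MM/DD/YY" records are assumptions constructed for the example; the program names the methods but fixes no pivot.

```python
from datetime import date

# Constructed sample records in the "MM/DD/YY" format the program describes.
SAMPLE_DATES = ["12/31/99", "01/01/00", "02/29/00", "02/29/96"]

def is_leap_year(year):
    """Leap-year rule as stated in the program: divisible by 400, or
    divisible by 4 and not by 100 (1996 and 2000 yes; 1900 and 1999 no)."""
    return year % 400 == 0 or (year % 4 == 0 and year % 100 != 0)

def legacy_century(yy):
    """Unremediated logic: a two-digit year is always read as 19YY."""
    return 1900 + yy

def windowed_century(yy, pivot=50):
    """Windowing remediation. The pivot of 50 is an assumed value:
    two-digit years below it are read as 20YY, all others as 19YY."""
    return 2000 + yy if yy < pivot else 1900 + yy

def years_elapsed(yy_from, yy_to, century_rule):
    """Arithmetic on two-digit years (e.g. an account's age) under a century rule."""
    return century_rule(yy_to) - century_rule(yy_from)

def expand_date_field(mmddyy, century_rule=windowed_century):
    """Field-expansion remediation: rewrite 'MM/DD/YY' as 'MM/DD/YYYY'.
    Returns None when the expanded value is not a real calendar date, which
    is how an unremediated system rejects 02/29/00 (1900 was not a leap year)."""
    mm, dd, yy = (int(part) for part in mmddyy.split("/"))
    yyyy = century_rule(yy)
    try:
        date(yyyy, mm, dd)
    except ValueError:
        return None
    return f"{mm:02d}/{dd:02d}/{yyyy:04d}"

def sort_chronologically(records, century_rule):
    """Sort 'MM/DD/YY' records by (year, month, day) under a century rule;
    the legacy rule files 01/01/00 before 12/31/99."""
    def key(text):
        mm, dd, yy = (int(part) for part in text.split("/"))
        return (century_rule(yy), mm, dd)
    return sorted(records, key=key)

if __name__ == "__main__":
    print(years_elapsed(95, 0, legacy_century))           # -95, the erroneous result
    print(years_elapsed(95, 0, windowed_century))         # 5
    print(expand_date_field("02/29/00", legacy_century))  # None
    print(sort_chronologically(SAMPLE_DATES, windowed_century))
```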
C.1 Identify the method used by the organization for conversion. What verification is used to ensure that the conversion method is accurate?
C.2 Describe the efforts to identify and correct the Year 2000 problem in mainframe systems, client/server systems, inter/intranet systems, corporate LANs, and interfaces with outside entities, especially SROs and/or SIAC (there may be different Y2K conversion methods for each platform). Obtain an estimate of percentage of completion to date. Attempt to verify this percentage of completion through interviews with technology staff and review of documentation. Obtain milestones for completing upcoming major tasks.
C.3 Prepare a write-up of your conclusions on the adequacy of the organization's remediation efforts.
D. Third-Party Vendors
Third-party vendors are external providers of software and/or hardware products used by the organization under review. Although the organization does not have direct control over when and how a vendor will issue upgrades to become Y2K compliant, it is the organization's responsibility to verify vendor Y2K compliance. It is also the organization's responsibility to build enough flexibility into its schedule that, should a vendor fail to become compliant, that vendor's products can be replaced with compliant vendor packages.
D.1 Has the organization developed or adopted a definition of Year 2000 compliance? If so, obtain a copy of the definition. For example, has it adopted language, such as "By Year 2000 compliance, we mean that each application and systems product, program, file, data base, and functionality correctly performs processing which is dependent upon usage of calendar dates, including dates before, on, and after January 1, 2000."
D.2 Obtain a description of the efforts to obtain vendor certification for Y2K compliance and what plans the organization has in case a critical vendor is not ready.
D.3 Review the vendor correspondence file asking for Y2K compliance assurance, and vendor responses. Determine adequacy of assurances of compliance. Determine what tests have been established to verify vendor compliance.
D.4 Determine how the organization tracks the implementation of necessary upgrades.
D.5 Determine whether the organization has any data processing outsourcing agreements (e.g., with service bureaus). If so, describe what obligations the vendors have to comply with Year 2000 and what plans the organization has in case a critical vendor is not ready.
D.6 Prepare a write-up of your conclusions on the adequacy of third-party Y2K compliance.
E. Configuration Management
Configuration management ("CM"), also known as library management or version control, consists of tools and processes that administer the source code and object libraries containing the components of business applications, systems software, and utilities, including interfaces with outside entities. This activity should be done in conjunction with the Remediation activities noted above. The most important function of configuration management is to keep track of all the versions of all the source code components that compose an application. Strong version and release controls are essential in a century-date compliance project because almost every component of every application must be modified to some extent. These measures should coincide with the Remediation stage of the project.
E.1 Obtain a description of the current configuration management process (manual or automated). Are there separate environments for development of code, testing of code, and production? Verify that all platforms (mainframe, client/server, and PCs) and systems (including operating systems and utilities) are incorporated into the CM process.
E.2 Does the organization have a control point, such as assigning someone as CM manager? Do all changes have to be approved by the CM manager? Obtain a hardcopy of how changes to systems are tracked. Determine if the CM and tracking process appear adequate.
E.3 Prepare a write-up of your conclusions on the adequacy of CM.
F. Validation and Testing
Validation determines that no errors were introduced during the conversion process. The development of test data and test scripts, the running of test scripts, and the review of test results are crucial for this phase of the conversion process to be successful. If the testing results show anomalies, the tested area must be corrected and re-tested. In addition to testing the changed code, the entire system should be tested to ensure that nothing has been introduced into the code that would adversely affect the program, i.e., regression testing. Industry publications estimate that at least 50% of the Year 2000 effort will be in the area of testing.
F.1 Obtain a description of the testing of systems. Determine how the organization expects to complete testing of internal systems by December 31, 1998.
F.2 Obtain a description of the testing method(s) and tool(s) selected by the organization. Describe the test environment (i.e. hardware and software systems) provided for Y2K testing. Determine how the organization has implemented (e.g., provided adequate training on its use) the testing method and does it appear to be helping the organization to meet critical milestones.
F.3 Determine how the organization has provided adequate systems production capacity for both normal program running and for the testing process.
F.4 Describe how a system is tested and whether or not independent certification by a quality assurance group and by end users is required.
F.5 Describe the efforts to meet SIA "beta testing", if selected, in mid-1998, and "street-wide" testing in 1999.
F.6 Prepare a write-up of your conclusions on the adequacy of validation / testing.
G. Contingency Planning
Despite the best efforts of management, problems will arise requiring the organization to quickly respond while there is still enough time. The contingency scenarios could include relatively minor issues, such as individual sub-systems falling behind schedule, or vendors not meeting deadlines, up to catastrophic events such as mission-critical systems not being ready in time. Management should have contingency plans to meet various problem scenarios to ensure continuation of processing.
G.1 Obtain a copy of the Year 2000 contingency plan. Obtain a description of the possible actions the organization could take should a major hardware/software component fail or not be ready.
G.2 Prepare a write-up of your conclusions on adequacy of contingency planning.
H. Internal/External Audit
Internal and External auditors can play a key role in preparing for the Year 2000. They provide the Board and senior management with an independent and objective view of the adequacy of the overall project plan and progress made. Lack of involvement by Internal/External auditors may indicate lack of commitment by the Board or senior management to ensure Year 2000 compliance.
H.1 Describe whether management has employed Internal or External auditors to assess the soundness of internal controls associated with Year 2000 efforts. If so, provide copies of auditor memos or reports.
H.2 Prepare a write-up of your conclusions on auditor involvement.
I.1 Prepare a report following the format of this work program. State your conclusions and note deficiencies.