Interagency Statement on Year 2000 Project Management Awareness
The Federal Financial Institutions Examination Council (FFIEC) on
May 5, 1997, issued the attached press release and interagency
statement providing guidance on the scope of the activities
necessary for insured financial institutions to make all
information-processing systems capable of recognizing dates in
the Year 2000 and beyond.
The attached statement updates the FFIEC's statement "The Effect
of Year 2000 on Computer Systems," issued in June 1996, and it
reflects the federal agencies' concerns about the industry's
readiness for the Year 2000. The statement outlines the
agencies' supervisory strategy to ensure an orderly transition
into the next century.
Financial institutions should be well into the "assessment" phase
of their Year 2000 project management plan. As noted in the
statement, mission-critical systems should be identified and
priorities set for Year 2000 work by the end of the third quarter
of 1997. For mission-critical applications, the agencies
strongly recommend that programming changes be largely completed
and testing well underway by December 31, 1998. This time line
for testing critical applications has been accelerated since the
June 1996 interagency statement to ensure that system
interdependencies are not disrupted. Reprogramming for other
applications should also be completed by December 31, 1998, to
allow a full year for testing and adjustments.
The statement discusses three Year 2000-related issues requiring
reliance on vendors,
risks posed by exchanging data with external parties, and
the potential effect of Year 2000 noncompliance on corporate borrowers.
Other operational issues related to Year 2000 planning are also
The FDIC and state banking authorities will review the conversion
efforts of all FDIC-supervised banks in 1997, using the attached
examiner questionnaire and examination procedures or similar
tools. Meanwhile, management is encouraged to use these
examination tools to assess the adequacy of its own efforts in
addressing Year 2000 issues. If you foresee significant problems
meeting the target time lines in this guidance, please notify
your Division of Supervision regional office.
The attached interagency statement and related information on
Year 2000 issues are available on the Internet via the World Wide
Distribution: FDIC-Supervised Banks (Commercial and Savings)
NOTE: Paper copies of FDIC financial institution letters may be
obtained through the FDIC's Public Information Center, 801 17th
Street, N.W., Room 100, Washington, D.C. 20434 (800-276-6003 or
(703) 562-2200). Electronic versions are available at:
Federal Financial Institutions Examination Council Press Release
Federal Bank Regulators Outline Year 2000 Project Management Goals
The Federal Financial Institutions Examination Council's
Task Force on Supervision today issued an Interagency Statement
for the banking industry and federal examiners, intended to focus
their attention on the critical issues financial institutions
need to address quickly to resolve Year 2000 computer problems
and avoid major service disruptions.
The FFIEC Task Force first alerted the industry to the Year
2000 problem in June 1996, and recommended that institutions
perform risk assessments and plan a strategy to address
Today's Statement outlines a project management process
that strongly encourages federally insured depository
institutions to complete an inventory of core computer functions
and set priorities for Year 2000 goals by September 30, 1997.
Banks are expected to largely complete programming changes, and
have testing well underway for mission critical systems by
December 31, 1998.
In an appendix to the Statement, the Task Force included an
examiner questionnaire to help regulatory agencies conduct
assessments of financial institution planning efforts, which are
expected to be completed shortly. Based on the results of these
assessments, regulators will prioritize supervisory reviews,
using examination procedures contained in a second appendix to
the Statement. The regulators expect to complete examinations of
conversion efforts by mid-1998.
Federal financial regulators are concerned that systemic
disruptions and potential failures could result if computers used
by financial institutions cannot properly read date-sensitive
information when the calender year changes to 2000. For this
reason, an institution's reprogramming planning should include
consideration of the vendors whose products and services a
financial institution uses; the other banks, clearing houses and
customers with whom it exchanges data electronically; and,
corporate borrowers, whose creditworthiness might be diminished
by significant service disruptions.
In a statement today, the Task Force said, "The Year 2000
presents a number of very difficult challenges for the financial
services industry, which relies heavily on effective computer
communications between banks, external data networks and data
processing centers, and their customers. The Interagency
Statement adopted today emphasizes the important issues that
banks, thrifts and credit unions need to address right now to
meet critical deadlines in preparation for the Year 2000."
The Interagency Statement outlines five management phases
necessary to complete a computer conversion program: awareness,
assessment, renovation, validation, and implementation. During
the final stage, systems should be certified as compliant and
accepted by business users. Federal regulators intend to work
closely with institutions that face unusual difficulties.
The Interagency Statement is attached.
Federal Financial Institutions Examination Council
YEAR 2000 PROJECT MANAGEMENT AWARENESS
May 5, 1997
Officers of all federally supervised financial institutions, providers
of data services, senior management of each FFIEC agency, and all
This Interagency Statement is intended to emphasize the need to make all
information processing systems Year 2000 compliant and identify specific
concerns that should be considered in managing a conversion program. The
FFIEC first alerted the industry in June 1996 of the Year 2000 problem.
At that time, we recommended that financial institutions perform a risk
assessment of their processing systems and begin developing an action plan
to address vulnerable systems. This Interagency Statement expands on
those topics and stresses a number of areas which may need special
attention. It also describes the supervisory strategy that the federal
banking agencies will pursue in monitoring Year 2000 conversion efforts of
financial institutions, as well as third-party data processing servicers,
and software suppliers servicing insured financial institutions.
The Year 2000 poses serious challenges to the industry. Many experts
believe that even the most prepared organizations may encounter some
implementation problems. The federal banking agencies want to ensure that
financial institutions avoid major disruptions and will work with the
industry to reach that goal. They will implement a supervisory plan
designed to: heighten awareness of the Year 2000 problem within the
industry; perform an assessment of the planning efforts of financial
institutions for Year 2000; conduct a supervisory review of all
institutions for Year 2000 preparedness; and work with institutions that
face difficulties. The agencies will undertake follow-up activities to
ensure institutions focus on problem areas and take appropriate
supervisory action if they are unable to encourage a financial institution
to devote adequate attention to achieving Year 2000 compliance.
This Statement has four major parts: an outline of the Year 2000 project
management process; identification of three external risk issues that the
Year 2000 conversion plan should consider; other operational issues that
may be relevant to an institution's Year 2000 planning; and a description
of the federal banking agencies' supervisory strategy.
Year 2000 Project Management:
The Year 2000 problem presents a number of difficult challenges to
financial institution management. Information systems are often complex
and have been developed over many years through a variety of computer
languages and hardware platforms. For many financial institutions,
correction of those problems will be costly and complex. A lack of
skilled mainframe programmers and system experts compounds the problem.
Year 2000 conversion projects will require executive management
sponsorship and an effective project management process. The project
management process begins with an awareness of the issue and an assessment
of the extent of Year 2000 problems within financial institution systems.
This includes identification of affected applications and databases.
Mission critical applications should be identified and priorities set for
Year 2000 work by the end of the third quarter of 1997. Financial
institutions and service providers should be well into this phase of the
project. Code enhancements and revisions, hardware upgrades, and other
associated changes follow the assessment phase and should be largely
completed by December 31, 1998.
Since the 1996 Interagency Statement, it has become clear that testing
mission critical system interdependencies, particularly those with
external systems, will be time consuming and could take up to at least one
year in more complex data processing environments. Accordingly, for
mission critical applications, the federal banking agencies strongly
encourage the industry to assure that programming changes are largely
completed and that testing be well underway by December 31, 1998. This is
a change from the June 1996 Interagency Statement due to the importance of
fully testing connectivity between major servicers and other financial
Year 2000 project management processes are expected to be more formalized
in financial institutions with complex systems or which rely on in-house
application development. In all financial institutions, regardless of
size or complexity, strong leadership, effective communication, and
accountability are necessary to ensure that Year 2000 initiatives will be
successful. The following describes the discovery, planning, and
implementation process in managing an institution's conversion program:
Awareness Phase - Define the Year 2000 problem and gain executive
level support for the resources necessary to perform compliance
work. Establish a Year 2000 program team and develop an overall
strategy that encompasses in-house systems, service bureaus for
systems that are outsourced, vendors, auditors, customers, and
suppliers (including correspondents).
Assessment Phase - Assess the size and complexity of the problem and
detail the magnitude of the effort necessary to address Year 2000
issues. This phase must identify all hardware, software, networks,
automated teller machines, other various processing platforms, and
customer and vendor interdependencies affected by the Year 2000 date
change. The assessment must go beyond information systems and
include environmental systems that are dependent on embedded
microchips, such as security systems, elevators and vaults.
Management also must evaluate the Year 2000 effect on other
strategic business initiatives. The assessment should consider the
potential effect that mergers and acquisitions, major system
development, corporate alliances, and system interdependencies will
have on existing systems and/or the potential Year 2000 issues that
may arise from acquired systems.
The financial institution or vendor should also identify resource
needs, establish time frames and sequencing of Year 2000 efforts.
Resource needs include appropriately skilled personnel, contractors,
vendor support, budget allocations, and hardware capacity. This
phase should clearly identify corporate accountability throughout
the project, and policies should define reporting, monitoring, and
notification requirements. Finally, contingency plans should be
developed to cover unforeseen obstacles during the renovation and
validation phases and include plans to deal with lesser priority
systems that would be fixed later in the renovation phase.
Renovation Phase - This phase includes code enhancements, hardware
and software upgrades, system replacements, vendor certification,
and other associated changes. Work should be prioritized based on
information gathered during the assessment phase. For institutions
relying on outside servicers or third-party software providers,
ongoing discussions and monitoring of vendor progress are necessary.
Validation Phase - Testing is a multifaceted process that is
critical to the Year 2000 project and inherent in each phase of the
project management plan. This process includes the testing of
incremental changes to hardware and software components. In
addition to testing upgraded components, connections with other
systems must be verified, and all changes should be accepted by
internal and external users. Management should establish controls
to assure the effective and timely completion of all hardware and
software testing prior to final implementation. As with the
renovation phase, financial institutions should be in ongoing
discussions with their vendors on the success of their validation
Implementation Phase - In this phase, systems should be certified as
Year 2000 compliant and be accepted by the business users. For any
system failing certification, the business effect must be assessed
clearly and the organization's Year 2000 contingency plans should be
implemented. Any potentially noncompliant mission-critical system
should be brought to the attention of executive management
immediately for resolution. In addition, this phase must ensure
that any new systems or subsequent changes to verified systems are
compliant with Year 2000 requirements.
Our discussions with Year 2000 experts, bankers, and field examiners
indicate some financial institutions have not yet considered all the
implications of the Year 2000 problem or lack conformance to time critical
dates. More specifically, management should begin immediately to consider
the following areas in its project planning process:
Reliance on Vendors - The agencies find that some financial
institutions, relying on third-party data processing servicers or
purchased applications software, have not taken a proactive approach
in ensuring Year 2000 compliance by their vendors. Management
should evaluate vendor plans and actively monitor project
milestones. Institutions should determine if vendor contract terms
can be revised to include Year 2000 covenants. Management should be
aware of vendor specific responsibilities and their institution's
vulnerability if the vendor cannot meet contractual obligations.
Alternate service or software providers should be considered if
vendor solutions or time frames are inadequate. If purchased
products or services belong to larger, integrated systems, financial
institutions' testing and certification processes will have to be
fully coordinated with their vendor's Year 2000 testing. Management
must also ensure that vendors have the capacity (both financial and
personnel) to complete the project and are willing to certify Year
Data Exchange - The Year 2000 problem also poses a risk to the
quality of information that institutions exchange with other firms.
Large volumes of date sensitive data are transferred electronically
between financial institutions, their customers, and their
regulators. Institutions will need to know how methods of data
exchange differ among financial institutions, across vendors, and
between other institutions. Therefore, Year 2000 planning should
allow sufficient time to assess the effect that Year 2000 solutions
will have on data transfers. The project plan should also include
testing and verification, as appropriate, of data exchanges with
clearing associations, governmental entities, customers and
international financial institutions.
Corporate Customers - Many corporate customers (borrowers) depend on
computer systems that must be Year 2000 compliant. Corporate
customers, who have not considered Year 2000 issues, may experience
a disruption in business, resulting in potentially significant
financial difficulties that could affect their creditworthiness.
Financial institutions should develop processes to periodically
assess large corporate customer Year 2000 efforts and may consider
writing Year 2000 compliance into their loan documentation. Loan
and credit review officers should consider in their credit analysis
of large corporate customers whether the borrower's Year 2000
conversion efforts are sufficient to avoid significant disruptions
Other Year 2000 Operating Issues:
The following issues should also be considered in addressing Year 2000
Replacement vs. Repair - Cost and timing considerations will affect
a financial institution's decision to replace or repair strategic
systems. Those factors may dictate that some systems will be
repaired in the short term and strategically replaced sometime after
January 1, 2000. Conversely, it may be more cost effective to
accelerate the replacement of strategic systems.
Cost and Monitoring - As the Year 2000 approaches and the urgency
of fixing problems increases, the costs of obtaining/retaining
qualified staff to address the problems will undoubtedly rise,
perhaps significantly. Some experts believe that the limited
availability of technical support will be a major obstacle to making
systems Year 2000 compliant. Knowledge of market conditions for
skilled programmers and developing programs to retain key personnel
may be necessary to ensure that adequate resources are available
throughout the project's life.
Mergers and Acquisitions (M&As) - The extent of Year 2000 conversion
efforts will bear directly on corporate M&As' strategies since
conversions resulting from M&As will compete for project managers
and technical resources. Acquisition strategies should include the
institution's Year 2000 assessment to the extent possible.
Remote Locations - Remote or overseas operations also need to devote
attention to Year 2000 issues. In particular, management
information systems for businesses that run semi-autonomously from
the head office must be included in the financial institution's
system inventory and plans. To the extent that such systems serve
as critical controls for business operations, they could expose the
financial institution to significant undetected vulnerabilities.
Appropriate staff members throughout the organization must be aware
of the risks associated with the Year 2000 issue and how they might
Contracts - Legal issues may arise from the lack of specificity in
contract terms dealing with Year 2000 issues. Financial
institutions should modify existing contracts which do not
specifically address Year 2000 compliance by the vendor. Otherwise,
conflicts may result regarding the commitment and responsibility to
assure Year 2000 compliance. Current and future purchases should
require Year 2000 certification. If contract changes or
modifications are refused, then the institution should consider
replacing the service or product.
Leap Year - All Year 2000 plans need to address the leap year -
February 29, 2000 - issue. All date and calculation routines need
to be reviewed to ensure that leap year calculations are Year 2000
The federal banking agencies plan to conduct a supervisory review of all
financial institutions' Year 2000 conversion efforts by mid-1998. They
will soon complete an assessment of financial institutions' Year 2000
planning efforts. The appropriate regulatory agency may use the examiner
questionnaire in Appendix A, or a similar tool, to help conduct this
assessment. Financial institutions will be provided with specific
instructions from your agency about this part of their supervisory
strategy. The agencies will use the results of their assessment to
prioritize on-site examinations and will target first those institutions
that have not actively begun a Year 2000 conversion program.
The federal banking agencies will utilize uniform examination procedures
to facilitate Year 2000 examinations (Appendix B). Management is
encouraged to use these examination tools to perform internal reviews or
self-evaluations in connection with their own efforts to address the Year
2000 problem. Examiners will work with institutions that encounter
significant problems addressing Year 2000 issues.
Focusing on financial institutions alone will not prevent Year 2000
disruptions. The federal banking agencies will work cooperatively to
ensure that supervisory reviews include data processing service providers
and third-party software vendors who provide services to federally insured
financial institutions. This effort will include vendors who are a part
of the Multiregional Data Processing Servicer program and the Shared
Application Software Review program.
Year 2000 Examiner Questionnaire
This questionnaire is designed to capture macro-level information on Year
2000 preparations from financial institutions and their information
systems vendors. The information will help examiners prioritize their
Year 2000 reviews. The questions are presented in a "yes - no" answer
format. However, examiners may also ask open-ended questions to develop a
thorough understanding of the institution's/vendor's Year 2000
1. Are the institution's/vendor's information processing (hardware and
software) and delivery (telecommunications) systems capable and
ready to handle Year 2000 processing?
2. Does the institution/vendor have a Year 2000 problem resolution
process that includes these basic phases:
Awareness of the problem.
Assessment of complexity.
3. Has the institution/vendor prioritized internally and externally
maintained systems (hardware, software, and operating systems)?
4. Has the institution considered the impact of the Year 2000 on
internal, environmental systems that are dependent on embedded
microchips, such as vaults, security and alarm systems, elevators,
telephones, FAX machines, and HVAC (heating, ventilation, and air
5. Has the institution/vendor established a budget for the year 2000
6. Has the institution/vendor determined whether it has sufficient
resources (hardware, people, and dollars) necessary to ensure Year
2000 processing capabilities?
7. Has the institution/vendor assigned overall responsibility for the
Year 2000 effort to a senior manager?
8. Has the institution/vendor established project target dates and
deliverables for the Year 2000 effort?
9. Does the process include regular reporting to and monitoring by
10. Does the institution's/vendor's Year 2000 plan call for the
renovation of all mission critical systems to be largely completed
by December 31, 1998?
11. Will the institution's/vendor's testing for Year 2000 renovations be
well under way, for mission critical applications, by December 31,
Year 2000 Examination Procedures
The following examination procedures are for general use in all federally
supervised financial institutions and data centers that service these
financial institutions. The examination procedures will help the examiner
to determine if the institution has addressed the Year 2000 problems
inherent in many computer software and hardware systems. The examination
procedures are designed to focus on the state of Year 2000 preparedness of
each examined institution.
The Tier I section represents general procedures designed for all
institutions. Examinations of small institutions, particularly those
that have purchased or leased their hardware and/or software systems from
an external vendor, normally will stop at the end of the Tier I
examination procedures. The examiner will then proceed to the examination
conclusions section. The Tier II section includes more rigorous and
detailed examination procedures designed for larger institutions,
particularly those with in-house software development capabilities. In
these environments, examiners normally will use both the Tier I and Tier
II examination procedures, as appropriate.
1. To determine whether the organization has an effective plan for
identifying, renovating, testing, and implementing solutions for Year
2. To assess the effect of Year 2000 efforts on the organization's
strategic and operating plans.
3. To determine whether the organization has effectively coordinated Year
2000 processing capabilities with its customers, vendors, and payment
4. To assess the soundness of internal controls for the Year 2000
5. To identify whether further corrective action may be necessary to
assure an appropriate level of attention to Year 2000 processing
Examination Planning and Control
1. Determine the organization's source of information systems (IS)
support for hardware (mainframe, mid-range, networks, personal
computers) and related applications and operating system software.
Note whether information systems processing is provided internally,
externally, or a combination of both.
2. Review previous examination, audit, or consultant findings relative to
Year 2000 issues.
3. Review management's responses to any significant Year 2000 findings.
4. Review responses to the Year 2000 Examiner Questionnaire.
5. Review the supervisory strategy and scope memorandum prepared for this
organization relative to Year 2000 issues.
6. Determine the scope of the Year 2000 examination based on findings
from the previous steps and discussions with the examiner-in-charge
Select from the following examination procedures the steps necessary to
meet the examination objectives. Note: Examinations do not require
completion of all steps.
Tier I Procedures
1. Determine whether the organization's board of Directors and senior
management are aware of and understand the risks and complexities of
the Year 2000 issue by:
Obtaining and reviewing minutes of board of Directors meetings
for discussions of Year 2000 issues.
Obtaining and reviewing minutes of committees established to
address Year 2000 issues.
2. Determine whether management has developed a plan to ensure that the
organization's computer systems are Year 2000 compliant.
3. Determine whether the organization's Year 2000 assessment includes
computer controlled systems, such as telecommunications systems, ATMs,
audio response systems, and other environmental systems with embedded
microchips, such as vaults, security and alarm systems, elevators,
telephones, FAX machines, and HVAC.
4. Determine whether the institution's management conducts continuing
communications with its vendor(s) and/or servicer(s) to determine
their progress toward implementing Year 2000 solutions.
5. Determine whether the organization has:
Performed a "third party" software contract review to identify
risks associated with licensing and maintenance agreement
protections for Year 2000 processing.
Reviewed all data processing outsourcing agreements to determine
if the vendors have Year 2000 maintenance obligations.
Included Year 2000 leap year considerations in their contract
Established a process to certify that a vendor(s) and product(s)
are Year 2000 compliant. If so, describe.
6. Determine whether management has assessed the financial and
operational capabilities of its hardware and software vendors to
provide Year 2000 processing capabilities. Note the results of this
7. Determine the status of the institution's Year 2000 project, including
any anticipated barriers and how management plans to address them.
8. If it is evident that the institution's or vendor's/servicer's systems
are not fully Year 2000 compliant, determine:
Whether all affected applications will have Year 2000 renovation
complete with testing well under way for mission critical
systems by December 31, 1998.
The significant applications that will not have Year 2000
renovation complete by December 31, 1998.
Whether management has anticipated the effect to the
organization's strategic and operating plans should all systems
not be Year 2000 compliant by December 31, 1998.
Management's contingency plans to assure the institution's
ongoing operations if the institution's systems will not be Year
2000 compliant by December 31, 1998.
Whether the institution has contingency plans should hardware or
software systems not function correctly on January 1, 2000,
because of the millennium date change.
9. Determine whether management has discussed the effect of the Year 2000
issue with its large corporate borrowing customers to ensure the
customers' ability to meet financial and informational obligations to
10. Determine whether the organization has assessed the effect of Year
2000 processing capabilities, as applicable, with its payment
systems providers, including:
Wire transfer systems.
Automated clearing houses.
Check clearing providers.
Credit card merchant and issuing systems.
Automated teller machine networks.
Electronic data interchange systems.
Electronic benefits transfer systems.
11. Determine whether management has employed internal or external
audit functions to assess the soundness of internal controls
associated with the Year 2000 effort.
12. Determine whether management is aware of or contemplates any
litigation related to the Year 2000 issue.
Generally, examinations of small financial institutions and those that
rely on data service providers should proceed to the Examination
Tier II Procedures
1. Assess internal and external audit personnel's independence and
involvement in reviewing the organization's Year 2000 efforts.
2. Review audit plans and budgets through 1999 and determine whether
they identify specific audit resources necessary to address Year
2000 issues. Determine whether these plans are based on a formal
inventory of all critical systems affected by Year 2000 issues.
Also, determine the adequacy of audit resources allocated to Year
3. Determine whether audit is actively involved in Year 2000 efforts to
assess and monitor the effectiveness of the project management process
and whether audit management communicates this information to the
board of Directors.
4. Review Year 2000 project audit reports and determine the adequacy of
their scope and the timeliness and completeness of management
responses. Also assess the appropriateness of audit follow-up on
actions taken in response to Year 2000 project audit findings.
5. Based on discussions with management and reviews of the minutes of
committees established to address Year 2000 issues, evaluate the
completeness of the project management process to assure the
institution's computer systems are Year 2000 compliant. Note whether
Inventoried all hardware and software systems, including
Identified hardware and software systems that require
modifications for Year 2000 processing.
. Evaluated various alternatives for dealing with Year 2000
Prioritized software and hardware systems to ensure that the
most critical applications are addressed first.
Considered all software systems, including core banking,
investments, fiduciary, management information, retail delivery,
and operating systems.
Considered the effect of Year 2000 issues on
Reviewed and approved milestones to ensure the timely completion
of Year 2000 efforts.
Developed a testing strategy for Year 2000 modifications.
Ensured that any new systems are Year 2000 compliant.
Addressed the establishment and review of an effective system of
internal controls over the Year 2000 effort.
Determined the groupings of systems for conversion.
Considered the role of the quality assurance function.
Determined the role of end users.
Determined the need for a configuration management plan.
Required thorough project management techniques, including
periodic senior management and board project updates.
6. Determine whether management considered the availability of adequate
resources for the Year 2000 initiative by identifying:
The type of technical expertise that will be needed.
The amount of time needed for corrective action.
The type and amount of financial resources that will be needed
and whether the organization has sufficient financial resources
to make all hardware (mainframe, mid-range, networks, personal
computers) and related application and operating system software
Year 2000 compliant.
Whether any other resources are required.
The effect of the Year 2000 project on earnings, capital, and
liquidity and whether the assessment appears reasonable.
7. Determine whether the organization has persons or access to persons
that have sufficient technical expertise to make all hardware/software
systems Year 2000 compliant, and:
If outside resources will be used, whether these resources are
If not, what assurances management has that these resources will
be available, when needed.
8. Determine how the board of Directors and senior management are kept
informed on the progress of Year 2000 efforts, particularly of any
problems encountered during the validation and implementation phases.
9. Determine whether the board of Directors and/or senior management have
established clear lines of authority and responsibility for the Year
10. Determine whether Year 2000 project teams receive sufficient
support from the board of Directors and senior management.
11. Review, as applicable, the selection process for any Year 2000
service provider(s) and whether the process appears adequate.
12. Evaluate the adequacy of the institution's Year 2000 conversion
Systems and Programming
13. Determine whether the organization has assessed the ability of its
computer systems to handle any needed software changes. If so,
14. Determine the method(s) the organization uses or will use to
resolve Year 2000 date calculations (e.g., conversion to four
position year fields, windowing and others).
15. Evaluate whether the organization has/will devote(d) appropriate
time to testing and error checking of all software changes.
16. Determined the programming languages and tools that the institution
17. Identify whether a common application development platform is
18. Describe how the organization will maintain sound internal controls
over the software change process for Year 2000 issues.
19. Determine whether the organization is coordinating modification and
testing activities with vendors, servicers, and organizations with
whom critical data is received or sent.
20. Review management's assessment of the anticipated additional
systems resources required specifically for operating systems,
telecommunications (including ATM) networks, and security software,
to handle Year 2000 processing. Describe the results of the
21. Evaluate the organization's Year 2000 assessment of the adequacy of
computer resources for testing Year 2000 changes while performing
day-to-day processing activities.
22. Describe management's assessment of the effect of any changes in
operating practices resulting from the Year 2000 effort.
23. Determine whether any interim work procedures are required as part
of the Year 2000 effort.
24. Review and describe the organization's assessment of the impact of
Year 2000 efforts on business continuity/recovery planning.
25. Determine whether the organization compromised sound internal
controls over operations as a result of addressing Year 2000
26. Prepare examination report comments noting:
The computer system's Year 2000 processing capability.
Management's effectiveness in managing the Year 2000 process,
including an assessment of the adequacy of resources devoted to
Year 2000 problems.
The adequacy of the organization's plans for identifying,
correcting, testing, and implementing solutions for Year 2000
The date methodologies selected to provide Year 2000 processing
(in situations with in-house programming capabilities).
The status of the organization's plan and the capability to
complete necessary changes with testing well underway for
mission critical systems by December 31, 1998.
Management's effectiveness in coordinating Year 2000 processing
capabilities with its hardware and software vendors, corporate
borrowing customers, and payment systems providers.
The effect of the Year 2000 effort on the organization's
strategic and operating plans, including earnings, capital, and
The effectiveness of the audit function and its assessment of
internal controls for the Year 2000 process.
27. Prepare recommendations, as appropriate, for the EIC and/or other
appropriate supervisors on any additional actions necessary to
ensure the organization's safety and soundness associated with its
Year 2000 processing capabilities.
28. Summarize the Year 2000 plan's strengths and weaknesses and
describe the extent of the organization's Year 2000 readiness.
29. Discuss conclusions with the appropriate level of management and