How to Prepare for the Year 2000
Problem |
| A strong
intervention plan is necessary to avoid a catastrophic
disruption in an organizations computer operations on January 1,
2000. Internal auditors and management can be better prepared by
addressing the questions below. (For more on this subject, see
pages 33-44) |
| |
| |
| ORGANIZATIONAL
AWARENESS |
 | Are all areas of the organization aware of the
potential ramifications? |
| | Has management communicated this awareness to
employees? |
| | Is the board of directors aware of the
organizations vulnerability? |
| |
| RISK ASSESSMENT |
| | Is there an inventory of systems within the
organization? |
| | Has management conducted a detailed risk
assessment for each system? |
|
| Is management able to identify the extent
of the problem? |
| | When could the first Y2K problem occur? |
| | Has a risk assessment of the legal liabilities
been made? |
| | Has the risk assessment addressed business
partners and their systems preparations? |
|
|
| RESOURCES |
| | What financial resources are needed? |
| | What staff and systems resources are needed? |
| | Are there control procedures for outsourced or
contracted services? |
| |
| PROJECT PLANNING |
| | Has a Y2K project been developed, written and
communicated? |
| | Have project standards been developed? |
| | What priorities and timetables have been
established? |
| | Has overall responsibility for the project as well
as for each segment of the project been assigned? |
| | Are users actively involved in the project? |
| | Have business partners been contacted? |
| | Have vendors provided assurances that their
products are in compliance? |
| |
| TESTING |
| | Has the information systems (IS) department
developed a test plan for critical applications, systems
software and communications? |
|
| Does the organization have an adequate
test environment that mirrors the production environment? |
| | Has the IS department conducted tests to ensure
the Year 2000 compliance system can correctly operate both
before and after 2000? This should be completed by the end of
1998. |
| | Have auditors evaluated the test plan and planned
to conduct an audit review of Year 2000 testing by the end of
1998? |
| |
| MONITORING |
| | Are reporting mechanisms in place to allow for
periodic monitoring of the project? |
| | Do senior management and the board of directors
receive periodic updates on the status of the project? |
| | What additional internal auditing requirements are
needed? |
| |
| Source: The Institute of Internal Auditors.
|
