Year 2000 Computing Crisis: Actions Needed to Address Credit Union
Systems' Year 2000 Problem (Letter Report, 01/07/98, GAO/AIMD-98-48).
GAO did further research on its testimony on the National Credit Union
Administration's (NCUA) efforts to ensure that credit union computer
systems are ready for the upcoming year 2000 date change.
GAO noted that this report: (1) officially transmits recommendations to
assist NCUA in addressing the Year 2000 problem; (2) responds to
comments on GAO testimony; and (3) recognizes actions NCUA has taken in
response to GAO recommendations.
--------------------------- Indexing Terms -----------------------------
REPORTNUM: AIMD-98-48
TITLE: Year 2000 Computing Crisis: Actions Needed to Address
Credit Union Systems' Year 2000 Problem
DATE: 01/07/98
SUBJECT: Credit unions
Data integrity
Internal controls
Bank examination
Computer software
Systems conversions
Strategic information systems planning
******************************************************************
** This file contains an ASCII representation of the text of a **
** GAO report. Delineations within the text indicating chapter **
** titles, headings, and bullets are preserved. Major **
** divisions and subdivisions of the text, such as Chapters, **
** Sections, and Appendixes, are identified by double and **
** single lines. The numbers on the right end of these lines **
** indicate the position of each of the subsections in the **
** document outline. These numbers do NOT correspond with the **
** page numbers of the printed product. **
** **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced. Tables are included, but **
** may not resemble those in the printed version. **
** **
** Please see the PDF (Portable Document Format) file, when **
** available, for a complete electronic file of the printed **
** document's contents. **
** **
** A printed copy of this report may be obtained from the GAO **
** Document Distribution Center. For further details, please **
** send an e-mail message to: **
** **
** **
** **
** with the message 'info' in the body. **
******************************************************************
Cover
================================================================ COVER
Report to the Chairman of the National Credit Union Administration
January 1998
YEAR 2000 COMPUTING CRISIS -
ACTIONS NEEDED TO ADDRESS CREDIT
UNION SYSTEMS' YEAR 2000 PROBLEM
GAO/AIMD-98-48
NCUA Year 2000 Challenges
(511109)
Abbreviations
=============================================================== ABBREV
NCUA - National Credit Union Administration
Letter
=============================================================== LETTER
B-278831
January 7, 1998
The Honorable Norman E. D'Amours
Chairman
National Credit Union Administration
Dear Mr. D'Amours:
On October 22, 1997, we submitted testimony to the Senate
Subcommittee on Financial Services and Technology, Committee on
Banking, Housing, and Urban Affairs on the National Credit Union
Administration's (NCUA) efforts to ensure that credit union computer
systems are ready for the upcoming Year 2000 date change.\1 In our
testimony, we reported that while NCUA had made some progress in
addressing Year 2000 compliance issues, more needed to be done to
ensure that credit unions adequately mitigate Year 2000 risks. This
report (1) officially transmits recommendations to assist NCUA in
addressing the Year 2000 problem, (2) responds to your comments on
our testimony, and (3) recognizes actions NCUA has taken in response
to our recommendations. Our testimony, which includes our objective,
scope, and methodology, and findings, conclusions, and
recommendations, is reprinted in appendix I. Your response to our
testimony is reprinted in appendix II.
--------------------
\1 Year 2000 Computing Crisis: National Credit Union
Administration's Efforts to Ensure Credit Union Systems Are Year 2000
Compliant (GAO/T-AIMD-98-20, October 22, 1997).
RECOMMENDATIONS
------------------------------------------------------------ Letter :1
As stated in our October 22, 1997, testimony, we recommend that NCUA
-- accelerate its efforts to complete the assessment of the state
of the industry, collect the necessary information to determine
the exact phase of each credit union and vendor in addressing
the Year 2000 problem, and require credit unions to report the
precise status (phase) of their efforts on at least a quarterly
basis, including progress in addressing system interfaces;
-- document its contingency plans;
-- require credit unions to implement the necessary management
controls to ensure that these financial institutions have
adequately mitigated the risks associated with the Year 2000
problem, including (1) requiring credit union auditors to
include Year 2000 issues within the scope of their management
and internal control work and report serious problems and
corrective actions to NCUA immediately and (2) providing
auditors with the procedures developed by NCUA for its examiners
to use in assessing Year 2000 compliance and any other guidance
that would be instructive;
-- require credit unions to establish processes whereby credit
union management would be responsible for certifying Year 2000
readiness including credit union compliance testing by a
qualified independent third party; and
-- determine (before the end of 1997) the level of technical
capability needed to allow for a thorough review of credit
unions' Year 2000 efforts and hire or contract for this
capability.
AGENCY COMMENTS AND OUR
EVALUATION
------------------------------------------------------------ Letter :2
In your October 30, 1997, letter response to our testimony, you
stated that the testimony contained useful recommendations and
described actions that NCUA is taking or has taken to implement our
recommendations. These actions included (1) implementing quarterly
credit union reporting of Year 2000 status that includes having
credit union officials certify their level of progress, (2)
developing written contingency plans to augment current processes for
administrative actions, and (3) using a contractor to perform
technical reviews of 10 electronic data processing vendors. You also
stated that, depending on the outcome of these reviews, NCUA would
consider contracting for additional reviews of other electronic data
processing vendors, credit unions that develop and maintain their own
systems, and large credit unions. In addition, in a November 12,
1997, letter to the Congress, you said NCUA would be issuing a letter
to credit unions in December 1997 to describe the potential problems
and develop information on steps credit unions should take to manage
the interface issue. Finally, on December 1, 1997, you issued a
letter, including examination procedures, to the credit union
supervisory committees notifying them of the need for internal and
external auditors to review Year 2000 plans and testing processes.
However, you also raised a concern with one of our recommendations.
Specifically, you stated that, as part of its quarterly reporting
process, NCUA plans to require credit union managers to certify their
progress in addressing the Year 2000 problem. You also stated that
independent third party certification of progress would be
unnecessarily burdensome to a majority of credit unions. By
requiring credit unions to certify their progress, NCUA is
effectively alerting credit unions that they are responsible and
accountable for addressing the Year 2000 problem and, as such, is a
step in the right direction. However, without independent
verification that credit union systems are Year 2000 compliant, NCUA
will be relying solely on management assertions and therefore will
not have assurance that credit unions are progressing as reported.
To effectively mitigate this risk, NCUA needs to ensure that the
information being reported to it is accurate and reliable.
Consequently, we reiterate our recommendation that the certification
process include credit union compliance testing by a qualified
independent third party and allow sufficient time for NCUA to review
the results and take appropriate action, if needed, before the year
2000.
---------------------------------------------------------- Letter :2.1
This report contains recommendations to you. The head of a federal
agency is required by 31 U.S.C. 720 to submit a written statement on
actions taken on these recommendations to the Senate Committee on
Governmental Affairs and the House Committee on Government Reform and
Oversight not later than 60 days after the date of this report. A
written statement also must be sent to the House and Senate
Committees on Appropriations with the agency's first request for
appropriations made more than 60 days after the date of this report.
We are sending copies of this letter to the Chairmen and Ranking
Minority Members of the Senate Committee on Banking, Housing, and
Urban Affairs; the House Committee on Banking and Financial Services;
the Senate and House Committees on Appropriations; the Senate and
House Committees on the Budget; the Senate Committee on Governmental
Affairs; and the House Committee on Government Reform and Oversight.
We are also sending copies to the Director of the Office of
Management and Budget, the Chairman of the Federal Reserve System,
the Comptroller of the Currency, the Chairman of the Federal Deposit
Insurance Corporation, and the Director of the Office of Thrift
Supervision. Copies will also be made available to others upon
request.
Please contact me on (202) 512-6240 if you or your staff have any
questions on this report. Major contributors to this report are
listed in appendix III.
Sincerely yours,
Jack L. Brock, Jr.
Director, Information Management Issues
(See figure in printed edition.)Appendix I
GAO'S OCTOBER 22, 1997 TESTIMONY
============================================================== Letter
(See figure in printed edition.)
(See figure in printed edition.)
(See figure in printed edition.)
(See figure in printed edition.)
(See figure in printed edition.)
(See figure in printed edition.)
(See figure in printed edition.)
(See figure in printed edition.)
(See figure in printed edition.)
(See figure in printed edition.)Appendix II
COMMENTS FROM THE NATIONAL CREDIT
UNION ADMINISTRATION
============================================================== Letter
(See figure in printed edition.)
(See figure in printed edition.)
(See figure in printed edition.)
(See figure in printed edition.)
(See figure in printed edition.)
(See figure in printed edition.)
(See figure in printed edition.)
(See figure in printed edition.)
MAJOR CONTRIBUTORS TO THIS REPORT
========================================================= Appendix III
ACCOUNTING AND INFORMATION
MANAGEMENT DIVISION, WASHINGTON,
D.C.
Gary N. Mountjoy, Assistant Director
John B. Stephenson, Assistant Director
Ronald L. Hess, Senior Information Systems Analyst
Sabine R. Paul, Senior Information Systems Analyst
Keith A. Rhodes, Technical Director
Cristina T. Chaplain, Communications Analyst
*** End of document. ***