Year 2000 Computing Crisis: Customs Is Effectively Managing Its Year 2000
Program (Testimony, 02/24/99, GAO/T-AIMD-99-85).

Pursuant to a congressional request, GAO discussed the Customs Service's
progress in addressing the year 2000 computing problem, focusing on
Customs': (1) progress to date; (2) program management; and (3) future
challenges.

GAO noted that: (1) as of January 1999, Customs reported that it had met
milestones recommended by the Office of Management and Budget for
renovating and validating most of its mission-critical systems; (2) it
reported that it had completed renovation, validation and systems
acceptance testing of all five of its mission-critical systems; (3) it
plans to complete end-to-end testing for these systems and associated
telecommunications systems by March 1999; (4) Customs reported that 95
percent of the information technology products assessed is compliant, 4
percent requires renovation or replacement and one percent is to be
retired; (5) Customs' program management structures and processes are
entirely consistent with GAO guidance, and Customs' good progress to
date is largely attributable to this program management capability; (6)
Customs has done the following: (a) established a year 2000 Program
Office and designated a year 2000 Program Manager in May 1997 and
charged the office with authority over and responsibility for agencywide
year 2000 efforts, including such functional areas as year 2000
contracting, budgeting and planning, technical support to project teams,
quality assurance, auditing and reporting; (b) engaged its senior
executives in the year 2000 effort by charging the agency's Executive
Council with approving and overseeing the implementation of the year
2000 strategy and resolving such issues as institutional year 2000
priorities; (c) developed a year 2000 Strategic Plan and year 2000
Operational Program Management Plan in June 1998; and (d) issued
policies, guidelines, and procedures for managing and implementing the
year 2000 program, including guidance on quality assurance,
configuration management, and testing, as well as business continuity
and contingency planning; (7) Customs still needs to conduct end-to-end
testing of the systems that support important trade missions; (8)
additionally, Customs still needs to complete its contingency plans for
ensuring continuity of its core business areas in the event of year
2000-induced system failures; (9) Customs faces serious risks outside of
its control; (10) given the number of Customs ports of entry throughout
the United States, localized disruptions in infrastructure-related
services could seriously impact Customs business operations; and (11) as
Customs works to develop, test, and complete its contingency plans, it
must ensure that these localized event scenarios are adequately
addressed.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  T-AIMD-99-85
     TITLE:  Year 2000 Computing Crisis: Customs Is Effectively Managing 
             Its Year 2000 Program
      DATE:  02/24/99
   SUBJECT:  Y2K
             Internal controls
             Information resources management
             Strategic information systems planning
             Data integrity
             Information systems
             Systems conversions
             Computer software verification and validation
IDENTIFIER:  Y2K
             Customs Service Automated Commercial System
             Treasury Enforcement Communications System
             Customs Service Seized Assets and Case Management Tracking 
             System
             Customs Service Automated Export System
             
******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO report.  This text was extracted from a PDF file.        **
** Delineations within the text indicating chapter titles,      **
** headings, and bullets have not been preserved, and in some   **
** cases heading text has been incorrectly merged into          **
** body text in the adjacent column.  Graphic images have       **
** not been reproduced, but figure captions are included.       **
** Tables are included, but column deliniations have not been   **
** preserved.                                                   **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
** A printed copy of this report may be obtained from the GAO   **
** Document Distribution Center.  For further details, please   **
** send an e-mail message to:                                   **
**                                                              **
**                                            **
**                                                              **
** with the message 'info' in the body.                         **
******************************************************************
ai99085t.boo(T85cov~1.fm) GAO

United States General Accounting Office

Testimony Before the Committee on Ways and Means, House of
Representatives

For Release on Delivery Expected at 9 a.m. Wednesday, February 24,
1999

YEAR 2000 COMPUTING CRISIS

Customs Is Effectively Managing Its Year 2000 Program

Statement of Randolph C. Hite Associate Director, Governmentwide
and Defense Information Systems Accounting and Information
Management Division

GAO/T-AIMD-99-85


Page 1 

GAO/T-AIMD-99-85

Page 1   GAO/T-AIMD-99-85

Mr. Chairman and Members of the Committee: Thank you for inviting
me to participate in today's hearing on the challenges faced by
the Customs Service in responding to the century date problem. If
this problem is not addressed in time, key automated systems
affecting trillions of dollars in trade between the United States
and other countries could malfunction, resulting in delayed trade
processing, lost trade revenue, and increased illegal activities,
such as narcotics smuggling, money laundering, and commercial
fraud. Fortunately, Customs has made good progress to date
addressing its Year 2000 problem, thanks in large part to the
effective Year 2000 program management structures and processes
that it has in place for doing so. Nevertheless, Customs faces
certain Year 2000 challenges, such as completing end- to- end
testing, before it will be ready to cross into the new millenium.
My testimony today will address these three areas: progress to
date, program management effectiveness, and future challenges.
Additionally, I will comment on how Customs can benefit from its
Year 2000 experience in strengthening its management of
information technology.

This testimony is based on our ongoing review of the effectiveness
of Customs' Year 2000 management and reporting controls. We are
performing this review at the request of this Committee's
Oversight Subcommittee and its Trade Subcommittee. In short, we
have reviewed Customs' Year 2000 management and reporting
structures and processes, including those relating to testing,
contingency planning, risk management, and quality assurance, and
we have compared these to our Year 2000 guidance 1 to determine
whether key internal controls are in place and functioning as
intended. We have also traced the reported status of selected
system components back to supporting systems documentation to
verify the reported information's accuracy. We conducted our work
in collaboration with the Treasury Inspector General and in
accordance with generally accepted government auditing standards
from July 1998 through January 1999.

1 Year 2000 Computing Crisis: An Assessment Guide (GAO/ AIMD-
10.1.14, issued as an exposure draft in February 1997, issued
final in September 1997); Year 2000 Computing Crisis: Business
Continuity and Contingency Planning (GAO/ AIMD- 10.1.19, issued as
an exposure draft in March 1998, issued final in August 1998); and
Year 2000 Computing Crisis: A Testing Guide (GAO/ AIMD- 10.1.21,
issued as an exposure draft in June 1998, issued final in November
1998).

Page 2 GAO/T-AIMD-99-85

Customs Relies Extensively on Automated Systems

Addressing the Year 2000 problem in time is critical for the
Customs Service because it relies extensively on information
technology to help enforce trade laws and collect and account for
duties, taxes, and fees on imports. 2 As the following
illustrates, Customs has five mission- critical systems that run
over 20 million lines of application code and are used by
thousands of users within Customs, other government agencies, and
the trade community.

 The Automated Commercial System (ACS) tracks, controls, and
processes all commercial goods imported into the United States.
Over 97 percent of the data filed for imported cargo entries are
sent through ACS and more than 15,000 trade and other government
agency users have access to this system.  Customs' Treasury
Enforcement Communications System (TECS)

interfaces with the Federal Bureau of Investigation's National
Crime Information Center and a number of other law enforcement
systems and is the major automation component of the Interagency
Border Inspection System, which serves as a clearinghouse for law
enforcement data. Some 27,000 users, including Customs;
Immigration and Naturalization Service; Internal Revenue Service;
Bureau of Alcohol, Tobacco, and Firearms; and the State Department
rely on TECS.  The Seized Asset and Case Tracking System (SEACATS)
processes and

tracks activity associated with seizures for the initial law
enforcement interest in the property to its final disposition.
This system is used by more than 16,000 Customs employees, and it
interfaces with the Justice Department and Internal Revenue
Service systems.  Customs' Automated Export System (AES) collects
export- related data

from exporters and carriers and is used to help target export
violators. More than 28,000 users nationwide rely on this system.
ADMIN is Customs' primary administrative system supporting
financial

and human resource functions. It consists of 40 separate systems
that interface with each other and with ACS, AES, and TECS.

In addition to fixing and testing its systems, Customs must assess
and remediate a wide range of telecommunications equipment and
noninformation technology (non- IT) assets installed in over 900
facilities. This non- IT equipment includes check- writers;
scanners; optical readers; security systems, such as badge
readers, x- ray systems, cameras, secured

2 During 1997, Customs collected $22.1 billion in revenue at more
that 300 ports of entry.

Page 3 GAO/T-AIMD-99-85

doors and safes; fire alarms; heating and air conditioning
systems; planes; and automobiles.

Customs Is Making Good Progress in Addressing Its Year 2000
Problem

As of January 1999, Customs reported that it had met milestones
recommended by the Office of Management and Budget (OMB) for
renovating and validating most of its mission- critical systems. 3
Specifically, it reported that it had completed renovation,
validation and

systems acceptance testing 4 of all five of its mission- critical
systems. Moreover, it plans to complete end- to- end testing 5 for
these systems and associated telecommunications systems by March
1999.

Customs has also renovated most of its telecommunications
equipment. Specifically, as of January 1999, Customs reported that
it had assessed all of its national data center- related
telecommunications systems and renovated, validated, and
implemented 92 percent of the inventory requiring Year 2000 work.
It had also assessed telecommunications equipment in its field
offices and completed 68 percent of needed renovations.
Additionally, Customs had completed about half of the work needed
on headquarters and field office voice communications equipment,
including telephone and voice mail systems.

Customs reported that it has assessed about 82 percent of its
missioncritical non- IT products. It reported that 95 percent of
the products assessed is compliant, 4 percent requires renovation
or replacement, and 1 percent is to be retired. It expects to
complete this work by May 1999.

To help ensure that the information it reports on Year 2000
progress is reliable, Customs has implemented reporting controls.
For example, quality review teams review the information reported
for (1) consistency (by comparing it to previously reported
information), (2) completeness (by

3 OMB requires that agencies complete renovation of their mission-
critical systems by September 1998, validation by January 1999,
and implementation by March 1999. 4 The purpose of system
acceptance testing is to verify that the complete system (i. e.,
the full complement of application software running on the target
hardware and systems software infrastructure) satisfies specified
requirements (functional, performance, and security) and is
acceptable to end users.

5 The purpose of end- to- end testing is to verify that a defined
set of interrelated systems, which collectively support an
organizational core business area or function, interoperate as
intended in an operational environment, either actual or
simulated.

Page 4 GAO/T-AIMD-99-85

comparing it to reporting standards), and (3) accuracy (by
validating it through observation, inquiry, or review of
supporting documentation). Our review of quality review team
results, as well as our independent review of the reliability of
the information reported in selected system components, disclosed
no discrepancies between what was being reported and what
supporting system documentation showed actual progress to be.

Effective Management Structure and Processes Are Key to Customs'
Success

Our Year 2000 guides provide a framework for effective Year 2000
program management. Collectively, they define a comprehensive set
of program management controls for planning, directing,
monitoring, and reporting on Year 2000 efforts.

Customs' program management structures and processes are entirely
consistent with our guidance, and Customs' good progress to date
is largely attributable to this program management capability.
Along these lines, Customs has done the following.

 Established a Year 2000 Program Office and designated a Year 2000
Program Manager in May 1997 and charged the office with authority
over and responsibility for agencywide Year 2000 efforts,
including such functional areas as Year 2000 contracting,
budgeting and planning, technical support to project teams,
quality assurance, auditing, and reporting.  Engaged its senior
executives in the Year 2000 effort by charging the

agency's Executive Council 6 with approving and overseeing the
implementation of the Year 2000 strategy and resolving such issues
as institutional Year 2000 priorities.  Developed a Year 2000
Strategic Plan and Year 2000 Operational

Program Management Plan in June 1998, which (1) identified
organizational roles and responsibilities, (2) established
schedules for completing each program phase and described the
tasks to be completed under each phase, (3) established reporting
requirements to track progress in the various phases, (4) defined
performance measures, and (5) estimated and allocated resources
for the tasks and system activities within these phases.  Issued
policies, guidelines, and procedures for managing and

implementing the Year 2000 program, including guidance on quality
6 The Council is co- chaired by the Chief Information Officer and
the Chief Financial Officer and includes the Year 2000 project
managers as members.

Page 5 GAO/T-AIMD-99-85

assurance, configuration management, and testing as well as
business continuity and contingency planning.

To ensure that the plans, policies, and guidelines are being
implemented, the Year 2000 program manager is (1) holding weekly
status meetings with the Year 2000 Program Office staff and the
project teams, (2) tracking, prioritizing, and managing the risks
associated with the IT and non- IT system conversion efforts, (3)
overseeing and managing budget- related issues, and (4) conducting
internal audit reviews to monitor and assess the implementation of
established Year 2000 procedures. The Program Office is also
tracking progress against plans and identifying issues that may
affect its strategy using a central database it developed.

Structured and disciplined processes have also been implemented
for the testing phase of Customs' Year 2000 effort. This is
important since Customs' key mission- critical systems run
hundreds of interdependent applications, and must interface with
thousands of external systems. In particular, Customs designated a
Year 2000 test manager for missioncritical IT systems and assigned
this manager authority and responsibility for key testing
activities, such as defining exit criteria, designing and planning
the tests, and executing the tests. It also established in its
Year 2000 Application Testing Strategy and Plan an agencywide
definition of Year 2000 compliance; engaged an independent
verification and validation (IV& V) agent to ensure that process
standards have been followed and that software products perform as
intended; provided for ensuring that vendorsupported IT and non-
IT products have been tested and that they are Year 2000
compliant; and established a Year 2000 test environment. These
controls and processes have enabled Customs to meet milestones
recommended by OMB for renovating and validating mission- critical
systems and to allow time to conduct end- to- end tests.

Finally, Customs has implemented sound management processes for
developing business continuity and contingency plans that help
Customs to mitigate the risks associated with unexpected internal
and uncontrollable external failures. Specifically, Customs
established a business continuity work group; developed a high-
level business continuity planning strategy; developed a master
schedule and milestones; implemented a risk management process and
established a reporting system; and implemented quality assurance
reviews. It then performed a business impact analysis to determine
the effect that failures of mission- critical information systems
have on the viability and effectiveness of agency core business
processes. By defining disruption scenarios and assessing
business, legal, and

Page 6 GAO/T-AIMD-99-85

regulatory risks for major business processes, this analysis
provided Customs the information needed to develop contingency
plans for continuity of operations. Customs is now in the
processes of testing its contingency plans and it plans to
complete contingency plan testing, including plans for non- IT
systems, by June 1999.

Important Challenges Still Face Customs in Months to Come

Notwithstanding either Customs' good progress to date or the
effectiveness of its program management controls, Customs still
has very important and challenging tasks to complete to
effectively reduce its chances of serious business disruptions. In
particular, Customs still needs to conduct end- toend testing of
the systems that support important trade missions. These tests
will be particularly challenging since Customs has hundreds of
business partners and their respective systems. Additionally,
Customs still needs to complete its contingency plans for ensuring
continuity of its core business areas in the event of Year 2000-
induced system failures. For Customs, this is especially
challenging because it involves 42 distinct lines of business that
cut across Customs' organization units, and it involves over 300
organizational units that are located throughout the United
States, each with its own unique and localized Year 2000 readiness
issues.

Moreover, Customs, like most organizations, faces serious risks
outside of its control. For example, Customs' depends on public
infrastructure systems, such as those that provide power, water,
transportation, and voice and data telecommunications. Given the
number of Customs ports of entry throughout the United States,
even localized disruptions in infrastructurerelated services could
seriously affect Customs business operations. As Customs works to
develop, test, and complete its contingency plans, it must ensure
that these localized event scenarios are adequately addressed.

Customs Recognizes That Management Improvements Made to Address
the Year 2000 Problem Can Provide Future Benefits

For federal agencies, the lessons to be learned from the Year 2000
problem are significant. Long- standing organizational weaknesses
in managing information technology contributed to both the size of
the federal government's Year 2000 problem and agencies' ensuing
difficulties in addressing it. That is, agencies' unsuccessful
attempts to modernize their information systems over the last 5
years have forced them to continue to maintain and rely on
antiquated, poorly documented, noncompliant systems. The result
was large inventories of noncompliant systems that the agencies
had to quickly repair, replace, or retire in order to be century
date ready. The Internal Revenue Service, with its well-
chronicled history of

Page 7 GAO/T-AIMD-99-85

modernization difficulties and its mammoth Year 2000 problem,
vividly illustrates this point.

Additionally, to address the Year 2000 problem, agencies chose to
employ the same weak information technology management structures
and processes that have contributed to their system modernization
problems. Our reports and testimonies over the last 5 years have
highlighted these weaknesses in major modernization programs. 7
These weaknesses include the lack of chief information officer
authority over agencies' IT resources, the absence of complete and
enforced systems architectures, the lack of mature software
development and acquisition processes, and the failure to make
informed IT investment decisions. Because of these weaknesses, we
have designated certain modernization efforts, such as the Federal
Aviation Administration's air traffic control modernization and
the Internal Revenue Service's tax systems modernization, as high-
risk federal programs. 8

Customs did not adopt a business- as- usual approach to solving
the Year 2000 problem. Using our Year 2000 guidance, Customs
defined and implemented effective management structures and
processes, as this testimony has described. The result is a Year
2000 program that is on schedule and has plans and management
controls in place for completing remaining tasks. As important,
Customs' Commissioner has also committed to leveraging the
agency's Year 2000 experience by extending the level of project
management discipline and rigor being employed on Year 2000 to
other information technology programs and projects. By doing so,
Customs could greatly strengthen its information technology
management capabilities.

In conclusion Mr. Chairman, we are cautiously optimistic about
Customs' Year 2000 program. We are optimistic because of Customs'
progress to date

7 Tax System Modernization: Management and Technical Weaknesses
Must Be Corrected If Modernization Is to Succeed (GAO/AIMD-95-156,
July 26, 1995); Tax Systems Modernization: Actions Underway but
IRS Has Not Yet Corrected Management and Technical Weaknesses
(GAO/AIMD-96-106, June 7, 1996); and Tax Systems Modernization:
Blueprint Is a Good Start but Not Yet Sufficiently Complete to
Build or Acquire Systems (GAO/ AIMD/ GGD- 98- 54, February 24,
1998); Air Traffic Control: Immature Software Acquisition
Processes Increase FAA System Acquisition Risks (GAO/AIMD-97-47,
March 21, 1997); Air Traffic Control: Complete and Enforced
Architecture Needed for FAA Systems Modernization (GAO/AIMD-97-30,
February 3, 1997); and Air Traffic Control: Improved Cost
Information Needed to Make Billion Dollar Modernization Investment
Decisions (GAO/AIMD-97-20, January 22, 1997).

8 High- Risk Series: An Update (GAO/HR-99-1, January 1999); High-
Risk Series: Information Management and Technology (GAO/HR-97-9,
February 1997); and High- Risk Series: An Overview (GAO/HR-95-1,
February 1995).

Page 8 GAO/T-AIMD-99-85

and its effective program management controls. We are cautious
because important tasks remain, and because Customs, like all
organizations, depends on others in order to fulfill its mission
responsibilities.

This concludes my statement. I would be glad to respond to any
questions that you or other Members of the Committee may have at
this time.

(511139) Letter

Ordering Information The first copy of each GAO report and
testimony is free. Additional copies are $2 each. Orders should be
sent to the following address, accompanied by a check or money
order made out to the Superintendent of Documents, when necessary,
VISA and MasterCard credit cards are accepted, also.

Orders for 100 or more copies to be mailed to a single address are
discounted 25 percent.

Orders by mail: U. S. General Accounting Office P. O. Box 37050
Washington, DC 20013

or visit: Room 1100 700 4th St. NW (corner of 4th and G Sts. NW)
U. S. General Accounting Office Washington, DC

Orders may also be placed by calling (202) 512- 6000 or by using
fax number (202) 512- 6061, or TDD (202) 512- 2537.

Each day, GAO issues a list of newly available reports and
testimony. To receive facsimile copies of the daily list or any
list from the past 30 days, please call (202) 512- 6000 using a
touchtone phone. A recorded menu will provide information on how
to obtain these lists.

For information on how to access GAO reports on the INTERNET, send
an e- mail message with info in the body to:

info@ www. gao. gov or visit GAO's World Wide Web Home Page at:
http:// www. gao. gov

United States General Accounting Office Washington, D. C. 20548-
0001

Official Business Penalty for Private Use $300

Address Correction Requested Bulk Rate

Postage & Fees Paid GAO Permit No. GI00

*** End of document. ***