Executive Summary

Objectives and Scope

Background

Results

Detailed Objectives and Scope of Review

As part of our audit coverage of the Service’s Year 2000 conversion effort, we conducted a follow-up review on the corrective actions associated with the century Date change (cDc) Project Office’s Phase III implementation. These corrective actions resulted from management’s response to Internal Audit recommendations as well as management initiatives undertaken after the Phase III implementation. We examined actions scheduled for completion by June 30, 1998.

Our review identified 32 corrective actions. Of these, 21 were completed on time. Nine other actions were not completed by June 30, 1998 while two others were completed by June 30, 1998, but after a delay of three months. Those actions that we considered critical are discussed below.

Our analysis identified three significant issues that still need to be resolved. One of these concerns the standard for the use of PIc(9) for date fields. In our initial review, we found components with the date field defined as a character field (‘PIc X’) and not as a numeric field (‘PIc 9’). The cDc Project Office is aware of the delay in issuing this standard and discussed the issue at the Executive Steering committee meeting in July 1998. There are two additional issues requiring management attention.

In a memorandum dated December 3, 1997, Internal Audit recommended that the cDc Project Office coordinate the development and issuance of documented procedures for recompiling all Service programs after related system macros are modified. Management, in its response to the memorandum, agreed to deal with this issue as part of an analysis of the process for developing and disseminating Systems Information Bulletins (SIB). This analysis was to be conducted during their internal review of the century Date change Phase III Implementation. The actions resulting from this effort did not, however, provide any additional guidance regarding the recompiling of Service programs after related system macros are modified.

The cDc Project Office has requested an additional four months to ensure that all Service functions develop test plans, test results, Source code compliance Forms and Unit Test checklists for all Tier I, II and III cOTS products. The original implementation date for this corrective action was June 1, 1998. The effective date for this corrective action has been postponed until October 1, 1998, to coincide with the completion of a self-certification process introduced by Product Assurance on July 8, 1998. Although Product Assurance plans to review a 5% sample of the self-certification documents before October 1, this review will focus on the existence of documents and is not directed at evaluating the quality of the documentation and the effectiveness of the testing. Because of the schedule for the end-to-end test (Test 1 in July/August 1998 and Test 2 in November 1998), the offices responsible for systems and cOTS products need to provide adequate evidence before October 1, 1998, that vital cOTS products included in the end-to-end test have been tested for Year 2000 compliance.

The following recommendations require additional attention to correct the original condition.

At the time of this final report we had not received management’s response. We were informed that management is developing actions to address our concerns and will provide us with a written description of their proposed corrective actions at a later date.

Due to the criticality of the Service’s Year 2000 effort, we conducted a follow-up review on the corrective actions in association with the century Date change (cDc) Project Office’s Phase III implementation. We examined actions scheduled for completion by June 30, 1998. This list of actions includes those resulting from recommendations made by Internal Audit, Booz, Allen and Hamilton, and a self assessment conducted by the cDc Project Office. With the January 31, 1999 deadline for conversion approaching, the need for timely implementation of corrective actions is imperative.

The overall objective for this review was to assess the initial efforts of the cDc Project Office to implement corrective actions in response to various Year 2000 related reviews. The review followed generally accepted government auditing standards.

At the time of this final report we had not received management’s response. We were informed that management is developing actions to address our concerns and will provide us with a written description of their proposed corrective actions at a later date.

As part of our ongoing evaluation of the Year 2000 testing and conversion efforts, Internal Audit conducted a code review of components scheduled for conversion in Phase III of the century Date change (cDc) Project Office’s five phase plan. In April 1998, Internal Audit issued a draft report on the Phase III code review, Review of the Service’s Year 2000 conversion and Testing for Phase III. Also in April 1998, the cDc Project Office issued its report Review of century Date change Phase III Implementation. Both of these reports resulted in recommendations agreed to by the cDc Project Office. 

We tracked 32 corrective actions that were scheduled for completion by June 30, 1998.We identified 32 corrective actions due by June 30, 1998, resulting from Internal Audit memoranda and the draft report Review of the Service’s Year 2000 conversion and Testing for Phase III , the cDc Project Office’s Review of century Date change Phase III Implementation, and the Booz, Allen & Hamilton assessment. A summary of the results of our review follows:

• 2 of the 32 corrective actions were incomplete and late. These are corrective actions not completed and without any request or consideration for an extension or revision of the planned implementation date.
• 9 of the remaining 30 corrective actions were not completed by the original implementation date. These included two corrective actions that were completed at the time of our review but were three months past the original implementation date. Also in this group are seven corrective actions that the Project Office has requested additional time to complete, three require an additional five weeks and four will require an additional four months.
• The remaining 21 corrective actions were complete and on-time.

One of the actions not yet completed is a standard defining the use of PIc(9) for date fields. In our initial review, we found components with the date field defined as a character field (‘PIc X’) and not as a numeric field (‘PIc 9’). The cDc Project Office is tracking this action and is aware of the missed implementation date. The Director, cDc Project Office notified the Executive Steering committee of the delay in July 1998.

There are two other issues requiring management’s attention:

In a memorandum dated December 3, 1997, Internal Audit recommended that the cDc Project Office coordinate the development and issuance of documented procedures for recompiling all Service programs after related system macros are modified. The cDc Project Office agreed to the finding and proposed February 26, 1998, as an implementation date for corrective action. In addition, the Project Office agreed to review the development and dissemination of Systems Information Bulletins (SIB) as part of their Review of century Date change Phase III Implementation. In discussions with Project Office personnel, we found that the SIB process was discussed as part of the Review of century Date change Phase III Implementation. However, the SIB process is only considered as an issue within a section entitled "Development coordination" (2.1.8 Issue M8). No specific guidance on system macros is discussed in the report. In addition, outside of the cDc Project Office report, a SIB was not issued regarding the recompiling of Service programs after related system macros are modified. 

Because macros are being converted across the Year 2000 phases, problems with the programs invoking these macros may not be identified until a major Service tax processing system fails to operate correctly. For example, if programs operating these tax processing systems and databases are invoking non-compliant macros, the programs may be erroneously interpreting date information when program calculations require a four digit century date. These problems could exist until the programs are recompiled.

The cDc Project Office has requested an additional four months to ensure that all Service functions develop test plans, test results, Source code compliance Forms and Unit Test checklists for all Tier I, II and III cOTS products. The original implementation date for this corrective action was June 1, 1998.

The cDc Project Office has requested the change in order to align the corrective action date with the due date for internal certification of Phase III components. In a memorandum dated July 8, 1998, the Director, cDc Project Office, and the Director, Product Assurance Division issued a request for the completion of the Year 2000 component self-certification. Attached to that memo were instructions for completing the certification and the self-certification form.

When we initially attempted to review the testing deliverables for Tier I, II and III cOTS products, we were unable to obtain sufficient evidence to assure us they were being tested. Although cOTS products will be tested as part of a system-wide test, each cOTS product should be tested separately to ensure each product is Y2K compliant. The Y2K certification teams could face numerous delays during their system certification efforts if testing of discrete cOTS products is not conducted. Unless test documentation is developed and maintained for the Service’s cOTS products, it is impossible to verify the extent and effectiveness of the testing.

We feel that the completion of testing documentation for Phase III cOTS products should not be tied to the schedule for certifying cOTS products. Although Product Assurance plans to review a 5% sample of the self-certification documents before October 1, 1998, this review will focus on the existence of documents and is not directed at evaluating the quality of the documentation and the effectiveness of the testing.

Because of the schedule for the end-to-end test, the offices responsible for systems and cOTS products need to provide adequate evidence, before October 1, 1998, that cOTS products vital for the end-to-end test have been performed for Year 2000 compliance. Test I of the end-to-end test has already begun (July/August 1998) and will include some of the Phase III cOTS products. Test II, which is scheduled to begin in November 1998, will require a broader range of tested cOTS products. Product Assurance officials have stated they assume all cOTS products will be fully tested by systems owners prior to end-to-end testing.

1. The cDc Project Office should revisit the original Internal Audit recommendation and coordinate the development and issuance of documented procedures for recompiling all Service programs after related system macros are modified.
2. The testing and certification of all cOTS products should be made a priority because of the potential impact these products could have on the end-to-end testing effort currently underway.

Audit Manager

Anthony Knox, IT Auditor

At the request of the chief Inspector, we conducted a follow-up review on the corrective actions scheduled for completion by June 30, 1998. The overall objective of this review was to assess the initial efforts of the century Date change Project Office to implement corrective actions in response to Internal Audit’s report on the Phase III code review. Specifically, during this review we:

1. Determined whether timely action was taken on the corrective actions scheduled for completion by June 30, 1998.

 

2. Determined whether actions taken adequately met the requirements of the recommendations and corrective action.