Year 2000 Audit Guideline

In an effort to provide direction regarding Year 2000 control issues, along with demonstrating an application of the COBIT® framework to specific issues, the following is a sample audit guideline in the COBIT format for ensuring Year 2000 compliance. It is not meant to be a complete review of Year 2000 issues but is offered for guidance. Contributed by Mr. Robert Parker, Past ISACA International President and excerpted from COBIT.

Year 2000 Compliance

Control Objectives:

  1. Ensure that all application programs are Year 2000 compliant
  2. Ensure that all hardware and systems software is Year 2000 compliant
  3. Ensure that plans are in place to monitor Year 2000 compliance and effect timely response where necessary

Both high level and detailed control objectives are audited by:

Obtaining an understanding by:

Interviewing:

  • Chief Financial Officer
  • Chief Information Officer
  • Selected members of the Information Services Function Steering Committee
  • Chair of the organization's Year 2000 special sub-committee
  • Information Services Function management responsible for Year 2000 initiatives
  • Information Services Function personnel responsible for hardware, system software and application systems
  • Information Services Function personnel responsible for implementing, and delivering on, the Year 2000 initiatives
  • Users responsible for electronic commerce applications

Obtaining:

  • The organization's Year 2000 plan including specific timing and budgeted costs
  • The organization's Year 2000 assessment report
  • Information Services Function's analysis of the effort required to become Year 2000 compliant, categorized by application, systems program and utility and hardware device
  • Information on vendor Year 2000 compliance certification and anticipated compliance date, if not yet compliant
  • Minutes of the Year 2000 special sub-committee meetings
  • Relevant industry initiatives to address industry-wide issues (e.g., electronic commerce)

Evaluating the controls by:

Considering whether:

  • The organization has conducted a review of their use of information technology, including preparing an appropriate inventory, and adequately assessed potential and specific Year 2000 problems
  • The organization has established a plan for ensuring that their systems are Year 2000 compliant and has provided sufficient time for complete compliance
  • The organization has developed specific plans to assess legacy systems which may not have sufficient documentation or source code to enable their modification to become Year 2000 compliant
  • The organization deals electronically with suppliers (EDI, EFI, etc.) and whether they require them to become Year 2000 compliant, including appropriate certification
  • The quality of the existing documentation is sufficient to enable the organization to become Year 2000 compliant
  • The operating systems and other software are certified as Year 2000 compliant
  • The organization has used '99' as a default in designing systems, particularly retention policies (e.g., 99365 to specify non-delete retention of archived files)
  • The organization has adopted a policy requiring all new software to be certified Year 2000 compliant
  • The organization has ensured that software license agreements permit them to use the software at alternate sites for Year 2000 testing
  • The organization has sufficient skills to undertake and complete the planned Year 2000 initiatives, including validation testing, in the required time
  • The organization has acquired and validated software products to assist in implementing their Year 2000 program
  • The organization is relying, or will rely, on outside resources to complete its Year 2000 plan and whether such resources are already under contract
  • The organization's Year 2000 plan includes computer-controlled devices, such as doors, alarms, elevators, security codes, passes, fax machines, etc.
  • The organization will likely avoid a 'going concern' problem given the current Year 2000 plan and the status of any Year 2000 initiatives
  • The organization will likely avoid corporate governance reporting problems given its current Year 2000 plan and the status of any Year 2000 initiatives

Assessing the compliance by:

Testing that:

  • The inventory of applications, utilities, APIs, etc., is complete and accurate and that the status of Year 2000 compliance is correct
  • The Year 2000 plans are complete, reasonable and achievable and are appropriately managed
  • Electronic interfaces with suppliers are Year 2000 compliant
  • Documentation is adequate to enable the organization to assess, update and test all programs required to make the organization Year 2000 compliant
  • Manufacturers, vendors and other suppliers have certified their products as being Year 2000 compliant and records of such certification are maintained
  • For Year 2000 certified products, the organization has conducted appropriate tests in their regular/usual processing environment, including communications
  • The use of '99' defaults has been appropriately addressed
  • The organization's policies, procedures and standards reflect Year 2000 requirements and are complied with
  • All current software and hardware license agreements specify Year 2000 compliance and/or a Year 2000 compliance target date has been specified by the vendor/supplier
  • The organization has included sufficient training time for all Information Services Function employees to ensure they have the skills to support the organization's Year 2000 initiatives
  • Software license agreements permit the organization to perform Year 2000 tests at sites other than the primary license location
  • The organization's Year 2000 initiatives include appropriate testing and validation, including a complete systems test, and that appropriate remote sites have been secured for simulating remote processing and communications environments, and the conduct of such a test
  • The plan encompasses devices in addition to the computer systems
  • The plan is likely to enable the organization to continue its regular business activities uninterrupted, after the Year 2000
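The '99' default raised in the evaluation step above and tested in this section is easy to check mechanically. The following Python script is an added illustration, not part of the guideline: it resolves YYDDD retention dates from a constructed catalogue export and flags rows where the 99365 'never delete' sentinel would, once the calendar has passed 31 December 1999, read as an already-expired file. The catalogue layout and the century pivot window are assumptions.

```python
from datetime import date, timedelta

# Constructed sample catalogue export: dataset name and expiry in YYDDD
# form (two-digit year plus day-of-year), a common retention-date layout.
SAMPLE_CATALOG = """\
PAYROLL.MASTER    99365
GL.ARCHIVE.1997   99365
TAX.EXTRACT.Q4    00015
LOG.DAILY         98330
"""
# 99365 is the '99' default the guideline names; any other 'never delete'
# sentinel a site uses is an assumption to add here.
PERMANENT_SENTINELS = {"99365"}
PIVOT_YEAR = 50  # assumed century window: yy < 50 -> 20yy, else 19yy

def parse_yyddd(value, pivot=PIVOT_YEAR):
    """Resolve a YYDDD string to a real date, rejecting malformed values."""
    if len(value) != 5 or not value.isdigit():
        raise ValueError(f"not a YYDDD value: {value!r}")
    yy, ddd = int(value[:2]), int(value[2:])
    year = 2000 + yy if yy < pivot else 1900 + yy
    if not 1 <= ddd <= 366:
        raise ValueError(f"day-of-year out of range: {value!r}")
    resolved = date(year, 1, 1) + timedelta(days=ddd - 1)
    if resolved.year != year:  # day 366 in a non-leap year
        raise ValueError(f"day 366 in non-leap year: {value!r}")
    return resolved

def audit_retention(catalog_text, as_of_iso, pivot=PIVOT_YEAR):
    """One finding per catalogue row; 'issue' is None when the row is clean."""
    as_of = date.fromisoformat(as_of_iso)
    findings = []
    for line in catalog_text.splitlines():
        if not line.strip():
            continue
        name, yyddd = line.split()
        try:
            expiry = parse_yyddd(yyddd, pivot)
        except ValueError as exc:
            findings.append({"name": name, "yyddd": yyddd, "expiry": None, "issue": str(exc)})
            continue
        issue = None
        if yyddd in PERMANENT_SENTINELS:
            # 'keep forever' reads as an expiry in the past once the calendar passes it
            issue = ("permanent-retention sentinel now resolves to a past date"
                     if expiry < as_of else
                     "permanent-retention sentinel; confirm it is special-cased")
        findings.append({"name": name, "yyddd": yyddd,
                         "expiry": expiry.isoformat(), "issue": issue})
    return findings
```

Run `audit_retention(SAMPLE_CATALOG, "2000-01-03")` to see the two sentinel-dated archives reported while the genuinely dated rows pass.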

Substantiating the risk of control objectives not being met by:

Performing:

  • Benchmarking of Year 2000 plans, initiatives and current status against similar organizations or appropriate reasonableness criteria
  • A detailed review of the various Year 2000 initiatives, including an assessment of the estimated time, resources provided, skills available and the established budget
  • Reviews of vendor and supplier contracts to assess the degree of Year 2000 compliance
  • Reviews of the organization's Year 2000 tests to assess the compliance of individual systems to meet the organization's Year 2000 requirements
  • Reviews of Year 2000 outsourcing contracts to assess the contract terms and deliverables

Identifying:

  • Unrealistic or over-ambitious Year 2000 plans and initiatives
  • Insufficient Year 2000 funding, resource allocations, personnel and skills
  • Inadequate or inappropriate contracting in the area of Year 2000 requirements
  • Inadequate or inappropriate testing of the systems and application programs which have been modified to become Year 2000 compliant
  • Inadequate or inappropriate contracting terms, conditions or timing for vendor supplied software to be made Year 2000 compliant
  • Inadequate or inappropriate testing of third party vendor software which has been 'vendor certified' as being Year 2000 compliant

© 2010 ISACA All rights reserved.