oversight

Year 2000 Computing Crisis: Federal Reserve Has Established Effective Year 2000 Management Controls for Internal Systems Conversion

Published by the Government Accountability Office on 1999-04-09.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                 United States General Accounting Office

GAO              Report to Congressional Requesters




April 1999
                 YEAR 2000
                 COMPUTING CRISIS

                 Federal Reserve Has
                 Established Effective
                 Year 2000 Management
                 Controls for Internal
                 Systems Conversion




GAO/AIMD-99-78
GAO
      United States
      General Accounting Office
      Washington, D.C. 20548                                                                                      Leter




      Accounting and Information
      Management Division


      B-280502                                                                                               Letter



      April 9, 1999

      The Honorable Robert F. Bennett
      Chairman, Subcommittee on Financial
       Institutions
      Committee on Banking, Housing, and
       Urban Affairs
      United States Senate

      The Honorable James A. Leach
      Chairman, Committee on Banking and
       Financial Services
      House of Representatives

      This report addresses the Federal Reserve System’s (FRS) efforts to
      remedy the Year 2000 problem 1 for its internal computer systems and is the
      latest in a series of reports and testimonies responding to your requests to
      review federal financial regulatory agencies’ Year 2000 efforts. 2
      Established by the Federal Reserve Act of 1913, FRS is instrumental to our
      nation’s economic well-being by providing depository institutions and
      government agencies services, such as (1) processing checks,
      (2) transferring funds and federal securities, and (3) auctioning, issuing,
      servicing, and redeeming Treasury securities. If FRS does not effectively
      manage its Year 2000 program, key systems that process trillions of dollars
      could malfunction or fail, potentially causing serious national and
      international financial disruptions.

      The objective of our review was to determine whether FRS has established
      effective management structures and processes for managing and reporting
      on its internal Year 2000 program. To satisfy our objective, we analyzed
      FRS’ Year 2000 program management structures and processes against our



      1
        The Year 2000 problem is rooted in the way dates are recorded and computed in automated
      information systems. For the past several decades, systems have used two digits to represent the year,
      such as “99” representing 1999, to conserve electronic data storage and reduce costs. With this two-
      digit format, however, the Year 2000 is indistinguishable from 1900, or 2001 from 1901, etc. As a result,
      system or application programs that use dates to perform calculations, comparisons, or sorting may
      generate incorrect results or not function at all.

      2
        We previously reported and testified on the Year 2000 oversight efforts of the Federal Deposit
      Insurance Corporation, Federal Reserve System, National Credit Union Association, Office of the
      Comptroller of the Currency, and Office of Thrift Supervision. (See appendix III for a list of these
      products.)




      Page 1                       GAO/AIMD-99-78 Federal Reserve Year 2000 Management Controls
                   B-280502




                   Year 2000 guidance3 to determine if important management controls for
                   increasing Year 2000 readiness and reducing Year 2000 risks were in place.
                   For eight mission-critical systems that support the processing and
                   movement of trillions of dollars in checks, funds, and securities in a
                   majority of FRS’ core business processes used by depository institutions
                   and the federal government, 4 we reviewed supporting documentation to
                   verify that the controls were functioning as intended. Appendix I provides
                   a description of FRS’ core business functions and systems environment.

                   On February 25, 1999, we provided the Chairman of the Board of Governors
                   of the Federal Reserve System with a draft of this report for review and
                   comment. FRS’ comments are discussed in the “Agency Comments”
                   section of this report and are included in appendix II.



Results in Brief   FRS’ Year 2000 progress reports and plans show that its Year 2000 program
                   is on schedule with Office of Management and Budget (OMB) milestones.
                   Further, we found that FRS has effective controls to help ensure that its
                   Year 2000 progress is reported accurately and reliably. We also found that it
                   is effectively managing the renovation and testing of its internal systems
                   and the development and planned testing of contingency plans for
                   continuity of business operations.

                   Despite its progress, FRS has much to accomplish before it is fully ready
                   for January 1, 2000, such as completing validation and implementation of
                   all its internal systems and completing its contingency plans to address
                   both unexpected internal system failures and potential external business
                   partner and public infrastructure system failures. However, FRS has plans
                   for completing remaining tasks, and has implemented management
                   controls to ensure that they are accomplished. While there is no way to
                   guarantee that significant Year 2000-induced business failures will not



                   3
                     Year 2000 Computing Crisis: An Assessment Guide (GAO/AIMD-10.1.14, issued as an exposure draft in
                   February 1997; issued in final in September 1997); Year 2000 Computing Crisis: Business Continuity and
                   Contingency Planning (GAO/AIMD-10.1.19, issued as an exposure draft in March 1998; issued in final in
                   August 1998); Year 2000 Computing Crisis: A Testing Guide (GAO/AIMD-10.1.21, issued as an exposure
                   draft in June 1998; issued in final in November 1998).

                   4
                     Integrated Accounting System, Bulkdata File Transfer System, Check Processing System for the Dallas
                   Reserve Bank, Funds Transfer System, National Book Entry System, Treasury Direct, Electronic Tax
                   Application, and Fed Automated Clearing House. (See the scope and methodology section of this
                   report for a description of these systems.)




                   Page 2                      GAO/AIMD-99-78 Federal Reserve Year 2000 Management Controls
                         B-280502




                         occur, if FRS implements its plans, it will have effectively reduced the risk
                         of such failures.



FRS Has Reported         FRS’ reported status of its Year 2000 efforts meets OMB milestones. As of
                         December 1998, FRS reported that renovation of mission-critical internal
Meeting OMB Year         systems was complete and that over 75 percent of these systems have been
2000 Milestones          validated as Year 2000 compliant. FRS’ plans call for implementing all of its
                         validated mission-critical systems, i.e., moving them back into production,
                         by OMB’s Year 2000 implementation milestone of March 31, 1999. FRS also
                         plans to develop (1) contingency plans for ensuring continuity of business
                         operations and (2) plans for supporting event management by the end of
                         March 1999--and to test these plans beginning in April 1999.



FRS Is Effectively       FRS has established and implemented effective Year 2000 management
                         controls, including structures and processes for overall program
Managing Its Year 2000   management, system renovation and testing, and contingency planning for
Program                  continuity of business operations, as described in our Year 2000 guides.
                         For example, FRS (1) has assigned management authority and
                         responsibility for Year 2000 activities, (2) has defined Year 2000 compliance
                         criteria, (3) is engaging independent verification and validation agents,
                         (4) has issued Year 2000 test guidance specifying, among other things, the
                         types of tests to be conducted (e.g., unit, integration, system acceptance,
                         and end-to-end), (5) is actively managing risks, and (6) is analyzing existing
                         emergency and disaster recovery plans and augmenting them to address
                         Year 2000 contingencies. FRS is also ensuring that its management
                         controls are operating as intended. Specifically, our analysis of renovation
                         and testing activities on selected components of the eight aforementioned
                         mission-critical systems demonstrated that FRS’ Year 2000 policies,
                         procedures, and guidance governing such things as test plans, conditions,
                         outputs, and documentation, were being satisfied.



FRS Has Established      FRS has established and implemented effective controls to help ensure that
                         its Year 2000 reports are accurate and reliable. For example, FRS has
Effective Structures     defined the frequency, format, and content of the Year 2000 information to
and Processes for Year   be reported. Also, the program office periodically reviews the reports’
                         contents to determine that the reporting requirements are satisfied and that
2000 Reporting           inaccurate or obsolete data are removed. In addition, the general auditors
                         at each reserve bank independently review the status and reported



                         Page 3               GAO/AIMD-99-78 Federal Reserve Year 2000 Management Controls
              B-280502




              progress of Year 2000 projects at their banks for compliance with the
              program office policies, procedures, guidance, and plans. For example, the
              general auditor’s compliance review of the Electronic Tax Application at
              the Minneapolis Reserve Bank disclosed only two minor documentation
              issues that the bank subsequently resolved.

              To determine if FRS’ reporting controls were functioning as intended, we
              analyzed internal reports on the status of selected components of the eight
              aforementioned mission-critical systems against FRS’ reporting
              requirements and found that the reports were complete. Also, we traced
              the reported status information back to supporting documentation and
              found no discrepancies or inaccuracies.



Scope and     To assess FRS’ management structures and processes, we reviewed FRS'
              Year 2000 program management plans, guidance, procedures, and
Methodology   organizational structures relating to Year 2000 renovation, testing,
              contingency planning, reporting, quality assurance/independent
              verification and validation, and risk management, and compared them to
              GAO’s Year 2000 guides. In particular, we analyzed the following: Year 2000
              project plan, test strategy, technical reference manual, risk assessment,
              guiding principles, contingency policies and guidelines, business
              resumption plan guidance, and a variety of documents maintained on the
              FRS Year 2000 intranet web site.

              We then reviewed system documentation to determine whether
              remediation and reporting requirements specified in FRS' plans,
              procedures, and guidance were being satisfied for selected components of
              eight of FRS’ mission-critical systems. More specifically, we judgmentally
              selected at least 10 software components for each of the 8 systems and
              compared internal Year 2000 status reports on each to supporting project
              documentation.5 For these system components, we reviewed relevant Year
              2000 documentation, including project plans, schedules, and status reports;
              test plans, test scripts, and test results; source code; configuration
              management plans; quality assurance plans and reports; audit reports; and
              approvals for moving renovated code back into production.



              5
                We did not statistically sample FRS system components. Instead, we selected components that
              satisfied one or more of the following criteria: critical to the system’s ability to function as intended,
              large in terms of software size, and recently completed testing.




              Page 4                        GAO/AIMD-99-78 Federal Reserve Year 2000 Management Controls
B-280502




The systems that we reviewed were:

• Integrated Accounting System, the system that maintains the general
  ledger and processes all accounting entries for FRS;
• Bulkdata File Transfer System, the file transfer utility used by FRS to
  exchange data between FRS applications and with depository
  institutions and government entities;
• Check Processing System for the Dallas Reserve Bank, one of the 12
  unique FRS check systems;
• Fedwire Funds Transfer System, an electronic payment system used by
  depository institutions and the U.S. Treasury for the transfer of large-
  dollar6 amounts, including certain federal government receipts and
  disbursements;
• National Book Entry System, a consolidated book-entry securities 7
  processing system that (1) maintains the commercial book-entry
  securities accounts of depository institutions and certain governmental
  entities and (2) transfers securities to and from participating
  institutions, including the U.S. Treasury;
• Treasury Direct, a system of book-entry securities accounts for
  institutions and individuals that allows individuals and institutions to
  hold their securities directly with the Treasury;
• Electronic Tax Application, an automated system by which businesses
  report and pay federal taxes on the day they are due through their
  depository institutions, which forward the data to the Treasury through
  the reserve banks; and
• Fed Automated Clearing House, a nationwide system designed for the
  electronic exchange of low-dollar, repetitive retail payments between
  participating depository institutions as a substitute for paper checks.

We selected these systems because they are mission-critical systems that
support a majority of the FRS core business processes used by depository
institutions and the federal government. Collectively these processes
provide cash; process checks; make electronic payments and settlements;
receive tax receipts; maintain accounts; and issue, transfer, and redeem
federal securities.


6
  According to FRS, the average 1998 funds transaction was about $3.35 million, with daily averages of
about 390,000 transactions totaling over $1.3 trillion.

7
  Book-entry securities are marketable securities in electronic form issued primarily by the federal
government. According to FRS, the 1998 average book-entry transaction was about $13.8 million, with
daily averages of over 57,000 transactions totaling nearly $785 billion.




Page 5                      GAO/AIMD-99-78 Federal Reserve Year 2000 Management Controls
                  B-280502




                  To supplement our documentation review, we also interviewed officials
                  from the Board of Governors of the FRS and at the Federal Reserve Banks
                  of Boston, Dallas, New York, Minneapolis, Philadelphia, and San Francisco.
                  Interviewees included staff from audit, program management, project
                  management, reserve bank management, and technical services.

                  Our audit work was performed from May 1998 through March 1999 in
                  accordance with generally accepted government auditing standards.



Agency Comments   In its comments on a draft of this report, FRS agreed with the report’s
                  findings and conclusions. FRS also stated that during the remainder of
                  1999, its highest priority is to complete and rigorously test its contingency
                  plans.


                  We are sending copies of this report to Senator Richard Bryan, Senator
                  Christopher Dodd, Senator Phil Gramm, Senator Paul Sarbanes,
                  Representative Stephen Horn, Representative John LaFalce, and
                  Representative Jim Turner, in their capacities as the Chair, Vice Chair, or
                  Ranking Minority Member of Senate and House Committees and
                  Subcommittees. We are also sending copies to: The Honorable Robert
                  Rubin, Secretary of the Treasury; The Honorable Alan Greenspan,
                  Chairman, Board of Governors of the Federal Reserve System; The
                  Honorable John D. Hawke, Jr., Comptroller of the Currency; The Honorable
                  Donna Tanoue, Chairman, Federal Deposit Insurance Corporation; The
                  Honorable Ellen Seidman, Director, Office of Thrift Supervision; The
                  Honorable Norman E. D’Amours, Chairman, National Credit Union
                  Administration; The Honorable John Koskinen, Chair, President's Council
                  on Year 2000 Conversion; The Honorable Jacob Lew, Director, Office of
                  Management and Budget; and The Honorable Barry Snyder, Inspector
                  General, Federal Reserve Board. Copies will also be made available to
                  others upon request.




                  Page 6               GAO/AIMD-99-78 Federal Reserve Year 2000 Management Controls
B-280502




If you or your staffs have any questions about this report please contact me
at (202) 512-6240 or by e-mail at hiter.aimd@gao.gov. Major contributors to
this report are listed in appendix IV.




Randolph C. Hite
Associate Director
Governmentwide and Defense
  Information Systems




Page 7              GAO/AIMD-99-78 Federal Reserve Year 2000 Management Controls
Contents



Letter                                                                                                1


Appendix I                                                                                           10
Description of FRS’
Core Business
Functions and Systems
Environment

Appendix II                                                                                          12
Comments From the
Federal Reserve
System

Appendix III                                                                                         13
GAO Reports and
Testimonies on Federal
Depository Institutions
Regulators’ Year 2000
Preparations

Appendix IV                                                                                          14
Major Contributors to
This Report


                          Abbreviations

                          FRAS     Federal Reserve Automation Services
                          FRS      Federal Reserve System
                          OMB      Office of Management and Budget



                          Page 8           GAO/AIMD-99-78 Federal Reserve Year 2000 Management Controls
Page 9   GAO/AIMD-99-78 Federal Reserve Year 2000 Management Controls
Appendix I

Description of FRS’ Core Business Functions
and Systems Environment                                                                                                   AppIexndi




               FRS’ mission is to provide a safe, flexible, and stable monetary and
               financial system for the country. To accomplish its mission, FRS has
               established core business functions and organized its operations to
               (1) conduct monetary policy, (2) maintain the stability of financial markets,
               (3) provide services to financial institutions and other governmental
               agencies, and (4) supervise and regulate banks and bank-holding
               companies. Each of these business functions is described below.

               • In conducting monetary policy, the Federal Reserve carries out activities
                 to influence the money supply and credit conditions in pursuit of full
                 employment and stable prices. For example, FRS affects the money
                 supply by buying and selling U.S. securities in the open market (known
                 as open-market operations). FRS also buys and sells foreign currencies
                 and securities to affect the dollar’s exchange rate and help stabilize
                 financial markets internationally.
               • In maintaining the stability of financial markets, FRS increases the
                 liquidity of markets by temporarily supplying extra reserves to the
                 banking system through open-market operations and lends funds to
                 financial entities through its discount window operations. FRS also
                 safeguards the integrity and efficiency of the nation’s payment systems.
               • In assisting financial institutions, FRS provides such services as check-
                 clearing and processing and electronic funds transfers between
                 financial institutions. For example, FRS reported in 1998, that it made a
                 daily average of about 390,000 Fedwire electronic funds transfers--
                 totaling over $1.3 trillion--between financial institutions. FRS also
                 provides services for the U.S. Department of the Treasury and other
                 agencies. For instance, it distributes and receives Federal Reserve
                 notes (paper money) and coins, holds U.S. securities to back its notes,
                 and ensures that enough currency and coins are in circulation to meet
                 public demand. It also auctions, issues, and redeems Treasury securities
                 (e.g., bills, notes, and bonds) used to fund federal government
                 operations.
               • In supervising and regulating financial institutions, FRS oversees
                 (1) more than 5,000 U.S. bank-holding companies, (2) 994 state
                 chartered banks that are members of the Federal Reserve, (3) 15 Edge
                 Act1 and agreement corporations, (4) the foreign activities of member
                 banks, and (5) the U.S. operations of 256 foreign banks. It does this by


               1
                 Edge Act corporations are corporations chartered by FRS to engage in international banking activities.
               The Board of Governors of FRS reviews and approves the applications to establish Edge Act
               corporations and also has supervisory responsibility for examining the corporations and their
               subsidiaries.




               Page 10                     GAO/AIMD-99-78 Federal Reserve Year 2000 Management Controls
Appendix I
Description of FRS’ Core Business Functions
and Systems Environment




    establishing standards for the safe and sound operation of financial
    institutions and examining institutions to ensure these standards are
    followed. As part of this effort, FRS ensures that institutions are
    adequately mitigating Year 2000 risks. 2

To perform these functions, FRS relies extensively on information
technology and has a Federal Reserve Automation Services (FRAS)
organization to provide mainframe data processing and network services to
the 12 Federal Reserve Banks. FRAS operates three data centers—located
at the New York, Richmond, and Dallas Federal Reserve Banks—
supporting 61 applications that are used by all Reserve Banks, such as the
Fedwire Funds Transfer System. These data centers also support another
50 applications that are used by selected Reserve Banks. Depository
institution and Reserve Bank users access these applications and data via
the FEDNET telecommunications system, which is controlled and
operated by FRAS’ primary network operations center in Richmond,
Virginia, and its alternate network operations center in Chicago, Illinois.




2
  Our work on FRS’ Year 2000 oversight of financial institutions found that FRS was taking the Year 2000
problem very seriously and had devoted considerable resources and effort to ensure that the
institutions it oversees mitigate Year 2000 risks. (See Year 2000 Computing Crisis: Federal Reserve Is
Acting to Ensure Financial Institutions Are Fixing Systems, But Challenges Remain (GAO/AIMD-98-248,
September 17, 1998).)




Page 11                     GAO/AIMD-99-78 Federal Reserve Year 2000 Management Controls
Appendix II

Comments From the Federal Reserve System                                               ApIpexndi




              Page 12   GAO/AIMD-99-78 Federal Reserve Year 2000 Management Controls
Appendix III

GAO Reports and Testimonies on Federal
Depository Institutions Regulators’ Year 2000
Preparations                                                                                      AIpIexndi




               Year 2000 Computing Crisis: Federal Depository Institution Regulators Are
               Making Progress, but Challenges Remain (GAO/T-AIMD-98-305,
               September 17, 1998).

               Year 2000 Computing Crisis: Federal Reserve Is Acting to Ensure Financial
               Institutions Are Fixing Systems, But Challenges Remain (GAO/AIMD-98-
               248, September 17, 1998).

               Year 2000 Computing Crisis: Federal Regulatory Efforts to Ensure Financial
               Institution Systems Are Year 2000 Compliant (GAO/T-AIMD-98-116,
               March 24, 1998).

               FDIC’s Year 2000 Preparedness (GAO/AIMD-98-108R, March 18, 1998).

               Year 2000 Computing Crisis: Office of Thrift Supervision’s Efforts to Ensure
               Thrifts’ Systems Are Year 2000 Compliant (GAO/T-AIMD-98-102, March 18,
               1998).

               Year 2000 Computing Crisis: Federal Deposit Insurance Corporation’s
               Efforts to Ensure Bank Systems are Year 2000 Compliant (GAO/T-AIMD-98-
               73, February 10, 1998).

               Year 2000 Computing Crisis: Actions Needed to Address Credit Union
               Systems Year 2000 Problem (GAO/AIMD-98-48, January 7, 1998).

               Year 2000 Computing Crisis: National Credit Union Administration’s Efforts
               to Ensure Credit Union Systems Are Year 2000 Compliant (GAO/T-AIMD-
               98-20, October 22, 1997).




               Page 13             GAO/AIMD-99-78 Federal Reserve Year 2000 Management Controls
Appendix IV

Major Contributors to This Report                                                                        ApV
                                                                                                           Ienxdi




Accounting and         Keith Rhodes, Technical Director
                       Gary Mountjoy, Assistant Director
Information            Ronald Hess, Assistant Director
Management Division,
Washington, D.C.

Atlanta Field Office   Carl Higginbotham, Assistant Director
                       Tonia Brown, Senior Evaluator




(511124)      eL
               rtet    Page 14            GAO/AIMD-99-78 Federal Reserve Year 2000 Management Controls
Ordering Information
The first copy of each GAO report and testimony is free.
Additional copies are $2 each. Orders should be sent to the
following address, accompanied by a check or money order made
out to the Superintendent of Documents, when necessary, VISA and
MasterCard credit cards are accepted, also.
Orders for 100 or more copies to be mailed to a single address are
discounted 25 percent.
Orders by mail:
U.S. General Accounting Office
P.O. Box 37050
Washington, DC 20013
or visit:
Room 1100
700 4th St. NW (corner of 4th and G Sts. NW)
U.S. General Accounting Office
Washington, DC
Orders may also be placed by calling (202) 512-6000
or by using fax number (202) 512-6061, or TDD (202) 512-2537.
Each day, GAO issues a list of newly available reports and
testimony. To receive facsimile copies of the daily list or any list
from the past 30 days, please call (202) 512-6000 using a touchtone
phone. A recorded menu will provide information on how to obtain
these lists.
For information on how to access GAO reports on the INTERNET,
send an e-mail message with “info” in the body to:
info@www.gao.gov
or visit GAO’s World Wide Web Home Page at:
http://www.gao.gov
United States                       Bulk Rate
General Accounting Office      Postage & Fees Paid
Washington, D.C. 20548-0001           GAO
                                 Permit No. GI00
Official Business
Penalty for Private Use $300

Address Correction Requested