Rock-Solid Life Insurance Inc.: Auditing Year 2000 Compliance Projects (A)

Prepared by Janis Gogan and Ashok Rao

Professors Janis Gogan and Ashok Rao, with the assistance of Bruce Feinstein, prepared this disguised case solely to provide material for class discussion. The authors do not intend to illustrate either effective or ineffective handling of a managerial situation. Copyright © 2001 by John Wiley & Sons, Inc. All rights reserved.

Introduction

In June 1997 Peter King met with Ben Scott to discuss a recent meeting of the Rock-Solid Life Insurance Inc. Audit Committee of the Board of Directors. In January 1997 King had been appointed Vice President and Internal Auditor. One of his first steps in this role had been to audit each of the three country offices’ (United States, Canada, and Europe) year 2000 compliance projects as of April 1, 1997. As Assistant Vice President for Internal Audit, Ben Scott was responsible for corporate-wide IT auditing. At the June Audit Committee meeting, King reported: “No plans are sufficiently detailed for me to be able to comment on whether adequate progress is being made.” The Audit Committee then requested that King update them at every meeting (in November, February, April, June and September) henceforth.

Company Background

Rock-Solid Life Insurance Inc., headquartered in Topeka, Kansas, was founded in 1892. Its 16,000 employees worldwide were organized into three country offices: United States, Canada, and Europe. Rock-Solid’s 105th Annual Report, 1996 stated:

Today’s business environment is shaped in large part by technological advances in information systems and telecommunications. This presents significant challenges to long-established companies such as Rock-Solid; specifically, technology enables new competitors to enter our traditional business more quickly and easily. We are responding to these pressures by investing in an extensive range of business transformation activities.

The “business transformation activities” included establishing new lines of business in financial services, as well as extensive reengineering of many core business processes (such as policy writing and claims processing). Virtually every initiative gave rise to new or modified information systems. Many of Rock-Solid’s transaction-processing systems (such as for claims processing and accounting) ran on mainframe and midrange computers that were operated by a corporate data center (General Services) in Topeka. A corporate IS Planning group was responsible for identifying opportunities for common hardware, software applications and data standards across country offices.
It took a leadership role on common systems initiatives for the three country offices, involving accounting and operations. Although it offered guidelines for hardware and software acquisition, data administration, and systems development, General Services had limited authority. With the exception of those systems operated by General Services, in recent years each country office had had considerable autonomy regarding its information systems tools and applications. As a result, each had developed, acquired and operated many systems without consideration of other country offices’ choices. In addition, both the U.S. and Canadian country offices had taken a highly decentralized approach to information systems in their business units, giving them considerable autonomy to develop or purchase those systems that best met their needs.

                                   Total          Corporate   General Services   United States   Canada         Europe
Employees                          16,140         750         n/a                7,150           4,930          3,310
Revenue                            $11.4 billion  n/a         n/a                $4.5 billion    $4.2 billion   $2.7 billion
Net Income                         $517 million   n/a         n/a                $237 million    $98 million    $182 million
Total number of applications [1]   1898           318         710                458             334            78

[1] Does not include all user-developed applications.

Initial Year 2000 Compliance Audit: Spring, 1997

Internal Audit’s role was to “provide an objective appraisal of business systems, procedures, and controls, and to assist management in identifying business risks.” As Vice President and Internal Auditor, Peter King reported to Rock-Solid’s Chairman and CEO, Jeremy Mason. Each of the three country offices had a Chief Internal Auditor who reported both to their President and to King. Exhibit A1 outlines the roles of internal auditors, external auditors, and the Audit Committee of the Board.

Rock-Solid Life Insurance (A) Page 2

Soon after he moved into his new role in January 1997, Peter King met with Ben Scott, who expressed concern that the three country offices had not yet put much effort into bringing their systems into year 2000 compliance.
He explained:

Most older transaction-processing systems, and many newer systems, have a problem: dates are coded with 2-digit year fields (i.e., “1997” equals “97”). Those 2-digit years will represent 2000 as “00,” which in turn can cause various calculation problems. For example, in 1999, the age of a person born in 1949 would properly be recorded as “50,” but in 2000, their age would be calculated as a negative 51! The job of fixing this problem involves millions of lines of code, so it will be very time-consuming. The country offices don’t seem to realize how widespread the Year 2000 problem is, or how much time and effort will go into its resolution.

Scott explained that Corporate Information Systems had established a Worldwide Year 2000 Project Management Office, headed by Don Meyer, the Vice President for IS Planning. Each country office was responsible for establishing its own Year 2000 project management office and for formulating its own year 2000 compliance project plan with guidance from Meyer. Scott felt that the country offices did not fully appreciate the urgent need to make progress on their year 2000 compliance initiatives. They did not seem to realize that the corporate deadline for compliance was December 31, 1998 (in order to allow an entire year to fix problems revealed in testing converted systems), and might have an incomplete understanding of the steps that needed to be taken.

Having attended a Year 2000 Awareness seminar conducted by the Institute of Internal Auditors, King agreed with Scott’s suggestion that the country offices should be audited to determine whether they had an adequate organizational structure and project plan in place for achieving year 2000 compliance. King also felt that the Audit Committee of the Board of Directors should be informed of progress on year 2000 compliance. In a meeting with Jeremy Mason, he expressed the view that Don Meyer should provide regular updates to the Audit Committee.
Instead, Mason asked King to provide such an update at the Committee’s meeting in June 1997.

Each IS organization in the three country offices (as well as Corporate MIS and General Services) was notified in January that they should provide Internal Audit with their year 2000 project plans no later than April 1, 1997. Accompanying this memo was a list of items that Audit planned to review (Exhibit A2). In April, Scott and King reviewed the plans.[2] Corporate MIS and General Services had jointly established a year 2000 project office, conducted an impact analysis on their systems, and begun the process of code renovation. General Services had also purchased a separate mainframe for conducting large-scale simulation testing (in which a system clock is set ahead to 1/1/2000). However, they had neither established a testing methodology nor begun to schedule the testing (country offices would also use this mainframe for their final testing).

[2] Rock-Solid Insurance Inc. has not released its year 2000 plans for publication.

The United States had initiated a year 2000 compliance effort in June 1996, but it had not made much progress before Jan Weber was hired as the new CIO. Weber had served as CIO at another firm for five years, and before that had been a consultant and contract programmer. Before she arrived in October 1996, each of eight business units had its own IS organization, and the central U.S. information systems organization (USIS) had little influence over them. When Weber learned that USIS was having difficulty getting the business units to appreciate the urgency of the year 2000 problem, she convinced the U.S. president to strengthen the role of USIS. A strongly worded December 1996 memo from the president placed responsibility for year 2000 compliance with the business units, with oversight by USIS.
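Scott’s two-digit year example above and the clock-advance simulation test that General Services bought a mainframe for, shown here as an added Python illustration that is not part of the case: the legacy calculation, a windowed fix, and a plausibility check run over a few constructed policy records with the clock set to the last day of 1999 and then to 1/1/2000. The record values, the pivot year of 30 and all function names are assumptions made for this example, not anything from the case.

```python
# Added example, not part of the case: two-digit year arithmetic,
# the windowing fix, and a clock-advance test of the kind General
# Services planned. Records, pivot year and names are constructed.
from datetime import date

# Constructed legacy records: (policy id, two-digit birth year field)
RECORDS = [
    ("P-001", "49"),  # born 1949, Scott's example
    ("P-002", "72"),  # born 1972
    ("P-003", "30"),  # born 1930
]

# Clock settings for the simulation run: last day of 1999 and the rollover.
CLOCK_BEFORE = date(1999, 12, 31)
CLOCK_ROLL = date(2000, 1, 1)

# Constructed windowing pivot: 00-29 expand to 20xx, 30-99 to 19xx.
PIVOT = 30


def age_naive(birth_yy: str, as_of: date) -> int:
    """Legacy calculation: the current year is truncated to two digits
    before subtracting, so it is correct through 1999 and goes negative
    once the clock reads 2000 ("00")."""
    current_yy = as_of.year % 100
    return current_yy - int(birth_yy)


def expand_year(yy: str, pivot: int = PIVOT) -> int:
    """Sliding-window expansion of a two-digit year to four digits.
    Rejects anything that is not a two-digit number instead of
    silently computing with garbage."""
    if len(yy) != 2 or not yy.isdigit():
        raise ValueError(f"not a two-digit year field: {yy!r}")
    n = int(yy)
    return 2000 + n if n < pivot else 1900 + n


def age_windowed(birth_yy: str, as_of: date) -> int:
    """Renovated calculation: expand to four digits first, then subtract
    with full-width years so the century boundary no longer matters."""
    return as_of.year - expand_year(birth_yy)


def simulate(calc, clock: date) -> dict:
    """Run one age routine over every record with the system clock fixed
    at `clock`, as a clock-advance test on a dedicated machine would."""
    return {pid: calc(yy, clock) for pid, yy in RECORDS}


def find_failures(calc, clock: date) -> list:
    """Policy ids whose computed age is implausible (negative or over 120).
    This is the assertion a Y2K test plan would make after the rollover."""
    return sorted(pid for pid, age in simulate(calc, clock).items()
                  if age < 0 or age > 120)


if __name__ == "__main__":
    for clock in (CLOCK_BEFORE, CLOCK_ROLL):
        for name, calc in (("naive", age_naive), ("windowed", age_windowed)):
            print(f"{clock} {name:8s} {simulate(calc, clock)} "
                  f"failures={find_failures(calc, clock)}")
```

The naive routine passes the 1999 run and fails every record on the rollover run, which is why a test plan has to state the clock settings and the plausibility assertions in advance rather than only schedule machine time. Windowing is a renovation shortcut with its own limit: under this pivot a record holding “25” expands to 2025, so the date range of each Logical Application Segment has to be established in the impact analysis before a pivot is chosen.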
Weber controlled a $1.5 million budget for the USIS portion of the project, and another $3.5 million was divided among the eight U.S. business units. A full-time year 2000 project manager was hired in January 1997, and a new matrix reporting structure was established, as Weber explained to King:

Before, we were quite decentralized; now each systems manager reports both to a unit head and to me. They set their own priorities, but they are accountable to me in terms of ensuring year 2000 compliance and in the use of common technologies. This is the first time in many years that business units have had to deal with a project that is closely monitored from the center.

The April audit revealed that USIS had posted a systems inventory on a Lotus Notes database, but it did not appear to fully include end-user computing, nor did it include all external interfaces (such as those to trading partners using EDI). A detailed project plan had not yet been developed, resource requirements had not yet been delineated, and actions for retaining those resources had not yet been identified. King also observed that the U.S. plan relied heavily on a strategy of replacing old software with new software that would be year-2000 compliant. Since detailed plans were not provided, he could not determine whether USIS was realistic in assuming that replacement systems would be developed in time.

King was more concerned about the Canada office, which had not yet established a Year 2000 project office by April 1, despite having an extensive applications portfolio. The European office was in much better shape, having already established a project management office, along with clear milestones and reporting requirements.

In June 1997, King reported his findings and concerns to the Audit Committee of the Board of Directors:

I expected that the country offices would have prepared a detailed year 2000 compliance project plan.
To do that, they should have analyzed their software to determine how many lines of date-sensitive code needed to be fixed, and used that information to generate an estimate of their resource requirements. Instead, the best we got was an accountability listing: here’s our project manager, here is an inventory of our systems, an assessment of whether each system is high, medium or low priority, and a disposition of which systems will be renovated, replaced, or retired. Those are useful steps, but they should have been taken in 1996!

Ben Scott represented Internal Audit at quarterly meetings of a Corporate-Wide Year 2000 Steering Committee, comprising the country office year 2000 project managers and the CIOs of each country office. Following the June meeting of the Audit Committee of the Board, he and King were scheduled to attend a meeting of this steering committee. “Before the next Audit Committee meeting in November, we need to provide the steering committee members with a more detailed year 2000 project planning audit checklist,” King told Scott. To that end, Scott provided King with an outline of the elements that he thought should be included (Exhibit A3). “This is an excellent start,” King noted. “Let’s develop a set of detailed guidelines within this framework.”

Exhibit A1
Report of Management’s Responsibility*

The financial statements and all other information in this annual report are the responsibility of management. Management is also responsible for selecting appropriate accounting policies and making estimates and other judgments consistent with statutory accounting practices prescribed or permitted by insurance regulatory authorities and generally accepted accounting principles.
Rock-Solid is committed to maintaining a strong system of internal control that provides reasonable assurance that financial information is reliable, all transactions are properly authorized, assets are safeguarded, and that the Company adheres to legislative and regulatory requirements. The control environment is reinforced by a Code of Ethical Conduct that specifies that the highest level of integrity be maintained by employees as they carry out their duties. The corporate organizational structure provides for segregation of duties, and management provides ongoing communication regarding accounting and operating procedures throughout the company.

Internal controls are reviewed and evaluated by the Company’s professional staff of internal auditors, who conduct periodic reviews and tests of the control aspects of accounting, financial, and operating activities. The company employs an independent auditor, [Big 6 name withheld, due to disguised case], to examine the financial statements and conduct an audit, in accordance with generally accepted accounting principles, of the system of internal accounting controls. The external auditor discusses its findings in separate meetings with management and the Audit Committee. Their report to policyholders can be found on page 55.

The Board of Directors monitors management’s fulfillment of its responsibilities for safeguarding assets and producing accurate financial statements. An Audit Committee, comprised solely of outside directors, is appointed by the Board of Directors to review the financial statements and various reports regarding the control reviews performed by both internal and external auditors. As a result of the reviews conducted by the internal and external auditors and the Audit Committee of the Board, management believes the enclosed financial statements fairly present the financial position and operations of Rock-Solid Life Insurance Inc.

Jeremy Mason
Chairman and Chief Executive Officer

Suzannah Overtree
Vice President, Finance

Peter L. King
Vice President and Internal Auditor

Topeka, Kansas
February 10, 1997

* Source: Rock-Solid Insurance Inc. Annual Report, 1996.

Exhibit A2
ROCK-SOLID Y2K PLANS AUDIT PROGRAM: Country Office Coordination

Audit Objectives: To ensure that the Country Office coordination of the Y2K planning process:
1. Properly assigns responsibility for effecting Y2K compliance; and
2. Provides for appropriate management and monitoring mechanisms with respect to the attainment of Y2K project objectives.

Scope: This audit program reviews the Country and Corporate Y2K planning coordination and project management practices. It does not include the planning process of individual business units, nor individual business unit project management practices related to Y2K.

Section 1 - Planning Coordination
1.1 Has responsibility for coordination of the Y2K effort at the Country Office been assigned to an individual (hereafter, the “coordinator”)?
1.2 Does the coordinator or project office have sufficient authority to ensure that business units develop appropriate Y2K plans and provide the necessary resources to meet the Corporate-Wide completion date goal?
1.3 Are regular status reports based on a common format being provided to the coordinator or project office?
1.4 Does the coordinator report to the President of the Subsidiary on a regular basis concerning the status of Y2K efforts?
1.5 Does the individual attend the Worldwide Y2K Steering Committee meetings?
1.6 Has a standard Y2K methodology been developed for use by each business unit?

Section 2 - High Level Assessment
If a high level assessment of Y2K preparedness has been performed, obtain a copy and review the recommendations made. Determine the nature of the action plans resulting from the assessment.
2.1 Has management implemented the recommendations made by the high-level assessment?
Section 3 - Software Vendor/Business Partner Management
3.1 Has an appropriate process been put in place to ensure that certification of Y2K compliance is obtained from all packaged application vendors, system management vendors, operating system vendors and business partners with whom electronic commerce is conducted (EDI, EFI, etc.)?
3.2 Has Y2K compliance protection been built into all future software contracts with vendors and business partners?

Exhibit A3
ROCK-SOLID Y2K PLANS AUDIT PROGRAM: Strategic Business Unit Y2K Planning (First Draft, June 1997)

Audit Objectives: The Y2K plans:
1. Properly assign responsibility for effecting Y2K compliance;
2. Properly scope the extent of the Y2K problem;
3. Ensure the acquisition and retention of the resources required to effect Y2K compliance;
4. Establish appropriate target dates and project milestones in order to achieve the corporate-wide goal; and
5. Provide for appropriate management and monitoring mechanisms for the Y2K effort.

The Corporate-Wide goal is that all applications be Y2K compliant by December 31, 1998.

Section 1 - Plan Coordination
1.1 Has responsibility for preparation of the Y2K plan for a business unit been assigned to an individual?
1.2 Is the individual required to provide regular status reports, based on a common format, to a central coordinating individual or project office within the Country Office?
1.3 Has an appropriate process been put in place to ensure that certification of Y2K compliance is obtained for all packaged application vendors, system management vendors, operating system vendors, and business partners with whom electronic commerce is conducted (EDI, EFI, etc.)?
1.4 Has Y2K compliance protection been included in all future software contracts?
1.5 Has an inventory been completed? If YES, complete Section 2.
1.6 Has an initial assessment been made? If YES, complete Section 3.
1.7 Has the impact analysis been completed? If YES, complete Section 4.
1.8 Has a Y2K plan been developed? If YES, complete Section 5.

Section 2 - Inventory Taking
2.1 Have appropriate steps been taken to ensure that all end user applications (including PC/desktop) are identified and included in the inventory?
2.2 Do application inventories include the necessary elements that will allow the assessment of risk, cost and time horizons surrounding the Y2K challenge?

Section 3 - Initial Assessment/Scoping
3.1 Have the inventories been segmented into Logical Application Segments? (An LAS comprises the applications, databases, runtime components and interfaces to be made compliant at the same time. An LAS can be a subportion of an application, the application itself, multiple applications, etc.)

Section 4 - Impact Analysis
4.1 Have Lines of Code (LOC) estimates been developed for each Logical Application Segment (LAS)?

Section 5 - Y2K Plan
5.1 Does the plan assign accountabilities for the following project deliverables?
- Redevelopment/Modification
- Testing
- Implementation
- Data Conversion (databases, master files)