Rock-Solid Life Insurance Inc.:
Auditing Year 2000 Compliance Projects (A)
Prepared by Janis Gogan and Ashok Rao
Introduction
In June 1997 Peter King met with Ben Scott to discuss a recent meeting of the Audit Committee of the
Rock-Solid Life Insurance Inc. Board of Directors. In January 1997 King had been appointed Vice
President and Internal Auditor. One of his first steps in this role had been to audit the year 2000
compliance projects of each of the three country offices (United States, Canada, and Europe) as of
April 1, 1997. As Assistant Vice President for Internal Audit, Ben Scott was responsible for
corporate-wide IT auditing.
At the June Audit Committee meeting, King reported: “No plans are sufficiently detailed for me
to be able to comment on whether adequate progress is being made.” The Audit Committee then
requested that King update them at every meeting (in November, February, April, June and
September) henceforth.
Company Background
Rock-Solid Life Insurance Inc., headquartered in Topeka, Kansas, was founded in 1892. Its
16,000 employees worldwide were organized into three country offices: United States, Canada,
and Europe.
Rock-Solid’s 105th Annual Report (1996) stated:
Today’s business environment is shaped in large part by technological advances in
information systems and telecommunications. This presents significant challenges
to long-established companies such as Rock-Solid; specifically, technology enables
new competitors to enter our traditional business more quickly and easily. We are
responding to these pressures by investing in an extensive range of business
transformation activities.

Professors Janis Gogan and Ashok Rao, with the assistance of Bruce Feinstein, prepared this disguised case solely
to provide material for class discussion. The authors do not intend to illustrate either effective or ineffective handling
of a managerial situation.
The statements and opinions contained in this case are those of the individual contributors or advertisers, as
indicated. The Publisher has used reasonable care and skill in compiling the content of this case. However, the
Publisher and the Editors make no warranty as to the accuracy or completeness of any information on this case and
accept no responsibility or liability for any inaccuracy or errors and omissions, or for any damage or injury to persons
or property arising out of the use of the materials, instructions, methods or ideas contained on this case. This case
may not be downloaded, reproduced, stored in a retrieval system, modified, made available on a network, used to
create derivative works, or transmitted in any form or by any means, electronic, mechanical, photocopying,
recording, scanning, or otherwise, except (i) in the United States, as permitted under Section 107 or 108 of the 1976
United States Copyright Act, or internationally, as permitted by other applicable national copyright laws, or (ii) as
expressly authorized on this case, or (iii) with the prior written permission of the Publisher. Requests to the Publisher
for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 605 Third Avenue,
New York, New York, 10158-0012, USA, (212) 850-6011, fax (212) 850-6008, email: permreq@wiley.com. Copyright
© 2001 by John Wiley & Sons, Inc. All rights reserved.

The “business transformation activities” included establishing new lines of business in financial
services, as well as extensive reengineering of many core business processes (such as policy
writing and claims processing). Virtually every initiative gave rise to new or modified
information systems.
Many of Rock-Solid’s transaction-processing systems (such as for claims processing and
accounting) ran on mainframe and midrange computers that were operated by a corporate data
center (General Services) in Topeka. A corporate IS Planning group was responsible for
identifying opportunities for common hardware, software applications and data standards across
country offices. It took a leadership role on common systems initiatives for the three country
offices, involving accounting and operations. Although it offered guidelines for hardware and
software acquisition, data administration, and systems development, General Services had
limited authority. With the exception of those systems operated by General Services, in recent
years each country office had had considerable autonomy regarding its information systems tools
and applications. As a result, each had developed, acquired and operated many systems without
consideration of the other country offices’ choices. In addition, the U.S. and Canadian country
offices had each taken a highly decentralized approach to information systems in their business
units, giving them considerable autonomy to develop or purchase the systems that best met
their needs.
                                   Total     Corporate  General   United    Canada    Europe
                                                        Services  States
Employees                          16,140    750        n/a       7,150     4,930     3,310
Revenue ($ billions)               11.4      n/a        n/a       4.5       4.2       2.7
Net Income ($ millions)            517       n/a        n/a       237       98        182
Total number of applications [1]   1,898     318        710       458       334       78
Initial Year 2000 Compliance Audit: Spring, 1997
Internal Audit’s role was to “provide an objective appraisal of business systems, procedures, and
controls, and to assist management in identifying business risks.” As Vice President and Internal
Auditor, Peter King reported to Rock-Solid’s Chairman and CEO, Jeremy Mason. Each of the
three country offices had a Chief Internal Auditor who reported both to that office’s President and to
King. Exhibit A1 outlines the roles of internal auditors, external auditors, and the Audit
Committee of the Board.
[1] Does not include all user-developed applications.
Rock-Solid Life Insurance (A)
Page 2
Soon after he moved into his new role in January 1997, Peter King met with Ben Scott, who
expressed concern that the three country offices had not yet put much effort into bringing their
systems into year 2000 compliance. He explained:
Most older transaction-processing systems, and many newer systems, have a
problem: dates are coded with 2-digit year fields (i.e., “1997” equals “97”). Those
2-digit years will represent 2000 as “00,” which in turn can cause various
calculation problems. For example, in 1999, the age of a person born in 1949 would
properly be recorded as “50,” but in 2000, their age would be calculated as a
negative 51! The job of fixing this problem involves millions of lines of code, so it
will be very time-consuming. The country offices don’t seem to realize how
widespread the Year 2000 problem is, or how much time and effort will go into its
resolution.
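The arithmetic behind Scott’s example, as an added illustration (not code from the case or from Rock-Solid): a two-digit birth-year field subtracted from a two-digit current year, next to the two remediations a Y2K project would choose between, windowing (a fixed pivot that maps "yy" onto a century) and field expansion. The pivot value and the sample policyholder records are constructed assumptions.

```python
# Added example, not part of the case: the two-digit-year arithmetic Scott
# describes, next to two remediations. The pivot value and the sample
# records are constructed assumptions.

PIVOT = 30  # assumption: two-digit years below 30 are 20yy, the rest 19yy


def age_two_digit(birth_yy: int, current_yy: int) -> int:
    """Legacy arithmetic on two-digit year fields (what the old code does)."""
    return current_yy - birth_yy


def expand_year(yy: int, pivot: int = PIVOT) -> int:
    """Windowing: map a two-digit year onto a century using a fixed pivot.

    This is the cheap fix when the stored field cannot be widened; it only
    moves the problem to the far edge of the 100-year window.
    """
    if not 0 <= yy <= 99:
        raise ValueError(f"not a two-digit year: {yy}")
    return 2000 + yy if yy < pivot else 1900 + yy


def age_windowed(birth_yy: int, current_yyyy: int) -> int:
    """Age from a windowed two-digit birth year and a four-digit current year."""
    return current_yyyy - expand_year(birth_yy)


def age_four_digit(birth_yyyy: int, current_yyyy: int) -> int:
    """Field expansion: the correct calculation once both years are four digits."""
    return current_yyyy - birth_yyyy


def compare(records, current_yyyy: int):
    """Run all three calculations over (name, four-digit birth year) records.

    Returns (name, legacy_age, windowed_age, true_age) per record, which is
    the kind of evidence a clock-set-ahead simulation test would produce.
    """
    current_yy = current_yyyy % 100
    rows = []
    for name, birth_yyyy in records:
        birth_yy = birth_yyyy % 100
        legacy = age_two_digit(birth_yy, current_yy)
        windowed = age_windowed(birth_yy, current_yyyy)
        true_age = age_four_digit(birth_yyyy, current_yyyy)
        rows.append((name, legacy, windowed, true_age))
    return rows


# Constructed sample records (name, birth year).
RECORDS = [("policyholder A", 1949), ("policyholder B", 1995), ("policyholder C", 1925)]

if __name__ == "__main__":
    for as_of in (1999, 2000):
        print(f"as of {as_of}: (name, legacy, windowed, true)")
        for row in compare(RECORDS, as_of):
            print("  ", row)
```

For a 1949 birth the legacy calculation gives 50 in 1999 and -49 in 2000, while windowing gives 51. The third record shows the caveat that testing must cover: a 1925 birth falls outside a 1930-2029 window, so the windowed age is wrong even before the rollover. Field expansion is the only fix that does not carry a hidden boundary of its own.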
Scott explained that Corporate Information Systems had established a Worldwide Year 2000
Project Management Office, headed by Don Meyer, the Vice President for IS Planning. Each
country office was responsible for establishing its own Year 2000 project management office and
for formulating its own year 2000 compliance project plan with guidance from Meyer. Scott felt
that the country offices did not fully appreciate the urgent need to make progress on their year
2000 compliance initiatives. They did not seem to realize that the corporate deadline for
compliance was December 31, 1998 (in order to allow an entire year to fix problems revealed in
testing converted systems), and might have an incomplete understanding of the steps that needed
to be taken.
Having attended a Year 2000 Awareness seminar conducted by the Institute of Internal Auditors,
King agreed with Scott’s suggestion that the country offices should be audited to determine
whether they had an adequate organizational structure and project plan in place for achieving
year 2000 compliance. King also felt that the Audit Committee of the Board of Directors should
be informed of progress on year 2000 compliance. In a meeting with Jeremy Mason, he
expressed the view that Don Meyer should provide regular updates to the Audit Committee.
Instead, Mason asked King to provide such an update at the Committee’s meeting in June 1997.
Each IS organization in the three country offices (as well as Corporate MIS and General
Services) was notified in January that they should provide Internal Audit with their year 2000
project plans no later than April 1, 1997. Accompanying this memo was a list of items that Audit
planned to review (Exhibit A2).
In April, Scott and King reviewed the plans [2]. Corporate MIS and General Services had jointly
established a year 2000 project office, conducted an impact analysis on their systems, and begun
the process of code renovation. General Services had also purchased a separate mainframe for
conducting large-scale simulation testing (in which a system clock is set ahead to 1/1/2000).
However, they had neither established a testing methodology nor begun to schedule the testing
(country offices would also use this mainframe for their final testing).
[2] Rock-Solid Insurance Inc. has not released its year 2000 plans for publication.
The United States had initiated a year 2000 compliance effort in June 1996, but it had not made
much progress before Jan Weber was hired as the new CIO. Weber had served as CIO at another
firm for five years; before that she had been a consultant and contract programmer. Before she
arrived in October 1996, each of eight business units had its own IS organization, and the central
U.S. information systems organization (USIS) had little influence over them. When Weber
learned that USIS was having difficulty getting the business units to appreciate the urgency of the
year 2000 problem, she convinced the U.S. president to strengthen the role of USIS. A strongly
worded December 1996 memo from the president placed responsibility for year 2000 compliance
with the business units, with oversight by USIS. Weber controlled a $1.5 million budget for the
USIS portion of the project, and another $3.5 million was divided among the eight U.S. business
units. A full-time year 2000 project manager was hired in January 1997, and a new matrix
reporting structure was established, as Weber explained to King:
Before, we were quite decentralized; now each systems manager reports both to a
unit head and to me. They set their own priorities, but they are accountable to me in
terms of ensuring year 2000 compliance and in the use of common technologies.
This is the first time in many years that business units have had to deal with a
project that is closely monitored from the center.
The April audit revealed that USIS had posted a systems inventory on a Lotus Notes database,
but it did not appear to fully include end-user computing, nor did it include all external interfaces
(such as to trading partners utilizing EDI). A detailed project plan had not yet been developed,
resource requirements had not yet been delineated, and actions for retaining those resources had
not yet been identified. King also observed that the U.S. plan relied heavily on a strategy of
replacing old software with new that would be year-2000 compliant. Since detailed plans were
not provided, he could not determine whether USIS was realistic in assuming that replacement
systems would be developed in time.
King was more concerned about the Canada office, which had not yet established a Year 2000
project office by April 1, despite having an extensive applications portfolio. The European office
was in much better shape, having already established a project management office, along with
clear milestones and reporting requirements.
In June 1997, King reported his findings and concerns to the Audit Committee of the Board of
Directors:
I expected that the country offices would have prepared a detailed year 2000
compliance project plan. To do that, they should have analyzed their software to
determine how many lines of date-sensitive code needed to be fixed, and used that
information to generate an estimate of their resource requirements. Instead, the best
we got was an accountability listing: here’s our project manager, here is an
inventory of our systems, an assessment of whether each system is high, medium or
low priority, and a disposition of which systems will be renovated, replaced, or
retired. Those are useful steps, but they should have been taken in 1996!
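The first-pass impact analysis King says should precede the plan, as an added example (not code from the case, and not Rock-Solid’s unpublished methodology): count the lines that touch dates in each Logical Application Segment, so that the renovation workload, rather than the application count, drives the resource estimate. The segment names, the COBOL-style source lines and the pattern list are constructed assumptions.

```python
# Added example, not part of the case and not Rock-Solid's (unpublished)
# methodology: a first-pass impact analysis that counts date-sensitive lines
# per Logical Application Segment. Segment names, the COBOL-style source and
# the pattern list are constructed assumptions; a real tool would also follow
# data flows out of the flagged fields.
import re

# Heuristic patterns for date handling in legacy code (assumption).
DATE_PATTERNS = [
    # a two-digit numeric picture clause: PIC 99 or PIC 9(2), but not 9(9)V99
    re.compile(r"\bPIC\s+(?:99|9\(2\))(?=[\s.]|$)", re.IGNORECASE),
    # identifiers that name a date, year or two-digit year field
    re.compile(r"\b[\w-]*(?:DATE|YEAR|YY|DOB|MMDD)[\w-]*\b", re.IGNORECASE),
]

# Constructed source, one segment per key.
SEGMENTS = {
    "POLICY-WRITING": """
       01  POLICY-REC.
           05  POLICY-NO          PIC 9(8).
           05  ISSUE-DATE         PIC 9(6).
           05  INSURED-BIRTH-YY   PIC 99.
      * compute attained age from two-digit years
           COMPUTE WS-AGE = WS-CURRENT-YY - INSURED-BIRTH-YY.
           MOVE POLICY-NO TO PRINT-LINE.
""",
    "CLAIMS": """
           05  CLAIM-AMT          PIC 9(9)V99.
           05  LOSS-DATE          PIC 9(6).
           IF LOSS-DATE > TODAY-DATE DISPLAY "FUTURE LOSS".
           ADD CLAIM-AMT TO TOTAL-PAID.
""",
}


def is_code(line: str) -> bool:
    """Count non-blank, non-comment lines as LOC (comment marker: leading '*')."""
    s = line.strip()
    return bool(s) and not s.startswith("*")


def is_date_sensitive(line: str) -> bool:
    """True when any heuristic pattern matches the line."""
    return any(p.search(line) for p in DATE_PATTERNS)


def scan_segment(source: str) -> dict:
    """LOC, date-sensitive LOC and the flagged lines for one segment."""
    code = [l for l in source.splitlines() if is_code(l)]
    hits = [l.strip() for l in code if is_date_sensitive(l)]
    return {"loc": len(code), "date_loc": len(hits), "hits": hits}


def impact_report(segments: dict) -> dict:
    """Per-segment counts plus a TOTAL row; date_loc is the renovation workload."""
    report = {name: scan_segment(src) for name, src in segments.items()}
    report["TOTAL"] = {
        "loc": sum(r["loc"] for r in report.values()),
        "date_loc": sum(r["date_loc"] for r in report.values()),
    }
    return report


if __name__ == "__main__":
    for name, r in impact_report(SEGMENTS).items():
        print(f"{name:16} LOC={r['loc']:4}  date-sensitive={r['date_loc']:4}")
```

The counts are only as good as the patterns: a date stored in a field named without a date word, or derived by arithmetic several statements away from the flagged field, is missed, and the "YY" pattern over-matches. Treat the output as a scoping figure to be refined, which is why the flagged lines are returned alongside the counts.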
Ben Scott represented Internal Audit at quarterly meetings of a Corporate-Wide Year 2000
Steering Committee, made up of the country office year 2000 project managers and the CIOs of
each country office. Following the June meeting of the Audit Committee of the Board, he and
King were scheduled to attend a meeting of this steering committee. “Before the next Audit
Committee meeting in November, we need to provide the steering committee members with a
more detailed year 2000 project planning audit checklist,” King told Scott. To that end, Scott
provided King with an outline of the elements that he thought should be included (Exhibit A3).
“This is an excellent start,” King noted. “Let’s develop a set of detailed guidelines within this
framework.”
Exhibit A1
Report of Management’s Responsibility*
The financial statements and all other information in this annual report are the responsibility of
management. Management is also responsible for selecting appropriate accounting policies and making
estimates and other judgments consistent with statutory accounting practices prescribed or permitted
by insurance regulatory authorities and generally accepted accounting principles.

Rock-Solid is committed to maintaining a strong system of internal control that provides reasonable
assurance that financial information is reliable, all transactions are properly authorized, assets are
safeguarded, and that the Company adheres to legislative and regulatory requirements.

The control environment is reinforced by a Code of Ethical Conduct that specifies that the highest level
of integrity be maintained by employees as they carry out their duties. The corporate organizational
structure provides for segregation of duties, and management provides ongoing communication regarding
accounting and operating procedures throughout the company.

Internal controls are reviewed and evaluated by the Company’s professional staff of internal auditors,
who conduct periodic reviews and tests of the control aspects of accounting, financial, and operating
activities.

The company employs an independent auditor, [Big 6 name withheld, due to disguised case] to examine the
financial statements and conduct an audit, in accordance with generally accepted accounting principles,
of the system of internal accounting controls. The external auditor discusses its findings in separate
meetings with management and the Audit Committee. Their report to policyholders can be found on page 55.

The Board of Directors monitors management’s fulfillment of its responsibilities for safeguarding assets
and producing accurate financial statements. An Audit Committee, comprised solely of outside directors,
is appointed by the Board of Directors to review the financial statements and various reports regarding
the control reviews performed by both internal and external auditors.

As a result of the reviews conducted by the internal and external auditors and the Audit Committee of
the Board, management believes the enclosed financial statements fairly present the financial position
and operations of Rock-Solid Life Insurance Inc.

Jeremy Mason
Chairman and Chief Executive Officer
Suzannah Overtree
Vice President, Finance
Peter L. King
Vice President and Internal Auditor
Topeka, Kansas
February 10, 1997

* Source: Rock-Solid Insurance Inc. Annual Report, 1996.
Exhibit A2
ROCK-SOLID Y2K PLANS AUDIT PROGRAM: Country Office Coordination
Audit Objectives: To ensure that the Country Office coordination of the Y2K planning process:
1. Properly assigns responsibility for effecting Y2K compliance; and
2. Provides for appropriate management and monitoring mechanisms with respect to the attainment of Y2K project
   objectives.
Scope: This audit program reviews the Country and Corporate Y2K planning coordination and project management
practices. It does not include the planning process of individual business units, nor individual business unit project
management practices related to Y2K.
Section 1 - Planning Coordination
1.1 Has responsibility for coordination of the Y2K effort at the Country Office been assigned to an individual
(hereafter, the “coordinator”)?
1.2 Does the coordinator or project office have sufficient authority to ensure that business units develop appropriate
Y2K plans and the necessary resources to meet the Corporate-Wide completion date goal?
1.3 Are regular status reports based on a common format being provided to the coordinator or project office?
1.4 Does the coordinator report to the President of the Subsidiary on a regular basis concerning the status of Y2K
efforts?
1.5 Does the coordinator attend the Worldwide Y2K Steering Committee meetings?
1.6 Has a standard Y2K methodology been developed for use by each business unit?
Section 2 - High Level Assessment
If a high level assessment has been performed of Y2K preparedness, obtain a copy and review recommendations
made. Determine the nature of the action plans as a result of the assessment.
2.1 Has management implemented the recommendations by the high-level assessment?
Section 3 - Software Vendor/Business Partner Management
3.1 Has an appropriate process been put in place to ensure that certification of Y2K compliance is obtained from all
packaged application vendors, system management vendors, operating system vendors and business partners
with whom electronic commerce is conducted (EDI, EFI, etc.)?
3.2 Has Y2K compliance protection been built into all future software contracts with vendors and business partners?
Exhibit A3
ROCK-SOLID Y2K PLANS AUDIT PROGRAM: Strategic Business Unit Y2K PLANNING (First Draft, June 1997)
Audit Objectives: The Y2K plans:
1. Properly assign responsibility for effecting Y2K compliance;
2. Properly scope the extent of the Y2K problem;
3. Ensure the acquisition and retention of the resources required to effect Y2K compliance;
4. Establish appropriate target dates and project milestones in order to achieve the corporate-wide goal; and
5. Provide for appropriate management and monitoring mechanisms for the Y2K effort.
The Corporate-Wide goal is that all applications be Y2K compliant by December 31, 1998.
Section 1 - Plan Coordination
1.1 Has responsibility for preparation of the Y2K plan for a business unit been assigned to an individual?
1.2 Is the individual required to provide regular status reports to a central coordinating individual within the Country
Office or project office based on a common format?
1.3 Has an appropriate process been put in place to ensure that certification of Y2K compliance is obtained for all
packaged application vendors, system management vendors, operating system vendors, and business partners
with whom electronic commerce is conducted (EDI, EFI, etc.)?
1.4 Has Y2K compliance protection been included in all future software contracts?
1.5 Has an inventory been completed? If YES, complete Section 2.
1.6 Has an initial assessment been made? If YES, complete Section 3.
1.7 Has the impact analysis been completed? If YES, complete Section 4.
1.8 Has a Y2K plan been developed? If YES, complete Section 5.
Section 2 - Inventory Taking
2.1 Have appropriate steps been taken to ensure that all end user applications (including PC/desktop) are identified
and included in inventory?
2.2 Do application inventories include the necessary elements that will allow the assessment of risk, cost and time
horizons surrounding the Y2K challenge?
Section 3 - Initial Assessment/Scoping
3.1 Have the inventories been segmented into Logical Application Segments? (An LAS comprises the applications,
    databases, runtime components and interfaces to be made compliant at the same time. These can be sub-portions
    of an application, the application itself, multiple applications, etc.)
Section 4 - Impact Analysis
4.1 Have Lines of Code (LOC) estimates been developed for each Logical Application Segment (LAS)?
Section 5 - Y2K Plan
5.1 Does the plan assign accountabilities for the following project deliverables?
    - Redevelopment/Modification
    - Testing
    - Implementation
    - Data Conversion (databases, master files)