Y2K and the IS Auditor

By Cathy Mugford

Management's responsibilities in addressing the Y2K problem can be summarized into six main areas:

Identification: Prepare an inventory of all items that are date-impacted and determine which of these are not Y2K-compliant.

Prioritization: Rank all items on the inventory for criticality. Examples of ratings include fatal (production process will be halted, business will be gravely impacted); critical (interruption will severely impact business but will not stop production); and marginal (interruption can be tolerated up to a few weeks).

The IS auditor's primary role is to assess the completeness of his or her organization's Y2K plan, and the ability and availability of resources to implement the plan.


Identification

In this area, the auditor's concerns are the tools used and the size of the inventory of date-impacted items. We must verify that appropriate tools were used to develop the inventory. Tools consist of date search utilities or software, vendor representations, and physical inspection by knowledgeable users or product experts (particularly helpful in a manufacturing environment where embedded processors are used). Another concern is that the inventory is reasonable for the size of the organization and the complexity of the data-processing environment.


Prioritization

In this area, our concern is that all components of the plan have been assigned a reasonable priority. Because the auditor may not have adequate training in manufacturing and other non-IS areas, it's essential that qualified personnel be involved in identifying problems and assigning priorities.

Cost/Benefit Analysis

The auditor's concern is that decisions made for replacing or repairing items (machinery, software, and hardware) are based on financial analysis. It's important to consider the cost of resources in the repair option. The longer companies wait to address the problem, the scarcer and more expensive the resources will become. The challenge in the manufacturing environment is resource availability from distributed computing systems (DCS) and programmable logic controller (PLC) vendors.


In replacement mode, the auditor's concern is that the new software contains controls similar to or better than those in the software being replaced. Examples include data integrity, system and data access, and implementation controls. In repair mode, the auditor is concerned with adherence to established change control processes. It's very tempting for organizations to bypass standard change processes for Y2K fixes because those processes may add time delays in the change/test activities. Organizations with a compelling business reason for bypassing change control processes must obtain management approval for exceptions.


Y2K presents the greatest-ever challenge to testers and auditors. The auditor's concern in this area is that testing is thorough and adequate. Y2K testing is of a magnitude greater than anything tested before because of the:

The auditor should assess the creation of adequate test data, inclusion of interface testing between systems, adequate test tools to aid in performing the testing, and the completeness of the test plan. In addition to these concerns, the auditor must play a role in project management.

Correcting the Y2K problem is an enormous task for most companies. It is the auditor's responsibility to ensure management has adequately defined and implemented a sound solution for correcting the date components so that business will not be adversely impacted on 01/01/2000 and beyond.

Cathy is a certified information systems auditor (CISA) for a Fortune 100 manufacturing organization. She can be contacted at