EY 00342

Audit Alert 4: The millennium issue

This is a translation of the official Dutch version of the Audit Alert. In the event of a dispute, the Dutch version shall prevail.

19 December 1997

Koninklijk NIVRA

To the members of the Royal NIVRA

Introduction

This Audit Alert is intended for use by registeraccountants working as auditors. However, information contained in this document may be of relevance to all registeraccountants. The aim of an Audit Alert is to provide information on topical issues and developments in the field of auditing.

Background

From various publications about the millennium, it would appear that the millennium problem is not being taken as seriously as it should, and that a new expectation gap could well develop between the auditor and society in general as well as between the auditor and his/her client. This Audit Alert is intended to reduce the likelihood of an expectation gap emerging.

By means of good written communication with the client (for example, in engagement letters, management letters and long-form reports to the Supervisory Board), the auditor can make clear the scope of his or her responsibility and expertise as well as the responsibility of the organisation's management. The auditor can assist his/her client, for example, by promoting awareness, helping to collect information and listing risks, advising on and assessing the project approach (and implementation) and engaging the services of experts. However, in principle, the auditor does not assume the role of a technical expert.

Status of the Audit Alert

The Audit Alert should be seen as offering helpful guidance to the auditor in relation to the technical aspects of the millennium issue and is not part of the auditing standards generally accepted in the Netherlands. This does not detract from the fact, however, that auditors are recommended to consider the matters addressed in this Audit Alert.

Essence of the problem

The millennium problem stems from the fact that in the past in computer software, generally with the efficient use of memory and storage capacity in mind, only two digits, instead of four, were set aside to indicate the year element of the date function. As a result, with effect from 1 January 2000 (or earlier in some cases), the electronic data processing may become unreliable and in some cases even unusable. Unless action is taken to avoid the problem, such computer systems will read the year 2000 as the year 1900. This problem can arise in all computerised systems which use data fields.

A practical example: The use-by date of medicines is, in many cases, already extending beyond the year 2000. A wholesaler in medicines discovered that the new supplies of medicines with a use-by date on or after the year 2000 were repeatedly being placed at the front of the warehouse, instead of the medicines with a shorter shelf life (1998, 1999). If this situation is discovered too late in computerised warehouses, large stock writedowns (due to obsolescence) could occur. In addition, there is a chance that the stocks (with a use-by date of 2000 or later) will be destroyed due to the fact that the computer recognises them as old, i.e. to be used until 1900 or shortly thereafter.

It is not only the accounting and logistical processes in which this risk occurs, but also, for example, in the support processes (process computers and computers in aeroplanes, trains, etc.).
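
The warehouse example above, worked through as an added illustration that is not part of the Audit Alert: stock records carrying a two-digit-year use-by date are ordered for picking and checked for expiry, first as a legacy system would and then with a fixed century window. The record layout (YYMMDD), the lot names, the "current" date and the pivot year 50 are assumptions made for this example.

```python
from datetime import date

# Constructed sample stock: (lot id, use-by date stored as YYMMDD, two-digit year).
STOCK = [
    ("LOT-A", "981130"),
    ("LOT-B", "990615"),
    ("LOT-C", "000229"),  # 29 February 2000
    ("LOT-D", "010331"),
]

TODAY = date(1998, 1, 15)  # constructed "current" date for the expiry check
PIVOT = 50                 # assumed window rule: YY < 50 means 20YY, otherwise 19YY


def split(yymmdd):
    """Return (yy, mm, dd) as integers from a YYMMDD string."""
    return int(yymmdd[:2]), int(yymmdd[2:4]), int(yymmdd[4:6])


def naive_pick_order(stock):
    """First-expired-first-out on the raw field: '00' sorts before '98'."""
    return [lot for lot, _ in sorted(stock, key=lambda rec: rec[1])]


def naive_expired(stock, today=TODAY):
    """Legacy expiry check that reads every year as 19YY."""
    now = (today.year, today.month, today.day)
    expired = []
    for lot, raw in stock:
        yy, mm, dd = split(raw)
        if (1900 + yy, mm, dd) < now:
            expired.append(lot)
    return expired


def expand(yymmdd, pivot=PIVOT):
    """Resolve the century with one unambiguous rule (a fixed window).

    The window is only unambiguous for dates within one 100-year span;
    storing the four-digit year removes the ambiguity altogether.
    """
    yy, mm, dd = split(yymmdd)
    return date((2000 if yy < pivot else 1900) + yy, mm, dd)


def fixed_pick_order(stock):
    """First-expired-first-out on the expanded, four-digit-year date."""
    return [lot for lot, _ in sorted(stock, key=lambda rec: expand(rec[1]))]


def fixed_expired(stock, today=TODAY):
    """Expiry check on the expanded date."""
    return [lot for lot, raw in stock if expand(raw) < today]


def valid_under(yymmdd, century):
    """Is the stored date a real calendar date if the year is century + YY?"""
    yy, mm, dd = split(yymmdd)
    try:
        date(century + yy, mm, dd)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print("legacy pick order :", naive_pick_order(STOCK))
    print("legacy 'expired'  :", naive_expired(STOCK))
    print("windowed order    :", fixed_pick_order(STOCK))
    print("windowed expired  :", fixed_expired(STOCK))
    # 2000 is a leap year, 1900 is not: the same field is an impossible
    # date under the legacy reading and a valid one under the window.
    print("000229 valid as 1900:", valid_under("000229", 1900))
    print("000229 valid as 2000:", valid_under("000229", 2000))
```

The legacy functions reproduce both effects the wholesaler saw: lots dated 2000 and 2001 are picked first and are also reported as long expired, while the windowed versions keep the 1998 and 1999 lots at the front and flag nothing.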

In practice, it appears that embedded software (such as in heating systems, process control systems, access systems, alarm and telephone installations and communication systems) can also create wide-scale problems.

In the context of the millennium issue, an organisation needs to be aware of a wide range of potential risks. These include:

• Disruption or breakdown of business processes. In extreme situations, this can lead to the closure of all or part of the organisation;
• Legal risks, such as the risk of being held liable (product liability or liability based on guarantees given). Furthermore, there is a risk that statutory obligations, purchase or supply commitments cannot be met;
• Risks as a result of the chain effect. On the one hand, problems can arise as a result of interfaces with third party systems, in which the millennium problem has not been anticipated. On the other hand, important business relations (for example, component suppliers and customers) may not meet their "commitments" due to an inadequate approach, or in the worst case, the business fails;
• The risk that the statutory obligations relating to the storage of data (e.g. State Taxes Act) cannot be complied with because data from past years can no longer be accessed;
• Financial risk, such as where excessively high project expenditure is incurred in making the organisation millennium-proof and the costs of consequential damage if systems fail;
• The risk that the problem is not adequately or promptly addressed because of the scale of its scope and impact. There is expected to be a large shortage of experts.

With regard to the legal risks, the following matters deserve consideration.
Auditors should take account of the fact that the millennium problem can affect the products supplied by organisations, for example, organisations which supply software products and/or hardware (components) with embedded software. It is often unclear as to who should bear the costs of modification or replacement. It is not inconceivable that these costs will be charged to the supplier and/or the producer. Account should also be taken of the risk of claims for damages if software and/or hardware (components) previously supplied no longer function reliably prior to, during and after the turn of the century.

Footnote: Millennium-proof can be defined as follows: "A product is millennium-proof if the functioning, quality and performance of the project is not affected in any way by the processing of dates before, during and after the year 2000. This means (but is not restricted to):
• at no time shall the applicable value for the actual date influence the proper operation and performance of the product;
• functionality which is based on dates should remain unchanged irrespective of whether the dates are before, during or after the year 2000;
• the century in each date should be specified in all storage media, interfaces with other systems and/or people and the processing units, either explicitly or by using unambiguous algorithms or rules, so that no errors can arise as a result of an incorrect interpretation;
• the year 2000 should be recognised and processed as a leap year."
Source: Government Prosecutor; prepared for the Government.

Advice given by the Government Prosecutor indicates that it is not possible to make general statements as to the circumstances in which a supplier can be held liable. The liability question quickly collapses in personalised contract relationships.
According to this advice, in all probability it will not be possible to obtain clarity beforehand on the issue of liability by means of emergency legislation (Lower House, parliamentary session 1997-1998, 25 674, no. 1, annex 2).

Responsibility for the approach to the millennium problem

The management of the organisation is responsible for the approach to the millennium problem, from the time it becomes aware of it through to the search for possible solutions, the implementation of the chosen solution and the aftercare. This applies, among other things, to systems (own systems and systems belonging to third parties on which the organisation depends) and for the assessment of the extent to which a business relation is millennium-proof (for example, suppliers and customers).

The role of the auditor in the context of the (statutory) audit of the annual accounts

In the context of the audit of the annual accounts, it is the responsibility of the auditor to issue an audit report on these accounts. The audit of the annual accounts does not imply that any degree of assurance is given on the ability of the systems or all or part of the organisation to deal with the millennium problem. This fact should be clearly understood by all parties involved.

By use of clear (preferably written) communication it is possible to set out the respective responsibilities of the management of the organisation and that of the auditor. This applies, for example, to the letter of engagement, but also to the management letter and the long-form report to the Supervisory Board. The auditor should avoid giving any impression that he/she is making a statement on the extent to which the organisation is millennium-proof. The auditor should also be aware that, in principle, he/she does not have sufficient technical expertise in relation to the millennium problem (Section 11, GBR, 1994).

Pursuant to Article 393 (4) of Book 2 of the Netherlands Civil Code, the auditor (in the context of the audit of the annual accounts of medium- and large-sized legal entities) issues a report to the Board of Supervisory Directors and to the Board of Directors (the long-form audit report). According to the second sentence of this article, the auditor "at least reports his findings on the reliability and continuity of the electronic data processing".

It is considered vitally important that the auditor informs the Supervisory Board and the Management Board on the approach to the millennium problem by the management. The information to be included can focus on the risk awareness and the approach by the management. Depending on the circumstances in each case, the auditor can make reference to these matters either in writing in the long-form report to the Supervisory Board or in the management letter, or verbally. If information is given verbally, a note of the meeting should preferably be placed on the audit file.

Annex 1 provides an example of the matters which an auditor might consider in assessing the management's level of awareness and approach in relation to the millennium issue. Annex 2 provides an example of the wording which could be included in the management letter for 1997 and/or the 1997 long-form report to the Supervisory Board.

The role of the auditor in the context of "audit-related engagements"

As with audit engagements, when accepting audit-related engagements, the auditor should be aware that, in principle, he/she has insufficient technical expertise in relation to the millennium problem (Section 11, GBR, 1994). Clear (preferably written) communication between the management of the organisation and the auditor should set out the respective responsibilities of each party.
For each type of engagement it should be considered whether the letter of engagement should state that carrying out the engagement does not imply that any degree of assurance will be given on the extent to which the systems or all or part of the organisation are millennium-proof.

The auditing standards generally accepted in the Netherlands (guideline 120) divide "audit-related engagements" into review engagements, engagements to perform agreed upon procedures and compilation engagements.

The same areas of attention apply to review and compilation engagements as to the audit of the annual accounts. For this reason, it is strongly recommended to address the millennium problem in the reports for such engagements.

With respect to engagements to perform agreed upon procedures, the due diligence investigation can serve as an example. In consultation with the client, the auditor will normally determine whether, and to what extent, work will be carried out on the risk awareness of, and the approach by, the management to the millennium problem. The value of an organisation in the case of an acquisition, for example, may be considerably lower if it appears that the millennium problem is insoluble, or cannot be solved within the available time, or only at considerable expense.

The role of the auditor in the context of specific millennium engagements

For specific millennium engagements, also, the auditor should be aware that in principle, he/she has insufficient technical expertise on the millennium problem (Section 11, GBR, 1994). In practice, experts often do not consider it possible, given the nature and scope of the problems, to make a statement efficiently and with a high degree of assurance on the extent to which systems and/or organisations are millennium-proof. As is the case for audit engagements and audit-related engagements, clear communication (preferably written) is important.
It should also be realised that the management of organisations requires assurance about the solution of the problem and that auditors (for example, in co-operation with registered EDP auditors or other experts) certainly can provide added value. Examples include promoting awareness, collecting information, assisting in listing risks, advising on and reviewing the project approach (and implementation) and engaging technical experts.

Directives from regulators

Regulatory bodies may have already issued directives on the millennium problem, which may also have consequences for the work of the auditor. An example of this is the directives issued by the Dutch Central Bank (DNB memorandum of 12 September 1997). The publication of such directives, which are often directed at the client, could lead to a change in the conditions of the engagement previously agreed between the client and the auditor.

Updating the Audit Alert

It is currently being investigated whether an updated Audit Alert should be issued in the course of 1998. This update would specifically address the consequences for the type of audit report and the text of the report in the 1998 accounts, particularly in connection with any going concern issues that may arise as a result of a possible millennium problem.

The valuation of assets and liabilities in the annual accounts is made on the assumption that the organisation will continue in operational existence for the foreseeable future, unless this assumption is not valid or there is doubt concerning the ability of the organisation to continue its operations (the going concern assumption). Given that, in many cases, experts have been unable, due to the nature and scope of the problem, to provide an opinion that carries a high degree of assurance as to the extent to which organisations are millennium-proof, the millennium problem carries with it the risk that the going concern assumption may no longer be appropriate for a particular organisation.
This issue will be addressed specifically in the updated Audit Alert.

Final comments

This Audit Alert has been prepared by the Millennium Working Group. In this working group, the Royal Nederlands Instituut van Registeraccountants (Royal NIVRA) cooperated with the Nederlandse Orde van Register EDP Auditors (NOREA) and the Nederlandse Orde van Accountants-Administratieconsulenten (NOvAA).

A joint NIVRA/NOREA/NOvAA meeting is scheduled to take place on 12 January 1998 for registeraccountants, registered EDP auditors and accounting consultants, at which the members will be given the opportunity to obtain more detailed information in relation to the problem. Furthermore, a brochure is expected to be published in February 1998 (also a joint effort of the Royal NIVRA, NOREA and NOvAA), in which the millennium problem will be discussed in more detail.

Further information on this Audit Alert in particular and the millennium problem in general can be obtained from:

Royal NIVRA
Mr R. Hoos RA
P.O. Box 7984
1008 AD Amsterdam
Telephone: (+) 31 20 3010356
Fax: (+) 31 20 3010302
E-mail: R.Hoos@accountnet.nl

Annex 1 to Audit Alert 4

List of potential millennium problem areas to be considered by the auditor

This questionnaire is for general guidance only. The contents of the questionnaire are merely illustrative and certainly not exhaustive. Its objective is to provide an impression of the level of awareness of, as well as the approach by management to, the millennium problem within an organisation.

A. Awareness on the part of management

The management will have to have a leading role in relation to finding a solution to the millennium problem. To do so will require an understanding of possible consequences of the millennium problem for the organisation. This awareness is not restricted to a recognition of the problem, but also extends to formulating an action plan to solve the millennium problem.
Based on their responses to the following series of questions, an impression can be gained of management's level of awareness in relation to the millennium problem.

1. Does management regard itself as being involved in the millennium problem?
2. Has management developed a project plan, setting out a detailed approach?
3. Has a project been defined to analyse and solve the problem?
4. Is management regularly informed about the development of the millennium project, for example, by taking note of the project's progress?
5. Has a timetable been developed for the millennium project?
6. Has management made resources (human and physical) available to guarantee that the millennium project can be finished properly and on time?
7. Is the chosen solution currently being implemented or have plans been made to implement the solution in the near future?
8. If the solution has not yet been implemented, is the management of the organisation trying to obtain the required capacity to achieve the goals set?
9. If the solution has been fully implemented, have the systems been tested sufficiently to guarantee that they are millennium-proof?

B. Approach by management

The following questionnaires have been prepared on the assumption (I) that the management is aware of the millennium problem and has already taken action on this matter, or will do so in the near future; and (II) that the millennium problem will be dealt with in the form of a project. The structure of the millennium project should normally provide sufficient guarantees which ensure that the millennium problem is properly and promptly solved.

An indication of the approach to the millennium problem on the part of management can be obtained on the basis of responses gained to the questionnaire below. The questionnaire is presented in a format for discussion question-by-question with the client.

B.1 Survey and analysis

1. Has a survey of the IT environment been carried out?
2. Has an IT-dependence analysis been carried out?
3. If there is a large degree of business relation dependence (for example, suppliers and customers), is an assessment of their approach to the millennium problem included in the millennium project?
4. Is the extent to which the systems, located outside the organisation and on which the organisation is dependent, are millennium-proof included in the analysis (for example, in the event of subcontracting, the use of EDI and interfaces)?
5. Is attention being paid (by management) to the way in which applications are analysed (manually or using tools such as analysis tools, etc.)?
6. Is attention being paid (by management) to the depth with which applications are being analysed?
7. Is attention being paid (by management) to considering the extent to which applications will have to cope with the turn of the century before the year 2000 millennium problems occur (for example, when concluding long-term contracts, shelf-life of stocks, etc.)?
8. Is attention being paid (by management) to analysing the interfaces between various applications (including external interfaces)?
9. Is attention being paid (by management) to analysing the business risk if applications are not made millennium-proof on time?
10. Is attention being paid (by management) to the extent to which current applications will be supported by the supplier in the future?
11. Is attention being paid (by management) to the influence of a possible millennium problem within the clock mechanisms (in connection with the applications) of IT components, such as operating systems, networks, etc.?
12. Is the extent to which new applications have an impact on other IT components (capacity of hardware, network, etc.) being investigated (by management)?
13. Is it being investigated (by management) whether important external parties (for example, suppliers, customers) are paying sufficient attention to the millennium problem?
14. Have "reliable" guarantees been issued by suppliers of standard software and IT components about whether they are millennium-proof?
15. Have (according to management) products been supplied by the organisation, the effective operation of which can be affected by the millennium problem?

B.2 Project organisation

1. Has a project plan been prepared on the basis of the survey and IT-dependence analysis?
2. Has the organisation prepared a list of solutions tuned to the millennium problem (this can include, for example, the replacement of software, reprogramming of existing software, etc.)?
3. Has a project group been set up and a project manager appointed to solve the millennium problem?
4. Is a member of the management team part of the project group?
5. Are there clear tasks, powers and responsibilities for the respective members of the project group?
6. Are there procedures for recording findings and problems?
7. Is there a timetable (critical or otherwise) for the millennium project?
8. Has the planning been set up so that an active response can be given to developments or changed circumstances?
9. Is the management informed regularly about the progress of the millennium project?
10. Has sufficient attention been given within the organisation to the awareness of the millennium problem and to the way in which the organisation in question approaches this problem?
11. Have sufficient funds been set aside to deal with the millennium problem?
12. Have sufficient experts been made available for the millennium problem?
13. Has sufficient IT capacity and time for conversion and testing been made available/contracted for (this should also be considered in the case that standard software is used)?
14. Is sufficient attention being paid to matters other than the modification of software, such as converting data files, consequences for existing hardware, etc.?
15. Are the necessary (specific) environments available for analysis, modification and testing?
16. Is relevant documentation being updated on a timely basis when making modifications to IT-equipment?
17. Are IT suppliers with sufficient experience being involved in the project?
18. Have contacts been made with suppliers of applications that are used within the organisation to ensure that the millennium problem is solved within the time available?
19. Have sufficient control and monitoring measures been taken to guarantee the quality of the work carried out?

B.3 Conversion, testing and implementation and emergency scenarios

1. Has a conversion plan, test plan and implementation plan been prepared, paying attention to time limits, involvement of external parties (including suppliers) and users, documentation, etc.?
2. Does the conversion plan make a distinction between the conversion of applications and data files?
3. Does the test plan provide for the testing of the separate applications and the interfaces between the applications, and (if applicable) the testing of applications in a new IT environment?
4. Have emergency scenarios been developed in relation to vital processes to enable these processes to continue uninterrupted in the cases in question?

Annex 2 to Audit Alert 4

Example text that may be included in the 1997 management letter and/or in the 1997 long-form report to the Supervisory Board.

A. Introduction

A.1 Cases where no attention has been paid to the millennium problem in previous management letters or long-form reports to the Supervisory Board.

What is known as the millennium problem has become increasingly important. The problem stems from the fact that in the past in computer software, generally with the efficient use of memory and storage capacity in mind, only two digits, instead of four, were set aside to indicate the year element of the date function. As a result, with effect from 1 January 2000 (or earlier in some cases), the electronic data processing may become unreliable and, in some cases, even unusable.
Unless action is taken to avoid the problem, such computer systems will view the year 2000 as the year 1900. This problem can occur, in principle, in all computerised systems in which data fields are used. This makes it necessary to investigate all systems used by the organisation (internally or by third parties).

Given that the millennium problem can have serious consequences for the management and even for the continued existence of the company as a going concern around the turn of the century, in the context of the 1997 audit, we have investigated the extent to which we consider that attention is being paid to this problem within your organisation.

A.2 Cases where the company was asked to look at its approach to the millennium problem in the previous year

Further to the comments we made in our 1996 management letter/report on the approach to the millennium problem, we have investigated the extent to which we consider that attention is being paid to this problem within your organisation.

B. Scope paragraph

We have limited our work to a survey of the extent to which the management is aware of the problem in question and the possible consequences for the organisation and its continued existence as a going concern. Furthermore, we have taken note of the planned (and partially implemented) activities to solve the problem within the time available. We have based our findings on the information provided to us (by the senior staff member responsible). We have not carried out a detailed review of the approach followed, nor have we ascertained whether it has actually been implemented.

We would draw your attention to the fact that the solution to the millennium problem is the responsibility of the management of the organisation.
The work we carried out as part of the audit of the annual accounts, with respect to the millennium issue, was intended only to evaluate whether, as a consequence of this issue, there may be possible risks to the company's ability to continue as a going concern. In the worst case, this could have an impact on the annual accounts in question or on the annual accounts for future years. This means that not all sections of the management are necessarily involved in this matter.

Footnote: The text printed in italics is optional and can be used or adapted according to the circumstances of each situation.

C. Findings and recommendations

C.1 Cases where management is judged to be insufficiently aware of the millennium problem and the corresponding risks

Findings

Based on our findings, in our opinion, your organisation is not paying sufficient attention to the millennium problem. This is apparent, among other things, from the following matters:

• No survey/analysis has been carried out as yet within the company to determine the possible scope of the problem for the organisation;
• No concrete plan of approach for the solution to the problem has been drawn up;
• Etc.

Evaluation of potential risks

We would like to point out that the millennium problem could also have important consequences for your organisation. These consequences can relate to the amount of effort that is required to solve the problem. It is not possible at this time to estimate what efforts are required by your organisation given that such evaluation would involve a thorough survey and analysis, and list of solutions, none of which have been prepared.

In addition, the millennium problem can have consequences for the continuity of the operational processes of the organisation owing to the dependence of such processes on computerised information systems. The company has not yet investigated the extent and degree of this dependence.
Nevertheless, the examples set out below illustrate that your organisation may encounter possible operating risks:

Examples of computerised systems/processes crucial to the organisation in which the millennium problem could play a role (indicate that this is not an exhaustive list).

Recommendations

Based on the above, we recommend that the following action should be taken as soon as possible:

• Define a project with the aim of surveying, analysing and solving the millennium problem in the time available;
• Carry out a thorough survey and analysis focusing on the computerised systems within your organisation and, where possible, the systems operated by third parties. Attention should also be focused on interfaces between the various systems, both internally and externally;
• Prepare a tailor-made plan and carry out the necessary modifications based on this plan;
• Contact the suppliers of software and IT components to obtain clarity, and if possible, assurance on the extent to which their products are millennium-proof;
• Test the modified system or the new software (and versions of it) extensively to determine whether it is millennium-proof;
• Develop emergency procedures for the vital processes to allow them to continue in the event of a standstill or breakdown. This could also include making staff and resources available to confront the problems;
• Include a form of quality control and assurance within the project so as to be able to have a reasonable guarantee over the quality of implementation;
• Monitor and provide active management support for this project and make the necessary staff and resources available.

C.2 Cases where management either underestimates the millennium problem or recognises it and has taken action

Depending on the actual circumstances (under-estimation or recognition of the problem), the auditor can include the relevant sections of the text given in C.1 above in the management letter and/or the long-form report to the Supervisory Board.
Title | Audit alert 4 : the millennium issue |
Author | Koninklijk Nederlands Instituut van Registeraccountants |
Year | 1997 |
Collection name | NIVRA Publicaties |
PPN | 345384490 |
UBVU-ID | 0410020342001 |
Access details (URL) | http://imagebase.ubvu.vu.nl/getobj.php?ppn=345384490 |
Original shelfmark | EY.00342.- |
Transcript | EY 00342 Audit Alert 4: The millennium issue This is a translation of the official Dutch version of the Audit Alert. In the event of a dispute, the Dutch version shall prevail. 19 December 1997 N IV V\ Koninklijk NIVRA 2060 018 8065 1 KON::'-'|J JK NEDERL/.VDS r'" r VAN R£G1STERACC0UNÏA.^, ^. BIBLIOTHEEK Audit Alert 4: The millennium issue This is a translation of the official Dutch version of the Audit Alert. In the event of a dispute, the Dutch version shall prevail. 19 December 1997 To the members of the Royal NIVRA Introduction This Audit Alert is intended for use by registeraccountants working as auditors. However, information contained in this document may be of relevance to all registeraccountants. The aim of an Audit Alert is to provide information on topical issues and developments in the field of auditing. Background From various publications about the millennium, it would appear that the millennium problem is not being taken as seriously as i t should, and that a new expectation gap could well develop between the auditor and society in general as well as between the auditor and his/her client. This Audit Alert is intended to reduce the likelihood of an expectation gap emerging. By means of good written communication with the client (for example, in engagement letters, management letters and long-form reports to the Supervisory Board), the auditor can make clear the scope of his or her responsibility and expertise as well as the responsibility of the organisation's management. The auditor can assist his/her client for example by promoting awareness, helping to collect information and listing risks, advising on and assessing the project approach (and implementation) and engaging the services of experts. However, in principle, the auditor does not assume the role of a technical expert. 

Status of the Audit Alert

The Audit Alert should be seen as offering helpful guidance to the auditor in relation to the technical aspects of the millennium issue and is not part of the auditing standards generally accepted in the Netherlands. This does not detract from the fact, however, that auditors are recommended to consider the matters addressed in this Audit Alert.

Essence of the problem

The millennium problem stems from the fact that in the past in computer software, generally with the efficient use of memory and storage capacity in mind, only two digits, instead of four, were set aside to indicate the year element of the date function. As a result, with effect from 1 January 2000 (or earlier in some cases), the electronic data processing may become unreliable and in some cases even unusable. Unless action is taken to avoid the problem, such computer systems will read the year 2000 as the year 1900. This problem can arise in all computerised systems which use data fields.

A practical example: The use-by date of medicines is, in many cases, already extending beyond the year 2000. A wholesaler in medicines discovered that the new supplies of medicines with a use-by date on or after the year 2000 were repeatedly being placed at the front of the warehouse, instead of the medicines with a shorter shelf life (1998, 1999). If this situation is discovered too late in computerised warehouses, large stock writedowns (due to obsolescence) could occur. In addition, there is a chance that the stocks (with a use-by date of 2000 or later) will be destroyed due to the fact that the computer recognises them as old, i.e. to be used until 1900 or shortly thereafter.

It is not only the accounting and logistical processes in which this risk occurs, but also, for example, in the support processes (process computers and computers in aeroplanes, trains, etc.).
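
The warehouse failure in the practical example above can be reproduced in a few lines. The following is an added illustration, not part of the Audit Alert: the lot ids, the dates, the YYMMDD storage format, the function names and the pivot value of 50 are all assumptions made for the example. It contrasts a legacy routine that hard-wires the century to 19 with a fixed-window rule for deriving the century.

```python
from datetime import date

# Constructed sample stock: (lot id, use-by date stored as YYMMDD).
STOCK = [
    ("LOT-A", "981130"),  # use-by 30 Nov 1998
    ("LOT-B", "990615"),  # use-by 15 Jun 1999
    ("LOT-C", "000229"),  # use-by 29 Feb 2000
    ("LOT-D", "010331"),  # use-by 31 Mar 2001
]

PIVOT = 50  # assumed window: YY below 50 means 20YY, otherwise 19YY


def split_fields(yymmdd):
    """Split a six-digit YYMMDD string into integer year, month, day."""
    return int(yymmdd[0:2]), int(yymmdd[2:4]), int(yymmdd[4:6])


def legacy_pick_order(stock):
    """Shortest shelf life first, comparing the stored two-digit-year keys."""
    return [lot for lot, _ in sorted(stock, key=lambda rec: rec[1])]


def legacy_status(yymmdd, today):
    """Expiry check that always assumes the century is 19."""
    yy, mm, dd = split_fields(yymmdd)
    try:
        use_by = date(1900 + yy, mm, dd)
    except ValueError:
        # 1900 was not a leap year, so 29 Feb "00" is rejected outright.
        return "invalid date"
    return "expired" if use_by < today else "ok"


def windowed_use_by(yymmdd, pivot=PIVOT):
    """Derive the century from a fixed window instead of assuming 19."""
    yy, mm, dd = split_fields(yymmdd)
    century = 2000 if yy < pivot else 1900
    return date(century + yy, mm, dd)


def pick_order(stock):
    """Shortest shelf life first, comparing full four-digit-year dates."""
    return [lot for lot, _ in sorted(stock, key=lambda rec: windowed_use_by(rec[1]))]


def status(yymmdd, today):
    """Expiry check on the windowed (four-digit-year) date."""
    return "expired" if windowed_use_by(yymmdd) < today else "ok"


if __name__ == "__main__":
    today = date(1997, 12, 19)
    print("legacy pick order:  ", legacy_pick_order(STOCK))
    print("windowed pick order:", pick_order(STOCK))
    for lot, use_by in STOCK:
        print(lot, use_by, "legacy:", legacy_status(use_by, today),
              "| windowed:", status(use_by, today))
```

A window only postpones the ambiguity to the pivot year; storing the century explicitly removes it.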

In practice, it appears that embedded software (such as in heating systems, process control systems, access systems, alarm and telephone installations and communication systems) can also create wide-scale problems.

In the context of the millennium issue, an organisation needs to be aware of a wide range of potential risks. These include:

• Disruption or breakdown of business processes. In extreme situations, this can lead to the closure of all or part of the organisation;
• Legal risks, such as the risk of being held liable (product liability or liability based on guarantees given). Furthermore, there is a risk that statutory obligations, purchase or supply commitments cannot be met;
• Risks as a result of the chain effect. On the one hand, problems can arise as a result of interfaces with third party systems, in which the millennium problem has not been anticipated. On the other hand, important business relations (for example, component suppliers and customers) may not meet their "commitments" due to an inadequate approach, or in the worst case, the business fails;
• The risk that the statutory obligations relating to the storage of data (e.g. State Taxes Act) cannot be complied with because data from past years can no longer be accessed;
• Financial risk, such as where excessively high project expenditure is incurred in making the organisation millennium-proof and the costs of consequential damage if systems fail;
• The risk that the problem is not adequately or promptly addressed because of the scale of its scope and impact. There is expected to be a large shortage of experts.

With regard to the legal risks, the following matters deserve consideration.

Auditors should take account of the fact that the millennium problem can affect the products supplied by organisations, for example, organisations which supply software products and/or hardware (components) with embedded software. It is often unclear as to who should bear the costs of modification or replacement. It is not inconceivable that these costs will be charged to the supplier and/or the producer. Account should also be taken of the risk of claims for damages if software and/or hardware (components) previously supplied no longer function reliably prior to, during and after the turn of the century. Advice given by the Government Prosecutor indicates that it is not possible to make general statements as to the circumstances in which a supplier can be held liable. The liability question quickly collapses in personalised contract relationships.

[Footnote: Millennium-proof can be defined as follows: "A product is millennium-proof if the functioning, quality and performance of the project is not affected in any way by the processing of dates before, during and after the year 2000. This means (but is not restricted to):
• at no time shall the applicable value for the actual date influence the proper operation and performance of the product;
• functionality which is based on dates should remain unchanged irrespective of whether the dates are before, during or after the year 2000;
• the century in each date should be specified in all storage media, interfaces with other systems and/or people and the processing units, either explicitly or by using unambiguous algorithms or rules, so that no errors can arise as a result of an incorrect interpretation;
• the year 2000 should be recognised and processed as a leap year."
Source: Government Prosecutor; prepared for the Government.]

According to this advice, in all probability it will not be possible to obtain clarity beforehand on the issue of liability by means of emergency legislation (Lower House, parliamentary session 1997-1998, 25 674, no. 1, annex 2).

Responsibility for the approach to the millennium problem

The management of the organisation is responsible for the approach to the millennium problem, from the time it becomes aware of it through to the search for possible solutions, the implementation of the chosen solution and the aftercare. This applies, among other things, to systems (own systems and systems belonging to third parties on which the organisation depends) and for the assessment of the extent to which a business relation is millennium-proof (for example, suppliers and customers).

The role of the auditor in the context of the (statutory) audit of the annual accounts

In the context of the audit of the annual accounts, it is the responsibility of the auditor to issue an audit report on these accounts. The audit of the annual accounts does not imply that any degree of assurance is given on the ability of the systems or all or part of the organisation to deal with the millennium problem. This fact should be clearly understood by all parties involved.

By use of clear (preferably written) communication it is possible to set out the respective responsibilities of the management of the organisation and that of the auditor. This applies, for example, to the letter of engagement, but also to the management letter and the long-form report to the Supervisory Board. The auditor should avoid giving any impression that he/she is making a statement on the extent to which the organisation is millennium-proof. The auditor should also be aware that, in principle, he/she does not have sufficient technical expertise in relation to the millennium problem (Section 11, GBR, 1994).

Pursuant to Article 393 (4) of Book 2 of the Netherlands Civil Code, the auditor (in the context of the audit of the annual accounts of medium- and large-sized legal entities) issues a report to the Board of Supervisory Directors and to the Board of Directors (the long-form audit report). According to the second sentence of this article, the auditor "at least reports his findings on the reliability and continuity of the electronic data processing".

It is considered vitally important that the auditor informs the Supervisory Board and the Management Board on the approach of the millennium problem by the management. The information to be included can focus on the risk awareness and the approach by the management. Depending on the circumstances in each case, the auditor can make reference to these matters either in writing in the long-form report to the Supervisory Board or in the management letter, or verbally. If information is given verbally, a note of the meeting should preferably be placed on the audit file.

Annex 1 provides an example of the matters which an auditor might consider in assessing the management's level of awareness and approach in relation to the millennium issue. Annex 2 provides an example of the wording which could be included in the management letter for 1997 and/or the 1997 long-form report to the Supervisory Board.

The role of the auditor in the context of "audit-related engagements"

As with audit engagements, when accepting audit-related engagements, the auditor should be aware that, in principle, he/she has insufficient technical expertise in relation to the millennium problem (Section 11, GBR, 1994). Clear (preferably written) communication between the management of the organisation and the auditor should set out the respective responsibilities of each party.
For each type of engagement it should be considered whether the letter of engagement should state that carrying out the engagement does not imply that any degree of assurance will be given on the extent to which the systems or all or part of the organisation are millennium-proof.

The auditing standards generally accepted in the Netherlands (guideline 120) divide "audit-related engagements" into review engagements, engagements to perform agreed upon procedures and compilation engagements.

The same areas of attention apply to review and compilation engagements as to the audit of the annual accounts. For this reason, it is strongly recommended to address the millennium problem in the reports for such engagements.

With respect to engagements to perform agreed upon procedures, the due diligence investigation can serve as an example. In consultation with the client, the auditor will normally determine whether, and to what extent, work will be carried out on the risk awareness of, and the approach by, the management to the millennium problem. The value of an organisation in the case of an acquisition, for example, may be considerably lower if it appears that the millennium problem is insoluble, or cannot be solved within the available time, or only at considerable expense.

The role of the auditor in the context of specific millennium engagements

For specific millennium engagements, also, the auditor should be aware that in principle, he/she has insufficient technical expertise on the millennium problem (Section 11, GBR, 1994). In practice, experts often do not consider it possible, given the nature and scope of the problems, to make a statement efficiently and with a high degree of assurance on the extent to which systems and/or organisations are millennium-proof. As is the case for audit engagements and audit-related engagements, clear communication (preferably written) is important.
It should also be realised that the management of organisations requires assurance about the solution of the problem and that auditors (for example, in co-operation with registered EDP auditors or other experts) certainly can provide added value. Examples include promoting awareness, collecting information, assisting in listing risks, advising on and reviewing the project approach (and implementation) and engaging technical experts.

Directives from regulators

Regulatory bodies may have already issued directives on the millennium problem, which may also have consequences for the work of the auditor. An example of this is the directives issued by the Dutch Central Bank (DNB memorandum of 12 September 1997). The publication of such directives, which are often directed at the client, could lead to a change in the conditions of the engagement previously agreed between the client and the auditor.

Updating the Audit Alert

It is currently being investigated whether an updated Audit Alert should be issued in the course of 1998. This update would specifically address the consequences for the type of audit report and the text of the report in the 1998 accounts, particularly in connection with any going concern issues that may arise as a result of a possible millennium problem.

The valuation of assets and liabilities in the annual accounts is made on the assumption that the organisation will continue in operational existence for the foreseeable future, unless this assumption is not valid or there is doubt concerning the ability of the organisation to continue its operations (the going concern assumption). Given that, in many cases, experts have been unable, due to the nature and scope of the problem, to provide an opinion that carries a high degree of assurance as to the extent to which organisations are millennium-proof, the millennium problem carries with it the risk that the going concern assumption may no longer be appropriate for a particular organisation.
This issue will be addressed specifically in the updated Audit Alert.

Final comments

This Audit Alert has been prepared by the Millennium Working Group. In this working group, the Royal Nederlands Instituut van Registeraccountants (Royal NIVRA) cooperated with the Nederlandse Orde van Register EDP Auditors (NOREA) and the Nederlandse Orde van Accountants-Administratieconsulenten (NOvAA).

A joint NIVRA/NOREA/NOvAA meeting is scheduled to take place on 12 January 1998 for registeraccountants, registered EDP auditors and accounting consultants, at which the members will be given the opportunity to obtain more detailed information in relation to the problem. Furthermore, a brochure is expected to be published in February 1998 (also a joint effort of the Royal NIVRA, NOREA and NOvAA), in which the millennium problem will be discussed in more detail.

Further information on this Audit Alert in particular and the millennium problem in general can be obtained from:

Royal NIVRA
Mr R. Hoos RA
P.O. Box 7984
1008 AD Amsterdam
Telephone: (+) 31 20 3010356
Fax: (+) 31 20 3010302
E-mail: R.Hoos@accountnet.nl

Annex 1 to Audit Alert 4

List of potential millennium problem areas to be considered by the auditor

This questionnaire is for general guidance only. The contents of the questionnaire are merely illustrative and certainly not exhaustive. Its objective is to provide an impression of the level of awareness of, as well as the approach by management to, the millennium problem within an organisation.

A. Awareness on the part of management

The management will have to have a leading role in relation to finding a solution to the millennium problem. To do so will require an understanding of possible consequences of the millennium problem for the organisation. This awareness is not restricted to a recognition of the problem, but also extends to formulating an action plan to solve the millennium problem.
Based on their responses to the following series of questions, an impression can be gained of management's level of awareness in relation to the millennium problem.

1. Does management regard itself as being involved in the millennium problem?
2. Has management developed a project plan, setting out a detailed approach?
3. Has a project been defined to analyse and solve the problem?
4. Is management regularly informed about the development of the millennium project, for example, by taking note of the project's progress?
5. Has a timetable been developed for the millennium project?
6. Has management made resources (human and physical) available to guarantee that the millennium project can be finished properly and on time?
7. Is the chosen solution currently being implemented or have plans been made to implement the solution in the near future?
8. If the solution has not yet been implemented, is the management of the organisation trying to obtain the required capacity to achieve the goals set?
9. If the solution has been fully implemented, have the systems been tested sufficiently to guarantee that they are millennium-proof?

B. Approach by management

The following questionnaires have been prepared on the assumption (I) that the management is aware of the millennium problem and has already taken action on this matter, or will do so in the near future; and (II) the millennium problem will be dealt with in the form of a project. The structure of the millennium project should normally provide sufficient guarantees to ensure that the millennium problem is properly and promptly solved.

An indication of the approach to the millennium problem on the part of management can be obtained on the basis of responses gained to the questionnaire below. The questionnaire is presented in a format for discussion question-by-question with the client.

B.1 Survey and analysis

1. Has a survey of the IT environment been carried out?
2. Has an IT-dependence analysis been carried out?
3. If there is a large degree of business relation dependence (for example, suppliers and customers), is an assessment of their approach to the millennium problem included in the millennium project?
4. Is the extent to which the systems, located outside the organisation and on which the organisation is dependent, are millennium-proof included in the analysis (for example, in the event of subcontracting, the use of EDI and interfaces)?
5. Is attention being paid (by management) to the way in which applications are analysed (manually or using tools such as analysis tools, etc.)?
6. Is attention being paid (by management) to the depth with which applications are being analysed?
7. Is attention being paid (by management) to considering the extent to which applications will have to cope with the turn of the century before the year 2000 millennium problems occur (for example, when concluding long-term contracts, shelf-life of stocks, etc.)?
8. Is attention being paid (by management) to analysing the interfaces between various applications (including external interfaces)?
9. Is attention being paid (by management) to analysing the business risk if applications are not made millennium-proof on time?
10. Is attention being paid (by management) to the extent to which current applications will be supported by the supplier in the future?
11. Is attention being paid (by management) to the influence of a possible millennium problem within the clock mechanisms (in connection with the applications) of IT components, such as operating systems, networks, etc.?
12. Is the extent to which new applications have an impact on other IT components (capacity of hardware, network, etc.) being investigated (by management)?
13. Is it being investigated (by management) whether important external parties (for example, suppliers, customers) are paying sufficient attention to the millennium problem?
14. Have "reliable" guarantees been issued by suppliers of standard software and IT components about whether they are millennium-proof?
15. Have (according to management) products been supplied by the organisation, the effective operation of which can be affected by the millennium problem?

B.2 Project organisation

1. Has a project plan been prepared on the basis of the survey and IT-dependence analysis?
2. Has the organisation prepared a list of solutions tuned to the millennium problem (this can include, for example, the replacement of software, reprogramming of existing software, etc.)?
3. Has a project group been set up and a project manager appointed to solve the millennium problem?
4. Is a member of the management team part of the project group?
5. Are there clear tasks, powers and responsibilities for the respective members of the project group?
6. Are there procedures for recording findings and problems?
7. Is there a timetable (critical or otherwise) for the millennium project?
8. Has the planning been set up so that an active response can be given to developments or changed circumstances?
9. Is the management informed regularly about the progress of the millennium project?
10. Has sufficient attention been given within the organisation to the awareness of the millennium problem and to the way in which the organisation in question approaches this problem?
11. Have sufficient funds been set aside to deal with the millennium problem?
12. Have sufficient experts been made available for the millennium problem?
13. Has sufficient IT capacity and time for conversion and testing been made available/contracted for (this should also be considered in the case that standard software is used)?
14. Is sufficient attention being paid to matters other than the modification of software, such as converting data files, consequences for existing hardware, etc.?
15. Are the necessary (specific) environments available for analysis, modification and testing?
16. Is relevant documentation being updated on a timely basis when making modifications to IT-equipment?
17. Are IT suppliers with sufficient experience being involved in the project?
18. Have contacts been made with suppliers of applications that are used within the organisation to ensure that the millennium problem is solved within the time available?
19. Have sufficient control and monitoring measures been taken to guarantee the quality of the work carried out?

B.3 Conversion, testing and implementation and emergency scenarios

1. Has a conversion plan, test plan and implementation plan been prepared, paying attention to time limits, involvement of external parties (including suppliers) and users, documentation, etc.?
2. Does the conversion plan make a distinction between the conversion of applications and data files?
3. Does the test plan provide for the testing of the separate applications and the interfaces between the applications, and (if applicable) the testing of applications in a new IT environment?
4. Have emergency scenarios been developed in relation to vital processes to enable these processes to continue uninterrupted in the cases in question?

Annex 2 to Audit Alert 4

Example text that may be included in the 1997 management letter and/or in the 1997 long-form report to the Supervisory Board.

A. Introduction

A.1 Cases where no attention has been paid to the millennium problem in previous management letters or long-form reports to the Supervisory Board.

What is known as the millennium problem has become increasingly important. The problem stems from the fact that in the past in computer software, generally with the efficient use of memory and storage capacity in mind, only two digits, instead of four, were set aside to indicate the year element of the date function. As a result, with effect from 1 January 2000 (or earlier in some cases), the electronic data processing may become unreliable and, in some cases, even unusable.
Unless action is taken to avoid the problem, such computer systems will view the year 2000 as the year 1900. This problem can occur, in principle, in all computerised systems in which data fields are used. This makes it necessary to investigate all systems used by the organisation (internally or by third parties).

Given that the millennium problem can have serious consequences for the management and even for the continued existence of the company as a going concern around the turn of the century, in the context of the 1997 audit, we have investigated the extent to which we consider that attention is being paid to this problem within your organisation.

A.2 Cases where the company was asked to look at its approach to the millennium problem in the previous year

Further to the comments we made in our 1996 management letter/report on the approach to the millennium problem, we have investigated the extent to which we consider that attention is being paid to this problem within your organisation.

B. Scope paragraph

We have limited our work to a survey of the extent to which the management is aware of the problem in question and the possible consequences for the organisation and its continued existence as a going concern. Furthermore, we have taken note of the planned (and partially implemented) activities to solve the problem within the time available. We have based our findings on the information provided to us (by the senior staff member responsible). We have not carried out a detailed review of the approach followed, nor have we ascertained whether it has actually been implemented.

We would draw your attention to the fact that the solution to the millennium problem is the responsibility of the management of the organisation.
The work we carried out as part of the audit of the annual accounts, with respect to the millennium issue, was intended only to evaluate whether, as a consequence of this issue, there may be possible risks to the company's ability to continue as a going concern. In the worst case, this could have an impact on the annual accounts in question or on the annual accounts for future years. This means that not all sections of the management are necessarily involved in this matter.

[Footnote: The text printed in italics is optional and can be used or adapted according to the circumstances of each situation.]

C. Findings and recommendations

C.1 Cases where management is judged to be insufficiently aware of the millennium problem and the corresponding risks

Findings

Based on our findings, in our opinion, your organisation is not paying sufficient attention to the millennium problem. This is apparent, among other things, from the following matters:

• No survey/analysis has been carried out as yet within the company to determine the possible scope of the problem for the organisation;
• No concrete plan of approach for the solution to the problem has been drawn up;
• Etc.

Evaluation of potential risks

We would like to point out that the millennium problem could also have important consequences for your organisation. These consequences can relate to the amount of effort that is required to solve the problem. It is not possible at this time to estimate what efforts are required by your organisation given that such evaluation would involve a thorough survey and analysis, and list of solutions, none of which have been prepared.

In addition, the millennium problem can have consequences for the continuity of the operational processes of the organisation owing to the dependence of such processes on computerised information systems. The company has not yet investigated the extent and degree of this dependence.
Nevertheless, the examples set out below illustrate that your organisation may encounter possible operating risks:

Examples of computerised systems/processes crucial to the organisation in which the millennium problem could play a role (indicate that this is not an exhaustive list).

Recommendations

Based on the above, we recommend that the following action should be taken as soon as possible:

• Define a project with the aim of surveying, analysing and solving the millennium problem in the time available;
• Carry out a thorough survey and analysis focusing on the computerised systems within your organisation and, where possible, the systems operated by third parties. Attention should also be focused on interfaces between the various systems, both internally and externally;
• Prepare a tailor-made plan and carry out the necessary modifications based on this plan;
• Contact the suppliers of software and IT components to obtain clarity, and if possible, assurance on the extent to which their products are millennium-proof;
• Test the modified system or the new software (and versions of it) extensively to determine whether it is millennium-proof;
• Develop emergency procedures for the vital processes to allow them to continue in the event of a standstill or breakdown. This could also include making staff and resources available to confront the problems;
• Include a form of quality control and assurance within the project so as to be able to have a reasonable guarantee over the quality of implementation;
• Monitor and provide active management support for this project and make the necessary staff and resources available.

C.2 Cases where management either underestimates the millennium problem or recognises it and has taken action

Depending on the actual circumstances (under-estimation or recognition of the problem), the auditor can include the relevant sections of the text given in C.1 above in the management letter and/or the long-form report to the Supervisory Board.
|