Skip to Highlights
Highlights

Pursuant to a congressional request, GAO reviewed the National Credit Union Administration's (NCUA) progress in making sure that the automated information systems belonging to the thousands of credit unions it oversees have adequately mitigated the risks associated with the year 2000 date change.

Skip to Recommendations

Recommendations

Recommendations for Executive Action

Agency Affected Recommendation Status
National Credit Union Administration 1. NCUA should require credit unions to implement the necessary management controls to ensure these financial institutions have adequately mitigated the risks associated with the Year 2000 problem. Specifically, NCUA should require credit union auditors to include Year 2000 issues within the scope of their management and internal control work and report serious problems and corrective actions to NCUA immediately.
Closed - Implemented
On December 1, 1997, NCUA issued a letter, including examination procedures, to the credit union supervisory committees notifying them of the need to include Year 2000 issues as part of the required annual internal control analysis work.
National Credit Union Administration 2. To aid credit union auditors in this effort, NCUA should provide auditors with the procedures developed by NCUA for its examiners to use in assessing Year 2000 compliance and any other guidance that would be instructive.
Closed - Implemented
NCUA's December 1, 1997, letter notifying the credit union supervisory committees of the need to include Year 2000 within the scope of their work included the examination procedures used by NCUA's examiners in assessing Year 2000 compliance.
National Credit Union Administration 3. NCUA should require credit unions to establish processes whereby credit union management would be responsible for certifying Year 2000 readiness by a deadline well before the millenium. Such a certification process should include credit union compliance testing by an independent third party and should allow sufficient time for NCUA to review the results.
Closed - Implemented
In a November 28, 1997, letter to the credit unions, NCUA required credit union management to attest via signature to the accuracy and completeness of future quarterly Year 2000 progress reports to NCUA. However, regarding the use of independent third parties to review system testing results, NCUA stated that it does not believe such reviews would be cost-effective due to, among other things: (1) the difficulty of finding enough firms to perform the reviews; (2) the cost of having all credit unions conduct them; and (3) the potential credit union complacency that could result from the sense that such reviews mitigate all Year 2000 risks.
National Credit Union Administration 4. NCUA should, before the end of the year, determine the level of technical capability needed to allow for thorough review of credit unions' Year 2000 efforts and hire or contract for this capability.
Closed - Implemented
NCUA did not perform an analysis to determine the level of technical capability needed to allow for thorough review of credit unions' year 2000 efforts because, according to agency officials, it did not have the time or resources to hire and develop a large in-house technical staff. Instead of making this assessment, NCUA identified how it could use existing resources to assess technical year 2000 issues. Using this approach, NCUA: (1) contracted with a public accounting firm to review 35 of the largest data processing service providers and 25 large credit unions with either in-house or very complex systems; and (2) hired 3 information systems officers to support its examiners.
National Credit Union Administration 5. NCUA should accelerate agency efforts to complete the assessment of the state of the industry by no later than November 15, 1997, rather than waiting until the end of the year.
Closed - Not Implemented
NCUA completed its initial industry assessment by December 31, 1997, as originally planned and agreed to with the Federal Financial Institutions Examination Council.
National Credit Union Administration 6. NCUA should collect the necessary information to determine the exact phase of each credit union and vendor in addressing the Year 2000 problem. Because NCUA currently does not have a process in place for interim reporting of this information between examinations, NCUA should require credit unions to report the precise status (phase) of their efforts on at least a quarterly basis. One option would be to use the financial reports, commonly referred to as call reports, that credit unions provide to NCUA quarterly. As part of this report, NCUA should also require credit unions to report on the status of identifying their interfaces to determine whether this issue is being adequately addressed and if not, require credit unions to implement such agreements as soon as possible.
Closed - Implemented
Last fall, NCUA implemented a quarterly tracking system and started collecting quarterly information from the credit unions on the status of their remediation efforts including the completion percentage of each phase for mission-critical systems and interfaces in December 1997. In addition, on January 14, 1998, NCUA issued a letter to federally insured credit unions describing the potential problems associated with the system interface issue and providing steps to manage the problem.
National Credit Union Administration 7. NCUA should formally document its contingency plans.
Closed - Implemented
On January 22, 1998, NCUA issued an instruction to its examiners containing its Y2K contingency plan and specific guidance on how examiners are to enforce it. A week before, NCUA had issued a letter to the federally insured credit unions containing guidance for preparing their own contingency plans.

Full Report