Supervisory Committees Role in Year 2000 Compliance

The supervisory committee has a critical role in the success of Year 2000 initiatives, and it is this role we want to address.

We previously issued to all federally insured credit unions two letters to credit unions dealing with Year 2000 compliance: Letter No. 96-CU-5 dated August 16, 1996, and Letter No. 97-CU6 dated June 3, 1997. These letters are enclosed.

Both letters alerted credit unions to the substantial risks represented by the programming code in existing computer systems as we enter the new millennium. Virtually every organization will have its computing operations affected in some way by the roll over of the two digit year value from “99” to “00”. We strongly urged boards of directors and senior management to achieve Year 2000 compliance by performing a high level risk assessment of how systems are affected, followed by the development of a detailed action plan to timely address the problems. The supervisory committee plays a critical role in the credit union’s success.

Under §701.12 of the NCUA Rules and Regulations, the supervisory committee must ensure that the financial condition of the credit union is accurately and fairly presented in the credit union’s financial statements; and the credit union’s management practices and procedures are sufficient to safeguard members’ assets. To meet these responsibilities, §701.12(b)(2) sets forth four requirements. The first, dealing with ensuring internal controls are sufficient to meet financial reporting objectives, and the fourth, dealing with policies and control procedures sufficient to safeguard against error and carelessness, are the most relevant to the Year 2000 discussion.

During your next annual supervisory committee audit, but even more importantly now in interim periods, an assessment of the credit union’s progress and testing of the implementation of Year 2000 modifications is critical. It is your immediate responsibility to assess the board and management on their success in:

• Developing a risk assessment that identifies systems and applications that must be modified, such as, mainframes, personal computers, networks, telephones and PBX systems, audio voice systems, fax machines, elevators, security systems (vaults, badge readers, surveillance systems, etc.).
• Identifying the segments of computer systems that must be modified.
• Identifying and testing the various interface linkages between communication systems, software packages, and delivery systems.
• Evaluating various alternatives (determining which applications that should be redeveloped, replaced, or modified).
• Estimating costs for modifications.
• Reviewing, approving, and establishing milestones to ensure the timely completion of their institution’s millennium plan.
• Ensuring that new systems are Year 2000 compliant.
• Planning, developing and putting into place an adequate contingency plan for critical systems (fall back position) in the event of catastrophic conditions.

If your review leads you to assess that the credit union lacks the necessary expertise to comply with the above requirements, you need to make a written recommendation that the board seek help from outside resources and periodically follow-up on that recommendation. During regulatory and insurance examinations, as applicable, we will be looking for the committee’s review and oversight of the credit union’s Year 2000 initiatives.

Later this year, NCUA will publish and issue a self-analysis guide which credit union management can use to measure successful Year 2000 implementation. This Guide will be a resource for the supervisory committee, as well. Enclosed you will find the examination procedures that NCUA examiners will employ in evaluating credit union Year 2000 compliance. Additionally, the AICPA has issued a document which may be helpful to you, “The Year 2000 Issue: Current Accounting and Auditing Guidance” -- it is available through the AICPA or via their homepage on the worldwide web at www.aicpa.org.

The integrity and success of your credit union will depend on cooperation and timely efforts to meet Year 2000 concerns. If, even with your best efforts, the credit union’s board or management continues to defer dealing with Year 2000 concerns, you may contact your supervising NCUA regional director or state supervisory authority.