THE 2000 FORUM SEMINAR

Internal Audit’s Role in Y2k: A Case Study

By:- Wayne Haw
Group IS Auditor
Altron Management Services
E-mail:- wrhaw@ams.altron.co.za

Outline

Introduction

Case Study

Ideal Scenario

INTRODUCTION

Y2k

All of us present know what the "Year 2000 Problem" is all about, the consequences, and the process to solve it.

The things that we lack are time and experience.

What is Internal Audit

In any organisation the responsibility for ensuring that corporate goals and objectives are achieved and that results are consistent with expectations, rests with management. To improve performance and ensure survival in today's competitive and complex environment, management must take significant commercial risks. It is essential therefore, that where significant risks are taken there are also adequate controls in place.

To monitor and reassure management of the adequacy of their controls an internal auditing function is usually established. Internal auditors provide a valuable service to management, advising them on the relationship and balance between risk and control and helping them to:

  • use resources effectively

  • safeguard assets

  • assess the reliability and accuracy of management information

  • comply with agreed procedures, regulations and laws

As well as providing independent advice and proposing solutions to control problems, internal auditors also advise management on the impact of new systems and activities and on major organisational developments.

King’s Report on Corporate Governance

The King Report on Corporate Governance was published in November 1994.

Endorsed by the JSE in 1996.

The King Commission was appointed by the Institute of Directors to make recommendations on the financial aspects of corporate governance.

Internal controls

The directors are responsible for instituting an effective system of internal control.

Your directors report that the company's internal controls and systems are designed to provide reasonable assurance as to the integrity and reliability of the financial statements and to safeguard adequately, verify and maintain accountability of its assets. Such controls are based on established written policies and procedures and implemented by trained, skilled personnel with an appropriate segregation of duties. These are monitored throughout the company and all employees are required to maintain the highest ethical standards in ensuring that the company's business practices are conducted in a manner which, in all reasonable circumstances, is above reproach. Nothing has come to the attention of your directors to indicate that any material breakdown in the functioning of these controls, procedures and systems has occurred during the year under review. The auditors concur with the above statement by the directors.

Internal audit

The internal audit function is also a vital part of an effective system of corporate governance.

The scope of internal audit should be as follows:

  • Review the reliability and integrity of financial and operating information and the means used to identify, measure, classify and report such information
  • Review the systems established to ensure compliance with policies, plans, procedures, laws and regulations
  • Verify the existence of assets and review the means of safeguarding assets
  • Appraise the economics and efficient management of the company's financial, human and other resources
  • Review operations to ascertain whether results are consistent with established objectives and goals and whether operations are being carried out as planned.

Functions of the Board of Directors

  • Direct the company as to strategy and structure
  • Ensure that executive management implements the strategy
  • Ensure the company has adequate systems of internal controls, both operational and financial
  • Monitor activities of executive management
  • Select the chief executive
  • Ensure succession
  • Give guidance on appointment of senior executives
  • Provide information on company activities
  • Ensure the company operates ethically

To be reviewed during 1998.

JSE Requirements for Y2k

Listing Requirements: Disclosure with regards to Year 2000 Compliance

The new requirements become effective on 1 May 1998 and are equally applicable to companies already listed and to new applicants for listing.

Companies are required to include the following in their annual reports, interim reports and pre-listing statements:

  • Disclosure by the company as regards its plan of action (including its plans for testing), steps taken and to be taken and expenditure incurred in order to be prepared for the information technology problems expected to occur on or about 1 January 2000;

  • Disclosure regarding any material operational difficulties experienced or expected as a result of the problems associated with the advent of the year 2000 as well as details regarding the likely impact of these difficulties on the company’s performance, should all or part of the company’s systems not be year 2000 compliant;

  • Disclosure regarding the risk and likelihood of the company facing liability directly or indirectly arising from a failure to address or meet the problems associated with the advent of the year 2000;

  • Disclosure regarding the state of compliance of all the company’s agents (including transfer secretaries) and the company’s plan of action if its agents are not year 2000 compliant;

  • The company’s target date by which it will be year 2000 compliant.

The above may be contained in a separate section of the pre-listing statement, annual report and interim report and need not be audited.

External Auditors and Y2k

Purpose of the circular

SA INSTITUTE OF CHARTERED ACCOUNTANTS CIRCULAR 1/98

THE YEAR 2000 ISSUE: IMPLICATIONS FOR THE AUDIT OF ANNUAL FINANCIAL STATEMENTS

This circular is intended to clarify the impact of the year 2000 issue on a financial statement audit and is based on the following:

  • It is management’s responsibility to ensure that the business adequately addresses the issue.

  • The auditor’s responsibilities outlined in statements of South African Auditing Standards (SAAS) have not changed with the manifestation of the year 2000 issue.

  • The auditor obtains a sufficient understanding of any material impact on the financial statements.

The objectives of this circular are therefore:

  • to assist in clarifying both management’s and the auditor’s responsibilities,

  • to suggest what might be appropriate enquiries for the auditor to make of management,

  • to suggest matters that might be reported to management,

  • to provide assistance in the application of statements of SAAS to this issue,

  • to suggest circumstances where an auditor may issue a modified report, and

  • to assist in overcoming the risk of an audit expectation gap arising.

Internal Audit and Y2k

There are a number of accounting issues that could arise as a result of the Year 2000.

These include:

• Incorrect accounting estimates

• Completeness

• External and internal costs associated with modifying software

• Impairment of assets

• Contingent losses

• Commitments

• Disclosures of risks and uncertainties/measurement uncertainty

• Securities laws that may mandate disclosure

• Going concern.

The Year 2000 problem is not a potential risk, but a certain risk. It would be ideal if Internal Audit could itself test the systems for Year 2000 compliance; however, this is very difficult to accomplish. It is therefore important to use a combination of audit verification methods, such as inquiry, review, observation and re-performance, based on the business criticality of the system.

MANAGEMENT AND AUDITOR RESPONSIBILITY

The operations of an entity are under the control of management, which has the responsibility for the accurate recording of transactions and the preparation of financial statements in accordance with generally accepted accounting principles. These responsibilities include those related to internal control, such as designing and maintaining accounting records, selecting and applying accounting policies, safeguarding assets and preventing and detecting error and fraud.

Boards of directors, audit committees and senior management look to auditors to provide assurance that this business continuity issue is effectively addressed.

What do we, as auditors, need to do to provide such assurance? Is it enough to simply ask management if the issue is being addressed? How do we dig deeper to gain adequate assurance that reasonable actions are being taken and that the business risk is being managed effectively? From our own point of view, the audit risks are high. So we must have a high degree of confidence in our conclusions regarding the business readiness for the Year 2000.

Management has the following objectives:

  • To avoid failures and disruptions

  • To protect and enhance the shareholder value of the enterprise

  • To manage the legal risks by both avoiding / minimizing litigation and at the same time being prepared for litigation.

Internal Audit can help management in mitigating risks and meeting the management objectives.

The audit objectives are:

  • to ensure comprehensive action by management to assess the business impact of information systems and vendor services, to correct, to test, and to implement the solutions;

  • to provide assurance related to:

    effectiveness of management process for addressing the Year 2000 challenge;

    comprehensiveness of coverage;

    effectiveness of projects and documentation;

    ongoing status that the enterprise is on target throughout to achieve the objective of avoiding failures and disruptions;

    Year 2000 readiness of the business in the end; and

  • to maintain adequate audit records so as to provide for regulatory reliance and also to be prepared for litigation.

Internal Audit functions can help management in mitigating risks and meeting the management objectives.

Case Study

Altron’s Structure

Altron – Altech – Fintech – Powertech

– over 200 operations

– around 35 main & then at company level/division/branches

The Altron Y2k Project Team

Structure & Members

  • Group FD

  • Group FM

  • Group IT Manager

  • Group Legal Adviser

  • Group IS Auditor

  • Representative from each sub-holding

  • 2000 Forum Representative

Each sub-holding company, and then each company within the group, has its own project team with a project leader.

Function & Involvement

Objectives:

  • to monitor and expedite progress with the individual company projects,

  • to act as the communications channel between the companies, the project team, and the 2000 Forum,

  • to provide access to expertise and channel requests for assistance

  • generic suppliers list.

Internal Audit’s Involvement

Internal Audit’s Structure – including divisional auditors

Team of 12 HO & 10 divisional

Every audit & specific – detail & overview

As part of each review – standard questionnaire involving interview etc.

Specific requests

Internal Audit’s Approach

But while the audit function is familiar to many companies, the Year 2000 is not. The millennium poses a challenge that at first seems quite simple, but soon uncovers complexities and ramifications that still escape even the most gray-haired (or lost-haired) auditor and project manager.

The Year 2000 impacts many unanticipated applications, devices and practices, some of which may not be uncovered until it is too late. By mid 1998, many Year 2000 issues may be common knowledge.

Worse yet, there is no recovery time for the Year 2000. Many applications are "breaking" now, or will be date-challenged before 2000. Unlike projects past, we cannot fail, scrap the project and start again - there simply is no second chance. That is why I hear more and more clients urgently discussing the Year 2000 audit. And by "audit" I often find they are trying to address four distinct needs:

1. "The Paper Trail"

2. Early Warning

3. Test Certification

4. "Clout"

Not a technical IT issue – a business issue

Requirements

  • Business understanding

  • Application System Knowledge

  • Independence

  • Internal Controls & Weaknesses

  • Project Macro Plan

  • Consultation, Audit Assurance, Risk Management, Project Management

Identify which internal controls the Y2k issue would compromise during a normal systems review.

Staff awareness – training sessions & discussions

Impact of non financial systems on financial systems

Reporting to executive management & audit committee

Results – Pluses & Minuses

Not there to apportion blame but to give direction and focus on critical areas.

Ideal Scenario

How can Internal Audit add the most value?

What areas should Internal Audit be involved in?

What should Internal Audit’s focus be?

How much time should be available to conduct reviews?

What can be done about the lack of co-operation and education of auditors?

Additional information:-

Attached is some additional information on this topic.

These are copied from various publicly available documents.

Sample Assessment Programs

Year 2000 Considerations (ISACA)

Year 2000 Audit Guideline (ISACA)

Sample Questions Directors Can Ask (CICA)

Some Technical Considerations (CICA)

Selected Internet Sites

ISACA - http://www.isaca.org/yr2000.htm

CICA – http://www.cica.ca/ (French & English)