[House Hearing, 106 Congress]
[From the U.S. Government Publishing Office]
YEAR 2000 CONVERSION EFFORTS AND IMPLICATIONS FOR BENEFICIARIES AND
TAXPAYERS
=======================================================================
HEARING
before the
COMMITTEE ON WAYS AND MEANS
HOUSE OF REPRESENTATIVES
ONE HUNDRED SIXTH CONGRESS
FIRST SESSION
__________
FEBRUARY 24, 1999
__________
Serial 106-91
__________
Printed for the use of the Committee on Ways and Means
U.S. GOVERNMENT PRINTING OFFICE
66-850 CC WASHINGTON : 2001
_______________________________________________________________________
For sale by the U.S. Government Printing Office
Superintendent of Documents, Congressional Sales Office, Washington, DC
20402
COMMITTEE ON WAYS AND MEANS
BILL ARCHER, Texas, Chairman
PHILIP M. CRANE, Illinois CHARLES B. RANGEL, New York
BILL THOMAS, California FORTNEY PETE STARK, California
E. CLAY SHAW, Jr., Florida ROBERT T. MATSUI, California
NANCY L. JOHNSON, Connecticut WILLIAM J. COYNE, Pennsylvania
AMO HOUGHTON, New York SANDER M. LEVIN, Michigan
WALLY HERGER, California BENJAMIN L. CARDIN, Maryland
JIM McCRERY, Louisiana JIM McDERMOTT, Washington
DAVE CAMP, Michigan GERALD D. KLECZKA, Wisconsin
JIM RAMSTAD, Minnesota JOHN LEWIS, Georgia
JIM NUSSLE, Iowa RICHARD E. NEAL, Massachusetts
SAM JOHNSON, Texas MICHAEL R. McNULTY, New York
JENNIFER DUNN, Washington WILLIAM J. JEFFERSON, Louisiana
MAC COLLINS, Georgia JOHN S. TANNER, Tennessee
ROB PORTMAN, Ohio XAVIER BECERRA, California
PHILIP S. ENGLISH, Pennsylvania KAREN L. THURMAN, Florida
WES WATKINS, Oklahoma LLOYD DOGGETT, Texas
J.D. HAYWORTH, Arizona
JERRY WELLER, Illinois
KENNY HULSHOF, Missouri
SCOTT McINNIS, Colorado
RON LEWIS, Kentucky
MARK FOLEY, Florida
A.L. Singleton, Chief of Staff
Janice Mays, Minority Chief Counsel
Pursuant to clause 2(e)(4) of Rule XI of the Rules of the House, public
hearing records of the Committee on Ways and Means are also published
in electronic form. The printed hearing record remains the official
version. Because electronic submissions are used to prepare both
printed and electronic versions of the hearing record, the process of
converting between various electronic formats may introduce
unintentional errors or omissions. Such occurrences are inherent in the
current publication process and should diminish as the process is
further refined.
C O N T E N T S
__________
Page
Advisories of announcing the hearing............................. 2
WITNESSES
Social Security Administration, Hon. Kenneth S. Apfel,
Commissioner of Social Security................................ 7
Financial Management Service, Richard L. Gregg, Commissioner..... 11
U.S. General Accounting Office, Joel C. Willemssen, Director,
Civil Agencies Information Systems, Accounting and Information
Management Division...........................................24, 84,
187
U.S. Department of the Treasury, Dennis S. Schindel, Assistant
Inspector General for Audit, Office of Inspector General....... 28
President's Council on Year 2000 Conversion, Hon. John A.
Koskinen, Chairman............................................. 55
U.S. Department of Health and Human Services, Hon. Olivia Golden,
Assistant Secretary for Children and Families.................. 69
Internal Revenue Service:
Hon. Charles O. Rossotti, Commissioner....................... 92
Paul Cosgrave, Chief Information Officer..................... 111
U.S. General Accounting Office, James R. White, Director, Tax
Policy and Administration Issues, General Government Division.. 101
Bureau of Alcohol, Tobacco, and Firearms:
John W. Magaw, Director...................................... 126
Patrick Schambach, Assistant Director, Science and
Technology, Chief Information Officer, and Year 2000 Senior
Executive.................................................. 128
U.S. Customs Service, S.W. Hall, Jr., Assistant Commissioner and
Chief Information Officer...................................... 134
U.S. Coast Guard, Rear Admiral George N. Naccara, Director,
Information and Technology..................................... 137
U.S. Department of the Treasury, Dennis S. Schindel, Assistant
Inspector General for Audit, Office of the Inspector General... 145
U.S. General Accounting Office, Randolph C. Hite, Associate
Director, Governmentwide and Defense Information Systems,
Accounting and Information Management Division................. 147
Health Care Financing Administration, Nancy-Ann Min DeParle,
Administrator.................................................. 153
______
American Bankers Association, and Zions First National Bank, A.
Scott Anderson................................................. 15
American Hospital Association, and BJC Health Systems, Fred Brown 164
American Medical Association, and National Patient Safety
Foundation, Donald J. Palmisano................................ 169
Blue Cross and Blue Shield Association, and Blue Cross and Blue
Shield Association of Florida, Curtis Lord..................... 177
H&R Block, Inc., Mark A. Ernst................................... 103
Joint Industry Group, James B. Clawson........................... 140
Medicare Rights Center, Diane Archer............................. 184
National Federation of Independent Business, William J. Dennis,
Jr............................................................. 106
National Governors' Association, Connecticut Department of Social
Services, and HCFA Systems Technical Advisory Groupon Y2K,
Julie Pollard.................................................. 80
SUBMISSIONS FOR THE RECORD
U.S. Department of State, Arms Control and Disarmament Agency,
and U.S. Information Agency, Jacquelyn L. Williams-Bridgers,
Inspector General, statement................................... 197
U.S. Department of Health and Human Services, Thomas D.
Roslewicz, Deputy Inspector General for Audit Services, Office
of Inspector, statement........................................ 200
______
White House Conference on Small Business, statement.............. 203
YEAR 2000 CONVERSION EFFORTS AND IMPLICATIONS FOR BENEFICIARIES AND
TAXPAYERS
----------
WEDNESDAY, FEBRUARY 24, 1999
House of Representatives,
Committee on Ways and Means,
Washington, DC.
The Committee met, pursuant to notice, at 9:06 a.m., in
room 1100, Longworth House Office Building, Hon. Bill Archer
(Chairman of the Committee) presiding.
[The advisories announcing the hearing follow:]
ADVISORY
FROM THE
COMMITTEE
ON WAYS
AND
MEANS
CONTACT: (202) 225-1721
FOR IMMEDIATE RELEASE
January 21, 1999
No. FC-3
Archer Announces Hearing on the Year 2000
Conversion Efforts and Implications for
Beneficiaries and Taxpayers
Congressman Bill Archer (R-TX), Chairman of the Committee on Ways
and Means, today announced that the Committee will hold a hearing on
the Year 2000 or ``Y2K'' computer conversion efforts, remaining
challenges, and implications for beneficiaries and taxpayers. The
hearing will take place on Wednesday, February 24, 1999, in the main
Committee hearing room, 1100 Longworth House Office Building, beginning
at 10:00 a.m.
In view of the limited time available to hear witnesses, oral
testimony at this hearing will be from invited witnesses only.
Witnesses will include officials of the President's Council on Year
2000 Conversion; the Health Care Financing Administration; the
Administration of Children and Families; the Social Security
Administration (SSA); the Internal Revenue Service (IRS); the Financial
Management Service (FMS); the U.S. Customs Service; and the Bureau of
Alcohol, Tobacco, and Firearms. Witnesses will also include private
sector organizations who represent program beneficiaries or taxpayers,
as well as the U.S. General Accounting Office (GAO) and various
Inspector Generals Offices. However, any individual or organization not
scheduled for an oral appearance may submit a written statement for
consideration by the Committee and for inclusion in the printed record
of the hearing.
BACKGROUND:
The United States, with almost half the world's computer capacity
and 60 percent of the world's Internet assets, is the most advanced,
and the most dependent, producer and user of information technologies.
Most computers, computer systems, and telecommunications networks in
use in the Federal Government are currently undergoing modifications so
that they will be able to continue to function properly in the year
2000 and beyond.
Most computers in use in the Federal Government have stored
information for each year in a two-digit format, which makes the year
2000 indistinguishable from the year 1900. Unless they are changed,
computer systems and telecommunications networks that are dependent on
this two-digit year format can malfunction and cause costly problems
for both commerce and government. Modifications have been underway for
some time. Federal agencies, for the most part, are currently testing
the renovated systems to make sure they will process transactions
properly and produce accurate information. The agencies are also
developing and testing contingency plans in the event of any failures.
Of particular concern for this hearing are the Federal programs
within the jurisdiction of the Committee on Ways and Means, including
those administered by the U.S. Departments of Treasury, and Health and
Human Services, plus SSA. Among the major programs affected are tax and
trade administration, Medicare, and Social Security. The computers
serving the programs within the Committee's jurisdiction affect more
than 260 million Americans. The revenue programs affect every
individual and business taxpayer, and the benefit programs impact the
health and well-being of millions. These Americans rely on the vital
services they receive and cannot afford to have them disrupted by
computer failures, nor can they afford to have the computers produce
erroneous penalty assessments or notices, or refund or benefit checks.
In response to Chairman Archer's request in the 105th Congress, the
Subcommittee on Oversight held two hearings and issued a report to the
Full Committee on August 19, 1998, on the implications of potential Y2K
problems on program beneficiaries and taxpayers (WMCP: 105-10). The
Subcommittee report concluded that, with the possible exception of SSA,
which was found to be in a good position, services to taxpayers and
beneficiaries may be disrupted or otherwise jeopardized by computer
systems or telecommunications networks failures unless certain actions
are taken by the Administration, Congress, and the private sector. The
report made several recommendations to preclude Y2K-related failures,
including comprehensive systems testing and contingency planning. Since
the report's issuance, the Subcommittee has continued to monitor the
agencies' Y2K progress, with the assistance of the GAO and Inspectors
General Offices, and has seen considerable progress in the agencies'
Y2K conversion efforts.
In announcing the hearing, Chairman Archer stated: ``With more than
260 million Americans relying on vital services, we cannot afford to
have disruptions because Y2K problems were not dealt with properly or
expeditiously. The stakes are too high. We must get the job done, and
done right.''
FOCUS OF THE HEARING:
The hearing will explore the current status of Y2K renovation
efforts, and the remaining challenges that agencies must overcome to
ensure continuation of vital services provided through programs within
the jurisdiction of the Committee on Ways and Means.
DETAILS FOR SUBMISSION OF WRITTEN COMMENTS:
Any person or organization wishing to submit a written statement
for the printed record of the hearing should submit six (6) single-
spaced copies of their statement, along with an IBM compatible 3.5-inch
diskette in WordPerfect 5.1 format, with their name, address, and
hearing date noted on a label, by the close of business, Wednesday,
March 10, 1999, to A.L. Singleton, Chief of Staff, Committee on Ways
and Means, U.S. House of Representatives, 1102 Longworth House Office
Building, Washington, D.C. 20515. If those filing written statements
wish to have their statements distributed to the press and interested
public at the hearing, they may deliver 200 additional copies for this
purpose to the Committee office, room 1102 Longworth House Office
Building, by close of business the day before the hearing.
FORMATTING REQUIREMENTS:
Each statement presented for printing to the Committee by a
witness, any written statement or exhibit submitted for the printed
record or any written comments in response to a request for written
comments must conform to the guidelines listed below. Any statement or
exhibit not in compliance with these guidelines will not be printed,
but will be maintained in the Committee files for review and use by the
Committee.
1. All statements and any accompanying exhibits for printing must
be submitted on an IBM compatible 3.5-diskette in WordPerfect 5.1
format, typed in single space and may not exceed a total of 10 pages
including attachments. Witnesses are advised that the Committee will
rely on electronic submissions for printing the official hearing
record.
2. Copies of whole documents submitted as exhibit material will not
be accepted for printing. Instead, exhibit material should be
referenced and quoted or paraphrased. All exhibit material not meeting
these specifications will be maintained in the Committee files for
review and use by the Committee.
3. A witness appearing at a public hearing, or submitting a
statement for the record of a public hearing, or submitting written
comments in response to a published request for comments by the
Committee, must include on his statement or submission a list of all
clients, persons, or organizations on whose behalf the witness appears.
4. A supplemental sheet must accompany each statement listing the
name, company address, telephone and fax numbers where the witness or
the designated representative may be reached. This supplemental sheet
will not be included in the printed record.
The above restrictions and limitations apply only to material being
submitted for printing. Statements and exhibits or supplementary
material submitted solely for distribution to the Members, the press,
and the public during the course of a public hearing may be submitted
in other forms.
Note: All Committee advisories and news releases are available on
the World Wide Web at ``HTTP://WWW.HOUSE.GOV/WAYS__MEANS/''.
The Committee seeks to make its facilities accessible to persons
with disabilities. If you are in need of special accommodations, please
call 202-225-1721 or 202-226-3411 TTD/TTY in advance of the event (four
business days notice is requested). Questions with regard to special
accommodation needs in general (including availability of Committee
materials in alternative formats) may be directed to the Committee as
noted above.
NOTICE--CHANGE IN TIME
ADVISORY
FROM THE
COMMITTEE
ON WAYS
AND
MEANS
CONTACT: (202) 225-1721
FOR IMMEDIATE RELEASE
January 28, 1999
No. FC-3-Revised
Time Change for Full Committee Hearing on
Wednesday, February 24, 1999,
on the Year 2000 Conversion Efforts and
Implications for Beneficiaries and Taxpayers
Congressman Bill Archer (R-TX), Chairman of the Committee on Ways
and Means, today announced that the full Committee hearing on the Year
2000 computer conversion efforts, remaining challenges, and
implications for beneficiaries and taxpayers, previously scheduled for
Wednesday, February 24, 1999, at 10:00 a.m., in the main Committee
hearing room, 1100 Longworth House Office Building, will begin instead
at 9:00 a.m.
All other details for the hearing remain the same. (See full
Committee press release No. FC-3, dated January 21, 1999.)
Chairman Archer. The Committee will come to order. Good
morning. Is January 1, 2000, going to trigger a global economic
recession as economist Edward Yardeni has predicted? Or is it
much ado about nothing? Are the survivalists right in preparing
for a major catastrophe? Or is the administration's John
Koskinen right that we should just prepare as we normally would
for a long holiday weekend?
We're here today for a public hearing on the year 2000
computer problem, commonly known as Y2K. I hope that we'll get
information to help us to answer these critical questions on
how to prepare for the new millennium.
Today's hearing will help us all better understand Y2K and
how it can impact our lives, and what we can do to protect our
own interests. We'll discuss Y2K implications for beneficiaries
and taxpayers if the problem is not fixed in time by Federal
agencies and those who are involved in the delivery of vital
program services.
After all, while Social Security authorizes retirement
benefits for the elderly, Treasury actually makes the payments.
The authorized payments are either delivered electronically
through the Federal Reserve and into beneficiaries' commercial
bank accounts or mailed through the Postal Service to
beneficiaries' residences. For the elderly to continue to get
their benefits in the year 2000 without disruption, the
computer systems for the Social Security Administration,
Treasury Department, Federal Reserve System, and commercial
banks must all be Y2K-compliant and compatible with each other.
With only 310 days to complete the renovation efforts, we
expect the agencies have already renovated their systems. We
want to understand how they are progressing in the testing of
the renovated systems. To do so may involve the actual trading
of data or processing of transactions with other organizations
like healthcare providers submission of Medicare claims to
Health Care Financing Administration intermediaries for
processing and payment.
Consequently, we are interested in what outreach efforts
have been made by the agencies and what initiative has been
taken by the trading partner to ensure Y2K compliance.
We also want to learn what the agencies are planning to do
to prevent disruptions to those processes in the event of Y2K-
related failures. The contingency plans should consider
alternatives for doing business in the event key systems
networks or infrastructures are not functioning or not
operating property.
With many agencies receiving an increasing amount of
information from beneficiaries, providers, taxpayers, or
importers electronically, each agency and its corresponding
data trading partner will need to have alternative ways to
transmit the data in the event of the Y2K-related failure. The
alternatives, like reverting to paper processing, need to be
properly planned. Resources need to be considered and fully
tested to be sure they will serve their intended purpose.
To ascertain how well the government is doing to prepare
for Y2K, we have with us today a host of experts. Many work for
the administration, many are nonpartisan authorities, and
several come from the private sector. The Administration has
received all the funding it has requested for Y2K. But I must
say, if necessary additional funding is required, it's up to
the agencies to inform the Congress so that we can adequately
provide those resources.
We will do so, where they are justifiably needed, but we
must be told. I look forward to learning how well our
government is doing in meeting this challenge. With so little
time remaining and so much at stake for 260 million Americans,
we must work together to rise to the Y2K challenge and make
sure that vital services are not disrupted.
Our first panel of witnesses today includes a gentleman who
is no stranger to us after yesterday, Mr. Kenneth Apfel,
Commissioner of the Social Security Administration; Hon.
Richard L. Gregg, Commissioner for Financial Management
Service; Scott Anderson, President and chief executive officer
of Zions National Bank, Salt Lake City; Joel Willemssen,
Director of Civil Agencies Information Systems, Accounting and
Information Management for the U.S. General Accounting Office;
Dennis Schindel, Assistant Inspector General for Audit, Office
of Inspector General, U.S. Department of the Treasury.
And if you would all please come to the witness table, we
will be pleased to get the information which you can give us
this morning.
Mr. Rangel. Mr. Chairman.
Chairman Archer. Yes, Mr. Rangel.
Mr. Rangel. I just know how easy it is not to recognize me,
but I just thought I would join in welcoming this panel and
to----
Chairman Archer. It's almost impossible not to recognize
you, Mr. Rangel.
Mr. Rangel. Well, you know----
Chairman Archer. We missed you yesterday.
Mr. Rangel. Yes, I was hoping you would. [Laughter.]
But I wanted to congratulate you for having the foresight
to have these type of hearings, especially in focusing on the
departments and agencies in which we have jurisdiction. I think
that through this type of leadership, with all of the
Committee, Chairmen and Ranking Members, together working with
the private sector that we might allay some of the fears that
we have in this country, indeed throughout the world.
I'm pleased that the Social Security Administration did
lead in correcting the Y2K problems which they would have had
in this area. And it's my understanding that some of the other
agencies that had initial problems, the Health Care Finance
Administration, have made dramatic progress since mid-1998. And
so I merely wanted to be recognized to compliment you on your
foresight, your vision, and your leadership.
Chairman Archer. Thank you. Thank you, Mr. Rangel. I would
add also that we have attempted to get representatives from all
of the various departments and agencies over which we have
jurisdiction before us today. I hope we have not missed any.
[The opening statement of Mr. Ramstad follows:]
Opening Statement of Hon. Jim Ramstad, a Representative in Congress
from the State of Minnesota
Mr. Chairman, thank you for convening this important
hearing on the Year 2000 (Y2K) Problem.
The possible malfunction of the government's computer
systems is a critical issue for all Americans. The magnitude of
this potential problem is illustrated by the number of
representatives we have here today. All of our constituents
have a vested interest in how the different aspects of their
government are working to avoid a potential disaster.
Some progress on solving the Year 2000 problem has been
made. But with only 310 days until January 1, 2000 it is up to
Congress to ensure that we are doing our part to help solve
this problem. We need to ensure that the people we represent
are not left without the health care and financial services
upon which they depend.
I am pleased that this hearing will allow us to examine
what the different agencies under our jurisdiction are doing to
be prepared for the year 2000 and how they are coordinating
their efforts with the organizations in the private sector with
which they work.
Again, Mr. Chairman, thank you for your own leadership in
looking into the Year 2000 computer problem by holding this
critical hearing.
Mr. Apfel, would you be good enough to lead off? We'll be
pleased to receive your testimony.
STATEMENT OF HON. KENNETH S. APFEL, COMMISSIONER OF SOCIAL
SECURITY
Mr. Apfel. Thank you, Mr. Chairman.
It's an honor to be back before this Committee, just 15
hours after leaving from my testimony yesterday, and to start
off where I finished up last night.
Mr. Chairman, Social Security will be there in 2055. Social
Security will be there in 2033. Social Security will be there
in 2013. And the Social Security benefit payment will be there
in January of the year 2000.
Chairman Archer. That is good to hear. [Laughter.]
Mr. Apfel. Thank you, Mr. Chairman.
My agency recognized early on the potential effects of the
year 2000 problem and the critical importance of ensuring that
our operations are unaffected. The Social Security
Administration relies on a vast computer network to keep track
of earnings for the 145 million workers, to pay monthly
benefits to more than 50 million individuals, and to process 6
million new benefit applications each year.
Because so many Americans depend on our systems operations,
we began to take remedial action on the year 2000 problem as
soon as we recognized it. For the past several years, we've had
some of our top people at work on this issue.
I should point out Dean Mesterharm, 10 years ago,
recognized this. He's now our Deputy Commissioner for Systems.
Kathy Adams, Dean's Deputy, sitting behind me, has been heavily
involved with the endeavors over the years, and has done a
remarkable job.
The magnitude of the task that we face cannot be
overstated. We had to review systems supported by more than 35
millionlines of in-house computer code as well as vendor
products. We had to coordinate all of our efforts with other
Federal and State agencies, and with third-party organizations.
But the work has borne results. Today, SSA's benefit system
is 100 percent year 2000 compliant. Of course, ensuring
delivery of benefit payments in January 2000 and beyond also
means that our agency has had to work closely with our
partners, who help produce and deliver benefit payments: the
Treasury Department, the Federal Reserve, and the U.S. Postal
Service.
And since last October, all Social Security and SSI
payments have been made through year 2000 compliant systems at
both SSA and the Treasury Department. The Federal Reserve is
testing payment operations with banking institutions throughout
the country, and Social Security transactions have been
included in the materials tested.
We have also made strong progress in making non-benefit
payment systems Y2K compliant. For example, all 50 State
Disability Determination Service systems operations, which
support the DDS process, are now Y2K compliant.
More than 99 percent of our data exchanges have been made
Y2K compliant. We've begun testing our facilities
infrastructure for Y2K compliance.
Let me now turn briefly to the issues of Y2K contingency
planning in our program of ongoing monitoring for continued
systems compliance. Our business continuity and contingency
plan addresses a wide range of eventualities. If a benefit-
payment-system problem should occur in January 2000, SSA field
offices would provide emergency payment services to
beneficiaries with critical needs. And the Treasury Department
will issue a replacement check.
It is also important to note that every one of the 1,300
field offices across the country, as well as each State DDS
unit, has its own contingency plan for continued business
operations, if there are any service disruptions.
The agency's contingency plan also addresses such needs as
telecommunications, building operations, and human resources.
This plan conforms with the GAO guidelines and, in fact, has
been used as the model by both other Government agencies and
private-sector organizations.
I would like to cite one other key element of this plan,
which we call our day-one strategy. It goes into effect during
the rollover weekend of December 31 through January 3 and
provides a timeline for tracking critical benefit-related
events and ensures that key staff will be available throughout
the rollover period.
Now that all of our mission-critical systems are year-2000
compliant, we have taken steps to make sure that we do nothing
to introduce possible date defects into these systems. Since we
must continue to modify these systems to accommodate
regulations, recent legislation, and other required changes,
such as the COLA announcement and the actual COLA increase, we
have set up an ongoing recertification process.
In addition, as a further safeguard, a moratorium for
discretionary changes to our software will be put in place in
September 1999. And that moratorium will remain in effect
through March 2000.
In conclusion, let me say that I'm proud of the fact that
my agency has been at the forefront of Government and private-
sector organizations addressing year-2000 issues. I'm confident
our systems are ready for this new challenge of the new
millennium.
When our offices open on January 3, 2000, we will be
prepared to provide full service to the American public with
the accuracy and reliability that they have come to expect from
the Social Security Administration.
Thank you, Mr. Chairman.
[The prepared statement follows:]
Statement of Hon. Kenneth S. Apfel, Commissioner of Social Security
Mr. Chairman and Members of the Committee: Thank you for
inviting me to be here today to discuss the Social Security
Administration's (SSA) Year 2000 conversion efforts and the
implications for beneficiaries and taxpayers. SSA recognized
very early the potential effect on beneficiaries and workers
created by the Year 2000 problem. I am pleased to be here today
to report on our progress and plans for the future.
Impact on SSA Operations
SSA relies on a vast computer network to keep track of
earnings for 145 million workers, take six million applications
for benefits a year, and pay monthly benefits to over 50
million beneficiaries. Because so many people depend on SSA's
systems, we began to work on the Year 2000 problem as soon as
it was identified in 1989. The magnitude of this project cannot
be overstated: we had to review systems supported by more than
35 million lines of in-house computer code, as well as vendor
products, while coordinating efforts with State and Federal
agencies and third parties.
SSA's ability to provide world class service to
beneficiaries, workers and their families depend on a complex
infrastructure that is crucial to our ongoing operations.
Power, data, and voice telecommunications, along with the
Agency's computer operations hardware and software, are
essential to ensuring that SSA's business processes are able to
continue uninterrupted. Our automated systems are the means by
which SSA is able to provide service on demand to the public.
SSA has five core business processes through which we
maintain the accuracy of beneficiary records and process and
adjudicate claims:
1. Enumeration, the process through which SSA assigns
Social Security numbers;
2. Earnings, the process which establishes and maintains a
record of an individual's earnings;
3. Claims, the process comprising actions taken by SSA to
determine an individual's eligibility for benefits;
4. Postentitlement, the process involving actions that SSA
takes after an individual becomes entitled to benefits; and
5. Informing the Public, the process by which we
disseminate information about the programs we administer.
I am confident that our systems will function on and after
the Year 2000 to ensure that our core business processes
proceed smoothly and without disruption as we move into the
21st century. When we open our offices for business on January
3, 2000, we expect to be prepared to provide our full
complement of services to the American public with the accuracy
and reliability that they have come to expect from SSA.
January 2000 Benefit Payments
We are happy to report that our benefit payment system is
100 percent Year 2000 compliant. SSA has worked very closely
with the Treasury Department, Federal Reserve and the Post
Office to ensure that Social Security and Supplemental Security
Income checks and direct deposit payments for January 2000 will
be paid on time. Since October 1998, payments for both Social
Security and Supplemental Security Income programs have been
made with Year 2000 compliant systems at both SSA and Treasury.
SSA is working closely with the Treasury Department and the
Federal Reserve to identify any Year 2000 problem that might
affect direct deposit payments. If a problem should occur in
January 2000, the Treasury Department will quickly issue a
replacement check after recertification by SSA, and SSA offices
will provide emergency payment services to beneficiaries with
critical needs.
I do not consider Social Security's job to be done until
timely and correct benefits are in the hands of all of our
beneficiaries.
Status of SSA's Year 2000 Implementation Efforts
I would like to discuss the status of SSA's progress in our
Year 2000 implementation efforts.
All of our mission critical systems have been made Year
2000 compliant. These are the systems that support the core
business processes I described earlier.
Because they are so vital to our disability claims process,
SSA is overseeing and managing the effort of assuring Year 2000
compliance of State Disability Determination Service (DDS)
systems. Fifty State DDSs have automated systems to support the
disability determination process. As of January 31, 1999, all
50 DDS automated systems are Year 2000 compliant and are being
used to process disability claims.
We recognize that it is not enough for our agency to be
Year 2000 compliant if all our trading partners are not ready.
Therefore SSA has worked with all of our trading partners, and
I am pleased to say that 99 percent of our data exchanges are
Year 2000 complaint. We are working with our partners to test
the remaining 1 percent and get them implemented as quickly as
possible.
SSA has inventoried all of our telecommunications systems
and we have a plan and schedule for all fixes and upgrades.
Numerous acquisitions have been made that will result in the
installation of telecommunications software and hardware
upgrades. SSA is also working with the General Services
Administration (GSA) in this effort, particularly with regard
to testing vendor fixes. SSA's goal is to have all
telecommunications compliant by the end of March 1999.
SSA continues to work with GSA in addressing the Year 2000
problem in the areas of our facilities infrastructure. We have
inventoried our building systems and testing contracts have
been awarded. Testing has commenced in some buildings, with all
sites progressing as scheduled.
Our independent verification and validation contractor,
Lockheed Martin, completed a comprehensive review of SSA's Year
2000 program and submitted their finding in October 1998. Their
report covered all aspects of Year 2000 preparedness activities
and found our Year 2000 methodology to be sound and feasible.
Focus of Activities in 1999
Now that all of our mission critical systems are Year 2000
compliant, we have taken steps to make sure we do nothing to
introduce possible date defects into these systems. Since we
must continue to modify these systems to accommodate
regulations, recent legislation, and other required changes, we
have instituted a re-certification process that uses a
commercial computer software tool. In addition we have
instituted a moratorium beginning in July 1999 on the
installation of commercial off-the-shelf software and mainframe
products. A similar moratorium is in place for discretionary
changes to our software beginning in September 1999. The
moratoriums will remain in effect through March 2000.
Business Continuity and Contingency Plan
Obviously, we all hope that there will be no need for
backup or contingency plans. However, SSA recognizes that our
systems are dependent on infrastructure services, such as the
power grid of the telecommunications industry and third
parties, which are beyond our control. Therefore, SSA has
developed a Business Continuity and Contingency Plan. The plan
was first issued March 31, 1998 and it is updated quarterly.
The plan is consistent with Government Accounting Office
guidelines and is being used as a model by other agencies and
private sector organizations.
The plan identifies potential risks to business processes,
ways to mitigate each risk and strategies for ensuring
continuity of operations if systems fail to operate as
intended. The SSA Business Continuity and Contingency Plan
addresses all core processes, including disability claims
processing functions supported by the DDSs.
As part of our Business Continuity and Contingency Plan, we
have in place local plans for each of our field offices,
teleservice centers, and processing centers, hearing offices
and state DDSs. We have also developed contingency plans for
benefit payment and delivery, building operations, human
resources, and communications. Our benefit payment and delivery
plan was developed in conjunction with the Treasury Department
and the Federal Reserve.
Conclusion
I would like to conclude by repeating that SSA was at the
forefront of Government and private organizations in addressing
Year 2000 issues. We are proud of our long-standing reputation
as a leader when it comes to providing customer service, and we
are confident that we will be prepared to continue that
tradition when the new millennium arrives.
I will be happy to answer any questions you may have.
Chairman Archer. Thank you, Mr. Apfel, and thank you, also,
for precisely complying with the 5-minute time suggestion. And
I would alert all other witnesses that we hope you can get your
verbal comments to us within 5 minutes and your entire printed
statement, without objection, will be inserted in the record.
And any Member of the Committee who wished to insert a written
statement into the record, without objection, may do so.
Our next witness is Mr. Richard Gregg, Commissioner of
Financial Management Service. Mr. Gregg.
STATEMENT OF RICHARD L. GREGG, COMMISSIONER, FINANCIAL
MANAGEMENT SERVICE
Mr. Gregg. Thank you, Mr. Chairman, Representative Rangel,
Members of the Committee. Thank you for the opportunity to
appear today to discuss the Financial Management Services year
2000 program.
FMS makes payments to well over 100 million Americans each
year. We provide facilities and systems for the collection of
taxes and other receipts, and provides governmentwide
accounting and reporting and debt-collection services for the
entire Federal Government.
To provide these services, FMS depends on automated
systems. And like most Federal agencies, FMS faces the
challenges of adapting its systems to account for the date
change to the year 2000. Correcting this problem has been and
will continue to be our highest priority.
FMS has made significant progress in addressing the year-
2000 problem. The systems that issue over 740-million
Government payments, 86 percent of FMS's total payments, are
year-2000 ready. The system that collected $1.1 trillion in
Federal revenues in Fiscal 1998, is also Y2K ready. And
compliance of all remaining FMS critical systems is on schedule
for completion by or before March 1999.
I want to assure you that FMS will continue to perform its
critical functions in making payments and collecting revenues
for the government on January 1, in 2000 and thereafter.
I'd like to now provide a brief update of the current
status of our largest and most critical systems. The vast
majority of payments made by FMS are Old-Age and Survivors
benefits and Supplemental Security Income payments issued on
behalf of Social Security. These payments account for over 600-
million payments annually, which comprise 70 percent of FMS's
payment volume. Our average monthly payment volume is 42-
million SSA payments and 6.5-million SSI payments, with a total
value of approximately $30 billion.
Since October 1998, SSA and SSI payments have been issued
through year-2000 compliant systems.
The FMS systems used to issue 27 million annual EFT
payments on behalf of VA, for Veterans Compensation and
Pension, and 10 million annual payments on behalf of the
Railroad Retirement Board were implemented in December 1998.
And the systems that issue the remaining 13 million VA payments
will be implemented in or before March 1999.
IRS payments account for over 10 percent of FMS's overall
payment volume, with approximately 90 million tax-refund
payments each year. Implementation of these systems was
completed in July 1998 and all tax-refund payments since that
time have been issued through Y2K-ready systems.
The FMS systems used to issue 50 million annual EFT Federal
agency salary and travel and vendor payments began
implementation in January with customers serviced by our Kansas
City Regional Finance Center. These same systems are now being
implemented for customers serviced by our four other payment
centers.
And finally, the system that issues 28 million annual OPM
annuity payments is finishing validation and certification
testing and is scheduled for implementation in March.
The systems that I've just mentioned comprise 97 percent of
FMS's payment volume.
With respect to collections, FMS manages the processing of
more than $2 trillion in Federal revenues, which include
corporate and individual income taxes, customs duties, and
Federal fines. The Electronic Federal Tax Payment System,
(EFTPS), through which FMS collected $1.1 trillion, or 56
percent of the government's total collections, and 67 percent
of total tax collections, was determined to be compliant in
December.
The IRS Lockbox, General Lockbox, Plastic Card and other
collection systems that account for the remaining 44 percent in
Federal Government revenue are targeted for implementation in
March 1999.
And FMS debt-collection systems, including the Treasury
Offset Program, through which Federal payments to delinquent
debtors are offset, are now Y2K compliant.
With regard to government-wide accounting, FMS maintains
the central accounting and reporting systems that track the
Government's monetary assets and liabilities. Both the STAR
central accounting system and the Government On-Line Accounting
Link System, GOALS, which serves as the automated
telecommunication link for all Federal program agencies to
report their accounting and financial transactions for
processing into the STAR Central Accounting System, will be
Y2K-ready in March 1999. In fact, 13 of the 16 critical GOALS
subsystems are now Y2K-compliant.
The information with regard to the Inspector General's
report was provided in my formal statement, so I won't go over
that at this time.
I would like to just briefly mention our contingency
planning, which was also discussed by the Inspector General.
FMS has successfully completed contingency plans for all FMS
critical systems and non-mission critical systems. Of the
contingency plans for FMS internally operated systems, 87
percent are final, meaning that they have been revised and
approved after review by an outside contractor. The remaining
plans are under review by the contractor to assure that they
are comprehensive and address all pertinent risks.
FMS has set its priorities and is integrating system
contingency plans with business priorities to make sure the
most critical business functions will continue uninterrupted if
problems occur. On top of the list are key systems such as
Social Security, Supplemental Security and Veterans Affairs
payment systems.
Specific risks have been identified and strategies
developed to mitigate those risks. For example, we are
configuring our systems so payments can be processed in more
than one computer center. This will enable FMS to rotate the
workload should any Y2K disruptions occur in one area of the
country or in one computer center.
In addition, an emergency power generator has been
installed to support our largest computer center in case of
power outages, and system redundancy has been built into the
nationwide network so that alternative routing can be used if
there are data-communication problems. We are also working very
closely with the Federal Reserve to develop integrated business
resumption plans and risk mitigation strategies.
In conclusion, FMS considers preparation for the year 2000
as our absolute highest priority, ensuring that we are able to
perform our mission in the year 2000. We will assign whatever
resources are needed to ensure we do not fail to accomplish
necessary Y2K changes to our computer systems.
Thank you for the opportunity to appear this morning.
[The prepared statement follows:]
Statement of Richard L. Gregg, Commissioner, Financial Management
Service
Chairman Archer, Representative Rangel and members of the
Committee, thank you for the opportunity to appear today to
discuss the Financial Management Service's (FMS) Year 2000
(Y2K) program.
FMS provides payment, collection, government-wide
accounting and reporting, and debt collection services to most
federal agencies, to individuals who receive money from the
government, and to every individual who pays a bill owed to the
government. Our services benefit federal agencies, government
policymakers, and the taxpayers by promoting efficient
financial management practices and facilitating the timeliness
and accuracy of payment and collection processes. Additionally,
our services allow the Treasury to administer prudent financial
management policies, and facilitate centralized management and
oversight of delinquent federal non-tax debt collection
efforts.
To provide these services, FMS depends on automated
systems. Like most federal agencies, FMS faces the challenge of
adapting its systems to account for the date change to the Year
2000. Correcting this problem has been and will continue to be
our highest priority.
In 1997, FMS began working to make its systems Y2K
compliant, completing a full assessment and prioritizing work
according to the magnitude of impact on the public,
particularly payment recipients. These systems progressed from
renovation, in which the code changes are made, through the
validation phase, in which renovated systems with Y2K code
modifications are tested, into full implementation, in which
the renovated and validated systems are put into production.
Following implementation, the systems are certified Y2K
compliant. For our highest priority internal systems, such as
Social Security Administration and Veterans benefit payments,
certification occurs only after an independent contractor
verifies Y2K compliance by analyzing all test results to ensure
that validation testing was successful and comprehensive. If
re-testing is necessary, the contractor will provide specific
guidance on the necessary steps to correct identified problems
and achieve successful validation testing and certification.
Post implementation reviews will be conducted throughout this
year to further ensure compliance. For our external collection
systems, the financial and fiscal agents are self-certifying
based on the Federal Financial Institutions Examination
Council's guidance.
FMS has made significant progress in addressing the Year
2000 problem. The systems that issue more than 740 million
government payments, 86 percent of FMS' total payment volume,
are Year 2000 ready. The system that collected $1.1 trillion in
federal revenue in FY 1998 is also Y2K ready. Compliance of all
remaining FMS critical systems is on schedule for completion by
or before March 1999, and FMS will continue to perform its
critical functions in making payments and collecting revenues
for the federal government on January 1, 2000, and after.
I'd like to now provide a brief update on the current
status of our largest and most critical systems. The vast
majority of payments made by FMS are Old Age and Survivor
Benefits and Supplemental Security Income payments issued on
behalf of SSA. These payments account for more than 600 million
payments annually, which comprise 70 percent of FMS' payment
volume. Our average monthly payment volume is over 42 million
(30 million EFT) SSA payments and 6.5 million (3 million EFT)
SSI payments with a total value of approximately $30 billion.
Since October 1998, SSA and SSI payments have been issued
through Year 2000 compliant systems.
The FMS systems used to issue 27 million annual EFT
payments on behalf of the VA for Veterans' compensation and
pension, and 10 million annual payments on behalf of the RRB
were implemented Y2K compliant in December 1998. The systems
that issue the remaining 13 million VA payments will be
implemented Y2K compliant in or before March 1999. IRS payments
account for over 10 percent of FMS' overall payment volume,
with approximately 90 million tax refund payments made each
year. Y2K implementation of these systems was completed in July
1998, and all tax refund payments since that time have been
issued through the Y2K compliant system.
The FMS systems used to issue nearly 50 million annual EFT
Federal Agency salary, travel, and vendor payments began
implementation in January with customers serviced by our Kansas
City Regional Finance Center. These same systems are now being
implemented for customers serviced by our other four payment
centers. And, finally, the system that issues more than 28
million annual OPM annuity payments is finishing validation and
certification testing and is scheduled for implementation in
March 1999. The seven systems that I have just described
comprise 97 percent of FMS' payment volume.
With respect to collections, FMS manages the processing of
more than $2.0 trillion in federal revenues, which include
corporate and individual income taxes, customs duties, and
federal fines. The Electronic Federal Tax Payment System
(EFTPS) through which FMS collected $1.1 trillion or 56 percent
of the government's total collections and 67 percent of total
tax collections was determined to be compliant in December. The
IRS Lockbox, General Lockbox, Plastic Card and other collection
systems that account for the remaining 44 percent in federal
government revenue are targeted for implementation in or before
March 1999. FMS debt collection systems, including the Treasury
Offset Program through which federal payments to delinquent
debtors are offset, are also now Y2K compliant.
With regard to government-wide accounting, FMS maintains
the central accounting and reporting systems that track the
government's monetary assets and liabilities. Both the STAR
central accounting system and the Government On-Line Accounting
Link System (GOALS), which serves as the automated
telecommunications connection for all federal program agencies
to report their accounting and financial transactions for
processing into the STAR Central Accounting System, will be Y2K
ready by March 1999. In fact, 13 of the 16 critical GOALS
subsystems are already Y2K compliant.
I would now like to address the issues raised by Treasury's
Inspector General based on their audit work from May to
September 1998. Their report has recommended steps to reduce
risk and, in all cases, we are implementing those
recommendations. We have strengthened project management;
improved testing and data exchange strategies; and put
increased emphasis on the development and testing of
comprehensive contingency and continuity of operations plans.
With regard to their recommendations on compiling more
extensive supporting documentation, we believe this is critical
and this work will be completed this spring. I believe,
however, that it is important to keep the Y2K issue in
perspective. Our overriding concern is making sure that federal
benefit payments go out uninterrupted. Sometimes making a
critical business decision to ensure system readiness means
postponing work in other areas such as documentation. This is
not to say we find fault with the Inspector General's
recommendation. I'm just underscoring the need to balance
planning and documentation with system readiness. It's also
important to note that the work associated with the Treasury
Inspector General's report occurred in late spring and summer
1998 and does not reflect the progress FMS has made during the
past five months in ensuring its systems are Y2K compliant.
For example, several initiatives are underway to ensure
that all data exchanges between FMS and our trading partners
will occur smoothly on January 1, 2000, and beyond. We are
finalizing memoranda of understanding (MOU) with federal
program agencies to clearly identify all interfacing systems
and to indicate which ones are retaining existing formats and
which ones are changing formats. For our largest partners such
as VA and SSA, we have already agreed to these formats either
through MOUs or face-to-face meetings. We are also stepping up
our efforts to ensure good communication with our customers. As
part of this effort, FMS sponsored a meeting on December 8,
1998, which brought together more than 100 key officials from
more than 40 federal agencies to exchange information about
testing and compliance issues. We will sponsor another, similar
session this spring. In addition, we are continuing to send
information to our trading partners on file formats, testing
and system status. FMS sent letters in December 1997 and August
1998 to all federal program agencies interfacing with GOALS to
indicate that formats were not changing and to identify
agencies interested in joint testing of that system. In
addition, our Regional Finance Centers sent letters to their
customers last summer indicating that FMS is not changing
agency input formats for salary, vendor and miscellaneous
payments. We are now following up to determine which agencies
are interested in specific interface testing and when they
anticipate being ready.
FMS has also successfully completed contingency plans for
all mission critical systems (43 internal; 15 external; 4
retired) and non-mission critical systems (17 internal, 1
external). Of the contingency plans for FMS internally operated
systems, 87 percent are final--meaning that they have been
revised and approved after review by an outside contractor. The
remaining plans are under review by the contractor to ensure
they are comprehensive and address all pertinent risks. FMS has
set its priorities and is integrating system contingency plans
with business priorities to make sure the most critical
business functions will continue uninterrupted if problems
occur. On top of the list are key systems such as the Social
Security, Supplemental Security and Veterans Affairs payment
systems. Specific risks have been identified and strategies
developed to mitigate those risks. For example, we are
configuring our systems so payments can be processed in more
than one computer center. This will enable FMS to rotate the
workload should any Y2K disruptions occur in one area of the
country, or in one computer center. In addition, an emergency
power generator has been installed to support our largest
computer center in case of power outages and system redundancy
has been built into the nationwide network so that alternative
routing can be used if there are data communications problems.
We are also working closely with the Federal Reserve to develop
integrated business resumption plans and risk mitigation
strategies.
FMS considers preparation for the Year 2000 as our absolute
highest priority, ensuring our ability to maintain current
operations. We will assign whatever resources are needed to
ensure we do not fail to accomplish these changes to our
computer systems. Thank you for the opportunity to discuss FMS'
plans to complete the work necessary to enable us to meet the
year 2000 challenge. I would be happy to answer any questions
you may have regarding this issue.
Chairman Archer. Thank you, Mr. Gregg. Our next witness is
Mr. Anderson, chief executive officer of Zions National Bank,
Salt Lake City. And I believe you are representing the American
Bankers Association. Is that correct?
Mr. Anderson. I am, Mr. Chairman.
Chairman Archer. All right. Welcome, Mr. Anderson, you may
proceed.
STATEMENT OF A. SCOTT ANDERSON, PRESIDENT AND CHIEF EXECUTIVE
OFFICER, ZIONS FIRST NATIONAL BANK, SALT LAKE CITY, UTAH, AND
MEMBER, COMMUNICATIONS COUNCIL, AMERICAN BANKERS ASSOCIATION
Mr. Anderson. Thank you. Mr. Chairman and Members of the
Committee, I'm pleased to be here today to discuss how the
banking industry is addressing the Y2K problem. We believe we
are on track to meet the many challenges we face.
For my bank, Y2K is the single, most critical issue that we
have. And this has been communicated to everyone in our
organization, from the tellers to senior management, from our
board of directors to shareholders. Nothing at our bank has
higher priority, is receiving greater scrutiny or more
resources than this important project.
Bankers realized early on though that Y2K is not just a
technology issue. Equally important are the business and
communication challenges that go along with it. My industry has
spent billions of dollars and thousands of man hours to make
sure that our systems will work and that our customers will be
properly cared for.
At Zions Bank we have two distinct groups working on the
Y2K problem. The first is our in-house computer experts, who
have completed renovation and are now testing systems,
interfaces and end-to-end processes. The other group is
businessmanagers who are involved with business-resumption
planning, resource allocation, assignment of employee
resources, and contingency plans.
One of our greatest challenges is identifying and then
addressing all the vendors, suppliers and other businesses that
touch us from the outside on a daily basis. Ongoing
communication and monitoring of these partners is critical to
the success of our Y2K effort.
At Zions, we have an extensive Y2K contingency plan. I
brought a copy of the plan for our overall organization. Each
of our 200 units have similar plans that look at each detail,
that if there is a glitch, what would we do so that we could
continue to provide service to our customers. These documents
cover such things as immediate responses, command control
centers, backup facilities, information centers, and detailed
business recovery and resumption plans. We even cover how we
will feed our employees.
No one, including me, will be on vacation from Christmas
through January 15, 2000. Hopefully, no one will be needed, but
everyone will be on-call.
As you know, Mr. Chairman, the banking industry is highly
regulated, and bank supervisors have been conducting onsite
examinations in every bank and at all key vendors providing
data and services to the banking industry. The results of these
examinations are very positive. Ninety-seven percent of the
banking industry received the highest grade. Only 17
institutions out of over 10,000 received unsatisfactory
ratings. Outside vendors ranked high as well.
Being prepared, though, is more than just a banking issue.
Success depends on all sectors of the economy, including
energy, telecommunications, transportation, and utilities,
pulling together to keep the fabric of our community and our
economy strong and trustworthy.
Bankers have reached out to these other industries and to
our customers to ensure that we will all come through this
project and this challenge together, intact, and successful.
The banking industry is confident that it can deliver on
time. But the biggest unknown to us and the greatest fear that
we have is the public perception and reaction throughout the
rest of the year.
The problems created by adverse public reaction or panic
could be far worse than actual problems. All of us must join
forces to stabilize public opinion and manage expectations.
In focus groups that the ABA has conducted, we found some
very interesting things. For example, many consumers didn't
know that the Federal regulators were examining banks. This was
good news to them. It was good news to them that the Federal
Reserve is printing billions of extra dollars. It was also good
news to them that bank deposits are insured for $100,000 by the
FDIC.
We must be aggressive to dispense these facts, and to
dispel fiction. We are concerned, for example, that some groups
are advising consumers to withdraw large amounts of cash just
to be safe. In fact, it was reported on one news show that a
couple took out $20,000 from their bank and buried it in the
backyard, only to have it stolen 2 days later.
The safe side? Hardly.
We use this as an example to our senior citizens to help
them make good decisions. The fact is, the safest place for
your money is in the bank. These checks that we have are Y2K-
compliant. They can be used anywhere. This credit card, with an
expiration date of 2001, is Y2K compliant. It can be used
anywhere.
The ABA has produced a variety of videos, newsletters,
manuals, seminars, and, at Zions, we recently created and had a
seminar, which I've given you a transcript of, where we had
Senator Bennett come and speak with some representatives from
the legal and accounting industries to get out the word
concerning what people need to do to be prepared for the Y2K
issue.
In closing, Mr. Chairman, let me say that Congress,
government, and the regulators have a special role to play
disseminating accurate information. Last year's bill helped to
encourage information sharing, but must and needs to be done.
We urge Congress to enact broader Y2K liability laws, and we
pledge to work with toward that goal.
Last year, Zions Bank celebrated its 125th year of
servicing the people of Utah and the intermountain West. One
hundred years ago, we were making plans for a new century, and
we're doing that again today. And we are sure that we will be
successful.
Thank you.
[The prepared statement follows:]
Statement of A. Scott Anderson, President and Chief Executive Officer,
Zions First National Bank, Salt Lake City, Utah, and Member,
Communications Council, American Bankers Association
Mr. Chairman, I am Scott Anderson, President and CEO of
Zions First National Bank, Salt Lake City, Utah, and a member
of the Communications Council of the American Bankers
Association (ABA). The ABA brings together all categories of
banking institutions to best represent the interests of this
rapidly changing industry. Its membership--which includes
community, regional and money center banks and holding
companies, as well as savings associations, trust companies and
savings banks--makes ABA the largest banking trade association
in the country.
I am pleased to be here today to discuss what the banking
industry is doing to address the Year 2000 computer problem
(Y2K). These hearings are very important because information
about the Y2K problem--and what the government and industry are
doing to meet this challenge--is critical to maintaining
confidence in our economy.
Y2K is really two problems. The first is technology--making
sure that software and hardware systems will work on January 1,
2000 and beyond. The second is communication--making sure the
public is knowledgeable about the problem and what is being
done to solve it. Even if the technical problems are fully
resolved, people need to know about it. If nothing is said, the
information void will surely be filled with misleading and
provocative stories that will create undue anxiety, and lead to
bad decisions. The problems created by adverse public reaction
or panic could be far worse than the actual problem. The news
media, government, private industry, bankers, and all other
stakeholders must join forces to stabilize the public opinion,
and manage expectations.
The banking industry is working hard at solving both
aspects of the Y2K problem. Since 1995, the banking industry
has devoted millions of man-hours and billions of dollars to
addressing Y2K. The banking industry is well into the testing
period for all critical systems, working closely the Federal
Reserve and other federal bank regulators. Our progress is
right on track. The ABA and individual banks have also done a
tremendous amount of work to keep our customers informed about
our progress. We believe this communications effort is right on
track, too.
At Zions Bank, Y2K has been identified as the single most
critical project to be completed this year. Its criticality has
been communicated through Senior Management, right down to
every employee and business manager. Nothing at our bank has
higher priority or greater scrutiny than this important
project.
At Zions Bank our efforts have been very successful to this
point. We are confident in our ability to successfully deliver
this project on time. Many of the processing systems have been
replaced in the past five years with up-to-date Y2K compliant
systems. Most of our core processing systems are supplied by
outside vendors and have been remediated by them for Y2K
compliance. Each business unity of Zions Bank has a Y2K
operational plan specific to their unit, and each has prepared
a business resumption plan to cover any contingencies that
might arise. We also have detailed plans for both internal and
external communications to keep bank personnel, customers, and
the media informed about what we are doing before, during and
after January 2000.
The banking industry is unique in that it has extensive
levels of federal and state regulation and examination. We have
worked closely with bank regulators to address all aspects of
the Y2K issue. The results of the Y2K compliance examinations
have been very positive. We believe it would be very helpful
for the bank regulators to discuss publicly the industry's
readiness for Y2K.
There are three key messages that I would like to leave
with the Committee today:
The banking industry is on track meeting critical
deadlines;
Educating our customers and the public generally
is vital; and
The safest place for customers' money is in the
bank.
Mr. Chairman, before turning to these points, I want to
take a moment to focus on why these issues are so important to
the banking industry. We take our role in the economy and in
each community we serve very seriously. Our business is built
on the trust established with our customers over many decades.
Maintaining that trust is no small matter to us. When customers
put money in my bank, I want them to feel that their funds are
secure, accessible when they need them, and financial
transactions will be completed as expected. It is, therefore,
no surprise that we in the banking industry believe much is at
stake in addressing the Y2K problem.
On a larger scale, our national economy relies on a
smoothly functioning payment system. It's something we all take
for granted today because our payment system is so efficient,
accurate and easy to use. Assuring this high level of
performance requires the collective efforts of many
participants: banks, thrifts, brokerage firms, regional
clearinghouses, and the Federal Reserve.
Careful planning, correcting and testing is crucial to
minimize any disruptions from the century date change. But we
must be realistic: it is inevitable that some glitches will
occur. Contingency planning, therefore, must be an integral
part of the process. In the case of the banking industry, our
contingency plans are examined by the bank regulators. We
intend to be as prepared as is possible for any eventuality.
Preparedness, however, goes well beyond the banking and
financial sector. The tightly woven fabric of our economy means
that businesses, households and government must work together.
Success depends upon the efforts of all sectors of the economy,
including energy, telecommunications, transportation, public
utilities, retail services, etc. Bankers have reached out to
other industries, as well as our customers, to ensure that we
all come through this challenge intact and together.
I. Technology: The Banking Industry is on Track Meeting Critical
Deadlines
Many banks began their Y2K risk assessment efforts as early
as 1995. The cost of assessing, correcting, testing and
contingency planning will easily exceed $9 billion. The goal of
this massive commitment of effort and resources is to provide a
smooth transition of banking and financial services into the
21st century with minimal disruptions.
The Y2K strategy involves awareness, assessment,
renovation, validation and implementation. Key components of
these broad strategic areas include the assessing of business
risks, conducting due diligence on service providers and
software vendors, analyzing the impact on customers, and
assuring customer awareness of progress in addressing Y2K
concerns.
Zions Bank has two distinct groups attacking the Y2K
problem. The first is our in-house staff of computer experts
who have completed renovation, and are now testing systems,
interfaces, and end-to-end processes. The other group is
business managers and owners that are actively managing the
business side of the issue. This includes such issues as vendor
management, business resumption planning, resource allocation,
assignment of employee resources, and contingency plans.
One of the greatest challenges to business managers is
identifying and then addressing the vast number of outside
touch-points to a business unit. These include vendors,
suppliers, service providers, and a host of other businesses
that touch us from outside on a daily basis. Ongoing
communication and monitoring of these partners is critical to
the success of the Y2K effort.
Regulatory Oversight
The banking industry is unique in that it is a highly
regulated industry at both the state and federal level. Since
1997, the banking industry has worked with the regulators in
assessing the extent of the Y2K problem and developing a 3-
phase plan of attack.\1\ During phase one, completed June 30,
1998, federal bank supervisors conducted on-site examinations
of every depository institution and rated them on their
remediation plans and written testing strategies. Regulators
also conducted on-site examinations of firms providing data
processing and system services.
---------------------------------------------------------------------------
\1\ The Federal Reserve, the Office of the Comptroller of the
Currency (which regulates national banks), the Federal Deposit
Insurance Corporation, the Office of Thrift Supervision, and the
National Credit Union Administration work jointly on key regulatory and
supervisory issues through what is known as the Federal Financial
Institutions Examination Council, or FFIEC. Through this cooperative
regulatory effort, the FFIEC has played an important role in promoting
Y2K education and communication among bankers and service providers.
For example, representatives of the banking industry trade groups meet
on a quarterly basis in Washington with staff members from the various
Y2K teams of the FFIEC member agencies. These informative meetings are
a chance to discuss ongoing efforts, upcoming programs and
publications, and to exchange news on Y2K developments in general.
Similarly, several of the Federal Reserve staff members responsible for
publishing the Century Date Change Bulletin conduct periodic conference
calls with representatives of financial industry trade groups, to
exchange information about educational programs and progress being made
by the banking industry. The banking agencies are also offering
countless regional seminars on Y2K issues, as provided for in the
``Examination Parity and Year 2000 Readiness for Financial Institutions
Act.'' We are extremely pleased at these joint efforts and the agencies
should be commended for their work in this area.
---------------------------------------------------------------------------
During phase two, supervisors are examining banks for how
well the testing of critical systems is progressing and on
contingency plan development. This is critical as it measures
the success of the remediation efforts. For banks with their
own internal systems, testing was to be completed by the end of
last year. By March 31, 1999, banks relying on outside service
providers should have testing completed. All institutions
should also have initiated external testing with customers,
other banks and payment system providers.
The results of on-site, phase one and phase two
examinations show that the banking industry is right on track
meeting its goals. As of December 31, 1998, 97 percent of the
industry held the highest rating and only 17 institutions--out
of more than 10,000 banks and thrifts--received unsatisfactory
ratings. These poorly rated institutions are being closely
monitored by the regulatory agencies.
Phase three includes final testing of internal and third-
party systems and testing with the Federal Reserve and clearing
systems participants. Phase three will run from April 1 through
December 31, 1999, with a critical deadline of June 30 for
completion of testing validation and implementation of
remediated systems. After June 30, institutions will continue
to monitor and update contingency plans as may be required by
external developments, and monitor customer and counterparty
risk. Agency examiners will continue to check on bank testing
implementation and contingency plans, and, where needed, with
continued on-site reviews.
Testing with the Federal Reserve and clearing system
participants is very important. Starting last summer, the Fed
established dedicated times for banks to test the operability
of systems for Y2K compliance. Systems tested included Federal
Funds Transfer, Fed Automated Clearinghouse (ACH) transactions,
checks and all other payment systems. Additional testing
opportunities are being made available through 1999. As part of
this procedure, banks will test, among other systems, direct
deposit services--including payroll, Social Security electronic
payments, Medicare payments, and other electronic payments--and
tax information reporting systems.
Further, we are informed, the Federal Reserve has been
testing directly over the last several months with the Social
Security Administration.
Credit card systems have already been tested for Y2K
compliance and adjustments to software and hardware have been
made. Many cards in use today have expiration dates in the year
2000 or beyond. Systems needed to be ready to recognize these
cards as valid when they were issued last year. I am happy to
report that the transition was made so smoothly and with so few
problems that the public was largely unaware that any changes
had been made.
Contingency Planning
While we believe our systems will be ready for the century
date change, we nonetheless are actively developing Y2K
contingency plans. One reason contingency planning is so
important is because banks rely on a whole host of outside
service providers, which are undertaking their own Y2K
remediation over which we have little control. For example,
utility companies provide electricity for banking offices,
branches and ATM machines; telecommunications facilitates
customer inquiries of financial records and verifies
transactions at ATM machines and at point-of-sale terminals
(for credit cards and debit cards) in retail establishments.
And banks rely on armored cars to deliver cash to bank branches
and ATMs, and other transportation services to deliver checks
for clearing at large banks or through the Federal Reserve. We
are asking questions of these providers and testing
compatibility of remediated systems.
At Zions we have developed an extensive contingency plan
that sets up a framework to handle Y2K problems, involving data
services, every business unit, and an emergency management team
that would oversee the entire process. This document--which
required over 250 pages to fully detail--covers immediate
response, command control centers, back-up facilities,
information centers, and detailed business recovery and
resumption plans. We've even thought about how we will feed our
employees who work overtime to handle any problems. The very
minute after midnight of January 1, 2000, we will have already
begun to validate that all applications, software, hardware,
systems and infrastructure are operating as expected. No one,
including me, will be taking time off time between December 26,
1999 and January 15, 2000. Hopefully, no one will be needed,
but everyone is on call.
Having plans to deal with unexpected events is nothing new
for the banking industry. Every bank has business recovery
plans in the event of natural disasters such as hurricanes,
earthquakes, tornadoes, floods and fires. When those occasions
arise, the bank is typically the first business in the
community to be back up and running. There are many examples of
this:
The two-dozen banks in the Grand Forks, North
Dakota area got their banks up and running in April 1997 within
days of the worst flooding by the Red River in this century.
Banks reopened in trailers, truck stops and grocery stores to
keep the cash flowing.
In Des Moines in 1993, one bank avoided
disruptions by moving most of its 750 employees to temporary
offices after rising waters flooded out four of its mortgage
operations' downtown buildings. And as a levee threatened to
burst down-river in Kansas City, Missouri, one bank CEO rented
a tractor trailer and with his 23 employees, trucked vital bank
records and equipment to higher ground.
After Hurricane Andrew roared through south
Florida, bankers hauled in portable generators, transferred
employees from other parts of the state and quickly made
available several billion dollars in storm-related emergency
loans.
Banks recovered quickly after the World Trade
Center bombing in New York, too. Despite heavy smoke, employees
at one bank's international operations remained at their
computers processing payments to corporations around the globe.
Within hours the bank shifted its processing to a remote
disaster-recovery location where, over the weekend, employees
worked around the clock to complete the processing.
Most banks reopened within a day or two of the
powerful 1994 Los Angeles/Northridge earthquake. One bank's
credit-card processing facility near the epicenter suffered
structural damage, so the bank moved to vacant offices
downtown, leased busses to transport some 520 employees to the
new location and provided child-care subsidies to offset the
longer work day.
When fire swept through the 62-story First
Interstate headquarters building in Los Angeles in 1988, key
bank employees quickly implemented the bank's new $1.5 million
disaster plan in an underground command center seven blocks
away. The CEO said later that the only customers affected by
the huge fire were those who banked in the headquarters' first-
floor branch.
A detailed disaster plan made it possible for bank
customers to continue to get cash and make deposits after a $75
million Thanksgiving fire in 1982 hit the Minneapolis
headquarters of what is today Norwest Bank. Two days later a
Norwest ad read: ``It takes more than a five-alarm fire to slow
us down.''
ABA has published its own guidance for banks to follow as
they proceed through the contingency planning process, ABA
Millennium Readiness Series, Year 2000 Contingency Planning
Program Management.
II. Beyond Technology: Maintaining Consumer Confidence
The steps banks are taking now are intended to make sure
our systems will work when the calendar changes. Perhaps the
bigger challenge is maintaining public confidence. We believe
that Congress has a critical role to play, as do bankers, in
keeping consumers informed about what is being done and what
they can do to prepare for the century date change. People want
and need to know that their money will be safe, their records
secure and their banks open to serve them next January.
Consumer education is vital. Recent focus group research by
ABA indicates that consumers, while concerned about Y2K, are
not overly alarmed by the prospect of the calendar change.
However, we know there will be tremendous speculation between
now and January 1 about what will work and what will not work.
Many consumers we met with did not know that the federal
financial regulators are examining every bank multiple times to
test compliance on the full range of systems, software, backup
and other contingency plans. The fact that bank regulators are
watching over banks' Y2K efforts is good news to consumers. The
fact that the Federal Reserve is printing tens of billions of
extra dollars and is working to expedite cash delivery to banks
from the current three days to same-day delivery is also good
news to consumers. And the fact that deposits are federally-
insured up to $100,000 and backed up by the full faith and
credit of the federal government is good news as well.
One unique factor affecting the Y2K issue that is different
than other historical events, is the advent and widespread
usage of the Internet as an information medium. News reported
on the Internet surrounding the Y2K issue ranges from sensible
advice and preparation, to absolute propaganda. One problem
with the proliferation of the Internet is the inability of many
consumers to separate fact from fantasy. Many people have not
realized that not everything printed on the Internet is true.
There is much irrational, irrelevant and misleading information
being circulated regarding this issue. Therefore, there must be
an equally aggressive effort to dispense facts and dispel
fiction.
This raises another critical point. Several well-
intentioned organizations are advising consumers to withdraw
extra cash ``just to be on the safe side.'' In fact, it is
anything but the safe side. People need to think twice about
how much money they want to be carrying around with them and
keeping in their house. Personal safety is each individual's
responsibility. Exploiting the year change will tempt many
people, from champagne vendors to petty thieves, who are well
aware that people will be withdrawing extra money. There has
already been one publicized report of $20,000 withdrawn from a
bank in preparation for Y2K, buried in the backyard--and
stolen. The safe side? Not at all.
At Zions Bank, this story disturbed us tremendously. We
thought that this would be a good example to reach out to our
customers to help them make good decisions. I've attached to
this testimony a copy of the letter we are sending to Zions
customers.
The message is simple: The safest place for customers'
money is in the bank. It is much harder to steal, and it is
FDIC-insured. The consumers we spoke to in our focus groups
were concerned about the accuracy of their bank records and
getting access to their cash. In terms of accuracy, customers
get statements of their accounts monthly. Banks reconcile their
books daily and have extensive backup records to preserve the
financial data. In addition, banks will be taking extra
precautions with manual reports and backups during the calendar
change. At Zions, in addition to regular monthly statements, we
will provide to any of our customers, year-end cut-off
statements for them to use as a point of reconciliation should
it be necessary.
How much cash will people need? Probably about as much as
they would need on any other holiday weekend. Personal checks
are Y2K-compliant and will work anywhere--in the bank and at a
wide range of retailers and service providers, both in- and
out-of-state. If people are still concerned about their cash
needs, they can put a little extra money in their checking
account--their FDIC-insured checking account. Would you want to
be carrying around a lot of extra cash? Would you want your
elderly relatives to be carrying around a lot of extra cash? I
know I do not.
There are steps consumers can take to prepare for the
change:
Read the information their bank sends them about
Y2K. Call the bank if they have any questions at all. Trust,
but verify, in other words.
Hold onto bank statements, bank receipts, canceled
checks and other financial records, especially for the months
leading up to January 1.
For customers that bank on-line, make sure home
computers are Y2K-ready. Check with computer and software
manufacturers for details on how to do this.
Copy important financial records kept on home
computers to a back-up disk.
Do not give money to anyone who promises to ``keep
it safe'' through the date change.
Withdraw only as much cash as would be typical for
any other holiday weekend.
For our industry's part, ABA is communicating with bankers,
consumers and the media. We have produced three informational
videos for banks to use with their customers--one designed for
retail customers, a second for a bank's tellers and other
front-line personnel, and a third for small business customers.
We send a monthly fax newsletter to banks, which contains
updates, helpful tips and shares ideas that have worked for
other banks. We have provided ads, a Y2K customer
communications kit to help bankers reach out to their
customers, telephone seminars on a wide range of aspects of the
Y2K challenge, a Y2K Project Management Manual and a Y2K
Contingency Plan Manual. The latest piece in this continuing
series is a Y2K Instruction Booklet containing tips to help
banks comply, communicate and cope. ABA's web site--ABA.com--
provides our members with other Y2K resources and information.
In December, ABA ran a full-page ad in USA Today and beamed
a video news release via satellite to more than 700 television
stations around the country to reach out directly to consumers.
The news release included part of an interview with John
Koskinen, chairman of the President's Council on Year 2000
Conversion, who has said the banking industry is ``ahead of the
curve'' in Y2K preparedness.
ABA has also been holding media briefings jointly in
Washington with the other financial trade groups, and around
the country in collaboration with the state bankers
associations. We are also doing special media tours, making
bankers available to discuss Y2K issues on TV and radio.
Customer communication is a must for every bank in the
country. After all, every customer wants to know about their
particular bank. No one knows how consumers will behave leading
up to January 1, and we will continue to conduct research to
track their behavior and their level of concern. One thing is
sure: they need information, sound advice and reassurance--from
their bank, the banking industry, the federal banking
regulators, and the U.S. Congress.
III. More Can Be Done: Legislative Initiatives Needed
Congress, government and regulators have a special role to
play in disseminating accurate information and creating an
environment for open discussion. The bill enacted last
Congress--Year 2000 Disclosure Act--was a first and extremely
important step in this direction. It helped set a tone for
talking openly and honestly about the problem by encouraging
information sharing. Further, it ensures that disclosure of
Y2K-related technical information will not become the subject
of lawsuits.
Congress can make a difference this year as well. In
particular, we urge Congress to consider broader Y2K liability
issues, such as disruption liability, punitive damages, class
actions, and litigation reduction. The cost of doing nothing
may be considerable. As I noted above, the industry has already
spent billions of dollars on Y2K remediation efforts. Industry
consultants further project that $2 million could be spent on
litigation for every $1 million spent on system remediation.
The ABA, working with a multi-sector coalition, has
identified several desirable legislative reforms that would
help address these concerns.
Limit Y2K litigation to actual damages, and place
limits on consequential or punitive damages, unless parties
have agreed otherwise by written contract.
Provide for a ``reasonable efforts'' defense for
parties that meet a good faith or due diligence standard.
Require federal preemption for all Y2K legal and
equitable claims, unless parties have agreed otherwise by
written contract.
Abolish joint and several liability and create a
federal comparative negligence rule to apportion liability
among multiple parties.
Discourage and channel class action lawsuits
through minimum claim requirements, notice procedures, and
creating federal diversity jurisdiction.
There are additional provisions being considered which
would: encourage the use of alternative dispute resolution to
resolve Y2K disputes without resorting to litigation; require a
``cure period'' prior to commencing legal action, allowing
parties time to remedy Y2K disruptions; require mitigation of
damages by claimants; and place limits on attorneys' fees.
We would be happy to work with Congress to pass legislation
in this important area.
Conclusion
Mr. Chairman, the banking industry has every reason to be
working diligently in meeting the Y2K challenge, and is doing
so with a wide ranging response that sets an example for other
industries to follow. Financial institutions across the U.S.
are executing Y2K project plans that are vast in scope,
complexity and scale. The banking industry is taking the
century date change very seriously, with the goal of achieving
Y2K readiness clearly in sight. But the banking industry alone
cannot deliver ``business as usual'' in January 2000. There
must be parallel commitments by all other sectors of the
economy so that they can become equally prepared. We encourage
Congress to continue its oversight of the broad range of
business and government sectors that together are essential to
producing Y2K readiness in the American economy.
[``Countdown to 2000: Preparing Your Business for Y2K''
will be retained in the official Committee records.]
Zions First National Bank
Salt Lake City, Utah, Month DD, 1999
(Personalized Name and Address)
Re: Year 2000 Readiness Disclosure
Dear (Personalized Name):
Recently, the morning news of NBC-TV's Cleveland affiliate
reported that a couple took $20,000 out of their bank and
buried it. Apparently, they feared that the upcoming change in
the Year 2000 (``Y2K'') would mean their money wasn't going to
be safe, and that they wouldn't be able to access it if they
needed it. In a matter of only a few days, they discovered it
missing from where it had been buried. The couple was quoted as
saying, ``Next time, we are going to keep our money in the
bank.''
News reports about the Y2K challenge have made some people
nervous; a few have considered taking or have already taken
irrational actions, like burying their money or stuffing it in
a mattress. Undoubtedly, some of these will pay dearly for not
trusting their bank.
Zions Bank has been serving the financial needs of our
clients for over 125 years, since our founding by Brigham Young
in 1873. Because of our conservative policies, we have been a
strong, consistent financial resource to the people of Utah and
Idaho--through all kinds of adversity. Zions Bank has been
preparing for the Year 2000 for some time, now, as described in
the enclosed brochure. We have upgraded our computer hardware
and software, and our testing of the changes has been very
satisfactory, thus far. We plan to continue such testing
throughout 1999, to ensure that our systems satisfactorily meet
our needs.
Zions Bank will be prepared for the change to Year 2000.
Your money in Zions Bank will be safe throughout the Y2K
transition, and you will be able to access it conveniently and
in a variety of ways, as you have always done before. We are
also working closely with our regulatory agencies and the
American Bankers Association as they strive to ensure that
direct deposit of social security and other federal recurring
payments will not be disrupted.
As a valued Zions Bank client, please know that we are
making every effort to minimize--or even eliminate--
interruptions to our service due to Y2K problems. We value your
relationship. And we don't want you to be victimized like the
couple who buried their money. We hope you will continue to
rely on the bank you can trust.
Sincerely,
A. Scott Anderson.
Chairman Archer. Thank you, Mr. Anderson. Our next witness
is Mr. Joel Willemssen, representing the GAO. Mr. Willemssen,
welcome and we'll be pleased to receive your testimony.
STATEMENT OF JOEL C. WILLEMSSEN, DIRECTOR, CIVIL AGENCIES
INFORMATION SYSTEMS, ACCOUNTING AND
INFORMATION MANAGEMENT DIVISION, U.S. GENERAL ACCOUNTING OFFICE
Mr. Willemssen. Thank you, Mr. Chairman. Thank you,
Members. Thank you for inviting us to testify today on SSA's
year 2000 program. As requested, I'll briefly summarize our
statement and in doing so address some of the prior issues that
we pointed out at SSA in our report that we issued on their
year 2000 program, discuss what kind of actions they have taken
in response to our recommendations, and then where SSA stands
today.
Our earlier report on SSA's Y2K program noted that the
agency had made significant progress in assessing and
renovating mission-critical mainframe software that enables it
to provide benefits to the public. SSA first recognized the Y2K
challenge 10 years ago and was therefore able to respond early.
With their knowledge and experience, SSA is recognized as a
Federal leader on Y2K.
While SSA deserved credit for its leadership, we had
previously identified three key risk areas within their Y2K
program. One concerned the compliance of systems for State
Disability Determination Services. Second was the need to focus
on the compliance of SSA's data exchanges with other
organizations. Third was the need for SSA to develop business
continuity and contingency plans that would be available in the
event of system failures.
SSA agreed with our recommendations in these areas, and
agency efforts to implement them have either been taken or are
under way. For example, SSA has enhanced its monitoring and
oversight of State disability systems by establishing a full-
time project team, designating project managers and
coordinators and requesting biweekly status reports.
SSA reported in its most recent Y2K quarterly report that
all automated State systems have now been renovated, tested,
implemented, and certified Y2K compliant as of January 31.
In the date exchange area, SSA is reporting as of January
31, 98 percent of its external exchanges have now been made
compliant.
Turning to contingency planning, SSA's made major progress.
In addition to developing an overall framework for business
continuity, the agency is now in the process of developing
local contingency plans. SSA is scheduled to complete the
development of all of its contingency plans by April 30 and to
complete testing of these plans by June 30.
As the Commissioner pointed out, SSA is also to be
commended for adopting a detailed day-one strategy that will
lay out its procedures for the period between late December and
early January, 2000. SSA also plans to minimize changes to its
systems that have been certified as year-2000 compliant by not
allowing other discretionary changes to be made.
Overall, we've seen significant progress in SSA's efforts
to become Y2K compliant. Several of SSA's actions constitute
best practices that could and should be adopted governmentwide.
At the same time, SSA cannot let up with its Y2K efforts.
It must ensure that all of its data exchanges are made
compliant and tested, it must complete the development and
testing of contingency plans, and in those cases where it needs
to modify already-compliant software, it will need to retest
and recertify those changes.
That concludes the summary of my statement. And after the
panel is done, I'll be pleased to address any questions you may
have.
[The prepared statement follows:]
Statement of Joel C. Willemssen, Director, Civil Agencies Information
Systems, Accounting and Information Management Division, U.S. General
Accounting Office
Mr. Chairman and Members of the Committee: We appreciate
the opportunity to join in today's hearing and share updated
information on the readiness of computer systems that support
key benefits programs to function reliably in the next century.
As you know, successful Year 2000--or Y2K--conversion is
critical if programs such as Social Security are to provide
accurate services and benefits without interruption. Millions
of Americans rely on such monthly payments.
In a previous report and testimony, we described the
efforts that the Social Security Administration (SSA) was
making to ensure that its information systems are Year 2000
compliant.\1\ This morning I would like to briefly summarize
our findings and recommendations from that report, describe
actions taken on those recommendations, and provide our
perspective on where SSA stands today.
---------------------------------------------------------------------------
\1\ Social Security Administration: Significant Progress Made in
Year 2000 Effort, But Key Risks Remain (GAO/AIMD-98-6, October 22,
1997) and Year 2000 Computing Crisis: Continuing Risks of Disruption to
Social Security, Medicare, and Treasury Programs (GAO/T-AIMD-98-161,
May 7, 1998).
---------------------------------------------------------------------------
Significant Early Progress Made, But Three Key Areas of Risk Identified
in SSA's Year 2000 Program
Our previous report and testimony noted that SSA had made
significant early progress in its efforts to become Year 2000
compliant. SSA first recognized the potential impact of the
Year 2000 problem in 1989 and, in so doing, was able to launch
an early response to this challenge. SSA initiated early
awareness activities and made significant progress in assessing
and renovating mission-critical mainframe software that enables
it to provide Social Security benefits and other assistance to
the public. Because of the knowledge and experience gained
through its Year 2000 efforts, SSA is now a recognized federal
leader in addressing this issue. Among other responsibilities,
SSA's Assistant Deputy Commissioner for Systems chairs the
Chief Information Officers Council's Committee on the Year 2000
and works with other federal agencies to address Year 2000
issues across government.
While SSA deserves credit for its leadership, our earlier
report and testimony pointed out that three key areas of risk
nonetheless threatened to disrupt its ability to deliver
benefits payments. One major risk concerned Year 2000
compliance of mission-critical systems used by the 54 state
Disability Determination Services (DDS) that provide vital
support to SSA in administering its disability programs.
Specifically, SSA had not included these DDS systems in its
initial assessment of systems that it considered a priority for
correction. Without a complete agencywide assessment that
included the DDS systems, SSA could not fully evaluate the
extent of its Year 2000 problem, or the level of effort that
would be required to correct it.
A second major risk in SSA's Year 2000 program concerned
the compliance of its data exchanges with outside sources, such
as other federal agencies, state agencies, and private
businesses. In addressing the Year 2000 problem, agencies need
assurance that data received from other organizations are
accurate. Even if an agency has made its own systems Year 2000
compliant, the data in those systems can still be contaminated
by incorrect data entering from external sources. SSA has
thousands of data exchanges with other organizations, including
the Department of the Treasury, the Internal Revenue Service,
and the states. For example, each month SSA relies on its data
exchange with Treasury's Financial Management Service (FMS) to
process and disburse 50 million benefits payments totaling
approximately $31 billion. Other exchanges may involve data
reported on individuals' tax-withholding forms or pertaining to
state wages and unemployment compensation. Unless SSA is able
to ensure that data received are Year 2000 compliant, program
benefits and eligibility computations that are derived from the
data provided through these exchanges may be compromised and
SSA's databases corrupted.
Third, the risks to SSA's Year 2000 program were compounded
by the lack of contingency plans to ensure business continuity
in the event of systems failure. Business continuity and
contingency plans are essential. Without such plans, agencies
will not have well-defined responses and may not have enough
time to develop and test alternatives when unpredicted failures
occur. Federal agencies depend on data provided by their
business partners as well as on services provided by the public
infrastructure. One weak link anywhere in the chain of critical
dependencies can cause major disruptions to business
operations. Given these interdependencies, it is imperative
that contingency plans be developed for all critical core
business processes and supporting systems, regardless of
whether these systems are owned by the agency. At the time of
our October 1997 review, SSA officials acknowledged the
importance of contingency planning, but had not developed
specific plans to address how the agency would continue to
support its core business processes if its Year 2000 conversion
activities experienced unforeseen disruptions.
We recommended that SSA take several specific actions to
mitigate the risks to its Year 2000 program. These included (1)
strengthening the monitoring and oversight of state DDS Year
2000 activities, (2) expeditiously completing the assessment of
mission-critical systems at DDS offices and using those results
to establish specific plans of action, (3) discussing the
status of DDS Year 2000 activities in SSA's quarterly reports
to the Office of Management and Budget (OMB), (4) quickly
completing SSA's Year 2000 compliance coordination with all
data exchange partners, and (5) developing specific contingency
plans that articulate clear strategies for ensuring the
continuity of core business functions.
Actions Being Taken to Mitigate Year 2000 Risks
At the request of this Committee's Subcommittee on Social
Security and the Senate Special Committee on Aging, we are
currently monitoring SSA's implementation of our
recommendations and additional actions it is taking to achieve
Year 2000 compliance. SSA agreed with all of our earlier
recommendations, and efforts to implement them have either been
taken or are underway. Testing of systems to ensure Year 2000
compliance is vital, and we are continuing to evaluate the
effectiveness of the agency's efforts in this area.
SSA has enhanced its monitoring and oversight of state DDSs
by establishing a full-time DDS project team, designating
project managers and coordinators, and requesting biweekly
status reports. The agency also obtained from each DDS a plan
identifying the specific milestones, resources, and schedules
for completing Year 2000 conversion tasks. Further, in
accordance with our recommendation, SSA in November 1997 began
including information on the status of DDS Year 2000 compliance
activities in its quarterly reports to OMB. SSA reported in its
most recent quarterly report (February 1999) that all automated
DDS systems had been renovated, tested, implemented, and
certified Year 2000 compliant as of January 31, 1999.
In another critical area, data exchanges, SSA has
identified its external exchanges and has coordinated with all
its partners about the schedule and format for making them Year
2000 compliant. As of January 31, 1999, SSA reported that 98
percent of all of its external data exchanges had been made
compliant and implemented, and that it was either in the
process of testing those exchanges that remained noncompliant
or was waiting for its partners to make the exchanges
compliant.
Among SSA's most critical data exchanges are those with FMS
and the Federal Reserve for the disbursement of Title II (Old
Age, Survivors and Disability Insurance program) and Title XVI
(Supplemental Security Income program) benefits checks and
direct deposit payments. SSA began working with FMS in March
1998 to ensure the compliance of these exchanges, and recently
reported that the joint testing of check payment files and the
end-to-end testing from SSA, through FMS and the Federal
Reserve for direct deposit payments, had been successfully
completed. Further, SSA stated that it began generating and
issuing Title II and Title XVI benefits payments using the Year
2000 compliant software at SSA and FMS in October 1998.
Turning to contingency planning, SSA has instituted a
number of key elements, in accordance with our business
continuity and contingency planning guidance.\2\ It initially
developed an overall framework for business continuity that
presented an effective high-level strategy for mitigating risks
associated with the Year 2000. For example, the plan identified
SSA's core business functions that must be supported if Year
2000 conversion activities experience unforeseen disruptions;
potential risks to business processes and ways to mitigate
those risks; and milestones, target dates, and responsible
components for developing local contingency plans and
procedures for SSA's operating components.
---------------------------------------------------------------------------
\2\ Year 2000 Computing Crisis: Business Continuity and Contingency
Planning (GAO/AIMD-10.1.19, March 1998 [exposure draft], August 1998
[final]).
---------------------------------------------------------------------------
SSA is now in the process of developing local contingency
plans to support its core business operations. It has also
received contingency plans for all state DDSs. Among the plans
that SSA reports as being completed at this time is the
Benefits Payment Delivery Year 2000 Contingency Plan, developed
in conjunction with Treasury and the Federal Reserve to ensure
the continuation of operations supporting Title II and Title
XVI benefits payments. SSA is scheduled to complete the
development of all of its contingency plans by April 30, 1999,
and to complete the testing of all plans by June 30 of this
year.
As noted in our guide, another key element of a business
continuity and contingency plan is the development of a zero-
day or day-one risk reduction strategy, and procedures for the
period between late December 1999 and early January 2000. SSA
has developed such a strategy. Among the features of this
strategy is a moratorium on software changes, except for those
mandated by law. SSA plans to minimize changes to its systems
that have been certified as Year 2000 compliant by not allowing
discretionary changes to be made. The moratorium will be in
effect for commercial-off-the-shelf and mainframe products
between July 1, 1999, and March 31, 2000, and for programmatic
applications between September 1, 1999, and March 31, 2000.
Such a Year 2000 change management policy will significantly
reduce the chance that errors will be introduced into systems
that are already compliant.
Other aspects of SSA's day-one strategy are the
implementation of (1) an integrated control center, whose
purposes include the internal dissemination of critical data
and problem management, and (2) a timeline that details the
hours in which certain events will occur (such as when
workloads will be placed in the queue and backup generators
started) during the late December and early January rollover
period.
SSA is also planning to address the personnel issue with
respect to the rollover. For example, it plans to obtain a
commitment from key staff to be available during the rollover
period and establish a Year 2000 leave policy. Such a strategy,
developed well in advance of the turn of the century, should
help SSA manage the risks associated with the actual rollover
and better position it to address disruptions if they occur.
SSA Well-Positioned for the Year 2000, But Some Work Remains
Overall, we have seen significant continuing progress in
SSA's efforts to become Year 2000 compliant. The agency
reported that, as of January 31, 1999, it had completed the
renovation of all mission-critical systems so targeted, and
implemented them in production. The actions that SSA has taken
to mitigate risk to its Year 2000 program have demonstrated a
sense of urgency and commitment to achieving readiness for the
change of century, and will no doubt better position SSA to
meet the challenge. Moreover, several of SSA's actions-- such
as its implementation of a day-one strategy--constitute a best
practice that we believe should be followed governmentwide.
It is important to note, however, that SSA still needs to
effectively complete certain critical tasks to better ensure
the success of its efforts. For example, SSA must ensure that
all of its data exchanges are made compliant and tested. It
must also complete the development and testing of contingency
plans supporting its core business processes. In addition,
where the agency may be required to modify compliant software
in accordance with legislative mandates, these modifications
will have to be retested and recertified. Our ongoing review of
SSA's Year 2000 actions shows that the agency has established
deadlines for completing its remaining tasks, and is actively
monitoring its progress.
Mr. Chairman, that concludes my statement. I would be
pleased to respond to any questions that you or other members
of the Committee may have at this time.
Chairman Archer. Thank you, Mr. Willemssen. Our last
witness in this panel is Mr. Dennis Schindel. ``Schindel'' or
``Schin-dell?''
Mr. Schindel. ``Schin-dell.''
Chairman Archer. Who is with the Office of the Inspector
General for the Department of the Treasury. We are pleased to
have you with us today, and you may proceed.
STATEMENT OF DENNIS S. SCHINDEL, ASSISTANT INSPECTOR GENERAL
FOR AUDIT, OFFICE OF INSPECTOR GENERAL, U.S. DEPARTMENT OF THE
TREASURY
Mr. Schindel. Thank you, Mr. Chairman, Representative
Rangel, and Members of the Committee. I'm pleased to appear
before you today to discuss the Office of Inspector General's
oversight of the Department of Treasury's efforts to address
the year-2000 problem.
In the interest of time, I'll briefly summarize the results
of our work at Treasury and then discuss more specifically the
results of our work at the Financial Management Service.
We have been actively engaged in reviewing Treasury's Y2K
efforts. We performed work at the department and at each
Treasury bureau except the IRS and the U.S. Customs Service.
With regard to those two bureaus, we were able to leverage our
resources with the General Accounting Office and with the
former IRS Inspection Service, now the Treasury Inspector
General for Tax Administration.
GAO performed work at Customs, and GAO and the IRS
Inspection Service reviewed IRS' Y2K efforts.
The nature of the Y2K problem is such that I don't think
that anyone can really say for certain that they will be ready
on January 1, 2000. Our work, however, showed that the Treasury
Department has done a credible job managing this massive
effort.
Treasury has applied significant resources and top-level
management attention to the effort and has reduced the risk
that a significant Y2K failure will occur within a critical
Treasury operation. Out of a total of 321 mission-critical
systems, Treasury has reported that as of December 31, 1998,
266 are Y2K compliant. While progress is good, there is
certainly a lot more work to be done. End-to-end testing,
systemwide testing, and regression testing must be performed to
ensure system readiness.
In addition, business continuity and contingency plans must
be prepared, re-evaluated, and tested. Treasury has a good
infrastructure in place for managing these remaining tasks,
which should help ensure that they are successfully completed.
Now let me address our work at FMS. In performing work at
FMS, we focused, as we did at the other Treasury bureaus, on
the broader issue of how well the overall Y2K conversion effort
was being managed. We knew that with a project of this
magnitude, one could apply all the personnel, equipment, and
expertise that was needed, and still not be successful if it
was not well managed. Our experience in working with the
bureaus in the early stages of implementing the Chief Financial
Officers Act taught us that the most successful bureaus were
the ones that first obtained strong commitment from the top and
then obtained buy-in and participation from all program
managers in all parts of the organization.
The specific areas that we focused on in our work at FMS
were project management, system conversion and certification,
data exchange, and contingency plans for business continuity.
Before I describe the results of our work at FMS, it should be
noted that FMS has taken action to address all of our findings
and recommendations. In addition, they have started and/or
completed a number of their own initiatives to strengthen their
Y2K conversion process.
As a result, FMS's management of their conversion effort,
their progress in getting systems implemented, tested, and
certified, and their contingency planning efforts are much
improved from when we conducted our audit work.
That audit work showed that FMS had a project-management
infrastructure, a certified Y2K platform, reasonable guidance,
a commitment from the Commissioner, and an inventory of
mission-critical systems in place to address its Y2K conversion
tasks. However, some parts of FMS's management process needed
to be strengthened, and certain key parts of the Y2K conversion
process needed to be better executed.
For example, the chief information officer had overall
responsibility for FMS's Y2K effort through the establishment
of the Y2K special projects office. However, we found that
summarized project information flowing into the special
projects office and ultimately to the department and OMB was
not always accurate, reliable, and consistently gathered. This
made it more difficult for the special projects office to
effectively manage the FMS-wide effort.
FMS has informed us that the completeness and accuracy of
project information has now been improved since we conducted
our audit work.
We also found that for one of FMS's external systems, that
is, systems that are developed and maintained by an outside
contractor, FMS needed to improve their ability to assess Y2K
compliance. The system that we specifically looked at was the
Government Online Accounting Link System, GOALS, which is
entirely operated and maintained by a contractor at a
contractor's facility.
FMS has significantly limited the amount of test
documentation required from the contractor, which would, in
turn, limit FMS's ability to review the completeness and
reliability of the test results. This potentially increases the
risk that GOALS may not be Y2K compliant and FMS would not be
aware of it.
FMS has taken a number of steps to address this situation,
including performing their own tests of the contractor's
certifications.
In all, we made 14 recommendations for improvement. These
recommendations address key areas of project management, system
conversion, certification strategies, data exchange strategies,
and contingency planning. We recently discussed with FMS their
efforts to address the recommendations we made as a result of
our audit.
FMS has taken positive steps and made progress toward
reducing the risk of a Y2K systems failure. As of January 31,
1999, 36 of their 62 mission-critical systems are compliant.
FMS anticipates the remainder of their mission-critical systems
will be implemented by March 1999. FMS has also initiated
coordination with data-
exchange partners and started some end-to-end testing.
One of the most significant issues at FMS is processing of
Social Security payments. SSA and FMS have worked together to
ensure the entire process for providing Social Security
benefits, from calculating benefits to making payments, is
ready for the century date change. Approximately a month ago,
an independent contractor informed FMS that monthly payments to
the Social Security payment system are indeed ready for the Y2K
date change. This represents a critical step in the Y2K work on
these systems, and FMS will continue to test throughout 1999.
While this progress is good, FMS still has a lot of work to
do, including end-to-end testing with approximately 30 Federal
agencies to provide additional assurance on the GOALS system.
Also, although FMS has prepared contingency plans for all
mission-
critical systems, those plans need to be updated and tested.
I'd like to now briefly describe our plans for additional
work throughout the remainder of 1999. Like management, our job
is not done with regard to Y2K conversion effort. We plan to
perform additional work at the ATF, the U.S. Mint, and FMS to
review their progress related to testing and contingency
planning, as well as provide coverage on the progress of the
Office of Thrift Supervision and OCC, the supervision of
financial institutions' Y2K readiness.
Our work at FMS will be performed in conjunction with GAO.
And finally, we will continue to monitor reported progress
by all the other Treasury bureaus and the Department.
In conclusion, I'd like to say, that Treasury has expended
a great deal of effort trying to fix the Y2K problem over this
past year. This effort has resulted in a great deal of
progress. Treasury's ability to manage and accomplish a
successful Y2K conversion is a lot less uncertain today than it
was a year ago.
At the same time, no one can sit back and declare victory.
A great deal of work remains to be done. If, in the next few
months, the results of the remaining implementation or testing
of critical systems identifies serious Y2K non-compliance, it
could be difficult to put the fixes in place and perform
necessary re-testing before the calendar turns. If sound
contingency and continuity of business plans have not been
adequately tested and are not in place and ready, there may be
no way to avoid serious disruption.
The intensity of the current Y2K conversion effort and the
top management attention that it has received needs to continue
right through to the millennium.
Mr. Chairman, this concludes my remarks, and I'll be happy
to answer any questions.
[The prepared statement follows:]
Statement of Dennis S. Schindel, Assistant Inspector General for Audit,
Office of Inspector General, U.S. Department of Treasury
Introduction
Mr. Chairman, Members of the Committee, I am pleased to
appear before you today to discuss the Office of Inspector
General's (OIG) oversight of the Department of the Treasury's
efforts to address the Year 2000 (Y2K) problem. I will focus
first on Treasury's overall Y2K conversion effort and then
specifically on the efforts at the Bureau of Alcohol, Tobacco
and Firearms (ATF) and the Financial Management Service (FMS).
I will then briefly discuss the audit work we have planned for
the remainder of Fiscal Year 1999.
The impact of a significant Y2K failure within Treasury on
the operations of other Federal agencies, state and local
governments, and the public is well understood by this
Committee and others. The question remaining now is whether we
are prepared, and are there any major operations or services
that will not be fixed in time to avert a major disruption.
Unfortunately, that question will probably not be fully
answered until we enter the new millennium. What we can say
from our review of Treasury's effort, is that Treasury has done
a credible job managing this effort, has applied significant
resources and top management attention to the effort, and has
reduced the risk that a significant Y2K failure will occur
within a critical Treasury operation. In addition, Treasury has
provided constant oversight over the bureaus progress and has
established working groups with representatives from each
bureau. The purpose of these working groups is to exchange
information, share best practices, and learn from one another.
In addition, Treasury has streamlined the contract procurement
process for key Y2K tasks such as independent verification and
validation.
Overall Treasury Results
In its February report to the Office of Management and
Budget (OMB), Treasury reported that as of December 31, 1998 a
total of 266 out of 321 mission critical systems were
compliant. According to the monthly status reports, all bureaus
anticipate meeting OMB's March 1999 milestone for
implementation, except for ATF and the Internal Revenue Service
(IRS) both of which have efforts underway to deal with the
slippage. While the progress is good, there is certainly a lot
more work to be done. Even if the bureaus have implemented
their systems, they must continue to perform testing throughout
1999. End to end testing, system wide testing, and regression
testing must be performed to ensure systems are ready for the
next millennium. In addition, business continuity and
contingency plans must be prepared, reevaluated, and tested.
Now let me briefly describe the work we did in reviewing
Treasury's Y2K conversion effort and what we found.
Starting over a year ago, we divided our review into three
phases. In phase one, we assessed Treasury's compliance with
the Y2K requirements of the Federal Financial Managers
Integrity Act (FFMIA). This involved looking at whether the
Department and individual bureaus had adequate plans for
attacking the Y2K problem, were providing OMB with the required
status reports, and were meeting the milestones established by
OMB. We issued our report on that phase on April 10, 1998
indicating that the Department was in compliance with FFMIA.
In phase two, we assembled teams of auditors to review more
in depth the efforts at each Treasury bureau, except IRS and
the U.S. Customs Service (Customs). With regard to these two
bureaus, we were able to leverage our resources with the
General Accounting Office (GAO) and the IRS Inspection Service,
now the Office of the Treasury Inspector General for Tax
Administration. Both GAO and the IRS Inspection Service
performed work at IRS, and GAO also reviewed Customs. I would
like to mention that we had an excellent working relationship
with both GAO and the IRS Inspection auditors. By working
together, we were able to share best practices while enabling
Treasury to get an independent audit assessment in every bureau
as well as Departmental operations. In addition, we performed
an audit to determine how well the Office of the Comptroller of
the Currency (OCC) in the early stages of its effort, performed
Y2K examinations of banks under OCC supervision.
In performing our work in phase two, we focused on the
broader issue of how the overall Y2K conversion effort was
being managed. Specifically, we determined if processes existed
and were designed to mitigate the Y2K risk to an acceptable
level for ensuring all mission critical Information Technology
(IT) systems remain operable. Therefore, we are not intending
to represent or convey statements that any given system is Y2K
compliant or that a system will or will not work into the next
millennium. We knew that with a project of this magnitude, one
could apply all the personnel, equipment and expertise that was
needed and still not be successful if it was not well managed.
Our experience in working with the bureaus in the early stages
of implementing the Chief Financial Officer (CFO) Act taught us
that the most successful bureaus were the ones that first
obtained strong commitment from the top and then obtained buy-
in and participation from all the program managers. The same is
true of the Y2K conversion effort. If it were viewed as
principally the responsibility of the Chief Information
Officers (CIO) and the IT personnel, then the significant
amount of progress that is needed in a relatively short period
of time, with no option for an extension, would not likely
occur.
We found that the Department and the bureaus established a
good infrastructure for managing the Y2K conversion effort and
minimizing the risk that a Y2K induced failure would have on
its mission critical operations. However, the inherent nature
of the Y2K dilemma denies the ability to completely eliminate
risk. Despite their best efforts and demonstrated success, the
Y2K problem comes with inherent risks that all organizations
face and will continue to face. Accordingly, even in those
bureaus where no significant weaknesses were found, we
developed three suggestions encouraging all Treasury bureaus to
sustain efforts in the areas of change management, data
exchange, and contingency planning for business continuity to
minimize potential disruptions caused by these inherent risks.
Specifically, the actions we suggested were:
Ensure that a disciplined change management
process exists that continues to maintain Y2K conversion
integrity. Once a system has been certified, steps need to be
taken to ensure test integrity is maintained and subsequent
changes to the environment or application do not regress Y2K
compliance.
Ensure that data exchange procedures identify and
coordinate pivots with exchange partners.\1\
---------------------------------------------------------------------------
\1\ The windowing logic technique uses pivots to interpret a two
digit year into a four digit year. All year values above the pivot are
understood to represent one century; while all values below the pivot
are understood to represent another century. Pivots refer to a number
built into system logic to infer the 2 digit century identifier ``19''
or ``20.'' For example, a pivot of 50 infers 19 as the century
identifier for values 50-99 and infers 20 for values 0-49.
---------------------------------------------------------------------------
Ensure the continued development, testing, and
reevaluation of contingency plans for each core business
function, as well as mission critical systems. Business
continuity planning is essential to maintain an acceptable
level of core business processes in the event of an
unanticipated failure.
In our phase two audit, we did identify four bureaus with
significant issues that required prompt action to assist in the
success of their Y2K effort. In these four bureaus we made
additional specific recommendations to correct the weaknesses
we found. We worked closely with bureau officials to promptly
alert them to these weaknesses, and we found the officials were
very receptive to our recommendations. In most cases, our
recommendations were acted upon before we issued our reports.
Since ATF and FMS are two of the bureaus represented at
this hearing and were included in our phase two audit work, I
will briefly discuss the weaknesses we identified at each of
these bureaus, the recommendations we made, and how each bureau
has responded. As I stated earlier, GAO performed work at the
IRS and Customs and will address those bureaus in their
testimony.
ATF Results
I will first start with ATF, which by coincidence was the
bureau where we piloted our phase two audit approach. I want to
preface my remarks by saying that not only was ATF very
responsive to our findings and recommendations, but they were
extremely open and cooperative with us from the very beginning
of our audit work. This helped accelerate our learning process,
and enabled us to share what we learned from ATF with other
bureaus. I also want to point out that at the time we performed
our work at ATF they too were still learning how to best
approach their Y2K conversion effort and manage it effectively.
It has been four months since we issued our draft report to ATF
and even longer since we first brought our findings to their
attention. ATF has taken corrective action on issues we
identified during our audit, and, as a result, their management
of the process and their progress has greatly improved.
The purpose of our audit at ATF was to determine if an
infrastructure for managing the conversion effort and
minimizing the risk that a Y2K induced failure would have on
its operations had been established. Our specific objectives
were to evaluate ATF's Y2K effort for the following: (1)
project management; (2) system conversion and certification;
and (3) contingency plans for business continuity.
We found that ATF had an infrastructure, skilled resources,
and reasonable guidance in place to address its Y2K conversion
task. However, somes aspects of managing the effort and
coordinating among the various components within ATF needed to
be strengthened. Also, while ATF was generally following GAO's
Y2K guidance, improvements were needed in some key parts of the
Y2K conversion process. For example we identified the need for
better coordination and communication between the Y2K project
office and the software development staff to accommodate the
respective needs of the affected groups within the
organization. Originally, we found that while the two groups
were dependent on each other for Y2K certification they had not
coordinated testing, migration, and certification dates with
each other. As a result, the Y2K project office was unable to
identify systems that were ready for certification since the
two schedules had differences in key system dates. After we
discussed this issue with ATF officials, they expedited the
reconciliation of their testing schedules from these cross
functional areas with Y2K responsibility.
We also found that while ATF had identified its data
exchange partners, they had no plans to coordinate the testing
of these interfaces with their trading partners. ATF's Y2K
Project Management Office has now been assigned responsibility
to ensure data exchange testing procedures are incorporated
into the compliance testing process.
In our report to ATF \2\ we identified four major areas
where improvements were needed. These are summarized below. We
included nine specific recommendations in our report designed
to help ATF strengthen their Y2K conversion effort in each of
these areas:
---------------------------------------------------------------------------
\2\ Year 2000 Compliance Effort at the Bureau of Alcohol, Tobacco
and Firearms (OIG-99-021, December 18, 1998)
Project management should be further strengthened
by developing performance measures to ensure accountability and
taking the appropriate action to ensure continuity in
contracted support.
System conversion process and certification plans
should be further strengthened by coordinating cross-functional
activities; formalizing the Y2K compliance testing procedures;
minimizing concurrent development; and improving configuration
management for maintaining conversion integrity.
Data exchange testing strategies should be
improved by including the necessary coordination with data
exchange partners.
Contingency planning should be further
strengthened by accelerating the timeline for developing and
testing contingency plans and developing the plans on a
prioritized basis.
We recently met with ATF to determine what progress they
have made since our field work. Although they have made
significant progress in all areas (implementation,
certification, and contingency planning) and have implemented
most of our recommendations, ATF still has a lot of work ahead
of them. They have three mission critical systems that are not
expected to be implemented until May, July, and August of this
year. Testing still needs to be performed with critical data
exchange partners and business continuity plans must be
prepared and tested for each core business function. If
subsequent testing shows that some systems are not ready, there
will be very little time to correct and retest these systems.
ATF is aware of the tight time frame and narrow margin for
error. They have the infrastructure in place that should enable
them to effectively address this increased risk.
FMS Results
I will now focus on our observations at FMS. The purpose of
our audit was to determine if FMS had established an
infrastructure for managing their conversion effort and
minimizing the risk that a Y2K induced failure would have on
their operations. Our specific objectives were to evaluate FMS'
Y2K effort for the following: (1) project management; (2)
system conversion and certification; (3) data exchange; and (4)
contingency plans for business continuity.
Similar to ATF, FMS has taken action to address all of our
findings and recommendations. In addition, they have started
and/or completed a number of their own initiatives to
strengthen their Y2K conversion process. As a result, FMS'
management of their conversion effort, their progress in
getting systems implemented, tested, certified, and their
contingency planning efforts are much improved from when we
conducted our audit work.
That audit work showed that FMS had a project management
infrastructure, a certified Y2K platform, reasonable guidance,
a commitment from the Commissioner, and an inventory of its
non-information technology mission critical systems in place to
address its Y2K conversion task. However, also like ATF, some
parts of FMS' management process needed to be strengthened and
certain key parts of the Y2K conversion process needed to be
better executed. For example, the Chief Information Officer
(CIO) had overall responsibility for FMS' Y2K effort through
the establishment of the Y2K Special Project Office (SPO).
However, we found that summarized project information flowing
into the SPO and ultimately to the Department and OMB, was not
always accurate, reliable and consistently gathered. We also
observed that while the SPO had prioritized FMS' mission
critical systems, the application of resources and a level of
effort consistent with these priorities was not being managed
from an FMS-wide perspective. FMS informed us that both of
these areas have been substantially improved since we conducted
our audit work.
We also found that for FMS' external systems, that is,
systems developed and maintained by an outside contractor, FMS
needed to improve their ability to assess Y2K compliance. One
such system is the Government On-line Accounting Link System
(GOALS) which is entirely operated and maintained by
contractors at the contractor's facilities. FMS had
significantly limited the amount of test documentation required
from the contractor which would limit FMS' ability to review
the completeness and reliability of the test results. This
potentially increases the risk that GOALS may not be Y2K
compliant and FMS would not be aware of it. FMS has taken a
number of steps to address this situation, including performing
their own tests of the contractors certifications.
A complete summary of the issues we reported to FMS in our
February 10, 1999 draft report are presented below. In addition
to this draft report, we provided FMS with the detailed results
of our evaluation of nine mission critical (IT) systems.
Project management should be further strengthened
by performing more quality assurance reviews to ensure reports
are reliable; establishing priorities from an FMS-wide
perspective; and using performance measures to enforce
adherence to FMS guidance.
System conversion and certification strategies
should be further strengthened by managing and coordinating
test schedules and resources; reviewing test results and
ensuring adequate testing documentation; requiring additional
testing or other procedures to compensate for lack of test
documentation on externally maintained systems; and ensuring a
disciplined change management process exists for maintaining
conversion integrity.
Data exchange strategies should be improved by
completing the data exchange inventory; establishing and
completing agreements with data exchange partners; identifying
and coordinating pivots; performing testing with FMS' data
exchange partners; and establishing accountability for
performing data exchange procedures.
Contingency planning should be further
strengthened by reevaluating, accelerating, and prioritizing
the development and testing of contingency plans; defining
incremental tasks to facilitate the preparation of contingency
plans; incorporating data exchange risks in contingency plans;
and preparing business continuity plans to ensure all core
business processes continue to function at an acceptable level.
We made 14 recommendations and 1 suggestion for corrective
action. These actions are designed to strengthen FMS' Y2K
conversion process and, upon implementation, we believe FMS'
risk of any Y2K induced failure will be reduced.
We recently discussed with FMS their efforts to address the
recommendations and suggestions we made as a result of our
audit. FMS has taken positive steps and made progress toward
reducing the risks of Y2K system failures. As of January 31,
1999, 36 of their 62 mission critical systems are Y2K
compliant. FMS anticipates that the remainder of their mission
critical systems will be implemented by March 1999. FMS has
also initiated coordination with data exchange partners and
started some end to end testing. Despite this progress, FMS
still has a lot of work to do, including end to end testing
with approximately 30 Federal agencies. Although FMS has
prepared contingency plans for all its mission critical
systems, they still need to update and test business continuity
plans.
One of the most significant issues at FMS is processing
Social Security payments. FMS maintains payment systems that
each year make 860 million payments with a dollar value of more
than $1 trillion on behalf of the Social Security
Administration (SSA), the Department of Veterans Affairs, the
IRS, and other agencies. FMS systems issue more than 600
million Social Security and Supplemental Security Income
payments each year on behalf of SSA--roughly 70 percent of all
FMS payments.
SSA and FMS have worked together to ensure that the entire
process for providing Social Security benefits--from
calculating benefits to making payments--is ready for the
century date change. In October 1998, FMS began to issue
monthly Social Security payments on systems that had been fixed
and tested while it awaited independent verification of its
testing, test results, and documentation to ensure that these
systems were, in fact, Y2K compliant. Approximately a month
ago, the independent contractor informed FMS that monthly
Social Security payment systems are indeed ready for the Y2K
date change. This represents a critical step in Y2K work on
these systems, and FMS will continue to test throughout 1999.
OIG Phase Three Work
In Phase three, we plan to perform additional reviews at
selected bureaus to review their progress related to testing
and contingency planning as well as provide coverage on the
progress of the OCC and Office of Thrift Supervision (OTS)
supervision of institutions. Finally, we will continue to
monitor reported progress by the bureaus and the Department.
Our continuing review will be done at ATF, U.S. Mint, and
FMS. The first part of our work will focus on the results of
independent verification and validation and then on contingency
planning. Our work at FMS will be performed in conjunction with
GAO. It is critical that bureaus perform independent
verification and validation to ensure adequate testing was
performed. Without adequate testing, it is possible that a
system could fail without warning. A review at one bureau
revealed that a system was certified as Y2K compliant, but the
auditors found that not all code was identified or renovated.
If this was not corrected prior to the system's critical date
(i.e., January 1, 2000), the system could fail. This issue was
brought to management's attention, and the bureau took prompt
action by bringing in an independent contractor to review 100%
of the code.
In addition, the second part of phase three will focus on
business continuity efforts. OMB established a March 1999
milestone for agencies to have fully implemented systems. Based
on our audit work and review of the bureaus' monthly status
reports, we have identified two bureaus that are unlikely to
meet this milestone: (ATF and IRS). ATF has 3 of 24 mission
critical systems that will be implemented after March 1999;
while IRS has 7 of 133 mission critical systems that will be
implemented after March 1999. Therefore, it is even more
imperative for these bureaus to have comprehensive contingency
plans in place.
It is also imperative that bureaus which exchange data with
international partners have reliable contingency plans in
place. Early indications are that international partners have
made slower progress than the United States in converting their
systems; therefore, there is a higher risk that problems may
occur when transacting business internationally. In each
bureaus' report, we stressed either through a recommendation or
suggestion the importance of contingency planning to all
bureaus in the event that the milestone dates were not met or
unanticipated problems were identified with the operation of an
implemented system. The uncertain and uncontrollable
international situation raises contingency planning for systems
with international exchange data to the same critical level of
concern as actual conversion of mission critical systems.
Conclusion
It would be an understatement to say that a great deal of
effort has been put into solving the Y2K problem over this past
year. However, that effort has resulted in a great deal of
progress. Treasury's ability to manage and accomplish a
successful Y2K conversion is a lot less uncertain today than it
was a year ago. At the same time, no one can sit back and
declare victory. A great deal of work remains to be done. If in
the next few months the results of the remaining implementation
or testing of critical systems identifies serious Y2K non-
compliance, it could be very difficult to put the fixes in
place and perform the necessary re-testing before the calendar
turns. If sound contingency and continuity of business plans
have not been adequately tested and are not in place and ready,
there may be no way to avoid serious disruption. The intensity
of the current Y2K conversion effort and the top management
attention it has received needs to continue right through to
the millennium.
Chairman Archer. Thank you, Mr. Schindel.
The Chair is grateful to all of you for your presentations
today. I must say, generally, they come across as being
comforting, which I am very pleased to hear.
Can any one of you think of any reason why the areas of
operation within your supervision or purview would be disrupted
as we enter the new millennium? Is there any reason why any
necessary functions would be disrupted by this Y2K problem at
the beginning of next year?
Mr. Apfel.
Mr. Apfel. Mr. Chairman, that's really the purpose of our
contingency plans. If there are areas of potential disruption,
how would we overcome those problems? Not how would we change
the systems, but how would we get around and get what we need
to get done, done. And some of that involves moving people to
work, and moving work to people. But if there were potential
disruptions, that's really the focus of what contingency
planning is throughout all of Government, to focus on the areas
where we could have potential problems and how to overcome
those problems. In other words, if there is a power shortage in
our Baltimore headquarters, our contingency assures a week's
worth of power on our own to operate our computers to make sure
that we can handle the workload.
So that's really what the whole focus of contingency
planning is, to take a look at the ``what-ifs'' and decide how
we will resolve the issue.
Chairman Archer. That's very good to hear too. So if Y2K
does happen to cause any problems, you do have contingency
plans so that your necessary services will continue without
disruption. Is that a fair statement?
Mr. Apfel. That is a fair statement.
Chairman Archer. And I would say to all of you who are
involved with the Federal Government, because I don't think we
are going to provide any resources to Mr. Anderson out of the
Federal Treasury, but for those of you involved with the
Federal Government, are you satisfied that the Congress has
provided adequate resources to solve the problems in the
operations over which you either supervise or have within your
purview?
Mr. Gregg. Mr. Chairman, speaking for FMS, we have
sufficient funds to do what we need to do. We just need to keep
focusing on Y2K and get it done.
Chairman Archer. And to all of you, is there any area where
you need additional funds?
Mr. Apfel. No, sir.
Chairman Archer. OK. Then the record will show that the
answers were unanimously ``no'' to that question. Those are the
only questions I have. Mr. Rangel.
Mr. Rangel. Yes. The distinguished Majority Leader, Mr.
Armey, was concerned that some of our financial institutions
might not be prepared to support the progress that is being
made by the Social Security Administration in getting benefit
checks out. And he's written to the President of the United
States about this issue. And I just wondered whether anyone
could satisfy his concern?
Mr. Anderson. If I can speak. The banking industry is on
track in meeting its deadlines. And we have gone through
extensive tests, both of our internal systems and with the Fed,
to ensure that the payments will come to the Fed, from the Fed
they will come to the bank, and from the bank they will be
credited to the proper individual account. If there are
glitches, we have contingency plans as well so that we can
stand behind our Social Security recipients to make sure that
they get through this all right.
Mr. Rangel. Mr. Anderson, would you be kind enough to send
a note to that effect to Mr. Armey because he has concerns like
this. It bothers me. [Laughter.]
Mr. Anderson. I'd be glad to.
Mr. Rangel. Thank you so much. Thank you, Mr. Chairman.
[Mr. A. Scott Anderson submitted his testimony to Richard
K. Armey, House Majority Leader.]
Supplement to the Testimony of A. Scott Anderson; on behalf of the
American Bankers Association
During the February 24 hearing, Representative Mark A.
Foley (R-FL) asked that Mr. Anderson provide a discussion of
the consequence to U.S. financial institutions should Y2K
glitches occur in transactions with their foreign trading
partners. The requested discussion follows.
The issue of global Y2K risk has been of major concern to
all financial institutions that do business across borders.
Aside from testing and preparing contingency plans for their
domestic operations, financial institutions have been closely
examining their international exposure, and assessing the Y2K
readiness of their global partners. For example, consider this
excerpt from the testimony of State Street Corporation, to the
Senate Commerce Committee on February 9, 1999:
In much of our business, we act as an agent or true
financial intermediary in a complex, interconnected chain of
financial transactions. As a middleman, we interact
electronically with securities depositories, broker/dealers,
banks, stock exchanges, telecommunications and utility
providers, our customers and investment data services in more
than 80 countries.
Our business exposes us to the readiness, or failure, of
multiple parties beyond our control. Regardless of how well we
have prepared our own information systems technology for Y2K,
our ability to deliver services remains dependent upon the
state of readiness of thousands of other service providers.\1\
---------------------------------------------------------------------------
\1\ Marshall Carter, Chairman & CEO, State Street Corporation
---------------------------------------------------------------------------
It is precisely this interdependence of multiple parties
engaged in cross-border transactions that makes it difficult to
determine the overall risk level of such activities as trade
finance, currency exchange, and investment settlement services.
However, each financial institution that provides these
important services is continuing to verify and monitor the Y2K
progress of major overseas counter-parties, such as those
mentioned in the referenced testimony. At the same time,
financial institutions are developing contingency plans to
continue their existing services in foreign markets should they
face Y2K-related disruptions.
Chairman Archer. Mr. Crane.
Mr. Crane. Thank you, Mr. Chairman. I want to commend
Commissioner Apfel, especially for the recognition of this
problem earlier, I think, than your counterparts in getting up
to speed and providing that example. And my understanding is,
the person who pioneered that was Kathy Adams. And is Kathy
here?
Mr. Apfel. Kathy is right behind me. Dean Mesterharm also.
And John Dyer.
Mr. Crane. Congratulations, Kathy.
Mr. Apfel. I would like to take full credit for it, but it
started many, many years before I became Commissioner.
Mr. Crane. You're in deep ``kimshe'' if you try.
Mr. Apfel. That's right. [Laughter.]
Mr. Crane. Let me ask one question though. And that is
while you're up to speed, do you have any concerns about the
post office's readiness?
Mr. Apfel. No, sir. The Postal Service is virtually
complete in its operations. And again, if there is a localized
problem, the same notion of moving people to work and moving
work to people is in their contingency plan. If there were a
problem in a certain area, the idea would be to work around it
to assure the delivery of the mails.
I think you should hear that directly from the Postal
Service, but we are very comfortable with our efforts that have
been going on with the Postal Service in this endeavor.
Mr. Crane. That's comforting. Well, I thank you so much.
And I yield back the balance of my time.
Chairman Archer. Mr. Shaw.
Mr. Shaw. I would like to continue that line of questioning
with regard to the delivery of the checks, and I would like to
also speak to Mr. Anderson about this particular matter. What
about foreign banks, American living abroad who are receiving
Social Security checks. I'd like to direct this question both
to Mr. Anderson and Mr. Apfel as to what would happen to them?
Have we done a survey to see how they can cope with this?
Anybody, either one.
Mr. Apfel. I would like to start that.
Mr. Shaw. All right.
Mr. Apfel. This is an area that I think needs greater
attention over the course of this year. That's part of what our
contingency planning is focusing on. If we can't get the
sufficient assurances in the international arena, then we're
going to have to determine alternative systems for delivery at
that time.
This is one of the areas I think the U.S. banks are in a
much stronger position than some in the international arena. So
this is one of the areas that our contingency planning is
focusing on this year.
Mr. Anderson. If I could just add to that, Congressman. I
serve as a senior adviser to the President's Y2K Council, and
that is one of the issues that we are very concerned about. We
are confident that we can get the wires to those other banks,
and we need to make sure that they can then credit it to the
appropriate parties overseas. We have a number of our customers
that do a tremendous amount of wires each day to people serving
all over the world, and we have been working with those
customers to develop contingency plans if in fact the wires
can't get through, that we can get them the cash through other
means.
One of these means is through the ATM card, where they
could then access the cash overseas using the ATM card.
Mr. Shaw. This is very important not only for the
beneficiaries who need these funds but also it is very
disturbing as to the tracks that we leave down to prove that we
did deliver these checks in compliance with the instruction of
the recipient. And I think that we need to really go back and
be sure there is a very good audit trail to prove that we did
send the money, and that this was the choice and the designated
recipient of the money made by each of the beneficiary of the
Social Security system. And I think this is very important that
we look into that because there could be some real glitches
that we didn't prepare for.
I have just one other question that I want to ask Mr.
Apfel. And I ask this with full recognition the tremendous job
that you all have done at Social Security, and Kathy, and
continuing under your leadership. But I do have a question. Our
Subcommittee asked for certain documentation to be given to the
General Accounting Office and that they do certain audits and
report back to the Subcommittee. We understand that there is a
problem with receiving some of the requested documents. If you
comment on that or if you would get back to me if you're not
prepared to comment on that, we do want to fulfill our
obligation to do our oversight in that area.
Mr. Apfel. And this is in the Y2K area?
Mr. Shaw. That's what I understand.
Mr. Apfel. I am unaware of a problem in this area. We will
look into it immediately and have someone contact your office
today.
Mr. Shaw. If you would check with the General Accounting
Office and see what they have requested that you haven't
provided. And we would appreciate your expediting that.
Thank you. Thank you.
Chairman Archer. Mr. Coyne.
Mr. Coyne. Thank you, Mr. Chairman. Mr. Gregg, what
contingency plans does FMS have should any of the direct
deposit electronic systems fail?
Mr. Gregg. We have several, Mr. Coyne. First of all, we
have a nationwide telecommunications network that runs out of
our Hyattsville, Md., office. It has the capacity to shift work
around the country. If we did have a power problem in one part
of the country, we could shift payments processing to another
location.
We also have a backup telecommunications facility in Kansas
City. Both of our telecommunications faacilities have power
generators that could operate if we had some kind of power
problem in those locations.
In addition to the telecommunication network, we have three
computers that can each process the full volume of our payments
for any given month. So if we had a problem, say, in Austin,
Texas, we could shift all the work that would normally be going
out of Austin to either Hyattsville or Philadelphia, and make
the payments through those facilities. I'm talking about
electronic payments.
Someone mentioned earlier about the possibility of a
problem with the Postal Service. If, in fact, we had some
problem with the Postal Service in one part of the country, we
could actually shift work and have the checks printed at
another one of our regional finance centers, where they may not
be having a problem with the Postal Service.
So we have quite a few contingencies to address problems
that could occur. We are doing everything we can to, hopefully,
reduce that risk. But we do have a good contingency plan in
case something does happen.
Mr. Coyne. Are paper benefit checks available as a backup?
Mr. Gregg. Yes they are. Well, they are in terms of our
ability to shift check production from one place to another.
I'm very confident, extremely confident, that the electronic
processes will work. We have about 70 percent of our overall
payments now made electronically. The reason I'm confident is,
first of all, Social Security on one side of us has been ready
for some time. And, on the other side of us, we have the
Federal Reserve, who started on this project about the same
time as SSA. They have also shown great leadership. They have
been testing with the commercial banks that receive electronic
payments for some time and they will continue to test
throughout this year. I'm very confident that those will work.
If we did have some isolated problem, and in my view it
would be only a few banks here and there, if we did have an
isolated problem, we would work with Social Security and
quickly get out a replacement check for that individual.
Mr. Coyne. Thank you.
Chairman Archer. Mr. McCrery.
Mr. McCrery. Mr. Apfel, just one question. You use an
example in your testimony or maybe in response to a question
about the electric power going off, say, in Baltimore and you
had a contingency plan that would allow you to generate your
own power for a week. Is that a real-life example or was that
just----
Mr. Apfel. That is a real-life example. Our data operating
center, which is central to our nerve center, has its own power
source.
Mr. McCrery. But only able to generate power for 1 week?
Mr. Apfel. We have the fuel on hand to power it for a week.
Not that it would shut down in a week.
Mr. McCrery. OK. Well that's good because I was wondering
if you were that confident that a problem of that scope, the
failure of a utility company, for example, to generate power,
could be solved that quickly. Do you have any thoughts on that
in your contingency planning as to the ability of other
entities to identify problems and solve them quickly?
Mr. Apfel. I think the overall power grid issue is a
broader issue that I believe John Koskinen will be speaking to.
He was supposed to testify first, but there have certainly been
significant improvements in this area. The one area that we
felt that was centrally important that we have covered in case
of a localized outage was our data center because that is
clearly the center of our operation. That is taken care of.
If a local power company--we've heard about the Austin
local power--went out, what we would have to do in that
situation, again, would be to redirect around it. We have 1,300
field offices. So that capacity to move work throughout the
country around a localized problem is part of our contingency
planning.
Now that's clearly part of the local contingency plans that
we're developing now and will be finalized by the end of March,
just those forms of localized problems, and how to work around
them and get our work done.
Ultimately, the goal is how do we get the work done if
``blank'' happens? And that's what the contingency plans do.
Mr. McCrery. OK. Thank you.
Mr. Anderson. Congressman, could I add to that?
That's one of the issues that we've looked at very
carefully in the banking industry. What would we do? And in our
particular bank, we have a backup generator for our main
computers that will take us through for 2 weeks. In addition,
we will have trailers with their backup generator in the
trailer that we can move around if there's outages in certain
areas to continue to service the customers. And in the end, we
are prepared to do it with lanterns, the old fashioned way,
with flashlights and so forth.
Mr. Gregg. Mr. Congressman, I want to get on the generator
bandwagon here. We also have a generator in our Hyattsville
office, which is our largest center. We installed it 8 or 9
months ago. And it will run our whole operation for any length
of time as long as we have the fuel. It has worked very well
when we have had power problems due to the weather we have had
over the 7 or 8 months since it's been installed. The generator
has really worked flawlessly.
Mr. McCrery. Mr. Chairman, I yield back, but maybe with all
this talk of extra use of fuel, we can get oil prices back up
to help us out in the oil patch. [Laughter.]
Chairman Archer. That would be beneficial in our part of
the world in any event. Mr. Collins.
Mr. Collins. Thank you, Mr. Chairman.
Mr. Apfel, I'm encouraged by your comments this morning
about how well prepared you are for January 1, 2000, and that
you had the foresight, and your predecessors had foresight many
years ago, to look into this problem. I'm also encouraged by
your reaction to this situation that you're going to be
forthcoming with some very good recommendations as to
structural change for the Social Security system itself, as we
discussed last night.
I only have one question for you. And that is, these
``what-ifs.'' What if there is a real problem at the end of
this year and the beginning of the first two or 3 days of next
year, and those checks don't show up. Were you to, in your
local offices, regional offices, receive the calls that are
going to come from our office? Do you have a good contingency
plan for that one? That's one I'm really worried about because
I know that we will be overrun with calls and visits, and I
know in the Atlanta region office they do a very good job of
helping us today with situations, but that might be a massive
one. Do you have contingency plan to handle us?
Mr. Apfel. To handle?
Mr. Collins. Us, as a Congress. Our calls to you in
reference to constituents?
Mr. Apfel. Absolutely. Part of the local office contingency
planning is--let me go to two things. First of all, our day-one
strategy is for every field office, every facility, every
hearing office that we have, to have people in those offices
during the weekend to go through a series of real-life
situations to ensure that systems are working. We have a
command center in Baltimore to be able to handle that
information. And that goes all the way to such things as
embedded systems.
Let's say you have an electronic lock system. You want to
make sure that electronic lock system is working because you
don't want to get locked out. So clearly there's a whole series
of things that each one of our facilities will be doing.
In addition, we'll have about 40 of our field offices that
will actually be making transactions to assure that those
actual transactions can take place. By the time we open the
doors after the holiday, we will have assessed exactly where,
if there is a problem somewhere, that problem would be. If
there is a problem in a certain area in your district, we would
notify your office to let you know what our contingency plans
would be and how to handle that work.
Mr. Collins. Before the light changes, if you have any
recommendations for my office through the Atlanta regional
office so that we can assist you, please call with those
recommendations because we want to fully prepared too.
Mr. Apfel. Very good, sir.
Mr. Collins. Mr. Anderson, right quickly. You mentioned the
contingency plans that you have and you're encouraging and
trying to educate your customers to keep their moneys in the
bank. The Federal Reserve Chairman also made the same
statement; however, he is printing some $200 billion extra to
stockpile. I had a constituent just earlier this week who told
me that he is stockpiling his own little contingency of cash as
well as other things for January 1, and he's a businessperson,
very well educated. So your education system is not getting
down to the grassroots in all places.
Mr. Anderson. That is absolutely right, Congressman. And
this is why I think we all have to pull together, the industry,
the association, and the government, in getting out the
message. We've had customers come in and pull out their life
savings. And in talking with them, they are going to take it
home and keep it until after the change of the year.
I think back to my mother. I would hate my mother to do
that. I would be worried about her personal security and
safety. I'd be worried that something would happen to the money
and then she would be destitute. She wouldn't have anything.
And I think it's these fears that we really need to address,
and let people know that they will be taken care of.
I'm confident that the ATM system will work. And where you
can go in there on January 1 and draw out money. You have your
checks. You can use your checks. You don't need to just have
cash. You can use your credit cards. And so I am confident that
things will be all right.
But we do have to get the message out.
Chairman Archer. Mr. Kleczka.
Mr. Kleczka. Thank you, Mr. Chairman.
Commissioner Apfel, let me re-ask a question that was asked
by Congressman Coyne. You gave the one scenario of the power
outage, and that's been talked about at length here. Let me
broach this scenario. Let me ask a question first: What
percentage of your benefit checks are direct deposit, or
benefit payments are direct deposit? About 70?
Mr. Apfel. About, yes.
Mr. Kleczka. About 70. OK, which is a hefty amount. Let's
assume for a moment that one or two banks in the system that
accept direct deposits for some reason have a glitch, and the
consumer, the beneficiary cannot access those dollars on
January 3, is it? What is, January 1 is on what date, Saturday?
Mr. Anderson. Yes.
Mr. Kleczka. OK, on January 3. What is that contingency
plan because that is something that is going to be asked of us
repeatedly throughout the year?
Mr. Apfel. The specific contingency plan: Our facility will
be working with that financial institution to determine
immediately whether, in the next 48 hours, the situation would
be resolved so that it could be deposited electronically.
Mr. Kleczka. And the answer to that question is it cannot.
Then what?
Mr. Apfel. Step two is the arrangement to determine whether
a second financial institution could make the electronic
transfer. If we could not, then step three, we would be working
with the FMS to cut a paper-based check. And step four, if
there is an emergency, if someone said I am destitute, our
field offices are prepared at that time to immediately cut a
check.
So we have a several-step process.
Mr. Kleczka. So what is the longest period of delay that a
constituent, say in my district, would suffer if they went to
the bank on Monday for a withdrawal, the transfer was not
showing up, how long before that person could get their actual
dollars?
Mr. Apfel. If the person is not in an emergency situation,
it could be about a week. However, if there is a financial
problem, if they really needed the cash immediately, our field
offices would be prepared to cut that check immediately.
So step one, the first 48 hours with a financial
institution to determine whether it can be done. Step two, it's
whether there could be another alternative financial
institution. If that is immediately ruled out, then cut the
paper-based check. And in the case of emergency, the immediate
check cut by our field office.
Mr. Kleczka. I'm assuming you're going to be asked those
questions repeatedly over the next 300 and some days. What I
would ask you to do is revise the system and move off that 1
week because that will clearly cause panic with some people. So
there's got to be a system where, whether or not it's an
emergency, it's my money. And I went to the bank on Monday and
I want $200. There's got to be some system in place where
within a 24-hour or 48-hour period, that person has access to
those dollars.
OK?
Mr. Apfel. In an emergency situation, the answer is
absolutely yes.
Mr. Kleczka. ``Emergency'' is it's my money and I want it.
Mr. Apfel. Yes.
Mr. Kleczka. OK?
And that's what we're going to be getting in calls to our
office. And it might be to pay a bill, it might be just to go
shopping--I don't know. But with that person, it's an emergency
to them. You know? It's not a life or death, but----
Let me also restate a point made by Mr. Anderson, which I
think is probably the crux of the entire problem. And in your
statement, as you well know, you indicate the biggest, the
bigger challenge, is maintaining public confidence. We believe
that Congress has a critical role to play as do bankers in
keeping consumers informed about what's being done.
We had a hearing yesterday on an important issue on Social
Security, and there were three or four cameras in the room. In
fact, one is sitting right in front of you to get your fact
shot. Today they are not there. And clearly, you know, I don't
know where you put it in the importance of things as far as Y2K
and Social Security. I think both are very important issues,
but we don't have the public exposure to your comments today
like we do for other hearings here. And I think it's incumbent
upon Congress to make sure that we don't cause the panic.
Because it's great sport bringing an agency before various
Committees if one of the administrators indicates that we're
not really up to speed. That word is going to get out right
away, and naturally the public is going to be very concerned.
So I think the burden of consumer confidence and making
sure that the perception that the sky is not falling comes from
this body, the Congress itself. And the agencies are not
surprised at this. They have been working for years in some
cases. We know that billions and billions of dollars have been
spent on the problem. And what I try to do when I go back home,
in fact we write a weekly column for the local newspapers. And
the one about 2 weeks ago was on Y2K and that the government is
coming up to speed and there's no reason for panic. The bankers
and financial institutions are there. And hopefully through
that type of educational process, my consumers, or my
constituents, won't be the ones buying gold and starting to
hoard consumer products, be it food, water, whatever.
But let me ask this panel, and I don't know who wants to
answer it. But we see the stories repeatedly on TV where there
are now conventions or seminars on weekends where people are
told to start squirreling away water and canned goods. Some of
these things are even for sale at these seminars. We've heard
the stories of people pulling their money. My nephew asked the
other day whether or not he thought, or I thought it was a
good, for him to get some gold. You know.
Paint me a scenario where all the food stores in the
country, Giant, Safeway, Kohls, and the like would not be open
at all, that our money would be worthless. I just can't fathom
that transpiring, but some people do. And some people are out
to make a buck by encouraging that type of thinking. Could
somebody here tell me, or try to paint me the worst-case
scenario, where I cannot access any food products whatsoever
for a period of time, or the money supply that I have either
saved or whatever is worthless, and without gold we're all in
deep trouble?
Mr. Anderson. Mr. Congressman, I applaud your comments, and
I do think we need to get the word out. I can't think of an
instance where that would happen. And in fact, if you go back
over history, those who have been the doomsayers in the past
and said invest in gold, that's probably been the worst
investment that they could have. Again, I'm convinced that the
banking side will be ready, that the safest place for people's
money is in the bank. People need to be careful about some of
the hysteria and some of the fraudulent schemes that are out
there to take money away from people, take advantage of the
situation.
Mr. Kleczka. Thank you very much. And again, thank you for
your comments. Hopefully the Members of Congress will be
listening to them and heeding that advice.
Thank you, Mr. Chairman.
Chairman Archer. Mr. Houghton.
Mr. Houghton. Thank you, Mr. Chairman. Thank you,
gentlemen, for your testimony. Good to see you, Commissioner
Apfel. I think you're doing a great job. Thanks very much for
the things that you're doing for the Y2K problem.
Let me just try to put this thing in perspective. The Y2K
issue for the U.S. Government is an issue for the
administration, really not for Congress, or not for the
Judiciary. And the reason we are involved here is because of
the oversight to see how it's going. Are there any weak spots?
And I would assume that the President of the United States or
any of his lieutenants have said to you, we expect that this
will be solved, and be solved expeditiously so that there will
be no problem with the U.S. citizenry. And if it is not, and
you are worried about it, you let us know.
And, in effect, the word came back that you needed a little
less than $3.5 billion, and that came forward through military
and non-military supplemental appropriations last year.
So I would assume, irrespective of what the problems are,
there are always the ``what-if,'' that this thing is going to
be solved and you got enough money. And if it's not, I would
like to know it.
Mr. Apfel. Mr. Houghton, I can only speak for the Social
Security Administration, but we have fully adequate resources
to completely resolve this issue. I think that the importance
of this hearing today is to ask that question of every agency.
I think these hearings are very appropriate to look at where
there are potential problem areas, and what the resource
implications are. From a Social Security perspective, Mr.
Houghton, I can assure you that we have the resources and the
plan in place to handle this.
Mr. Houghton. Well now, let me just go on to Mr. Schindel.
Mr. Schindel, you wrote a sentence which is a sentence I've
never seen before: ``Treasury's ability to manage and
accomplish successful Y2K conversion is a lot less uncertain
today than it was a year ago.'' Tell me, what does that mean?
Mr. Schindel. Congressman, what that means is that a year
ago, I think that most of the agencies and Treasury were where
a lot of other agencies were. They would have liked to have
gotten started a lot sooner. So last year there were a lot of
plans in place. An infrastructure was put in place to start
managing the Y2K conversion, but we didn't have a lot of actual
renovation and conversion of systems going on. That has
substantially improved or increased since that time.
Mr. Houghton. But, Mr. Schindel, if I could just interrupt,
if I were the operating officer of the United States, and you
said that to me, that would worry me. I expect you to do this
job. And we don't get paid off on effort. And I understand some
of the past problems, but we need to be sure that things are
going to be all right. And I know you're in the auditing
business, and I know that's important, but it is not a
reassuring sentence.
Mr. Schindel. Well, I think what it's meant to communicate
is that between now and January 1, 2000, there's still some
work to be done. But everybody is engaged in doing that. And
until that work is completed, additional testing is done, there
is still the potential that some systems could be Y2K non-
compliant.
Mr. Houghton. Mr. Chairman, I've just got one other
question, if I could ask it.
Chairman Archer. Of course. Go right ahead.
Mr. Houghton. All right. I'd like to ask this of Mr.
Anderson. You say in your testimony in the last paragraph
conclusion, that the banking industry alone cannot deliver
business as usual in the year 2000, there must be parallel
commitments by all other sectors of the economy. Are there any
reasons to doubt that there are not?
Mr. Anderson. Mr. Chairman, or Congressman, we are looking
at that very carefully, and we are dealing with our vendors and
our service suppliers with our utilities and the
telecommunication providers to ensure that they are taking
appropriate actions and that the service that they are
providing us will be made----
Mr. Houghton. I'm sure you are, and that is very
reassuring. However, do you see any real soft spots out there
that we should be concerned with?
Mr. Anderson. Overall, I'm very confident. There may be
glitches, but I think we will be able to overcome them so that
the service to the individual consumer at least coming into the
bank will not be interrupted.
Mr. Houghton. Thank you, Mr. Chairman.
Chairman Archer. Mr. Tanner.
Mr. Tanner. Thank you, Mr. Chairman.
I was interested in your opening statement, Mr. Anderson.
My grandfather was in the banking business back during the
Depression. This fellow came in 1 day and withdrew all his
money and said I just can't trust the banking system. A couple
weeks later he came back, put his money back in. My grandfather
asked him, what did you change your mind for?
He said, well I buried it in the backyard and I wore a path
checking on it. He said any fool could have found it.
[Laughter.]
My question following up on Mr. Houghton. Your comments,
all of you, have been reassuring as has been said. What about
your suppliers and those with whom you have Y2 compliant
computer interaction that you must depend on. I mean, it's all
right for you to be Y2 compliant, but those with whom you
interact by computer, if they are not, the old adage, it takes
two to tango in this business. Could you all comment on where
you are with that and if you see any problem. Thank you.
Mr. Apfel. Mr. Tanner, it's a major priority that our
partners, and there's not just one, there's lots, are connected
to us and that everything is compliant. We identified 2,000
data exchanges, that's 2,000 partners. We must be able to
assure that those systems are working in a positive
interconnected way. Within Social Security, we've fixed all but
13 of those 2,000. The last 13 are not mission-critical, but we
still want to get that resolved, and we will over the next 3
months. One of the key aspects of any agency is to determine
what its data exchanges are, identify them, rank them,
determine their mission criticality, and then go in and
actually get it done. That is something that we have done. It's
clearly one of the major undertakings that we went through over
the course of last year.
Mr. Anderson. I may just add, from a banking point of view,
we've gone through and made extensive inventory of all of the
vendors and service providers that deal with banks, from
systems and software providers to elevator operators and
maintenance people, and we've gone back to each of them and
tested their systems. Also, I should mention, and this should
give the public a great deal of relief, that the Federal
banking regulators are looking not only at banks but also at
the major key vendors that provide data and technology services
to banks. And they have found that 95 percent are compliant. In
addition to that, we are working with them and doing our own
testing with each of those vendors.
Mr. Gregg. The only thing I would add is what I said
before. We have considerable redundancy built into our system
so if we did have a problem in one location we could operate
elsewhere. And we also have plans to have additional check
stock on hand, more than we would normally have, just in case
there was some kind of problem.
Chairman Archer. The gentleman's time has expired. Mr.
English.
Mr. English. Thank you, Mr. Chairman. Commissioner Apfel, I
want to compliment you. Your testimony today is most
reassuring, and it's a great testament to your proactive
efforts to deal with this Y2K problem.
Referencing the remarks made by my friend and colleague
from Wisconsin, I think it is incumbent on us to get the good
word out, particularly to Social Security recipients, that you
have done a very good job of insulating them from potential
disruption. And let me say, as my colleague from Wisconsin
said, I wish C-Span were here today because I think this is a
message that really needs to get out with the public.
I have one brief question that you can probably comment on
relative to Mr. Willemssen's written testimony. He identified
three key risk areas. One of them was having to do with support
from the 54 State Disability Determination Services. I am
wondering, are you now satisfied that those 54 State services
are now on track to be Y2K compliant and to support your
efforts to keep the disability program on track?
Mr. Apfel. The answer to that, Mr. English, is yes. It's
not only on track, it's done. The disability determination
services (DDS) systems have completed their operation. I would
also point out that the General Accounting Office also laid out
three areas that we needed to continue to work on. One was data
exchanges, and as I indicated, we have another 13 non-mission-
critical systems to do. So I think we are very much on track in
that area. The second one was any new systems changes that we
make need to be recertified, if we do make any systems changes.
And, of course, there will be some, given say, the COLA
announcement. We intend to do that. That is our plan, which is
consistent with GAO's recommendation. And third, there is the
need for contingency plans, which we are on track to do.
Their original report identified the DDS activities as
being critical, which they are, but I again assure you those
activities are done.
Mr. English. Thank you. Thank you again for your testimony.
Chairman Archer. Ms. Johnson.
Mrs. Johnson of Connecticut. Thank you, Mr. Chairman. I
think it is fair to say that, given the human resources that
you have dedicated to this problem and the monetary resources,
and the general inventiveness of the American people when faced
with a challenge like this, you are going to be able to meet
across the board in the public and private sector the Y2K
problem head-on. And the problems that we are going to
encounter are going to be narrow and localized, I think, across
the Nation.
There are two things specifically that I would like inquire
about. First, Mr. Apfel, when the Social Security system began
end-to-end testing, which I think was before you became the
head of the office----
Mr. Apfel. Well the end-to-end testing was actually
completed 2 to 3 months ago.
Mrs. Johnson of Connecticut. OK. On your first test run,
how many problems did you find? On your second test run, how
many problems did you find? How many runs did it take of end-
to-end testing, which is an extraordinary challenge in and of
itself, before you got to where you felt the system really was
going to serve you, was reliable?
Mr. Apfel. There were some problems identified, and I will
get you for the record a list of the specifics. There were not
very many. Back last July and August, a lot of the runs were
started to determine the efficacy of the system. There were a
few minor problems, and I will for the record document those
for you so that you have them.
The Social Security Administration initiated detailed
planning discussions with the Financial Management Services of
the Treasury Department of Year 2000 end-to-end testing in
March 1997. The software changes were implemented at SSA and
Treasury in August-September 1998. We feel that the key to our
success was that we allowed adequate time (a year) for
planning, requirements, development and internal testing before
we conducted the agency to agency validation with Treasury and
the Federal Reserve. the validation ran from March 1998 through
July 1998, with files being passed to the Federal Reserve for
final validation during July.
During the planning for testing and validation, we
recognized that it was necessary to provide time for reruns. It
usually takes several runs to complete a validation
successfully, and one should not plan on one test run being
sufficient. Both agencies allowed adequate time for internal
testing and the result was that the software we used for the
March-July 1998 agency-to-agency validation produced few
problems.
There were two areas where we encountered challenges, but
they both had to do with setting up validation rather than the
quality of the software:
1. Naming the test files (data set names) in order to get
the files through both SSA's and Treasury's TOP SECRET
telecommunications security systems.
2. Keeping SSA's validation data base synchronized with
Treasury's data base required a great deal of effort and more
time than we had anticipated.
Both of these challenges were overcome, and we were able to
complete the testing within our original schedule.
But by the end of that period of time, we were confident
that we could move to independent external testing. And that is
what took place with FMS, with the Fed, end-to-end testing from
us through FMS into the Fed.
Mrs. Johnson of Connecticut. Now when you--the problems
that you found in your early systems testing, what was the
effect of those problems? Did they infect other areas, or were
they very system-specific or site-specific? In other words, did
a problem in one office bring down the system throughout the
country?
Mr. Apfel. No. It was not like we discovered that one field
office has a particular problem. It was an integrated test to
look at the comprehensive delivery of that system.
Mrs. Johnson of Connecticut. But in looking at that, did
you find that then one problem in one aspect of the system
would bring, would stop the whole system?
Mr. Apfel. No, we did not. It was----
Mrs. Johnson of Connecticut. Because I think what we're
going to face is, very significant departments, I have in mind
Medicare, not beginning end-to-end testing until October or
November or 1999. So it's important as you go throughout, and
unfortunately my time has expired and some of you might want to
come back to this, what you expect when you get to end-to-end
testing in other agencies in terms of whether the problems will
be isolated and how we will manage them and what are the
implications of end-to-end testing beginning so late in a
number of significant services across the government.
Thank you, Mr. Chairman.
Chairman Archer. The Chair would appreciate it, and we
still have a number of Members to inquire. The Chair would
appreciate it if Members would make every effort to stay within
the 5 minutes because we have a lot of witness today before we
get through. And having said that, the Chair recognizes Ms.
Thurman.
Mrs. Thurman. Thank you, Mr. Chairman.
Mr. Anderson, let me ask a question. A lot of people
through the Internet, think the sky is falling over this issue;
how are you reaching your customers to let them know that you
don't believe there will be any interruption within their
service?
Mr. Anderson. We're doing a number of things. We've
developed a comprehensive plan for our customers that we
actually started about a year ago. We've had four mailings to
them. This includes statement stuffers that explain the
problem, explains what the bank is doing. It also gives them
suggestions on what they can do to prepare for themselves.
This is a problem that not only the banks have but they may
have at home. And so if they're on the Internet, they need to
make sure, for example, that their home computer is Y2K
compliant, and they need to make sure they have backup to the
data on there. The ABA has videos, they have statement
stuffers, they have ads, they have seminars that are available
that the banks can use throughout the area.
I would also personally encourage you and all Members of
Congress to meet with your banks and go on a tour of their
facilities and see that they in fact are getting ready for Y2K.
And get the publicity that that would bring. That would be a
tremendous benefit.
Mrs. Thurman. Do you see a possibility, or is there a
potential problem if people do start making a run on the bank
toward the end of 1999? What could happen?
Mr. Anderson. Well, I think that's one of the reasons why
the Federal Reserve has said that they are printing $50 billion
in extra cash so there will be plenty of cash in the system.
But what we really want to do is through communication, to let
our people know, our customers know, that in fact that's not
the smart thing to do. And that in fact, their money is safer
in the bank than in the ground or under their mattress.
[Laughter.]
Mrs. Thurman. And I'm glad to hear that because I am a
little concerned about that just from what you hear on radio
talk shows and some of the things people are doing to prepare.
Mr. Apfel, have you had many people within the Social
Security system who are recipients asking about changing from
electronic transfer to a mail, based on this issue at all?
Mr. Apfel. No. The increase continues in electronic
transactions. So we're not seeing a number of people wanting to
go back to paper, which I think could be a real mistake. Moving
an electronic transaction is really the safest for
beneficiaries and cheapest for cost. So its a very good thing.
Mrs. Thurman. That's why I want this discussion because I
think the American public does need to realize that.
Mr. Anderson, last question, I know you represent the
bankers, but what about independent, rural, and bankers of that
nature. Do you see them in the same mode as you, as the
American Bankers Association as versus independents?
Mr. Anderson. Yes. In fact, the banking regulators have
examined all banks, and of all banks, 97 percent they found
have received the highest rating. Only 17 out of the 10,000-
plus have had any problems.
Mrs. Thurman. Thank you.
Chairman Archer.
Mr. Weller.
Mr. Weller. Thank you, Mr. Chairman, and, Commissioner, it
is good to see you again. You probably feel like you haven't
left because of the hearing going late last evening.
Mr. Apfel. I slept here last night. [Laughter.]
Mr. Weller. I appreciate your good work.
I would actually like to address my question to the
spokesman for the banking community, and I really want to
commend your efforts focusing on communication and education
for your customers because, as folks back home slowly become
more and more aware and concerned about the year 2000 problem,
there are going to be folks that are going to be afraid. And
your efforts to reassure your customers will be important,
particularly as we may expect those in the entertainment
industry to produce TV shows and movies that may cause some
concern, and hopefully not panic, but take advantage of this
landmark time.
The question that I have for you is, you noted in your
testimony that at the end of each month that financial
institutions issue a monthly report. Has some thought ever been
considered into issuing your usual monthly statement on
December 31, but also printing a second one on January 1 after
midnight so that your customers can take their December 31
statement and compare that to their January 1 statement and see
whether or not there are any changes of differences that should
not be there?
Mr. Anderson. That is a very good comment, and we have
considered it. What we are doing at Zion's Bank, at my bank, is
that in the December statements that are mailed out, we will
have a card that will ask the customers if they want an
additional cutoff statement that will come actually as of
December 30. And those who want one, we will prepare it. We
will also let them know that they can go to any ATM machine
throughout the month of December, and they can get a mini-
statement which gives them their last 10 transactions and their
balance. And so, with that information, we feel they should be
confident that when they get their January statement that they
can match it up, and, if there are any issues, they can come
back and we can correct them.
That is the nice thing about the banking industry, we do
have a lot of backup information that helps us identify and
correct problems when they occur.
Mr. Weller. But you are saying that service would just be
available in December and would not be available in January,
because, after midnight is January.
Mr. Anderson. Right.
Mr. Weller. Would that service be available after January
1?
Mr. Anderson. Congressman, we haven't thought of doing it
on January 1. Normally the statements start going out on the
third of January, so they will be getting their statements
toward the first of the month. As we have looked at the
problem, we thought it important that they have a cutoff
statement as of the end of the year that they can compare to
their statement that comes out in January.
Mr. Weller. But the January statement is usually the
December 31 printout, isn't it?
Mr. Anderson. Right. But usually the statements for
November come out the first of December, and then the next
statements would come out the first of January. And, as we have
done focus groups with our customers, we have found out that
what they want to know, is, as of the end of December, what is
their balance. They want something more current than the
November 30 statement that came out the first of December. They
want something close to the end of the year so that when they
do get their statements in January, they can compare it to to
see if there are any glitches.
Mr. Weller. I realize I have run out of time here, but the
point that I am trying to make is that the end of December is
midnight. The concern that I have heard back in Illinois is
what happens after midnight. They want a January statement.
They are anxious to know what their bank balance is on January
1, after midnight, compared to December 31. So, I would ask
that you take a look at it--figure out some way that people
have an opportunity to compare what happens after midnight
versus what was in the account before midnight.
Mr. Anderson. That is a good suggestion. We will do that.
Chairman Archer. As is generally true, the gentleman from
Illinois is correct, he is out of time. [Laughter.]
Mr. Lewis.
Mr. Lewis. I have no questions, sir.
Chairman Archer.
Mr. Foley.
Mr. Foley. Thank you, Mr. Chairman.
About 2 months ago we were in Brussels discussing, with our
European counterparts, the Y2K problem, and there seemed to be
a lack of interest in pursuing corrective remedies. In fact,
they seemed to give it short shrift when we discussed it. Can
you give us an illumination from the banker's perspective about
that type of concern that we may have, and, due to the global
nature of our economy, due to the currency changes, the
introduction of the Euro, and all the other things that may
become important, do you see that having an impact? Even though
we, domestically, may be ready, what happens with our European
counterparts?
Mr. Anderson. That is a very good question. That is a very
complicated question, and, if it is all right, I would like to
respond in writing to you on that, for the record.
Mr. Foley. OK. Commissioner?
Mr. Apfel. Mr. Foley, I would think that Mr. Koskinen would
be the perfect person for that question. From a Social Security
perspective, our focus here is the 300,000 individuals who
receive payments overseas. About 100,000 of those are direct
deposit and about 200,000 are through the mail. That is where
we are developing our contingency plans.
I don't think that I have the expertise to comment on the
broader issues that you raise, sir.
Mr. Foley. Does anybody else on the panel have a comment?
Mr. Willemssen. If I may comment, sir.
From a worldwide perspective, those countries generally
considered to be furthest out front, in addition to the United
States, include the United Kingdom, Australia, Canada, and a
couple of other countries. Beyond that, you really have a next
lower tier. Even some of the industrialized countries, such as
Germany and Japan, are not, from a readiness perspective, where
we and some of those other leaders are.
I think, particularly in the banking area, Japan was
considered to be lagging somewhat, and that may have been one
of the reasons for some of the delays in some of the
international bank testing that was planned for later this
year. I understand that they are now in the midst of catching
up, and I don't know if you want to add to that in terms of the
testing that is planned for later this year from an
international perspective.
Mr. Foley. I would be delighted to receive written
response, because I do think that it has some real implications
with arbitrage, currency fluctuations, changes of various and
sundry objectives.
And then there will be further--my time is about up--but I
would also like to look at the Defense Department's Y2K issues
and how it interacts with defense capabilities and the
information that we share with our allies.
Thank you, Mr. Chairman.
Chairman Archer. The gentleman's questions are very
probative, but the Chair would advise members that our effort
here today--and we have got a long list of witnesses--is to
concentrate on those areas that are within our Committee's
jurisdiction. I hope that we can limit the questioning to that.
Mr. Hulshof.
Mr. Hulshof. Mr. Anderson, as you can gather from all the
questions being propounded in your direction, we have been
hearing a lot from our constituents about the efforts that you
have made. I do want to commend you. Mrs. Thurman asked about
the education efforts that you have made to your customers, our
constituents, regarding Y2K and why this should not be a
problem.
Let me take it just one step further, have you also, in
this education effort, communicated to your customers things
that the banking industry has learned in dealing with this Y2K
problem that they find of benefit? Maybe that is not the role
of your industry, but perhaps things that you could communicate
to your customers as to how they might be in their personal
work or home become Y2K compliant?
Mr. Anderson. Well, we have. We have tried to provide them
information and a checklist of things that they should do. ABA
has provided that information to all banks.
For example, we have encouraged our customers to keep
copies of their bank statements and their receipts and their
loan payments so that they have a record. You see, this is a
good chance for our customers to get organized from a financial
point of view so that if there are glitches, they can come back
and correct it. It is always easier when they have the data
there in front of you.
We have told our customers that we are providing and we are
doing backups, so that, if there is a glitch, we can go to our
backup files and pull out information and make corrections as
necessary.
Mr. Hulshof. Mr. Gregg, what a difference a year makes. A
year ago, when this Committee convened, and we talked about the
efforts, obviously as we have talked about already, the
situation regarding financial management services was a concern
to a lot of us. And, God forbid that we be here a year from
now, still talking about Y2K because those generators will have
been running, I think, for 2 months, instead of 2 weeks, as we
have talked about.
Has FMS worked with IRS or other Federal agencies to do
end-to-end testing as you have done with the Commissioner and
the Social Security Administration, and, if so, have any of
those processes been certified as Y2K compliant?
Mr. Gregg. We have plans to do the same thing with IRS and
VA that we did with Social Security. The systems, as I
mentioned, for most of the payments for VA are already running
on Y2K-compliant systems, and, since last July, the IRS
payments have been going out on Y2K-compliant systems. But we
do plan to do some more testing with the major agencies over
the next few months.
Mr. Hulshof. OK.
That is all I have, Mr. Chairman. I yield back my time.
Chairman Archer.
Mr. Portman.
Mr. Portman. Thank you, Mr. Chairman.
Mr. Apfel, I am the father of two elementary school
students who bring home their report cards every now and then.
I am rather efficient at looking at report cards, and I want to
give you a star for your GAO Subcommittee report card this time
around. Except, you went from an A+ to an A, and you like to
see improvement.
But I guess that your other agencies haven't done quite as
well, and we are going to hear from the IRS later today. For
the last couple of years, we have been following the IRS very
closely on this Committee and on the Subcommittee. And I
remember a statement being made about 18 months ago that it was
a marathon that needed to be run at a sprinter's pace.
I guess my question is really to Mr. Gregg, and to Mr.
Schindel would be with regard to the IRS--and we will hear from
them later directly--but do you believe that the sprint is
continuing and that they are going to make the deadline?
Mr. Schindel. We have not done work directly, out of the
Treasury IG's office on IRS. That was done by GAO and the IRS
inspection service. But, in our meetings with them, and in the
information that they have fed us, the IRS is proceeding on
target. Of course, they have a massive, and perhaps a bigger,
renovation effort than a lot of other agencies, hundreds of
thousands of lines of code, but they are making progress.
Mr. Portman. With regard to Social Security, Mr. Apfel, are
you here today to tell us that you are confident that
recipients in the year 2000 will indeed be receiving their
benefits?
Mr. Apfel. Yes, sir, I am.
Mr. Portman. And, Mr. Willemssen, do you agree with that?
Do you have that confidence with regard to the Social Security
program?
Mr. Willemssen. I have as high of a degree of confidence as
you can have without giving a 100 percent guarantee. That is
why I would also say we focus on contingency plans because we
can't give an absolute guarantee that there won't be some
systems failures, and, in the event of those failures, they
need those backup plans.
Mr. Apfel. That is an absolute correct response. That is
the purpose of our contingency plans.
Mr. Portman. Another question--and I appreciate your
confidence--with regard to resources. Again, in the last
Congress, we added significant resources to the Y2K effort, in
part because of Social Security and IRS and other agencies. Are
you comfortable with the amount of resources that this Congress
has provided and that this Committee is supporting?
Mr. Apfel. From our perspective, we have sufficient
resources for this issue.
We did not receive money from that supplemental,
incidentally. We funded that entirely through our ongoing
operations.
Mr. Portman. But do you believe that your resources are
sufficient?
Mr. Apfel. Absolutely. But if that changes at any time, I
would absolutely let you know immediately. But I am very
confident.
Mr. Portman. I am sure that you will.
Thank you, Mr. Chairman.
Chairman Archer. The Chair believes that all members
present have inquired. And, as a result, the Chair is extremely
grateful for you all giving us some insight into your
involvement in the Y2K problem, and we are also very comforted
to know that we are moving forward to where we will not have
any disruption, and, if there is any failure, there are
contingency plans so that services, the essential services,
will be there in January of next year. And that, to me, is the
important message that you have given us today.
So you gentlemen are excused.
Mr. Apfel.
Mr. Apfel. Just one small point: Chairman Shaw asked about
some information that was to be provided by the Social Security
Administration to the General Accounting Office. I indicated
that I would look into it. The answer is that the information
has already been provided to the General Accounting Office, and
that issue is resolved. I wanted to say that for the record.
Chairman Archer. Thank you very much. And again, I thank
all of you.
And while Mr. Koskinen is moving to the witness chair--it
is the Chair's intention to recess at 12 noon for 1 hour at
lunch and to return at 1 o'clock, so witnesses and members can
adjust their schedules accordingly.
Mr. Koskinen, you are really sort of the umbrella
organization working for this entire problem and working for
the President, as I understand it, and I believe that your
official title is Chairman of the President's Council on Year
2000 conversion. Is that correct?
Mr. Koskinen. That is correct, Mr. Chairman. I am also
fondly known as the bag holder. [Laughter.]
Chairman Archer. Well, you have an enormous responsibility.
And, I am sorry that we had to proceed before you got here this
morning, because I know that you have a tight schedule, and I
appreciate your staying with us. I hope that members will
expedite their questions.
We are very pleased to have you with us, and I hope that
you can limit your verbal presentation to 5 minutes. Your
entire written statement, without objection, will be printed in
the record. We will be pleased to have your testimony. You may
proceed.
STATEMENT OF HON. JOHN A. KOSKINEN, ASSISTANT TO THE PRESIDENT,
AND CHAIRMAN, PRESIDENT'S COUNCIL ON YEAR 2000 CONVERSION
Mr. Koskinen. Thank you, Mr. Chairman, and my apologizes
for the traffic delays that caused me to show up here late.
I am pleased to appear before the Committee to discuss the
activities of the President's Council on Year 2000 Conversion,
and the status of public and private-sector efforts to address
the year 2000, or Y2K, problem.
The Council began its work last year using a three-tiered
approach. From the Federal Government's point of view, it means
first ensuring that critical Federal systems are ready for
January 1, 2000. Next, working with our interface partners for
important Federal services, primarily States, to ensure that
they are remediating their systems. And, finally, reaching out
to those whose failures, domestically or internationally, could
have an adverse effect on the public or the economy.
To reach out beyond the Federal Government, the Council has
formed working groups focused on Y2K challenges in over 25
critical sectors such as finance, communications,
transportation, electric power, oil and gas, and water supply.
The working groups have reached out to form cooperative working
relationships with the major trade associations and other
umbrella organizations representing the individual entities
operating in each sector.
Working group outreach efforts are designed to increase the
level of action on the problem and to promote the sharing of
information between entities. The outside organizations in each
sector have also agreed to conduct Year 2000 readiness surveys
of their members which they share with us and the public.
As you just heard, we have also created a Senior Advisors
Group to the President's Council, comprised of Fortune 500
company CEOs and heads of national public-sector organizations
representing our working groups. The Group provides the Council
with an additional perspective on Y2K challenges that cut
across sector lines and recommends how industries can best work
together in these critical areas.
You have already heard from one member of that group, and
you will hear from the other, Mr. Brown of BJC Healthsystems,
who represents the hospital industry. Mr. Anderson, who you
heard from earlier, represents the banking industry. We
appreciate the willingness of these gentlemen and their
organizations to work with us to address the Year 2000 problem.
Our first challenge is to ensure that Federal systems are
prepared for the Year 2000. These are the systems for which we
are responsible and have the authority to fix. I am pleased to
report that the Federal Government continues to make strong,
steady progress in solving its Y2K problems. According to the
most recent agency data, as of January 31, 1999, 79 percent of
all Federal mission-critical systems are now Year 2000
compliant--more than double the 35 percent compliant a year
ago. The data also show that, of critical systems requiring
repair work, 96 percent have been fixed and are now being
tested.
The President has established an ambitious goal of having
100 percent of the government's mission-critical systems Y2K
compliant by March 31, 1999, well ahead of many private-sector
system remediation schedules. Although much work remains to be
done, we expect that close to 90 percent of the government's
mission-critical systems will meet the March goal, a tribute to
the hard, skillful, and dedicated work of thousands of Federal
career employees.
We also expect that all of the government's mission-
critical systems will be Year 2000 compliant before January 1,
2000.
The Social Security Administration, whom you just heard
from has been a leader in Federal agency Y2K efforts. SSA is
virtually done with its work and is now focused, appropriately,
on contingency planning. The Treasury Department, including the
IRS, the Customs Service, and the Financial Management Service,
has some of the most complicated systems in the Government
which serve millions of Americans. New managers, particularly
at the IRS and FMS, have done a very effective job of managing
the process. At the IRS, Commissioner Rossotti, has helped his
agency to master what many thought would be an insurmountable
task. And we are confident that the IRS will have completed
most of its work on mission-critical systems by the end of this
March. You will hear more details from HCFA about the
challenges that they face as they move forward.
Our second challenge is to work with the Federal
Government's interface partners, primarily the States, as they
work to ensure that their systems are ready for the Year 2000.
States administer over 160 Federal programs that provide some
of the most recognizable Federal services, such as unemployment
insurance, Medicaid, and food stamps. As a general matter, most
States are making good progress in remediating their systems.
And, according to the National Association of State Information
Resource Executives, several States have reported that they
have completed Y2K work on more than 70 percent of their
systems.
Unfortunately, not every State is doing as well. The same
NASIRE survey indicates that a handful of States report that
they have not yet completed work on any of their critical
systems. For its next quarterly report, to be released next
month, OMB has asked Federal agencies to provide information
about each State's Y2K progress on 10 key, State-administered
Federal programs such as Food Stamps and Unemployment
Insurance.
The third challenge for the President's Council was to
reach out beyond the Federal Government and its partners to
those organizations whose system failures could have an adverse
effect on us all. Last month, we issued our first quarterly
summary of assessment information across these key sectors. And
I would like to conclude by making three key points about what
we know thus far.
First, we are increasingly confident that there will not be
large-scale, national disruptions in key infrastructure areas.
In particular, the telecommunications and electric power
industries have constructed well-organized and comprehensive
responses to the problem.
Second, banks, large and small, are well prepared for the
Year 2000 transition. In the most recent examination by Federal
regulators, as you have heard, over 96 percent of the Nation's
depository institutions were on track to meet the regulators'
goal of completing Y2K work by June 1999.
The third point is obvious, but bears repeating. Our
greatest risk lies in organizations that are not paying
adequate attention to the problem.
Let me close by noting that we all continue to confront the
challenge of encouraging organizations to take the Y2K problem
seriously, remediate their systems and prepare contingency
plans without causing overreaction by the public. Our strategy
in this area is based on the premise that the public has great
common sense and will respond appropriately when they have the
necessary information.
We believe, therefore, that everyone working on this
problem, at the Federal level, at the State and local level,
and in the private sector, needs to provide the public clear
and candid information about their Year 2000 activities. That
is why we are making industry surveys available to the public.
That is why the OMB reports on Federal agency progress are
provided not only to Congress but to the public. That is why we
have created a toll-free information line for consumers and
constituents across the country. And that is why we will
provide the details of the Government's Y2K contingency
planning and will encourage others to do the same. A corollary
principle is that everyone working on this problem has a
responsibility that their comments accurately reflect the
factual information available and that they avoid over
generalizations that will only play into the hands of those who
want to create panic for their own gain.
We remain committed to working with this Committee and the
full Congress on this critical issue, and I would be pleased to
answer any questions that you might have, Mr. Chairman.
[The prepared statement follows:]
Statement of the Hon. John A. Koskinen, Assistant to the President, and
Chairman, President's Council on Year 2000 Conversion
Good morning. I am pleased to appear before the Committee
to discuss the activities of the President's Council on Year
2000 Conversion and the status of public and private sector
efforts to address the Year 2000 (Y2K) computer problem.
Mr. Chairman, I would like to start by thanking you and the
other members of the Committee for your ongoing interest in the
Y2K problem and its potential implications for beneficiaries
and taxpayers.
Businesses and governments across the country are engaged
in vigorous efforts to ensure that systems are prepared for the
date rollover. It is a vast challenge, and not every system
will be fixed by January 1, 2000. While progress is being made
in the public and private sectors, continued efforts are
necessary if we are to achieve our shared goal of minimizing
Y2K-related disruptions.
The Three-Tiered Approach
The Y2K problem is a layered problem. It's not enough for
the Federal Government, or any organization, to fix its own
systems. Organizations also need to be concerned about the
progress of partners they exchange data with and depend upon as
well as progress among other organizations whose failure could
have a significant effect upon their operations.
The Council began its work last year using this ``three-
tiered'' model. From the Federal Government's point of view, it
means first, ensuring that critical Federal systems are ready
for January 1, 2000; next, working with our interface partners
for important Federal services, primarily States, to ensure
that they are remediating their systems; and, finally, reaching
out to those whose failures domestically or internationally
could have an adverse affect on the public.
The Council's more than 30 agencies, including several
independent regulatory agencies, work together to exchange
information on agency Y2K progress and shared challenges. They
also coordinate interagency testing efforts for programs that
rely upon multiple agency systems and assist each other with
contingency planning efforts.
To reach out beyond the Federal Government, the Council has
formed working groups focused on Y2K challenges in over 25
critical sectors such as finance, communications,
transportation, electric power, oil and gas, and water supply.
The working groups have reached out to form cooperative working
relationships with the major trade associations and other
umbrella organizations representing the individual entities
operating in each sector. Working group outreach efforts are
designed to increase the level of action on the problem and to
promote the sharing of information between entities. The
outside organizations in each sector have also agreed to
conduct Year 2000 readiness surveys of their members.
We have also created a Senior Advisors Group to the
President's Council, comprised of Fortune 500 company CEOs and
heads of national public sector organizations representing our
working groups. The Group provides the Council with an
additional perspective on Y2K challenges that cut across sector
lines and recommends how industries can best work together in
critical areas. You are scheduled today to hear from two
members of this Group. Scott Anderson of Zions National Bank
represents the banking industry and Fred Brown of BJC Health
Systems represents the hospital industry. We appreciate the
willingness of these gentlemen and their organizations to work
with us to address the Year 2000 problem.
Materials describing our working groups and the Senior
Advisors Group are available on the Council's web site--
www.y2k.gov.
Federal Agency Progress
Our first challenge is to ensure that Federal systems are
prepared for the Year 2000. These are the systems for which we
are responsible and have the authority to fix. Consequently, it
is the area about which we have the most information. Agencies
report quarterly to the Office of Management and Budget (OMB)
and Congress, and the OMB summary reports on agency Year 2000
progress are available on the Council's web site. I am pleased
to report that the Federal Government continues to make strong,
steady progress in solving its Y2K problems.
According to the most recent agency data, as of January 31,
1999, 79 percent of all Federal mission-critical systems are
now Year 2000 compliant--more than double the 35 percent
compliant a year ago. These systems have been tested and
implemented and will be able to accurately process data through
the transition from 1999 into the Year 2000. The data also show
that, of critical systems requiring repair work, 96 percent
have been fixed and are now being tested.
The President has established an ambitious goal of having
100 percent of the Government's mission-critical systems Y2K
compliant by March 31, 1999--well ahead of many private sector
system remediation schedules. Although much work remains, we
expect that close to 90 percent of the Government's mission-
critical systems will meet the March goal, a tribute to the
hard, skillful, and dedicated work of thousands of career
Federal employees. Monthly benchmarks with a timetable for
completing the work will be available for every critical system
still being tested or implemented after March. And we expect
that all of the Government's critical systems will be Y2K
compliant before January 1, 2000.
Although you will hear more from all of them later today,
let me say a few words about some of the agencies that are of
particular interest to this Committee--the Social Security
Administration (SSA), the Treasury Department, and the
Department of Health and Human Services (HHS).
As you know, Mr. Chairman, the Social Security
Administration has been a consistent leader in the Federal
Government's Year 2000 efforts. SSA chaired the first
interagency committee on Y2K in 1995 and has been an active
participant on the President's Council, sharing useful guidance
with the other agencies on best practices for remediation,
testing, and contingency planning. In December, after we were
informed that Treasury's Financial Management Service (FMS) had
completed its work in this area, the President announced that
the Social Security payment system is now Y2K compliant. And
according to the most recent data, SSA has now completed work
on all of its mission-critical systems.
The Treasury Department, which includes the Internal
Revenue Service (IRS), the Customs Service, and the Financial
Management Service, has some of the most complicated systems in
the Government which serve millions of Americans. In
particular, the IRS and FMS have faced difficult Y2K
challenges. But the new managers in those agencies have done a
very effective job in managing the process. At the IRS,
Commissioner Rossotti has helped his agency to master what many
thought to be an insurmountable task, and we are confident that
the IRS will have completed work on most of its critical
systems by the end of March.
HHS continues to confront some of the most unique
information technology challenges in the world. The
Department's efforts are complicated by the fact that the
Medicare system is very dependent on the private sector for its
operations. The Health Care Financing Administration (HCFA) has
had to work in concert with roughly 60 large insurance
companies who were not all initially responsive to the need to
meet Government goals that, in most cases, required compliance
earlier than their private sector customers. But they are
making progress. And although significant systems work and
contingency planning will remain after March, most Medicare
contractors are expected to complete renovation and testing by
the Government-wide goal. HCFA is also making substantial
progress on its internal systems, as you will hear from
Administrator Min DeParle.
Interface Partners
Our second challenge is to work with the Federal
Government's interface partners, primarily the States, as they
work to ensure that their systems are ready for the Year 2000.
States administer over 160 Federal programs. These programs
provide some of the most recognizable Federal services such as
Unemployment Insurance, Medicaid, and Food Stamps. Millions of
Americans rely upon these programs, so the Federal Government
obviously has a vested interest in requiring that State systems
administering them are Y2K compliant.
As a general matter, most States are making good progress
in remediating their systems. Virtually every State has an
organized Y2K program in place, often led by a designated State
Y2K Coordinator. According to a National Association of State
Information Resource Executives (NASIRE) survey of State Y2K
remediation efforts, several States report that they have
completed Y2K work on more than 70 percent of their systems.
But not every State is doing well. The same NASIRE survey
indicates that a handful of States report that they have not
yet completed work on any of their critical systems.
The Council's State and Local Government Working Group is
led by the White House Office of Intergovernmental Affairs and
includes key groups like the National Governors Association
(NGA), the National Association of Counties, the National
League of Cities, and NASIRE. Last summer, Council members
joined the NGA in a Y2K summit with Year 2000 coordinators from
45 States. To help sustain the momentum generated at that
conference, I now participate in a monthly conference call with
State Year 2000 executives to discuss cooperative efforts
between the Federal Government and the States and how States
can help each other to address Y2K challenges. We will hold
another State summit next month with the NGA.
Federal agencies are also actively working with the States
to ensure that Federal-State data exchanges for State-
administered programs will be ready for the Year 2000. Most
Federal agencies and States have now inventoried all of their
data exchange points and are sharing information with one
another to ensure the exchanges will function in the Year 2000.
However, as of the most recent OMB quarterly report, three
States had not yet provided any information on the status of
their data exchange activities. For its next quarterly report,
which will be released next month, OMB has asked agencies to
provide assessments of each State's Y2K progress on ten key
State-administered Federal programs such as Food Stamps and
Unemployment Insurance.
Our joint Y2K efforts with the States are bearing fruit.
Working together, we last month overcame one of the first major
examples of a ``look ahead'' Y2K problem. The Unemployment
Insurance program, a major Federal-State partnership
administered by 53 State Employment Security Agencies (SESAs),
encountered the Year 2000 problem on January 4. Since new
claims are calculated on a 12-month basis, State systems had to
process dates going into January 2000. The Labor Department had
been working closely with all the States to ensure that they
could continue to process claims and provide benefits through
this transition, particularly the 16 SESAs that had not
completed all of their Y2K system renovation before January 4,
1999. Thanks to this collaborative effort, these SESAs were
prepared with, and are now using, temporary fixes to their
systems so that they can continue to accept claims and process
benefits while they complete their remaining Y2K work. The
Department has also instituted special reporting procedures for
the Unemployment Insurance program to identify any early
problems. Reports have been received from all States and
indicate that no Y2K-related service disruptions have occurred.
Beyond the Federal Government
The third challenge for the President's Council is to reach
out beyond the Federal Government and its partners to those
organizations whose failures would have an adverse effect on
the public. As noted, to accomplish this goal, the Council has
formed over 25 working groups in critical sectors such as
electric power, communications, oil and gas, finance, and
transportation. One of the first things our working groups
encountered in their relationships with major industry trade
associations and others was a reluctance on the part of many to
share technical and other valuable information about their
experiences in addressing the problem as well as information
about the status of their Y2K remediation efforts.
To break this logjam and help associations and other groups
collect and share Y2K information, the Administration worked
with Congress to enact the ``Year 2000 Information and
Readiness Disclosure Act.'' This bipartisan legislation
provides protection against the use, in civil litigation, of
technical Year 2000 information about an organization's
experiences with product compliance, system fixes, testing
protocols, and testing results when that information is
disclosed in good faith. It also includes important protections
for information gathering that is designated as a ``special
data gathering request'' under the Act. These collections of
information cannot be reached by private litigants, or used by
Federal agencies for regulatory or oversight purposes, except
``with the express consent or permission'' of the provider of
the information.
Using these statutory protections, the working groups,
under the leadership of their outside industry group partners,
are focused on gathering industry assessments of Y2K
preparedness in critical sectors. Last month, the Council
issued its first quarterly summary of this assessment
information. While many industry groups are just beginning to
receive survey data from their members and some report that
they expect to have such information within the first quarter
of this year, I'd like to make three points about what we know
thus far.
First, we are increasingly confident that there will not be
large-scale, national disruptions in key infrastructure areas.
In particular, the telecommunications and electric power
industries have constructed well-organized and comprehensive
responses to the problem.
Second, banks--large and small--are well-prepared for the
Year 2000 transition. In the most recent examination by Federal
regulators, 96 percent of the Nation's depository institutions
were on track to meet the regulators' goal of completing Y2K
work by June 1999.
Third, point is obvious but it bears repeating. Our greatest
risk lies in organizations that are not paying adequate
attention to the problem.
If the head of an organization has fixing the Y2K problem
as a top priority, that organization is by definition going to
be better prepared--even if it cannot fix all of its systems
before January 1, 2000. It is organizations where the
leadership is convinced that the problem doesn't apply to them
or that they can simply fix systems when they break that are of
most concern.
Of all the industry sectors, health care presents some of
the most difficult outreach challenges. As you know, it is a
diverse industry that covers everything from hospitals and
long-term care facilities to pharmaceutical companies and
retailers. Many health care providers and companies are free-
standing entities and are not active participants in national
organizations like the American Hospital Association (AHA) and
others with whom the Council has working relationships. The
diffuse nature of the industry has prompted us to divide the
outreach responsibilities of the Council's Health Care Working
Group into three main areas--medical devices, health care
facilities, and pharmaceuticals.
Under the leadership of the Food and Drug Administration,
and with active participation by the Department of Veterans
Affairs and the Defense Department, the Government has been
collecting and publishing information about the Year 2000
compliance of medical devices. Companies were initially
reluctant to take part in this process, but the level of
participation has increased significantly in the last few
months. Fortunately, the vast majority of medical devices do
not have Year 2000 safety concerns, and many are not affected
by the date rollover. Nonetheless, we are concerned about and
are focused on providing to all health care providers
information about the small number of devices with Y2K problems
that could compromise patient safety.
HHS is working with the AHA, the Joint Commission on Health
Care, and others to assess the status of Y2K efforts within
health care facilities and to encourage information sharing
within this segment of the health care industry. At this
juncture, we are particularly concerned about smaller health
care facilities, many of whom may lack the resources to deal
with the problem.
Under the leadership of the VA, the Council is working with
the pharmaceutical associations, who have been focused on
developing assessments of industry preparedness. We will also
be gathering more information about the pharmaceutical supply
chain, which fortunately does not operate on a strictly just-
in-time inventory system and has reserve capability built into
the process. We are looking forward to working with these
groups to provide information to the public about the adequacy
of prescription drug supplies as we move toward the end of this
year.
Areas of Risk
Following the logic that our greatest risk lies in
organizations where for one reason or another the leadership
does not have the Year 2000 problem as a high priority, I
believe that at this time our greatest risks are in three
areas: smaller government entities, small businesses, and
internationally.
At the local level, many towns, cities, and counties are
aggressively attacking the problem and are making good
progress, but a significant number are not sufficiently
organized to prepare critical systems for the new millennium.
According to a December 1998 National Association of Counties
survey of 500 counties representing 46 States, roughly half of
counties do not have a county-wide plan for addressing Year
2000 conversion issues. Almost two-thirds of respondents have
not yet completed the assessment phase of their Year 2000 work.
Many small- and medium-sized businesses are also taking
steps to address the problem and to ensure not only that their
own systems are compliant but that organizations they depend
upon are ready for the Year 2000 as well. But a significant
number of small- and medium-sized businesses are not preparing
their systems for the new millennium. A recent National
Federation of Independent Business (NFIB) survey, released this
month, indicates that as many as one-third of small businesses
using computers or other at-risk devices have no plans to
assess their exposure to the Y2K problem. The survey also
indicates that more than half of small firms have not yet taken
any defensive steps. The NFIB and other small business surveys
have found that having adequate resources for addressing the
problem is not the concern. Rather, a significant number of
small businesses appear to taking a ``wait and see approach''
on whether or not their systems will be affected by the Y2K
problem. We are trying to get them to understand that this is a
high-risk strategy.
Internationally, there is more activity than there was a
year ago, but it is clear that most countries are significantly
behind the United States in efforts to prepare critical systems
for the new millennium, and a number of countries have thus far
done little to remediate systems. Awareness remains especially
low among developing countries. While strong international
coordination of Y2K efforts has existed for some time in the
area of finance and more recently has begun to take shape for
telecommunications and air traffic, we are very concerned about
the lack of information and coordination in the area of
maritime shipping. You will hear more about that area from the
Coast Guard later today. Lack of progress on the international
front may lead to failures that could affect the United States,
especially in areas that rely upon cross-border networks such
as transportation.
The Council has been working to improve the response among
smaller governments, small businesses, and international
entities. For smaller governments, we have been working to
reach out through groups like the National Association of
Counties and the National League of Cities. We are also
encouraging State Year 2000 coordinators to focus on the
efforts of smaller governments within their jurisdiction. For
small businesses, the Council joined the SBA, the Commerce
Department, and other Federal agencies in launching ``National
Y2K Action Week,'' last October to encourage small- and medium-
sized businesses to take action on the Y2K problem with
educational events that were held across the country. Another
week is planned for this spring. And SBA has mounted an
aggressive outreach program where, through its web page and
with partners in the banking and insurance industries, it is
distributing Y2K informational materials to the Nation's small
businesses.
Internationally, the Council worked with the United Nations
to organize in December a meeting of national Year 2000
coordinators from around the world, perhaps the most important
Year 2000 meeting to date. More than 120 countries sent
representatives to New York. The delegates at the meeting
agreed to work on a regional basis to address cross-border
issues (e.g., telecommunications, transportation). They also
asked the steering committee we had created to help organize
the meeting to establish an international mechanism for
coordinating regional and global activities, including
contingency planning. Earlier this month, the steering
committee announced the creation of the International Y2K
Cooperation Center, which will support regional activities and
international initiatives in areas such as telecommunications
and transportation. The World Bank will support the advisory
and planning activities of the Center through voluntary
donations.
Contingency Planning and Emergency Response
The Federal Government responds to a range of emergencies
under the direction of several agencies. FEMA chairs the
Catastrophic Disaster Response Group, which is comprised of a
set of Federal agencies and the Red Cross. The State Department
and the Treasury Department have responsibilities for foreign
civil emergencies while the Defense Department supports both
domestic and foreign emergency responses as well as being
responsible for national security. The Departments of Energy
and Transportation each have emergency command centers to help
respond to challenges in their areas.
One of the challenges of the Y2K problem is that, while we
do not expect major national failures in the United States, it
is possible that we will have a confluence of demands for
assistance and response as the clock turns to January 1, 2000.
Therefore, we are working with all of the major emergency
response agencies to create a coordinating center to ensure
that we can respond effectively to whatever challenges we face
moving into the next century.
We will also be discussing with our partners in our varied
working groups, under the leadership of the Senior Advisors
Group, the status of industry-wide plans for dealing with any
emergencies that they may confront. While these responses are
primarily the responsibility of each individual enterprise and
industry, we clearly will all benefit by coordinated planning
and communication.
We also are encouraging all organizations, beginning with
the Federal agencies, to have contingency plans for the
possible failure of their systems as well as the failure of
systems they rely on that are run by others. As demonstrated by
the Unemployment Insurance experience, the best form of
response to a system failure is an effective backup plan.
The Balancing Act
Let me close by noting that we all continue to confront the
challenge of encouraging organizations to take the Y2K problem
seriously, remediate their systems, and prepare contingency
plans without causing a public overreaction that is unnecessary
and unwarranted.
Our strategy is based on the premise that the public has
great common sense and will respond appropriately when they
have the necessary information.
We believe, therefore, that everyone working on this
problem--at the Federal level, at the State and local level,
and in the private sector--needs to provide the public with
clear and candid information about the status of their Year
2000 activities. That's why we're making the industry
assessments we gather publicly available. That's why the OMB
reports on Federal progress are available to the public. That's
why we have created the 1-888-USA-4-Y2K information line for
consumers. That's why we will provide details of our
contingency planning and are encouraging others to do the same.
A corollary principle is that everyone working on this
problem has a responsibility to ensure that their comments
accurately reflect the factual information that is available,
and that they avoid over generalizations that will only play
into the hands of those who want to create panic for their own
gain.
We remain committed to working with the Committee and
Congress on this critical issue. I would be pleased to answer
any questions you may have at this time.
Chairman Archer. Thank you, Mr. Koskinen.
Is there any reason why any essential Federal services will
be disrupted in January in the year 2000?
Mr. Koskinen. There is no reason to expect, based on the
information that we have now, that there will be any national
failures. But, as I noted, we are concerned about some small-
and medium-sized organizations in the private-sector and in the
public-sector that are not paying appropriate attention to the
problem. And we think that the risks of outages, if there are
any, will be at the local level--with local power plants, local
telecommunications companies, local water treatment companies.
Chairman Archer. Are there contingency plans to wire around
any possibility of disruption in those areas?
Mr. Koskinen. Contingency plans are being developed for the
vast critical systems that we all depend on nationally. But,
again, our concern is organizations that are not paying
appropriate attention to the problem at the local level. If
organizations are not paying attention to fixing the problem,
it is likely that they are also not paying attention to
ensuring that they have appropriate workarounds.
Chairman Archer. At the Federal level, has the Congress
given all of the resources necessary to solve this problem?
Mr. Koskinen. Yes. The Congress has been very supportive
both financially and, last year, with the passage of the
Information Readiness and Disclosure Act which is designed to
increase the flow of voluntary information about fixes as well
as about readiness.
Chairman Archer. Should you find that there is any other
desperate need that occurs this year, we invite you to let us
know immediately so that we can attend to it.
Mr. Koskinen. Thank you, Mr. Chairman, I appreciate that.
And I would reiterate again that we have had nothing but the
closest and the most supportive cooperation from the full
Congress.
Chairman Archer. And we want to keep it that way from our
part of it.
Mr. Coyne.
Mr. Coyne. Thank you, Mr. Chairman.
Mr. Koskinen, I wonder if you could expand upon your
response relative to reports that one-third of small businesses
that use computers in their businesses have not assessed their
exposure to the Y2K problem, and that about one-half have not
taken any defensive steps to this point. I know that you
touched on it, but I wonder if you could expand on this?
Mr. Koskinen. We just had a trilateral meeting with the
Year 2000 coordinators from Canada and Mexico on Monday and
Tuesday of this week. And their experience, as is ours, is that
the issue with small businesses is actually a problem around
the world. Smaller organizations tend to assume that this
problem doesn't effect them because they are not running major
main frames. Or, increasingly, as they become aware of the
problem, their judgment is that they will wait and see what
breaks and fix it afterward. We are doing everything we can to
advise them that is a very high-risk strategy because if they
wait until it breaks and then try to fix it, they may be at the
end of a very long line of people who took a similar action.
So we, along with the SBA and the Commerce Department, did
a national Y2K action week for small businesses in October. And
the SBA, the Agriculture Department, and Commerce's
Manufacturing Extension Partnership are planning another full-
court press at the end of March to hold seminars and provide
technical information to all the small businesses that we can
get to show up at the meetings. Our problem is--not that small
businesses don't have the resources--many are basically saying
that they will just wait and see.
Mr. Coyne. You have sort of imposed a 90-percent completion
by March 31 of your efforts in your testimony there. I wonder
how you are going to notify Congress whether or not you are 90-
percent compliant by March 31.
Mr. Koskinen. OMB has provided, for the last 2 years,
quarterly reports to Congress. The March report actually
reflects progress as of January 31. The next report will
contain information as of April 30. But for the agencies with
the major challenges, we have been getting monthly reports. The
reports for March 31 will be in to OMB in mid-April, and we
will make that public and advise you as to where the agencies
are.
Mr. Coyne. And, at that point, you expect to be 90-percent
compliant? Hopefully, 100 percent?
Mr. Koskinen. No, I think that we will be over 90 percent.
We expect that there will be a handful of mission-critical
systems in several agencies that will be monitored on a monthly
basis, but there is no indication that they won't be ready, all
of them, well in advance of the Year 2000.
Mr. Coyne. What are your concerns with regard to State and
local governments' computer systems?
Mr. Koskinen. Our concern, again, as I noted in my formal
testimony, is in those organizations where the head of the
organization does not have the problem as a high priority. So,
we have been stressing, not only to Governors, but to county
executives, mayors, and city managers, that the Year 2000
problem has to be their priority because that is the only way
you can send appropriate signals to the people in your
organization. It is more than just an IT problem, it is a
management problem. The cities and towns that think they need
only to focus on software problems have not understood the
impact that this may have on water treatment plants, on local
community hospitals, or on local 911 systems.
So, our risk and concern is not with those organizations
working hard on the problem. Our risk and concern is for those
who have decided for one reason or another, that they are not
going to pay attention.
Mr. Coyne. Thank you.
Chairman Archer. Mr. Crane.
Mr. Crane. Thank you, Mr. Chairman.
Mr. Koskinen, how do you respond to Edward Yardini and
others who predict an international economic crisis that will
result from Y2K, and what else can be done that is not being
done to prevent such a crisis?
Mr. Koskinen. I have talked to Mr. Yardini, and, as I have
made clear several times, he knows a lot more about economics
than I ever will. He is very thoughtful and constructive. But
he is really the only major economist that takes that position.
I have met several times with the Council of Economic Advisors
staff and the NEC, and the recent Economic Report of the
President noted that the consensus of economists is that this
problem will have a relatively modest effect on GDP now, no
more than two or three-tenths of a percent.
We all know that the proof will be in the pudding, but at
this juncture, there is no indication on the basis of what we
know either internationally or domestically, that we will have
a major economic recession or worse as a result of Y2K
problems. That does not mean that there will not be problems.
It simply means that those problems, particularly
internationally, will not by themselves send us into a
recession.
Mr. Crane. And what can Congress do that it is not doing
already to help ensure that there are no major Y2K-related
failures? And I am thinking in terms of funding and legislation
authorizations, oversight.
Mr. Koskinen. I think that oversight hearings like this one
are very productive and important in terms of providing more
information to the public. As noted earlier, one of our issues
is to try to get the public to understand exactly where the
risks are and where they are not. But at this juncture, we do
not have a need for any other major legislative initiatives.
We appreciate Congress' support last year for the
information sharing act. At this juncture, I think the
responsibility for Federal systems is on us and on each of the
cabinet Secretaries. Increasingly, one of the messages that we
are trying to drive home is that the head of every organization
in the public sector and the private sector has a
responsibility for their systems. We can reach out and try to
encourage them. We can try to support their efforts. We can
give visibility to where we think there are problems, but the
ultimate responsibility rests with every chief executive
officer, and every mayor, county executive, and Governor.
Mr. Crane. You touched upon the possibility that at the
local level some are dismissing the possibility of a crisis. It
may not be a national crisis, and yet it could provide serious
hardship to a lot of people. Is there a way that you could
prepare a warning list in some of those targeted areas and try
and guarantee that it gets distributed to newspapers and the
media for publication to try and alert people at the local
level to ask those questions? Are we doing what needs to be
done, and are we going to be spared that?
Mr. Koskinen. It is a very good question. It is, in fact,
the focus of a lot of our activity. The Federal Emergency
Management Agency has been working with the State and local
emergency managers. FEMA is in the process of holding 10
regional meetings for State and local emergency managers, and
we have put the State Year 2000 coordinators in those meetings
to start to look at what the risks are and to send that message
out. Later this spring or in the early part of the summer, we
want to provide to local officials tool kits for, in fact,
conducting what we call ``Community Conversations'' or
``Townhalls.'' These would be gatherings where, in communities
across the United States, citizens and elected officials could
sit down with the local service providers--their banker, their
power company, their telecommunication company--and discuss the
state of readiness. Not necessarily that they are done with
their work, but where they are in the process. And I think that
if we can get more of those dialogs and conversations going at
the local level we will bring to the surface the issue and the
nature of the problems.
Mr. Crane. Well, if you could get the alert signs to us,
too, because that is a message that we can take home for town
meetings and, at least, raise the question ourselves.
I want to congratulate you for what you have done.
Thank you, Mr. Chairman.
Chairman Archer. Does any other member wish to inquire?
Mr. Hulshof.
Mr. Hulshof. Thank you, Mr. Chairman.
I recognize that Ms. Golden will be up momentarily to talk
about HHS, but I noted that in your testimony, Mr. Koskinen,
that you mentioned that HHS has some unique challenges facing
them especially as far as this Committee's jurisdiction
regarding HCFA. Could you just talk about that a little bit?
Mr. Koskinen. Yes.
Obviously, HCFA processes billions of dollars of payments,
and hundreds and millions of transactions each of which are
separate. So HCFA's systems are some of the largest and most
complicated in the world. Now the process, as you all know
better than most, is that Medicare system is actually run for
us by the private sector. Sixty large insurance companies, in
fact, process those claims. So it has taken us some time to
move forward, to some extent because we were pushing for
earlier target dates than the private sector. We wanted
implementation by March 31. Most private-sector companies are
looking at completing work this summer. So, it took us some
time to get them focused.
We have some unique relationships with those companies that
are not the normal Federal contract relationships. HCFA has no
authority to have that work done by other information
processors. It has to be done by the insurance companies. It
also is a situation where the normal contractual rules to end a
relationship are more complicated because of special
legislative provisions. And we have supported HCFA's
recommendations that there be contractor reform legislation
that would put contractors in this area in the same boat with
all other Federal contractors.
But I am happy to report that, with a lot of hard work by
those contractors and HCFA over the last 6 months, we are now
confident that system will work. But, as Mrs. DeParle will tell
you, even if we have our systems working, and the
intermediaries will have their systems working, the question
will be whether the providers have their systems working. Will
the doctors, the hospitals, and the healthcare facilities
actually be able to submit payments to be processed? Those are
systems we don't control. We don't have authority over them.
Again, back to our concern about local communities, our concern
here is about local providers. And you will hear more about
that from HCFA in terms of their outreach efforts, but I think
that if we are going to have a problem, it will be at that end
of the process, not at our end.
Mr. Hulshof. OK, thank you.
Mr. Chairman, I yield back.
Chairman Archer. Mrs. Thurman.
Mrs. Thurman. Thank you, Mr. Chairman.
I have to tell you that I talked to one of my sheriffs last
year, and I need to do a follow-up with him based on this
conversation. He was very, very concerned about this compliance
with Y2K and how he was going to change his computer system
over because there were no grants, there was nothing available
to them to help them through the State systems. Are you seeing
more of that in your conversations with the State and local
people? Monies being available? Because a lot of these people
are hitting caps, can't afford it, especially within rural
areas.
Mr. Koskinen. We are concerned about rural areas. We
deliver 20 percent of utilities in this country in rural areas
and small towns. There are over 3,000 power companies, over
1,400 telephone companies, so a lot of the problem is not just
AT&T and Sprint and the power companies in cities like
Washington. A lot of it is at the local level. And we are
reaching out through the associations and organizations to
reach them.
But, again, as has been our experience with small
businesses, our experience at the local level is not that
people don't have the resources. We don't have a significant
influx of small businesses saying that they need financial
help. And we don't have a lot of local communities saying,
``You know, if we had some money, we would fix it.'' We have a
lot of local communities who, for one reason or another, have
not yet made this a priority.
Mrs. Thurman. Well, this one, particularly, had made it a
priority, but he didn't have any money. He was looking for
grants, loans, and other things to try to update this system
within his area.
Let me ask you this question. In Gainesville last week,
there was an article in the university newspaper. There was a
law conference that was addressing the technology issue with
Y2K, and he mentioned that there was a particular problem--and
I don't know what you are seeing out here, but it is certainly
something, I think, to be talked about. ``I would wager your
business client is doing an inadequate job with Y2K compliance.
Business clients need to prioritize their dependency on certain
items and establishing ongoing conversation with larger
suppliers.''
But he also went on to say that encapsulation and windowing
were how small business were getting around this, or at least,
potentially reacting to this. But these were not really taking
care of the problem. It is just kind of delaying the problem.
Are we seeing a lot of that as some safety net out there
for folks? They are going to do these things, but then they
turn around and it is really not going to be fixed?
Mr. Koskinen. It doesn't solve the underlying problem, but
it is not a short-term fix in some cases depending on the
process.
One way to window is to say that every number after 50 is
1900 and every number before 50 is 2000. So that 00 would be
2000, 01 would be below 50 and would be 2001. So, that would
give you a system that would run until 2050.
There are various other windowing techniques. You can roll
the clock back to 1972 which is the same calendar year as the
Year 2000, and again, you have 28 years.
People who are windowing are using it not as a 6-month fix,
but to give themselves a year or two running room to upgrade or
totally replace the system that is being windowed.
The complication with windowing is that to the extent that
you exchange data, you have got to make sure that the
formatting works with the people you exchange date with, which
is why you hear so much about the importance of data exchanges.
But a lot of work is being done. Rather than moving the
Code from two digits to four, you would, in effect, work around
the Code, and, in fact, have the system think it is a year that
it is not.
Mrs. Thurman. So, they could maybe be feeling that they are
fixing this but falsely not and particularly, if they have to
do a data change----
Mr. Koskinen. Everyone knows that you are doing it to fix
the problem, but that you are not fixing it out to the Year
3000. What you need to do with windowing, and the people doing
it are aware of this, is to ensure that any data exchanges you
make are with systems that can adopt and accept the format you
use.
Mrs. Thurman. And you are saying that finances are not the
problem with small businesses. Why would they not just go ahead
and try to get into compliance with Y2K without using these
other two techniques?
Mr. Koskinen. The SBA already has a loan program that is
available to small businesses. And the explanation as to why
they don't take action is that this would be a lot easier
problem if you could guarantee that everything would fail
because then people would have to fix it.
We don't want small businesses to waste money buying things
that they don't need. That's why, for Federal agencies, the GAO
and OMB analysis starts with an assessment.
What a lot of businesses are saying is that they don't want
to borrow any money, whether it is thruogh a low-interest loan
from SBA or somebody else, and that they are busy and they
don't know about this. They'll just wait and see. And then if
their computer shuts down, they will go and buy another one.
``I don't want to spend a few thousand dollars, or even a few
hundred dollars now, if I don't have to.''
We can't issue an edict in which we say to every small
businesses computers are all going to fail. A lot of them will
not. What small businesses need to do is make an assessment of
what their risks are. Check with their manufacturers. Take
advantage of the information that the SBA and others are
providing to them, and then make a decision. It is that process
that they are not going through.
Mrs. Thurman. Thank you.
Chairman Archer. Does any other member wish to inquire?
Mr. Koskinen, you have taken on a massive responsibility,
and I am impressed by your grasp, your knowledge, and what you
have done both from an overall standpoint and from a detail
standpoint. The Nation is lucky to have you. Thank you for what
you have been doing. Thank you for being before us today.
Mr. Koskinen. Thank you for your very kind comments, Mr.
Chairman.
Chairman Archer. Our next witness is the Honorable Olivia
Golden, Assistant Secretary for Children and Families with HHS.
Good morning, and welcome, Ms. Golden. We are pleased to
have you before us. I think that you probably heard my previous
admonition to witnesses that if you can keep your verbal
testimony to within 5 minutes, we would appreciate it. Your
entire written statement will be inserted, without objection,
in the record.
STATEMENT OF HON. OLIVIA GOLDEN, ASSISTANT SECRETARY FOR
CHILDREN AND FAMILIES, U.S. DEPARTMENT OF HEALTH AND HUMAN
SERVICES
Ms. Golden. Thank you, Mr. Chairman. I will summarize my
longer statement for the record.
Thank you, Mr. Chairman, and Members of the Committee, for
the opportunity to appear before you today to report on the
progress that we have made in ensuring that our automated
systems are Year 2000 compliant and to share our outreach
efforts to the human services sector.
I am extremely pleased to report to the Committee that ACF
has completed our efforts to ensure Year 2000 compliance of all
its automated systems. I would like to describe briefly our
efforts on these systems and our efforts to work with our State
and local partners to address the special problems that they
face.
First, ACF's internal systems. Ensuring that all ACF
mission-critical systems--grant making, child support
enforcement, and information collection and reporting, are Year
2000 compliant, has long been a priority for us.
In 1993, ACF engaged in a business process re-engineering
effort which resulted in the GATES system. This system allows
ACF to carry out all of our functions related to grant making
in one system, and it was designed from its inception to be
Year 2000 compliant.
ACF's second major category of mission-critical systems is
child support enforcement systems: the Federal parent locator
service, the tax refund offset system, the renumeration
verification system, and the child support enforcement network.
The first three of these systems were repaired to meet Year
2000 requirements, and the fourth was developed as a Y2K-
compliant application.
The third, and final, internal system category in ACF
involves information collection and reporting. ACF uses two
systems to collect and analyze information on certain at-risk
populations. We have the adoption and foster care analysis and
reporting system, and the runaway and homeless youth management
information system. Both of these systems were designed to be
Year 2000 compliant.
To further ensure that these systems meet Y2K requirements,
ACF hired three independent verification and validation
contractors to conduct testing of the systems. IV&V efforts
have been completed on all but one of ACF's mission-critical
systems, five have received final compliance certifications
from the contractors. The IV&V effort for the GATES system has
been extremely complex, but we expect to receive the final
certification of compliance by the end of March.
And, as an extra measure of protection from unanticipated
problems, as you have heard from other agencies, ACF has
developed business continuity and contingency plans for all of
our mission-critical systems. The plans contain specific
information on Year 2000-related problems that might occur to
each system and spell out the triggers that would cause a
specific remediation action to be invoked.
In addition to ensuring the integrity of our Federal
systems, we have focused attention on the effect of Year 2000
problems on providers of human services under programs funded
by ACF. I would like to briefly summarize our efforts.
Assistance to States and grantees: ACF supports a wide
range of programs that are administered at the State, county
and local levels. While we do not play a direct role in the
development and operation of the systems needed to support
these programs, we are working on a number of fronts to ensure
that to the maximum extent possible, human services providers
are taking appropriate steps to address the Year 2000 problem.
Our shared goal with States and grantees is to ensure the
continued provision of human services in our programs in the
coming millennium.
To achieve this role, ACF's goal, in addition to ensuring
the readiness of our own system, is threefold. First, to
heighten awareness. For the past few years, ACF has been
involved in actively reaching out to human services providers
on the Year 2000 issue. We are seeking not only to elevate the
level of attention at the State and local level, but also to
glean information about the most useful ways that we can help
our partners continue to deliver services in the case of a
system breakdown. Detailed information on our awareness
strategies is in the long version of my testimony, and I would
be happy to provide details in answer to questions.
Second role: access to resources. ACF has assisted States
and grantees in gaining access to a range of available
resources which will be useful in their efforts to become Year
2000 compliant.
And our third role is to access overall readiness,
including a focus on contingency plan development. ACF will
continue to use information from our surveys and onsite reviews
to assess how we can best work with States and providers that
are most in need.
In conclusion, we are confident that all internal systems
in the administration for Children and Families are Year 2000
compliant. We are continuing our efforts to assist grantees and
other human service providers by conducting extensive Year 2000
outreach.
I would be pleased to respond to any questions. Thank you.
[The prepared statement follows:]
Statement of Hon. Olivia Golden, Assistant Secretary for Children and
Families, U.S. Department of Health and Human Services
Good morning Mr. Chairman and Members of the Committee. I
am Olivia Golden, Assistant Secretary for Children and Families
within the Department of Health and Human Services. I
appreciate the opportunity to appear before you today to report
on the progress we have made in ensuring that our automated
systems are Year 2000 compliant, and to share our outreach
efforts to the human services sector. Your attention to this
issue is certain to help us in highlighting the importance with
which it must be viewed by State, county and local human
service providers.
I am extremely pleased to report that ACF has completed
efforts to ensure Year 2000 compliance of all its automated
systems applications. We initially identified 55 systems as
providing mission-critical support to ACF core business
processes which require Year 2000 remediation--grant-making,
child support enforcement, and information collection and
reporting (ten were subsequently retired).
I would like to describe our efforts to ensure compliance
in each of these critical systems, including our use of
independent verification and validation processes and
contingency planning for the unexpected, and our efforts to
work with our State and local partners to address the special
problems they face.
I. ACF Mission Critical Systems
Ensuring that ACF mission-critical systems are Year 2000
compliant has been a priority for us for several years. I am
convinced that this level of attention was essential to our
success in completing Year 2000 compliance activities for all
our mission-critical systems.
Beginning in 1993, ACF engaged in a business process
reengineering (BPR) effort, the aim of which was to consolidate
the many ACF grant-making, tracking, and reporting systems into
one integrated system. This system, called the Grants
Application, Tracking, and Evaluation System or GATES, allows
ACF to carry out all the administrative functions related to
grant-making via one system. GATES ensures that grants are
processed seamlessly, and allows ACF to collect and analyze
program performance information. It was designed from its
inception to be Year 2000 compliant and is a dynamic system
that will continue to evolve to meet ACF's grants-related
needs.
This transformation of grant-making systems was a huge
accomplishment. Now, all grants, whether entitlement grants
like Child Support Enforcement or discretionary grants such as
Head Start, are processed using one central system.
ACF's second major category of mission-critical systems is
Child Support Enforcement systems. ACF efforts to assist all
States and territories in their attempts to establish and
enforce child support are supported by four systems:
The Federal Parent Locator Service (FPLS) which is
a computerized national location network that consists of a
National Directory of New Hires (NDNH), a centralized
repository of W-4, quarterly wage and unemployment insurance
claims data, and a Federal Case Registry (FCR) of child support
orders. These two databases are automatically matched on a
daily basis, providing States with the most timely, accurate
information available to locate non-custodial parents for the
purpose of establishing or enforcing child support orders;
The Tax Refund Offset System (TROS) which allows
States to intercept Federal tax refunds and other Federal
payments due to non-custodial parents who are delinquent in
paying child support;
The Enumeration Verification System (EVS) which
allows States to verify the social security numbers of non-
custodial parents; and
The Child Support Enforcement Network (CSENet)
which provides a means for States and territories to exchange
information needed to work interstate child support cases.
The first three of these systems are housed on a Social
Security Administration mainframe computer. These systems were
repaired to meet Year 2000 requirements by providing individual
lines of code to ensure that all dates use four-digit years in
calculations, manipulations, display, input, and reports.
CSENet is a federally maintained network of personal
computers (PCs) at 54 State and territorial sites, connected
via modems to a federal host personal computer. CSENet was
developed as a Year 2000 compliant application. Currently, the
PCs upon which this application is run are being upgraded to
ensure Year 2000 compliance of all aspects of the network. This
upgrade will be completed by March 1999 for most States and,
pending completion in the others, a contingency of patches will
be made available for the hardware and its operating systems
until all of the upgraded hardware is in place.
The third and final internal system category in ACF
involves information collection and reporting. ACF collects
information on at-risk segments of the population served by our
programs, such as children in the adoption and foster care
system and runaway and homeless youth.
ACF uses two systems to collect and analyze this
information: the Adoption and Foster Care Analysis and
Reporting System (AFCARS) and the Runaway and Homeless Youth
Management Information System (RHYMIS). AFCARS is housed on a
National Institutes of Health mainframe, while RHYMIS is a
system consisting of stand-alone PCs that collect and analyze
information from approximately 400 grantees. These PCs save
electronic reports to diskettes that grantees mail to the
Family and Youth Services Bureau for uploading into a composite
federal RHYMIS system. Both AFCARS and RHYMIS were designed to
be Year 2000 compliant.
A number of these systems exchange information with State
systems, such as AFCARS, FPLS, TROS, and EVS. In these cases,
we have established bridges to ensure that all data
incorporated in our systems from the States' systems are Year
2000 compliant. A bridge screens the incoming data to ensure
that they use 4-digit year dates; if they do not, the bridge
prefixes the proper century digits to the year date. In turn,
as an interim measure, if a State system cannot accept Year
2000 compliant data, a conversion program will format the data
field in a way that is usable by the State prior to
transmitting the data to the State system.
I'd like to now turn to our Independent Verification and
Validation activities and our contingency planning to deal with
unexpected systems problems.
II. Independent Validation and Contingency Planning
Independent Verification and Validation (IV&V) is essential
for ensuring that the hardware and software associated with a
system meet Year 2000 requirements. Using three IV&V
contractors, ACF's mission-critical systems were tested on
several different levels to ensure that they comply with the
Year 2000 requirements for the use of the four-digit year date
format and that they would function properly after remediation
was completed. IV&V have been completed on all but one of ACF's
mission critical-systems; five of those have received final
compliance certifications from the contractors: AFCARS, RHYMIS,
FPLS, EVS, and TROS.
Although the CSENet IV&V showed that the CSENet application
itself is compliant, it also revealed that the hardware and
operating system software upon which the application runs need
to be upgraded. We are in the process of addressing the needed
upgrades.
The IV&V effort for the GATES systems has been an extremely
complex undertaking. However, we expect to receive the final
certification of compliance by the end of March. The contractor
has spent a large amount of time becoming familiar with the
system's construction and interfaces with external systems and
is currently running a series of date rollover tests as a final
step to certification of compliance.
As a result of these rigorous efforts, we are confident
that our systems will be fully Year 2000 compliant by the end
of March, with the sole exception of CSENet. That system will
be compliant when its underlying hardware and operating systems
are replaced in September 1999. However, as an extra measure of
protection from any unanticipated problems, ACF has developed
Business Continuity and Contingency Plans (BCCPs) for all our
mission-critical systems. These plans will ensure that ACF will
be able to carry out its core business functions until
unforeseen problems are resolved. The BCCPs contain specific
information on Year 2000 related problems that might occur to
each system, and spell out the triggers that would cause a
specific remediation action to be invoked.
In addition to ensuring the integrity of our federal
systems, we have focused attention on the affects of Year 2000
problems on providers of human services under programs funded
by ACF. I would like to briefly describe our efforts.
III. Assistance to States and Grantees
ACF supports a wide range of programs that are administered
at the State, county and local levels. While we do not play a
direct role in the development and operation of the systems
needed to support these programs, we are working on a number of
fronts to ensure that, to the maximum extent possible, human
services providers are taking appropriate steps to address the
Year 2000 problem.
This is very complicated because there are substantial
variations in the degree of automation in each program and at
each level, ranging from sophisticated. Statewide systems for
multiple programs, to simple desktop operation for a non-profit
service provider. The sheer number and complexity of these
systems makes assessment of the potential Year 2000 problems
extremely difficult. The number of entities involved in the
provision of human services, from the federal level down to the
providers of services in communities, further complicates the
picture. An example may help to illustrate this point:
In one large State, there are numerous systems that are used
to administer the human services programs. Four separate
systems determine eligibility for the Temporary Assistance for
Needy Families, food stamp and Medicaid programs. Many Child
Support Enforcement systems are operated at the county level.
There is a Statewide system for the child welfare program under
title IV-E of the Social Security Act, but services may be
tracked by a large number of private service providers at the
community level. There is no centralized child care system--
multiple information systems exist at the county and local
provider level. Head Start grantees operate individual
information systems with varying degrees of sophistication.
This also is true for grantees in many other programs as well.
For the families that rely on our systems, this staggering
level of complexity means that a wide variety of partners in
the Federal, State, and local levels must undertake intensive,
focused efforts to be sure that families and individuals do not
lose crucial services due to Year 2000 computer problems. While
ACF has achieved its own Year 2000 compliance, that alone is
only one part of the battle to ensure that service is not
disrupted. In addition, we must hold States and local entities
accountable for seeing that their systems are compliant and
that they have viable contingency plans in place, with our
support and assistance.
ACF has taken action to make our partners and grantees
aware of the critical nature of the problem, and to assist them
as they plan and execute their own Year 2000 readiness
strategies. As laid out in more detail below, we have provided
and will continue to provide information, technical assistance,
and help with assessments of grantees' systems. In addition, we
plan to accelerate our efforts to do more on-site assessment
and participate in States' contingency planning efforts.
In order to get a clearer sense of the status of all these
systems, we have requested that States provide us with
estimates of Year 2000 readiness for these major programs, the
status of their contingency plans, and updates of this
information on a regular basis. Although no State has indicated
that it will not be Year 2000 ready, a number have indicated
that they will not be ready until late in the year. With just
over half the States responding so far, several indicate that
they are going to finish their fixes later in the year--in the
third or fourth quarter. Coming this close to the deadline is a
real cause for concern, because systems experts believe that
large, complex organizations should be in a testing phase by
now. To compound the fact that some States are cutting it so
close, approximately a quarter report that they have no
contingency plans.
This information, like other reports, indicates that we
have reason to be concerned about State and local readiness
regarding Year 2000. The recent General Accounting Office (GAO)
report on the Year 2000 readiness of State public assistance
systems, and the National Association of Counties (NACO) report
on the readiness of counties, have raised concerns about the
ability of State, territorial, and local governments to deal
with this problem. The GAO survey found most States were not as
far along with their corrective action plans as they should
have been. Similarly, NACO's report, based on a sample of 500
counties, found that up to half of all counties do not have
Year 2000 corrective action plans, or budgets to support such
plans.
ACF's outreach strategy is designed to inform and support
our State and local partners as they move ahead on their
critical task of ensuring that their human services systems are
not disrupted by Year 2000 problems. Our shared goal is to
ensure the continued provision of human services under our
programs in the coming millennium. To achieve this goal, ACF's
role is to:
Ensure the readiness of ACF systems, which is
complete as described above;
Heighten awareness of the issue and the impact of
taking corrective action to ensure continued service delivery;
Assist states in gaining access to available
resources to support their Year 2000 efforts; and
Work with our partners to assess the overall
readiness of their systems and encourage and support the
development of contingency plans.
Heighten awareness
For the past few years, ACF has been involved in actively
reaching out to human service providers on the Year 2000 issue.
ACF has led the Human Services Outreach Sector, which includes
the Administration on Aging, the Health Care Financing
Administration (Medicaid), the Health Resources and Services
Administration and the Substance Abuse and Mental Health
Services Administration.
In addition, I have personally made this issue a top
priority in my meetings with State and local officials and have
asked managers and staff throughout ACF to do the same. We are
seeking not only to elevate the level of attention on the issue
at the State and local level, but also to glean information
about the most useful ways that we can help our partners
continue to deliver services in case of a system breakdown. ACF
has taken additional steps to make program providers aware of
the problem and of the need to take action, including:
Establishment of a comprehensive Year 2000 web
page (www.acf.dhhsgov), which includes information for both
technical and non-technical users, to reach a wide variety of
audiences. The website contains guidance on planning and
undertaking Year 2000 efforts, samples of documents that will
help human service providers catalog their Year 2000 efforts,
and software that will help providers assess the readiness of
their own systems.
Development and distribution of a Year 2000 Guide
for Human Service Providers, which was distributed last year to
over 7,000 human service providers and representative
organizations. This document is currently being revised to be
distributed to an additional 25,000 human service providers
under ACF and other Departmental agencies.
Establishment of a Year 2000 help-desk which human
services providers can access through an internet e-mail
address and 1-800 telephone number.
Insertion of a standard Year 2000 information
sheet in all ACF grant awards.
Access to resources
ACF has assisted States and grantees in gaining access to a
range of available resources, which will be useful in their
efforts to become Year 2000 compliant,
ACF issuance of an Action Transmittal to States on
July 1, 1998, which provided streamlined procedures for
acquiring expedited approval of Federal matching funds in the
cost of activities undertaken to make State systems Year 2000
compliant.
Development of a TANF data collection system which
is Year 2000 compliant and distribution to States of Year 2000
compliant PC-based software that they could use to collect and
maintain information. About 30 percent of States use this
software; the remaining 70 percent extract TANF information
from their existing mainframe systems and transmit it to ACF in
a Year 2000 compliant format.
Use of existing contractor resources, available in
each often HHS regional offices to assist Head Start grantees
in assessing their Year 2000 readiness and solving any
identified problems. In addition, grantees have been advised
that program administration grant funds may be used to make
their systems Year 2000 compliant.
Assess overall readiness including contingency plan development
Considerable gaps in information about the status of State
systems remain. As I indicated, ACF, along with the Assistant
Secretary for Management and Budget at HHS, have surveyed
States on their progress in Year 2000 and on-site reviews will
be conducted to further assess State systems and the need for
States to put contingency plans in place. We will continue to
use information from our surveys and these reviews to assess
how we can best work with States as they make progress in
dealing with this problem.
We also are taking advantage of opportunities provided by
our ongoing systems work, where have a more active role, to
focus on Year 2000 efforts. In child support, we are closely
monitoring State Year 2000 activities as part of all systems
reviews and automation funding requests. The latest information
we have indicates that fully one-third of these systems are
Year 2000 compliant. However, we are requiring that at-risk
States produce an acceptable contingency plan to ensure the
continued collection and disbursement of child support payments
in the event that the State does not complete Year 2000
remediation efforts in time.
In addition, we have completed an in-house assessment for
non-State human service providers, such as Head Start and
Runaway and Homeless Youth. Based on this assessment, we intend
to focus further outreach efforts and provide technical
assistance to those providers most in need.
Finally, should systems disruptions occur, we have
emphasized the need for contingency plans. At the same time as
we are urging all our partners to develop such plans, and
offering to support in those efforts, we are investigating
whether there is flexibility under our programs that might
offer further assistance.
IV. Conclusion
In summary, we are confident that all internal systems in
the Administration for Children and Families are Year 2000
compliant. The remediation of these systems and independent
verification and validation of their functions have helped us
to improve the automated support of our core business
processes. In addition, we are continuing our efforts to assist
grantees and other human service providers by conducting
extensive Year 2000 outreach. I can assure you that we are
taking all possible measures to secure services into and beyond
the new millennium.
Thank you. I would be pleased to respond to any questions.
Chairman Archer. Thank you, Ms. Golden.
Is there any reason why these essential services under your
supervision would be disrupted by the Y2K problem?
Ms. Golden. Let me give you that answer in two parts.
In terms of our systems which move grants to States and
grantees and provide information, we are Y2K compliant, and, as
Mr. Apfel said to you, we are developing contingency plans
which would address any unforeseen circumstances.
The second part of that question, in terms of whether
States can make that assurance to you and to us that all will
be able to provide child support services, welfare, and so
forth, what I would say is that we need to reach the point
where all 50 States can make those assurances. We are not there
yet, but I believe that we will be there.
Chairman Archer. Is it fair to assume that you have given
important notice to the States of how essential this is?
Ms. Golden. Yes. We have been working in a variety of ways.
We began a couple of years ago in terms of basic information
sharing. We have a Web site. We have a help desk. We have a
grant insert with information. We wrote to the States last July
to make sure that they knew that we were providing expedited
access to matching funds if they needed that in a number of
areas. In the child support area where we have been on site
doing systems reviews, we have had more intensive involvement.
We are now intending to kick that up a level. We have
written to the States. I have written, together with John
Callahan, the Assistant Secretary for Management and Budget, to
ask for regular updates from the States in terms of the status
of their remediation and contingency plans, and we will be
working with those materials and expanding our onsite review
capacity.
Chairman Archer. Has the Congress given you adequate
resources for the remediation necessary at the Federal level?
Ms. Golden. Yes. Based on what I know now, we have
completed our remediation.
Chairman Archer. And again, I would invite you that if you
need any on an emergency basis, if something comes up, that you
will please notify us.
Mr. Crane.
Mr. Crane. Thank you, Mr. Chairman.
For the systems that you rely on for the States to develop
and operate, what Y2K risks remain, and what are you doing to
manage those risks?
Ms. Golden. Well, let me tell you a little bit about how
these programs operate and answer that question.
As you know, the child welfare systems, the welfare
programs, child support, childcare, are all systems that are
operated by the States and, in many cases, counties play a role
in them as well. The States and the counties maintain databases
and they often set policies. What needs to happen, is that at
the State level, as Mr. Koskinen said, the chief executive
officer, the Governor, as well as key State staff need to be
focused on ensuring that the State system is Y2K compliant and
that its relationships with county or local systems meet those
requirements.
Right now many States are on track in that respect as Mr.
Koskinen said. I think that there are some cases where we need
to work with States to ensure that level of focus.
Mr. Crane. Have you, by chance, seen this report card yet,
that has been issued on the various departments and agencies in
terms of being up to speed with regard to compliance to all of
the potential Y2K problems?
No. 1, on the report card list, is Social Security
Administration, although they went down hill in May of last
year. They were an A+. They are only an A today.
There are several A's up there. But the Department of
Health and Human Services--and this goes back to May 15, August
15, November 13, of last year--made F grades each time, and
they are up to C+ today. But on the list here, you can see that
C+ is toward the bottom.
What is demoralizing, looking at the list, is that the
Department of Defense is C-, and the Department of State,
Department of Transportation, and the Agency for International
Development are all still making F grades.
At any rate, this was prepared by the Subcommittee on
government Management Information and Technology and issued on
February 22. It is a concern when we listen to the previous
panel and Mr. Koskinen, and it sounded very positive in terms
of preparedness and contingency plans. But the report card, if
it is accurate, is a little demoralizing.
Is that your assessment, that you would give the Department
of Health and Human Services a C+ grade currently?
Ms. Golden. Well, I can only speak to my portion of it. We
are the part of the agency that deals with welfare, childcare,
child support, and foster care programs. And we have completed
our remediation of the internal systems, and we are virtually
complete on the IV&V certification. So, we believe that we also
are bringing you good news in terms of having accomplished
that.
Mr. Crane. Well, that is reassuring. You do have
contingency plans, too?
Ms. Golden. We do.
Mr. Crane. Just in case.
Ms. Golden. Yes, we do have contingency plans.
Mr. Crane. Very good.
Thank you so much. I yield back.
Chairman Archer. Mr. Coyne.
Mr. Coyne. Thank you, Mr. Chairman.
Ms. Golden, which welfare, childcare, and family assistance
systems are at greatest risk due to problems at the State
level?
Ms. Golden. Let me try to give you an overview, Mr. Coyne,
of what we know at this point, and then we will, of course, be
happy to provide more detailed information as we have it later
on.
What we know right now is based on State self reports as
well as the work that GAO has done and some of our own onsite
reviews particularly in child support. What we know at this
point is that no State has told us that they will fail to meet
the deadline. So, no State is currently sending up that alert.
Second, I do believe that most States have a very high
level of focus, and that that is critical and one of the
reasons that this hearing is so important.
And third, some States have already accomplished their
remediation in child support which is the area that we know the
best and have the most detailed information about. More than
one-third of States, we believe, are currently Y2K compliant.
But there are some areas for concern, and I think that I
would just echo Mr. Koskinen's comment about the critical
importance of keeping a focus at the State and local level.
Based on State reports to us, several States are not
anticipating compliance until the third or fourth quarter of
calendar 1999. And that is an area of concern in relation to
these complex systems.
About a quarter of the States that have reported to us do
not currently have contingency plans. That is also an area of
concern. And I would say that those States which have
complicated interaction with county systems, that is an area of
concern, as well.
We are still working with individual States, so I don't
have State-by-State information that I am completely confident
is accurate at this moment, but that is an overview, and we
would be happy to share more.
Mr. Coyne. What recourse does ACF have if a particular
State fails to pay welfare block grants, TANF benefits? And if
they don't transmit child support payments or reimburse foster
care providers on a timely basis because the State has failed
to renovate its computer system? What recourse does your staff
have if that doesn't come about?
Ms. Golden. Well, of course, where I believe we need to be
right now is making sure that that doesn't happen, so we have
been focusing really intently on making sure that there is
awareness at the State level. No State, certainly, would choose
to be in that situation. And so, we are focusing on making sure
that they have information and that there is a real focus on
early contingency planning.
I believe that one of the things that I learned from our
successful work within ACF is that you need independent
verification, so that if there are some things that you need to
fix or to plan around, you can do that.
And so, at this point, I believe that it is fair for us and
for you to hold all States accountable for succeeding in
delivering those services, and that we need to keep the intense
focus over the coming months.
Mr. Coyne. So, at this point, you don't have any plans to
have some recourse in the event that they fail? At this point?
Ms. Golden. At this point, all of our energy is on trying
to provide information and ensure accountability for
succeeding.
Mr. Coyne. Which States are in the best shape relative to
Y2K and why are they in better shape than others?
Ms. Golden. I am not sure that I have an answer with names
of States, but we could come back to you. I think that it
varies across the different systems, that is, depending on
whether it is child support, child welfare or TANF. In general,
I think that it help if a State has started early. It helps if
the State has focus at the highest level. And it helps, because
of the interactions between State and county systems in the
delivery of many of these services. If a State needs to deal
with those, it helps to have had a focus of both high level
State and county officials early. So, those are some of the key
elements.
Mr. Coyne. So, you don't want to venture into which States
have been more successful by naming them. Is that it?
Ms. Golden. I don't, at this point, have a name of a State
that has been a model across all the areas. But we can follow
up. We are working on refining our State-by-State information,
and we could follow up with you if that would be useful.
Mr. Coyne. Thank you.
Chairman Archer. Mr. Jefferson.
Mr. Jefferson. Thank you, Mr. Chairman.
Let me follow up on some of the things that Mr. Coyne was
asking about.
What assistance are you providing States in their efforts
to meet their requirements? That your department is providing
today?
Ms. Golden. We have done a variety of things. As you know,
we can't do it for the State. The State has to be accountable
for improving their system. But there is a wide variety of
things that we have been doing and that we plan to do.
In addition to providing information to making sure that
there is a Web site and a help desk and information out there,
we have taken a number of steps to make sure that States have
access to resources. We have written to them to provide an
expedited process for getting access to matching dollars in the
areas of child support and child welfare. In the area of TANF,
of welfare reform, and child care, they don't need help from us
because the dollars that they have already received in their
block grant can be used for this purpose. But we have provided
States with Y2K compliant software for reporting to us in the
welfare reform area. So, we've done that.
As we move more into onsite reviews and assessment, what we
want to do is work with States in seeing if we can be helpful
in contingency planning. For example, we think that in some
cases it may be that States can help each other. Here has been
a lesson learned in one State with one kind of system, that
would be very useful to another State. And so, we are hopeful
that we will be able to help in that arena.
Mr. Jefferson. I understand, your focus is on making the
system work and not in thinking about what happens if it fails
to work. But, of course, there can always be some failures in
whole or in part, in some limited ways, or in some greater or
lesser extent failures here or there.
So, I want to ask, not from the point of view of what does
the Department do if they fail, but what do people who are
recipients do? Low-income folks who are looking for payments
that are delayed?
Ms. Golden. That is a critical question and one that we are
intending to work with the States through contingency planning
to make sure that there is a way to get the checks out.
Let me tell you where we are on that. We asked all the
States to provide us with their contingency plans, and we plan
to review them. We have not received them yet, but we will be
receiving them and reviewing them and knowing much more in the
next couple of months. We expect that we might be able to be
helpful because there might be ways that different counties in
a State or different States could assist each other if it looks
as though there is going to be a problem. And we also, have
among our grantees at ACF not only States and counties but also
community agencies, and we believe that some of the community
agencies have experience providing emergency kinds of
assistance, so we want to get them involved in the contingency
planning as well.
So, I share your view that the most critical thing here is
to make sure that low-income families don't have interruptions
in basic services.
Mr. Jefferson. Now, what time table do you have to work out
these contingency plans that you just discussed with me?
Ms. Golden. We asked the States to provide them to us when
we wrote to the States in December. We are anticipating getting
them soon. We have not gotten contingency plans from all the
States so we expect to be reviewing them over the next couple
of months and working with the States.
Mr. Jefferson. The concerns that you have related in your
prior answers about the compliance of the State systems, do
these concerns also go to the smaller units of government like
cities and counties or villages that are also involved here? Is
there some way that you ask to States to work with them to pass
on information or to provide them with technical support? How
is this working?
Ms. Golden. That is a very important issue. We have done
some work to provide direct information to counties and cities,
and their organizations. We have sent out about 7,000 copies of
a guide for human services providers. As we work with States on
contingency planning, we need to ensure that they are working
with local units of government.
I also would note that I appreciate the Committee's focus
on this set of issues, and I believe that the members here,
given the wide array of States and communities that you
represent, may also be able to raise that focus because I do
believe that it is central to have State chief executives and
local and county chief executives focused on this issue.
Mr. Jefferson. Thank you.
Thank you, Mr. Chairman.
Chairman Archer. Dr. Golden, we want to express
appreciation to you for giving of your time generously today,
and we look forward to working with you in the future.
With that, inasmuch as we have a pending vote on the floor,
rather than call the next panel and let you start your
presentations for a minute or two, we will stand in recess
subject to the call of the Chair. The expectation is that we
should be back here reconvening in 10 to 15 minutes max.
[Recess.]
Mr. Crane [presiding]. Would everyone please take their
seats?
I would now like to call up our next panel. Julie Pollard,
Medicaid Director, Connecticut Department of Social Services,
on behalf of the National Governors' Association. Is Julie
present? And Joel Willemssen, again, to participate in this
panel. And, as I was appropriately taught as a young man,
ladies first.
So, we will have Julie make her presentation, and please
try and confine your oral presentations to 5 minutes, and your
printed remarks will become a part of the permanent record.
Julie, proceed.
STATEMENT OF JULIE POLLARD, MEDICAID DIRECTOR, CONNECTICUT
DEPARTMENT OF SOCIAL SERVICES, AND CHAIR, HCFA SYSTEMS
TECHNICAL ADVISORY GROUP ON Y2K; ON BEHALF OF THE NATIONAL
GOVERNORS ASSOCIATION
Ms. Pollard. Thank you very much.
I appreciate having this opportunity to be here today, and
I have been asked by the National Governors' Association to
provide information to your Committee on State Medicaid agency
Year 2000 readiness with the Medicaid management information
system technology.
Governors, as well as State agency directors and staff, are
committed to meeting the challenge of Year 2000 computer
problems in order to assure the clients of public services are
not adversely affected.
I appreciate having this opportunity to be here today to
update you both on Connecticut's progress and on steps being
taken to ensure that all States are properly prepared for the
Year 2000. As the State Medicaid administrator and chair of the
Systems Technical Advisory Group to the Health Care Financing
Administration, I have gained an understanding of the
complexity of the tasks at hand and an appreciation for the
hard work and diligent efforts of the many who are rising to
meet the Year 2000 challenge.
First, I will provide you with an overview of my agency in
Connecticut. I will then let you know about the State and
Federal entities who have been supporting us through this
process, and then some closing comments.
The Department of Social Services is the designated single
State agency for administration of the approved State plan of
the Connecticut Medicaid Program. The Connecticut Medicaid
Program currently provides quality healthcare access to
approximately 360,000 eligible consumers. A full range of
demographics from newborns to elders in rural and urban locales
through community-based and institutional settings can be seen
in the population that receives our support. They can access a
wide variety of healthcare services ranging from traditional
medical care provided by physicians, pharmacies, hospitals,
clinics and others to the alternative, non-traditional supports
found in the Medicaid waiver initiatives. Our connection to
that eligible population is through our Medicaid provider
community.
Our administrative activities support the processing,
authorizing, reporting and monitoring of the medical assistant
services that the department pays for as required by Federal
and State statutes. During the past State fiscal year, the
department paid over 20 million claim details costing over $2
billion to more than 6,000 medical providers and service
organizations who are enrolled in our program.
Claims processing, provider relations, Federal and State
financial reporting and surveillance utilization review
reporting are administered through our MMIS.
Clearly, the dynamic world of information technology has
provided many valuable tools that support our daily program
operations.
Accordingly, the applications and operating systems of the
MMIS have needed to successfully perform yesterday, today, and
in the days and century to come. The challenges encountered
along the way secondary to the rapidly changing healthcare
landscape, exciting Federal and State initiatives, or a
millennium have and will be met. Upon completion, our MMIS Year
2000 project will incorporate, recognize and unambiguously
treat the new century and all date fields in the systems, files
and functions in order to continue to effectively process all
claims, reports, and other output.
The Connecticut MMIS will also be equipped for both
outgoing and incoming interfaces with multiple entities,
external systems, including those of the Health Care Financing
Administration and the Internal Revenue Service.
It is important to note that these enhancements are being
completed in a manner that is not disruptive to the current
ongoing daily operations of the Medicaid Program. Project
approach and overall project management has necessarily been
predicated on the fact that our consumers need access to
healthcare services that are inextricably tied to providing
claims payment support in the healthcare industry. We recognize
that responsibility and strive for excellence in that role.
Now, the analysis and implementation of changes to the
Connecticut MMIS has been a complex, yet evolving, set of
tasks. And while initial research for technical solutions began
in early 1997, there has been an ongoing commitment to
remaining current to Year 2000 industry practices and
approaches which resulted in the fine tuning of our approach in
management strategies.
Clearly the input that we received from others, from those
both at the State and Federal levels, has provided valuable
lessons along the way. The phases associated with our MMIS Year
2000 project at a high level can be categorized as assessment,
renovation, testing, and implementation with extensive project
management activities throughout (not unlike the Year 2000
conversion model that was put forth in the September 1997 GAO
assessment guide.)
Now, we have not pursued our initiative in isolation. Our
executive branch, secondary to establishing a centralized Year
2000 Program Office out of our Department of Information
Technology, has promulgated a Year 2000 certification process
and agency reporting management methodology. Their quality
assurance process addresses the issue of certification, and it
is designed to be simple and flexible while ensuring that
projects critical to the State of Connecticut are completed on
time. The Y2K Program Office is also working with each agency
to complete that certification process.
In addition, that department anticipated the need for
independent validation and verification monitoring. They pre-
qualified vendors and established a listing of potential
contractors that could be used by State agencies in procuring
quality assurance and project management services.
Use of that service has facilitated our acquisition of a
quality assurance team that provides independent monitoring and
risk assessment of our MMIS project.
This past July, State Medicaid Directors received
information regarding HCFA's millennium compliance strategy as
it relates to the MMIS. Details regarding steps to be taken by
States in certifying to HCFA that the MMIS and mission-critical
interfaces are Year 2000 compliant were clarified.
Documentation related to contingency planning as well as
monthly Y2K status reports to HCFA Regional Offices was
requested.
Additionally, HCFA strongly recommended the use of IV&V
contractor services and further supported us by providing us
with a 75-percent Federal match for such services.
Recently HCFA has acquired services of an IV&V contractor
to collect status information on States and on their Y2K
activities and to validate the information that is being
reported by State Medicaid agencies to their regional offices.
Onsite visits are being conducted by HCFA's contractors. They
have placed additional demands on State resources. We have
worked together to try to avoid duplication of effort. The
visits are yet another risk-assessment snapshot providing
information for consideration in these final months of Year
2000 project activity.
Now, with hindsight, we might all agree that the best case
scenario would have been for those early computer programmers
to have ignored management concerns over data storage costs and
to have gone ahead and coded a four-digit year format. That
would have been the ultimate, no risk Year 2000 solution. But
here at the end of the 20th Century, we do have a time of
challenge for program managers and technology experts alike as
we prepare for the next millennium.
Throughout our daily activities, we strive to achieve
effective and efficient delivery of services to our customers
to improve the quality of their lives. And I am here to assure
you that we are committed to fulfilling our administrative
responsibilities to these families and individuals who need our
assistance in maintaining or achieving their self-direction and
self-reliance and independent living.
Thank you for this opportunity. I would be happy to answer
your questions.
[The prepared statement follows:]
Statement of Julie Pollard, Medicaid Director, Connecticut Department
of Social Services, and Chair, HCFA Systems Technical Advisory Group on
Y2K; on behalf of the National Governors' Association
Mr. Chairman, I have been asked by the National Governors'
Association to provide information to your committee on State
Medicaid Agency Year 2000 readiness of Medicaid Management
Information System technology. Governors, as well as state
agency directors and staff, are committed to meeting the
challenge of the Year 2000 computer problem in order to ensure
that clients of public services are not adversely affected.
I appreciate having this opportunity to appear before you
today to share an update on both Connecticut's progress, and on
steps being taken to ensure that all states are adequately
prepared for the year 2000. As a state Medicaid administrator
and chair of the Systems Technical Advisory Group to the Health
Care Financing Administration, I have gained an understanding
of the complexities of the task at hand and an appreciation for
the hard work and diligent efforts of the many who are rising
to and meeting the Year 2000 challenge.
First I will provide an overview of how my agency, the
Connecticut Department of Social Services, is approaching Year
2000 readiness of our Medicaid Management Information System.
Second, I will discuss the Year 2000 support and input that we
have received from state and federal entities. Finally, I will
offer some closing comments.
Connecticut Overview
The Department of Social Services is the designated single
state agency that administers the approved state plan for the
Connecticut Medicaid Program. The Connecticut Medicaid program
currently provides access to quality health care for
approximately 360,000 eligible consumers. The full range of
demographics, from newborns to elders, in urban and rural
locales, through community-based and institutional settings,
can be seen in the population that receives our support. They
can access a wide variety of health care services ranging from
traditional medical care provided by physicians, pharmacies,
hospitals, clinics, and others, to the alternative, non-
traditional supports found in Medicaid waiver initiatives. Our
connection to that eligible population is through our Medicaid
provider community.
Our administrative activities support the processing,
authorizing, reporting, and monitoring of the medical
assistance services the Department pays for as required by
federal and state statutes. During the past state fiscal year,
the Department paid over 20 million claim details costing over
$2 billion to more than 6,000 medical providers and service
organizations enrolled in our program. Claims processing,
provider relations, federal and state financial management
reporting, and surveillance and utilization review reporting
are administered through the use of a federally certified
Medicaid Management Information System (MMIS). Clearly, the
dynamic world of information technology has provided many
valuable tools in support of daily program administration.
Accordingly, the applications and operating systems of the
MMIS have needed to successfully perform yesterday, today, and
in the days and century to come. Challenges encountered along
the way secondary to the rapidly changing health care
landscape, such as exciting federal or state initiatives, or a
millennium New Year, have and will be met. Upon completion, our
MMIS Year 2000 project will incorporate, recognize, and
unambiguously treat the new century in all date fields in all
systems, files, and functions in order to continue to
effectively process all claims, jobs, reports, and other
output. Internal functionality will be equipped to deal with
appropriate century identification through all its process. The
Connecticut MMIS will also be equipped for both incoming and
outgoing interfaces with multiple external entities and
systems, including those of the Health Care Financing
Administration (HCFA) and the Internal Revenue Service.
It is important to note that these enhancements are being
completed in a manner that is not disruptive to the on-going
daily operation of the Medicaid program. Project approach and
overall project management has necessarily been predicated on
the fact that our consumers need access to health care services
that is inextricably tied to providing claims payment support
to the health care industry. We recognize that responsibility
and strive for excellence in that role.
The analysis and implementation of changes to the
Connecticut MMIS has been a complex yet evolving set of tasks.
While initial research of the technical solution began in early
1997, there has been an on-going commitment to remain current
on Year 2000 industry practices and approaches with a resultant
``fine tuning'' of our approach and project management
strategies along the way. Clearly, the input received from
others, at both the state and federal levels, has provided
valued ``lessons learned'' along the way.
The phases associated with our MMIS Year 2000 project at a
high level can be categorized as assessment, renovation,
testing, and implementation, with extensive project management
activities throughout. (This approach is not unlike the Year
2000 Conversion Model put forth in the September 1997 GAO
assessment guide.) The first phase, assessment, was critical to
the success of subsequent project activities. Solution
strategies were reviewed and validated, scope of work was
finalized, tool requirements were determined, and staffing was
validated. The second phase of code renovation was conducted
parallel to preparations for the testing phase, which includes
unit, end to end, and user testing. Implementation follows the
testing phase and results in a Year 2000 ready MMIS.
State Support
The Connecticut Department of Social Services has not
pursued this Medicaid Year 2000 initiative in isolation. Our
Executive Branch, secondary to establishing a centralized Year
2000 Program Office out of the Department of Information
Technology, has promulgated a Year 2000 certification process
and agency project management methodology. In carrying out
their oversight role, the Y2K Program Office in Connecticut has
defined a quality assurance process, a set of deliverables, and
a project management methodology for agency Year 2000 projects.
The quality assurance process addresses the issue of
certification, and is designed to be simple and flexible, while
ensuring that projects critical to the State of Connecticut are
completed on time. The Y2K Program Office is working with each
agency to complete the certification process.
As an additional support to state agencies, the Department
of Information Technology anticipated the need for independent
validation and verification monitoring. They pre-qualified
vendors and established a listing of potential contractors to
be used by state agencies in procuring quality assurance and
project management services in the monitoring of Year 2000
initiatives. Use of that list facilitated our acquisition of a
Quality Assurance Contract Team, thus enhancing our MMIS Year
2000 Project management support and providing independent
monitoring and risk assessment.
Federal Support
States have been moving forward with Year 2000 readiness.
In recent months there has been heightened external attention
as to the status of State Medicaid Agencies in responding to
the Year 2000 challenge.
This past July, State Medicaid Directors received
information regarding HCFA's Millennium Compliance Strategy as
it relates to the MMIS. Details regarding steps to be taken by
States in certifying to HCFA that the MMIS and mission-critical
interfaces are Year 2000 compliant were clarified.
Documentation related to contingency planning, as well as
monthly Y2K status reporting to HCFA Regional Offices, was
requested. Additionally, HCFA strongly recommended that states
contract for Independent Verification and Validation (IV&V)
services as a means of obtaining an unbiased view of an
organization's systems to provide yet another level of risk
mitigation in dealing with Year 2000 issues. HCFA further
supported this recommendation by offering to provide a 75%
federal match rate for such services.
More recently HCFA has acquired the services of their own
IV&V contractor to collect status information on states and
their Y2K activities and validate the information that is being
reported by state Medicaid agencies to the regional offices.
On-site visits conducted by HCFA's contractor have placed
additional demands on state resources and we have worked
together to avoid duplication of effort whenever possible. The
visits provide yet another risk assessment snapshot, providing
information for consideration in these final months of Year
2000 Project activity.
Closing Comments
With hindsight, we might all agree that the best case
scenario would have been for those early computer programmers
to have ignored management concerns over data storage costs and
coded dates using a four-digit year format. That would have
been the ultimate ``no risk'' Year 2000 solution.
The end of the twentieth century presents a time of
challenge for program managers and technology experts alike as
we prepare for the next millennium. Throughout our daily
activities, we strive to achieve effective and efficient
delivery of the highest quality of services to help our
customers improve the quality of their lives. I can assure you
that we are committed to fulfilling our administrative
responsibilities within the context of our agency mission: to
serve families and individuals who need assistance in
maintaining or achieving their full potential for self-
direction, self-reliance, and independent living.
Thank you again for this opportunity to testify on the
topic of Medicaid Year 2000 Readiness.
Mr. Crane. Thank you, Ms. Pollard.
Mr. Willemssen.
STATEMENT OF JOEL C. WILLEMSSEN, DIRECTOR, CIVIL AGENCIES
INFORMATION SYSTEMS, ACCOUNTING AND INFORMATION MANAGEMENT
DIVISION, U.S. GENERAL ACCOUNTING OFFICE
Mr. Willemssen. Thank you, and thank you for letting us
testify on this critical issue of State systems supporting
critical human services programs such as TANF, child support
enforcement and Medicaid.
For these and other programs, last year we reported on
States systems' status. And overall the results were not
encouraging. We found that States were reporting only about
one-third of their systems as compliant. The compliance rate
ranged from about 16 percent for Medicaid to 25 percent for
TANF, 56 percent for child care.
We also found disappointing results in the testing area.
Despite the need for thorough testing, States said that they
had not developed test plans for about 27 percent of their
systems.
In addition to the Year 2000 systems conversions, States
must continue to perform routine systems development and
maintenance activities as well as implement other systems
changes required to support their programs. Eighty percent of
the States reported to us that these systems activities had
been delayed because of the Y2K compliance efforts.
Since our report in November, Federal guidance and
oversight activities for State systems have increased. For
example, OMB implemented a requirement that Federal oversight
agencies include the status of State human services systems in
quarterly Y2K progress reports. For Medicaid, HCFA's
administered two State self-reported surveys and conducted
several onsite visits.
Unfortunately, overall, State Medicaid system status
appears to have changed little. For example, HCFA reported in
November that Medicaid systems had shown some progress in
renovation, but that the number of States reporting completion
of this phase had actually decreased compared to the July
August data that we had reported.
To obtain more reliable Y2K information, HCFA has hired a
contractor to conduct independent verification and validation
of State systems. After conducting another survey, HCFA decided
to rely on onsite visits to determine States' status. HCFA
reported in the HHS February quarterly report to OMB that,
based on seven site visits, some of the dates that States had
told us in July August had already slipped.
Next, let me turn to ACF and TANF, child support
enforcement, childcare and child welfare. ACF could not provide
us with updated information on all State systems for this
program since our report. As noted earlier, ACF did send
letters and surveys to States asking for system status
information. However, as of February 16, only 27 responses had
been received. Further, according to HHS, the information
provided by the States raised more questions than answers.
ACF is now considering onsite reviews of State systems, and
it is considering developing a process similar to the one being
used by HCFA or possibly working with HCFA in gathering
information.
Overall, in closing, although some States are reporting
progress, others are not due to be compliant until later this
year. For those States and those systems, contingency planning
will be especially critical.
That concludes the summary of my statement. I would be
pleased to address any questions.
[The prepared statement follows:]
Statement of Joel C. Willemssen, Director, Civil Agencies Information
Systems, Accounting and Information Management Division, U.S. General
Accounting Office
Mr. Chairman and Members of the Committee: Thank you for
inviting us to participate in today's hearing on the Year 2000
status of states' automated systems that support federal human
services programs, such as Medicaid, Temporary Assistance for
Needy Families, and Food Stamps. The federal government and
states have a huge vested interest--financial and social--in
related automated state systems. Many of these systems must
still be renovated to make the transition to the year 2000.\1\
Unless successfully remediated, many systems will mistake data
referring to Year 2000 as meaning 1900. Such corrupted data can
seriously hinder an agency's ability to provide essential
services to the public and ensure adequate accountability over
program operations.
---------------------------------------------------------------------------
\1\ The Year 2000 problem is rooted in the way dates are recorded
and computed in automated information systems. For the past several
decades, systems have typically used two digits to represent the year,
such as ``99'' to represent 1998, in order to conserve electronic data
storage and reduce operating costs. With this two-digit format,
however, the year 2000 is indistinguishable from 1900 because both are
represented simply as ``00.'' As a result, if not modified, computer
systems or applications that use dates or perform date- or time-
sensitive calculations may generate incorrect results beyond 1999.
---------------------------------------------------------------------------
Given the magnitude and nature of the programs these
automated systems support, the potential problems of failing to
complete Year 2000 conversion could be felt by millions of
needy Americans. While some progress has been achieved, many
states' systems have been reported to be at risk and not
scheduled to become compliant until the last half of 1999.
Further, progress reports to date have been based largely on
state self-reporting which, upon on-site visits, has
occasionally been found to be overly optimistic. Given these
risks, business continuity and contingency planning becomes
even more important in ensuring continuity of program
operations and benefits in the event of systems failures.
Human Services Programs' Essential Services Face Risk of
Year 2000 Disruptions
Failure to complete Year 2000 conversion activities could
cause billions of dollars in benefits payments to fail to reach
our nation's elderly, needy families, and women, infants, and
children. Those newly approved for benefits could face an
inability to be automatically added to the recipient file;
eligibility for new applicants might not be able to be
determined in a timely fashion; eligible recipients could be
denied benefits; and payments could be underpaid, overpaid, or
delayed. Key state-administered programs that could be affected
include the following:
In fiscal year 1997, Medicaid provided about $160
billion to millions of recipients. A joint federal-state
program supported by the Department of Health and Human
Services' (HHS) Health Care Financing Administration (HCFA) and
administered by the states, Medicaid provides health coverage
for 36 million low-income people, including over 17 million
children. Its beneficiaries also include elderly, blind, and
disabled individuals.
Temporary Assistance for Needy Families (TANF),
child support enforcement, child care, and child welfare
programs are likewise critical to the health and well being of
needy families. HHS' Administration for Children and Families
(ACF) oversees these programs that provide benefits to
economically needy families with children who lack financial
support from one or both parents because of death, absence,
incapacity, or unemployment. In fiscal year 1997, federal and
state agencies spent just under $14 billion on cash and work-
based assistance. Of this total, almost $8 billion was federal
money, while just over $6 billion was state-funded. This
program served almost 8 million recipients as of September
1998.
Food Stamp and the Supplemental Program for Women,
Infants, and Children (WIC) programs provide food for millions
of Americans. The U.S. Department of Agriculture's (USDA) Food
and Nutrition Service (FNS) oversees these programs. In 1998,
almost 20 million people received food stamp benefits, while an
average of 7.5 million received monthly WIC benefits.
Survey of State Readiness to Support Federal Human Services Programs
Raises Concerns and Potential Risks
Our survey last year of states' Year 2000 status found that
many systems were at risk and much work remained to ensure
continued services. Overall, only about one-third of the
systems supporting the Medicaid, TANF, Food Stamp (FS), WIC,
Child Support Enforcement (CSE), Child Care (CC), and Child
Welfare (CW) programs were reported to be compliant.\2\ As
figure 1 illustrates, the state reported compliance rate ranged
from a low of about 16 percent (Medicaid systems) to a high of
56 percent (child care systems).\3\
---------------------------------------------------------------------------
\2\ Year 2000 Computing Crisis: Readiness of State Automated
Systems to Support Federal Welfare Programs (GAO/AIMD-99-28, November
6, 1998). We sent a survey to the 50 states, the District of Columbia,
and three territories (Guam, Puerto Rico, and the Virgin Islands).
\3\ The Office and Management and Budget endorsed a five-phase
approach for conducting Year 2000 work, and established target
completion dates for each phase. Following awareness, agencies were
instructed to assess systems (by June 1997), including inventorying,
analyzing, and prioritizing them. Agencies then had to renovate their
systems, either by converting or replacing them (by September 1998);
validate through testing and verification (by January 1999), and then
implement the converted or replaced systems (by March 1999). These
phases are detailed in GAO's Year 2000 assessment guidance, Year 2000
Computing Crisis: An Assessment Guide (GAO/AIMD-10.1.14, September
1997).
---------------------------------------------------------------------------
Figure 1: Percentage of Systems Reported Compliant--July/
August 1998.\4\
---------------------------------------------------------------------------
\4\ The states reported using a total of 421 automated systems to
manage these programs. (Several states reported using more than one
system to support a program.)
[GRAPHIC] [TIFF OMITTED] T6850.001
States reported having completed renovation on only about
one-third of the systems as of July/August. Of those states
that had not completed this phase, many systems (25 percent)
were no more than one-quarter complete. For example, 18 states
reported that they had completed renovating one quarter or
fewer of their Medicaid claims processing systems. These 18
states had Medicaid expenditures of about $40 billion in fiscal
year 1997--one-quarter of total Medicaid expenditures
nationwide, covering about 9.5 million recipients.
Thorough testing is required to ensure that Year 2000
modifications function as intended and do not introduce new
problems. Despite this need, states said last summer that they
had not yet developed test plans for about 27 percent of the
systems. Further, only about one-quarter of the systems were
reported at that time as having completed validation and
implementation.
In addition to Year 2000 systems conversions, states must
continue to perform routine systems development and maintenance
activities, as well as implement other systems changes required
to support their human services programs. Eighty percent of the
states noted that these systems activities had been delayed
because of Year 2000 compliance efforts. Faced with these
competing priorities, states reported struggling to manage
their workloads, including important initiatives such as
tracking and reporting the requirements of federal welfare
reform, new HCFA programmatic requirements, and new child
support requirements.
Updated Results of State Human Services Systems
Since our report, federal guidance and oversight activities
for state human services systems have increased; however,
concerns regarding states' systems status remain. Following our
report, OMB implemented a requirement that federal oversight
agencies include the status of state human services systems in
quarterly Year 2000 progress reports.\5\ Specifically, it
requested that federal agencies describe actions to help ensure
that federally supported, state-run programs will be able to
provide services and benefits. OMB has further asked that
agencies report the date when each state's systems will be Year
2000 compliant, and provide information on any significant
difficulties that states are encountering.
---------------------------------------------------------------------------
\5\ OMB Memorandum for the Heads of Selected Agencies, Revised
Reporting Guidance on Year 2000 Efforts, January 26, 1999. The state
programs included were Food Stamps, Medical Assistance, Unemployment
Insurance, TANF, Child Support Enforcement, WIC, Low Income Home Energy
Assistance, Child Nutrition, Child Care, and Child Welfare.
---------------------------------------------------------------------------
Medicaid Systems Remain at Risk
Since last summer, HCFA has administered two state self-
reported surveys and conducted several on-site visits and found
that overall state Medicaid systems status has improved little.
For example, HCFA reported in November 1998 that Medicaid
systems had shown some progress in renovation, but that the
number of states reporting completion of this phase had
actually decreased compared to the July/August 1998 data that
was reported to us by the states. It found, further, that 11
states' Medicaid systems were still reported to be 25 percent
or less renovated, and about half of the states were 50 percent
or less renovated. Only five states--Arkansas, California,
Idaho, Illinois, and Iowa--reported their Medicaid systems to
be 100 percent renovated. Thus, while OMB guidelines target
completion of systems renovation by September 1998, states'
self reported data to HCFA showed that about 90 percent of
states had not completed renovation for the Medicaid programs
as of November 1998.
To obtain more reliable Year 2000 state Medicaid status
information, HCFA hired a contractor to conduct independent
verification and validation of states' systems. As an initial
effort, the contractor and HCFA distributed a survey to all
states to ascertain background and Year 2000 status
information. However, based on more recent information from on-
site visits, the IV&V project leader said that the survey data
were not as reliable as HCFA had expected because states tended
to overstate their progress. As a result, HCFA has instead
decided to rely on on-site contractor visits to ascertain
accurate Medicaid systems' status.
HCFA reported in HHS' February 1999 quarterly report to OMB
that based on seven site visits, some of the dates' states had
reported to us in July/August 1998 had already slipped,
underscoring the need for on-site visits to secure more
accurate information. For example, according to HCFA, while
four states appeared to have made some progress in the 6 months
since our survey, three states' status remained the same.
Further, HCFA found that one state's Medicaid eligibility
system was not as far along as the state had reported in our
survey. As of February 17, 1999, HCFA told us they had visited
14 states and that half of those states have shown some
improvements. Thus, HCFA and the IV&V contractor plan to make
on-site visits to all 50 states and the District of Columbia by
the end of this April. For states considered at risk, HCFA will
conduct second site visits between May and September 1999 and,
if necessary, third visits between October and December 1999.
The later visits will emphasize contingency planning to help
the states ensure continuity of program operations in the event
of systems failures.
Current Status of Systems Supporting ACF Programs is Unknown
ACF is currently surveying the states to determine the
status of TANF, child support enforcement, child care, and
child welfare systems, however, it does not have current
information on states' systems. In response to OMB's
requirement to provide updated state systems status in the
quarterly Y2K progress reports, ACF sent letters and surveys to
state Chief Information Officers asking for such information
and asked the states to return the survey by January 31, 1999.
As of February 16, 1999, ACF had received responses from 27
states. Further, according to HHS' Year 2000 Program Manager,
the information provided by the states raised more questions
than answers--some states did not answer all questions or
complete the survey for all systems.
ACF is now proposing on-site reviews of state systems for
TANF and the child support enforcement, child welfare, and
child care programs in all 50 states. ACF sees these reviews as
enhancing the available information concerning states' Year
2000 readiness and providing a vehicle through which the agency
can provide states with technical assistance. ACF is
considering developing a process similar to the one being used
by HCFA, or possibly working with HCFA in gathering
information.
USDA Has Been Tracking Systems Status for Food Stamps and WIC
The Department of Agriculture's Food and Nutrition Service
(FNS) is tracking and reporting on Year 2000 progress for the
Food Stamp and WIC programs for all 50 states, the District of
Columbia, Guam, Puerto Rico, and the Virgin Islands. For both
programs, USDA initiated a survey in April 1998, asking states
when their hardware, software, and telecommunications
supporting automated Food Stamp and WIC systems would be
compliant.
FNS updated the survey last December, and noted that 13 of
the states' software, hardware, and telecommunications systems
supporting the Food Stamp Program were reported as being Year
2000 compliant. Another 15 expected to be compliant by March
31, and another 13 by June 30 of this year. The remaining 13
states reported that they would not achieve compliance until
the last 6 months of calendar year 1999--which puts them at
high risk of failure if any unforeseen problems are encountered
during testing.
Regarding WIC, as of last December, FNS reported that 42
states said their WIC systems were already compliant or would
be Year 2000 compliant by June 30, 1999. However, 12 states
reported that they would not be compliant until the last 6
months of 1999. For states reporting that they will not be
compliant by March 31, 1999, USDA has requested the state to
certify in writing that they have a working contingency plan in
place that will ensure the delivery of benefits to Food Stamp
Program and WIC recipients.
* * * * *
In closing, although some states are reporting progress in
achieving Year 2000 compliance, many human services systems may
not become compliant until later this year. Consequently, these
systems are at a high risk if any unforeseen problems are
encountered during testing. Business continuity and contingency
plans will thus become increasingly critical for these states
in an effort to ensure continued timely and accurate delivery
of benefits and services. Federal oversight agencies, through
their monitoring activities, plan to likewise continue to
emphasize the need for contingency planning to ensure
continuity of service.
Mr. Chairman, this concludes my statement. I would be happy
to respond to any questions that you or other members of the
Committee may have at this time.
Mr. Crane. Thank you, Mr. Willemssen.
That report that showed the wide disparity between the
States and among the programs within the States is unnerving,
and your requirement of another report, a quarterly report, I
hope that you can get to us as soon as possible. We hope and
pray that there is significant progress.
Mr. Coyne.
Mr. Coyne. Thank you, Mr. Chairman.
Ms. Pollard, does the NGA have any data that contradicts
GAO's findings that at least 15 States are less than half way
through renovating their welfare block-grant computer system?
Do you have any information to the contrary?
Ms. Pollard. I am not aware of NGA specifically having
statistics that would align or rebut those numbers. I am aware,
from my interactions with my healthcare financing activities
that many States are much farther along now than they were in
November 1998, which is the last time, I believe, that a
snapshot was taken of Medicaid activity.
Mr. Coyne. Assuming that there are some of those States,
let's assume 15, do you have any reason--can you give us any
reasons why you think that they are that far behind?
Ms. Pollard. Well, I think that there could be, perhaps,
the point to be made with regard to the definition of
``behind.'' A State that was timing testing, for example, to be
in June or July of this year, may not consider themselves
behind. Perhaps someone else could be viewing that as a
standard whereby they were saying that testing should be done
no later than March which would then lead one to say that June
testing is behind.
So, I believe that the way in which the project management
is approached by the different States does lead to some lack of
clarity as to how those measures are being judged on a national
survey level.
Mr. Coyne. What type of contingency plans are the States
making to ensure timely payment of TANF benefits, recognizing
that some States may not have fully renovated their computer
systems by January 1, 2000?
Ms. Pollard. I can speak to the issues that I am familiar
with with regard to the Medicaid management system which is the
technology used to reimburse healthcare services.
It is interesting that the issue of contingency planning is
spoken of so strongly with Year 2000 readiness. Contingency
planning has been a part of system development all along. And
through the years, different States at times have gone through
development and implementation activities where they have,
after a period of time, totally built a new system, turned off
the old system, turned on the new system. Those moments don't
always happen seamlessly.
So, how one continues to conduct business, how one has
business continuity, even if there is a problem with the
computer, is part of Medicaid business. For example, interim
payments, being able to issue checks and payment for services
outside of that particular computer. Later on, being able to
reconcile it back in relative to reporting, but being able to
issue that money in a way that is separate from the traditional
claims payment system is a tool that all States are very much
aware of and have used at times when they have done major
system changes in the past.
Another example would be when we have a brandnew provider.
For example, pharmacy services are very technologically
dependent upon the use of drug use review systems. We recently
had the experience in Connecticut where a brandnew provider was
joining us--nothing to do Y2K per se, but the issue of
technology. They were not able to get their system ready in
time for when they wanted to start their billing with us. We
were able to provide them with funds outside of the system so
that their business could continue while the problems were
corrected and then we reflected those fund expenditures back
into the system at a later time.
So, the issue of business continuity, I think, is well
known to Medicaid Program administrators. The use of
technology, when it is there, is certainly to our advantage.
There are ways to do business without technology.
Mr. Coyne. Thank you.
Mr. Crane. Mr. Houghton.
Mr. Houghton. Thank you, Mr. Chairman.
Mr. Willemssen, I don't find myself very encouraged by your
report. What you, in effect, are saying, and I quote, ``many
human services systems may not become compliant, and therefore,
they are at high risk. In other words, if they find there are
glitches, there is not going to be enough time to change and to
correct those glitches.''
Is that right?
Mr. Willemssen. That is correct. That is why it is
especially important that we continue to raise the level of
concern for these types of systems similar to the way that that
kind of concern has been raised historically at Federal
agencies.
One point to keep in mind is, if you look at States, you
see an incredible amount of variance between States and even
within States between programs, and so, it is hard to say that
all States are in this category or in that category. But there
are pockets of States and programs that are way ahead and
others that are way behind. And to the extent that we can
continue to surface the issues and make sure that everyone is
on board within the limited time remaining, I think that we can
reduce that risk.
Mr. Houghton. Well, that is a good goal, but you know you
have 50 States and they are all individual little fiefdoms
under themselves. You say that we must raise the concern, who
is ``we''? It is not us. It is the States themselves. And the
question is, how does this interact?
Mr. Willemssen. We, in terms of the report that we issued,
I think that we assisted in raising the concern level. So, I
use it in that vein.
I think that the approach, for example, that HCFA is using
in conducting onsite visits through its independent
verification and validation contractor is a good model that
other organizations such as ACF may want to emulate to get
better ground data on exactly where that State and that program
is at.
Mr. Houghton. OK, well, these agencies in the States they
are going to be ready or they are not. So, if they are not,
then what happens? Is there something that the Federal
Government has to do? Or what about the funding of----
Mr. Willemssen. That is, again, why we would--as mentioned
here, we continue to emphasize the need for contingency
planning. There has to be some backup mode.
Mr. Houghton. If there is high risk and some of these human
services systems may not meet the test, do you find that in the
cases where you are most worried that there is contingency
planning?
Mr. Willemssen. I find that generally speaking they are
under development. As was mentioned, contingency plans and
disaster recovery plans often exist for general computer
systems environments. Do those plans exist for the most part
from a Year 2000-induced failure scenario? No. Not at this
point. Not based on the work that we have done.
Are they under development? Yes, generally. But there is
little time left, and that is why we have to continue to rachet
up the attention. The words that were spoken earlier by Ms.
Golden, that has to continue to be the focus.
Mr. Houghton. So, one State, in terms of some human service
area, falls by the wayside; they don't do it. It is January 20,
and we are all in trouble. How does that effect the recipients
of Federal funds?
Mr. Willemssen. It could affect it. If nothing is done and
the backup is not in place, the recipient may get an inaccurate
accounting of what is owed them, or may not get the payment on
time.
If I may give you an example. State unemployment insurance
systems have already gone through a failure scenario. State
unemployment insurance systems had a failure date in early
January 1999, and, in fact, there were four whose systems
failed and had to have a contingency plan. That contingency
plan was putting in a, so-to-speak, make-believe date in order
that checks could be processed.
So, there is already some experience in this. The
Department of Labor took a very proactive stance, as well as
Mr. Koskinen, in making sure that those failures were
minimized. I would theorize that you will probably see similar
things going on later in 1999 in this human services arena.
Mr. Houghton. Mr. Chairman, I don't know what we do to
follow up on this session. Obviously we are all very concerned.
But, if Mr. Willemssen says that there are States that are at
risk, and further more, they don't have a contingency plan, we
ought to know about this.
Mr. Crane. I couldn't agree more. You can provide that to
us, right?
Mr. Willemssen. Yes, sir, we can provide that information.
Mr. Houghton. Thank you very much.
Mr. Crane. Well, I thank you, and I thank Ms. Pollard, and
I thank you, Mr. Willemssen.
And, with that, the Committee will stand in recess until
one.
[Whereupon, at 12:13 p.m., the Committee recessed, to
reconvene at 1 p.m., the same day.]
Mr. Collins [presiding]. OK, we will get under way here.
The next panel consists of Hon. Charles O. Rossotti,
Commissioner, Internal Revenue Service; Mr. Paul Cosgrave,
Chief Information Officer with Internal RevenueService.
Gentlemen, we appreciate you all serving on the panel with
some private-sector people. Thank you very much.
Mark A. Ernst, executive vice president and chief operating
officer of H&R Block; William J. Dennis, Jr., senior research
fellow, National Federation of Independent Businesses; Mr.
James R. White, Director of Tax Policy and Administration
Issues, General government Division, U.S. General Accounting
Office.
We thank you, gentlemen, for being here with us today, and
Mr. Rossotti, we will begin with you. And each of your
statements, full statements, will be entered into the record.
STATEMENT OF HON. CHARLES O. ROSSOTTI, COMMISSIONER, INTERNAL
REVENUE SERVICE
Mr. Rossotti. Thank you very much, Mr. Collins. I'd just
like to briefly summarize my written statement and then turn it
over to Mr. Cosgrave.
As of last month, nearly all of the IRS' mission-critical
applications systems were Y2K compliant, and were placed back
into production for the 1999 tax filing season. About half of
these systems have been successfully tested from end to end,
from beginning to end, with the clock rolled forward with the
new century date. So we will continue focusing our efforts on
these mission-critical applications systems from now until
about the end of March. And then from April through the end of
1999, most of our effort will be on completing the integration
of these application systems with commercial software products,
wrapping up some smaller systems, and, most importantly,
completing this really large-scale end-to-end test.
So while this is generally a positive picture, we do want
to stress that there is still a great deal of risk and we do
have some trouble spots. We believe the next 60 days represent
the riskiest period. And that's just because of the massive
amount of changes that have been made to our systems in the
last year, coupled with the heavy volume of processing that
occurs during the peak of the filing season. It may cause some
localized problems.
We have organized an internal process to identify and
respond to these problems immediately, especially so we can
mitigate any possible impact on taxpayers.
We are continuing to allocate major amounts of management
time to the Y2K program. We have, of course, a century date
change program office, made up of a senior executive director,
53 full-time staffers, and about 1,000 other IRS employees and
contractors. This program office conducts weekly status
meetings, during which they review every aspect of the Y2K
repair activities.
I also want to stress that Y2K is my own personal top
priority. I chair a monthly executive steering Committee with
representatives of all the key people involved in the program.
And we, of course regularly meet with Mr. Cosgrave here and
other key executives, to go over particular projects and
particular risks.
We also meet periodically with our major partners in the
contracting firms that are assisting us to talk about specific
issues and stress the importance of it.
I do want to mention that in addition to our internal
technical challenges at the IRS, we need to address the
question of potential impact on taxpayers of potential Y2K
problems that might occur next year after the change of the
century. And I think the main point here is that we want to
make sure that we at the IRS are in a position so that
taxpayers who are attempting to file in good faith and pay on a
timely basis are not harmed because of a Y2K computer problem
that might be beyond their control.
So, at the present time, of course, the IRS has discretion
to abate penalties for reasonable cause, but only limited
discretion to abate interest. We are currently working with the
Treasury Department to develop abatement policies and
recommendations to be prepared to address this issue. And we
will certainly keep the Committee aware of our progress and
advise of any legislative changes that we think might be needed
in this area.
So in conclusion, although significant risks remain, we are
confident the IRS will be capable of fulfilling its mission in
the year 2000 and beyond. We will keep the Committee informed,
of course, of any errors or problems that we experience, and
any impact on taxpayers and our actions to alleviate any added
burden.
Thank you for this time, and I'd now like to introduce Mr.
Cosgrave, our Chief Information Officer, to briefly summarize
the status of our Y2K effort and each project.
[The prepared statement follows:]
Statement of Hon. Charles O. Rossotti, Commissioner,
Internal Revenue Service
Mr. Chairman and Distinguished Members of the Committee:
Thank you for the opportunity to discuss the status of the
Internal Revenue Service's (IRS') Century Date Change
Conversion program and our progress towards meeting the
challenge of the Year 2000.
The IRS has made significant progress in preparing for the
Year 2000. As of last month, nearly all of our mission critical
systems were made Y2K compliant and were placed back into
production for the 1999 Filing Season. Approximately half of
these systems have been successfully tested ``end-to-end'' with
the clocks rolled forward. We will continue focusing our repair
efforts on mission critical systems from now until the end of
March. From April through the end of 1999, most of the effort
will be applied to wrapping up some smaller systems and, most
importantly, completing the full-scale End-to-End Testing.
While this picture is generally positive, there is still a
great deal of risk and some trouble spots. In fact, we believe
that the next 90 days represent the riskiest period. The
massive amount of changes made to our systems in the last year,
coupled with the extremely heavy volumes of processing that
occur during the filing season, may cause localized problems.
We have organized an internal process to identify and respond
to such problems immediately and to eliminate or mitigate any
possible impact on taxpayers.
I would like to take the next few minutes to discuss the
scope of the Year 2000 conversion at the IRS and address the
leadership structure we have in place to manage our progress
toward Year 2000 compliance. Then, I would like my Chief
Information Officer, Paul Cosgrave, to present some of the more
detailed facts about the IRS' Y2K efforts.
Program Scope
The IRS is a vast and complex organization, employing more
than 100,000 individuals in service centers, regional offices,
district offices, and posts of duty across the United States
and around the world. Each year the IRS collects over $1.7
trillion in tax revenue to support the operations of the
Federal Government. In order to fulfill its mission of service
to taxpayers, the IRS depends on its automated systems to
process tax returns, issue refunds, deposit payments, and
provide taxpayers basic answers to their more than 170 million
inquiries a year which we must respond to 24 hours a day, 7
days a week.
Most of these systems date back to the 1960s and 1970s when
programmers were required to use two-digit date fields to
represent the year because of space limitations. This is, of
course, what causes the Year 2000 problem as we know it. The
Year 2000 problem is undoubtedly a top priority at the IRS this
year. If we don't fix our programs, our systems could generate
millions of erroneous tax notices, refunds, bills, and any
number of other financial reporting errors.
Making the IRS' Y2K problem even more challenging is the
sheer number of affected information technology systems. The
IRS currently houses over 80 mainframe computers, 1,400
minicomputers, over 100,000 personal computers and a massive
telecommunications network comprised of more than 100,000
components. There are over 40 million lines of code in 79,000
software programs that support IRS operations. We must also
address non-information technology (non-IT) items, such as
security systems, heat and air conditioning, and office
equipment in over 850 IRS locations.
I will now address our management commitment, and then Paul
Cosgrave will address the progress of our work and the current
priorities of our Year 2000 project.
Management Commitment
Almost 28 months ago, the Century Date Change (CDC) Program
Office was created to manage and execute the IRS' Year 2000
repair activities. The CDC Program Office is comprised of a
Senior Executive Program Director and 53 full-time IRS staffers
who are supported by over 1,000 IRS employees and contractors.
The CDC Program Office conducts weekly status meetings during
which the Director reviews the progress of every aspect of IRS
Y2K repair activities. The Program Office then uses this
information to create a Y2K ``dashboard''--a widely used
project management tool--which is a concentrated and high-level
look at the overall status and progress of all IRS Y2K efforts.
Please refer to the attachment, Year 2000 Dashboard Report, for
the most recent Y2K ``dashboard.''
Allow me to assure you that Y2K is an IRS top priority, as
well as my own this year. In support of our Y2K repair project,
I chair a monthly Executive Steering Committee with
representatives from Treasury, the IRS, the General Accounting
Office, and the National Treasury Employees Union. In addition,
I meet regularly with the IRS' Chief Information Officer and
other key executives to obtain individual project status
updates, monitor key risks, and to ensure that all necessary
actions are being taken. I also meet periodically with key
executives from the major contracting firms that support IRS
tax administration systems to emphasize the importance of
meeting our Y2K objectives and time lines and to obtain their
personal commitment to our needs.
Finally, in order to validate that we are doing everything
we can to ensure that the IRS is Year 2000 compliant, we have
commissioned independent assessments by organizations such as
Booz-Allen & Hamilton, Inc. and Northrup Grumman, Inc. Booz-
Allen & Hamilton, Inc. is performing risk identification and
assessment on all CDC Program activities, while Grumman is
performing a 100% review of our code renovation. They have
reviewed 67.5% of our code and have found only one in every
20,000 lines of code that requires reprogramming.
An independent review of our Commercial Off-the-Shelf
(COTS) products has also been scheduled. The review of the COTS
products is scheduled to begin in March. In addition, we
continue to rely on feedback from the Treasury Inspector
General for Tax Administration (TIGTA) and GAO assessments on
our Year 2000 program.
Significant Progress Made
Business Systems Conversion
The IRS conducts its operations using custom-developed
applications. The total number of ``mission critical''
information technology systems is made up of 126 application
systems and 7 telecommunication systems, of which two of the
application systems will be retired. We are focusing our
conversion activities on the application systems to ensure
their continued and uninterrupted operation. Overall,
approximately 40 million lines of code must be made compliant
within these mission critical application systems. As of
January 31, 1999, the IRS completed 92% of its code compliance
work. More specifically, 114 of the 124 mission critical
application systems have been made compliant.
Infrastructure
Mainframes (Tier I)--Most of the IRS' mainframe
infrastructure was scheduled to be Y2K compliant by January 31,
1999. Some COTS products associated with mainframes are still
being evaluated. Y2K compliant versions of these products will
be fully implemented before the start of our final, integrated
test.
Minicomputers (Tier II)--Approximately 1,400 minicomputers
and their associated systems software (operating systems,
databases, etc.) must be replaced or upgraded to be Y2K
compliant. As of January 31, 1999, the infrastructure
supporting 14 of the 27 Tier II mission critical systems is Y2K
compliant. The balance of Tier II infrastructure conversion is
scheduled for completion by July 1999 with the exception of 4
mission critical systems, whose infrastructure will be
compliant by September 30, 1999. While any delay in
implementation is of concern, the affected systems have been
identified as having minimal or no impact on filing season
activities. We are confident that these systems will be ready
for the final, integrated test.
Personal Computers (Tier III)--We are currently upgrading
our inventory of personal computers and laptops. Our goal is to
achieve Y2K compliance by July 31, 1999 by retiring our
obsolete PCs, moving to modern, Pentium-class platforms
throughout the agency, and implementing a Y2K compliant
standard suite of software. This effort will not only make us
Y2K compliant, but will also eliminate the vast numbers of old,
incompatible software products in existence at IRS.
Telecommunications
The IRS' telecommunications network, critical to
operations, is supported through the Treasury Communications
System (TCS) contract. The network conversion is a significant
challenge given the need to upgrade or replace thousands of
components within the TCS network, as well as additional custom
IRS networks that include another 30,000 components. Our
telecommunication equipment was made compliant in January with
a few exceptions. Some telecom support equipment for collection
has been deferred until after the peak of the filing season.
The completion of our Voice Messaging System upgrade will
continue into March.
External Trading Partners (ETPs)
The IRS, like other organizations, relies on its ability to
exchange information with other organizations, or trading
partners. For example, the IRS must be able to receive
electronic tax returns that are prepared by various tax
practitioners or exchange data with organizations like the
Financial Management Service who prepares refund checks. The
IRS is working closely with its trading partners and requiring
them to certify that their interfacing systems will comply with
the IRS' expanded date format. Over 70% of the 406 files
exchanged externally that needed to be compliant have been
converted. The balance is scheduled for completion by July. We
are also conducting assessments of our critical trading
partners' systems to ensure that they are Y2K compliant.
Meanwhile, information exchanges are being tested throughout
the conversion process and will be included in the final
integrated test.
Our work on the Electronic Federal Tax Payment System
(EFTPS) is an example of our success in this area. EFTPS is one
of the major systems used by business taxpayers and receives
over $400 billion a year in federal tax payments. The system
was successfully made compliant and implemented last year.
Non-IT
All areas unrelated to computer systems or software are
either Telecommunications or Non-IT systems. Non-IT systems are
real or personal property that contain a computer chip used to
record or regulate functions. Examples of real property include
security systems, alarm systems, heat and air conditioning
systems, and utility systems. Examples of personal property
include reproduction and other office equipment, vehicles,
laboratory equipment, and special production equipment such as
the Composite Mail Processing Systems (COMPS) used to process
mail at IRS service centers.
The IRS has completed an assessment of its personal
property. With the exception of the COMPS equipment that will
be replaced with Y2K compliant equipment by November 1999, all
of the 5700+ IRS personal property products that could have an
impact on IRS operations have been made Y2K compliant.
For real property, the IRS occupies 756 buildings of which
96 have been identified as mission critical. Renovation of 54%
of the 96 mission critical buildings is complete. The remaining
mission critical buildings are scheduled for completion by July
1999. Contingency Plans for all mission critical buildings will
be developed by July 1999.
Of the remaining 660 IRS occupied buildings, which are
owned/operated by The General Services Administration (GSA),
41% are Y2K ready. The IRS is working closely with GSA to
ensure that the remaining buildings are Y2K compliant on a
timely basis.
Budget
For the last two fiscal years, IRS expenditures for the
Year 2000 Conversion effort have totaled over $620 million.
Expenditures for Fiscal Year 1999 are projected to be $378.5
million. All told, the project life cycle costs of the Year
2000 conversion effort will be approximately $1.3 billion.
IRS' Year 2000 effort also involves replacement of our
major tax return processing system and payment processing
system. These replacements include our Mainframe Consolidation
project and our Integrated Submission and Remittance Processing
System.
Mainframe Consolidation
The IRS proposed and received Congressional approval for a
program to consolidate its mainframe computers while making
them compliant for the Year 2000. This is a major program that
involves eliminating 67 mainframe computers in 12 sites and
replacing them with 12 new, Y2K compliant mainframes in two
computing centers. This program is an important step in moving
the IRS to a modern, standardized method of managing its
computing resources and is consistent with the Office of
Management and Budget (OMB) directives requiring consolidation
of mainframe computing. Our current projections indicate that
this program will also reduce operating costs by $79 million
per year when fully implemented.
This large program consists of 5 projects and each is being
carefully managed to ensure our ability to support the filing
season, to achieve Year 2000 compliance, and to achieve the
objectives of improved management and reduced long-term costs.
As of January, we replaced the non-compliant Communications
Replacement System (CRS) and moved the workload from all 10
service centers to the two computing centers. Conversion of CRS
was extremely difficult, especially in light of the fact that
there is not an effective back-up plan for this system. The new
Y2K compliant tax processing mainframes were installed in the
two computing centers and workload from three of the 10 service
centers was moved. The IRS identified the need for additional
emphasis in the areas of standardization, automated tools, and
staffing prior to the remaining migrations. In order to
complete this work and minimize risk to the filing season, we
held the remaining migrations until after the 1999 Filing
Season. Upgrades were made, however, to vendor-supplied
software to make the existing, older mainframe computers Y2K
compliant. We also replaced over 15,000 obsolete computer
terminals as part of the program.
Integrated Submission and Remittance Processing System (ISRP)
The Integrated Submission and Remittance Processing System
(ISRP) replaces two legacy systems which could not be made Year
2000 compliant. The Distributed Input System (DIS) and
Remittance Processing System (RPS) originally formed the core
input system which processes more than 200 million tax returns
and accounts for tax revenues of over $1.7 trillion. The new
Y2K compliant system is operational for data entry in all 10 of
the IRS' service centers. However, we experienced some problems
in implementing the Remittance Processing System (RPS) which
precipitated our decision to defer the roll out of RPS to four
service centers until August 1999. Presently, six service
centers have implemented RPS and will perform filing season
activities.
Recent events during the week of February 8 helped to
lessen the level of concern with ISRP RPS considerably. Major
software upgrades were successfully installed in two of the six
ISRP RPS centers that alleviate many of the problems and risks
associated with the new remittance processing system. Plans are
in place to implement these upgrades to the remaining four ISRP
RPS centers during the next three weeks. Detailed contingency
plans have been prepared by all centers to use the legacy RPS
equipment as a backup if the new system has problems during the
April peak processing period. All centers will test their plans
and equipment by ``falling back'' to the legacy RPS equipment
for several days between now and March 8.
As you can see, the IRS has made significant progress in
its Y2K repair efforts over the past several months. This can
be attributed to a strong team of IRS employees and contractors
and the effective leadership of the CDC Program Office.
However, as much as we have accomplished to date, the Year 2000
remains a challenge for the IRS. It is a challenge that forces
us to continually adjust our schedule, and to maneuver people
and resources to attack the most critical Y2K problems. Failure
to manage risks and schedules in this flexible way enormously
increases the likelihood of failures and frequently ends up
delaying, rather than accelerating, actual progress. We have
worked hard to establish a realistic repair schedule that works
for the IRS and the specific challenges we face. It is a
schedule that gets the job done right the first time, because
everyone knows there won't be any second chances. Our teams are
at work everyday to meet these deadlines, as well as
maintaining our focus on the government-wide deadlines
established by OMB. We have come a long way, and we fully
acknowledge that there is a great deal of work left to be
accomplished this year.
As I discussed, our original schedule was altered on
several of our systems due to infrastructure issues. We
prioritized our schedule so that systems involved in the filing
season are converted and tested first. The remaining systems
that are not critical to the filing season will be converted
and tested at a later date. I might also add that we are
currently using the converted systems to process tax returns.
Any problems that we encountered have not impacted taxpayers
and were generally fixed within 24 hours of being identified.
I'd now like to explain our most pressing Year 2000
priorities for this year, beginning with filing season
activities which are now taking place.
Current Priorities
1999 Filing Season
While the Year 2000 problem is a top priority, providing
high-quality service to taxpayers and efficiently collecting
tax revenue remains our primary mission. The impact of our Y2K
repairs remains a major concern for this filing season and
Filing Season 2000, but we are encouraged by the results of the
1999 Filing Season to date. Reports show that as of February 5,
1999 we have processed over 10 million of the 13 million
returns received. This is four percent more than last year.
This year, we are proactively reporting errors, Y2K related
or not, through a new web page on our Internet site. This page
will report errors that impact taxpayers, such as erroneous
notices sent due a systems error. It will also include other
non-Y2K errors such as incorrect information in printed forms
or instructions.
End-to-End Testing
End-to-End Testing will be performed on IRS mission
critical systems to ensure that they function together through
a series of increasingly complex tests that simulate tax
processing activities in a Year 2000 environment. While many
tests focus solely on the individual system, End-to-End Testing
will test the entire process that takes a tax return from its
receipt to issuance of a notice or refund.
Testing activities are being performed in an isolated test
environment so that the IRS can continue its core business
activities--processing tax returns. Currently, the second of
three major End-to-End Tests is in progress and, to date,
testing has been successful. The final End-to-End Test is
scheduled to begin in October 1999. However, the fact that we
will need to compress our schedule for making changes to filing
season software programs makes End-to-End Testing very
challenging. All Filing Season 2000 changes need to be made to
the software before they can be included in the final End-to-
End Test.
Maintaining Focus
Although we have concentrated on converting the systems
that have the most direct impact on taxpayers, we have not lost
sight of the work that still needs to be done to convert and
test some of our smaller systems and complete critical
information technology projects.
As prevously mentioned, from April through the end of 1999
most of our efforts will be applied to wrapping up these
smaller systems and completing the full-scale End-to-End
Testing activities. Simultaneously, we will be completing the
roll-out of our Integrated Submissions and Remittance
Processing System (ISRP), which will be fully operational by
August 1999. Mainframe consolidation efforts will also be
taking place as we finish Y2K compliance activities.
Small Business/Practitioner Outreach
In addition to communicating with taxpayers about errors,
we are also working with the Small Business Administration
(SBA) to inform the small business community about the
importance of Year 2000 compliance. We have held a joint press
conference and produced a special Y2K article for the SSA/IRS
Reporter, which is mailed to 6.5 million businesses throughout
the country. In addition, the IRS homepage was updated to
encourage small businesses to determine if they are ``Y2K OK,''
and includes a link to the SBA's Y2K homepage which provides a
wealth of useful information about the Year 2000. Our efforts
will help ensure that small businesses have every opportunity
to prepare for the Year 2000.
We also hold regular liaison meetings with practitioner
organizations, such as H&R Block, Jackson-Hewitt, and the
National Association of Tax Practitioners, which provide a
forum in which to discuss the Y2K project. Specifically, the
Information Reporting Program Advisory Committee (IRPAC) has
addressed the Y2K problem in their semi-annual meetings. IRPAC
was established in 1991 as a way to advise the IRS on
information reporting issues of concern to the private sector
and the Federal Government.
Practitioners are aware that the IRS is operating Year 2000
compliant systems this filing season and they have been asked
to help out by identifying problems as they surface. Their
efforts will benefit not only the IRS, but also their own
organizations since early detection will allow a faster
turnaround if corrections or repairs are necessary.
Contingency Planning
The IRS is developing contingency plans that outline the
necessary procedures to follow in the event that a Year 2000
problem affects any of the IRS' mission critical tax processing
systems. These plans concentrate on those areas that have the
greatest impact on tax processing activities in addition to the
areas we know to be particularly affected by the Y2K problem.
This will allow us to work on aspects that have the greatest
risk, while continuing to leverage the majority of our limited
resources on Year 2000 conversion activities and testing.
Taxpayer Impact
Mr. Chairman, in addition to our internal technical
challenges, there is a question about the impact on taxpayers.
We want to be sure that taxpayers who attempt to file in good
faith or pay on a timely basis are not harmed because of a Y2K
computer problem beyond their control. At the present time, the
IRS has discretion to abate penalties for reasonable cause, but
has only limited discretion to abate interest. We are currently
working with the Treasury Department to develop abatement
policies and recommendations to address this issue. We will
certainly keep the Committee aware of our progress and advise
you of any legislative changes that may be needed.
Long-Term Benefits
While our primary goal is Year 2000 compliance, the Y2K
problem has forced the IRS to address some shortcomings in its
current practices. As a result of measures implemented to
address the Y2K problem, the IRS will reap several long-term
benefits. While I will not take the time to address all of
these benefits, I would like to discuss the two which I feel
are most important:
Use of Consistent Standards
The Year 2000 problem will allow us to continue to develop
and employ consistent standards across the agency. For example,
our Y2K work involved extensive testing of Y2K repaired
systems, including a series of integrated End-to-End tests.
Many of these testing activities will become standard practice
at the IRS long after the Year 2000. In addition, as a result
of Y2K work, we developed standards for desktop software
applications, such as e-mail and word processing programs.
Improved Project Management Practices
The Year 2000 problem is perhaps the greatest project
management challenge facing organizations today. Y2K has given
the IRS the opportunity to hone its project management skills
in preparation for similar large-scale projects, such as
modernizing the agency.
Conclusion
We are personally monitoring the status of IRS' Year 2000
activities, and are confident that the IRS will be capable of
fulfilling its mission in the Year 2000 and beyond. While we
recognize that significant risks still exist, we have every
confidence that our CDC Program leadership is taking the steps
necessary to address them. As we continue to develop our
contingency plans and closely monitor our schedule and
progress, we will keep the Committee apprised of any Year 2000-
related errors we experience, their impact on taxpayers, and
our actions to alleviate any added taxpayer burden. We thank
you again for the opportunity to discuss the IRS' Y2K efforts
and appreciate the continued support of the Committee.
I will be happy to entertain questions.
Year 2000--DASHBOARD REPORT
------------------------------------------------------------------------
Project Area Overall Assessment Comments
------------------------------------------------------------------------
Business Systems Applications... Yellow............ 92% of
Mission Critical
application
systems are Y2K
compliant. The
remaining systems
will be compliant
by July 31, 1999.
75% of
Non-Mission
Critical
application
systems are Y2K
compliant. The
remaining systems
will be compliant
by July 31, 1999.
A 100%
code review is
underway and on
schedule. 27
million lines of
code (LOC)
reviewed to date.
Error rate--
.005%.
Integrated Submission and Yellow............ Return
Remittance Processing System... processing
segment
operational in
all 10 service
centers.
Remittanc
e processing
segment
operational in 6
to 10 service
centers.
Contingen
cy plans inplace
at all sites to
mitigate risks.
Infrastructure.................. Yellow............ Infrastru
cture supporting
14 of 27 key Tier
2 systems was
completed on
schedule by 1/31/
1999; the
remaining systems
are scheduled for
completion by
July 1999 except
for 4 systems
approved for
completion later
in 1999.
Contract
for an
independent
review of all
COTS product
across all tiers
has been awarded.
Work will begin
March 1999 and
will be completed
September 1999.
All
personal
computers and
laptops to be Y2K
compliant by July
1999.
Service Center Mainframe Green............. All
Consolidation.................. segments with Y2K
compliance
issues, which
include security
systems and
terminal
replacements,
complete.
Schedule
for consolidating
remaining
segments adjusted
to minimize
unnecessary
change prior to
the millenium.
Telecommunications.............. Green............. Y2K
compliant rate
for the entire
Telecommunication
s inventory is
99%.
Remaining
products/systems
are scheduled to
be compliant
after the filing
season.
External Partners............... Yellow............ 291
externally
exchanged
datafiles must be
made Y2K
compliant. Over
70% of these are
currently Y2K
compliant.
The
balance of the
remaining files
will be compliant
by July 1999.
Additiona
l FMS testing is
currently being
carried out--
scheduled
completion date 4/
1/1999.
Non-IT.......................... Green............. Of the 67
IRS-controlled
mission-critical
buildings, 35 are
complete, 19 are
green (on
schedule), and 13
are yellow (5%
and 15% behind
schedule).
All 5700+
personal property
products have
been made Y2K
compliant with
the exception of
the Composite
Mail Processing
System (COMPS).
The IRS
is working with
GSA to develop
reporting of the
29 mission-
critical
buildings under
GSA control.
Budget--FY 1999................. Yellow............ Identifyi
ng area of
potential savings
and quantify new
costs.
End-to-End Testing.............. Green............. Testing
is on schedule.
Tracking
mechanism is in
place.
Contingency Management Plant Green............. CMP
(CMP).......................... developed.
Matrix of
IS systems to
business
processes
delivered.
All plans
comprising the
CMP on schedule
and due by 5/31/
1999.
Location Specific Deployment Green............. Process
Plan........................... in place.
Data is
available to all
IRS personnel on
the Y2K web site.
End Game Planning............... Green............. Process
underway to
coordinate all
January 1, 2000
planned
activities.
------------------------------------------------------------------------
Mr. Collins. Thank you, Mr. Commissioner.
Mr. Cosgrave, we will be pleased to receive your testimony.
STATEMENT OF PAUL COSGRAVE, CHIEF INFORMATION OFFICER, INTERNAL
REVENUE SERVICE
Mr. Cosgrave. Thank you, Mr. Chairman. Commissioner
Rossotti gave you an overview of both the scope and management
of IRS' Y2K program. I will go into a little more depth about
the status of our Y2K efforts.
Specifically, I'm going to talk about our software
applications and technology infrastructure; our external
partners, with whom we exchange information; major systems
replacement projects; and finally our end-to-end testing,
contingency planning, and additional support planning for
January 2000.
First, Commissioner Rossotti discussed the scope of the Y2K
effort at the IRS. We have 800,000 individual components that
we are converting, testing, and implementing to ensure that
they will operate smoothly at the turn of the century. This
work is like taking an 800,000-piece jigsaw puzzle apart,
looking at each piece individually, doing something, and then
putting them back so it all works together. You have to take
apart the puzzle and get it all working again.
And I'm pleased to report, all but a handful of those
800,000 pieces will be back together by July of this year. The
remaining pieces will be done by September, and they will all
be included in our final integration test, which is scheduled
for the remainder of this year.
In terms of our applications, at this time 92 percent of
IRS' mission-critical applications are Y2K compliant, and 75
percent of our non-mission-critical applications are compliant,
with the remainder to be completed by July 1999. Most all of
our local-area networks are now Y2K compliant, and all of our
PC's and laptops will be Y2K compliant by July 1999.
The entire technology infrastructure that supports these
applications is today approximately 56 percent compliant, with
the rest to be completed later in 1999. The principal reason
for trailing in the infrastructure area is that several vendors
of our off-the-shelf business applications did not declare
themselves Y2K compliant until late in 1998. So I didn't try to
rush implementation and testing of those products. Rather, I
decided to wait until after filing season to implement the new
programs and validate Y2K compliance of these infrastructure
systems.
All the infrastructure and applications with completion
dates later in this year will still be part of our final
integration tests. We are also conducting an independent review
of 100 percent of all of our computer programming code that's
over 40 million lines of code. To date, we've reviewed 27
million lines, and that revealed an error rate of only .005
percent. I'll just comment that our error rate approaches a
number known as six sigma, which is a standard of quality used
by some of the best private-sector companies.
With respect to our external partners, I'd like to give you
some sense of our progress. Our external partners include the
Social Security Administration, Financial Management Service, a
number of banks--NationsBank, BancOne--service providers such
as H&R Block, and over 50 and State and local entities, and
many others.
IRS is working very closely with our external partners
ensuring that their interfacing systems comply with our four-
digit year date format and making sure they get the information
they need so they can comply with the formats we need. Seventy-
two point 5 percent of the files exchanged externally are
currently Y2K compliant, and the remainder will be complete by
July. We are also assessing the Y2K plans of our most critical
partners to ensure they are Y2K ready.
Some of our systems in two particular cases here, are over
20 years old and literally cannot be made compliant. These are
some of our most important base systems, the one that processes
our basic returns and our payments, and also our mainframe
computers that perform our consolidated reporting.
As it relates to processing returns and payments, first our
new integrated submissions and processing system has two
critical components that have to be made Y2K compliant. The
component that processes returns has been completed and is now
operational at all 10 service centers and is being used during
this filing season. The component that processes payments is
currently operational for this filing season in 6 of the 10
service centers, and those six sites are performing their
normal activities effectively. The remaining four sites will be
converted in August of this year.
The second replacement project is our service center
mainframe consolidation project. This project has several
objectives, in addition to achieving Y2K compliance, that
includes supporting the filing season, positioning the service
for modernization, reducing long-term cost, meeting OMB
directives, and implementing disaster recovery. All components
of this project that had Y2K issues, which include the security
systems and the terminal replacements, have now been made Y2K
compliant and the workload has been moved from the 10 service
centers to two consolidated computing centers.
The schedule for the remaining components, which includes
consolidating some collection systems and our printing
capabilities, is now complete at three centers. We'll have five
centers done by year-end, and will complete all 10 sites in
calendar 2000.
Since we have completed all necessary Y2K work, we changed
the schedule in order to minimize introducing unnecessary
change prior to the actual millennium date.
Finally, our end-to-end tests, which tests how well all
these jigsaw pieces fit back together, are on schedule. We
completed the first two phases of this testing, and we'll begin
the final integrated tests in May.
In addition to end-to-end tests, we're developing
contingency plans based on GAO's recommendations. All plans are
on schedule and will be complete by May 1999.
In addition to testing and contingency planning, we are
also preparing for additional support in January 2000 should
hiccups occur in any of these different systems. These plans
included activities scheduled for January 1st and 2nd of 2000,
prior to the first work day.
So in conclusion, both the Commissioner and I are
personally monitoring the status of IRS' year 2000 activities
and we are confident we will be able to fulfill our mission in
the year 2000.
We recognize that there may be some glitches along the way,
but we are prepared to deal with them in an organized manner to
minimize any impact on taxpayers.
Thank you for your time.
Chairman Archer. Thank you, Mr. Cosgrave.
Our next witness is Mr. Mark Ernst. If you will identify
yourself and whom you represent for the record, you may
proceed. Welcome.
STATEMENT OF MARK A. ERNST, EXECUTIVE VICE PRESIDENT AND CHIEF
OPERATING OFFICER, H&R BLOCK, INC.
Mr. Ernst. Thank you. Mr. Chairman and Members of the
Committee. I'm Mark Ernst. I'm executive vice president and
chief operating officer of H&R Block. We appreciate the
opportunity to discuss the effects that Y2K adjustments by the
IRS and IRS' stakeholders will have on taxpayers.
I would like to make just four brief points.
First, H&R Block is the Nation's largest tax preparation
firm. With the year 2000 beginning in only 310 days, we and
over 15 million of our clients who file one in seven individual
tax returns that are received by the IRS (and about 36,000 per
Congressional District), have a very big stake in a smooth
transition.
Our clients are especially concerned about receiving timely
refunds. Seventy percent of taxpayers get refunds, and many
families depend on them to pay bills and as a source of annual
forced savings.
Second, we know that successful Y2K transition depends not
only on the IRS but also on a long chain of external trading
partners, including tax professionals like H&R Block. I'm
pleased to report that we are on schedule for successfully
modifying our systems for year 2000. We've completed and tested
90 percent of 133 Y2K projects in nine mission-critical
business functions. The remainder are scheduled for after April
15. While we do not expect any major interruptions of our
business, we are preparing contingency plans to address areas
of exposure, including trying to anticipate issues which may
arise out of the IRS.
Third, we are encouraged by the IRS' progress. The current
1999 tax season, in which many Y2K upgrades are being tested,
is functioning fairly well. IRS appears on track, and it has
been active in meeting with key partners and stakeholders. So
far, so good.
Fourth, for the future we've made a number of suggestions
which have been well received by the IRS. They include:
increasing the openness about the IRS' plans and
progress,
identification of risks to facilitate our and
other tax practitioners' contingency planning,
a continued dialog with a wide group of
stakeholders, and
tests with State revenue departments, the Social
Security Administration, and the Financial Management Service
before fourth-quarter end-to-end tests.
Mr. Chairman, we appreciate your support and IRS's
cooperation. And we look forward to working with the Service
and other stakeholders to ensure a seamless transition.
While we can't guarantee that citizens will be any more
thrilled about paying taxes in the next millennium, we are
working to ensure that the process will go smoothly and refunds
will be issued promptly. We are happy to respond to questions.
[The prepared statement follows:]
Statement of Mark A. Ernst, Executive Vice President and Chief
Operating Officer, H&R Block, Inc.
Summary
H&R Block handles over 15.6 million individual
U.S. tax returns, 1 of 7 received by the IRS (about 36,000 per
Congressional district), and markets Kiplinger
TaxCut.
With Y2K beginning in only 310 days, stakes are
high for government units and especially for the 70% of
taxpayers who expect timely refunds. Y2K compliance depends not
only on the IRS but on a long chain of external trading
partners.
H&R Block is on target to successfully modify its
systems and prepare for Y2K. It has completed and tested 90% of
133 Y2K projects in nine mission-critical business functions;
the remainder are scheduled after April 15.
We are encouraged by IRS's progress. The 1999 tax
season--in which many Y2K upgrades are being tested--is
functioning well. IRS appears on track, and has been proactive
in meeting with key partners and stakeholders.
Our suggestions have been well received, including
openness about plans and progress, identification of risks to
facilitate contingency planning, continued dialogue with a wide
group of stakeholders, and tests with state revenue
departments, SSA, and FMS before fourth quarter end-to-end
tests.
----------
Mr. Chairman and Members of the Committee: I'm Mark Ernst,
Executive Vice President and Chief Operating Officer of H&R
Block. Prior to joining the company last September, I was for
12 years affiliated with American Express. We appreciate the
opportunity to discuss the effects of Y2K adjustments by the
Internal Revenue Service and its stakeholders on taxpayers and
beneficiaries of federal programs. With me today are David
Jamison, head of our Y2K project office, and Bob Weinberger,
our vice president for government relations.
About H&R Block
H&R Block, founded in 1955 and headquartered in Kansas
City, is America's largest tax return preparation company. Over
120,000 individuals take our tax training courses annually. At
8,900 U.S. offices, we handle over 15.6 million individual
returns--which is one in seven received by the IRS and about
36,000 per Congressional district. We are leaders in electronic
filing, originating over half the practitioner e-filed returns
that IRS receives. One of our subsidiaries--Block Financial--
develops and markets Kiplinger TaxCut tax preparation
software, which has over 1.5 million users. We also offer our
clients mortgages, financial planning, and investment services.
We have recently acquired accounting practices in five cities.
And we prepare tax returns internationally at over 1,200
offices in Canada, Australia, and the United Kingdom.
High Stakes
The implications of Y2K for taxpayers and the tax system
are serious. Calendar year 2000 begins in just 310 days. Almost
immediately, America will begin the annual ritual of an
intensive and complex 105-day tax season. Over 120 million
individual taxpayers, 4.7 million corporations, 640,000 tax-
exempt organizations, and millions of payors and employers will
file over a billion federal information and tax returns.
The compliance chain needed to make the 2000 tax season
successful includes employers and information return providers,
software publishers, tax professionals, electronic return
trans-mitters and originators, state governments, financial
institutions and payroll agents, and nearly 50 federal agencies
including the Social Security Administration and the Financial
Management Service.
Much depends on that data: IRS bookkeeping, compliance, and
enforcement; the operation of thousands of state and local
government units; verification of Social Security numbers to
validate dependents and credits; the issuance of checks or
direct deposits; the offset of refunds for delinquent child
support, student loans, and government tax debts; the
administration of Social Security and Medicare; and, of course,
the availability of $1.8 trillion in revenue that funds federal
government benefits and programs that affect all Americans.
Beyond the effect on governments, many of the 70% of
individual taxpayers--who today receive an average tax refund
of $1,800 each--depend on receiving their refunds promptly.
What may be a minor hiccup in the tax system can have
significant effects for an individual taxpayer.
Block's Program 90% Complete
At H&R Block, we have been working since 1997 to remediate
our systems and prepare for Y2K. Our efforts are detailed in an
Attachment to my remarks. Of 133 projects within nine mission-
critical business functions, over 90% were completed and tested
by the end of January; the remainder are scheduled to be
finished after the current tax season ends. These efforts
relate primarily to company-owned offices. About half of our
tax offices are owned by franchisees. We are surveying their
progress and offering assistance. We are also monitoring our
suppliers and transmitters.
As the IRS notes, results can never be guaranteed, but we
believe our own program is on target for successful completion.
We are trying to identify any weaknesses of others in the tax
chain to work through, or around, any problems. One plus for us
is that we prepare our own tax software and so have an
infrastructure of programmers and testers. Because we modify
our software annually, we have experience in making necessary
changes. But while we do not expect major interruption of our
business, we are preparing for the possibility in any case.
Good IRS Progress
Because of the high stakes, we are encouraged by the
progress Commissioner Rossotti, Paul Cosgrave, IRS's Chief
Information Officer, John Yost, the Y2K Program Director, and
Bob Barr, Assistant Commissioner for Electronic Tax
Administration, are making. You have given them needed funds
and support to do the job. Each has a solid background in
information systems technology and management. They are working
to implement best practices.
Significantly, they report most Y2K changes have been made
already with the remainder well on track. And, despite minor
glitches, the current tax season--which is effectively testing
many of the upgraded systems--seems to be functioning fairly
smoothly. So far, so good.
Our contacts with the IRS have been effective. IRS has been
proactive in its outreach and assessment of 13 key external
trading partners. IRS's outside consultants, Booz Allen &
Hamilton, met separately last winter with us and with our
electronic return transmitter--then CompuServe, now MCI-
WorldCom--to make sure our Y2K plans were robust. In early
1998, we tested modernized electronic filing formats that
reflected Y2K upgrades through the Preparer Acceptance Testing
System (PATS). IRS has also addressed stakeholders through the
Council for Electronic Revenue Advancement (CERCA) and the
Electronic Tax Administration Advisory Committee (ETAAC). IRS
end-to-end testing is set for the second half of 1999, and we
have eagerly requested to participate.
Suggestions that we have made to IRS have been well
received. They include:
First, we encourage IRS to continue to be open
about its plans and progress. Disclosure of trouble spots where
IRS believes its systems may be at risk will allow us to
develop contingency plans accordingly.
Second, IRS needs to continue communications with
a wide group of stakeholders whose cooperation is essential for
a successful 2000 tax filing season. Each is fixing its own
computers and software. Active dialogue among stakeholders and
with the IRS will help to ensure that the many ways we interact
with one another are successful beginning in January, 2000. In
our own case as the nation's largest tax preparer, we have
invited Messrs. Cosgrave and Yost to a review and planning
discussion.
Third, we suggest that IRS test its systems with
state revenue departments, the Financial Management Service,
and the Social Security Administration and share the results in
advance of end-to-end testing. Each plays an important role in
tax administration.
Our suggestions in these areas are not meant to imply that
IRS is not adequately planning or sequencing its Y2K
operations. It properly needs to keep focus on its own repair
efforts. Its cooperation enables us to perform our role in the
tax chain and develop contingency plans where risks can't fully
be seen.
We look forward to working with the Service and various
stakeholders and partners to ensure a smooth transition to a
successful 2000 filing season in which returns are filed easily
and refunds issued promptly.
I'm happy to respond to questions.
H&R Block Y2K Plans and Status
In July 1997, H&R Block established a program to inventory,
evaluate and mitigate potential Year 2000 related issues. As
part of this program, the company identified three key
categories of software and systems, including information
technology (IT) systems, non-IT systems (systems with internal
clocks or imbedded microprocessors) and systems of third
parties with which it interacts. Although the assessment phase
of the project is essentially complete, our Year 2000 Project
Office continually monitors the Y2K environment for new
information that may adversely affect us and implements
industry best practices to ensure successful operations
continue well into the new millennium.
During assessment, we identified nine mission critical
business functions, with U.S. tax preparation services topping
the list, and 28 non-mission critical business functions.
Within each of the business functions, key IT and non-IT
systems are being inventoried and assessed for compliance and
detailed plans are in place for required system modifications
or replacements.
Currently, remediation projects are at different phases of
completion. One hundred and thirty-three remediation projects,
including both IT and non-IT systems, were identified within
the nine mission critical business functions. Of these 133
projects, over 90% completed remediation and testing by January
31, 1999. The remaining projects in testing cannot be fully
completed and in production until after the 1999 tax season due
to the nature of our business.
We are also in the process of completing a survey and
inventory of our tax franchisees. Some readiness issues have
been identified and we are assisting our franchisees with their
remediation programs to help mitigate their risk. One area in
which we are assisting includes an understanding of IRS Y2K
status.
The Company has initiated communications and surveyed
state, Federal and foreign governments and suppliers and
business partners with which it interacts to determine their
plans for addressing Year 2000 issues. We are relying on their
responses to determine if they will be Year 2000 compliant. Not
all have responded. Contingency plans are being modified and
developed as appropriate.
One of the Company's mission critical business partners, if
not the most mission critical, is the Internal Revenue Service.
In its most recent report, dated December 8, 1998, the Office
of Management and Budget lists IRS as a ``Tier Two Agency''--
evidence of progress is visible, but concerns also exist.
The IRS was scheduled to be Year 2000 compliant by January
31, 1999. It plans to do end-to-end testing in a simulated Year
2000 environment with critical business partners and state
departments of revenue in the second half of 1999.
We have met with associates from Booz, Allen & Hamilton who
represent IRS in its efforts to understand the status of H&R
Block's systems and business processes that interface with IRS.
We have also audited IRS Program Director John Yost's Y2K
update to the Council on Electronic Revenue Advancement (CERCA)
membership last October. Eddie Feinstein, H&R Block's Director
of Electronic Commerce, has also met with Commissioner Rosotti,
CIO Paul Cosgrave, and others in the Y2K project in his role as
CERCA Chairman and a member of the Electronic Tax
Administration Advisory Committee (ETAAC).
Chairman Archer. Thank you, Mr. Ernst.
Our next witness is Mr. William Dennis. If you will
identify yourself and whom you represent for the record, you
may proceed.
STATEMENT OF WILLIAM J. DENNIS, JR., SENIOR RESEARCH FELLOW,
EDUCATION FOUNDATION, NATIONAL FEDERATION OF INDEPENDENT
BUSINESS
Mr. Dennis. Thank you, Mr. Chairman. I'm William Dennis,
senior research fellow with the NFIB Education Foundation here
in Washington.
Attached to my written statement is a copy of a report that
I prepared late last year regarding the preparedness of small
business for Y2K as of late October, early November. The report
itself was developed from data collected for us by The Gallup
Organization, from a national random sample, not just of NFIB
members, but from all small businesses.
We expect to conduct the third survey in this series in
April and we will be happy to report to you when the project
completed in May.
Since the full report is attached, let me just briefly
summarize and discuss implications for issues within the
jurisdiction of the Committee. When you think about small
business and its preparedness for Y2K, divide the population
into thirds. The first third of this 5.7 million small
employers is the group that has done something. They have taken
steps; they feel that they are prepared; 70 percent have
already tested their systems. Unless something very different
happens, they think they are prepared.
This group consists disproportionately of larger small
firms and more urban small firms. As a result, they cover a
greater share of the employment in the small business
population than their numbers within it.
The second third falls at the direct opposite end. This is
the third that hasn't done anything, and says it is not going
to do anything. Their rationale is that they don't think they
are going to be affected. But if they are going to be affected,
it probably will be cheaper for them to fix any problem after
January 1 than to go ahead through the entire process earlier.
An optimist would point out that 90 percent of all small firms
have had their most critical software updated in the last 2
years and virtually all within the last 5 years. Nonetheless, a
substantial number of small firm owners appear not to be ready
to do anything further.
The final third can be divided into two equal halves. The
first one of these halves is the group that doesn't have
computers and says that it doesn't have equipment with any
embedded chips in them. This group essentially has no
management control over any type of vulnerable equipment. It
couldn't take any action within the firm that would affect the
Y2K problem one way or another.
The second group, the other sixth, is the group that plans
to do something, but hasn't yet done it. Given the history of
these surveys, this group probably will follow through. Thus,
if we take the plans that they have and extrapolate them
forward, we're looking at approximately 3 million small
employers who will be prepared. We're looking at about 1
million who essentially are out of the picture and don't really
have to be worried. And we're looking at about 1.75 million or
slightly less than that who will have taken no action.
Now small business owners basically consider this a small
business problem or a business problem. And warn that business
is going to have to resolve it themselves. The primary issue
for the Federal Government is to make sure its own house is in
order. When small business files its taxes, it must be sure
that it's taxes been properly credited and so forth.
The second thing the Federal Government can do is lead. It
can do more with wheedling, cajoling, and explaining than it
already has. And I'd be happy to give you some particulars on
that.
Since my time is running short, let me just conclude with
one final point. Data problems prohibit us from offering a
definitive estimate of the cost that those who have taken
action have incurred. While some are running into extraordinary
costs, very high costs, most are running into very minimal
costs. In fact, 75 percent have spent less than $5,000 to come
into compliance.
So it's not a lot and most of them have annual computer
budgets that are larger than that. So at this time, financing
is not a major impediment to action.
Thank you very much, Mr. Chairman.
[The prepared statement follows:]
Statement of William J. Dennis, Jr., Senior Research Fellow, Education
Foundation, National Federation of Independent Business
Thank you for this opportunity to present testimony on the
Y2K preparedness of small business and its implications for
matters within the jurisdiction of this Committee.
Attached is a copy of the full report that I wrote in
December concerning the preparedness of small business for Y2K
as of late October/early November. The report was developed
from data collected for the NFIB Education Foundation by The
Gallup Organization. The document is the second report in the
series, the first published in May and sponsored by the Wells
Fargo Bank. The Foundation currently expects to conduct a third
survey study in April with results available in May.
Since the full report is attached, let me summarize the
salient points and move to implications. The state of small
business preparedness for Y2K can be roughly divided into
thirds. The first third of the estimated 5.75 million small
employers has taken steps to prevent internal problems that may
have been created by the Millennium Bug. This group has
generally completed preventive measures (or is the process of
completion) and in most instances have tested their systems.
Small business owners in this third are ready for January 1,
2000, for all intents and purposes and plan no additional
measures. It should be noted that these owners tend to operate
larger small businesses and therefore include a
disproportionately large share of small business employment.
They also are disproportionately located in urban areas.
The second third falls at the other end of the preparedness
scale. Its members have taken no action and plan to take none.
While it is likely that some will eventually move from the no
action category to the action category, my judgment is that
most will do precisely what they say they will do--nothing.
Their rationale is generally straight-forward: they don't think
Y2K is a problem that will directly affect them or will
directly affect them enough to worry about. (In this context
``directly affects'' means an impact that they can control. It
does not mean a problem beyond their management authority,
e.g., loss of electric power.) Theirs is not an altogether
irrational position. A very small business with a relatively
new computers and updated software could conceivably spend more
checking itself than replacing its system if it went down, and
with new equipment the chances of a problem are greatly
minimized. An optimist can even point out that almost 90
percent have updated their most critical software in the last
two years and the remainder have in the last five.
The difficulty with this rationale, however, and the single
greatest argument for small business owners taking preventive
measures as soon as possible is that those impacted will all be
hit at about the same time. The key to minimizing damage or
even surviving will be to get the impacted systems up and
running immediately. But small business will be at the end of
every line to obtain/purchase help, and those who can find it
will pay a premium.
The third must actually be divided into halves. The first
half of the group is planning to take action, but has not yet
done so (as of the date of the survey). If history provides any
insight, this one-sixth of the population will follow-through
on its plans. The number in the April survey who planned to
take steps was the number in the October/November survey who
took steps in that six month interval.
[GRAPHIC] [TIFF OMITTED] T6850.002
The last group, i.e., the second half of the third third,
doesn't have equipment susceptible to the Millennium Bug.
Owners in this category have no computers or similar devices.
They have no embedded chips threatening to close down critical
machines. While these ventures may be impacted by events
occurring outside their place of business, they can do little
within the framework of their enterprise to prevent problems.
It appears that about half of all small employers will have
taken action by January 1, 2000, to protect themselves from
internally generated Y2K impacts. That constitutes almost three
million firms. Yet, over one and two-thirds million will be
exposed to difficulties brought on by their own equipment. The
final one million do not need to be concerned.
Pressures are being brought to bear within the private
sector to improve these numbers. Larger firms often require
their suppliers to be Y2K compliant. Some commercial banks are
demanding their customers, particularly those who interact
electronically, to certify that they have taken preventive
measures. Still, only 27 percent of exposed owners claim to
have received a communication from a supplier, customer or
financial institution asking them to certify their preparedness
for Y2K.
Y2K Is a Business Problem
Y2K is essentially a business problem. It originated
through a normal business decision-making process which, at the
time, seemed quite rational. It was neither instigated nor
coerced by government nor will government be the prime vehicle
to resolve it.
The most important thing the Federal government can do is
put its own house in order. IRS must have its systems prepared
to accurately and efficiently process the vast amount of data
it receives. If a tax-paying small business owner deposits his
taxes on the anointed day, he has every right to expect that he
will receive credit for the deposit and that it will be done
without persistent snafus. If a tax-paying small business owner
needs to inquire about any aspect of his account with IRS, he
should be able to receive an accurate and timely response.
Those of us on the outside have no means to judge how
effectively IRS is addressing its Y2K problem. But little could
be more disruptive than to have the tax agency beset by
systematic data processing problems.
The second thing the Federal government can do is to adopt
a position of the Village Nag. It can use its pulpit to
wheedle, cajole and explain. In other words, it can lead. The
Federal government can raise Y2K visibility and can warn (in
contrast to alarm) people. It can also encourage business to
work with one another to identify problems and to resolve them.
None of us really know what will happen next January 1.
Some think it will be just another day while others stock their
bunkers. But assume for the moment that some machines lock or
malfunction. That will not stop business from being transacted
nor government from demanding its paperwork. Small employers
will be expected to fulfill their legal obligations as if
nothing had happened.
But, what will the IRS reaction be if a small employer's
computers lock and he can't file his W-3s by the end of
January? What will the IRS reaction be if an owner is in the
middle of an audit and he can't retrieve critical information?
What will its attitude be if a small business owner is the
client of a firm which experiences a Y2K malfunction? IRS (and
other governmental agencies) should have policies in place to
handle such contingencies. An announced policy recognizing and
allowing for the existence of adverse Y2K outcomes might have
the secondary benefit of serving as an incentive for some to
take action when they otherwise might not have.
I easily reconcile the view that Y2K is essentially a
business problem with the fear that IRS policy will not
appreciate or account for Y2K difficulties (public policy) that
may arise among smaller firms. My rationale is the uncertainty
of the solutions. To some extent, I am less concerned about the
very small firms which have not taken action than larger, firms
which have. The reason is that larger firms are on the whole
older firms. For example, the median age of a 1-4 employee
business is about four to four and one-half years. The median
age of a 50-100 employee business is over 10 years. Newer firms
will have fewer old systems and affected devices. As a rule,
they are also less likely to have sophisticated equipment
(though medical facilities are examples to the contrary). In
addition, the issue of embedded chip devices remains a major
question mark. What equipment contains them? And what equipment
contains chips with timing/dating mechanisms? Most think of Y2K
in terms of their computers, but what of the other, less
obvious systems?
Costs of Action
Data problems prohibit definitive estimates of Y2K costs.
However, most small business owners who have taken action have
spent minimal sums to become ``Y2K compliant.'' While there are
small firms required to spend $50,000 or more to protect
themselves, the common figure is less than $1,000. Over 75
percent who have taken action have spent less than $5,000.
(Another nine percent didn't know). That sum clearly falls
within their computer budgets. The median annual budget for
hardware, software and maintenance is about $4,000 with almost
three in four budgeting less than $10,000. As the deadline
approaches, costs appear to be rising. The reason isn't clear,
though one can speculate that the easiest ``fixes'' were
completed first and the more difficult, more expensive ones are
following.
Financing is not a major impediment to action at this time.
Only three percent now planning action say that the reason they
have not done so to date is a financing problem. Few small
business owner respondents mentioned finance in any context.
However, for some, the out-of-pocket costs will be significant
and ones that they would not normally make. This is not a
question of locating debt finance to undertake the preventive
measures. That appears readily available. It is a question of
paying for them.
International Problems
The Committee has every right to be concerned about the
impact of Y2K on international trade given the lesser
preparedness in many parts of the world. From the parochial
small business perspective, the impact of Y2K does present a
serious difficulty. Just three percent of small business owners
say that they interact electronically ``a lot'' with business
associates, i.e., suppliers, financial institutions or
customers, outside the country. Fifteen (15) say the interact
with these people ``a little.'' The rapid growth of e-commerce
means these percentages may already have changed since the
conduct of the survey upon which this information was
developed. Still, it is not a major small business
consideration at this time.
Conclusion
To repeat, the most important thing that the Federal
government can do to help small business with Y2K is be certain
that its own house is in order and to exhibit consideration
with regard to its administrative requirements for those owners
who have encountered an adverse Y2K experience.
I will attempt to answer any questions that you may have.
[The attachment is being retained in the Committee files.]
Chairman Archer. Thank you, Mr. Dennis.
Our last witness on this panel is Mr. James White. Would
you identify yourself and the group that you are representing,
which I think I'm familiar with. You may proceed.
STATEMENT OF JAMES R. WHITE, DIRECTOR, TAX POLICY AND
ADMINISTRATION ISSUES, GENERAL GOVERNMENT DIVISION, U.S.
GENERAL ACCOUNTING OFFICE
Mr. White. Thank you, Mr. Chairman, and Members of the
Committee. My name is James White, I'm the Director of the Tax
Issue area at the General Accounting Office. I'm pleased to be
here today to discuss the status of IRS' year 2000, or Y2K,
effort and the remaining challenges it faces.
My statement makes four points, which are summarized in the
full version of my statement on page 2.
First, we are unable to provide an overall picture of the
Y2K status of IRS' 133 mission-critical systems. Examples of
these systems are Telefile, which allows taxpayers to file
simple returns by phone, and various programs that update
taxpayer accounts. IRS does not report the status of these
mission-critical systems, rather, as Mr. Cosgrave explained, it
reports on components, such as application software and
hardware. This reflects the way IRS is organized, with one
office managing applications, one managing hardware, and so on.
Second, although we cannot report on the status of the
mission-critical systems in their entirety, IRS has made
significant progress since we testified before the Ways and
Means Oversight Subcommittee last May. However, it has not met
all of its goals. IRS did meet its January 1999 goal for
correcting application software, upgrading telecommunications
networks, and implementing the Y2K part of its mainframe
computer consolidation.
Despite significant progress, it did not meet its goal for
upgrading systems software and hardware, and for fully
implementing its new tax return and payment processing system.
One consequence of not meeting these goals is that some systems
will not be ready for full testing until late in 1999.
Third, in addition to completing the work I just discussed,
IRS faces two remaining crucial year 2000 tasks. The first is
what is called an end-to-end test of IRS' mission-critical
systems. It will test the ability of IRS' upgraded systems to
work collectively.
The second critical task is to develop 36 contingency plans
to deal with possible failures scenarios. In response to
recommendations we made last June, IRS has broadened its
contingency planning effort. However, it has delayed the
completion date for the plans, leaving less time for testing
them, in part because of competing demands on the staff
responsible for the plan. IRS has prioritized the due dates for
these contingency plans based on risks.
Fourth, IRS will continue to face the challenge of
competing demands on its information system staff. Demands that
compete with the year 2000 effort include making tax law
changes and customer service improvements. To address these
competing demands, so far IRS has transferred staff, hired
staff, and delayed some activities.
As I said, IRS has made considerable progress in completing
its year 2000 work. However, it did not complete all the work
it had planned by January, and in addition has other crucial
tasks to complete this year. In the next 5 months, IRS will
pass several key milestones, including the April start for end-
to-end testing and the May deadline for contingency plans. As
each milestone is passed, the IRS and Congress should have
additional information about the risks posed by the year 2000
to IRS' mission-critical systems and thus to taxpayers.
Mr. Chairman, that concludes my statement. I'll be happy to
answer questions.
[The prepared statement follows:]
Statement of James R. White, Director, Tax Policy and Administration
Issues, General Government Division, U.S. General Accounting Office
Mr. Chairman and Members of the Committee: We are pleased
to be here today to discuss the status of the Internal Revenue
Service's (IRS) Year 2000 efforts \1\ and the remaining
challenges IRS faces in making its information systems Year
2000 compliant. If IRS' Year 2000 efforts are unsuccessful, the
impacts on taxpayers could include millions of erroneous tax
notices and delayed or erroneous refunds. IRS had established a
goal to complete most of its Year 2000 work by January 31,
1999. IRS established that goal to help ensure that it would
(1) have a Year 2000 compliant environment implemented for the
1999 filing season and (2) provide time for working out
problems that surfaced in the 1999 filing season and its Year
2000 testing.\2\
---------------------------------------------------------------------------
\1\ IRS' Year 2000 efforts are necessary because IRS' information
systems, many of which are over 25 years old, were programmed to read
two-digit date fields. Therefore, if unchanged, these systems would
interpret 2000 as 1900, seriously jeopardizing tax processing and
collection operations. IRS' Year 2000 efforts include (1) fixing
existing systems by correcting application software and data and
upgrading hardware and systems software, if needed; (2) replacing
systems if correcting them is not cost-beneficial or technically
feasible; and (3) retiring systems if they will not be corrected by
2000.
\2\ The Year 2000 end-to-end test is to ensure that most of IRS'
mission-critical systems can operate collectively, with all systems
date clocks set forward to simulate the Year 2000.
---------------------------------------------------------------------------
Our statement discusses four topics--(1) the extent to
which IRS monitors the Year 2000 status of its mission-critical
systems in their entirety; (2) whether IRS met the January 31,
1999, completion goal for the areas that it monitors--
application software, systems software, hardware, and
telecommunications networks; (3) the status of two remaining,
critical Year 2000 tasks--conducting Year 2000 testing and
completing 36 contingency plans; and (4) the fact that other
business initiatives are creating competing demands on staff
needed for Year 2000 efforts.
First, we cannot provide a complete picture of the
Year 2000 status of IRS' 133 mission-critical systems because
IRS does not report Year 2000 status for these systems in their
entirety. Instead, IRS monitors the Year 2000 status of the
components of an information system, such as the application
software,\3\ systems software,\4\ and hardware, for each of its
three types of computers--mainframes, minicomputers/file
servers, and personal computers. IRS officials acknowledge that
their monitoring reports do not provide a complete picture on a
system-by-system basis. However, these officials believe the
costs of doing so outweigh the benefits, particularly given the
time remaining to complete IRS' Year 2000 work.
---------------------------------------------------------------------------
\3\ Application software is the collection of computer programs
that allows a user to perform a specific job task.
\4\ Systems software is the collection of computer programs that
manage the computer's system hardware components (e.g., operating
system, central processing unit, or disk drives) that allow the
application software to interact with the hardware.
---------------------------------------------------------------------------
Second, IRS reports that it met the January 31,
1999, completion goal for some of the areas that it monitors
but not for others. IRS reports that it met the January 1999
completion goal for (1) correcting application software, (2)
upgrading telecommunications networks, and (3) fully
implementing one of its two major system replacement projects.
Despite significant progress since our testimony last May,\5\
IRS did not meet the goal for (1) upgrading systems software
and hardware for its three types of computers and (2) fully
implementing the other major system replacement project. As a
result of not meeting the goal some changes will not be tested
until late in 1999, reducing the time available to make
corrections before January 2000. Also, some service center
staffs will have no experience before 2000 using the new system
to process peak filing season volumes of remittances.
---------------------------------------------------------------------------
\5\ IRS' Year 2000 Efforts: Status and Risks (GAO/T-GGD-98-123, May
7, 1998).
---------------------------------------------------------------------------
Third, in addition to completing work on upgrading
systems software and hardware, IRS faces two remaining,
critical Year 2000 tasks. The first task, and one most
important for gauging IRS' success in achieving Year 2000
compliance, is an unprecedented, Year 2000 end-to-end test of
most of IRS' mission-critical systems. The end-to-end test is
to begin in April 1999. The need to conduct this test has
created an additional new challenge for IRS--meeting a
compressed schedule for developing and implementing tax law
changes for the 2000 filing season. The second critical task is
to develop 36 contingency plans that IRS has determined are
needed to address various failure scenarios for its core
business processes. IRS is developing these plans in response
to our June 1998 report.\6\ IRS has delayed the completion
dates so that the first set of plans are to be completed by
March 31, 1999, and the second set of plans by May 31, 1999. To
the extent that the plans require additional actions, such as
those associated with testing or preparatory activities needed
to implement the plans, this delay reduces the time available
to complete these activities.
---------------------------------------------------------------------------
\6\ IRS' Year 2000 Efforts: Business Continuity Planning Needed for
Potential Year 2000 System Failures (GAO/GGD-98-138, June 15, 1998).
---------------------------------------------------------------------------
Fourth, as IRS continues its Year 2000 efforts, it
will face the challenge of how to address the competing demands
on its staff. These competing demands are created by IRS' other
major business initiatives, such as implementing tax law
changes and completing the non-Year 2000 portions of one of
IRS' major system replacement projects. To address these
competing demands, in the past several months, IRS has (1)
transferred staff from other areas, (2) hired additional staff,
and (3) delayed some activities.
Our statement today is based on our past and ongoing Year
2000 work for this Committee's Oversight Subcommittee. As a
part of this work, we have interviewed officials from the
National Office and reviewed IRS' contingency planning
documents and IRS' Year 2000 progress reports for the week
ending February 6, 1999. We did not verify the reliability of
the data included in the February 6, 1999, reports.
IRS' Reports Do Not Provide A Complete Picture of Mission-Critical
Systems' Status
IRS' Year 2000 status reports do not provide a complete
picture of the status of IRS' mission-critical systems because
IRS does not monitor Year 2000 status for its mission-critical
systems in their entirety. Instead, IRS monitors the Year 2000
status of the components of an information system, such as the
application software, systems software, and hardware for each
of its three types of computers--mainframes, minicomputers/file
servers, and personal computers. IRS also monitors its
telecommunications networks separately.
As part of IRS' Year 2000 risk mitigation efforts,\7\ IRS
has hired a contractor to conduct periodic risk assessments.
The contractor's December 1998 report recommended exploring the
feasibility of tracking status on a system-by-system basis to
provide a clear view of IRS' ability to achieve Year 2000
compliance. The report stated that such a system view would
permit IRS to, among other things, help assess the need to
target resources to achieve Year 2000 compliance. IRS officials
said that IRS' approach to monitoring Year 2000 compliance
corresponds to how IRS' Information Systems organization is
structured to carry out its work. Specifically, IRS officials
said that separate organizational units are responsible for
application software, systems software and hardware, and
telecommunications networks. Therefore, IRS monitors its Year
2000 status by these areas. They do not believe the benefits of
monitoring status on a system-by-system basis outweigh the
costs, given the amount of time remaining to complete IRS' Year
2000 work.
---------------------------------------------------------------------------
\7\ IRS' Century Date Change Project Office outlined a risk
management process that is to (1) identify risks to the successful
completion of Year 2000 goals, (2) coordinate the development of risk
mitigation strategies, (3) oversee the execution of the strategies, and
(4) elevate unmitigated risks to the Commissioner's Executive Steering
Committee on the 1999 filing season and Year 2000 efforts.
---------------------------------------------------------------------------
Reports Indicate That IRS Met The January 1999 Completion Goal For Some
Areas But Not For Others
IRS' reports indicate that it met the January 1999
completion goal for some areas but not for others. The reports
indicate that IRS met the January 1999 goal for correcting the
application software for its existing systems and upgrading
telecommunications networks. Since May 1998, when we last
testified on this topic, IRS has also made progress in an area
that we said was lagging--upgrading systems software and
hardware. Despite this progress, however, IRS did not achieve
its January 1999 completion goal for any of its three types of
computer hardware. IRS fully implemented the Year 2000 aspects
for one of its major system replacement projects. For the other
system replacement project, 6 of the 10 service centers were
using the full suite of Year 2000 changes.
Reports Indicate that IRS Met Its Goal for Application Software
for Existing Systems and Telecommunications Networks
Since we testified in May 1998, IRS has continued to make
progress in correcting the application software for its
mission-critical systems. As of February 6, 1999, IRS reports
indicate that IRS has corrected 88 percent of these
applications, thereby exceeding its 85 percent goal.\8\ In
addition to completing this work, IRS has hired a contractor to
review all of the corrected application software to determine
whether IRS made any errors. This effort began in August 1998
and is scheduled to continue through May 1999.
---------------------------------------------------------------------------
\8\ In assessing progress, IRS determined that it needed to
complete 85 percent of its application software work by January 31,
1999. The work for the remaining 15 percent includes the steps needed
to certify that IRS has achieved Year 2000 compliance. IRS has deferred
correcting about 2 percent of its application software until July 1999
and January 2000.
---------------------------------------------------------------------------
In addition, IRS reports indicate that it met its goal for
completing work on its telecommunications networks. In May
1998, we said that, according to IRS, telecommunications
networks presented the most significant correction challenge
and were likely the highest risk for not being completed by
January 31, 1999. As of February 6, 1999, with the exception of
three areas, IRS reported that it met its goal for these
networks.\9\
---------------------------------------------------------------------------
\9\ The three areas are (1) voice mail for some of IRS' field
locations; (2) telephone routing for IRS' automated collection system;
and (3) telecommunications networks for at least 8,000 terminals. Work
on these three areas is to be completed by July 31, 1999.
Reports Indicate That IRS Did Not Meet the Goal for Systems
---------------------------------------------------------------------------
Software and Hardware
IRS' reports indicate that IRS made significant progress in
an area that in May 1998 we said was lagging--upgrading systems
software and hardware for its three types of computers:
mainframes, minicomputers/file servers, and personal computers.
Despite this progress, IRS did not meet the January 31, 1999,
completion goal for its three types of computers.
For IRS' mainframe computers, IRS officials said IRS fell
short in meeting its goal because of delays in receiving the
Year 2000 upgrades for one of its system replacement projects.
IRS officials said those upgrades are to be received and
implemented by March 1, 1999.
For minicomputers/file servers, IRS reports indicate that
as of February 6, 1999, IRS' Information Systems organization
had completed 60 percent of the work for upgrading systems
software and hardware--a significant increase from 13 percent
that was done in May 1998, when we last testified on the IRS'
Year 2000 status.\10\ According to IRS, systems software and
hardware for 13 of the 27 mission-critical systems that use
minicomputers/file server were not upgraded by January 31,
1999. The systems software and hardware for 7 of the 13 systems
are not scheduled to be Year 2000 compliant until after March
1999. As a result of the delay, some changes are not to be
tested until October 1999, when the second part of the Year
2000 end-to-end test is to begin. This delay reduces the time
available to make any needed corrections before January 1,
2000.
---------------------------------------------------------------------------
\10\ IRS' goal for systems software and hardware was to complete 80
percent of the work by January 31, 1999.
---------------------------------------------------------------------------
For personal computers, IRS officials said they plan to
replace about 35,000 personal computers and the associated
systems software between February 1999 and July 1999 to achieve
Year 2000 compliance. As a part of this replacement effort, IRS
plans to reduce the number of commercial software and hardware
products in its inventory from about 4,000 to 60 core standard
products. According to IRS officials, thus far, IRS has
completed testing on 5 of the 60 core products. IRS plans to
complete the testing for the remaining 55 products by April
1999. IRS' goal is to eliminate all nonstandard products by
July 1999.
Full Implementation of Year 2000 Changes Achieved for One of
the Two Replacement Projects; Less Than Full Implementation
Achieved for the Other
For one of IRS' two major system replacement projects, IRS
implemented the Year 2000 changes at all 10 service centers by
January 31, 1999; for the other system replacement project, 6
of the 10 service centers were using the full suite of Year
2000 changes for the system by January 31, 1999. IRS' two major
system replacement projects are Service Center Mainframe
Consolidation (SCMC) and the Integrated Submission and
Remittance Processing (ISRP) System. SCMC is to consolidate the
mainframe computer tax processing activities from the 10
service centers to 2 computing centers--thereby reducing the
total number of tax processing mainframe computers from 67 to
12. Specifically, SCMC is to (1) replace and/or upgrade
mainframe hardware, systems software, and telecommunications
networks; (2) replace about 16,000 terminals that support
frontline customer service and compliance activities; and (3)
replace the system that provides security functions for on-line
taxpayer account databases with a new system known as the
Security and Communications System (SACS). Replacement of the
terminals and the implementation of SACS are critical to IRS'
achieving Year 2000 compliance. The other replacement project
is ISRP. ISRP is a single, integrated system that is to perform
the functions of two systems that are not Year 2000 compliant--
the Distributed Input System that IRS uses to process tax
returns and the Remittance Processing System that IRS uses to
process tax payments.
SCMC
IRS completed the Year 2000 critical portions of SCMC by
January 31, 1999. Specifically, in early October 1998, IRS
completed its implementation of the 16,000 terminals that are
needed for frontline customer service and compliance
activities. Also, as of January 31, 1999, all 10 service
centers were using SACS.
Originally, IRS had planned to have the other aspects of
SCMC besides SACS--that is, the tax processing activities of
the 10 service centers--moved to the 2 computing centers by
December 1998. As of January 31, 1999, the tax processing
activities for three service centers had been moved to the
computing centers. IRS is determining the number of additional
service centers that are to be moved in 1999. SCMC officials
have developed several different schedule options for moving
the tax processing activities of the remaining seven service
centers. At the time we prepared this statement, IRS officials
had not yet selected a schedule option.
According to IRS officials, the tax processing activities
of all 10 service centers do not need to be moved before 2000
because the existing mainframes in each of the 10 service
centers have been made Year 2000 compliant. Thus, in all
likelihood, at the start of the 2000 filing season, some
service centers will be processing their data locally, whereas
others will have their data processed at the computing centers.
IRS' Year 2000 end-to-end test is designed to include both
processing scenarios.
ISRP
Both functions of ISRP--tax return processing and
remittance processing--were to be implemented in November 1998.
However, as a result of problems that occurred during the pilot
test of ISRP and the contingency option IRS implemented for the
1999 filing season to address those problems, 4 of the 10
service centers are not to begin using the remittance
processing portion of ISRP until August 1999.
For the 1999 filing season, the contingency option for ISRP
is to retain enough of the old tax processing and remittance
processing equipment in the service centers so that IRS could
revert to the old systems if ISRP experiences problems.
However, four of the service centers did not have enough floor
space to accommodate both the old tax processing and remittance
processing systems and the ISRP equipment. As a result, these
four service centers are to continue using the old remittance
processing equipment during the 1999 filing season and convert
to ISRP in August 1999. These four service centers were among
the top five remittance processing centers during the peak of
the 1998 filing season. We recognize that this contingency
option may have been the only feasible one for IRS. As we
reported in December 1998, these four service centers are to
receive their equipment late in 1999. As a result, their staffs
will have no experience with the new equipment before the 2000
filing season in processing the large volume of remittances
that occur in the peak of the filing season.\11\
---------------------------------------------------------------------------
\11\ Tax Administration: IRS' 1998 Tax Filing Season (GAO/GGD-99-
21, Dec. 31, 1998).
---------------------------------------------------------------------------
Two Remaining Critical Year 2000 Activities Still Remain; One of Which
is Behind Schedule
In addition to fixing its existing systems, IRS still needs
to complete two critical activities for its Year 2000 efforts,
and one of these activities is behind schedule. The two
critical activities are the completion of (1) an unprecedented
Year 2000 end-to-end test of 97 of IRS' 133 mission-critical
systems and (2) 36 contingency plans for IRS' core business
processes.
Unprecedented End-to-End Test is to be Begin in April 1999
Using thousands of test cases, IRS' Year 2000 end-to-end
test is to assess the ability of IRS' mission-critical systems
to function collectively in a Year 2000 compliant environment.
These cases are intended to replicate the many different kinds
of transactions that IRS' information systems process on any
given day to help assess whether IRS' systems can perform all
date computations using data and systems date clocks with
January 1, 2000, or later. The test will involve 97 of IRS' 133
mission-critical systems.\12\ Most of IRS' mission-critical
system application software has been tested individually;
however, the ability of the application software to operate
collectively, using Year 2000 compliant systems software and
hardware, with all systems date clocks set forward to simulate
the Year 2000, has not been fully tested.
---------------------------------------------------------------------------
\12\ According to IRS' Product Assurance officials, 97 systems
represent the maximum number of systems Product Assurance could
effectively manage. Testing for the remaining systems is to be done by
those organizations that have responsibility for maintaining them.
---------------------------------------------------------------------------
In July 1998, IRS began the preliminary activities
associated with conducting the end-to-end test. These
activities included, but were not limited to, establishing a
dedicated test environment to replicate IRS' tax processing
environment, developing test plans and procedures, and doing
some preliminary testing of some systems with the systems date
clock set forward to 2000. Currently, IRS is developing
baseline data from the 1999 filing season that will be
ultimately used for the Year 2000 end-to-end test. The end-to-
end test is to have two parts. The first part is scheduled to
begin in April and end in July 1999. The second part is to
begin in October and end in December 1999. The April test is to
include the application software that is currently being used
for the 1999 filing season. The October test is to include the
application software changes that are needed for the tax law
changes that are to be implemented for the 2000 filing season.
The need to conduct this test has in turn created an
additional challenge in completing the work necessary for the
2000 filing season. As shown in table 1, to accommodate the
Year 2000 end-to-end test, IRS revised its traditional
milestones for implementing tax law changes for the 2000 filing
season, thereby compressing the amount of time available to
develop and test these changes. Under this compressed schedule,
instead of having until January 2000, IRS must program and test
all tax law changes that are to take effect in the 2000 filing
season before September 30, 1999.
Table 1.--Key Activities Associated With Implementing Tax Law Changes,
Traditional Milestones, and Revised Milestones as a result of Year 2000
Test Schedule
------------------------------------------------------------------------
Revised milestone
Traditional as a result of
Key activity milestone Year 2000 testing
requirements
------------------------------------------------------------------------
Business requirements developed. Summer to January. Summer of 1998 to
January 1999
Business requirements February to June.. February 1999
transmitted to Information
Systems organization.
Development of application March to October.. March to Mid-June,
software. 1999
Systems acceptance testing a.... Late August to mid- Mid-June to
January. September, 1999
Final phase of the Year 2000 end- N/A b............. October to
to-end test. December, 1999
Implementation.................. January........... January 2000
------------------------------------------------------------------------
a IRS' systems acceptance testing assesses whether an application meets
the specified user requirements.
b Not applicable.
Source: IRS data.
Under the compressed schedule, business requirements are to
be delivered to IRS' Information Systems organization by
February 28, 1999; the Information Systems organization is
scheduled to complete the application software changes by June
15, 1999; and testing of these application software changes is
be completed by September 30, 1999.
Staggered Milestones Developed for Completing IRS' Contingency
Plans
In 1999, IRS is to complete the development of 36
contingency plans that IRS determined are needed to address
various Year 2000 failure scenarios for its core business
processes. IRS' initial goal was to have these plans completed
by December 1998; however, IRS' revised goal is to complete 18
submissions processing contingency plans, 2 customer service
contingency plans, and 3 key support services \13\ plans by no
later than March 31, 1999. One key support services contingency
plan and 12 compliance contingency plans are to be completed by
May 31, 1999.
---------------------------------------------------------------------------
\13\ Key support services include internal business processes, such
as maintaining buildings and executing budget functions and payroll
activities.
---------------------------------------------------------------------------
In June 1998, we reported that IRS' Year 2000 contingency
planning efforts fell short of meeting the guidelines included
in our Year 2000 Business Continuity and Contingency planning
guide.\14\ Accordingly, we recommended that the Commissioner of
Internal Revenue take a series of steps to broaden IRS'
contingency planning effort to help ensure that IRS adequately
assesses the vulnerabilities of its core business processes to
potential Year 2000 induced system failures. Specifically, we
recommended that the Commissioner take the following steps: (1)
solicit the input of business functional areas to identify core
business processes and identify those processes that must
continue in the event of a Year 2000 failure; (2) map IRS'
mission-critical systems to those core business processes; (3)
determine the impact of information systems failures on each
core business process; (4) assess existing contingency plans
for their applicability to potential Year 2000 failures; and
(5) develop and test contingency plans for core business
processes if existing plans are not appropriate.
---------------------------------------------------------------------------
\14\ IRS' Year 2000 Efforts: Business Continuity Planning Needed
for Potential Year 2000 System Failures (GAO/GGD-98-138, June 15,
1998).
---------------------------------------------------------------------------
Since we issued our report, IRS has been taking actions to
address our recommendations. IRS has solicited the input of its
business officials and established working groups to identify
failure scenarios and to develop the contingency plans. The
working groups determined IRS should develop 36 contingency
plans that cover various aspects of its core business areas of
submissions processing, customer service, compliance, and key
support services. One factor influencing the staggered schedule
for completing contingency plans was that the staff assigned to
develop plans have competing responsibilities, such as the
development of business requirements to implement tax law
changes as well as other business improvement initiatives.
Under the staggered schedule, with the exception of the key
support services area, earlier completion milestones were
established for those aspects of three other core business
areas that, according to IRS officials, were likely to
experience a Year 2000 before the other areas. To the extent
that the plans require additional actions, such as those
associated with testing or preparatory activities, these delays
reduce the time available to complete these activities.
According to IRS officials, the completion milestones of
March and May 1999 reflect when the technical work for the
plans is to be completed. Once that work is completed, the
plans are to be approved by the official responsible for the
core business process and tested. According to IRS officials, a
contractor is still developing the testing approach. As a
result, these officials could not provide us with the
completion milestones and staff requirements for testing the
contingency plans.
Other Business Initiatives Are Creating Competing Demands On Certain
Staff Needed For Year 2000 Efforts
In addition to Year 2000 efforts, IRS has other ongoing
business initiatives that are placing competing demands on its
information systems and business staff. The Commissioner's
Executive Steering Committee (ESC) and IRS' risk mitigation
efforts have provided a forum for addressing these issues.
Concurrent with its Year 2000 efforts, IRS is continuing to
make changes to its information systems to accommodate changes
resulting from various business initiatives. These initiatives
include the SCMC project that we discussed previously,
implementation of the IRS Restructuring and Reform Act
provisions, and of various taxpayer service initiatives.\15\
While we do not question the importance of these initiatives,
as we have said before, the need to make a significant number
of tax law changes for the 2000 filing season introduces an
additional risk, albeit one that we could not quantify, to IRS'
Year 2000 effort.\16\
---------------------------------------------------------------------------
\15\ The Commissioner of Internal Revenue established the Taxpayer
Treatment and Service Improvement Program in November 1997 to plan,
coordinate, and manage hundreds of commitments for improvements in
service to taxpayers that have emanated from various sources. These
sources include the National Performance Review, Senate Finance
Committee hearings, and the IRS Restructuring and Reform Act.
\16\ Internal Revenue Service: Impact of the IRS Restructuring and
Reform Act on Year 2000 Efforts (GAO/GGD-98-158R, Aug. 4, 1998).
---------------------------------------------------------------------------
In November 1997, the Commissioner established the ESC
Steering Committee (ESC) to identify risks to the 1999 filing
season and the entire Year 2000 effort and to take actions to
mitigate those risks. In addition, IRS hired a contractor to
conduct periodic risk assessments. The contractor's most recent
report was issued in December 1998.
Recent ESC documents, the contractor's December 1998 risk
assessment report, and our interviews with SCMC officials, have
identified the following examples of competing demands on staff
in IRS' Information Systems organization and business
organizations:
Documents prepared for the September 1998 ESC
meeting stated that IRS' Information Systems organization that
is responsible for systems software issues was ``overextended''
because of Year 2000 demands, SCMC, and support for the Year
2000 end-to-end test.
The contractor's December 1998 risk assessment
report indicated that some of IRS' core business area staff
face competing demands from the need to (1) identify business
requirements for the 2000 filing season and (2) complete Year
2000 contingency plans. As we said previously, IRS' goal is to
have business requirements completed by the end of February.
According to the minutes from the January 1999 ESC
meeting, IRS' Internal Audit has also raised a concern about
the availability of sufficient staff to support the Year 2000
end-to-end test given the other Year 2000 demands. According to
IRS officials, Internal Audit has not released a formal report
on this matter.
IRS' draft paper on the SCMC schedule options
states that one of the risks for each of the schedule options
is the resource drain on IRS staff and contractors from the
filing season, the Year 2000 end-to-end test, and critical
staff being used to train any new SCMC staff. The draft option
paper notes that the extent of the drain varies somewhat
depending on how many service centers are to have their tax
processing activities moved to the computing centers in 1999.
Over the last several months, IRS has taken various actions
to address these competing demands. For example:
To address the ``overextension'' of the
Information Systems organization that is responsible for
systems software, the Chief of that organization said that he
obtained contractor support and transferred staff from other
areas. He said the additional staff, coupled with the delays in
moving the tax processing activities of the service centers to
the computing centers, helped alleviate this overextension.
To address the competing demands on the business
staff to develop Year 2000 contingency plans and finalize
business requirements for the 2000 filing season, IRS officials
decided to stagger the completion milestones for contingency
plans.
To help prioritize the work within the Information
Systems organization IRS officials told us they have
established another executive steering committee. In addition,
the minutes from the January 1999 ESC meeting said that the
Commissioner has asked the cognizant staff to identify the
source of each of the 2000 filing season requirements--(i.e.,
IRS Restructuring and Reform Act, Taxpayer Service Improvement
Initiative, etc.). This identification is the first step for
providing the additional information that would be useful for
establishing priorities for IRS' Information Systems staff.
Concluding Observations
Since our testimony in May 1998, IRS has made considerable
progress in completing its Year 2000 work. However, IRS did not
complete all the work that it had planned to do by January
1999. This unfinished work and upcoming critical tasks are to
be completed in the remainder of 1999. At the same time IRS is
addressing its Year 2000 challenge, it is undertaking other
important business initiatives, such as preparing for the 2000
filing season and implementing SCMC. These various initiatives
place competing demands on IRS' business and Information
Systems staff. To date, IRS has taken actions to address these
competing demands, including delaying the completion milestones
for some Year 2000 activities.
In the next 5 months, IRS will pass several key milestones.
As IRS passes each one, it will have more information on the
status of its Year 2000 effort and the amount of remaining
work. This information should help IRS and Congress assess the
level of risk to IRS' core business processes in 2000. For
example:
By the end of February 1999, the business
organizations are to submit their requirements to IRS'
Information Systems organization for the 2000 filing season. In
the event that business requirements for the 2000 filing season
are not submitted on time, IRS increases the risk that some tax
law changes may not be thoroughly tested before they are
implemented.
From April to July 1999, IRS is to conduct its
Year 2000 end-to-end test. The results of this test will be an
indicator of the extent to which, for the work completed thus
far, IRS has been successful in making its systems Year 2000
compliant. The results of this test should also provide
information on how many Information Systems staff will be
needed for correcting any problems that are identified.
By the end May 1999, IRS is to complete its
contingency plans. These plans should provide information on
any additional steps needed to implement the plans.
We plan to continue to monitor IRS' progress in meeting
these key milestones.
Mr. Chairman, this concludes my prepared statement. I
welcome any questions that you may have.
Chairman Archer. Mr. White, thank you. And thank you for
also giving us a little time back. We appreciate it.
Mr. White. You're welcome.
Chairman Archer. Mr. Commissioner and Mr. Cosgrave, this
country owes both of you a deep debt of gratitude for coming to
its aid at a time of great need. I know there are many other
things that you could do with your lives very productively in
our society, and I for one congratulate you and compliment you
on being where you are and the kind of job, the professional
job, that you are committed to do and which you are undertaking
with a very, very complicated, far-flung, difficult operation
to manage.
I suppose your computer system is about the largest in the
world, is it not?
Mr. Rossotti. Well, it's one of the largest. Yes. Depends
on how you measure it.
Chairman Archer. So this is not a small problem; this Y2K
is not a small problem for you. Are you satisfied at this point
that when we go into next year that the IRS will be able to
perform its essential services in a timely manner?
Mr. Rossotti. First of all, let me just thank you for your
opening comment, Mr. Chairman. I really appreciate that very
much.
The answer to your question, yes. I am confident that we
will be able to perform our central mission. I do want to
qualify that with the fact, as we said repeatedly, that I think
we will be able to sufficiently test broadly to be sure that we
will meet, be able to continue to function our central mission.
But we won't be able to test every possible combination of
everything.
That's why there still will remain the possibility, the
risk, of particular problems that may occur. And that's why we
are organizing what we call our end-game strategy, not our end-
to-end tests, but our end-game strategy, which means that we
will be prepared to respond to things that are unexpected, that
come up, so that we can get them out of the way quickly.
Chairman Archer. My question assumes that you will have
contingency plans in the event that there is some snag in your
computer operation so that your services can still performed in
a timely manner. Is that a fair statement?
Mr. Rossotti. I'll let Mr. Cosgrave mention some of the
contingency plans, but I do want to not mislead, Mr. Chairman
and others. The contingency planning that we're doing is aimed
at being able to respond if there's a temporary outage in a
particular area, for example. There really is no contingency
plan, broadly speaking, that if our computer systems were not
functioning in a predominantly successful way that we could
really, really execute an entire filing season. So, I mean
there are contingency plans that are very important to do, but
they are not contingency plans that, say if the whole IRS
computer network were not functioning, that we could still do a
tax season.
I don't think we need a contingency plan for that. First of
all, there really isn't a contingency plan for that. But I
believe we have more than adequate confidence that we are not
going to have a global failure of that kind. But having said
that, let me just ask Paul here to talk about some of the
contingency planning that we are doing.
Mr. Cosgrave. Thank you, Mr. Commissioner.
Let me, first, just acknowledge GAO's assistance here. They
reported back in June of last year that the IRS was behind in
their contingency planning. We took that recommendation to
heart--in fact, adopted an approach that they laid out to us
that had already been used effectively at the Social Security
Administration as the way to go about this problem. In fact,
we, are executing the exact model that they have identified.
This involves addressing this problem from the business
perspective. We have each of our businessowners actively
involved in building contingency plans. First of all, they are
identifying which contingency plans are needed based on the
critical business processes that we need those plans for. They
did that work and that's complete. We have identified the need
for 37 plans. Twenty-four of those 37 plans will, in fact, be
completed by March, and the remaining 13 will be done by May.
So by May of this year, we will have contingency plans in place
for all of our critical business applications.
Chairman Archer. Are you confident that all refund checks
will go out in a timely fashion next year?
Mr. Rossotti. Well, I think that gets to the point. We are
confident that we will be able to process refund checks. They
will be able to go out in a timely manner. But when you say all
refund checks, I have to say I can't be confident of that
because there could be particular situations for particular
taxpayers because of some particular path that they go through
that we haven't tested, where there could be, as we call it, a
glitch.
I don't predict that. I certainly don't want that to
happen, but we also don't want to offer false confidence that
there won't be any problems. This is why we are preparing not
only contingency plans, as Paul mentioned, but also quick
response situations, so that if we find a particular problem,
as we do in every filing season, actually, we'll be able to
respond to it quickly and hopefully minimize any taxpayer
impact to the bare minimum.
Chairman Archer. Do all refund checks go out today in a
timely manner.
Mr. Rossotti. Actually, most do. [Laughter.]
But there are some that don't.
Chairman Archer. Even without the Y2K problem, you can't
make that a blanket statement?
Mr. Rossotti. That's actually an excellent observation.
That's very, very true. Every filing season there are problems.
Chairman Archer. My last question is, is there anything
further that the Congress can do to help you to do your job?
Mr. Rossotti. Well, let me just say that in my year or so
here, I have been very pleased with the response we have gotten
from the Congress. We have gotten just about everything we've
requested from the Congress. At this moment, with respect to
the IRS Y2K problem, I don't think there is. I did mention in
my testimony, that one of the things we are studying in our
role as tax administrator, is to make sure that we are prepared
in case there are taxpayers who have, problems in filing or
paying timely because of a situation that might develop totally
beyond their control. For example, with their bank.
We haven't completed this study yet, but this is something
we are going to be working on with the Treasury. We want to
make sure that we are prepared and able to deal with those
situations to avoid any harm to the taxpayers. We may need to
consult with the Committee over the course of this year, over
the next few months even, as we study that issue to make sure
that we have the requisite authority to deal with that.
We will continue to consult with you on this issue
throughout the year. As of this moment, I think we have what we
need.
Chairman Archer. OK. Thank you very much. If you need
anything else, we invite you to let us know immediately so we
can go to work in working with you.
Ms. Thurman.
Mrs. Thurman. Thank you, Mr. Chairman. We appreciate all of
you being here today. If for no other reason, these hearings
are good to keep the public aware that this is an issue still
ongoing, probably to give some more confidence that we are in
better shape than what some have anticipated so that we don't
have runs on banks and we don't have some of the things that we
are all very concerned about.
But, Mr. Dennis, I really need to ask you some questions
because, and I'm sorry I was not here for your testimony when
you were actually saying it, but I do have the testimony that
you have written before. And I need some clarification on the
last page because it says there that financing is not a major
impediment to action at this time. Only 3 percent now planning
action say that the reason that they have not done so to date
is the financing problem. Few small business owners-respondents
mentioned finance. I guess this is in the form of your survey.
However, for some, the out-of-pocket costs will be significant,
and ones they would not normally make. This is not a question
of locating debt-finance to undertake the preventive measures,
that appears readily available. It is a question of paying for
them.
You've lost me somewhere in here. One minute it doesn't
seem it's about cost, and then the next minute it seems to be
about cost. So I need some clarification on that, particularly
because you know that I've introduced a piece of legislation to
try to do an accelerated depreciation for businesses
specifically for the purposes of kind of grabbing the attention
of small businesses that they really need to get into this Y2K
compliance issue.
So if you could give me some direction, I would be very
appreciative.
Mr. Dennis. Surely. Thank you.
Most small businesses who have taken action already tell us
that they are spending relatively small amounts of money. When
I say most, 75 percent have spent less than $5,000. There are
exceptions, those spending large sums, over $50,000. It's a
very small percentage thus far, one, 2 percent at most.
My reference to financing not being a major problem is tied
to the survey. We provided respondents with reasons for not
going ahead. Financing was one of them. I think it was 3
percent who indicated that that was a problem impeding them
from going forward. So yes, there are extreme cases where it is
going to be difficult. There's no if, ands, or buts about it.
But for the most part, it is not an issue. Owners have told us
that that is not an issue.
When it comes to debt capital, the Small Business
Administration's, SBA's 7(a) program, is a back up. Not only
that, in the 20-some years that I have been working at NFIB,
the present is probably the most favorable conditions for
small-business borrowing I've seen. So that's not an issue
either.
Mrs. Thurman. However, they are familiar with the Code that
does allow them that accelerated depreciation so they might be
a little bit more familiar with this, might be more comfortable
in using some kind of tax issue.
But let me just make this comment too because I think this
is really important, and I'm real concerned after reading this.
I don't know if you were here this morning when I read from an
article about what businesses were doing, and they are doing
something called ``windowing'' and ``encapsulation,'' which may
not be the wherewithal of the fix that some of them are going
to put themselves in believing that they are going to spend
this extra dollar or they are going to roll their computer
back. And then all of a sudden it quits anyway. Do we know
what's happening with small businesses in that way? I'm going
to talk about it when I'm home, but I think we have to capture
their attention on this because I'm really concerned.
Mr. Dennis. I couldn't agree with you more in the sense
that many simply don't believe it, simply don't believe this is
going to affect them and don't think it's a problem. So I
couldn't agree with you any more. I think there's a number of
things that could be done just on awareness issues. One of the
things that's really been disappointing is the use of industry-
specific trade associations to get this message out, even more
so for embedded-chip-type equipment that's particular to
certain industries than for computers in general.
I think that vehicle could be used to a much greater extent
than has been done in the past. Any type of awareness activity
I think is something good to do because there are many owners
out there who just don't believe it, don't believe it will
affect them, and feel that it's not worth the effort to do
anything.
Chairman Archer. The gentlelady's time has expired. Mr.
Weller.
Mr. Weller. Thank you, Mr. Chairman. Before I ask my
questions, I also want to salute the Commissioner of the IRS
for the commitment you've shown to implement IRS reform. The
first IRS reform began in this Committee room under the
leadership of our Chairman and the Ways and Means Committee.
And the follow through, I definitely want to salute you on your
commitment to following through on IRS reform, making IRS
responsive to the taxpayer, rather than the other way around.
So thank you for that.
I'm going to keep the focus of my questioning also on small
business, Mr. Dennis. In your knowledge and you pointed out in
your response to Ms. Thurman's questions, that some small
business owners don't believe anything is going to happen so
they are not going to worry about it. What do you feel is
really the remaining big risk for small business in being Y2K
compliant, and particularly as it relates to taxes and tax
collection.
Mr. Dennis. I think the greatest risk, quite frankly, is
getting people to do something. That's the first major one. The
second one, I would suggest, probably is a little bit different
than you may think. I worry a great deal about embedded chips
and what it's going to do to some firms. Now you say, how does
that affect taxes? Well, it affects taxes because they are
going to have to put all their resources and energy into
correcting any Y2K problem, whatever that problem is. If their
equipment goes down, the key to their survival is going to be
how quickly they can be up and running. That is the absolute
critical thing. So it's possible that some dates can slip and
that kind of thing.
I was very encouraged when Mr. Rossotti indicated that IRS
was developing some sort of internal policy which might address
that problem. Indeed I mentioned that in my written testimony.
I would like to see a policy made public to really encourage
people to take action. The IRS policy would really encourage a
lot of people to say ``Well, gee, if there is some kind of
consideration and if I have done something to address the
potential problem, that might be a very strong incentive to
prepare.''
Mr. Weller. Who is, you know, you had mentioned that
perhaps the trade organizations and business groups could be
better utilized to get information out. Who is everyone
depending on for information today? Where are small business
owners getting their information if it's not coming from their
professional or trade organization?
Mr. Dennis. That's a very good question, and I don't know
that I have a good answer for you. We hear anecdotally, but
that was not one of the questions I asked on the survey.
Anecdotally, we believe that they are getting a lot of
information from the net. They are getting some from general
business magazines, including their trade association-type
magazine. It's kind of a catch-as-catch-can. One of the
problems is that there seems to be a lack of simplistic--no, I
don't want to use the word simplistic--relatively easy, step-
by-step approaches to how you specifically handle problems
discovered. Some Internet addresses, for example, provide very
complicated solutions.
Mr. Weller. Is there one, you know, if you were able to do
one thing to do a better job of getting information out there
to help small business owners deal with Y2K compliance, what
would that initiative be?
Mr. Dennis. Having Mr. Koskinen or someone grab trade
association execs by the back of the neck and say, this has got
to be done.
Mr. Weller. And so those trade organizations in the
audience make a note of that, be thinking how they can
communicate to their members.
And last, I realize the light's yellow here, but are there
any particular tax incentives that may help small business
better comply and afford the cost to comply, realizing that
small business, and many of them are mom and pop shops, limited
on resources and staff?
Mr. Dennis. Tax incentives are always nice. But in terms of
getting more people to do things to resolve their potential Y2K
problems, I haven't seen any evidence they would. Obviously
there will be a few, but not an overwhelming number.
Mr. Weller. All right. Thank you.
Chairman Archer. Mr. Foley.
Mr. Foley. Thank you, Mr. Chairman.
Mr. Rossotti, in your written testimony, you touched
briefly on the end-to-end testing. Can you explain the rigor of
your end-to-end test, and also give us a little greater detail
on that and when it may be complete.
Mr. Rossotti. I think I'll ask Mr. Cosgrave, if it's OK, to
respond to that. He's directly in charge.
Mr. Cosgrave. The end-to-end test is a totally integrated
test, where we are taking most of all our systems and putting
them together in a totally integrated environment, that
includes almost 95 different systems linked together. We're
doing this in three different phases. The first two have
already been completed. And the 1st part of the third phase
will start in April and will run into July of this year. From
my experience, and I believe the Commissioner has the same
experience having done a lot of systems testing in other
businesses, this is as complex, as complete, and as large a
test as we have ever seen anyone undertake. It's running well
to date, and we anticipate having those mission-critical
systems tested and-to-end beginning in April.
Mr. Foley. There's also discussion on--oh, did you want
to----
Mr. Rossotti. I was just going to add one thing. One of the
key things about this that is different from the other testing
that we do, is that we take a special computer and we actually
set the clock forward so we make believe it's already January
1, 2000. That's the one thing that we can't do in our normal
testing, because we can't change the actual computer clocks or
we'll make everything run awry. This actually involves taking a
separate set of computers and operating them with the clock set
forward.
Mr. Foley. You also touch on, you mentioned it briefly in
response to the chairman on contingency planning. It seems to
me that the most critical part of it is to have a backup plan
in case. What is that plan for processing returns, to assure
customer assistance, and, of course, compliance in general.
Mr. Rossotti. Well, again, I'll let Mr. Cosgrave give you
some detailed examples of our 37 contingency plans. But I again
need to stress that there really is no contingency plan that,
given a computer failure, broadly speaking, that will allow us
to continue to do the business of the IRS. We are just too
dependent on these computers, and there isn't any really
practical backup plan you could have on a broad scale. So our
strategy is to use our end-to-end tests to make sure we don't
have a broad failure, recognizing there could be limited
failures.
Our contingency plans are basically designed to cope with
those kinds of localized or specific failures. That's why there
are 37 of them. Mr. Cosgrave can give some examples of what
these are.
Mr. Cosgrave. I'll give one or two examples. In fact, I
happen to have brought one of those plans with me today. This
is the FTD, Federal Tax Deposit, contingency plan. It gets very
specific. For example, on January 3, if something is not
operating the way it should, who will be there to provide
backup support? What exactly are the approaches we would take
as a workaround to the problem? It's got phone numbers; it's
got every conceivable thing we would need in an emergency
situation.
The major systems that I described earlier that we're
implementing, where we are actually replacing the system and
hence have the most risk, would be our submissions processing
and our remittance processing systems. In those cases, we are
actually, in the case of remittance processing, keeping the old
system around. Even thought it won't be Y2K compliant, we know
we can trick the system to fake out the date factor, and we'll
use that as a fallback. But again, those systems are 20 years
old, and frankly we are glad to have the opportunity to replace
them and get some new technology in there. But they will be
there in the backup mode, should we need them.
Mr. Foley. In the transition period, is there any security
breach problems we may encounter through the electronic filing
method? Is there any way for somebody to penetrate the computer
system to alter data?
Mr. Cosgrave. That's an interesting question. With the new
integrated submissions-remittance processing system, we did
detect in our final test one potential security breach. And so
we actually de-installed a few components that would have
allowed that breach. We have operated until just recently, when
we were able to get a fix for that, with some of the
functionality turned off. Now that we have fixed that problem,
we are back in production with the system at full capacity.
Mr. Foley. Thank you, Mr. Chairman.
Chairman Archer. Ms. Thurman would like to make a short
inquiry, and I believe that will conclude this panel.
Mrs. Thurman. Chairman Rossotti, what I'd like to ask is,
if you could get me some information of how many of our small
businesses are using section 179? That might give us a better
idea of whether tax incentives, depreciables, the kinds of
things that we would look in looking at ways we might help.
Mr. Rossotti. Unfortunately, the IRS does not have reliable
data documenting whether businesses located in empowerment/
enterprise zones are using the additional expensing allowance
for depreciable business property as allowed for in section 179
of the Internal Revenue Code. Use of this provision is very
infrequent. The General Accounting Office noted this finding in
their June 1998 report, Community Development--Information on
the Use of Empowerment Zone and Enterprise Community Tax
Incentives. The report states ``IRS officials reported that
none of the information on expensing and depreciation that
businesses or individuals file on Form 4562 (Depreciation and
Amortization) is computerized and entered into a master file.''
In addition, further review of sample data for tax year 1996
indicated that of 124 returns with expensing deductions large
enough to indicate that they might be eligible for the
additional EZ expensing allowance, almost none were. The
Department of Treasury found similar results for tax year 1995.
As the IRS transitions to four operating units designed to
serve unique groups of taxpayers, the need for more specialized
data about customer segments will increase. While the Small
Business/Self Employed Operating Division may not collect
specific information in the future about section 179, they will
have an opportunity to collect more specialized data about
their customers, small businesses and self-employed taxpayers.
This will allow IRS to better understand the needs of these
taxpayers and share that information with Treasury and
Congress.
Chairman Archer. The Committee will stand in recess for the
vote on the floor. We'll go vote and come back as quickly as
possible and reconvene.
Glad to see our next panel is already assembled at the
witness table. And Mr. Magaw, we're going to start off with you
if you are ready. And if you will identify yourself and whom
you represent, for the record, you may proceed.
Our general ground rules are that we'd like for you to keep
your verbal testimony to within 5 minutes, and the lights will
come on. And your entire printed statement, without objection,
will be inserted in the record.
Mr. Magaw.
STATEMENT OF JOHN W. MAGAW, DIRECTOR, BUREAU OF ALCOHOL,
TOBACCO, AND FIREARMS
Mr. Magaw. Thank you, Mr. Chairman. My name is John W.
Magaw and I'm the Director of the Bureau of Alcohol, Tobacco,
and Firearms. Members of this Committee, I am pleased to appear
here today concerning an extremely important issue, that of Y2K
compliance. Accompanying me today, is Mr. Pat Schambach, and
he's like you, Mr. Chairman, I think like you are right now,
wearing two or three hats.
At ATF, he is the assistant director for science and
technology. He's also our chief of information. And also he is
our senior executive for year 2000 compliance, and works on it
virtually every day. And he's sitting to my left and will make
a few comments in a moment.
Most people know ATF for our roles as regulators and
enforcers of criminal laws relating to alcohol, tobacco and
firearms. But it is not as well known that ATF is a major
revenue collector. In Fiscal Year 1998, ATF collected a total
of $12.4 billion, this includes $6.5 billion in alcohol taxes,
$5.6 billion in tobacco taxes, and $300 million in firearms and
ammunition taxes. We estimate that the multiple tobacco tax
increase that is scheduled to begin in January of 2000 will
expand the annual revenue by the year 2002 to more than $15
billion.
We fully appreciate that the continuity of revenue
collection is critical to the Nation's well-being. Our budget
for Fiscal Year 1999 is $608 million, and I am pleased to note
that for the fourth consecutive year, ATF has received the
highest possible rating on the annual general audit of our
finances and internal controls. This audit was conducted by
Price-Waterhouse-Coopers and the Treasury Inspector General's
Office.
It is our intent to maintain a sound revenue management and
regulatory system that continues to reduce taxpayer burden,
improve service, collect the revenue due, and prevent illegal
diversion. We continue to accomplish these objectives in large
part through the partnership with the industry, taxpayers and
through technological innovations. Our National Revenue Center,
in Cincinnati, Ohio, had applied these two principles in
improving the consistency of our tax administration in
preparing for Y2K.
Mr. Schambach will detail more specifically the measures
that we are taking, not only in the area of revenue collection,
but also in all of the matters that impact our ability to serve
the public of this Nation.
Thank you, sir.
[The prepared statement follows:]
Statement of John W. Magaw, Director, Bureau of Alcohol, Tobacco and
Firearms
Thank you, Mr. Chairman, Congressman Rangel, and Members of
the Committee. Accompanying me today is Mr. Pat Schambach who
wears three hats here at ATF--Assistant Director for Science
and Technology, Chief Information Officer, and Year 2000 Senior
Executive.
With your permission, I will briefly provide an overview of
the mission of the Bureau of Alcohol, Tobacco and Firearms
before deferring the balance of my time to Mr. Schambach who
will address ATF's significant Y2K conversion efforts.
ATF's three strategic goals are to reduce violent crime,
protect the public, and collect the revenue. We administer and
enforce the Federal laws and regulations relating to alcohol,
tobacco, firearms, and explosives. Although perhaps not readily
apparent, the commodities regulated by ATF share a common
bond--each has legal consumer uses, the potential for serious
abuse, and significant revenue implications.
In Fiscal Year 1998, ATF collected a total of 12.4 billion
dollars--including $6.5 billion from the alcohol industry/ and
$5.6 billion from commerce in tobacco. We estimate that tax
increases effective January 1, 2000 on tobacco products will
provide $2.5-$3 billion per year in additional revenue by 2002
as we implement the Taxpayer Relief Act of 1997. These
collections are made with a budget of approximately $600
million. All funds are transferred to the Treasury or other
Federal agencies for further distribution in accordance with
various laws and regulations.
Permit me to note that for the fourth consecutive year, ATF
has received the highest possible rating on the annual General
audit of our finances and internal controls. This audit was
conducted by Price Waterhouse Coopers and the Treasury
Inspector General.
It is our intent to maintain a sound revenue management and
regulatory system that continues to reduce taxpayer burden,
improve service, collect the revenue due, and prevent illegal
diversion.
We continue to accomplish these objectives, in large part,
through partnership with industry members, States, and other
Federal agencies--and through technological innovation. Our
National Revenue Center has applied these two principles in
improving the consistency of our tax administration, and
providing timely trend analyses and industry statistics.
ATF has used the integration of partnership and innovation
to identify and overcome the potential vulnerabilities that the
Year 2000 portends. We fully appreciate that the continuity of
revenue collection is critical to the Nation's well-being.
Mr. Schambach will detail the measures we are taking not
only in the area of revenue collection but also in all matters
that impact our ability to serve the public.
STATEMENT OF PATRICK SCHAMBACH, ASSISTANT DIRECTOR, SCIENCE AND
TECHNOLOGY, CHIEF INFORMATION OFFICER, AND YEAR 2000 SENIOR
EXECUTIVE, BUREAU OF ALCOHOL, TOBACCO, AND FIREARMS
Mr. Schambach. Thank you, Mr. Director. Mr. Chairman, we
first established our program--sorry
Chairman Archer. Mr. Schambach, if you will give your full
name and the entity that you represent, you may proceed.
Mr. Schambach. Thank you, sir. I'm Patrick R. Schambach,
Assistant Director of the Bureau of Alcohol, Tobacco, and
Firearms. Mr. Chairman, we first established our program in ATF
to address the Y2K challenge in 1996. As you have heard from
many other witnesses, we soon discovered the Y2K challenge has
tentacles into every corner of our organization and extends
beyond the boundaries of our organization into relationships
with other entities.
Our primary efforts can be categorized into the following
major areas, information technology systems, non-information
technology systems, business continuity and contingency
planning, crisis management and outreach. Over 30 full-time-
equivalent positions, both ATF employees and consultants,
support these efforts in our program management office.
Additionally, representatives from all core business areas of
our bureau actively participate in each of these efforts.
In 1997, an integrated project team was established. This
team, chaired by me, was established to provide an open forum
for communicating Y2K status throughout our organization and
for raising and resolving Y2K business issues.
I'd like to focus my remarks in two distinct parts, those
activities aimed at internal ATF preparations, followed by
external preparations aimed at preserving the smooth flow of
revenue that ATF is charged to collect from the alcohol,
tobacco and firearms industries.
The chart on the easel to your left, which I will explain
in a few minutes, indicates the volume of dollars collected
from each of these regulated industries in Fiscal Year 1998. In
our internal preparations we have identified 156 information
technology systems in operation within ATF. Of these, 24 are
mission-critical, and all 24 have completed assessment.
Nineteen are now year 2000 compliant, and 5 systems remain to
be replaced. And efforts are under way to replace these five
systems during Fiscal Year 1999.
Through a major technology upgrade using a new acquisition
method in the Federal Government, called Seat Management, last
year we provided Y2K-compliant personal computers to all ATF
employees. We are certifying all other computer hardware to
provide the best assurance possible that our processes will
continue to function properly. Concurrently we are updating our
contingency plans that have been developed for each mission-
critical system so that we have realistic and actionable
alternatives should we experience unexpected failure.
We have also identified 129 non-information-technology
systems within ATF, to include building security systems,
laboratory equipment, and other devices that contain computer
chips and computer logic. Of these, 85 are mission-critical.
Eighty of these systems have been assessed, and 32 are Y2K
compliant. Renovation plans are in place to repair, replace or
retire the remaining systems determined to be non-compliant.
We are also updating our contingency plans that have been
developed for non-IT mission-critical systems.
While it's our goal to avoid any unexpected surprises to
ensure our vital processes remain intact, or can be resumed
most expeditiously, we are developing business continuity plans
relative to our core processes. That is, we want to have plans
in place should any infrastructure or facility failure occur
that is totally out of our control.
Concurrently, we have started planning efforts for an ATF
crisis management operation to be in effect for the century
date change holiday period. The primary purpose of this
initiative is to have in place a centralized team that will
have the authority and expertise to receive reports of
suspected Y2K failures, analyze them, and make appropriate
business decisions. I expect to have this team in place and
operational in late 1999, working through the New Year's
holiday weekend, and collecting input from more than 220
locations throughout the country.
Now a few words about our external preparations. As you can
see from the chart, ATF is responsible for collecting over $12
billion annually in Federal excise and other taxes. That
amounts to approximately $500 million collected every 2 weeks,
with the first payment in the new year is due January 14. Even
a minor delay in that flow of funds can be costly both to the
government and to the American taxpayer.
Let me take a minute to walk you through the chart,
beginning on the right side. A small amount of our revenue,
approximately $2 million, comes from the tax to transfer
certain controlled weapons, such as machine guns that have been
controlled by law since 1935. Excise taxes are collected from
manufacturers of guns and ammunition to the tune of $165
million last year. Special occupational taxes are imposed on
those involved in the distribution chain of alcohol, tobacco,
and firearms products, which amounted last year to $106
million.
And, finally, firearms and explosives dealers paid license
fees to the tune of $4 million.
That brings us to the larger of Federal excise taxes on
alcohol, on the top half of the pie chart, showing by industry,
beer producers paying over $3 billion, distilled spirits
producers just under $3 billion, and wine producers, almost
half a billion dollars.
Tobacco producers also pay excise taxes of over $5 billion.
In this last category, as the Director mentioned, with the tax
increases already passed by Congress, revenue from tobacco will
increase our overall collections to approximately $15 billion.
Now, to protect the smooth flow of this revenue, ATF
initiated a proactive outreach program in the summer of 1998.
We began by visiting several of our largest taxpayers,
primarily large producers in the beverage alcohol industry to
discuss mutual Y2K concerns and preparations. I've also
addressed an industry-wide Y2K task force of alcoholic-
beverage-industry representatives. As recently as last week, we
hosted major alcohol and tobacco industry members at our
headquarters and via teleconference in a meeting to continue
these important conversations.
Our outreach efforts are aimed at assisting industry
members with contingency plans for tax calculations and payment
processes in order to prevent any disruption to the flow of
Federal excise tax revenue. I've been invited to address a
major industry conference next month to explain our
expectations for industry.
And complementary to these conversations, we are creating a
Y2K Internet site that will be designed to streamline
communication with our industry partners and taxpayers.
In concert with these efforts, similar to comments of
Commissioner Rossotti in the earlier panel, we are looking at
internal policies that would enable ATF to mitigate or waive
penalties for late payments due to Y2K disruptions which are
out of the control of our taxpayers.
Finally, in addition to our efforts with our industry
partners, we are also working with other Federal agencies, such
as our sister bureau, the Financial Management Service, the
Federal Reserve and its financial institutions to ensure that
there will be no disruptions to the revenue flow.
In closing, we are confident that ATF has a viable Y2K
program that is linked to the success of our core business
areas, and we will continue to work diligently to assure the
continuation of our mission. We have enjoyed our longstanding
partnership with industry, and we look forward to building on
that relationship as we deal collectively with year 2000
issues.
Thank you, Mr. Chairman.
[The prepared statement follows:]
Statement of Patrick Schambach, Assistant Director, Science and
Technology, Chief Information Officer, and Year 2000 Senior Executive,
Bureau of Alcohol, Tobacco, and Firearms
Introduction
I am Patrick Schambach, Assistant Director of Science and
Technology at the Bureau of Alcohol, Tobacco and Firearms.
Additionally, I am the Bureau's Chief Information Officer (CIO)
and Year 2000 Senior Executive. I appreciate the opportunity to
acquaint you with the status of ATF's year 2000 program, our
renovation efforts and our remaining challenges that will
ensure the continuation of vital services provided through ATF
programs.
Background
ATF established a program in 1996 to address the Y2K
challenge. As with many organizations, the initial focus of our
program was to educate our people and assure our Information
Technology systems were compliant with the century date change.
As our awareness and knowledge increased it quickly became
evident that the scope and focus of our program had to change
to meet those challenges. What began as a modest Information
Technology (IT) effort, consisting of 67 legacy application
systems, now encompasses over 150 application systems Bureau-
wide and a myriad of hardware, commercial software, and other
specialty equipment and infrastructure areas that affect ATF's
core business activities. As you have heard from many other
witnesses, the Y2k challenge has tentacles into every corner of
our organization, and extends beyond the boundaries of our
organization into our relationships with many other entities.
Y2K Program Structure
Our Year 2000 efforts can be categorized into the following
major areas:
Information Technology Systems, Non-Information Technology
Systems, Business Continuity and Contingency Planning, Crisis
Management, and Outreach. Over 30 full-time equivalent
positions, both ATF employees and consultants, support these
efforts. Additionally, representatives from other Bureau core
business areas outside of the IT organization actively
participate in each of these major efforts. In 1997 an
Integrated Project Team was established. This team, chaired by
me, was established to provide an open forum for communicating
Y2K status throughout our organization and for raising and
resolving Y2K related business issues.
Current Status
I'd like to focus my remaining remarks in two distinct
parts--those activities aimed at internal ATF preparations for
the century date change--followed by external preparations
aimed at preserving the smooth flow of revenue that ATF is
charged to collect from the alcohol, tobacco and firearms
industries.
Internal Preparations
Information Technology Systems: We have identified 156
Information Technology systems in operation within ATF. Of
these, 24 are mission critical. All 24 have completed
assessment: 19 are Year 2000 compliant and 5 systems remain to
be replaced. System development efforts are underway to
construct Y2K-compliant replacements for these 5 systems in FY
'99. Additionally, we are certifying our hardware platforms to
provide the best assurance possible that our client-server
computers and personal computers will function properly.
Concurrently, we are updating our contingency plans that have
been developed for each of our mission critical systems, so
that we have realistic and actionable alternatives should we
experience an unexpected failure.
Non-Information Technology Systems: We have identified 129
Non-Information Technology Systems within ATF. Of these, 85 are
mission critical. Eighty of these systems have been assessed,
and 32 are Year 2000-compliant. Renovation plans are in place
to repair, replace or retire the remaining systems determined
to be non-compliant. In addition, several facility and security
assessments at key ATF locations throughout the country are
underway. As with the IT effort, we are updating our
contingency plans that have been developed for each of our Non-
IT mission critical systems.
Business Continuity/Contingency Planning and Crisis
Management: While it is our goal to avoid any ``unexpected
surprises,'' to insure our vital business processes remain
intact or can be resumed in the most expeditious manner, we are
developing business continuity plans relative to our core
business processes. Concurrently, I have started planning
efforts for an ATF Crisis Management operation. The primary
purpose of this initiative is to activate a centralized team
during the century date-change period. This team will have the
authority and expertise to receive reports of suspected Y2k
failures, and to analyze, resolve and make appropriate business
decisions to effectively address unplanned outages anywhere
within ATF operations. I expect to have this team in place and
operational in late 1999, working through the New Year's
holiday weekend, and collecting input from more than 220 ATF
locations throughout the country.
External Preparations
As you can see from the chart presented here in the hearing
room, ATF is responsible for collecting over $12 billion
annually in federal excise and other taxes. On this chart ATF
revenues are broken down by industry-type to give you an idea
of our tax-paying ``customer'' base.
Outreach: With the intent of protecting the smooth flow of
this revenue, ATF initiated a proactive outreach program in the
Summer of 1998. My counterpart, Mr. William Earle, the Bureau's
Chief Financial Officer and I began by visiting several of our
largest taxpayers, primarily large producers in the beverage
alcohol industry, to discuss Y2k concerns and preparations. I
have also addressed an industry-wide Y2K Task Force of
alcoholic beverage industry representatives. As recently as
last week, we hosted alcohol, tobacco, and firearms industry
members at our headquarters -and via teleconference -to
continue these important conversations.
Our outreach efforts are aimed at assisting industry
members with contingency plans for tax calculations and payment
processes in order to prevent any disruption to the smooth flow
of federal excise tax revenue. I have been invited to address a
major industry conference next month to explain our
expectations for industry in preparing for the century date
change. Complimentary to these conversations, we are creating a
Y2K Internet site that will be designed to streamline
communication with our industry partners and taxpayers. It is
our intent to provide pertinent ATF Y2K information that will
be useful to our industry partners and will provide them a
direct link to address concerns.
In concert with these efforts, we are looking at internal
policies that would enable ATF to mitigate or waive penalties
for late revenue payments due to Y2K disruptions which are out
of the control of the taxpayer. Finally, in addition to our
efforts with our industry partners, we are also working with
other Federal agencies and financial institutions to ensure
that there will be no disruption to the revenue flow process.
Closing
In closing, we are confident that ATF has a viable Y2K
program that is linked to the success of our core business
areas. We will continue to work diligently to ensure the
continuation of our mission. We have enjoyed our long-standing
partnership with industry and we look forward to building on
that relationship as we deal collectively with year 2000
issues.
Thank you again for the opportunity to appear before you
today. I would be happy to answer any questions you may have.
[GRAPHIC] [TIFF OMITTED] T6850.003
Chairman Archer. Thank you, Mr. Schambach.
Mr. Hall, if you'll identify yourself, you may proceed.
STATEMENT OF S.W. HALL, JR., ASSISTANT COMMISSIONER AND CHIEF
INFORMATION OFFICER, U.S. CUSTOMS SERVICE
Mr. Hall. Mr. Chairman, my name is S.W. Hall, Jr. I
currently serve as the Assistant Commissioner for Information
and Technology, and Chief Information Officer at the U.S.
Customs Service.
Mr. Chairman and members, I would like to thank you for the
opportunity to report on the progress of the year 2000 program
at U.S. Customs. I'd like to make some brief remarks and then
submit my statement for the record.
Ensuring that the U.S. Customs automated systems are Y2K
compliant is critical to the smooth flow of trade imports and
exports, the movement of passengers in and out of the country,
timely revenue collection, and effective enforcement of
national laws.
My message today is that Customs is well on its way to
ensuring that these vital systems are ready for the new
millennium. At this point in time I am happy to report that we
have reviewed 25 million lines of code in our mission-critical
systems, and have returned those to production. We are in the
midst of a major independent verification and validation
effort, where we are using automated tools to rescreen that
software to make sure that things have not been overlooked.
We are doing an independent functional review of our
processes to make sure we had indeed followed our internal
testing protocols. We are planning to put an emergency response
center capability in place beginning this summer which will
allow us to support our trade partners as well as any
unforeseen national infrastructure issues that might arise
affecting the operational viability of our systems.
We are in the process of completing the replacement or
upgrading of approximately 20,000 personal computers nationwide
to make sure that they are Y2K compliant. We are in the process
of replacing and upgrading approximately 300 telephone systems
and almost 200 voice mail systems to likewise ensure that they
remain operationally viable. And, we are completing a
comprehensive set of business continuity of operations plans
that ensure that each major operating location has contingency
procedures in place to deal with either local or national
conditions that might arise.
We have had some independent review of our approach to the
Y2K remediation effort. We've received a favorable audit from
the General Accounting Office and the Treasury Department's
Inspector General, which found that our management approach to
this major challenge is disciplined and effective. We have had
an independent review done by the Gartner Group, an independent
consulting group that specializes in auditing and analyzing IT,
information technology, issues. And they declared our program
to be among the best in class.
We have also had the management of this effort recognized
by government Executive magazine as one of the top 20
management success stories this past year in the Federal
Government, and our Y2K program manager was recognized by
government Computer News as an example of a very successful
government information technology manager.
With this in mind, I'd like to conclude by assuring you
that we believe that the Customs Y2K program is on track and
demonstrates when provided the necessary support and resources,
that we can attack a large system challenge successfully and
get done what needs to be done.
This concludes my remarks, and I'd be happy to answer any
questions that you might have.
[The prepared statement follows:]
Statement of S.W. Hall, Jr., Assistant Commissioner and Chief
Information Officer, U.S. Customs Service
The Year 2000 Program at Customs--``Current Status and Remaining
Challenges''
On May 7, 1998, the Assistant Commissioner, Office of
Finance and Chief Financial Officer for the U.S. Customs
Service, testified before this Committee's Subcommittee on
Oversight. During her testimony, she provided the Committee
with an overview of the Customs Year 2000 Program and the
status of the Program at that time. Today, I wish to provide
the Committee with a brief update on the current status of the
Year 2000 Program at Customs, a summary of the accomplishments
which the Program has realized to-date, and a description of
the ongoing tasks which the agency intends to complete prior to
the advent of Fiscal Year 2000.
Overview
On a yearly basis, Customs mission critical computer
systems process over $850 billion worth of imported merchandise
and account for the collection of more than $21 billion in
revenue. Annually, information concerning over 450 million
people who enter the United States from foreign lands are
processed by Customs law enforcement and targeting systems.
Other systems process export information, provide
administrative and payroll support to the Customs Service, and
support trade, carrier and other commercial organizations.
Crucial to the fulfillment of the Customs Mission, Customs
computer systems are also vital to the operational success of
other federal government agencies with whom Customs shares
electronic information: The U.S. Census Bureau, the U.S. Fish
and Wildlife Service, the U.S. Food and Drug Administration,
The U.S. Department of Justice, the U.S. Department of
Agriculture, and Customs' sister bureaus within the Department
of the Treasury are representative of the government agencies
with whom Customs systems interface and share information.
Customs overarching objective in addressing the Year 2000
Problem was to ensure that its mainframe mission critical
computer systems continue to deliver timely, reliable, and
accurate information, without interruption, into the new
millennium. To achieve this goal, the Customs Year 2000 Program
reviewed approximately 25 million lines of computer code and
successfully renovated, tested for Year 2000 compliance, and
migrated into the Customs Production environment 100 % of its
mainframe mission critical assets. This monumental feat was
accomplished within budget, in accordance with General
Accounting Office guidelines, and in advance of deadline dates
imposed by the Department of the Treasury and the Office of
Management and Budget.
With Customs mainframe mission critical systems Year 2000
compliant and fully functional, assuming the public data and
telephone infrastructure is also Year 2000 compliant, Customs
can continue to operate in an efficient , effective, and
dependable manner. If these systems were not Year 2000
compliant however, the results to Customs operations would be
devastating. Millions of passengers and billions of dollars
worth of merchandise arriving into the U.S. would have to be
processed manually, thus creating delays and contributing to a
loss of revenue. The integrity of U.S. borders would be
jeopardized, and efforts to apprehend criminals and interdict
narcotics would be severely crippled.
Year 2000 Program Accomplishments
Guided by the Year 2000 Executive Council and through the
proper management, allocation, and mobilization of necessary
resources, the award-winning Customs Year 2000 Program has
successfully met the Year 2000 Program milestones established
by GAO, OMB and Treasury. In fact, the combined audit team from
GAO and the Inspector General's Office within Treasury found
that ``Customs Has Established Effective Year 2000 Program
Controls.'' In addition to the timely renovation, validation,
and implementation of Customs mission critical mainframe
computer systems, Customs has also:
Validated and tested its mainframe mission
critical hardware, including network and communication
interfacing equipment.
Renovated, validated, and tested the computerized
user developed programs which interface with Customs mainframe
computer systems, tables and files.
Validated and tested the computer software used in
conjunction with its mainframe and personal computers. These
software packages, including operating systems, capacity
planning tools, security packages, word processors and
spreadsheets, were tested in Customs own systems environment.
Identified, tested, and evaluated over 5,000 non-
information technology (non-IT) assets for Year 2000 compliance
including facilities systems, portable radios, lab equipment,
building security systems, and other such products having date-
related functions. Sixty non-IT products assessed as non-
compliant will be renovated or replaced prior to May 1999.
Completed, and submitted to Treasury, business
continuity of operations, technical compliance assurance and
business quality assurance plans. These plans were developed as
a contingency against potential Year 2000 induced failures.
These plans have been used by Treasury as a model for use by
its other bureaus. A simulated test of these procedures, at the
Customs Port in Houston, Texas, was postponed due to local
trade community opposition.
Conducted awareness conferences throughout the
country, addressing Year 2000 issues of concern to field level
Custom offices.
Completed the development of recommendations for a
Year 2000 Emergency Response Center (ERC). The purpose of the
ERC is to protect our private and public sector trading
partners as well as our field support from Year 2000-induced IT
failures. Although Customs is confident in the thoroughness and
quality of its Year 2000 remediation process, there are
external risks over which the agency has no control (e.g., non-
compliant data exchanges from our trading partners, civil
infrastructure failures). We are taking this proactive step to
provide further assurance that service to the field offices and
to our public is unaffected. Our objective is to have the ERC
operational starting August 1, 1999.
Remaining Challenges
While the Customs Year 2000 Program is on-schedule and has
continued to meet all prescribed deadline dates for completion
of its many processes, there is still much work to be
accomplished in the months ahead. Briefly, the Customs Year
2000 Program will be undertaking the following tasks:
Though Customs mainframe mission critical systems
have been successfully tested and are functioning properly, to
further ensure the functionality of the systems, we are re-
testing and will continue to re-test all systems via simulated
post-2000 environments.
Customs is continuing a series of tests with
organizations with whom we interface. These external interface
tests, which began in January 1998, will continue through June
1999. The tests will assist these interfacing organizations in
ensuring that their systems will work with Customs into the
Year 2000 and beyond.
Customs is either checking, upgrading, or
replacing nearly 19,000 personal computers to be Year 2000
compliant. This task is nearly 60% completed. It is anticipated
that all systems, including their software, will either be
replaced or upgraded by June 1999.
Customs is currently replacing 300 telephone
systems and 156 voice mail systems. Year 2000 related upgrades
are being performed on 34 voice mail systems. It is anticipated
that this task will be completed by June 1999.
Customs recently completed Business Continuity Of
Operation Plans and quality assurance plans for its major
business processes. The Information Technology Continuity Of
Operations Plans, in support of Customs business functions, are
in process and will be completed by June 1999.
Customs is conducting an Independent Verification
and Validation (IV&V) Program. Upon the completion of the IV&V
Program, Customs will have reasonable assurance that all of
Customs systems are Year 2000 compliant and that the processes
used in the conduct of the Year 2000 Program followed
appropriate GAO, OMB, and Treasury guidelines. The IV&V Program
includes the use of an automated tool which double checks
potential date problems which may have been overlooked in the
original testing of renovated computer programs. The IV&V
Program will continue through June 1999.
Customs is in the process of developing formalized
plans and an implementation schedule for the Year 2000 ERC. The
plans are based on the recommendations developed in December
1998.
Customs anticipates completion of the renovation,
testing, and replacement of its non-compliant non-IT assets by
May 1999.
Through January 31, 1999, Customs expended
approximately $85 million on the Year 2000 Program. We
currently expect to complete all Year 2000 remediation efforts
under the original project estimate of $120 million.
Long-Term Benefits of the Year 2000 Project Approach
Customs implemented its Year 2000 Program with an eye to
the future. The plans, processes, and procedures put into place
to support the Year 2000 effort were developed so that Agency
operations could continue to benefit from this value-added
approach well after the year 2000 has passed. These long-term
benefits, most of which are based on the agency's ``lessons
learned and best practices,'' include:
The completion of a comprehensive inventory of
applications and user procedures which cross-reference system
files, tables, and systems users, both within and outside of
Customs.
The development of a coordinated approach, and
repeatable processes, to project management and tracking,
through a Project Program Office. The success of the Customs
approach has been recognized with an award of excellence by
Government Executive Magazine.
The upgrade and standardization of various
equipment and systems at both Headquarters offices and field
locations. This approach will create a more cost-effective
asset base and more consistent training methodologies, and will
facilitate enhanced communications between organizational
entities within the agency.
The creation of a separate computer system testing
environment which will be beneficial for other projects as they
enter the acceptance testing phase of the systems development
life cycle.
The development of contingency strategies, plans,
and procedures which will become a permanent part of Customs
business process environment, and which will be invoked in the
event of Year 2000 or other induced systems failures.
The development of an awareness of the importance
of Audit Trail Models and the maintenance of system
``artifacts.'' Following their audit of the structure and
processes of the Year 2000 Program, GAO and Treasury Inspector
General informed Customs that: ``Customs Has Established
Effective Year 2000 Program Controls.''
The development of an Independent Verification and
Validation (IV&V) Program. Through the Year 2000 Program,
Customs developed an IV&V process. Customs will be continuing
the IV&V Program as part of its ongoing quality assurance
program which will be incorporated into all OIT projects.
This concludes my remarks before the Committee. We would
now be pleased to entertain any questions you may have about
our Year 2000 Program and our project approach.
Chairman Archer. Thank you, Mr. Hall.
Admiral Naccara, welcome. If you'll identify yourself, you
may proceed.
STATEMENT OF REAR ADMIRAL GEORGE N. NACCARA, DIRECTOR,
INFORMATION AND TECHNOLOGY, U.S. COAST GUARD
Admiral Naccara. Thank you, sir. I'm George Naccara, the
Coast Guard's Chief Information Officer. I have responsibility
for the Coast Guard's Year 2000 project, and thank you very
much, Mr. Chairman, for the opportunity to testify before you
and your Committee today.
The Coast Guard is certainly aware of the potential for
disruption posed by the so-called Millennium Bug both in Coast
Guard readiness as well in cooperation with and in support of
other agencies. We are working diligently to ensure that our
own information technology systems are prepared for the
millennium. Our motto is Semper Paratus, Always Ready, and
therefore we must similarly ensure that our hardware with which
we deliver our marine safety, environmental protection, search
and rescue, and maritime law enforcement services to the public
is also ready.
On that score, I am pleased to report that we are making
excellent progress, and we expect our boats, ships, planes, and
command and control systems will be ready and operating January
1, 2000, and the many other dates on which there may be Y2K
events.
In addition, our managers and technical staffs are
repairing the administrative and support systems that underpin
our operations. And we expect them to be repaired and working
when the new millennium dawns.
The Coast Guard will leave no stone unturned to prepare its
technology for the millennium, but will also be ready to
continue responding to the call even if a piece of technology
lets us down.
We have directed our unit commanders and our Headquarters
program managers to prepare contingency plans for all systems
that are important to the functioning of their units, hence the
term ``mission-critical systems'' for us. We recognize that
even if all Coast Guard systems and equipment are prepared for
the year 2000 rollover, there is a potential for failures
across the country in public infrastructure, among our
suppliers and business partners, and in the industry we
regulate. To prepare properly for external disruptions that may
impact the Coast Guard, we are evaluating the range of possible
Y2K impacts upon the Coast Guard for all regions, and
developing business continuity contingency plans to address all
potential problems.
Now I want to address the Coast Guard's interface with and
support of the Customs Service and the Bureau of Alcohol,
Tobacco, and Firearms, and the impact of Y2K in maintaining
those relationships.
The primary interaction between the Coast Guard and the
Customs Service and Bureau of Alcohol, Tobacco, and Firearms is
the sharing of law enforcement information. We have no direct
data system contacts with either Customs or ATF. We are,
however, users of the Treasury Enforcement Communications
System. And any Y2K problem in that system would affect us. It
is our understanding from Customs that it is Y2K compliant.
The Coast Guard, through its Law Enforcement Information
System, provides information on vessel sightings and boardings
to the Joint Maritime Information Element, JMIE, a classified
multi-agency database of maritime intelligence information from
the Coast Guard, Navy, Customs Service, Drug Enforcement
Administration, and FBI. The LEIS and JMIE databases reside at
the Coast Guard Operations Systems Center in Martinsburg, West
Virginia. They both have undergone Y2K testing and renovation,
and will be compliant with the OMB-mandated schedule well
before the year 2000.
Therefore, law enforcement agencies accessing this JMIE
system will received the same information as before with no
anticipated interruption in service.
Similarly, the Coast Guard has investigated to ensure it
will be able to receive law enforcement information from other
agencies. We have determined that the Coast Guard connection to
the Anti-Drug Network will continue to function correctly. Also
we receive information from the National Crime Information
Center through LEIS. That connection has been tested by the
Coast Guard and is also Y2K compliant.
The Coast Guard participates directly with the Customs
Service primarily in counterdrug operations. This includes
Coast Guard aviation, cutter, and boat support, as well as in
conducting joint dockside boardings. The primary Y2K concern
for these operations is in communication capability. The Coast
Guard communicates with Customs via UHF and VHF radios. We have
obtained manufacturer verification that most of our radios are
Y2K compliant. Those that are not will be replaced well before
January 1, 2000.
One special initiative between the Coast Guard and Customs,
though still on a small scale, is still worthy of note. Based
on a Memorandum of Understanding between our agencies, a small
number of Coast Guard container inspectors in the port of
Savannah began to access Customs. Automated Manifest System,
tracking all incoming merchandise for tariff and legal reasons.
Coast Guard access is for targeting of hazardous material
containers for inspection. The arrangement has been very
successful. And we plan to expand to four additional offices in
the near future. The system is totally Y2K ready.
The Coast Guard has very limited and only sporadic direct
working relationships with ATF. We have no data interfaces or
any common computer systems or applications.
Thank you very much, Mr. Chairman.
[The prepared statement follows:]
Statement of Rear Admiral George N. Naccara, Director, Information and
Technology
Good afternoon, Mr. Chairman and distinguished Members of
the Committee. I am Rear Admiral George Naccara, the Coast
Guard's Chief Information Officer. I have responsibility for
the Coast Guard's Year 2000 (Y2K) project. I want to thank you
for the opportunity to testify before you today.
The Coast Guard is certainly aware of the potential for
disruption posed by the so-called millennium bug, both in Coast
Guard readiness as well as in cooperation with, and support of,
other agencies. We are working diligently to ensure our own
information technology systems are prepared for the millennium.
Our motto is ``Semper Paratus''--Always Ready--and therefore,
we must similarly ensure that our hardware with which we
deliver our marine safety, environmental protection, search and
rescue, and maritime law enforcement services to the public is
also ready.
On that score I am pleased to report that we are making
excellent progress, and we expect our boats, ships, planes, and
command and control systems will be ready and operating on
January 1, 2000, and the other dates on which there may be Y2K
events. In addition, our managers and technical staffs are
repairing the administrative and support systems that underpin
our operations, and we expect them to be repaired and working
when the new millennium dawns.
The Coast Guard will leave no stone unturned to prepare its
technology for the millennium, but will also be ready to
continue responding to the call even if a piece of technology
lets us down. We have directed our unit commanders and
headquarters program managers to prepare contingency plans for
all systems that are important to the functioning of their
units, hence the term ``mission critical'' system. However, we
recognize that even if Coast Guard systems and equipment are
prepared for the year 2000 rollover, there is the potential for
failures across the country, in public infrastructure, among
our suppliers and business partners, and in the industry we
regulate. To prepare properly for external disruptions that may
impact the Coast Guard, we are evaluating the range of possible
Y2K impacts upon the Coast Guard for all regions and developing
Business Continuity Contingency Plans to address potential
problems.
I want to address the Coast Guard's interface with, and
support of, the Customs Service and the Bureau of Alcohol,
Tobacco, and Firearms, and the impact of Y2K on maintaining
those relationships.
The primary interaction between the Coast Guard and the
Customs Service and Bureau of Alcohol, Tobacco, and Firearms
(ATF) is in the sharing of law enforcement information. We have
no direct data system contacts with either Customs or ATF. We
are, however, users of the Treasury Enforcement Communications
Systems (TECS) and any TECS Y2K problem would affect us. It is
our understanding that TECS is Y2K compliant.
The Coast Guard, through its Law Enforcement Information
System, version II (LEIS II), provides information on vessel
sightings and boardings to the Joint Maritime Information
Element (JMIE). JMIE is a classified multi-agency database of
maritime intelligence information from the Coast Guard, Navy,
Customs, Drug Enforcement Administration and Federal Bureau of
Investigation. The LEIS II and JMIE databases reside at the
Coast Guard Operations System Center in Martinsburg, WV. They
both have undergone Y2K testing and renovation and will be Y2K
compliant in accordance with the Office of Management and
Budget-mandated schedule well before the year 2000. Therefore,
law enforcement agencies accessing JMIE will receive the same
information as before with no anticipated interruption in
services.
Similarly, the Coast Guard has investigated to ensure it
will be able to receive law enforcement information from other
agencies. We have determined that the Coast Guard connection to
the Anti-Drug Network (ADNET) will continue to function
correctly. Also, we receive information from the National Crime
Information Center (NCIC) through LEIS II. That connection has
been tested by the Coast Guard and is Y2K compliant.
The Coast Guard participates directly with the Customs
Service primarily in counterdrug operations. This includes
Coast Guard aviation, cutter, and boat support, as well as in
conducting joint dockside boardings. The primary Y2K concern
for these operations is in communications capability. The Coast
Guard communicates with Customs via UHF and VHF-FM radios. We
have obtained manufacturer verification that most of our radios
are already Y2K compliant. Those that are not compliant will be
replaced by January 1, 2000. One special initiative between the
Coast Guard and Customs, though still on a small scale, is also
worthy of note. Based upon a Memorandum of Understanding
between the Coast Guard and Customs, a small number of Coast
Guard container inspectors at our Captain of the Port (COTP)
office in Savannah began in 1992 to access Customs' Automated
Manifest System (AMS), which tracks all incoming merchandise
for tariff and legal reasons. Coast Guard access is for
targeting of hazardous material containers for inspection. The
arrangement has been very successful at the Savannah site, and
a program to expand to four additional COTP offices has been
funded and is now coming on-line. The system is Y2K ready. As a
result, we do not anticipate any Y2K threat to Coast Guard and
Customs joint operations.
The Coast Guard has very limited and only sporadic direct
working relations with ATF. We have no data interfaces or any
common computer systems or applications.
I will be happy to answer any questions you might have.
Chairman Archer. Thank you, Admiral.
Mr. Clawson, if you will identify yourself for the record,
you may proceed.
STATEMENT OF JAMES B. CLAWSON, SECRETARIAT, JOINT INDUSTRY
GROUP
Mr. Clawson. Thank you, Mr. Chairman, Members of the
Committee. I am Jim Clawson, I'm chief executive officer of JBC
International and for purposes of this hearing, secretariat to
the Joint Industry Group. The Joint Industry Group is a member-
driven collection of over 140 companies and associations and
firms representing about $350 billion in international trade.
We concern ourselves with the Customs issues worldwide.
Our purpose in being here, and we appreciate this
opportunity, is to talk about the Y2K compliance of the U.S.
Customs Service. We've known about this programming glitch in
the private sector with Customs for many years. In fact, in the
late 1980's and early 1990's, our view was that how we were
going to fix it was to pass the Customs Modernization Act,
which provided for a totally new automated system that we
thought would be in place by now. And it was our belief that
all of those elements that we are looking at now with the Y2K
would be taken care of.
Boy we sure missed that action and misjudged that because
here we are in 1999 without a new system, but we are here to
tell you that customs by diverting resources that it was going
to use in developing the new system has been able to look at
all of the data lines, and we're here to say to this Committee
and we are very pleased that the Customs Service has done a
good job under very difficult conditions in renovating its
legacy systems and getting the Y2K compliance and renovation
done.
My written testimony describes in more detail that
renovation, but that's not all of the story. As we've heard
here today a great deal of those systems are so interdependent
with what the other folks are doing that there is still some
concern with us. We are concerned about the private sector's
compliance of their renovation of the Y2K programs as well as
other agencies in the U.S. Government. The Customs Service
performs multiple functions for many agencies as well as
internationally.
You heard this morning about some other countries that may
not be Y2K compliant. I don't say this lightly. In my capacity
with JBC International, we have done a survey of 100 other
countries and their Customs compliance with the Y2K issues.
U.S. Customs is a world leader. Let me say that it doesn't look
good in the rest of these other countries. There are some real
concerns about the kind of information that might be coming
internationally, and the kinds of disruptions that that might
cause to the U.S. Customs, even though it can deal with it
properly.
Also, we are concerned about the information with regard to
transportation, telecommunications, the transportation
companies, particularly in ocean freight. Many of them are
foreign-owned, they are not operating under U.S. requirements--
there are just a whole bunch of these outstanding issues that
are out there that we don't have control over.
So that's of concern to the private sector in these
mission-critical elements in the supply chain management and
getting just-in-time inventories. And we have become so
dependent today on that supply-chain for our economy to
continue.
Now for those issues, what can we do? Some of the countries
can still do manual clearance. You have heard IRS say today
that it cannot go back to manual processing. Our belief is that
the U.S. Customs Service is not able to go back to a manual
system either. You may have seen some newspaper articles about
Customs trying to do some tests in one of the ports in case of
any kind of contingency planning to go back to manual systems.
The private sector was very unhappy about that. It didn't want
to do it. It's a real problem for us in terms of what happens
if a system fails. On this point, it isn't the Y2K that is a
real problem for us, it is the antiquated legacy system that we
have been trying to replace with ACE.
What we are facing is that there has not been sufficient
funding. This Committee was kind enough to authorize another
$50 million in legislation that just passed, but we've got to
get some money appropriated for them to do the work on getting
this system upgraded and in place to perform the services that
the private sector is paying for. In fact, there is a
merchandise processing fee the private sector--this is not like
taxpayers money--pays that raises almost $1 billion a year.
This, for the privilege of having their goods cleared. We think
that those moneys are there to keep these systems up to date.
What we're looking for is the ability to, as payers of this
user fee, is the ability to have the services provided and
benefit from those services.
We're comfortable that some of the work that is being done
on Y2K is going to take place, but we're very uncomfortable
about the fact that the system itself may collapse. And it may
not even be in place by the end of the year to see if Y2K
works.
And with that, I would like to encourage this Committee in
its other capacities to look at that part of the issue. We are
happy to work with you in any way we can.
I'm here to answer any questions you may have.
[The prepared statement follows:]
Statement of James B. Clawson, Secretariat, Joint
Industry Group
Introduction
My name is James B. Clawson and among many other
responsibilities I serve as the Secretariat to the Joint
Industry Group (JIG). JIG is a member-driven coalition of over
one hundred-forty Fortune 500 companies, brokers, importers,
exporters, trade associations, and law firms actively involved
in international trade. We both examine and reflect the
concerns of the business community relative to current and
proposed international trade-related policies, actions,
legislation, and regulations and undertake to improve them
through dialogue with the Executive Branch and Congress. JIG
membership represents more than $350 billion in trade.
The Year 2000 problem goes back to the early days of
computer programming, when memory capacity was nowhere near
what it is today. In an effort to efficiently use a limited
amount of memory, programmers used two-digits to represent
years instead of four-digits. As a result, computers using
software so programmed cannot distinguish between the year 1900
and 2000.
Year 2000 Background
Although some economists and analysts are attempting to
assess the possible impact of the Y2K problem as it is called,
no one really knows how extensive the effects will be.
Obviously, all computer hardware and software will have to be
checked and re-programmed to deal with the Y2K problem.
Compounding the problem, however, is the amount of non-Y2K
compliant hardware and software embedded in anything from
consumer electronics to medical devices.
The U.S. is currently one of very few countries worldwide
that is monitoring the progress of government agencies on a
regular basis. We commend Congress, the Administration, and
government agencies for taking this problem seriously.
Customs Year 2000 Progress
JIG has enjoyed a cooperative relationship with the U.S.
Customs Service for several years. Our coalition has closely
followed their progress in achieving Y2K compliance for all of
its mission critical systems. We appreciate the enormous effort
and resources that the Customs Service has allocated to
renovating all of its computer systems; particularly those
involved in the processing of trade transactions. The trade
community is dependent on the functionality of Customs
automated systems and must be assured that the interaction will
continue as normal at the dawning of the new millennium.
Customs has performed several internal tests of their
computer systems, including tests with other government
agencies, software providers, and one financial institution. On
January 22, 1999, the Customs Service opened testing to the
private sector so that the interface between the trade
community and Customs can be evaluated for compliance. Customs
supplies test data, while industry participants are responsible
for advancing their system clocks to test compliance.
Although industry appreciated Customs' invitation, the
private sector is hesitant to allocate the time and equipment
to conduct the test because Customs is offering no incentive to
participate. One way to induce industry participation is for
Customs to provide a Year 2000 statement of compliance to
software providers that sell products that directly interface
with Customs. Once the software provider has been tested and
evaluated as compliant with Customs systems, Customs can permit
the company to use the compliance statement on marketing
documents and company websites. Such a statement will provide
assurances to those companies using the software that its
systems, working with the Customs' system, will experience no
glitches because of Year 2000 problems. Similar to the
statement of compliance, Customs could offer the use of a mark
or similar certification after software providers or other
companies have successfully completed the testing.
Because Customs has not provided a mechanism for
guaranteeing that after the testing is complete that the
participant's systems will continue to effectively interface
with Customs in the Year 2000, companies are not willing to
allocate the time or resources. An incentive program would not
only benefit export-import software providers, but also their
customers and companies using proprietary internal software to
interface with Customs.
After meeting with several Customs officials to discuss
their progress, we are satisfied that the Customs Service has
prepared its computer systems to continue operations
uninterrupted after January 1, 2000. We question, though, the
preparedness of the users of Customs automated systems--
companies, brokers, and other government agencies. Shutdowns
caused by non-Y2K compliant systems will affect the entire
import processing system and will lead to timely and costly
delays in the clearance of goods at our nation's ports and
border crossings.
Clearance of imports by other government agencies through
the U.S. Customs system is critical. Up to 40 percent of
entries can require approval from the Food and Drug
Administration. The Department of Agriculture inspection
agencies work closely with U.S. Customs in the ports. The
Bureau of Alcohol, Tobacco and Firearms, the Department of
Transportation and many more must be consulted to approve
imports and exports. From a review of these agencies' progress
in becoming Y2K compliant, the fact that U.S. Customs has
completed and tested its systems may be irrelevant to the
private sector if these other agencies cannot clear the goods.
We strongly urge the government to keep the pressure on all
departments and agencies to complete renovation and test their
mission critical systems. We also request that the government
find ways to encourage the private sector to jointly conduct
tests with the respective government agencies to ensure that
their computer systems can handle the rollover to the year
2000.
Customs Automated Systems
Our perception of the government's Y2K readiness,
particularly the Customs Service, may be irrelevant. Customs
Assistant Commissioner for Information Technology, Woody Hall,
stated it best in a February 18, 1999, Wall Street Journal
article when he said, ``The joke around here is that a lot of
good it's going to do you to be Y2K-compliant if the system
crashes around you.'' The current system, the Automated
Commercial System (ACS), is nearly 15 years old and is showing
its age. After several brownouts in the past year, Customs is
more determined than ever that a new system must be created.
Although the new system, the Automated Commercial Environment
(ACE) is already in development stages, ACS must be kept
operational as new ACE applications are brought online. With
only $8 million available in FY 1999, keeping ACS functional is
an enormous obstacle for Customs. The effects of patchwork
repairs on ACS that Customs has resorted to because of lack of
funding are spilling over to industry as brownouts, slow-downs,
and other reductions in ``user service.'' These problems will
inevitably slow or even halt trade if ACS and its replacements
are not properly funded.
Failure to replace the aging components of ACS with
comparable elements from ACE prior to ACS's eventual collapse
will shut down the import process and thereby harm all U.S.
importers and manufacturers, particularly those who rely on
just-in-time delivery systems. Importers will be forced, if it
is even available, to file import entry information through a
time consuming paper process rather than through quick and
efficient electronic means. The loss of revenue to the
government will be staggering and the costs that consumers will
eventually pay will rise.
Customs has made significant efforts to develop a
comprehensive ACE Business Plan, which has been revised as
industry and government needs have changed. The system is
intended to be modular, in that components of ACE can be
adapted as new technology or new needs arise. Customs has
stated that they intend to work with outside contractors to
build the system because the private sector has the most
innovative technologies and systems development expertise.
Customs has made valiant efforts to include the trade community
in ACE design through the Trade Support Network (TSN)
conferences. Customs is sensitive to its customer requirements
but more needs to be done by both the private sector and
Customs to ensure the new systems will be open, interoperable,
and capable of meeting the challenges of the new millenium.
Unfortunately, ACE planning and implementation is stalled.
The White House has shown absolutely no support for Customs
automation. Industry is insulted by the Administration's
proposal for a new ``user fee'' that importers will pay for the
``privilege'' of using Customs automated processing systems. Of
the monies proposed to be collected, the Administration has set
aside only $163 million and $150 million of that cannot be
spent on automation until 2001.
This approach is unacceptable. First, the trade community
is already paying for Customs automation through taxes, duties,
and the merchandise-processing ``user'' fee imposed a number of
years ago to pay for the commercial clearance of goods (which
at the time was 90 percent automated). Since 1994, the
merchandise-processing user fee accounts for an average of $800
million annually. This fee should have been used to keep the
automated system updated and current for its users.
Secondly, at the proposed spending rate for the proposed
new fee of $150 million per year, ACE (at a total cost of about
$1.2 billion) will take approximately 8 years to develop. An 8-
year development cycle for any automated system is unheard of.
By the time ACE is fully implemented, the technology will be
obsolete. So, under this proposal the private sector traders
who represent the bulk of this nation's economy will be paying
over $1 billion in new ``user fees'' for something it has
already paid for and that may be outdated when it arrives. We
deserve better than this from our government.
In addition to the lack of support from the Administration,
the General Accounting Office (GAO) has consistently criticized
Customs efforts. GAO disdainfully points out that Customs has
not completed a sufficient ACE design plan from start to
finish. Although many points in the most recent GAO reports are
legitimate concerns shared by the private sector, some GAO
comments do not consider the technology or development process
involved in these unique Customs automated systems. We know of
no other system in government where the private sector and
government exchange millions of electronic communications 24
hours a day filing multiple tax returns resulting in more than
$23 billion in revenue to the U.S. Government.
Realizing that it is impossible to anticipate advances in
technology, Customs has developed a framework for the
functionality that the system should perform. The technical
aspects of the initial releases of ACE should be fairly well
documented, but it is shortsighted to plan for the technical
design of future modules now. It is also essential that GAO
acknowledge that Customs personnel will not be ``building''
ACE. Customs' responsibilities are to work with the private
sector to define the requirements and specifications for the
system, leaving the technical design to outside contractors.
Industry applauds Customs for developing a plan that
includes a detailed description of the ACS to ACE migration
strategy. The plan explains that portions of ACS must remain
operational during ACE development. As components of ACS are
redesigned into ACE modules, only those portions of ACS will be
turned off. This method of implementation seeks to ensure
minimal disruptions in trade during development and
implementation. In order for the conversion to be successful,
Customs must have the money to keep ACS operational during ACE
development.
Although the Year 2000 problem does not directly affect the
International Trade Data System (ITDS) proposed by the Treasury
Department, JIG would like to express our continued support of
the overall concept. ITDS is a project that has demonstrated
that hundreds of government agencies can coordinate their
automation policies and systems to create a ``front-end''
interface that the government will use to distribute
international trade data collected from industry. JIG is
concerned, though, that too much emphasis is focused on ITDS
development at the expense of ACE. As the ``functional'' part
of the government's automated processing system, it is more
important to develop ACE now rather than designing a data
interface system. If no ``functional'' module operates, the
development of the ``front-end'' interface is irrelevant.
Conclusion
JIG requests the Ways and Means Committee to authorize the
estimated $1.2 billion to Customs for ACE and ITDS development.
This will keep the Customs' Y2K renovation elements
operational. A 4-year ACE and ITDS development cycle is
essential. During these times when we are discussing budget
surpluses, we do not understand the reasoning that money is not
available and a new tax is needed. Automation is an essential
function of the Customs Service mission for processing trade-
related documentation. The existing budget should reflect this
responsibility by making automation funding part of the $800
million user fee revenue amount a baseline component for the
Customs Service.
While the Year 2000 is a critical issue, the JIG believes
that Customs' progress in this area is insignificant if the
automated systems that they have renovated are not operational.
Without sufficient monetary resources, Customs and industry
will be lucky if ACS is still functioning by January 1, 2000.
On behalf of the JIG, I thank you for this opportunity to
provide our comments.
Chairman Archer. Thank you, Mr. Clawson.
Mr. Schindel, if you will identify yourself you may
proceed.
STATEMENT OF DENNIS S. SCHINDEL, ASSISTANT INSPECTOR GENERAL
FOR AUDIT, OFFICE OF INSPECTOR GENERAL, U.S. DEPARTMENT OF
TREASURY
Mr. Schindel. Mr. Chairman, Members of the Committee, my
name is Dennis Schindel, I'm the Assistant Inspector General
for Audit for the Treasury Inspector General.
This morning I testified on the results of our oversight of
the Department of Treasury's Y2K efforts, and more
specifically, FMS. I would now like to briefly summarize the
results of our work at ATF.
I want to start off by mentioning that ATF was a bureau
that we chose to pilot-test our Y2K audit approach. Not only
was ATF very responsive to our findings and recommendations,
but they were extremely open and cooperative with us from the
very beginning of our audit work. This helped our learning
process and enabled us to share what we learned from ATF with
other bureaus.
I also want to point out, that at the time we performed our
work, ATF too was still learning and adjusting their approaches
to the best way to manage the Y2K conversion effort.
It's been 4 months since we issued our draft report to ATF,
and even longer since we first brought our findings to their
attention. ATF has taken corrective action on the issues we
identified during our audit, and their management of the
process and their progress is greatly improved.
In our audit, we evaluated ATF's Y2K conversion effort in
the areas of project management, system conversion and
certification, and contingency plans for business continuity.
As with FMS, our focus was on the broader issue of how well ATF
was managing and controlling their Y2K conversion effort. We
found that ATF had top management commitment, a good
infrastructure, skilled resources, and reasonable guidance in
place to address its Y2K conversion task.
However, some aspects of managing the effort and
coordinating among the various components within ATF needed to
be strengthened. Also, while ATF was generally following GAO's
Y2K guidance, improvements were needed in some key parts of the
Y2K conversion process.
For example, we identified the need for better coordination
and communication between the Y2K project office and the
software development staff to accommodate the respective needs
of all the affected groups within ATF. Originally, we found
that while the two groups were dependent on each other for Y2K
certification, they had not coordinated testing, migration and
certification dates with each other.
As a result, the Y2K project office was unable to identify
systems that were ready for certification since the two
schedules had differences in key system dates. After we
discussed this issue with ATF, they expedited the
reconciliation of their testing schedules from these cross-
functional areas with Y2K responsibility.
We also found that while ATF had identified its data
exchange partners, they had not developed plans to coordinate
the testing of their interfaces with these data exchange
partners.
ATF's Y2K project management office has now been assigned
responsibility to ensure data exchange testing procedures are
incorporated into the compliance testing process.
In our report to ATF, we included nine specific
recommendations designed to help ATF strengthen their Y2K
conversion effort. We recently met with ATF to determine what
progress they have made since our field work. Although they
have made significant progress in all areas and have
implemented most of our recommendations, ATF still has a good
deal of work ahead of them. They have three mission-critical
systems that are not expected to be implemented until May, July
and August of this year. Testing still needs to be performed
with critical data exchange partners, and business continuity
plans must be prepared and tested for each core business
function. ATF is aware of the tight timeframe for the remaining
tasks, and they have a good infrastructure in place that should
enable them to effectively address this increased risk.
As I mentioned earlier in my testimony this morning, we
plan to do additional work at ATF. We will first focus on the
results of independent verification and validation, and then
contingency planning. With three mission-critical systems that
will not be implemented until after March 1999, it will be
imperative that ATF have comprehensive contingency plans in
place that subsequent testing in late 1999 identifies any
serious Y2K non-compliance.
This concludes my remarks, and I would be happy to answer
any questions.
Chairman Archer. Thank you, Mr. Schindel. Mr. Hite, if you
will identify yourself for the record, you may proceed.
STATEMENT OF RANDOLPH C. HITE, ASSOCIATE DIRECTOR,
GOVERNMENTWIDE AND DEFENSE INFORMATION SYSTEMS, ACCOUNTING AND
INFORMATION MANAGEMENT DIVISION, U.S. GENERAL ACCOUNTING OFFICE
Mr. Hite. Thank you, Mr. Chairman. My name is Randy Hite,
I'm an Associate Director in GAO's Accounting and Information
Management Division. My statement today is based on our ongoing
review of Customs' Y2k program management. That review is being
done at the request of this Committee's Subcommittee on
oversight and Subcommittee on trade. Very shortly we will issue
our report on our review, detailing our findings. Today, I can
sum those up in two simple words, cautious optimism.
I'm optimistic because of the good progress that Customs
has made to date. Mr. Hall described the status of the Y2K
efforts. I won't repeat that. He did a fair job of describing
that in an accurate manner. I'm also optimistic because Customs
has implemented effective controls for managing its program. As
you know, GAO issued a series of three documents describing a
set of effective management controls for managing a Y2K
program. We compared Customs' structures and processes against
these guides and found that they were fully implementing all of
the tenets that were specified in those guides. So for these
reasons, Mr. Chairman, I'm optimistic.
My optimism is somewhat tempered because Customs' work on
Y2K is not yet done. And challenging work remains. Hence the
reason for cautious in my two-word summary. For example,
important steps remain to be completed, such as end-to-end
testing, and finalizing testing of continuity of operations
contingency plans.
Now, given that Customs must interact with thousands of
business partners, and in implementing its mission, it relies
on a decentralized organization involving over 300 ports of
entry, this is no trivial task. Also, to perform its missions,
Customs depends on many external systems that are out of its
control, such as public infrastructure systems, transportation,
telecommunication, and power. Customs also depends on systems
owned and operated by its business partners and other
government agencies.
For these collective reasons, I am cautiously optimistic.
Before concluding my statement, I would also like to
comment briefly on how Y2K is both an IT management problem and
an IT management opportunity, and to acknowledge Customs'
stated intention to learn from its Y2K experience and to apply
these lessons learned to its management of IT in general. Over
the last 5 years we have reported on a number of agencies in
terms of IT management weaknesses, particularly those agencies
that have very large modernization programs.
We've made a series of recommendations for correcting these
weaknesses, and I might add that Customs is one of the agencies
where this has been the case. However, for its Y2K program,
Customs chose to break from existing IT management practices,
and instead, institute structured and disciplined processes for
managing IT, modeled after GAO's year 2000 guides. The result
is a program that's on target.
In Y2K, Customs' leadership has stated its intention to
implement the same kind of management rigor and discipline to
all of its IT efforts. But I realize an intention to implement
is a long way from having actually implemented. It's a positive
first step. And I would submit that other Federal agencies
would be well-served by following Customs lead and also taking
this first step.
Mr. Chairman, this concludes my statement. I'll be happy to
answer any questions you may have.
[The prepared statement follows:]
Statement of Randolph C. Hite, Associate Director, Governmentwide and
Defense Information Systems, Accounting and Information Management
Division, U.S. General Accounting Office
Mr. Chairman and Members of the Committee: Thank you for
inviting me to participate in today's hearing on the challenges
faced by the Customs Service in responding to the century date
problem. If this problem is not addressed in time, key
automated systems affecting trillions of dollars in trade
between the United States and other countries could
malfunction, resulting in delayed trade processing, lost trade
revenue, and increased illegal activities, such as narcotics
smuggling, money laundering, and commercial fraud. Fortunately,
Customs has made good progress to date addressing its Year 2000
problem, thanks in large part to the effective Year 2000
program management structures and processes that it has in
place for doing so. Nevertheless, Customs faces certain Year
2000 challenges, such as completing end-to-end testing, before
it will be ready to cross into the new millenium. My testimony
today will address these three areas--progress to date, program
management effectiveness, and future challenges. Additionally,
I will comment on how Customs can benefit from its Year 2000
experience in strengthening its management of information
technology.
This testimony is based on our ongoing review of the
effectiveness of Customs' Year 2000 management and reporting
controls. We are performing this review at the request of this
Committee's Oversight Subcommittee and its Trade Subcommittee.
In short, we have reviewed Customs' Year 2000 management and
reporting structures and processes, including those relating to
testing, contingency planning, risk management, and quality
assurance, and we have compared these to GAO's Year 2000
Guidance \1\ to determine whether key internal controls are in
place and functioning as intended. We have also traced the
reported status of selected system components back to
supporting systems documentation to verify the reported
information's accuracy. We conducted our work in collaboration
with the Treasury Inspector General and in accordance with
generally accepted government auditing standards between July
1998 and January 1999.
---------------------------------------------------------------------------
\1\ Year 2000 Computing Crisis: An Assessment Guide (GAO/AIMD-
10.1.14, issued as an exposure draft in February 1997, issued final in
September 1997); Year 2000 Computing Crisis: Business Continuity and
Contingency Planning (GAO/AIMD-10.1.19, issued as an exposure draft in
March 1998, issued final in August 1998); and Year 2000 Computing
Crisis: A Testing Guide (GAO/AIMD-10.1.21, issued as an exposure draft
in June 1998, issued final in November 1998).
---------------------------------------------------------------------------
Customs' Relies Extensively On Automated Systems
Addressing the Year 2000 problem in time is critical for
the Customs Service because it relies extensively on
information technology to help enforce trade laws and collect
and account for duties, taxes, and fees on imports.\2\ As the
following illustrates, Customs has five mission-critical
systems that run over 20 million lines of application code and
are used by thousands of users within Customs, other government
agencies, and the trade community.
---------------------------------------------------------------------------
\2\ During 1997, Customs collected $22.1 billion in revenue at more
that 300 ports of entry.
---------------------------------------------------------------------------
The Automated Commercial System (ACS) tracks,
controls, and processes all commercial goods imported into the
United States. Over 97 percent of the data filed for imported
cargo entries are sent through ACS and more than 15,000 trade
and other government agency users have access to this system.
Customs' Treasury Enforcement Communications
System (TECS) interfaces with the FBI's National Crime
Information Center and a number of other law enforcement
systems and is the major automation component of the
Interagency Border Inspection System, which serves as a
clearinghouse for law enforcement data. Some 27,000 users,
including Customs; Immigration and Naturalization Service;
Internal Revenue Service; Bureau of Alcohol, Tobacco, and
Firearms; and the State Department rely on TECS.
The Seized Asset and Case Tracking System
(SEACATS) processes and tracks activity associated with
seizures for the initial law enforcement interest in the
property to its final disposition. This system is used by more
than 16,000 Customs employees, and it interfaces with the
Justice Department and Internal Revenue Service systems.
Customs' Automated Export System (AES) collects
export-related data from exporters and carriers and is used to
help target export violators. More than 28,000 users nationwide
rely on this system.
ADMIN is Customs' primary administrative system
supporting financial and human resource functions. It is
comprised of 40 separate systems that interface with each other
and with ACS, AES, and TECS.
In addition to fixing and testing its systems, Customs must
assess and remediate a wide range of telecommunications
equipment and non-information technology (non-IT) assets
installed in over 900 facilities. This non-IT equipment
includes check-writers; scanners; optical readers; security
systems such as badge readers, x-ray systems, cameras, secured
doors and safes; fire alarms; heating and air conditioning
systems; planes; and automobiles.
Customs is Making Good Progress in Addressing its Year 2000 Problem
As of January 1999, Customs reported that it had met
milestones recommended by the Office of Management and Budget
(OMB) for renovating and validating most of its mission-
critical systems.\3\ Specifically, it reported that it had
completed renovation, validation and systems acceptance testing
\4\ of all five of its mission-critical systems. Moreover, it
plans to complete end-to-end testing \5\ for these systems and
associated telecommunications systems by March 1999.
---------------------------------------------------------------------------
\3\ OMB requires that agencies complete renovation of their
mission-critical systems by September 1998, validation by January 1999,
and implementation by March 1999.
\4\ The purpose of system acceptance testing is to verify that the
complete system (i.e., the full complement of application software
running on the target hardware and systems software infrastructure)
satisfies specified requirements (functional, performance, and
security) and is acceptable to end users.
\5\ The purpose of end-to-end testing is to verify that a defined
set of interrelated systems, which collectively support an
organizational core business area or function, interoperate as intended
in an operational environment, either actual or simulated.
---------------------------------------------------------------------------
Customs has also renovated most of its telecommunications
equipment. Specifically, as of January 1999, Customs reported
that it had assessed all of its national data center-related
telecommunications systems and renovated, validated, and
implemented 92 percent of the inventory requiring Year 2000
work. It had also assessed telecommunications equipment in its
field offices and completed 68 percent of needed renovations.
Additionally, Customs had completed about half of the work
needed on headquarters and field office voice communications
equipment, including telephone and voice mail systems.
Customs reported that it has assessed about 82 percent of
its mission-critical non-information technology products. It
reported that 95 percent of the products assessed is compliant,
4 percent requires renovation or replacement and one percent is
to be retired. It expects to complete this work by May 1999.
To help ensure that the information it reports on Year 2000
progress is reliable, Customs has implemented reporting
controls. For example, quality review teams review the
information reported for (1) consistency (by comparing it to
previously reported information), (2) completeness (by
comparing it to reporting standards), and (3) accuracy (by
validating it through observation, inquiry, or review of
supporting documentation). Our review of quality review team
results, as well as our independent review of the reliability
of the information reported in selected system components,
disclosed no discrepancies between what was being reported and
what supporting system documentation showed actual progress to
be.
Effective Management Structure and Processes are Key to
Customs' Success
GAO's Year 2000 Guides provide a framework for effective
Year 2000 program management. Collectively, they define a
comprehensive set of program management controls for planning,
directing, monitoring, and reporting on Year 2000 efforts.
Customs' program management structures and processes are
entirely consistent with GAO guidance, and Customs' good
progress to date is largely attributable to this program
management capability. Along these lines, Customs has done the
following.
Established a Year 2000 Program Office and
designated a Year 2000 Program Manager in May 1997 and charged
the office with authority over and responsibility for
agencywide Year 2000 efforts, including such functional areas
as Year 2000 contracting, budgeting and planning, technical
support to project teams, quality assurance, auditing and
reporting.
Engaged its senior executives in the Year 2000
effort by charging the agency's Executive Council \6\ with
approving and overseeing the implementation of the Year 2000
strategy and resolving such issues as institutional Year 2000
priorities.
---------------------------------------------------------------------------
\6\ The Council is co-chaired by the Chief Information Officer and
the Chief Financial Officer and includes the Year 2000 project managers
as members.
---------------------------------------------------------------------------
Developed a Year 2000 Strategic Plan and Year 2000
Operational Program Management Plan in June 1998, which (1)
identified organizational roles and responsibilities, (2)
established schedules for completing each program phase and
described the tasks to be completed under each phase, (3)
established reporting requirements to track progress in the
various phases, (4) defined performance measures, and (5)
estimated and allocated resources for the tasks and system
activities within these phases.
Issued policies, guidelines, and procedures for
managing and implementing the Year 2000 program, including
guidance on quality assurance, configuration management, and
testing, as well as business continuity and contingency
planning.
To ensure that the plans, policies, and guidelines are
being implemented, the Year 2000 program manager is (1) holding
weekly status meetings with the Year 2000 Program Office staff
and the project teams, (2) tracking, prioritizing, and managing
the risks associated with the IT and non-IT system conversion
efforts, (3) overseeing and managing budget-related issues, and
(4) conducting internal audit reviews to monitor and assess the
implementation of established Year 2000 procedures. The Program
Office is also tracking progress against plans and identifying
issues that may impact its strategy using a central database it
developed.
Structured and disciplined processes have also been
implemented for the testing phase of Customs' Year 2000 effort.
This is important since Customs' key mission-critical systems
run hundreds of interdependent applications, and must interface
with thousands of external systems. In particular, Customs
designated a Year 2000 test manager for mission-critical IT
systems and assigned this manager authority and responsibility
for key testing activities, such as defining exit criteria,
designing and planning the tests, and executing the tests. It
also established in its Year 2000 Application Testing Strategy
and Plan an agencywide definition of Year 2000 compliance;
engaged an independent verification and validation (IV&V) agent
to ensure that process standards have been followed and that
software products perform as intended; provided for ensuring
that vendor-supported IT and non-IT products have been tested
and that they are Year 2000 compliant; and established a Year
2000 test environment. These controls and processes have
enabled Customs to meet milestones recommended by OMB for
renovating and validating mission-critical systems and to allow
time to conduct end-to-end tests.
Finally, Customs has implemented sound management processes
for developing business continuity and contingency plans that
help Customs to mitigate the risks associated with unexpected
internal and uncontrollable external failures. Specifically,
Customs established a business continuity work group; developed
a high-level business continuity planning strategy; developed a
master schedule and milestones; implemented a risk management
process and established a reporting system; and implemented
quality assurance reviews. It then performed a business impact
analysis to determine the effect that failures of mission-
critical information systems have on the viability and
effectiveness of agency core business processes. By defining
disruption scenarios and assessing business, legal, and
regulatory risks for major business processes, this analysis
provided Customs the information needed to develop contingency
plans for continuity of operations. Customs is now in the
processes of testing its contingency plans and it plans to
complete contingency plan testing, including plans for non-IT
systems, by June 1999.
Important Challenges Still Face Customs in Months to Come
Notwithstanding either Customs' good progress to date or
the effectiveness of its program management controls, Customs
still has very important and challenging tasks to complete to
effectively reduce its chances of serious business disruptions.
In particular, Customs still needs to conduct end-to-end
testing of the systems that support important trade missions.
These tests will be particularly challenging since Customs has
hundreds of business partners and their respective systems.
Additionally, Customs still needs to complete its contingency
plans for ensuring continuity of its core business areas in the
event of Year 2000-induced system failures. For Customs, this
is especially challenging because it involves 42 distinct lines
of business that cut across Customs' organization units, and it
involves over 300 organizational units that are located
throughout the United States, each with its own unique and
localized Year 2000 readiness issues.
Moreover, Customs, like most organizations, faces serious
risks outside of its control. For example, Customs' depends on
public infrastructure systems, such as those that provide
power, water, transportation, and voice and data
telecommunications. Given the number of Customs ports of entry
throughout the United States, even localized disruptions in
infrastructure-related services could seriously impact Customs
business operations. As Customs works to develop, test and
complete its contingency plans, it must ensure that these
localized event scenarios are adequately addressed.
Customs Recognizes That Management Improvements Made to Address the
Year 2000 Problem Can Provide Future Benefits
For federal agencies, the lessons to be learned from the
Year 2000 problem are significant. Longstanding organizational
weaknesses in managing information technology contributed to
both the size of the federal government's Year 2000 problem,
and agencies' ensuing difficulties in addressing it. That is,
agencies' unsuccessful attempts to modernize their information
systems over the last 5 years have forced them to continue to
maintain and rely on antiquated, poorly documented, non-
compliant systems. The result was large inventories of non-
compliant systems that the agencies had to quickly repair,
replace, or retire in order to be century date ready. The
Internal Revenue Service, with its well-chronicled history of
modernization difficulties and its mammoth Year 2000 problem,
vividly illustrates this point.
Additionally, to address the Year 2000 problem, agencies
chose to employ the same weak information technology management
structures and processes that have contributed to their system
modernization problems. Our reports and testimonies over the
last 5 years have highlighted these weaknesses in major
modernization programs.\7\ These weaknesses include the lack of
CIO authority over agencies' IT resources, the absence of
complete and enforced systems architectures, the lack of mature
software development and acquisition processes, and the failure
to make informed IT investment decisions. Because of these
weaknesses, we have designated certain modernization efforts,
such as the Federal Aviation Administration's air traffic
control modernization and the Internal Revenue Service's tax
systems modernization, as high-risk federal programs.\8\
---------------------------------------------------------------------------
\7\ Tax System Modernization: Management and Technical Weaknesses
Must Be Corrected If Modernization Is to Succeed (GAO/AIMD-95-156, July
26, 1995); Tax Systems Modernization: Actions Underway but IRS Has Not
Yet Corrected Management and Technical Weaknesses (GAO/AIMD-96-106,
June 7, 1996); and Tax Systems Modernization: Blueprint Is a Good Start
but Not Yet Sufficiently Complete to Build or Acquire Systems (GAO/
AIMD/GGD-98-54, February 24, 1998); Air Traffic Control: Immature
Software Acquisition Processes Increase FAA System Acquisition Risks
(GAO/AIMD-97-47, March 21, 1997); Air Traffic Control: Complete and
Enforced Architecture Needed for FAA Systems Modernization (GAO/AIMD-
97-30, February 3, 1997); and Air Traffic Control: Improved Cost
Information Needed to Make Billion Dollar Modernization Investment
Decisions (GAO/AIMD-97-20, January 22, 1997).
\8\ High-Risk Series: An Update (GAO/HR-99-1, January 1999); High-
Risk Series: Information Management and Technology (GAO/HR-97-9,
February 1997); and High-Risk Series: An Overview (GAO/HR-95-1,
February 1995).
---------------------------------------------------------------------------
Customs did not adopt a ``business-as-usual'' approach to
solving the Year 2000 problem. Using GAO's Year 2000 guidance,
Customs defined and implemented effective management structures
and processes, as this testimony has described. The result is a
Year 2000 program that is on schedule and has plans and
management controls in place for completing remaining tasks. As
important, Customs' Commissioner has also committed to
leveraging the agency's Year 2000 experience by extending the
level of project management discipline and rigor being employed
on Year 2000 to other information technology programs and
projects. By doing so, Customs could greatly strengthen its
information technology management capabilities.
In conclusion Mr. Chairman, we are cautiously optimistic
about Customs' Year 2000 program. We are optimistic because of
Customs' progress to date and its effective program management
controls. We are cautious because important tasks remain, and
because Customs, like all organizations, depends on others in
order to fulfill its mission responsibilities.
This concludes my statement. I would be glad to respond to
any questions that you or other Members of the Committee may
have at this time.
Chairman Archer. Thank you, Mr. Hite.
Are there any questions for this panel? If not. Mr. Foley?
Mr. Foley. Just a second, if I could, Mr. Chairman, thanks
very much. Relative to Customs then, the question Mr. Clawson
raised, I believe, is Customs reached out to the trade industry
to make certain that its data to trading partners will be able
to transact business through their related systems in the year
2000?
Mr. Hall. Yes, sir. We began testing last spring, when we
made ourselves available to trading partners. We did some
limited testing during the spring and summer. We just announced
a 5-month window, beginning this month, where we will make time
available to anyone who is ready and prepared to come test,
end-to-end, their systems with ours. That testing has begun. At
this point, while it's a relatively small number of
organizations, something on the order of 25 or so, they
represent the folks who provide software to about half of our
trading partners.
We will continue to do this testing through the spring and,
of course, we will make ourselves available. Actually we are
planning to support testing past the change of the millennium.
We think this is a very helpful way to ensure that the many
types of organizations that use our systems and provide
information to it, have an opportunity to make sure that their
applications work as well as ours.
Mr. Foley. What have you done specifically to ensure the
safety, if you will, of the information you currently have
regarding drug interdiction, drug traffickers, others in the
system that you have been monitoring? To protect that
information in the event there's a computer problem.
Mr. Hall. We have emergency backup facilities at the
Newington Data Center itself in terms of generators and battery
banks so that we could withstand a temporary loss of power. We
do traditional tape backups of data so that we can rebuild
databases if we were to have hardware failures. Does that get
to the point?
Mr. Foley. Just making certain we have something to go back
to, if the computer resets itself and eliminates data. Just
making certain that somewhere there's an ability to recapture
that important information that you may have in process.
Mr. Hall. Yes, sir. Those are the two major strategies. One
is to make sure we can maintain power if there is an
infrastructure failure, and the other is to back up the data
bases.
Mr. Foley. Thank you, Mr. Chairman.
Chairman Archer. Before excusing you, the Chair has just
two quick questions that apply to every one of you except Mr.
Clawson, I believe. Is each of you confident that the entity
that you represent will be able to perform its essential
functions and services on January 1st of next year?
I assume by a silence that each of you is saying yes, we
are confident. And let the record show that.
The second short question is, are there any additional
resources that the Congress need to give you to complete your
remediation problem? I don't mean now, updating the entire
Customs situation Mr. Clawson talked about. [Laughter.]
I'm talking about the Y2K problem. OK?
Admiral Naccara.
Admiral Naccara. Thank you. I think it would be beneficial
if there were continuing opportunities for supplementals as the
year progressed. We continue to find surprises in different
systems.
Chairman Archer. If there are immediate needs, we would
like to be notified so that we can accommodate those in a
responsible way.
Thank you, gentlemen. Appreciate your input.
Our next witness is Nancy-Ann DeParle, Administrator of
HCFA. We're happy to have with us today, Ms. DeParle, and I see
you brought with you Dr. Christoph, and welcome to you also.
And if you'll officially identify yourself for the record, you
may proceed?
STATEMENT OF NANCY-ANN MIN DEPARLE, ADMINISTRATOR, HEALTH CARE
FINANCING ADMINISTRATION
Ms. DeParle. Thank you, Mr. Chairman, and distinguished
Members of the Committee. Thank you for inviting me here to
discuss the progress of the Health Care Financing
Administration in addressing the Year 2000 computer challenge.
As you said, Mr. Chairman, I have with me Dr. Gary Christoph,
who I brought in as HCFA's chief information officer last year
and who has been leading our information technology efforts.
And he is no stranger to this Committee because he spent a good
deal of time here with your staff over the year.
Mr. Chairman, HCFA still has a great deal of work to do,
but we're making good progress and we'll be ready well before
January 1, 2000. As you know, we're responsible for financing
health care for Medicare beneficiaries. We can assure that our
claims processing and payment systems work and that doctors and
hospital bills will get paid. Continuity of care, however,
depends on much more. Doctors, hospitals, and other providers
must ensure that they are also ready. We are therefore engaging
in an unprecedented outreach effort to help our partners meet
their responsibility, and we appreciate the help of Members of
this Committee in doing that.
We have aggressively attacked our part of this problem. We
must continue to re-test systems and refine contingency plans.
However, we've come a long way in the year since I became
administrator. To get to this point we've had to make some
tough decisions, including delaying some provisions of the
Balanced Budget Act. We reached a significant milestone in
December when we reported that all 25 of our internal mission-
critical systems are now compliant. These are the systems that
are under our direct control. At the same time, we also
required the systems operated by the private insurance
companies that we contract with to pay claims to be renovated
and to complete three levels of testing by December 31, 1998.
All 78 of the external mission-critical claims processing
systems have been renovated now and 54 of them have been self-
certified as compliant.
Let me stress that self-certification does not mean that
our work is finished. It does mean that the software has been
renovated and that it has been tested and that systems are able
to process and play claims with future dates. We allowed
contractors to self-certify based on just those things that
they directly control. We required the contractors to tell us
in detail about any qualifications, and we investigated those
qualifications ourselves. For the 54 contractors whose
certifications we accepted, we're confident that the remaining
problems are minor and do not significantly compromise the
claims processing function.
We've established a war room to track progress on all
fronts in our Baltimore headquarters. We have special teams on
site all over the country monitoring contractors as they deal
with their remaining work. And we're developing comprehensive
business continuity and contingency plans in case any
unforeseen problems arise.
We've asked our independent verification and validation
contractor to be tough in judging our progress. They tell me
that they are confident that our Y2K efforts will lead to
success by January 1, 2000. Their latest report says that 17
contractor systems require only minimal effort to resolve
remaining issues. Another 39 require moderate effort. And they
agree with our assessment that about 54 of our 78 external
contractor systems have adequately self-certified.
The GAO and our independent verification and validation
contractor have identified essential work that remains for all
our systems to be millennium ready. We agree with GAO that one
of the most critical tasks is testing our many data exchanges
to ensure that all of our interdependent systems function
properly together. We also must continue end to end testing
from the point of claim submission to the point of sending a
payment instruction to a bank and printing a notice to a
beneficiary.
Because testing is so important, we're going beyond current
industry practice. Providers should be able to test whether a
Y2K compliant claim can be accepted by our claims processing
contractors. We're now instructing our contractors to begin
testing with those providers throughout the country who want to
submit future date claims. This will help build provider
confidence. If they want to test their claims against our
system, they can do so.
In addition, we plan to freeze all of our systems this
summer and then to re-test and re-certify this fall in a fully
production-ready integrated environment. For that final wave of
testing, everything must work properly with no if's, and's or
but's. And we also must finish and refine our contingency plans
which we are doing in accordance with the GAO's advice.
Mr. Chairman, we have much more to do and we fully expect
that there may be bumps in the road. But I want to assure you
that we're committed to doing everything we need to do to get
this job done. And I also want to say that all of this would
have been much harder without Congress's support. And I want to
thank you for that, as well as for GAO's diligent and
continuous efforts with us.
Dr. Christoph and I will be happy to answer your questions.
[The prepared statement follows:]
Statement of Hon. Nancy-Ann Min DeParle, Administrator, Health Care
Financing Administration
Chairman Archer, Congressman Rangel, distinguished
committee members, thank you for inviting me here today to
discuss my highest priority--the Year 2000 computer challenge.
I am happy to report today that, despite serious concerns about
the Health Care Financing Administration's (HCFA) ability to
meet this challenge, we are making remarkable progress. In
fact, I am confident that HCFA's own Year 2000 systems issues
will be resolved well before January 1, 2000.
Our foremost concern has been and continues to be that our
more than 70 million Medicare, Medicaid and Children's Health
Insurance Program (CHIP) beneficiaries continue to receive the
health care services they need. That is why we are not only
addressing the Year 2000 issues in those systems over which we
have responsibility, but are also engaging in an unprecedented
outreach effort to raise awareness and provide information to
those other parts of the health care system where we have
little authority and control.
HCFA is responsible for the financing of health care for
our beneficiaries. We can assure that HCFA's claims processing
and payment systems will work, that doctors and hospital bills
will get paid. Continuity of care, however, depends on far more
than payment systems. It depends upon doctors, hospitals and
other service providers ensuring that their equipment will work
and their offices will remain open. It depends upon
pharmaceutical and medical supply chains, which rely heavily on
information technology, continuing to operate normally. And all
of this, of course, requires the continued functioning of basic
utility and telecommunication services.
We have aggressively attacked our part of the problem.
While our job is not yet done, and we will continue to work
hard for the next year on testing and retesting our systems, as
well as developing our contingency plans, we have already
accomplished a great deal.
All 25 of our internal mission-critical systems
are now certified as Year 2000 compliant, three months ahead of
the government-wide deadline of March 31, 1999.
All 78 of our external mission-critical claim
processing systems that our claims processing contractors use
to pay bills are renovated. Of these, 54 have been self-
certified as compliant. Our independent verification and
validation (IV&V) expert contractor has rated 17 systems as
highly compliant and will require only a minimal effort to
resolve any remaining issues; another 39 systems will require a
moderate level of effort. Our IV&V contractor has assured us
that these systems will be compliant on time and that there is
no evidence to suggest they will not. We will continue to have
our own experts and staff on-site, monitoring and assisting
contractors with remaining Year 2000 work, and we will
recertify all mission-critical systems before October 1999.
And 27 of our 55 non-mission critical internal
systems are certified as compliant.
We readily acknowledge that we got a late start with our
Year 2000 problem, and that this has caused considerable
concern and criticism. We recognize the importance of our
programs to our beneficiaries and have thus set very aggressive
goals and put together a vigorous Year 2000 program, with
extensive testing and independent review. We have asked our
IV&V contractor to set rigorous performance measures and be
hard in their judgment of our contractors' progress.
For the remainder of 1999, we will continue to renovate,
test, and retest our systems. We are ahead of schedule on our
internal mission-critical systems, and we are well on our way
to meeting the Federal government's March 31, 1999 deadline for
our external systems. We will certainly be ready well before
January 1, 2000.
I must be clear, however, about what HCFA can and cannot
do. HCFA pays bills. Providers provide service and send claims
to our claims processing contractors once services are
delivered. We are responsible for all our own systems, our
claims processing contractors' systems, and data exchange
interfaces between all of these systems and the systems of
States, providers, banks, phone companies, and other partners.
We do not have the authority, ability, or resources to step in
and fix systems for others, such as States or providers. And
that leads to a rather substantial concern for which we need
the assistance of Congress and others to address.
Concern for States and Providers
It is not enough for HCFA alone to be ready for the Year
2000. Health care provider computers and systems must be Year
2000 compliant in order for providers to be able to generate
and submit bills to us. State computers and systems also must
be Year 2000 compliant for Medicaid and CHIP to continue
uninterrupted payment for beneficiary service. Many States and
providers will meet the Year 2000 challenge on time. However,
monitoring by us and the General Accounting Office (GAO)
indicates that some States and providers could well fail. This
is the first time any of us have had to deal with such a
problem, and we at HCFA are eager to share the lessons we have
learned along the way. We are providing assistance to the
extent that we are able. But that likely will not be enough.
This matter is of urgent concern, and literally grows in
importance with each passing day.
Our own progress in meeting the Year 2000 challenge is due
in large part to the outstanding effort and commitment of staff
throughout HCFA and at our Medicare contractors. We have been
greatly aided by wise counsel from the GAO, and especially by
the expert IV&V contractors we hired, based on the GAO's
recommendations, to ensure that our Year 2000 work is done
correctly. And, importantly, we could not have come so far so
quickly without the timely support and funding that Congress
has provided.
HCFA's Year 2000 Efforts
There is no question that we have faced an uphill battle in
achieving Year 2000 compliance. A number of key steps are
getting us where we need to be. They include:
Building a ``War Room'' in our Baltimore
headquarters dedicated solely to tracking Year 2000 efforts on
a daily basis not only within our own agency, but also with our
partners across the country. I can now find out what is
happening on any of our essential Year 2000 projects at a
moment's notice. That is something I couldn't do last year.
Establishing contractor oversight teams
specifically responsible for closely monitoring and managing
Year 2000 work for all contractors involved in processing
Medicare claims. These teams include staff who are now on-site
to oversee and aid contractors who most need assistance in
meeting the March 31, 1999 deadline. They also provide timely
information on contractors' status to the War Room.
Negotiating amendments to contracts with more than
60 claims processing contractors. This established, for the
first time, clear requirements that contractors must meet to
make their information systems Year 2000 compliant.
Hiring AverStar, Inc., formerly Intermetrics,
Inc., an IV&V contractor to provide assurance that our Year
2000 work is done right. They have helped us refine our
renovation processes, measure our progress, as well as audit
our testing plans and processes.
Hiring Seta Corporation, another contractor
providing independent testing of especially critical systems,
to further ensure that the Year 2000 work on these systems has
been done correctly. This independent testing goes beyond that
described by GAO.
Helping States by hiring another IV&V contractor,
TRW, to visit every state and validate their Year 2000
progress. TRW is giving us direct information regarding the
status of States' Year 2000 renovation efforts, particularly
for critical Medicaid enrollment and claims processing systems.
We also are sharing with the States whatever information and
insights we can provide.
Helping providers learn what they must do to
prepare for the new millennium through an unprecedented and
broad provider outreach campaign. It includes mailings,
publications, an Internet site, a speakers' bureau, a number of
seminars and conferences, and a wide range of other efforts.
Scope of HCFA's Year 2000 Workload
The Year 2000 especially affects the programs HCFA
administers because of our extensive reliance on multiple
computer systems. More than 150 different systems are used by
HCFA in administering the Medicare program. About 100 of these
systems are considered ``mission-critical.'' These systems are
both internal and external and are responsible for establishing
beneficiary eligibility and making payments to providers,
plans, and States. Medicare is the most automated health care
payer in the country. We process nearly one billion claims
annually, most electronically.
In fact, 97 percent of inpatient hospital and other
Medicare Part A claims, and 81 percent of physician and other
Medicare Part B claims are submitted electronically to the
Medicare claims processing contractors. All claims undergo
substantial electronic processing at the contractors and many
claims are processed to payment with no manual intervention
whatsoever. This high level of electronic billing has allowed
us to achieve significant operating efficiency and cost
savings. However, this reliance on automated systems also has
made the Year 2000 computer fix a major challenge. Critical
dates in computerized claims processing include the date a
beneficiary became eligible, the date a patient was admitted or
discharged from a hospital, the date a wheelchair rental began,
or the date an enrollee entered a managed care plan.
Renovating all these systems has been complicated. Each
system used by our programs and our 60-plus claims processing
contractors, as well as interfaces with State Medicaid
programs, banking institutions and some 1.3 million providers
has to be thoroughly reviewed and renovated by those
responsible for each particular system. We are requiring that
systems be tested individually, as well as with the exchanges
they perform with other partners.
To fix the Medicare systems alone, we have had to renovate
some 49 million lines of internal and external systems code to
find date-sensitive processes. We have had to repair all of our
Medicare-specific software so it will work with new versions of
vendor-supplied software. We have had to update the operating
systems that drive the hardware we use with millennium
compliant versions. We also have had to test and upgrade
deficient operational hardware, including our
telecommunications equipment and software. And we must assure
that all data exchanges with thousands of our partners will
function properly.
Providers' Progress
Providers must ready their own systems for the Year 2000 in
a timely manner if the health care system is to meet the
millennium challenge completely and successfully. One of the
first steps, and perhaps the easiest, is changing the formats
of claims to allow for 8-digit date fields. Our electronic
media claims monitoring indicates that over 98 percent of Part
B claims submitters (either physicians/suppliers or their
billing agents) are submitting the 8-digit date fields. Fifty-
eight percent of Part A submitters (hospitals and other
institutions or their billing agents) that submit claims
electronically are also using the 8-digit fields.
It is essential that all providers address the Year 2000
issue. Thus, we recently announced that we would require all
submitters to start using the 8-digit date formats by April 5,
1999. Claims received on or after that date without the new
formats will not be accepted. That does not mean that providers
need to be fully compliant by April 5, but it does mean that we
want to be assured that they have begun working on their
systems by, at least, having taken this first step.
As mentioned earlier, we will be ready to process claims,
but providers need to be able to submit correct claims. And, we
are concerned that providers address other Year 2000 issues as
well, not just their billing system issues. Providers must take
appropriate Year 2000 remediation steps with other systems,
such as clinical systems, and their biomedical devices to
ensure continued high quality patient care.
Protecting Beneficiaries
I must stress our concern must always be focused first and
foremost on protecting the beneficiaries and their continued
access to care. Providers who fail to fix their own systems,
and thus are unable to bill us for services, are strictly
prohibited from billing beneficiaries. Beneficiaries are
legally protected from liability for bills that Medicare would
ordinarily pay, even if the provider is not Year 2000
compliant. To safeguard beneficiaries in the new millennium, we
will provide them with a phone number to call to report any
inappropriate billings they receive from providers or any
difficulties they encounter in accessing care. Our
beneficiaries are counting on us. Their health care needs will
continue regardless of what day it is.
Provider Outreach
Due to the critical need for providers to become Year 2000
compliant, we have launched a broad outreach campaign. Last
month, in an unprecedented step, we mailed a letter to all 1.3
million providers serving our beneficiaries explaining the
gravity of the Year 2000 problem and providing a checklist for
what must be done to achieve compliance.
Our provider outreach campaign features a special Year 2000
Internet site, www.hcfa.gov/Y2K, which includes some of the
basic steps that can be taken by a Medicare provider or
supplier, such as:
Preparing an inventory of hardware and software
programs and identifying everything that is mission-critical to
their business operations.
Assessing the Year 2000 readiness of their
inventory as well as options for upgrading or replacing
systems, if necessary.
Updating or replacing systems important to
business operations, if necessary.
Testing existing and newly purchased systems and
software and their interfaces.
Developing business continuity plans for
unexpected problems.
The Internet site also includes links to other essential
sites for providers, such as the Food and Drug Administration's
Internet site on medical device compliance.
We have developed a speakers' bureau with staff trained to
make presentations and answer questions on Year 2000 issues all
around the country. We are leading the Health Care Sector of
the President's Council on Year 2000 Conversion, which includes
working closely with provider trade associations and public
sector health partners to raise awareness of the millennium
issue and encourage all providers to become compliant. And our
claims processing contractors are offering providers Year 2000
compliant electronic billing software for free or at minimal
cost.
I was pleased that some provider associations have recently
announced their intention to assess the Year 2000 readiness of
their membership and to step up educational efforts on the
critical nature of this problem. This is an essential
undertaking. Quite simply, Year 2000 compliance cannot be a
one-way street. Providers also must meet this challenge head
on, or risk not being able to receive prompt payment from
Medicare, Medicaid, or virtually any other insurer.
We welcome Congress' help in making providers aware of the
Year 2000 and energizing them to address their part of the
problem. I invite you to help us identify opportunities to get
the Year 2000 message across and encourage you to stress the
importance of this issue when you meet with providers. As I
mentioned previously, we have established a special Year 2000
speakers' bureau with staff around the country prepared to
speak and offer guidance. You may want to have them join you
when you meet with providers, and let others know that they are
available.
States' Progress
Our concern for States is as great as our concern for
providers. For both, we do not have the authority, ability, or
resources to step in and fix their systems for them. Our ten
regional offices are monitoring the status of each State's
remediation effort. We also have an expert IV&V contractor,
TRW, to assist us in conducting on-site visits in every State
to provide advice and validate assessments so that we can
maintain an accurate picture of each State's progress. We have
already done on-site visits in 13 States and the District of
Columbia and expect to visit the remaining States by the end of
April. The preliminary reports confirm earlier work by the GAO
which strongly suggests that some States may not be ready on
time.
We have asked all Medicaid and CHIP Directors to:
report the status of their Year 2000 compliance
efforts;
document contingency plans for systems that may
not be compliant;
and provide updates to HCFA's regional offices on
States' progress.
It is each State's responsibility to take the steps it
believes are appropriate to meet the needs of its Medicaid and
CHIP beneficiaries. Our primary role is to assess, as best we
can, each State's progress and to provide guidance. While we do
not have the authority, ability, or resources to fix State
systems, we can and do want to help. Besides furnishing the
services of TRW, we have developed technical assistance
documents, and we have held regional meetings and workshops for
States on how to develop contingency plans. We know that States
and Congress share our goal of protecting all our beneficiaries
throughout the millennium transition.
Contingency Planning
Although we fully intend to have our own systems ready long
before January 1, 2000, we know we must be prepared in case any
unanticipated problems arise. We are undertaking an extensive
effort to develop contingency plans for all our mission-
critical business processes. Our top priorities in developing
these plans are to:
process claims so as to be able to pay providers
promptly;
prevent payment errors and potential fraud and
abuse;
ensure quality of care; and
enroll beneficiaries.
Contingency planning is an Agency-wide effort with active
participation of all of our most senior executives. We are
closely following the GAO's advice on contingency planning
which they outlined in their August 1998 guidance, Year 2000
Business Continuity and Contingency Planning and in their
September 1998 report, Medicare Computer Systems--Year 2000
Challenges Put Benefits and Services in Jeopardy .
We recently completed the second phase of the contingency
planning process by reviewing 280 Medicare business processes,
performing risk and impact analyses, and identifying the
potential impact of mission-critical failures. We are now in
the third phase wherein we will explicate and document our
contingency plans and implementation modes, define events that
will trigger use of the plans, as well as establish and train
implementation teams should the need arise to execute the
plans.
We expect to complete this third phase of contingency
planning in March 1999. By the end of June 1999, our draft
contingency plans will be validated, reviewed, and finalized.
We anticipate completing our agency-wide plan by July 1999,
three months ahead of the date recently recommended by GAO.
Budgetary Needs
The Year 2000 problem is not static. We are obligated to
perform rigorous testing because of the extent of our reliance
on information systems. Efforts to solve one element of the
problem often uncover other problems. This makes it challenging
to determine our budgetary requirements. As you know, we
previously have had to request additional funding and redirect
existing funding to meet these changing demands.
In fiscal year 1998, we received $107.1 million in funding
for millennium activities. This funding included a $15 million
appropriation; an additional $30 million that was transferred
from other agency projects; $20 million in redesignated funds
originally appropriated for systems transitions; and $42.1
million made available by the Department of Health and Human
Services (HHS) through the Secretary's one percent transfer
authority. Through very careful financial management and a keen
recognition of the importance of the Year 2000 effort, we
actually obligated approximately $148 million in fiscal year
1998 on Year 2000 activities: $130 million on external systems
and $18 million on internal systems.
Thanks to your support in the fiscal year 1999
appropriations process we are making significant progress
toward obtaining the funding needed to support all of our Year
2000 efforts. We received $82.5 million in our appropriation
for this year. The Office of Management and Budget (OMB), with
Congressional concurrence, transferred an additional $205.1
million from the Year 2000 emergency fund. This funding
provides a total of $287.6 million to support our Year 2000
efforts in fiscal year 1999. We plan to use FY 1999 as well as
FY 2000 funding to increase our contingency planning efforts by
developing, testing and rehearsing contingency plans.
The President's Budget request for FY 2000 includes an
additional $150 million for our Year 2000 effort. In addition
to funding our contingency planning efforts, a large portion of
this funding will support outreach, continuing external systems
remediation, and increases in billing and communications
activities at our contractors. Increased public awareness of
the Year 2000 and concern about potential problems, coupled
with possible disruptions in claims processing, may increase
the number and cost of paper and duplicate claims, the level of
inquiries from beneficiaries and providers, as well as related
printing and postage costs. This funding will help us and our
contractors meet these anticipated challenges.
It is important to note that because our systems are highly
automated and the majority of our processes are completed
electronically, we are performing far more rigorous Year 2000
testing than many businesses. Many businesses are not testing
their systems for future dates and they will not know with
certainty if their systems will operate in the Year 2000. HCFA
will. Our testing regimen is far more rigorous than the
industry standard, with multiple layers of testing, including
regression testing, testing in a simulated Year 2000
environment, and testing our entire systems in an actual Year
2000 environment.
In addition to the extensive tests performed by those who
actually maintain the system, we also are requiring independent
testing of our most critical systems and additional oversight
by an IV&V contractor. This coming year we expect to perform
extensive validation and recertification of these critical
systems to ensure that changes made during 1999 do not affect
our Year 2000 renovations. Although this additional testing and
validation significantly increases the time required for and
the cost of certifying the Medicare systems, we know that we
simply cannot afford to fail and are doing everything within
our power to ensure that we do not.
Our systems are not only complex in their own right, they
also require extensive data exchanges with more than one
million partners, such as providers, banks, and vendors. We
must guarantee that all of our renovated systems work with all
of these partners. And so we must conduct data exchange tests
with the provider community to ensure that we can exchange the
transactions required for electronic commerce.
Conclusion
We have made remarkable progress in our Year 2000
compliance effort and have taken critical steps to ensure that
all of our systems will be ready for the new millennium. There
is still a great deal of work to be done, but we now feel that
we are making significant progress. We will continue in 1999 to
work, test and retest our systems. But I must reiterate our
concern with the progress of some States and providers in
meeting their own Year 2000 challenges. We are committed to
providing all the assistance we can, but in some cases that may
not be enough. We all share a common goal of guaranteeing that
our systems and programs function in the new millennium. I
thank you for your attention to this essential issue, and I am
happy to answer any questions you may have.
Chairman Archer. Well, Ms. DeParle, the Chair is imminently
aware of the difficulty of the job that you have. The IRS is
very, very tough and in a way bigger, but I don't think there's
anything that is more difficult to manage than what you have to
do. And we as the Congress want to cooperate with you in every
way that we can.
I'm going to ask you the same questions that I've asked the
other witnesses. They're both very brief. Are you confident
that when January the 1st rolls around that HCFA will be able
to perform its essential functions and services?
Ms. DeParle. Yes, sir, I am.
Chairman Archer. All right. So you think you'll be able to
handle the Y2K problem?
Ms. DeParle. Yes, sir, I do.
Chairman Archer. All right. And that reimbursements to
providers will occur in a timely fashion?
Ms. DeParle. Yes.
Chairman Archer. And has the Congress given you adequate
resources in order to remediate any Y2K problems?
Ms. DeParle. Yes, you have. And I want to say again I
appreciate the work that the Congress has done toward that end.
Chairman Archer. OK. Thank you very much. Are there any
other questions of Ms. DeParle? Yes, Mrs. Johnson?
Mrs. Johnson of Connecticut. Thank you, Mr. Chairman. The
GAO will testify that your progress has been overstated because
you relied too much on self-certifications and that the
independent contractor that you hired has found that most of
the contractor self-certifications will need major to moderate
level of effort to resolve. In other words, that the
certifications were overstated and there's still work to be
done, anywhere from major to moderate. You implied that work is
proceeding. At what pace is it proceeding and when do you think
you will start the end-to-end testing?
Ms. DeParle. We're already doing end to end testing in some
cases, and we'll be in the thick of it throughout the spring
and we'll finish some time this summer.
Mrs. Johnson of Connecticut. You'll finish end to end
testing some time this summer?
Ms. DeParle. Yes, but then we'll probably do another round
of it because, as you know, one of the challenges that we face
is that there are changes continually made to the way we pay
claims and to systems that have to do with implementation, for
example, of changes in the law. As I mentioned, and, as you
know, we've had to delay some of those changes because they
were too complicated and would have gotten in the way of the
work.
Mrs. Johnson of Connecticut. Right.
Ms. DeParle. But, for example, the system that maintains
the names and eligibility of Medicare beneficiaries is called
the common working file. And we'll be updating that throughout
the year. So it won't be until the fall that we freeze all of
that work and do final end to end testing.
Mrs. Johnson of Connecticut. Great. In discussing this with
the Social Security Administration, when they did their first
round of end-to-end testing, they discovered some problems. And
that's why you do it, you find out. And the second round they
found less. But where are you in that process?
Ms. DeParle. I'm going to ask Dr. Christoph?
Mrs. Johnson of Connecticut. How many problems did you find
the first time through? How long did it take to correct those
problems? And what was the situation with the second round of
testing?
Mr. Christoph. Well, actually we've done a complete round
of testing with the majority of contractors, I would say about
70 of them, as part of our certification process. We've gone
through three levels of testing, the last round of which was
integrated or end-to-end testing. And we've already gone
through that round. All of the problems that they've found have
been fixed or will be fixed by the end of March. So we've gone
through one full cycle at this point. And then the second round
will occur starting July 1 and we've allowed 4 months for this.
Mrs. Johnson of Connecticut. And on your contingency plans,
particularly in terms of payments, have you given any thought
to the possibility of providing the equivalent of MIP payments
to hospitals so that before the turn of the year they have a
lump-sum payment which then they can rectify after the term of
the year in case the system doesn't work. To large recipients
of Medicare payments, inability to pay would be an absolute
disaster. Is that kind of pre-payment plan, which we have used
in Medicare over many years very satisfactorily, is that any
part of your contingency planning and can hospitals through
that mechanism rely, A, on payment and, B, on timely updates?
Ms. DeParle. Well, first of all, as I've discussed with
you, Mrs. Johnson, we want providers to all be ready. And that
is a big part of our effort right now. And I appreciate the
help that you've provided up in Connecticut, with a State which
is already, in fact, ahead of most of them in terms of its
providers being ready. We are looking at a number of different
possible contingency scenarios. The one you described is one of
them. But I want to stress that we think the most important
thing is for all providers to try to get ready. We don't want
to provide right now some sort of a fix that might incentivize
some providers to think, ``Well, I don't have to get ready for
this. I won't make the investment.'' But we are looking at all
those kinds of contingencies and would be happy to discuss
those with the Committee.
Mrs. Johnson of Connecticut. Thank you. Thank you,
Administrator DeParle.
Chairman Archer. Mr. Houghton, do you have any questions?
Mr. Houghton. No.
Chairman Archer. Mr. Foley.
Mr. Foley. In following up on Mrs. Johnson's questions, one
thing came to mind because you're going to be integrating a new
system clearly with a lot of providers trying to log on and
communicate with your organization. Have you considered
minimizing the changes to the system, the technical side, but
to the codings and the reimbursements in the period with which
you are then transitioning?
Ms. DeParle. Not only have we considered it, but, as I
mentioned, we had to make some tough decisions last year. We
have been in the process of implementing the 300-plus
provisions of the Balanced Budget Act and because of the
scenario you described, which is that it is difficult to make
these kind of changes and to make sure they're going to work at
the same time you're changing coding and changing other things
to implement new payment methodologies prescribed by law. The
independent verification and validation contractor recommended
to me that we stop implementing some of the provisions of the
Balanced Budget Act. And so we had to do that in order to
minimize the kinds of changes that you're talking about because
you're exactly right, they can pose problems if you're trying
to make renovations and testing a system.
Mr. Foley. Because it seems one of the greatest complaints
I get from providers is the fact that they're constantly being
inundated with changes in the system. That's a fundamental
problem to begin with. But then you lump in there compliance
requirements for the Y2K, and so you've compounded what could
be a disastrous consequence. And I think Mrs. Johnson mentioned
and alluded to if the payments are then withheld, then the
providers themselves can't meet their own obligations. And we
see something spiraling terribly out of control.
Ms. DeParle. Well, the good news actually that I have to
report is that as of January, the majority of claims submitters
now are submitting compliant eight-digit date claims, which
means that they at least are capable of submitting the claims
with the four digits for the year, which is what they need to
do. When I last talked to the Committee, it didn't look as
good. Right now, for part A claims submitters, such as
hospitals, 58 percent of them are already submitting claims in
the proper format. And for Part B claims submitters, such as
doctors, it's more than 98 percent. So we regard that as good
news of their progress. But you're exactly right that it's
difficult for them to make all these other changes at the same
time they're trying to get their systems ready.
Mr. Foley. What do you see as the major risks remaining
right now going into that final stage?
Ms. DeParle. I think the one that I just alluded to, which
is that some providers may not make the changes they need to
make. And we are working, as you know, we've sent out a letter
to all 1.3 million Medicare providers, which is I think
unprecedented. We don't deal directly with the providers. But
we did it this time, in January, because we wanted to make sure
that they were aware of the problem and knew what they needed
to do to fix it. We're also allowing them to do testing of
their claims in a future date environment if they want to. But
one thing that the Members of Congress can do is to help us to
get the word out; and we've offered to send speakers to your
districts or do whatever we can to make sure that providers get
ready.
Mr. Foley. Final follow-up. The question you mentioned
about the delaying implementation of the requirements of the
Balanced Budget Act, the good news is you're saying we're going
to be compliant and probably ready to meet our expectations.
The bad news is we'll probably overshoot the budget?
Ms. DeParle. Well, actually it turns out that most of the
provisions that we're delaying aren't provisions that had
significant savings or if they were, they're being delayed by a
few months. And then, of course, the Committee last year dealt
with one of them, which I appreciate, which was the home health
problem, which we would have lost savings if we had not been
able to implement that. And the Committee dealt with that last
year.
Mr. Foley. Thank you, Mr. Chairman.
Chairman Archer. Mr. Tanner.
Mr. Tanner. Thank you very much, Mr. Chairman. I'm glad to
see Ms. DeParle here. She is from Tennessee. And we've been
friends for a long time. You alluded to the progress that has
been made over the last 12 months. And could you expand on that
because last year I know that there was some concern about
where we might be now. And did I hear correctly 58 percent of
the hospitals are now using----
Ms. DeParle. Yes, that's right. Our most recently available
statistics show that 58 percent of Part A claims submitters,
such as hospitals, are submitting claims in the 8-digit date
compliant format. Now that doesn't mean that all their billing
systems have been fixed, but it means they know how to submit a
Medicare compliant claim, which I think is a good sign of
progress.
Mr. Tanner. Your agency probably much more than any other
Federal agency depends on data from States. How are we doing
there with the interface that will have to take place on all of
that data exchange?
Ms. DeParle. Well, last I guess late summer or early fall,
we were concerned about the data we were getting from States
about their Y2K readiness. As most members know, and I know you
know, the Federal Government pays for half of their costs for
running their systems. And we would pay for them to have
independent verification and validation folks to come in and
look at their systems. But most of them weren't doing that. So
we decided last fall to hire an IV & V contractor to go out to
the States and look at them. And we've now completed I think 14
site visits. Tennessee is not one of them yet. They're
scheduled for a future month. By the end of April, we'll have
been into every State and the District of Columbia.
And we're looking at two things, one is what's called the
MMIS, which is the Medicaid Management Information System. That
is the way they pay claims in the States. The other is the
eligibility system. And in general what we're finding is
consistent with what the GAO found when they looked at self-
reported data in November, which is that most States'
eligibility systems are in pretty good shape. There is a more
mixed story on the side of the claims payment system. And there
are a few States that appear to behind schedule. There are
others that appear to be making good progress. And we are now
engaging with those States to make sure that their Medicaid
directors and their Governors and State officials are aware of
the problem.
Mr. Tanner. Is there anything we can do to help in that
regard, that the Congress could do?
Ms. DeParle. Well, at the appropriate time. We have sent
out the information to each of the States and we've asked them
to give us back any of their comments. At the appropriate time,
I would like to share with you where the States are because I
think members need to know that.
Mr. Tanner. Yes and maybe we could help if necessary.
Ms. DeParle. Thank you.
Mr. Tanner. Thank you. Mr. Chairman, I yield back.
Chairman Archer. Are there any other further questions? Ms.
DeParle, thank you very much. Dr. Christoph, thank you for
being with us. We appreciate your input.
Ms. DeParle. Thank you, Mr. Chairman.
Chairman Archer. Our next panel is Mr. Fred Brown, Mr.
Donald Palmisano, I'm sorry, Dr. Donald Palmisano, Curtis Lord,
Diane Archer, and Joel Willemssen.
I've never met Ms. Archer but I wonder if we might be
distantly related because my family originally settled at
Fordham Manor when they came over from England in the New York
area. And maybe we'll research that somewhere down the line.
Mr. Brown, I would like for you to be our first witness if
you will. And if you will identify yourself for the record, you
may proceed?
STATEMENT OF FRED BROWN, VICE CHAIRMAN, BJC HEALTH SYSTEMS, ST.
LOUIS, MISSOURI, AND CHAIRMAN, BOARD OF TRUSTEES, AMERICAN
HOSPITAL ASSOCIATION
Mr. Brown. Thank you, Mr. Chairman.
Chairman Archer. And I think you probably heard the general
ground rules, try to keep your verbal testimony within 5
minutes and your entire written statement will be printed in
the record without objection. You may proceed.
Mr. Brown. Realizing this is the last panel of a long day.
I am Fred Brown, vice chairman of BJC Health System in St.
Louis, a regional system serving eastern Missouri and southern
Illinois; and chairman of the board of trustees of the American
Hospital Association. I am also part of the Senior Advisors
Group of the President's Council on the Year 2000 Conversion,
representing the hospital field. And I'm here today on behalf
of the AHA's nearly 5,000 hospitals, health systems, networks,
and other providers of care.
The AHA's goal is to help America's hospitals meet the year
2000 challenge. Our focus has been and will continue to be
patient care. And our efforts continue to evolve. We began by
building awareness and we have attempted to help provide
hospitals the tools they need to examine their operations and
make changes when necessary.
Last summer, the AHA conducted an informal survey of how
prepared our members were for the turn of the century. The
nearly 800 responses suggest that hospitals and health systems
were diligently working to prepare for the year 2000. Seventy-
seven percent had developed a plan of evaluation and action.
Eighty-nine percent had already inventoried existing equipment.
Seventy-six percent had survey vendors and manufacturers to
identify year 2000 compliant equipment. Eighty-three percent
had begun making existent equipment, hardware, software, and
data sources year 2000 compliant. And eighty-one percent
projected that year 2000 solutions would be complete in 1999.
What are the costs of these efforts expected to be? The
bottom line is America's hospitals and health systems expect to
spend somewhere around $8 billion to become Y2K compliant. And
much of that $8 billion will be spent this year. And this
presents an immense challenge because the spending comes on top
of significantly declining Medicare reimbursement.
Regardless of how much is accomplished before December 31,
1999, meeting the Y2K challenge also requires being prepared
for the unknown. And that gets me to the current phase of the
AHA's Y2K efforts: contingency planning.
Contingency planning means asking and answering all the
``what if '' questions. These efforts need to be both internal,
within hospital facilities, and external, within communities.
This includes everyone that the hospital depends on, the
medical equipment manufacturers, the power companies, and
telecommunication companies. It also includes those who depend
upon the hospital, like participants in the communities
emergency services network.
We followed up in early March by distributing to each of
our AHA members how-to materials for hospital contingency
planning that stress the need for hospitals to plan with their
community partners how to handle the Y2K induced losses or
disruptions. In addition, the AHA is working with the Federal
Emergency Management Administration to coordinate emergency
preparedness efforts at a national level with contingency
planning taking place at individual hospitals and local
communities.
I applaud the efforts of the Health Care Financing
Administration in their discussions about contingency planning.
And as HCFA has indicated, they are confident that their
payment mechanisms will not be affected by the millennium bug,
but unforeseen problems could occur. It's imperative that
there's communication between HCFA, HHS, and the hospital
industry and providers to establish a fail-safe contingency
plan. We're willing to continue to work and cooperate with HCFA
to ensure that these concerns about the year 2000 are
adequately addressed.
Medicare beneficiaries healthcare needs will remain
constant regardless of how well we prepare for the year 2000
problems. If carrier and payment systems are affected by the
millennium bug, hospitals' ability to continue providing high-
quality healthcare could be severely affected. A system of
advance payments based on past payment levels is one way this
could be prevented and will ensure that hospitals have the
resources necessary to care for Medicare patients in the event
of any Y2K disruption.
We urge that this continually be monitored and there be
appropriate legislation authorizing such a system and have HCFA
make its contingency plans public.
Mr. Chairman, American hospitals and health systems, their
State associations, and the AHA are partners in the effort to
prepare for the year 2000. We encourage Congress and our
Federal agencies to work with us as well and we'll continue to
cooperate with all the agencies to ensure a smooth and healthy
transition into the new millennium.
This concludes my remarks, and I will be glad to answer any
questions.
[The prepared statement follows:]
Statement of Fred Brown, Vice Chairman, BJC Health Systems, St. Louis,
Missouri, and Chairman, Board of Trustees, American Hospital
Association
Mr. Chairman, I am Fred Brown, vice chairman of BJC Health
Systems in St. Louis and chairman of the Board of Trustees of
the American Hospital Association (AHA). I am here on behalf of
the AHA's nearly 5,000 hospitals, health systems, networks, and
other providers of care. I am also privileged to be a Senior
Advisor to the President's Council on Year 2000 Conversion,
representing the hospital field.
The AHA and its members are committed to taking whatever
steps are necessary to prevent potential Year 2000 problems
from interrupting the smooth delivery of high-quality health
care. We appreciate this opportunity to update you on our
efforts, to outline the role that the AHA has taken in aiding
the health care field, and to highlight some areas in which the
government and its agencies can help as they play their
critical roles in this historic effort.
Progress on Y2K Compliance
The AHA last summer conducted an informal survey of how
prepared our members were for the turn of the century. The
nearly 800 responses suggest that hospitals and health systems
are diligently working to prepare for the Year 2000, and are
committed to the smooth delivery of patient care without
interruptions. Respondents represented individual hospitals and
multi-hospital systems in urban and rural areas. Some
highlights:
77% had developed a systematic plan of evaluation
and action.
89% had already inventoried existing equipment.
76% had surveyed vendors/manufacturers to identify
Year 2000-compliant equipment.
83% had begun making existing equipment, hardware,
software and data sources Year 2000 compliant.
81% projected that their Year 2000 solutions would
be complete in 1999.
I'll use my organization, BJC Health System in St. Louis,
to personify what these statistics mean. At BJC, Y2K has been
the focus in the information systems department for more than
18 months. The first priority of all Y2K projects is, of
course, any equipment that is directly related to patient care.
We feel comfortable with our progress so far. We will continue
working diligently throughout 1999 to ensure that the Year 2000
change occurs with minimal disruption in our facilities. Since
the last half of 1997, our information services department's
primary focus has been Y2K. Dozens of individuals have been
solely dedicated to examining computer codes, programs and
computer-assisted medical devices to ensure that they will work
in the new millennium. Along with information services, BJC's
material services department is playing a critical role in our
Y2K compliance. Materials services is primarily working with
vendors and their related equipment, and with clinical
engineering, which oversees all patient-related equipment in
BJC's hospitals and facilities.
The Costs of Compliance
What are the costs of Y2K compliance expected to be? The
AHA is releasing today a new survey that looks into that
question. The survey was sent to 2,000 hospital and health
system CEOs early last month. Five hundred and six surveys were
returned, an excellent 25.3 percent response rate. The results,
quite frankly, point to a huge financial investment by
hospitals and health systems. The bottom line is that America's
hospitals and health systems expect to spend somewhere around
$8 billion to become Y2K compliant.
Smaller hospitals, those with fewer than 100 beds, will
spend close to $1 billion on Y2K fixes, or an average of
$435,000 each. Hospitals with between 100 and 300 beds will
spend $2.5 billion, an average of $1.2 million each. Hospitals
with 300-500 beds will spend nearly $2 billion, or $3.4 million
each. The largest amount of spending, $2.2 billion, will occur
at hospitals that have more than 500 beds.
Much of the $8 billion that hospitals expect to spend on
Y2K compliance will be spent this year. This presents an
immense challenge, because that spending comes on top of
significantly declining Medicare reimbursement brought by the
Balanced Budget Act (BBA) of 1997. The BBA reduced payments to
hospitals by $44.1 billion over five years. Further reductions,
like those proposed in the Administration's recent budget
proposal, would make a terrible burden even more onerous.
The Role of AHA and Other Associations
Hospitals and health systems face the same kinds of Y2K
concerns as other critical sectors of our nation. However,
hospitals are unique. They have a special place in America's
social services safety net. Every community in America relies
on its local hospital to be ready to provide high-quality
health care services on demand, 24 hours a day. It is therefore
very important that the public understand that hospitals have
been very aggressive in their efforts to ensure the seamless
delivery of health care services before, during, and after the
turn of the century. And it is important for hospitals to have
a contingency plan in place.
Protecting Public Confidence, Staying Abreast of Progress
The AHA, in collaboration with our state, regional and
metropolitan associations and other key strategic partners, is
working hard to stress to our member hospitals the importance
of managing the Y2K issue from a public confidence perspective.
We are developing tools to counsel hospitals and health systems
about how to talk with the public about Y2K and health care. A
Y2K Communications Action Kit is being developed that will be
distributed in early March to all our state associations, which
they will then distribute to our members. Our members will be
urged and encouraged to adapt the materials in the kits for use
in their communities. The kit will include tools and samples of
how to communicate to various audiences about the Y2K issue.
We are continuing our efforts to make sure that hospitals
and health systems have the latest information on what their
colleagues and other organizations are doing to address the Y2K
problem. And we are helping them learn about potential
solutions.
Our State Issues Forum, which tracks state-level
legislative and advocacy activities, is hosting biweekly
conference calls dedicated entirely to the Year 2000 issue. On
these calls, state hospital association and AHA staff share
information. A special AHA task force on the Year 2000 problem
has been drawing up timelines for action to make sure our
members get the latest information and know where to turn for
help.
Articles are appearing regularly in AHA News, our national
newspaper, in Hospitals and Health Networks, our national
magazine for hospital CEOs, in Trustee, our national magazine
for volunteer hospital leadership, and in several other
national publications that are published by various AHA
membership societies. Several of these societies, such as the
American Society for Healthcare Engineering and the American
Society for Healthcare Risk Management, are deeply involved in
helping their members attack the millennium bug in their
hospitals.
In addition, the AHA Web site has become an important
clearinghouse of information on the Year 2000 issue, including
links to other sites with information that can help our
members.
Contingency Planning
The AHA believes that the best approach for hospitals to
manage potential disruptions on January 1, 2000, is to
anticipate them. Specifically, it is incumbent upon hospitals
to prepare now to respond to the potential loss or disruption
of any essential hospital processes or services. These efforts
need to be directed both internally across hospitals'
facilities, and externally within communities. This would
include working with such entities as utility companies,
emergency medical services, and other health care providers.
The AHA, along with state, regional and metropolitan
hospital and health system associations, is working hard to
make sure that America's hospitals and health systems are
informed about, educated on, and assisted with Year 2000
contingency planning. We recently distributed to every AHA
member an executive briefing on hospital contingency planning.
This briefing emphasizes the interdependent nature of health
care, and stresses the need for hospitals to plan in advance,
with their key partners, how they will handle potential Y2K-
induced losses or disruptions.
This executive briefing will be followed up in early March
by ``how-to'' materials for hospital contingency planning,
including a business continuity planning guide and a set of
alternate operating procedures that address the most mission-
critical processes of hospitals. The AHA also is working with
the Odin Group's VitalSigns 2000 project, which draws on
leadership from health care provider, payer, pharmaceutical,
and supplier sectors to develop a pamphlet that will help
consumers understand Y2K and health care.
In addition, the AHA will be working with the Federal
Emergency Management Administration to coordinate emergency
preparedness efforts at a national level with contingency
planning taking place at individual hospitals in local
communities. At a meeting scheduled for March, we will bring
together representatives of major health systems and health
care manufacturing and supply companies to discuss how we can
provide guidance to the health care field on issues related to
Y2K preparedness and concerns about health care equipment and
pharmaceutical supply and stockpiling.
The Role of the FDA
Of course, if hospitals are to communicate realistically
with their communities about Y2K readiness, they must receive
realistic communications from manufacturers about the Y2K
readiness of medical devices and equipment. While health care
providers can inventory their thousands of devices and pieces
of equipment, the information about whether these devices are
Year 2000-compliant must come from the manufacturers. Several
organizations, both public and private, have undertaken
concerted efforts to collect this information. Key among them
are the Veterans Administration, the Food and Drug
Administration (FDA), and a consortium of state hospital
associations and the AHA, through the Security Third Millennium
product. The AHA has urged the FDA to play a lead role in
getting manufacturers to report on the Y2K compliance of their
products, and the FDA has responded. The Center for Devices and
Radiological Health (CDRH), the arm of the FDA responsible for
regulating the safety and effectiveness of medical devices, has
taken a number of steps to ensure that manufacturers of medical
devices address potential Year 2000 problems. We commend the
center for its actions. And we commend the many manufacturers
that have made available important information about their
products' Y2K status.
However, some of the information that has been reported has
not been reported in a way that is helpful. Therefore, the FDA
must require manufacturers to improve the quality of
information that hospitals receive. This involves important
issues such as good descriptions of how a product might be
affected if it is not Y2K compliant. It also includes ensuring
that manufacturers specifically report which of their devices
and products are Y2K compliant, instead of just reporting about
those products that may not yet be compliant.
We also urge the FDA to take further steps in two specific
areas. The first is to mandate that non-reporting manufacturers
report on the Y2K readiness of their products. The second is
for the FDA to adopt a rumor control function. There are a lot
of rumors and anecdotal stories about the implications of the
turn of the century being spread--on the Internet, for
example--that need to be reined in. We urge the FDA to
establish itself as the place where people go to get the truth.
The Role of HCFA
On average, America's hospitals and health systems receive
roughly half of their revenues from government programs like
Medicare and Medicaid. If that much revenue were to be suddenly
cut off, hospitals could not survive, and patient care could be
jeopardized. Hospitals would not be able to pay vendors. They
would not be able to purchase food, supplies, laundry services,
maintain medical equipment--in short, they would not be able to
do the job their communities expect of them. All this would
occur even as hospitals and health systems faced the
substantial costs of addressing their own Year 2000 system
needs--costs that are not recognized in the calculation of
current Medicare payment updates.
We applaud the Health Care Financing Administration's
(HCFA) announcement that the Fiscal Year 2000 PPS update will
no longer have to be delayed while the agency prepares its
computer systems for Y2K. We congratulate the agency's
personnel for tackling the problem in such a way that it
apparently will no longer require nearly $300 million in
payment updates to be held back from the hospitals that need
them. However, our congratulations are tempered by our concern
that HCFA has not yet announced that it has an adequate
contingency plan in place.
Even if HCFA and its contractors express confidence that
their payment mechanisms will not be affected by the millennium
bug, unforeseen problems could crop up. Therefore, it is
imperative that HCFA establish a fail-safe contingency plan in
case HCFA or its contractors' payment mechanisms somehow fail
at the turn of the century. We have offered to work with HCFA
to ensure that these short-and long-term concerns about the
Year 2000 are adequately addressed.
Medicare beneficiaries' health care needs will remain
constant, regardless of how well we are prepared for Year 2000
problems. If carrier and fiscal intermediary payment systems
are clogged up by the millennium bug, hospitals' ability to
continue providing high-quality health care could be severely
affected. A system of advance payments, based on past payment
levels, is one way that this could be done. It would ensure
that hospitals have the resources necessary to care for
Medicare patients. We urge Congress to enact legislation to
authorize such a system, and require that HCFA subject such
contingency plans to public comment.
HCFA also must make sure its contractors--including
Medicare+Choice plans--take steps to ensure that their
performance will not be interrupted by Year 2000 problems
caused by the millennium bug. HCFA should make readily
available its work plan, and progress reports, for bringing the
contractors and Medicare+Choice plans into compliance and
monitor their efforts. Letting providers know what changes may
be required of them is also important. This would allow
providers, contractors and plans to prepare simultaneously and
ensure that their systems are compatible.
It is important to note that Medicare is not the only payer
for hospital services. Similar payment delays could occur if
private health insurers and, in the case of Medicaid,
individual states, have not addressed their own Year 2000
problems. HCFA has the authority and leverage to prevent this
from happening, and we urge the agency to exercise that
authority.
The Role of Congress
As I have described, health care providers and the
associations that represent them are devoting significant time,
resources and energy to preventing potential Year 2000 problems
from affecting patient safety. It is essential that we all look
for ways to help prepare America's health care system for the
turn of the century, and Congress can play an important role.
Your attention to this issue, through hearings such as this,
reflects your understanding of the gravity of the situation.
One major step toward Y2K compliance occurred when Congress
passed its ``Good Samaritan'' legislation. By shielding from
liability the sharing of information among businesses that
provide it in good faith, this law encourages all parties--
providers, suppliers, manufacturers, and more--to work
together.
We ask you to help America's health care system avoid Year
2000 problems by taking several other steps:
Congress should provide the FDA with any
additional authority it needs to mandate reporting by
manufacturers.
Congress should authorize advance payments under
Medicare. These payments, based on past payment levels, should
be implemented to ensure adequate cash flow for providers in
case carrier and fiscal intermediary payment systems fail due
to the date change. Congress also should ensure that HCFA has
adequate funding to ensure Y2K compliance, including the
testing needed to demonstrate that the claims processing and
payment systems work for the government, providers,
contractors, and beneficiaries alike.
There has been some talk of the need for a
contingency fund to be created, from which states (in the case
of Medicaid, for example) or hospitals could draw monies needed
to continue operating in case of a Y2K disruption. We would be
glad to be a part of any discussions concerning how such a fund
should be set up.
Mr. Chairman, the Year 2000 issue will affect every aspect
of American life, but few, if any, are as important as health
care. America's hospitals and health systems, their state
associations, and the AHA are partners in the effort to prepare
for the Year 2000. We encourage Congress and our federal
agencies to work with us as well. Together, we can ensure a
smooth--and healthy--transition into the new millennium.
[Attachment is being retained in Committee files.]
Chairman Archer. Thank you, Mr. Brown.
Dr. Palmisano, if you'll identify yourself for the record,
you may proceed?
STATEMENT OF DONALD J. PALMISANO, M.D., J.D., MEMBER, BOARD OF
DIRECTORS, AND CHAIR, DEVELOPMENT COMMITTEE, NATIONAL PATIENT
SAFETY FOUNDATION, AND MEMBER, BOARD OF TRUSTEES, AMERICAN
MEDICAL ASSOCIATION
Dr. Palmisano. Thank you, Mr. Chairman. My name is Dr.
Palmisano. I am a board member of the American Medical
Association, and I want to thank you for inviting me to testify
today.
The year 2000 problem will affect virtually all aspects of
the medical profession, most especially patient care. By nature
of its work, the medical profession has to rely heavily on
technology. Most all physicians use computers in their
practices. They do so for scheduling, reimbursement, and
increasingly for more clinical functions, such as logging
patient histories. Patients and physicians also rely on medical
equipment with embedded micro-chips.
With this reliance comes the risk of malfunctions due to
the Y2K bug. Imagine for a moment yourself as the patient. How
would you feel if a device that was monitoring your heart
failed to sound an alarm when your heart slowed to a dangerous
rate or if a portable defibrillator failed to function at the
moment you went into ventricular fibrillation. Obviously, these
events would alarm you and your physician. The risk of device
malfunctions is real and it has to be anticipated and
eliminated.
Although the year 2000 problem still poses significant
risks for patient care and may adversely affect physicians'
administrative responsibilities, the good news is that the
medical profession is making significant progress. In its
efforts to assist physicians to achieve compliance, the AMA has
been focusing on three areas: education, communication, and
cooperation.
For about a year, the AMA has been educating physicians and
medical students with two of its publications, AMA News and the
Journal of the American Medical Association, JAMA. We have been
raising physicians' level of awareness of the year 2000 problem
with numerous articles on a variety of Y2K subjects from
patient safety concerns to developments in Y2K legislation. The
AMA has also launched a national campaign that focuses both on
education and communication. As part of this campaign, the AMA
has begun holding regional seminars to talk about best to work
with vendors and how to obtain necessary information about
devices that could affect patient care.
We also have made available to literally hundreds of
thousands of physicians a solutions manual entitled: ``The Year
2000 Problem: Guidelines for Protecting Your Patients and
Practice.'' And I have the manual here in my hand. And Members
of the Committee have been given a copy of this particular
manual. This booklet talks about Y2K compliance requirements,
how to obtain information about medical devices, self-
assessment programs, contingency plans, and a lot more. It also
identifies a host of other resources for physicians to obtain
help in becoming Y2K compliant.
To foster greater communication among physicians about the
Y2K problem, the AMA has established a special section on its
award-winning website: www.ama-assn.org. And we invite everyone
to visit this site. We believe this will serve as an important
interactive resource for physicians by providing regularly
updated information about the millennium bug and by enabling
physicians to assist each other in solving their Y2K problems.
The AMA is also promoting cooperation through our
involvement with the National Patient Safety Foundation. This
Foundation already coordinates efforts within the healthcare
system to try and prevent avoidable patient injuries. The AMA
launched the Foundation in partnership with other healthcare
organizations and safety experts. In addition, we helped form
the National Patient Safety Partnership, which was convened by
the Department of Veteran Affairs. It's a public-private
partnership. And this has shown particular leadership on the
Y2K problem, trying to increase the medical community's
awareness of the issues.
We might ask ourselves what more can be done? First, we
cannot become complacent. Not until we have full Y2K compliance
throughout the healthcare community, and for that matter
throughout all industries, can we claim success. Physicians and
other healthcare advocates continue to call on medical device
manufacturers to disclose immediately whether their products
will malfunction. Only they have that information. The
physicians and patients do not have the expertise or resources
to know what devices may or may not fail. We have to rely on
the manufacturers, the Congress, and the administration to
ensure that they promptly disclose this vital information.
We are aware that last year, The Year 2000 Information and
Readiness Disclosure Act was enacted into law. As Congress
considers other methods of motivating vendors to disclose
medical device information, the AMA wants to go on record as
continuing to oppose any tradeoff of liability immunity for
information disclosure.
Finally, we need to reassure patients that medical devices
will continue to work safely regardless of the year 2000. We do
not want a lack of information to cause patients to panic. The
patient has to be our number one concern in all of our Y2K
efforts.
Thank you very much, once again, for inviting me, Mr.
Chairman and Members of the Committee, to testify on behalf of
the AMA. Allow me to offer our services in working further with
the Congress to effectively address this problem.
Thanks.
[The prepared statement follows:]
Statement of Donald J. Palmisano, M.D., J.D., Member, Board of
Directors, and Chair, Development Committee, National Patient Safety
Foundation; and Member, Board of Trustees American Medical Association
Mr. Chairman and Members of the Committee, my name is
Donald J. Palmisano, MD, JD. I am a member of the Board of
Trustees of the American Medical Association (AMA), a Board of
Directors member of the National Patient Safety Foundation
(NPSF) and the Chair of the Development Committee for the same
foundation. I also practice vascular and general surgery in New
Orleans, Louisiana. On behalf of the three hundred thousand
physician and medical student members of the AMA, I appreciate
the chance to comment on the issue of year 2000 conversion
efforts and the implications of the year 2000 problem for
health care beneficiaries.
Introduction
The year 2000 problem has arisen because many computer
systems, software and embedded microchips cannot properly
process date information. These devices and software can only
read the last two digits of the ``year'' field of data; the
first two digits are presumed to be ``19.'' Consequently, when
data requires the entry of a date in the year 2000 or later,
these systems, devices and software will be incapable of
correctly processing the data.
Currently, nearly all industries are in some manner
dependent on information technology, and the medical industry
is no exception. As technology advances and its contributions
mount, our dependency and consequent vulnerability become more
and more evident. The year 2000 problem is revealing to us that
vulnerability.
By the nature of its work, the medical industry relies
tremendously on technology, on computer systems--both hardware
and software, as well as medical devices that have embedded
microchips. A survey conducted last year by the AMA found that
almost 90% of the nation's physicians are using computers in
their practices, and 40% are using them to log patient
histories.\1\ These numbers appear to be growing as physicians
seek to increase efficiency and effectiveness in their
practices and when treating their patients.
---------------------------------------------------------------------------
\1\ ``Doctors Fear Patients Will Suffer Ills of the Millennium Bug;
Many Are Concerned That Y2K Problem Could Erroneously Mix Medical
Data--Botching Prescriptions and Test Results,'' Los Angeles Times,
Jan. 5, 1999, p. A5.
---------------------------------------------------------------------------
Virtually every aspect of the medical profession depends in
some way on these systems--for treating patients, handling
administrative office functions, and conducting transactions.
For some industries, software glitches or even system failures,
can, at best, cause inconvenience, and at worst, cripple the
business. In medicine, those same software or systems
malfunctions can, much more seriously, cause patient injuries
and deaths.
Patient Care
Assessing the current level of risk attributable
specifically to the year 2000 problem within the patient care
setting remains problematic. We do know, however, that the risk
is present and it is real. Consider for a minute what would
occur if a monitor failed to sound an alarm when a patient's
heart stopped beating. Or if a respirator delivered
``unscheduled breaths'' to a respirator-dependent patient. Or
even if a digital display were to attribute the name of one
patient to medical data from another patient. Are these
scenarios hypothetical, based on conjecture? No. Software
problems have caused each one of these medical devices to
malfunction with potentially fatal consequences.\2\ The
potential danger is present.
---------------------------------------------------------------------------
\2\ Anthes, Gary H., ``Killer Apps; People are Being Killed and
Injured by Software and Embedded Systems,'' Computerworld, July 7,
1997.
---------------------------------------------------------------------------
The risk of patient injury is also real. Since 1986, the
FDA has received more than 450 reports identifying software
defects--not related to the year 2000--in medical devices.
Consider one instance--when software error caused a radiation
machine to deliver excessive doses to six cancer patients; for
three of them the software error was fatal.\3\ We can
anticipate that, left unresolved, medical device software
malfunctions due to the millennium bug would be prevalent and
could be serious.
---------------------------------------------------------------------------
\3\ Id.
---------------------------------------------------------------------------
Medical device manufacturers must immediately disclose to
the public whether their products are Y2K compliant. Physicians
and other health care providers do not have the expertise or
resources to determine reliably whether the medical equipment
they possess will function properly in the year 2000. Only the
manufacturers have the necessary in-depth knowledge of the
devices they have sold.
Nevertheless, medical device manufacturers have not always
been willing to assist end-users in determining whether their
products are year 2000 compliant. Last year, the Acting
Commissioner of the FDA, Dr. Michael A. Friedman, testified
before the U.S. Senate Special Committee on the Year 2000
Problem that the FDA estimated that only approximately 500 of
the 2,700 manufacturers of potentially problematic equipment
had even responded to inquiries for information. Even when
vendors did respond, their responses frequently were not
helpful. The Department of Veterans Affairs reported last year
that of more than 1,600 medical device manufacturers it had
previously contacted, 233 manufacturers did not even reply and
another 187 vendors said they were not responsible for
alterations because they had merged, were purchased by another
company, or were no longer in business. One hundred two
companies reported a total of 673 models that were not
compliant but should be repaired or updated this year.\4\ Since
July 1998, however, representatives of the manufacturers
industry have met with the Department of Veterans Affairs, the
FDA, the AMA and others to discuss obstacles to compliance and
have promised to do more for the health care industry.
---------------------------------------------------------------------------
\4\ Morrissey, John, and Weissenstein, Eric, ``What's Bugging
Providers,'' Modern Healthcare, July 13, 1998, p. 14. Also, July 23,
1998 Hearing Statement of Dr. Kenneth W. Kizer, Undersecretary for
Health Department of Veterans Affairs, before the U.S. Senate Special
Committee on the Year 2000 Technology Problem.
---------------------------------------------------------------------------
Administrative
Many physicians and medical centers are also increasingly
relying on information systems for conducting medical
transactions, such as communicating referrals and
electronically transmitting prescriptions, as well as
maintaining medical records. Many physician and medical center
networks have even begun creating large clinical data
repositories and master person indices to maintain, consolidate
and manipulate clinical information, to increase efficiency and
ultimately to improve patient care. If these information
systems malfunction, critical data may be lost, or worse--
unintentionally and incorrectly modified. Even an inability to
access critical data when needed can seriously jeopardize
patient safety.
Other administrative aspects of the Y2K problem involve
Medicare coding and billing transactions. In the middle of last
year, HCFA issued instructions through its contractors
informing physicians and other health care professionals that
electronic and paper claims would have to meet Y2K compliance
criteria by October 1, 1998. In September 1998, however, HCFA
directed Medicare carriers and fiscal intermediaries not to
reject or ``return as unprocessable'' any electronic media
claims for non-Y2K compliance until further notice. That notice
came last month. In January 1999, HCFA instructed both carriers
and fiscal intermediaries to inform health care providers,
including physicians, and suppliers that claims received on or
after April 5, 1999, which are not Y2K compliant will be
rejected and returned as unprocessable.
We understand why HCFA is taking this action at this time.
We genuinely hope, however, that HCFA, to the extent possible,
will assist physicians and other health care professionals who
have been unable to achieve Y2K compliance by April 5. We have
been informed that HCFA has decided to grant physicians
additional time, if necessary, for reasonable good faith
exceptions, and we strongly support that decision. Physicians
are genuinely trying to comply with HCFA's Y2K directives. In
fact, HCFA has already represented that 95% of the electronic
bills being submitted by physicians and other Medicare Part B
providers already meet HCFA's Y2K filing criteria. HCFA must
not withhold reimbursement to, in any sense, punish those
relatively few health care professionals who have lacked the
necessary resources to meet HCFA's Y2K criteria. Instead,
physicians and HCFA need to continue to work together to make
sure that their respective data processing systems are
functioning properly for the orderly and timely processing of
Medicare claims data.
We also hope that HCFA's January 1999 instructions are not
creating a double standard. According to the instructions, HCFA
will reject non-Y2K compliant claims from physicians, other
health care providers and suppliers. HCFA however has failed to
state publicly whether Medicare contractors are under the same
obligation to meet the April 5th deadline. Consequently, after
April 5th non-compliant Medicare contractors will likely
continue to receive reimbursement from HCFA while physicians,
other health care providers, and suppliers that file claims not
meeting HCFA's Y2K criteria will have their claims rejected.
This inequity must be corrected.
Medicare administrative issues are of critical importance
to patients, physicians, and other health care professionals.
In one scenario that took place in my home state of Louisiana,
Arkansas Blue Cross & Blue Shield, the Medicare claims
processor for Louisiana, implemented a new computer system--
intended to be Y2K compliant--to handle physicians' Medicare
claims. Although physicians were warned in advance that the
implementation might result in payment delays of a couple of
weeks, implementation problems resulted in significantly longer
delays. For many physicians, this became a real crisis.
Physicians who were treating significant numbers of Medicare
patients immediately felt significant financial pressure and
had to scramble to cover payroll and purchase necessary
supplies.\5\
---------------------------------------------------------------------------
\5\ ``Year 2000 Bug Bites Doctors; Glitch Stymies Payments for
Medicare Work,'' The Times-Picayune, June 6, 1998, page C1.
---------------------------------------------------------------------------
We are encouraging physicians to address the myriad
challenges the Y2K dilemma poses for their patients and their
practices, which include claims submission requirements. The
public remains concerned however that the federal government
may not achieve Y2K compliance before critical deadlines. An
Office of Management and Budget report issued on December 8,
1998, disclosed that the Department of Health and Human
Services is only 49% Y2K compliant.\6\ In a meeting last week,
though, HCFA representatives stated that HCFA has made
significant progress towards Y2K compliance, specifically on
mission critical systems. In any case, we believe that HCFA
should lead by example and have its systems in compliance as
quickly as possible to allow for adequate parallel testing with
physician claims submission software and other health care
professionals. Such testing would also allow for further
systems refinements, if necessary.
---------------------------------------------------------------------------
\6\ ``Clinton Says Social Security is Y2K Ready,'' Los Angeles
Times, December 29, 1998, p. A1. See ``Government Agencies Behind the
Curve on Y2K Issue,'' Business Wire, January 28, 1999 (stating that
Computer Week on November 26, 1998 reported only a 34% Y2K compliance
level for the Department of Health and Human Services).
---------------------------------------------------------------------------
Reimbursement and Implementation of BBA
To shore up its operations, HCFA has stated that it will
concentrate on fixing its internal computers and systems. As a
result, it has decided not to implement some changes required
under the Balanced Budget Act (BBA) of 1997, and it plans to
postpone physicians' payment updates from January 1, 2000, to
about April 1, 2000.
In the AMA's view, the Y2K problem is and has been an
identifiable and solvable problem. Society has known for many
years that the date problem was coming and that individuals and
institutions needed to take remedial steps to address the
problem. There is no justification for creating a situation
where physicians, hospitals and other providers now are being
asked to pay for government's mistakes by accepting a delay in
their year 2000 payment updates.
HCFA has indicated to the AMA that the delay in making the
payment updates is not being done to save money for the
Medicare Trust Funds. In addition, the agency has said that the
eventual payment updates will be conducted in such a way as to
fairly reimburse physicians for the payment update they should
have received. In other words, the updates will be adjusted so
that total expenditures in the year 2000 on physician services
are no different than if the updates had occurred on January 1.
We are pleased that HCFA has indicated a willingness to
work with us on this issue. But we have grave concerns about
the agency's ability to devise a solution that is equitable and
acceptable to all physicians.
Also, as it turns out, the year 2000 is a critical year for
physicians because several important BBA changes are scheduled
to be made in the resource-based relative value scale (RBRVS)
that Medicare uses to determine physician payments. This
relative value scale is comprised of three components: work,
practice expense, and malpractice expense. Two of the three--
practice expense and malpractice--are due to undergo
Congressionally-mandated modifications in the year 2000.
In general, the practice expense changes will have
different effects on the various specialties. Malpractice
changes, to some modest degree, would offset the practice
expense redistributions. To now delay one or both of these
changes will have different consequences for different medical
specialties and could put HCFA at the eye of a storm that might
have been avoided with proper preparation.
To make matters worse, we also are concerned that delays in
Medicare's reimbursement updates could have consequences far
beyond the Medicare program. Many private insurers and state
Medicaid agencies base their fee-for-service payment systems on
Medicare's RBRVS. Delays in reimbursement updates caused by
HCFA may very well lead other non-Federal payers to follow
Medicare's lead, resulting in a much broader than expected
impact on physicians.
Current Level of Preparedness
Assessing the status of the year 2000 problem is difficult
not only because the inventory of the information systems and
equipment that will be affected is far from complete, but also
because the consequences of noncompliance for each system
remain unclear. Nevertheless, if the studies are correct,
malfunctions in noncompliant systems will occur and equipment
failures can surely be anticipated. The analyses and surveys
that have been conducted present a rather bleak picture for the
health care industry in general, and physicians' practices in
particular.
The Odin Group, a health care information technology
research and advisory group, for instance, found from a survey
of 250 health care managers that many health care companies by
the second half of last year still had not developed Y2K
contingency plans.\7\ The GartnerGroup has similarly concluded,
based on its surveys and studies, that the year 2000 problem's
``effect on health care will be particularly traumatic . . .
[l]ives and health will be at increased risk. Medical devices
may cease to function.'' \8\ In its report, it noted that most
hospitals have a few thousand medical devices with
microcontroller chips, and larger hospital networks and
integrated delivery systems have tens of thousands of devices.
---------------------------------------------------------------------------
\7\ ``Health Care Not Y2K-Ready--Survey Says Companies
Underestimate Need For Planning; Big Players Join Forces,''
InformationWeek, January 11, 1999.
\8\ GartnerGroup, Kenneth A. Kleinberg, ``Healthcare Worldwide Year
2000 Status,'' July 1998 Conference Presentation, p. 2 (hereinafter,
GartnerGroup).
---------------------------------------------------------------------------
Based on early testing, the GartnerGroup also found that
although only 0.5-2.5 percent of medical devices have a year
2000 problem, approximately 5 percent of health care
organizations will not locate all the noncompliant devices in
time.\9\ It determined further that most of these organizations
do not have the resources or the expertise to test these
devices properly and will have to rely on the device
manufacturers for assistance.\10\
---------------------------------------------------------------------------
\9\ Id. at p. 8.
\10\ Id.
---------------------------------------------------------------------------
As a general assessment, the GartnerGroup concluded that
based on a survey of 15,000 companies in 87 countries, the
health care industry remains far behind other industries in its
exposure to the year 2000 problem.\11\ Within the health care
industry, the subgroups which are the furthest behind and
therefore at the highest risk are ``medical practices'' and
``in-home service providers.'' \12\ The GartnerGroup
extrapolated that the costs associated with addressing the year
2000 problem for each practice group will range up to $1.5
million per group.\13\
---------------------------------------------------------------------------
\11\ Id. at p. 10.
\12\ Id. at p. 13.
\13\ Id.
---------------------------------------------------------------------------
Remediation Efforts--AMA's Efforts
We believe that through a united effort, the medical
profession in concert with federal and state governments can
dramatically reduce the potential for any adverse effects
within the medical community resulting from the Y2K problem.
For its part, the AMA has been devoting considerable resources
to assist physicians and other health care providers in
learning about and correcting the problem.
For nearly a year, the AMA has been educating physicians
through two of its publications, AMNews and the Journal of the
American Medical Association (JAMA). AMNews, which is a
national news magazine widely distributed to physicians and
medical students, has regularly featured articles over the last
twelve months discussing the Y2K problem, patient safety
concerns, reimbursement issues, Y2K legislation, and other
related concerns. JAMA, one of the world's leading medical
journals, will feature an article written by the Administrator
of HCFA, explaining the importance for physicians to become Y2K
compliant. The AMA, through these publications, hopes to raise
the level of consciousness among physicians of the potential
risks associated with the year 2000 for their practices and
patients, and identify avenues for resolving some of the
anticipated problems.
The AMA has also developed a national campaign entitled
``Moving Medicine Into the New Millennium: Meeting the Year
2000 Challenge,'' which incorporates a variety of educational
seminars, assessment surveys, promotional information, and
ongoing communication activities designed to help physicians
understand and address the numerous complex issues related to
the Y2K problem. The AMA is currently conducting a series of
surveys to measure the medical profession's state of readiness,
assess where problems exist, and identify what resources would
best reduce any risk. The AMA already has begun mailing the
surveys, and we anticipate receiving responses in the near
future. The information we obtain from this survey will enable
us to identify which segments of the medical profession are
most in need of assistance, and through additional timely
surveys, to appropriately tailor our efforts to the specific
needs of physicians and their patients. The information will
also allow us to more effectively assist our constituent
organizations in responding to the precise needs of other
physicians across the country.
One of the many seminar series the AMA sponsors is the
``Advanced Regional Response Seminars'' program. We are holding
these seminars in various regions of the country and providing
specific, case-study information along with practical
recommendations for the participants. The seminars also provide
tips and recommendations for dealing with vendors and explain
various methods for obtaining beneficial resource information.
Seminar participants receive a Y2K solutions manual, entitled
``The Year 2000 Problem: Guidelines for Protecting Your
Patients and Practice.'' This seventy-five page manual, which
is also available to hundreds of thousands of physicians across
the country, offers a host of different solutions to Y2K
problems that physicians will likely face. It raises
physicians' awareness of the problem, year 2000 operational
implications for physicians' practices, and identifies numerous
resources to address the issue.
In addition, the AMA has opened a web site (URL: www.ama-
assn.org) to provide the physician community additional
assistance to better address the Y2K problem. The site serves
as a central communications clearinghouse, providing up-to-date
information about the millennium bug, as well as a special
interactive section that permits physicians to post questions
and recommended solutions for their specific Y2K problems. The
site also incorporates links to other sites that provide
additional resource information on the year 2000 problem.
On a related note, the AMA in early 1996 began forming the
National Patient Safety Foundation or ``NPSF.'' Our goal was to
build a proactive initiative to prevent avoidable injuries to
patient in the health care system. In developing the NPSF, the
AMA realized that physicians, acting alone, cannot always
assure complete patient safety. In fact, the entire community
of providers is accountable to our patients, and we all have a
responsibility to work together to fashion a systems approach
to identifying and managing risk. It was this realization that
prompted the AMA to launch the NPSF as a separate organization,
which in turn partnered with other health care organizations,
health care leaders, research experts and consumer groups from
throughout the health care sector.
One of these partnerships is the National Patient Safety
Partnership (NPSP), which is a voluntary public-private
partnership dedicated to reducing preventable adverse medical
events and convened by the Department of Veterans Affairs.
Other NPSP members include the American Hospital Association,
the Joint Commission on Accreditation of Healthcare
Organizations, the American Nurses Association, the Association
of American Medical Colleges, the Institute for Healthcare
Improvement, and the National Patient Safety Foundation at the
AMA. The NPSP has made a concerted effort to increase awareness
of the year 2000 hazards that patients relying on certain
medical devices could face at the turn of the century.
Recommendations
As an initial step, we recommend that the Administration or
Congress work closely with the AMA and other health care
leaders to develop a uniform definition of ``compliant'' with
regard to medical equipment. There needs to be clear and
specific requirements that must be met before vendors are
allowed to use the word ``compliant'' in association with their
products. Because there is no current standard definition, it
may mean different things to different vendors, leaving
physicians with confusing, incorrect, or no data at all.
Physicians should be able to spend their time caring for
patients and not be required to spend their time trying to
determine the year 2000 status of the numerous medical
equipment vendors with whom they work.
We further suggest that both the public and private sectors
encourage and facilitate health care practitioners in becoming
more familiar with year 2000 issues and taking action to
mitigate their risks. Greater efforts must be made in educating
health care consumers about the issues concerning the year
2000, and how they can develop Y2K remediation plans, properly
test their systems and devices, and accurately assess their
exposure. We recognize and applaud the efforts of this
Committee, the Congress, and the Administration in all of your
efforts to draw attention to the Y2K problem and the medical
community's concerns.
We also recommend that communities and institutions learn
from other communities and institutions that have successfully
and at least partially solved the problem. Federal, state and
local agencies as well as accrediting bodies that routinely
address public health issues and disaster preparedness are
likely leaders in this area. At the physician level, this means
that public health physicians, including those in the military,
organized medical staff, and medical directors, will need to be
actively involved for a number of reasons. State medical
societies can help take a leadership role in coordinating such
assessments.
We also must stress that medical device and software
manufacturers need to publicly disclose year 2000 compliance
information regarding products that are currently in use. Any
delay in communicating this information may further jeopardize
practitioners' efforts at ensuring compliance. A strategy needs
to be developed to more effectively motivate all manufacturers
to promptly provide compliance status reports. Additionally,
all compliance information should be accurate, complete,
sufficiently detailed and readily understandable to physicians.
We suggest that the Congress and the federal government enlist
the active participation of the FDA or other government
agencies in mandating appropriate reporting procedures for
vendors. We highly praise the Department of Veteran Affairs,
the FDA, and others who maintain Y2K web sites on medical
devices and offer other resources, which have already helped
physicians to make initial assessments about their own
equipment.
We are aware that the ``Year 2000 Information and Readiness
Disclosure Act'' was passed and enacted into law last year, and
is intended to provide protection against liability for certain
communications regarding Y2K compliance Although the AMA
strongly believes that information must be freely shared
between manufacturers and consumers, we continue to caution
against providing liability caps to manufacturers in exchange
for the Y2K information they may provide, for several reasons.
First, as we have stated, generally vendors alone have the
information about whether their products were manufactured to
comply with year 2000 data. These manufacturers should disclose
that information to their consumers without receiving an undue
benefit from a liability cap.
Second, manufacturers are not the only entities involved in
providing medical device services, nor are they alone at risk
if an untoward event occurs. When a product goes through the
stream of commerce, several other parties may incur some
responsibility for the proper functioning of that product, from
equipment retailers to equipment maintenance companies. Each of
these parties, including the end-user--the physician--will
likely retain significant liability exposure if the device
malfunctions because of a Y2K error. However, none of these
parties will typically have had sufficient knowledge about the
product to have prevented the Y2K error, except the device
manufacturer. To limit the manufacturer's liability exposure
under these circumstances flies in the face of sound public
policy.
We also have to build redundancies and contingencies into
the remediation efforts as part of the risk management process.
Much attention has been focused on the vulnerability of medical
devices to the Y2K bug, but the problem does not end there.
Patient injuries can be caused as well by a hospital elevator
that stops functioning properly. Or the failure of a heating/
ventilation/air conditioning system. Or a power outage. The
full panoply of systems that may break down as our perception
of the scope of risk expands may not be as easily delineated as
the potential problems with medical devices. Building in back-
up systems as a fail-safe for these unknown or more diffuse
risks is, therefore, absolutely crucial.
As a final point, we need to determine a strategy to notify
patients in a responsible and professional way. If it is
determined that certain medical devices may have a problem
about which patients need to be notified, this needs to be
anticipated and planned. Conversely, to the extent we can
reassure patients that devices are compliant, this should be
done. Registries for implantable devices or diagnosis-or
procedure-coding databases may exist, for example, which could
help identify patients who have received certain kinds of
technologies that need to be upgraded and/or replaced or that
are compliant. This information should be utilized as much as
possible to help physicians identify patients and communicate
with them.
As we approach the year 2000 and determine those segments
of the medical industry which we are confident will weather the
Y2K problem well, we will all need to reassure the public. We
need to recognize that a significant remaining concern is the
possibility that the public will overreact to potential Y2K-
related problems. The pharmaceutical industry, for instance, is
already anticipating extensive stockpiling of medications by
individuals and health care facilities. In addition to
continuing the remediation efforts, part of our challenge
remains to reassure patients that medical treatment can be
effectively and safely provided through the transition into the
next millennium.
Conclusion
We appreciate the Committee's interest in addressing the
problems posed by the year 2000, and particularly, those
problems that relate to physicians. Because of the broad scope
of the millennium problem and physicians' reliance on
information technology, we realize that the medical community
has significant exposure. The Y2K problem will affect patient
care, practice administration, and Medicare/Medicaid
reimbursement. The AMA, along with the Congress and other
organizations, seeks to better educate the health care
community about Y2K issues, and assist health care
practitioners in remedying, or at least reducing the impact of,
the problem. The public and private sectors must cooperate in
these endeavors, while encouraging the dissemination of
compliance information.
Chairman Archer. Thank you, Doctor.
Our next witness is Mr. Curtis Lord. And if you'll identify
yourself for the record, you may proceed?
STATEMENT OF CURTIS LORD, CHIEF EXECUTIVE OFFICER, FIRST COAST
SERVICE OPTIONS, BLUE CROSS AND BLUE SHIELD ASSOCIATION OF
FLORIDA, ON BEHALF OF BLUE CROSS AND BLUE SHIELD ASSOCIATION
Mr. Lord. Thank you, Mr. Chairman and Members of the
Committee, for the opportunity to testify today. I'm Curtis
Lord, chief executive officer, First Coast Service Options, a
subsidiary of Blue Cross and Blue Shield of Florida. I'm here
on behalf of the Blue Cross and Blue Shield Association.
For more than 30 years, Blue Cross and Blue Shield plans
have partnered with the government to handle the day to day
work of paying Medicare claims accurately and timely. We are
extremely proud of our role as Medicare contractors and the
impressive performance record we've achieved.
My testimony today focuses on three areas: our progress to
assure that Y2K computer adjustments are made correctly and on
time; why new contractor reforms are unwise; and the critical
need for stable and adequate funding for all contractor
operations.
First, Y2K readiness is a top priority for Medicare
contractors. I'm pleased to report we are making excellent
progress toward ensuring that our mission-critical Medicare
payment systems are millennium ready. HCFA has reported that as
of December 31, 1998, all 78 contractor systems were fully
renovated and 54 had self-certified with acceptable
qualifications. According to HCFA, the remaining contractors
are on target to self-certify by March 31, 1999.
We are working closely with HCFA and our external vendors
to make sure that all qualifications to our certifications are
resolved during the first quarter of the year. Additionally,
because Medicare systems are not static, we will continue
testing during 1999 in order to re-certify their readiness by
November the 1st.
Let me now describe for you the efforts my company has made
to become Y2K ready. We began preparing for Y2K readiness in
1997 with the formation of a Y2K project team and the creation
of a comprehensive Y2K readiness plan. In accordance with our
plan, we inventoried software and hardware, reviewed our
telecommunications environments, assessed and renovated codes,
upgraded hardware to make it Y2K compliant and established a
simulated production environment. We then ran test cases or
test claims through the entire claims processing system to
ensure that the system processes the claims with the same
result both before and after the Y2K renovation. We tested over
12,000 claims using eight key dates that span from late
December 1999 through March 1, 2000. Based on the results of
these tests, we were able to certify that the mission-critical
systems we maintain are Y2K compliant as of December 31, 1998.
This year we will continue all levels of testing and plan
to test an additional 10,000 claims before re-certifying
compliance to HCFA by November 1. This will include additional
tests with providers who submit claims electronically to assure
that they can submit bills to us and that we can receive them
and provide remittance advice and payment.
And, importantly, although we don't expect failure, we are
developing and will test extensive contingency plans designed
to help us prepare for potential problems and restore normal
service in the most timely and cost-effective manner.
Overall, we will involve hundreds of our staff and spend
approximately $9.4 million ensuring our Medicare carrier and
intermediary operations are Y2K ready.
Although there is still much to be done, significant and
steady progress has been made. We are confident that Medicare
contractors will be ready to pay claims properly on and beyond
January 1, 2000. Our objective is to ensure that beneficiaries
and providers continue to receive the excellent customer
service they expect and deserve.
Second, HCFA is again proposing legislation to dramatically
restructure the Medicare contracting process. This legislation
would permit HCFA to fragment the functions of current
contractors. Mr. Chairman, we do not believe this is a wise
strategy for a number of reasons, not the least of which is
that it could impede contractors' progress toward Y2K
readiness. We believe the most effective manner to improve
Medicare administration is to set appropriate performance
standards for contractors, enforce them, and terminate the
contracts of those not performing at the required levels.
The last point I would like to make is that stable and
adequate funding is absolutely critical to achieve excellence
in performance. While the additive MIP funding provided by this
Committee in 1996 is helping us strengthen our efforts to fight
fraud and abuse, funding for the larger majority of contractor
operations remains subject to the annual appropriations process
and the tight budget limits that apply to those funds. We
believe that finding a reliable and stable funding source for
all Medicare contractor operations is imperative and would like
to work with both HCFA and this Committee to assure that the
contractors receive the administrative resources necessary to
manage Medicare effectively.
Thank you. I would be happy to answer any questions the
Committee may have.
[The prepared statement follows:]
Statement of Curtis Lord, Chief Executive Officer, First Coast Service
Options, Blue Cross and Blue Shield Association, of Florida, on behalf
of Blue Cross and Blue Shield Association
Mr. Chairman and Members of the Committee, I am Curtis
Lord, CEO of First Coast Service Options, a subsidiary of Blue
Cross and Blue Shield of Florida. I am testifying on behalf of
the Blue Cross and Blue Shield Association, the organization
representing 52 independent Blue Cross and Blue Shield Plans
throughout the nation who provide health coverage to over 70
million people.
I appreciate the opportunity to testify before you today to
report on the excellent progress Blue Cross and Blue Shield
Plans are making to assure Medicare systems will function
properly in 2000.
The Medicare program is administered through a successful
partnership between the private industry and the Health Care
Financing Administration (HCFA). Since 1965, Blue Cross and
Blue Shield Plans have played a leading role in administering
the program. They have contracted with the federal government
to handle much of the day-to-day work of paying Medicare claims
accurately and in a timely manner.
Nationally, Blue Cross and Blue Shield Plans process over
90 percent of Medicare Part A claims and about 67 percent of
all Part B claims. At BCBS of Florida, we process about 5
million Part A claims and 50 million Part B claims each year.
Responsibilities of Medicare Contractors
Medicare contractors have four major areas of
responsibility:
1. Paying claims: Medicare contractors process all the
bills for the traditional Medicare fee-for-service program. In
FY 2000, it is estimated that contractors will process over 900
million claims, more than 3.5 million every working day.
2. Providing Beneficiary and Provider Customer Services:
Contractors are the main point of routine contact with the
Medicare program for both beneficiaries and providers.
Contractors educate beneficiaries and providers about Medicare
and respond to about 40 million inquiries annually.
3. Handling Appeals for Payment: Contractors handled more
than 7 million hearings and appeals for reconsideration of
initial payment determinations last year. In FY 2000, HCFA
expects the cost of processing appeals and hearings to rise by
ten percent.
4. Fighting Medicare Fraud, Waste and Abuse: Contractors
saved $8 billion in 1997--yielding $17 in Medicare savings for
every $1 invested from activities to review claims--by assuring
services are medically necessary and by detecting possible
fraud and abuse.
We are extremely proud of our role as Medicare contractors.
Contractors are:
Cost-effective--operating on administrative
budgets that represent only 1 percent of Medicare benefit
payments.
Efficient--having a track record of quickly and
accurately implementing major programmatic changes under
extremely tight time frames; and
On the first line of defense against fraud and
abuse--aggressively fighting Medicare fraud and abuse with
additional funding provided by this Committee in 1996 for the
Medicare Integrity Program (MIP). BCBSA had long urged Congress
to appropriate increased funding for these efforts. We are now
seeing the positive impact of enhanced contractor efforts. Just
this month, the HHS Inspector General reported a 45 percent
reduction in Medicare overpayments since 1996.
My testimony today focuses on three areas:
I. Our progress to assure that Year 2000 computer
adjustments are made correctly and on time;
II. Why new contractor reforms are unwise and could
jeopardize our efforts to fight fraud and abuse; and
III. The critical need for stable and adequate funding for
all contractor operations.
I. Progress on Efforts to Assure Year 2000 Readiness
Year 2000 readiness is a top priority for Medicare
contractors. Medicare contractors are making excellent progress
to ensure Medicare payment systems are renovated and tested for
millennium readiness. HCFA has reported that, as of December
31, 1998, all 78 contractors' systems were fully renovated and
54 had self-certified with acceptable qualifications. According
to HCFA, the remaining contractors are on target to self-
certify by March 31, 1999. We are working closely with HCFA and
with our external vendors to make sure that all qualifications
are resolved.
While Plans have made significant progress, much remains to
be done in 1999. Contractors are reporting to HCFA weekly on
the resolution of any self-certification qualifications.
Additionally, because Medicare systems are not static,
contractors will continue testing during 1999 in order to
recertify their readiness by November 1, 1999. The objective is
to ensure that all Medicare systems will operate successfully
in future years without exception. Toward this end, all
Medicare systems must be completely renovated, tested, and
implemented.
In addition to testing, contractors are focusing on
contingency plans and the readiness preparation of the provider
communities. Contingency plans, which will also be completed by
March 31, 1999, are designed to ensure business continuance,
minimize any disruptions, and expedite solutions of any Y2K
associated problems that may arise. Based on HCFA guidance,
contractors are developing contingency plans for a minimum of
two possible situations: (1) a 150 to 200 percent increase in
the submission of paper claims; and (2) a lack of access to the
Medicare beneficiary eligibility database known as the common
working file. To ensure their contingency plan's feasibility,
contractors are developing their plans in conjunction with
their Y2K testing to identify the areas that are most
susceptible to Y2K errors. These contingency plans will be
tested by June 30, 1999.
Provider readiness is a major issue for HCFA and for
contractors. Last December, HCFA made available to all Medicare
providers support materials intended to assist them in becoming
Y2K ready. In addition, HCFA sent a letter to providers on
January 12, 1999, advising them that they needed to become Y2K
compliant. The letter included a sample Provider Y2K Readiness
Checklist as well as the website addresses where information
was available.
HCFA has asked contractors to work with providers to help
them become Y2K compliant. Contractors have conducted numerous
outreach efforts, including holding seminars and briefings on
Y2K readiness, and mailing bulletins and newsletters to
providers stressing the importance of becoming Y2K ready. To
help providers become compliant, contractors supply Y2K
compliant billing software to providers at their request free
of charge. Contractors also are conducting systems tests with
providers to ensure readiness.
Let me describe for you the efforts my company has made to
become ready. We began planning for Y2K renovation in 1997 with
the goal of paying or denying Medicare claims correctly on and
after January 1, 2000. By December 31, 1998, we had inventoried
software and hardware, reviewed the LAN and WAN environments,
assessed millions of lines of code, renovated code, retired
modules, upgraded hardware to make it Y2K compliant, tested
each module, and established a simulated production
environment.
We then ran test cases--test claims--through the entire
claims processing system to ensure that the system processes
the claims, with the same result, both before and after the Y2K
renovation. This is a full simulation of production. We want to
be sure that all steps in the process are capable of supporting
business after 2000. We tested over 12,000 claims using 8
different dates that spanned late December 1999 to early
January 2000, and February 28 through March 1, 2000. Based on
the results of these tests, we were able to certify Y2K
compliance to HCFA as of December 31, 1998.
This year, we will continue all levels of testing, and plan
to test an additional 10,000 claims and recertify compliance to
HCFA by November 1. It is critically important that all changes
from HCFA be completely tested. We will test with providers who
submit bills electronically to assure that they can submit
claims to us, and that we can receive them and provide
remittance advice. And, importantly, although we don't expect
failure, we are developing and testing contingency plans for
all mission critical applications and business partners.
We have 25 people devoted full-time to the Y2K project.
Dozens of additional people supported Y2K testing in 1998 on a
part-time basis. These numbers will increase to hundreds of
people as recertification testing and contingency planning
testing and rehearsals reach intense levels in mid-1999.
BCBSA Efforts with HCFA to Ensure Y2K Readiness
BCBSA and Medicare contractors have been working closely
with HCFA on readiness issues. Last year, BCBSA worked with
HCFA to find an agreeable contract amendment related to Year
2000 compliance. Although there was some disagreement over the
language of the contract amendment that HCFA originally sent us
to sign, I would like to clarify that at no time did
contractors refuse to become Y2K ready. BCBSA had several
concerns with the amendment because it would have required
contractors to assume liability for compliance of all vendors
(e.g., financial institutions, facilities managers who control
elevator programming, etc.) and face civil monetary penalties.
HCFA acknowledged that it had drafted the amendment too broadly
and agreed to work with contractors to rewrite the amendment.
In addition, BCBSA worked with HCFA to develop a formal
process to assure regular communication on Y2K issues. In
response to a BCBSA recommendation, HCFA established a steering
committee chaired by HCFA's chief information officer and vice-
chaired by BCBSA. I serve on this committee. The operation of
the steering committee has facilitated very constructive and
useful dialogue between contractors and HCFA about Year 2000
compliance.
The committee has met with the HCFA Administrator and meets
monthly with many of the agency's key directors and other top
management staff. HCFA credits its progress in meeting the Y2K
challenge in large part due to the outstanding effort and
commitment of HCFA staff and the contractors. We look forward
to continuing these cooperative efforts with HCFA.
In reviewing the issues related to Year 2000 readiness, the
committee should be aware of three additional issues that have
made Year 2000 readiness activities challenging:
Significant Change in Direction: Originally, many
of the system changes that were necessary for readiness would
have been accomplished by the conversion of all Medicare
contractors to the Medicare Transaction System (MTS). As you
know, the MTS initiative was terminated in 1997. As a result,
contractors have been required to make significant changes
that, in the absence of the MTS initiative, they would have
been working on for a long time.
Transition to New Standard Systems: Instead of
converting to the MTS system, HCFA had directed contractors to
transition to a single Part A and a single Part B system. In
some cases, this conversion to different systems would have
diluted experienced contractor and HCFA staff from focusing on
critical millennium readiness activities. As a result, HCFA
approved a request by several contractors to delay transition
requirements so they could focus on Year 2000 issues.
Numerous and Broad Programmatic Demands: HCFA
already has said that it will not be able to implement all of
the BBA requirements because of the need to concentrate on Year
2000 efforts. We continue to recommend to HCFA that as many
non-Year 2000 system changes as possible should be removed from
contractor workloads so that experienced technical resources
can be devoted to assuring Year 2000 readiness.
This is even more critical now as we work on the testing
and retesting phase of our readiness efforts. Every time a
change in a system is introduced (e.g., a change in the Part A
deductible, updated physician or hospital payment rates, etc.),
each contractor must retest their entire system to make sure
the new changes are compatible with Y2K.
II. Contractor Reform is Not Necessary
HCFA's FY 2000 budget once again includes a legislative
proposal to dramatically restructure the Medicare contracting
process. This effort to make broad changes in contract
authority is not a new initiative. For several years, HCFA has
been seeking contractor reform legislation to give the agency
broad authority to fragment the functions of current
contractors. While we have not yet seen the details of this
current proposal, our understanding is that it is similar to
previous legislation.
We believe that contractor reform provisions are unwise and
unnecessary for the following reasons:
1. It could jeopardize services to beneficiaries and
providers: HCFA's proposal would eliminate the requirement that
Medicare contractors have experience working with the Medicare
program and would not even require that entities be familiar
with health claims processing. Allowing HCFA to contract with
organizations unfamiliar with Medicare's intricate payment
methodologies could reduce payment accuracy, delay payments to
providers, and reduce the quality of service providers and
beneficiaries expect.
2. It could undermine HCFA's efforts to administer its
other initiatives effectively: Potentially, HCFA would have to
manage many new contractors for claims processing services with
entities unfamiliar with Medicare. These new contracts would
require strict management by HCFA at a time when HCFA has many
other new responsibilities, including BBA and HIPAA. With these
other large workloads, we believe the agency does not have the
resources, staff, or expertise to implement this type of new
procurement activity.
3. It is based on an untested Medicare Integrity Program:
HCFA has just begun to implement the new contracting provisions
for the Medicare Integrity Program (MIP). As of yet, no
contracts have been awarded. Moreover, HCFA's strategy to split
the MIP functions from the Program Management (PM) functions in
Medicare is not yet tested. Due to the historical and
functional integration of claims processing, customer service,
and fraud and abuse activities, separating PM and MIP functions
could jeopardize future fraud and abuse detection. PM and MIP
are not autonomous services, and require constant coordination
and communication in a rapidly changing Medicare program.
Further authority for HCFA to significantly revise contracting
relationships is premature.
I would also call your attention to the HHS Inspector
General's recommendations in the CFO report. The IG is
specifically concerned that instability of Medicare contractors
could reduce the ability to fight Medicare fraud and abuse.
Given the recent improvements in fighting fraud and the
significant programmatic challenges ahead, it simply does not
make sense to pursue an unnecessary restructuring of the
program.
4. It would place Medicare contractors under legislative
constraints that exceed other government contractors: For
example, the legislation eliminates the requirement that HCFA
pay termination costs to contractors that leave the Medicare
program. This provision would make Medicare contracts different
than any other type of government contract, including defense
contracts. The Federal Acquisition Regulations (FAR) require
that the government pay contractors reasonable termination
costs. There is no basis to treat Medicare contractors
differently.
5. HCFA's proposals could impede contractors' progress to
become Y2K ready: At this point, HCFA's proposal would not
improve the Year 2000 problem and, in fact, could make it much
worse. Contractors unfamiliar with the Medicare program would
have the added burden of having to learn its extremely complex
rules and regulations while simultaneously working to achieve
millennium readiness. Moreover, the testing requirements for
contractor certification are extremely complex given the number
of links contractors have with external systems (e.g., HCFA,
banks, providers, etc.). It is highly unlikely that HCFA would
be able to identify a new contractor that could meet the
certification requirements.
Finally, contractor reform is unnecessary to ensure the
quality of Medicare contractors. HCFA currently has the
authority to replace or terminate contractors for poor
performance.
HCFA has claimed this proposal would increase the cost
effectiveness of contractor operations. However, this
legislation has no positive effect on the budget. It does not
reduce expenditures for Medicare contractors. More importantly,
inexperienced contractors may be more apt to make improper
payments, which could further threaten the solvency of the
trust funds.
Success in Medicare claims administration requires that
HCFA and the contractors work together toward their mutual goal
of accurate and timely claims payment. This partnership should
extend to planning the future of Medicare contract
administration. We believe the most effective manner to proceed
in strengthening Medicare administration is to raise
performance standards, aggressively enforce them, and terminate
the contracts of those not performing at the required level.
III. Stable and Adequate Funding is Critical
As Medicare's first line of defense against fraud and
abuse, Medicare contractors require adequate funding in order
to meet the demands of the program and to effectively combat
fraud and abuse.
The President's FY 2000 budget proposes $1.27 billion for
Medicare contractors, virtually the same funding level as 1999.
Given the following, this budget represents a cut to contractor
funding compared to FY 1999:
1. User Fees: Of the $1.27 billion proposed for
contractors, $93 million is dependent on proposed new user fees
from providers, which have previously been rejected by this
Committee. Failure to authorize the user fee could mean a $93
million cut for contractors.
2. Y2K: The President's budget does request $150 million in
addition to the $1.27 billion for HCFA millennium readiness. It
is unclear, at this point, whether or how much of these
proposed funds would be made available for Medicare
contractors' Y2K needs.
3. BBA and HIPAA: Additional funds will be needed to cover
a significantly greater workload next year, including:
Implementing BBA provisions, including new
prospective payment systems for inpatient rehabilitation
facilities and outpatient hospital care.
Implementing HIPAA administrative simplification
provisions, including the national payer identifier initiative
and the development of transaction and security standards for
electronic processing of claims.
Adequate funding also is critical to maintain anti-fraud
efforts and to prevent further service reductions to
beneficiaries and providers. An independent study commissioned
by BCBSA last year indicates that contractor funding will be
significantly strained by the increased anti-fraud and abuse
detection efforts under the newly enacted MIP. The report shows
that every 10 percent increase in MIP funding will result in a
$13 million increase in contractor costs due to increased
appeals, inquiries, and hearings.
Additionally, a letter published in a recent Health Affairs
journal, signed by 14 health policy experts, stressed the need
for more Medicare administrative funding. Specifically, the
letter stated that ``HCFA's ability to provide assistance to
beneficiaries, monitor the quality of provider services, and
protect against fraud and abuse has been increasingly
compromised by the failure to provide the agency with adequate
administrative resources.''
We believe that finding a reliable and stable funding
source for Medicare contractors is critical. In the President's
budget, HCFA indicated a willingness to explore alternative
funding options for Medicare administrative activities. We
support HCFA's efforts and would like to work with HCFA and
Congress to move toward a stable and reliable funding source.
Conclusion
Let me reiterate that Medicare contractors are working
diligently to become millennium ready. This is a monumental
task, and we will face a number of challenges as we complete
it. Medicare contractors are committed to meeting these
challenges just as they have done in the past.
Congress should reject HCFA's request to legislate far-
reaching changes to the Medicare contractor program. Contractor
reform raises fundamental issues and implications for the
Medicare program. In fact, contractor reform would introduce
change, confusion, and diversion of resources at a time when
experience and focus is important. Alternatively, HCFA should
tell contractors exactly what standards they want contractors
to meet. Let contractors meet these standards; otherwise, HCFA
can terminate our contracts.
Finally, given the importance of Medicare to its
beneficiaries, providers, and the nations' economy, it is
critical that the administrative resources necessary to manage
the program effectively be provided.
Chairman Archer. Thank you, Mr. Lord.
Ms. Archer, if you'll identify yourself for the record, you
may proceed?
STATEMENT OF DIANE ARCHER, EXECUTIVE DIRECTOR, MEDICARE RIGHTS
CENTER, NEW YORK, NEW YORK
Ms. Diane Archer. My name is Diane Archer. I'm the
executive director of the Medicare Rights Center, a national
not-for-profit organization based in New York. The Medicare
Rights Center helps seniors and people with disabilities on
Medicare through telephone counseling, public education, and
public policy work. I thank you for this opportunity to testify
today.
We recognize that the U.S. Government and corporate America
are taking Y2K issues seriously, and we hope their efforts will
result in a smooth transition to the year 2000 for everyone on
Medicare. But we do have concerns that people on Medicare could
face serious healthcare access problems.
First, at the Federal level, our foremost concern is
healthcare access for the 6.6 million seniors and people with
disabilities in Medicare HMOs. HCFA is working hard to ensure
that its own systems are Y2K compliant. But HCFA cannot
guarantee that Medicare HMOs will be Y2K compliant. As you
know, unlike original Medicare, most HMOs require prior
authorization for specialty care. Unless the Medicare HMOs are
Y2K compliant, we could see a significant increase in the
number of people on Medicare who because of system failures
can't get authorization for the care they need with potentially
devastating consequences.
Consider this potential scenario: it is February 2000 and a
Medicare HMO enrollee goes to the hospital with stomach pains.
The doctor calls the HMO requesting approval to perform a
Medicare-covered procedure to alleviate the pain. The HMO
doesn't have the systems in place to find the patient's name on
its database or can't use the computer to determine whether the
service is covered and therefore doesn't give authorization. As
a result, the woman does not get the care she needs.
We are concerned about how HCFA protects people in Medicare
HMOs when they can't get care because of Y2K system failures
and how it holds these HMOs accountable. What tools does HCFA
have at its disposal to ensure that HMOs provide people on
Medicare with the care they need?
HCFA has taken a strong first step in requiring all of its
contractors to submit Y2K compliance forms. But, as you know,
these statements are not admissible in a court of law.
We also wonder what advice we should be giving our clients
about joining a Medicare HMO or other Medicare private health
plan in November 1999 to begin on January 1, 2000. Should we
advise people to secure an affidavit of Y2K compliance from
their HMOs that's legally admissible in a court of law or
should we recommend that they withdraw from their Medicare HMOs
for the 3 month period between December 1999 and February 2000
if they wish to avoid the risk of not getting the care they
need because of HMO system failures? If not, we wonder how
seniors and people with disabilities can protect themselves?
We recommend that HCFA set up a special hotline for people
to call if they're denied access to care because of Y2K
problems. We also urge that some mention of Y2K access to care
issues be included in the Medicare and You handbook.
But the Y2K issue brings to the surface the Federal
Government's limited ability to ensure that people on Medicare
get the healthcare they need from the private health plans that
contract with HCFA.
At the State level, we're concerned that system failures
caused by inadequate preparation for Y2K on the part of local
Medicaid and Social Security offices will slow down or
undermine the application process for programs that pay
Medicare premiums and co-insurance for people with low-incomes.
HCFA should institute a system to ensure that the Social
Security Administration does not wrongly drop these people from
Medicare because of Y2K system failures at State Medicaid
offices.
Finally, at the individual level, it's critical that those
people on Medicare who rely on prescription drugs and computer
chip driven medical equipment keep getting the medicine and
equipment they need without interruption when the year 2000
begins. We recommend that HCFA should sponsor a series of
public service announcements telling people on Medicare, their
friends and family members that they should speak with their
doctors and pharmacies to ensure availability of their
prescription during the transition to the year 2000. And that
if they use a medical device, they should check with their
doctor or supplier in advance to make sure that the equipment
is Y2K compliant.
It's our job as professionals who work closely with seniors
and people with disabilities on Medicare to educate our clients
on how to get the care they need when they need it. We hope
that Congress and HCFA will do whatever possible to make sure
that people on Medicare keep getting the care they need in the
new millennium.
Thank you. I'll be happy to answer questions.
[The prepared statement follows:]
Statement of Diane Archer, Executive Director, Medicare Rights Center,
New York, New York
My name is Diane Archer. I am the Executive Director of the
Medicare Rights Center, a national not-for-profit organization
based in New York City. MRC helps seniors and people with
disabilities on Medicare through telephone counseling, public
education, and public policy work. MRC, under a contract with
the New York State Office for the Aging, with funding from the
Health Care Financing Administration, operates a telephone
hotline. Each year, we field approximately 50,000 hotline calls
from people with Medicare questions and problems and provide
direct assistance on a variety of Medicare issues to more than
7,000 individual callers. I thank the Committee on Ways and
Means for this opportunity to testify on how the transition to
the year 2000 may affect people on Medicare.
We recognize that the United States government and
corporate America are taking Y2K issues seriously, and we hope
their efforts will result in a smooth transition to the year
2000 for everyone on Medicare. Otherwise, people on Medicare
could face serious health care access problems. Today, I am
going to talk about some access to care problems that could
arise.
First, at the federal level, our foremost concern is health
care access for the more than 6 million seniors and people with
disabilities in Medicare HMOs. We applaud HCFA's efforts to
ensure that its own systems are Y2K-compliant. But HCFA cannot
guarantee that Medicare HMOs will be Y2K-compliant. As you
know, most HMOs require prior authorization for specialty care.
Unless the Medicare HMOs are Y2K-compliant, we could see a
significant increase in the number of people on Medicare who,
because of system failures, can't get authorization for the
care they need, with potentially devastating consequences.
Consider this potential scenario: it is February 2000 and a
Medicare HMO enrollee goes to the hospital with stomach pains.
The doctor calls the HMO requesting approval to perform a
Medicare-covered procedure to alleviate her pain. The HMO does
not have the systems in place to find the patient's name on its
database or can't use the computer to determine whether the
service is covered and therefore does not give authorization.
As a result, the woman does not get the care she needs.
We wonder what advice we should be giving our clients about
joining a Medicare HMO or other Medicare private health plan in
November 1999 to begin enrollment on January 1, 2000. Should we
advise people to secure an affidavit of Y2K-compliance from
their HMOs that is legally admissible in a court of law? Or,
should we recommend that they withdraw from their Medicare HMOs
for the three-month period between December 1999 and February
2000 if they wish to avoid the risk of not getting the care
they need because of HMO system failures? If not, we wonder how
seniors and people with disabilities can protect themselves. We
strongly recommend that HCFA set up a special hotline for
people to call if they are denied access to care because of Y2K
problems. We also urge that some mention of Y2K access to care
issues be included in the Medicare & You handbook.
We are concerned about how HCFA protects people in Medicare
HMOs when they cannot get care because of Y2K system failures,
and how it holds these HMOs accountable. What tools does HCFA
have at its disposal to ensure that HMOs provide people on
Medicare with the care they need?
HCFA has taken a strong first step in requiring all of its
contractors to submit Y2K compliance forms. But, as you know,
these statements are not admissible in a court of law. And in
the past HCFA has lacked the staff and resources to properly
oversee its contracting agents.\1\ The Y2K issue brings to the
surface the federal government's limited ability to ensure that
people on Medicare get the health care they need from the
private health plans that contract with HCFA.
---------------------------------------------------------------------------
\1\ An Office of Inspector General report finds that HCFA has
neither the staff nor resources to oversee Medicare HMOs. Department of
Health and Human Services, Office of Inspector General, April 1998,
Report Numbers: OEI-01-96-00190 and OEI-01-96-00191.
---------------------------------------------------------------------------
Second, at the state level, we are concerned that system
failures caused by inadequate preparation for Y2K on the part
of local Medicaid and Social Security offices will slow down or
undermine the application process for QMB, SLMB, QI-1 and QI-2.
These programs help many low-income people on Medicare pay for
their health care coverage. The application process is already
slow and difficult in many states, and system failures could
prevent even more people from getting these benefits and the
care and coverage they need and are due. HCFA should institute
a system to ensure that the Social Security Administration does
not drop dually-eligible people from Medicare because of Y2K
system failures at state Medicaid offices.
Finally, at the individual level, it is critical that those
seniors and people with disabilities on Medicare who rely on
prescription drugs and computer-chip driven medical equipment
keep getting the medicine and equipment they need without
interruption when the year 2000 begins. Although overseeing
this continuity of care is outside of HCFA's legal
jurisdiction, HCFA has an important role in educating people on
Medicare on what they need to do to ensure that the transition
to Y2K goes smoothly for them. We believe that HCFA should
sponsor a series of public service announcements telling people
on Medicare, their friends, and family members that: one--they
need to check with their doctors and pharmacy to ensure
availability of their prescriptions during the transition to
the year 2000, and two--if they use a medical device, then they
should check with their doctor or supplier in advance to make
sure that the equipment is Y2K-compliant.
People on Medicare have already lived through many changes
and hardships. Most do not own a computer. They are probably
not overly concerned with the ability of computer systems to
transition smoothly into the year 2000. We do not want to
instill fear in people on Medicare. It is our job, as
professionals who work closely with seniors and people with
disabilities on Medicare, to educate our clients on how to get
the care they need when they need it. We are telling our
clients to ask their doctors, pharmacists, and medical
suppliers if they are Y2K-compliant. We hope that Congress and
HCFA will do whatever possible to make sure that people on
Medicare keep getting the care they need in the new millenium.
Thank you.
Chairman Archer. Our next and last witness of the day is
Joel Willemssen. Welcome back again. And if you'll officially
identify yourself for the record, you may proceed?
STATEMENT OF JOEL C. WILLEMSSEN, DIRECTOR, CIVIL AGENCIES
INFORMATION SYSTEMS, ACCOUNTING AND
INFORMATION MANAGEMENT DIVISION, U.S. GENERAL ACCOUNTING OFFICE
Mr. Willemssen. Yes, sir, Mr. Chairman. Joel Willemssen
with the General Accounting Office. Thank you. And as
requested, I'll briefly summarize our statement on Medicare Y2K
and then very briefly on the overall readiness of the
healthcare sector.
Regarding Medicare Y2K, we originally reported our concerns
with this nearly 2 years ago. At that time, the level of HCFA
management attention focused on Y2K was minimal. Instead much
of the agency's systems focus was on a failed effort, known as
the Medicare Transaction System, which was intended to replace
existing part A and part B core computing systems. As we've
previously testified, this effort was terminated after about
$80 million had been spent and not one line of software had
been delivered. It's important to keep that history in mind as
we look at the huge challenge HCFA is now up against.
We reported last fall that with its late start on Y2K, HCFA
faced the prospect of having too much to do in too little time.
Many of the basic Y2K management practices that should have
been in place were not. Our conclusions and recommendations to
the administrator reflected our concern about the high level of
risks facing HCFA. HCFA has been very responsive to our
recommendations. And the administrator is to be commended for
making Y2K the agency's top priority and directing a number of
actions to more effectively manage this project.
Among these many actions has been an important commitment
to develop business continuity and contingency plans to help
ensure that no matter what beneficiaries will receive care and
providers will be paid.
Despite that progress, we still have serious concerns with
HCFA and Medicare Y2K. First, HCFA's reported external systems
progress on Y2K has been highly overstated. HCFA and HHS
recently reported that 54 of 78 contractor systems were
compliant as of December 31. In fact, none of these 54 should
have been reported as compliant. All of them had important
exceptions, some of them very significant. Such qualifications
included a major system failing to recognize 00 as a year as
well as 2000 as a leap year.
According to HCFA officials, they reported these systems as
compliant because the qualifications were minor problems that
should not take much time to address. This is at variance with
HCFA's independent verification and validation contractors'
interpretation. The contractor found the qualifications to be
critical, most requiring a major to moderate level of effort to
resolve.
Among the other issues that HCFA needs to address: One,
HCFA still needs an integrated schedule that identifies a
critical path of all the key tasks it needs to complete. Two,
it lacks a risk management process. Three, HCFA still has
thousands of data exchanges that must be renovated and tested.
Four, and maybe most importantly, HCFA faces a huge amount of
testing in 1999. First, changes to resolve the existing
qualifications will need to be retested. Second, testing must
still take place with full production level software. Third,
there are other changes that will be going into effect, from
mandated changes that will also have to be re-tested.
And all of this testing will ultimately determine whether
HCFA's mission-critical systems are, indeed, going to be year
2000 compliant. But given the magnitude of the challenge ahead,
it's absolutely critical that the administrator sustain her
commitment to complete and test business continuity and
contingency plans so that even if system failures occur, HCFA
will be positioned with back-up plans.
Beyond Medicare, and just very briefly looking at the
broader healthcare sector, there is reason for concern about
Y2K readiness, not because of what we know, but because of what
we don't know. The extent of information available on the
readiness of the healthcare sector is generally very limited.
In recent months there has been some good progress made,
especially in the biomedical equipment area. But more will need
to be done in the limited time remaining.
That concludes the summary of my statement. I would be
pleased to address any questions you might have.
[The prepared statement follows:]
Statement of Joel C. Willemssen, Director, Civil Agencies Information
Systems, Accounting and Information Management Division, U.S. General
Accounting Office
Mr. Chairman and Members of the Committee: We appreciate
the opportunity to join in today's hearing and share
information on the readiness of automated systems that support
the nation's delivery of health benefits and services to
function reliably without interruption through the turn of the
century. This includes the ability of Medicare to provide
accurate benefits and services to millions of Americans and the
overall readiness of the health care sector, including such key
elements as biomedical equipment used in the delivery of health
services. Successful Year 2000--or Y2K--conversion is critical
to these efforts.
In a report issued last year, we concluded that the
progress made by the Department of Health and Human Services'
(HHS) Health Care Financing Administration (HCFA)--and its
contractors--in making its computers that process Medicare
claims Year 2000 compliant was severely behind schedule in
areas including repair, testing, and implementation.\1\
Further, we made numerous recommendations to improve key HCFA
management practices which we found to be lacking or
inadequate. This morning I would like to briefly discuss our
findings from that report and our suggestions for strengthening
HCFA's Y2K activities, describe actions taken on those
recommendations, and provide our perspective on where HCFA
stands today.
---------------------------------------------------------------------------
\1\ Medicare Computer Systems: Year 2000 Challenges Put Benefits
and Services in Jeopardy (GAO/AIMD-98-284, September 28, 1998).
---------------------------------------------------------------------------
Beyond Medicare, the level of information on a national
level concerning Year 2000 compliance throughout the health
care sector--including providers, insurers, manufacturers, and
suppliers--is limited. As we reported last fall, this was true
of biomedical equipment routinely used in the delivery of
health care.\2\ Such equipment includes medical devices such as
cardiac defibrillators and monitoring systems that can record,
process, analyze, display, and/or transmit data. Today, I would
like to share information in this area with you as well.
---------------------------------------------------------------------------
\2\ See Year 2000 Computing Crisis: Compliance Status of Many
Biomedical Equipment Items Still Unknown (GAO/AIMD-98-240, September
18, 1998).
---------------------------------------------------------------------------
HCFA's Ability to Process Medicare Claims into the Next Century
As the nation's largest health care insurer, Medicare
expects to process over a billion claims and pay $288 billion
in benefits annually by 2000. The consequences, then, of its
systems' not being Year 2000 compliant could be enormous. We
originally highlighted this concern in May 1997, making several
recommendations for improvement.\3\ In our report of last
September we warned that although HCFA had made improvements in
its Year 2000 management, serious challenges remained to be
resolved in a short period of time. Specifically, we reported
that less than a third of Medicare's mission-critical systems
had been fully renovated, and none had been validated or
implemented. Further, in terms of the agency's key management
practices necessary to adequately direct and monitor its Year
2000 project, HCFA had not:
---------------------------------------------------------------------------
\3\ Medicare Transaction System: Success Depends Upon Correcting
Critical Managerial and Technical Weaknesses (GAO/AIMD-97-78, May 16,
1997).
---------------------------------------------------------------------------
developed an overall schedule and critical path to
identify and rank Y2K tasks to help ensure that they could be
completed in a timely manner;
implemented risk management processes necessary to
highlight potential technical and managerial weaknesses that
could impair project success;
planned for or scheduled end-to-end testing to
ensure that program-wide renovations would work as planned; or
effectively managed its electronic data exchanges,
thereby increasing the risk that Y2K errors would be
transferred through data exchanges from one organization's
computer systems to those of another.
The Office of Management and Budget (OMB) also had
concerns. In its December 8, 1998, summary of Year 2000
progress reports of all agencies for the reporting quarter
ending November 13, 1998, it concluded that while HCFA had made
significant progress in renovating its internal and external
systems, the agency remained a serious concern due to the
remediation schedule of its external systems. OMB further
stated that Medicare contractors would have to make an
intensive, sustained effort to complete validation and
implementation of their mission-critical systems by the
governmentwide goal of March 31, 1999. OMB designated HHS as a
tier 1 agency on its three-tiered rating scale since it had
made insufficient progress in addressing the Year 2000 problem.
Our conclusions and recommendations to the HCFA
Administrator reflected our concerns about the high level of
risk and large number of tasks still facing HCFA. We reported
that it was more critical than ever that HCFA have sound
business continuity and contingency plans in place that can be
implemented should systems failures occur. Our specific
recommendations included that HCFA:
rank its remaining Year 2000 work on the basis of
an integrated project schedule and ensure that all critical
tasks are prioritized and completed in time to prevent
unnecessary delays,
develop a risk management process,
define the scope of an end-to-end test of the
claims process and develop plans and a schedule for conducting
such a test,
ensure that all external and internal systems'
data exchanges have been identified and agreements signed among
exchange partners, and
accelerate the development of business continuity
and contingency plans.
HCFA's Actions To Achieve Compliance
HCFA has been responsive to our recommendations, and its top
management is actively engaged in its Year 2000 program. HCFA's
Administrator has made Year 2000 compliance the agency's top priority
and has directed a number of actions to more effectively manage this
project. For example, HCFA has established a ``war room'' for real-time
monitoring of Year 2000 renovation, testing, and implementation
activities. In addition, the agency established seven contractor
oversight teams to monitor progress. HCFA also strengthened its
outreach efforts: on January 12, 1999, the Administrator sent
individual letters to each of the 1.25 million Medicare providers in
the United States, alerting them to take prompt Year 2000 action on
their information and billing systems. Three days later the
Administrator sent a letter to Congress, with assurances that HCFA is
making progress and stressing that physicians, hospitals, and other
providers must also meet the Y2K challenge. HCFA also offered to
provide speakers in local congressional districts.
To more effectively identify and manage risks, HCFA is relying on
multiple sources of information, including test reports, reports from
its independent validation and verification (IV&V) contractors, and
weekly status reports from its recently established contractor
oversight teams. In addition, HCFA has stationed staff at critical
contractor sites to assess the data being reported to them and to
identify problems.
HCFA is also more effectively managing its electronic data
exchanges. HCFA now reports having a complete data exchange inventory
of nearly 8,000 internal exchanges and over 255,000 external data
exchanges. HCFA also issued instructions to its contractors (carriers
and fiscal intermediaries) to inform providers and suppliers that they
must submit Medicare claims in Year 2000-compliant data exchange format
by April 5 of this year. The status of each of these data exchanges is
being tracked by HCFA staff.
HCFA has also more clearly defined its testing procedures. It
published additional testing guidance in November 1998 that provided a
policy for external systems that requires multiple levels of testing
for each system, including:
Unit level testing: testing of the individual software
component using test cases that exercise all component functionality.
For the standard claims processing system, this includes full
functional testing of claims processing policy and program integrity
edits.
Simulated future date testing: testing of the individual
software component using tools to simulate that the date has been
rolled forward.
Compliance testing: testing in a fully Year 2000-compliant
environment with real future dates to verify that the system is Year
2000 compliant.
HCFA also plans to perform end-to-end testing with its Year 2000-
compliant test sites. These end-to-end tests are to include all
internal systems and contractor systems; however, they will not include
testing with banks and providers. Finally, HCFA has begun to use a Year
2000 analysis tool to measure testing thoroughness, and its IV&V
contractor is assessing test adequacy on the external systems (e.g.,
test coverage and documentation).
The final area in which HCFA has demonstrated progress is
developing business continuity and contingency plans to ensure that, no
matter what, beneficiaries will receive care and providers will be
paid. HCFA has established cross-organizational workgroups to develop
contingency plans for the following core business functions: health
plan and provider payment, eligibility and enrollment issues, program
integrity, managed care, quality of care, litigation, and
telecommunications. HCFA's draft plans document its business impact
analysis; the contingency plans are expected to be completed by March
31 of this year, and testing of the plans by June 30.
Reported Status of HCFA's Mission-Critical Systems
HCFA operates and maintains 25 internal mission-critical
systems; it also relies on 78 external mission-critical systems
operated by contractors throughout the country to process
Medicare claims. These external systems include six standard
processing systems and the ``Common Working File.'' Each
contractor relies on one of these standard systems to process
its claims, and adds its own front-end and back-end processing
systems. The Common Working File is a set of databases located
at nine sites that works with internal and external systems to
authorize claims payments and determine beneficiary
eligibility.
HCFA's reporting of its readiness for next January sounds
quite positive as stated in the most recent HHS Y2K quarterly
progress report to OMB. According to this report, dated
February 10, as of December 31, 1998, all 25 of HCFA's internal
mission-critical systems were reported to be compliant, as were
54 of the 78 external systems. Figure 1 shows HCFA's reported
status, compared with what it reported on September 30, 1998.
Figure 1: Reported Status of HCFA's Mission-Critical Systems
[GRAPHIC] [TIFF OMITTED] T6850.004
Source: HCFA quarterly reports to HHS
Reported Progress Is Highly Overstated
HCFA's reported progress on its external mission-critical
systems is considerably overstated. In fact, none of the 54
systems reported compliant by HCFA was Year 2000 ready as of
December 31, 1998. All 54 external systems that were reported
as compliant have important associated qualifications
(exceptions), some of them very significant. Such
qualifications included a major standard system that failed to
recognize ``00'' as a valid year, as well as 2000 as a leap
year; it also included systems that were not fully future date
tested.
According to HCFA officials, they reported these systems as
compliant because these qualifications were ``minor problems''
that should not take much time to address. This is at variance
with the IV&V contractor's interpretation. More specifically,
the IV&V contractor found that the qualifications reported by
all systems contractors were critical, most requiring a major
to moderate level of effort to resolve.
A specific example of a system reported as compliant with
qualifications is the Florida standard system, used by 29
contractors. This system had one qualification that consisted
of 22 test failures. The IV&V contractor characterized this
failure experience as significant. HCFA reports that these
failures were corrected with a January 29, 1999, software
release. However, in a February 16, 1999, IV&V status report,
Blue Cross of California--a user of the Florida standard
system--found that date test problems remained. In another
example, the EDS MCS standard system that is used by 10
contractors had 25 qualifications; these included 9 problems
that were not future date tested. HCFA now reports that future
date testing of the January software release of the EDS MCS
system is 92 percent complete.
As these examples illustrate, these systems are not yet
Year 2000 compliant, and the 39 contractors that use these two
standard systems likewise cannot be considered compliant.
Further, according to the IV&V contractor, two critical
qualifications associated with each of the standard systems
affect all external contractor systems: (1) HCFA-supplied
systems that contractors use in claims processing were
delivered too late to them for required testing to be
performed; and (2) the claims processing data centers'
hardware, software, and telecommunications were not completely
compliant.
The IV&V contractor acknowledges that Medicare claims
processing systems have made progress toward Year 2000
compliance over the past year, yet the various qualifications
inevitably mean that some renovation and a significant amount
of retesting still needs to be accomplished before these
systems can be considered compliant. To HCFA's credit, it
issued a memorandum in early January requesting Medicare
carriers and fiscal intermediaries to resolve these
qualifications by March 31, the federal target date for Year
2000 compliance. The notice stated that Medicare systems with
unresolved Y2K problems affecting claims processing functions
must be corrected, tested, and installed in production. As part
of our ongoing work for the Senate Special Committee on Aging,
we will be monitoring the resolution of these qualifications
closely.
Other Critical Risks/Challenges That Remain
The February 16, 1999, report of HCFA's IV&V contractor
stated that an integrated schedule that tracks all major
internal system activities needs to be established. It added
that system-specific information--including time, test
scheduling, and resource considerations--needs to be more fully
developed in order to achieve a robust, trackable schedule. We
agree. In fact, this is consistent with our previous
recommendation that remaining Y2K work be ranked on the basis
of a schedule that includes milestones for renovation and
testing of all systems, and that it include time for end-to-end
testing and development and testing of business continuity and
contingency plans.\4\ Such a schedule is even more important
for the external systems because of their greater number,
complexity, and interdependencies. HCFA still lacks an
integrated schedule that identifies a critical path. Without
this, it will be difficult for HCFA management to identify
important dependencies in this complex environment and to
prioritize its remaining work in the time that remains.
---------------------------------------------------------------------------
\4\ GAO/AIMD-98-284, September 28, 1998.
---------------------------------------------------------------------------
HCFA also lacks a formal risk management process--something
to identify all risks and their interdependencies, assess their
impact, establish time frames for mitigation and criteria for
successful mitigation, and ensure that the criteria are
followed. The one system that was intended to serve as its
comprehensive risk management system does not contain current
information, according to the IV&V contractor.
HCFA's systems--both internal and external--exchange data,
both among themselves and with the CWF, other federal agencies,
banks, and providers. Accordingly, it is important that HCFA
ensure that Y2K-related errors will not be introduced into the
Medicare program through these data exchanges. As of February
10, 1999, HCFA reported that over 6,000 of its 7,968 internal
data exchanges were still not compliant, and that over 37,000
of its nearly 255,000 external data exchanges were not
compliant.\5\ To ensure that HCFA's internal and external
systems are capable of exchanging data between themselves as
well as with other federal agencies, banks, and providers, it
is essential that HCFA take steps to resolve the remaining
noncompliance of these data exchanges.
---------------------------------------------------------------------------
\5\ On February 23, 1999, the HCFA Administrator stated that she
wanted us to note that the February 10, 1999, HHS quarterly report to
OMB had a typographical error, and that the total number of internal
data exchanges is 3,418 and that 309 of these are still not compliant.
---------------------------------------------------------------------------
In yet another critical area, HCFA faces a significant
amount of testing in 1999, since changes will continue to be
made to its mission-critical systems to make them compliant.
First, changes to resolve the existing qualifications will need
to be retested. Second, testing must still take place with full
production-level software. For example, the final software
release of the Common Working File before 2000 is scheduled for
late June; testing will therefore be needed after that. Third,
legislatively mandated changes to software that will occur
through June will need to be retested as well. HCFA plans to
conduct these final tests of its systems between July 1 and
November 1, 1999, then recertify all mission-critical systems
as compliant without qualification or exception. These final
tests will ultimately determine whether HCFA's mission-critical
systems are indeed Year 2000 compliant. The late 1999 time
frames associated with this testing represent a high degree of
risk.
In addition to such individual systems testing, HCFA must
also test its systems end-to-end to verify that defined sets of
interrelated systems, which collectively support an
organizational core business function, will work as intended.
As mentioned, HCFA plans to perform this end-to-end testing
with its Year 2000 test sites. These tests are to include all
internal systems and contractor systems, but will not include
testing with banks and providers. HCFA has instructed its
contractors that it is their responsibility to test with
providers and financial institutions. Even excluding banks and
providers, end-to-end testing of HCFA's internal and external
systems is a massive undertaking that will need to be
effectively planned and carried out. HCFA has not yet, however,
developed a detailed end-to-end test plan that explains how
these tests will be conducted or that provides a detailed
schedule for conducting them.
A final aspect of testing concerns the independent testing
contractor. The IV&V contractor's recent assessment of the
independent testing contractor concluded that its strategy as
currently stated ``is high risk for providing effective
independent testing'' because of the limited number of internal
systems to actually be independently tested: 8. This number was
previously 22. Further, this testing will not be completed
until August. The limited number of systems tested and the late
completion date are not reassuring.
Given the magnitude of HCFA's Year 2000 problem and the
many challenges that continue to face it, the development of
contingency plans to ensure continuity of critical operations
and business processes is absolutely critical. Therefore, HCFA
must sustain its efforts to complete and test its agencywide
business continuity and contingency plans by June 30. Another
challenge for HCFA is monitoring the progress of the 62
separate business continuity and contingency plans that will be
submitted by its contractors. We will continue to monitor
progress in this area.
Other issues that further complicate HCFA's Year 2000
challenge are the known and unknown contractor transitions that
are to take place before January 1, 2000, and the unknown
status of the managed care organizations serving Medicare
beneficiaries. As reported in HHS' quarterly submission to OMB,
HCFA is concerned about the possibility of Medicare
contractors, fiscal intermediaries, and carriers leaving the
program and notifying HCFA after June 1999. If this were to
occur, the workload would have to be transferred to another
contractor whose Year 2000 compliance status may not be known.
According to both contractor and HCFA officials, it requires 6-
12 months to transfer the claims processing workload from one
contractor to another. At present, HCFA must transition the
work of three carriers that are leaving the program.
HCFA is requiring the 386 managed care organizations
currently serving 6.6 million Medicare beneficiaries to certify
their systems as Year 2000 compliant by this April 15. These
certifications may be qualified, just as with the fee-for-
service contractors. If this were to occur, a formal
recertification would have to be performed later this year.
Until this initial certification is performed, it will remain
unknown whether the managed care organizations' systems are
year 2000 compliant.
To summarize HCFA's situation, the agency and its
contractors have made progress in addressing issues that we
have raised. However, their reported progress vastly overstates
the facts. Some renovation and a significant amount of testing
must still be performed this year. Until HCFA completes its
planned recertification between July and November 1999, the
final status of the agency's Year 2000 compliance will be
unknown. Given the considerable amount of remaining work that
HCFA faces, it is crucial that development and testing of
HCFA's business continuity and contingency plans move forward
rapidly if we are to avoid the interruption of Medicare claims
processing next year.
Y2K Readiness of the Health Care Sector: Information is Limited
At this point, I would like to broaden our discussion to
the Year 2000-readiness status of the health care sector,
including biomedical equipment used in the delivery of health
care. While it is undeniably important that Medicare systems be
compliant so that the claims of health care providers and
beneficiaries can be paid, it is also critical that the
services and products associated with health care delivery
itself be Year 2000 compliant. However, the level of
information currently available on such compliance is not
reassuring.
Virtually everything in today's hospital is automated--from
the scheduling of procedures such as surgery, to the ordering
of medication such as insulin for a diabetic patient, to the
use of portable devices as diverse as heart defibrillators and
thermometers. It therefore becomes increasingly important for
health care providers such as doctors and hospitals to assess
their health information systems, facility systems (such as
heating, ventilation, and air conditioning), and biomedical
equipment to ensure their continued operation at the turn of
the century. Similarly, pharmaceutical manufacturers and
suppliers that rely heavily on computer systems for the
manufacturing and distribution of drugs must assess their
processes for compliance. Given the large degree of
interdependence among components of the health sector--
providers, suppliers, insurance carriers, and patients/
consumers--the availability and sharing of Y2K readiness
information is vital to safe, efficient, and effective health
care delivery.
Readiness information is limited throughout the health care
sector. Specifically, the amount of data available to consumers
on the Y2K readiness of health care providers, private
insurers, and pharmaceutical manufacturers and suppliers is
scant. This past June, for example, the American Hospital
Association sent a Y2K readiness survey to about 4,700
hospitals. However, only about 17 percent of its members
responded.
In May 1998, the President's Council on Year 2000
Conversion established a Health Care Working Group \6\ chaired
by HCFA to conduct outreach activities of the health care
sector. In response to an October 1998 request from the Chair
of the President's Council to gauge the Year 2000 readiness of
the health sector, several professional health care
associations surveyed their membership, requesting information
on the status of work completed in the Y2K assessment,
renovation, validation, and implementation phases. For example,
the Association of State and Territorial Health Officials and
the Centers for Disease Control and Prevention (CDC) sent a
Year 2000 readiness-assessment survey to 57 state and
territorial health officials. According to CDC, officials of 27
states responded as of February 19, 1999, and the results are
still under review. Similarly, the Generic Pharmaceutical
Industry Association sent a survey to its members last
December; it plans to discuss the results at a March 8, 1999,
meeting of the Year 2000 Pharmaceuticals Acquisition and
Distribution Committee (comprised of federal and pharmaceutical
representatives). Finally, HHS' Office of the Inspector General
sent a Y2K readiness survey last December to a sample of
Medicare providers; it is not known at this time when the
results will be available. The working group plans to gather
Y2K readiness information from this sector throughout 1999,
especially among smaller health care organizations.
---------------------------------------------------------------------------
\6\ Members include federal health care agencies and professional
health care associations such as the American Ambulance Association,
American Hospital Association, American Medical Association, Health
Industry Manufacturers Association, Joint Commission on the
Accreditation of Health Care Organizations, National Association of
Community Health Centers, and National Association of Rural Health
Clinics.
---------------------------------------------------------------------------
Until such survey results are known to consumers, the Y2K
readiness of key components of the health sector will remain in
doubt. Because of the potential impact of the Year 2000 problem
on patient care, it is critical that such readiness information
be obtained and publicized. In this way consumers will have
access to data that can offer some assurance that the
information systems, equipment, and products used in the
delivery of health care services will operate as expected when
needed after the turn of the century. Conversely, the lack of
such information can contribute to consumer doubt,
misinformation, or even panic. It can also foster unnecessary
stockpiling of drugs and the attendant drain on pharmaceutical
product inventories.
Some Biomedical Equipment Status Information Available through FDA
The question of whether medical devices such as magnetic
resonance imaging (MRI) systems, x-ray machines, pacemakers,
and cardiac monitoring equipment can be counted on to work
reliably on and after January 1, 2000, is critical to our
nation's health care. To the extent that biomedical equipment
uses embedded computer chips, it is vulnerable to the Y2K
problem.\7\ Such vulnerability carries with it possible safety
risks. This could range from the more benign--such as incorrect
formatting of a printout--to the most serious--such as
incorrect operation of equipment with the potential to decrease
patient safety. The degree of risk depends on the role the
equipment plays in the patient's care.
---------------------------------------------------------------------------
\7\ Biomedical equipment refers both to medical devices regulated
by HHS' Food and Drug Administration (FDA), and scientific and research
instruments, which are not subject to FDA regulation.
---------------------------------------------------------------------------
As we reported last September,\8\ FDA--which provides
information from biomedical equipment manufacturers to the
public through an Internet World Wide Website--had a
disappointing response rate from biomedical equipment
manufacturers to its request for compliance information. The
FDA biomedical equipment database also lacked detailed
information on the make and model of compliant equipment.
Further, FDA did not require manufacturers to submit test
results certifying compliance. Therefore, the adequacy of
manufacturers' corrections of noncompliant equipment could not
be assured.
---------------------------------------------------------------------------
\8\ GAO/AIMD-98-240, September 18, 1998.
---------------------------------------------------------------------------
To address these issues, we made recommendations to the
Secretaries of HHS and Veterans Affairs (VA)--a key stakeholder
in determining the potential effects of the century change on
biomedical equipment--to determine what actions, if any, should
be taken regarding manufacturers that have not provided
compliance information. We also recommended that the
departments (1) work jointly to develop a single data
clearinghouse to provide compliance information to all users of
biomedical equipment, and (2) take prudent steps to review test
results for critical care/life support biomedical equipment,
especially equipment once determined to be noncompliant but now
deemed compliant--and make those results publicly available
through FDA's central data clearinghouse.
HHS and VA agreed with our recommendation to develop a
single data clearinghouse. FDA, in conjunction with VA, has
established a biomedical equipment clearinghouse; it is
publicly accessible through the Internet site and contains
information on biomedical equipment compliance submitted to FDA
by manufacturers, as well as information gathered by VA and the
Department of Defense as part of their Year 2000 compliance
projects. FDA also plans to include detailed information on the
make and model of equipment reported as compliant.
In its February 10, 1999, quarterly submission to OMB, HHS
reported that as of January 12, 1999, about three quarters
(1,438) of 1,932 biomedical equipment manufacturers identified
by FDA had submitted data to the clearinghouse. As shown in
figure 2, about 40 percent of the manufacturers have products
that do not employ a date, while about 17 percent reported
equipment having date-related problems.
Figure 2: Biomedical Compliance Status Information Reported To
FDA by Manufacturers as of January 12, 1999
[GRAPHIC] [TIFF OMITTED] T6850.005
Last September we reported that most manufacturers citing
noncompliant products listed incorrect display of date and/or
time as the Y2K problem.\9\ According to VA, these cases may
not present a risk to patient safety because health care
providers, such as physicians and nurses, can work around the
problem. Of more serious concern are situations in which
devices depend on date calculations, which can be incorrect.
One manufacturer cited an example of a product used for
planning delivery of radiation treatment using a radioactive
isotope as the source. An error in calculating the strength of
the radiation source on the day of treatment could result in a
dose that is too high or too low, which could have an adverse
effect on the patient.\10\
---------------------------------------------------------------------------
\9\ GAO/AIMD-98-240, September 18, 1998.
\10\ Year 2000 Computing Crisis: Leadership Needed to Collect and
Disseminate Critical Biomedical Equipment Information (GAO/T-AIMD-98-
310, September 24, 1998).
---------------------------------------------------------------------------
HHS reports that FDA will continue to explore ways of
obtaining compliance information from manufacturers who have
not yet replied. In response to our recommendation that FDA and
VA review test results of manufacturers' compliance
certifications, VA--deferring to HHS--stated that it did not
have the legislative or regulatory authority to do this. HHS,
for its part, said that it lacked the available resources to
undertake such a review and, further, that insufficient time
remained to complete such reviews before 2000. We believe that
if HHS lacks sufficient resources to review manufacturers' test
results, it may want to solicit the help of federal health care
providers and professional associations. Finally, HHS stated
that submission of appropriate certifications of compliance is
sufficient to ensure that the certifying manufacturers are in
compliance. We disagree. Through independent reviews of
manufacturers' test results, users of medical devices are
provided with a greater level of confidence that the devices
are indeed Year 2000 compliant.
In summary, there is great need for much more information
available on the Y2K readiness of the health care sector. Until
this information is obtained and publicized, consumers will
remain in doubt as to the Y2K readiness of key health care
components. In addition, while compliance status information is
available for some biomedical equipment through the FDA
clearinghouse, FDA has not reviewed test results supporting
manufacturers' certifications to provide the American public
with a higher level of confidence that biomedical equipment
will work as intended.
* * * * *
Mr. Chairman, this completes my statement. I would be
pleased to respond to any questions that you or other members
of this Committee may have at this time.
Chairman Archer. Thank you, Mr. Willemssen. Does any member
wish to inquire of this panel?
Mr. Tanner.
Mr. Tanner. Thank you, Mr. Chairman. I just have one
question for Mr. Brown. I understand HCFA set a target date of
April the 5th for Medicare providers to submit claims that are
Y2K compliant. Will the hospitals be able to meet that target
date do you think?
Mr. Brown. I think the hospitals are working toward that
date, Mr. Tanner. And to take our own organization as an
example, in St. Louis, our first effort and first focus was
really on our total systems. The claims administration piece of
that is only part of the total of our operating and patient
accounting systems. We're working now doing vendor testing to
be in compliance. Will we be done by April 5? Possibly not
completely, but we anticipate totally by June 15.
I think the hospitals are working toward this, and I think
the fact that the administrator had pointed out, that 58
percent are in compliance today, that's significant. And I
think we have to put it in the perspective of hospitals' number
one focus: their total operating systems and how that
translates into the patient care issues and patient safety
issues.
Mr. Tanner. I understand HCFA has provided some software at
no cost for this purpose. Is there anything further that could
be done, not that the April 5th deadline is such an important
date, but just so there is no problem?
Mr. Brown. The biggest issue to date in terms of the
hospitals, in terms of the provider sector, is that that piece
of software is only one piece of the total system. And so we
have to be able to accommodate that within our total operating
systems. And so, again, in some situations it has been very
helpful. In other situations, it is not; simply because of the
systems that the individual institutions have.
And there's around six major vendors across the country
that really supply most of the patient accounting systems. So
this is really only one piece of that and the hospitals have to
really interface that in with the total.
I think the key thing that was pointed out is the
communication. The issue is, once the contingency plans are
established, those need to be communicated earlier, rather than
later, in terms of HCFA's contingency plans. At the same time,
as hospitals and physicians develop their contingency plans in
their individual communities, we need to communicate that so
that we are able to understand what the potential impact is.
Because when you think about it, over 50 percent of the
reimbursement comes from governmental programs, primarily the
Medicare and Medicaid Programs. So that could have a
significant impact on the cash-flow of hospitals. And we need
to understand what the contingencies are for these systems.
Mr. Tanner. Thank you, Mr. Chairman. I yield back.
Chairman Archer. Thank you. Are there further questions? If
not, thank you very much. We appreciate your input.
And that concludes the hearing on Y2K. The Committee will
stand adjourned until 4:30, at which time we will reconvene to
markup.
[Whereupon, at 4:03 p.m., the hearing adjourned.]
[Submissions for the record follow:]
Statement of Jacquelyn L. Williams-Bridgers, Inspector General of the
Department of State, Arms Control and Disarmament Agency, and United
States Information Agency
Mr. Chairman and Members of the Committee: I am pleased to
have been invited to provide a statement for the record for the
Committee's hearing on the Year 2000 (Y2K) computer problem. On
January 1, 2000, many computer systems worldwide may
malfunction or produce inaccurate information simply because
the date has changed. Unless preventive measures are
successful, these failures will have a costly, widespread
impact on government and private-sector organizations across
the globe.
Embassies, consulates, U.S. businesses, and millions of
Americans living abroad rely on their respective host
countries' infrastructures to provide essential, day-to-day
services such as power, water, telecommunications, and
emergency services. In many areas, particularly in the
developing world, these services could be disrupted if critical
infrastructure components and control systems are not made Y2K
compliant. Failure to resolve the Y2K problem or to implement
adequate contingency plans could create havoc in the foreign
affairs community, including disrupted messaging systems,
hindered embassy operations such as visa and passport
processing, and failed administrative functions such as payroll
and personnel processing.
My office has been actively engaged with the Department of
State (the Department) and our embassies overseas to assist
them in meeting the millennium challenge. Of particular
interest to your Committee, my of lice is also assessing the
Y2K readiness of host countries where the United States
maintains a diplomatic presence. Our work to date assessing
host country readiness has revealed some key themes:
Modern, industrialized countries are generally
ahead of the developing world; however, some of those locations
are at risk of having Y2K-related failures because they were
late in establishing Y2K programs at the national level, and
they are heavily reliant on computer technology in key sectors.
Developing countries are struggling to find the
financial and technical resources needed to resolve their Y2K
problems; still, the relatively low level of computerization in
key sectors (utilities, telecommunications, and transportation,
may reduce the risk of prolonged infrastructure failures.
Former Eastern bloc countries were late in getting
started and are generally unable to provide detailed
information on their Y2K remediation programs, and
Problems related to Y2K readiness in the health
care sector were apparent in nearly every location we visited.
This statement will address OIG's oversight of Y2K
remediation efforts by countries that host our embassies and
consulates and by the U.S. Department of State and the United
States Information Agency (USIA).
OIG Year 2000 Oversight Efforts
International Y2K Efforts: Host Country Preparedness
OIG has been active in international Y2K issues through our
efforts to engage host country representatives and to establish
venues for information sharing and cooperation, and to collect
information on the Y2K readiness of host countries where the
U.S. Government maintains a presence. Since September 1998, OIG
has conducted an aggressive effort to collect and analyze
information on host country Y2K efforts in 25 cities in 20
countries. In addition to consulting with embassy personnel,
OIG met with host country Y2K program managers; representatives
from key infrastructure sectors, such as utilities,
telecommunications, and transportation; and with private sector
officials to discuss their respective Y2K programs and to share
information. A summary of OIG international Y2K site visits is
provided in
Table 1.
The information we collected about host country readiness
provides general insight into a host country's efforts to
reduce the impact that Y2K-related failures might have.
However, I caution that this information represents the
situation at a particular point in time. For example, the
situation as represented by the information we collected in
Mexico 5 months ago may have changed significantly since then.
Table 1.--Summary of OIG International Y2K Site Assessments
------------------------------------------------------------------------
Countries/Cities Visited Date of Visit
------------------------------------------------------------------------
Mexico (Mexico City & Monterrey), Chile September 1998
(Santiago), Panama (Panama City).
South Africa (Pretoria & Capetown), Gabon October 1998
(Libreville), Cameroon (Yaounde),
Ethiopia (Addis Ababa).
Hong Kong, Thailand (Bangkok), Singapore, October/November 1998
Philippines (Manila).
India (Mumbai & New Delhi)............... December 1998
United Kingdom (London), Russia (Moscow), January 1999
Ukraine (Kiev), Poland (Warsaw), France
(Paris), Italy (Rome), Greece (Athens),
Germany (Frankfurt, Bonn, & Berlin).
------------------------------------------------------------------------
OIG has provided information summaries on each of these
countries to appropriate officials in the Department, the
President's Year 2000 Conversion Council, the United States
Information Agency (USIA), congressional committees, and other
foreign affairs organizations. Generally, the information we
have collected about specific countries is considered
sensitive. Disclosure of such information is limited to other
governments, international organizations, and entities which
the Department determines may benefit in connection with their
own Y2K activities.
Our work has helped to raise awareness of Y2K issues and to
increase cooperation and coordination between the U.S. and its
foreign partners on mutually beneficial Y2K matters. For
example, the United States Embassy in Paris used our visit to
develop a number of bilateral Y2K initiatives, including
sharing information on health care and developing policy
initiatives for assisting African countries with their Y2K
efforts. In addition, our work has helped engender support for
establishing a policy framework to address Y2K issues in the
developing world.
OIG is also engaged in other international Y2K efforts. In
accordance with a Memorandum of Understanding signed by the
Secretary of State and Chile's Minister of Foreign Affairs, OIG
has begun a cooperative effort to work with the Chilean
Government on a number of internal audit issues. In September
1998, OIG auditors met with Chilean Government representatives
to exchange ideas on addressing and enhancing Y2K-related audit
methodologies.
Also, in coordination with the Organization of American
States (OAS) and USIA, OIG has initiated a series of USIA
Worldnet Interactives with Latin America and Canada to provide
expert guidance on timely contingency planning and Y2K
compliance in the sectors of health, energy, and financial
institutions. In coordination with OAS and USIA, these
interactive programs have been broadcast live throughout this
hemisphere and worldwide via the Internet. The programs have
explored problems, strategies and solutions in the areas of
timely contingency planning, energy, and financial
institutional readiness.
Results of OIG International Assessments
Based on our work in the countries cited above and on our
assessment of other information provided by the Department,
four themes have emerged relating to the potential impact the
Y2K problem may have in the global arena. Our assessment of the
timeliness of host country efforts to solve Y2K problems is
being conducted in accordance with a phased methodology,
similar to that recommended in the General Accounting Office's
(GAO) Year 2000 assessment guide. The phases include awareness
of the problem at the highest levels, assessment of the impact
of the Y2K problem, renovation or replacement of noncompliant
systems, validation of renovated or replaced systems, and
finally, implementation of the revised system. According to
this methodology, the renovation phase should have been
completed by mid-1998 to allow sufficient time for validation
and implementation. Further, testing will account for 45-50
percent of the time needed to correct a Y2K problem.
Our work has resulted in the following findings:
Inconsistent Progress in Industrialized Countries. Modern,
industrialized countries, while generally ahead of the
developing world in terms of identifying and acknowledging the
Y2K problem, were not consistently focused or effective in
their efforts. Governments in several European countries, for
example, had started Y2K programs in mid-1998, and some of
those programs were making only minimal progress in getting
their systems renovated. The risk of Y2K-related failures is,
in some respects, higher in these countries because of their
high reliance on modern computers.
Lack of Financial and Technical Resources in Developing
Countries. Developing countries were struggling to make headway
in solving their Y2K problems. These countries were generally
in the assessment phase toward the end of 1998, as they
endeavored to develop effective remediation plans and to
address the difficult task of finding adequate financial and
technical resources to resolve Y2K issues or to develop
contingency plans. The governments of some developing countries
did not regard Y2K as a priority and thus had not established
committees or task forces to address Y2K on a national basis.
In these locations, the risk of failure in such key sectors as
utilities and telecommunications will depend on the extent to
which they rely on computers and embedded devices. Although
these countries are generally experienced in dealing with
short-term power and telecommunications outages, the question
remains as to how well they can handle long-term disruptions in
numerous sectors that may concurrently occur because of Y2K-
related failures.
Difficulty in Assessing East European Progress. Three
countries that were part of the former ``Eastern bloc'' were
also late in getting started on Y2K remediation and generally
were still in the assessment phase at the end of 1998. However,
we found it difficult to obtain detailed information about the
Y2K programs in these countries, thus hindering our ability to
develop an overall evaluation of the progress being made. The
apparent widespread use of pirated software, and the lack of
information on when and where computer equipment and software
were obtained in the first place, further confused the
situation. Again, similar to what we found in the developing
world, the prevalence of analogue technology (or none at all)
will reduce the risk of major problems in telecommunications,
utilities, and transportation.
Overall Lack of Y2K Readiness in the Health Care Sector.
Problems related to Y2K readiness in the health care sector
were apparent in nearly every location visited. The failure of
an information system or a medical device in a clinic or a
hospital can put lives at risk. For example, it is conceivable
that a computer might cut off important life support systems
after the date change because it assumes the maintenance
interval has been exceeded by one hundred years. In most of the
countries we visited, efforts to assess the impact of Y2K on
hospital systems and medical devices did not get under way
until mid-1998, leaving very little time to remediate or
replace noncompliant software and devices.
The State Department has also recognized that the potential
for Y2K vulnerability is not restricted to its domestic
operations and has implemented measures to assess the Y2K
readiness of all countries where the United States has a
diplomatic presence. In November 1998, the Department sent a
cable to embassies instructing them to complete a Y2K survey of
their respective host country's Y2K efforts. With the survey
instrument, the posts were expected to collect information on a
wide array of subjects, including the effectiveness of the
country's Y2K program, vulnerability to short-term economic and
social turmoil, reliance on technology in key infrastructure
sectors, and the status of Y2K correctional activities.
As of February 1, 1999, the Department had received
responses from posts in 132 countries. The Department has
tasked a group of analysts to evaluate the data contained in
these surveys, as well as information from other sources, such
as USIA, the World Bank, and this office as well. Based on
these analyses, the Department will determine whether travel
warnings should be issued concerning particular countries, or
drawdown or evacuation plans should be developed for areas
where the Y2K problem may pose a risk to Americans living
abroad. Toward that end, on January 29, 1999, the Department
issued a worldwide public announcement on the Y2K problem to
inform U.S. citizens of the potential for problems throughout
the world because of the millennium ``bug.'' The notice cited
specific areas of concern, including transportation systems,
financial institutions, and medical care, as activities that
may be disrupted by Y2K-related failures. Further, this
announcement goes on to warn that all U.S. citizens planning to
be abroad in late 1999 or early 2000 should be aware of the
potential for problems and stay informed about Y2K preparedness
in the location where they will be traveling.
OIG Work Within the Department of State and USIA
OIG is also playing a significant role in assisting the
Department and USIA to meet the millennium challenge facing
their respective information technology infrastructures,
including computer software, hardware, and embedded devices.
The Department has recognized that it is vulnerable to the Y2K
problem, and over the past two years has taken steps to
remediate its systems and infrastructure to prevent disruptions
to its critical business processes.
The Department has established a Program Management Office
(PMO), which is responsible for the overall management of the
Y2K program within the Department. The PMO's responsibilities
include tracking and reporting on the progress being made by
the bureaus in remediating systems, providing technical advice
and assistance, issuing contingency planning guidance, and
certifying systems for Y2K compliancy. As of February 8, 1999,
the Department reported that 61 percent of its mission-critical
systems had been implemented, and it expects 90 percent to have
been implemented by March 31, 1999.
OIG's first series of reviews focused on assessing internal
aspects of the Department's program to ensure its systems and
devices are Y2K compliant, and we highlighted a number of key
Y2K issues. These included the need for more thorough data
collection and accurate status reporting to the Office of
Management and Budget, better tracking of applications, greater
focus on the computer networks that support Department
operations, more specific attention to the vulnerabilities of
the Department's overseas computer networks, and more timely
issuance of critical Y2K guidance.
In addition, my office has assisted in establishing a
process through which the Department can certify the Y2K
readiness of its mission-critical systems. The purpose of this
process, which we understand is one of the most rigorous in the
Federal Government, is to provide the Department's senior
management with assurance that every feasible step has been
taken to prevent Y2K-related failures on January 1, 2000. We
assisted in writing detailed guidelines that each bureau must
use in developing application certification packages for
submission to PMO. In addition, through an agreement with the
Under Secretary of State for Management, OIG is reviewing the
adequacy of all certification packages for mission-critical
systems before they are provided to the Y2K certification
panel. Thus far, we have evaluated and provided our comments to
the Department on seven application certification packages, and
two of those have been officially certified.
* * * * *
In conclusion Mr. Chairman, our assessments in 25 foreign
locations over the past 5 months have provided a mixed picture
of international Y2K readiness. In some places we found
convincing evidence that effective programs were in place in
both the public and private sectors. In other places, however,
the picture was either grim with no program in place and little
progress being made, or inconclusive because the information
provided did not contain sufficient detail to develop a
reliable assessment.
Faced with a relentless and unforgiving deadline, countries
have to make difficult decisions concerning the use of scarce
resources to fix a problem that has not yet occurred. As such,
over the coming months, the State Department and other U.S.
Government agencies will need to revisit the information and
the issues presented here in order to gain a better
understanding of the potential global impact of Y2K. Only a
concerted and consistent effort to collect and analyze the best
information available will allow the U.S. Government and its
overseas partners to adequately predict and prepare for those
Y2K-related failures that occur after December 31, 1999, and to
take the actions needed to protect global U.S. interests.
Statement of Thomas D. Roslewicz, Deputy Inspector General for Audit
Services, U.S. Department of Health and Human Services
Introduction
Mr. Chairman and Members of the Committee, I am Thomas D.
Roslewicz, Deputy Inspector General for Audit Services of the
Office of Inspector General (OIG), Department of Health and
Human Services (HHS). I am pleased to submit this statement for
inclusion in the permanent record of today's hearing on the
readiness of HHS' computer systems for the Year 2000 (hereafter
Y2K). Consistent with the focus of the hearing, this statement
principally discusses the remediation efforts of the Health
Care Financing Administration (HCFA) and the Administration of
Children and Families (ACF).
The OIG has taken an active role in monitoring the progress
being made by HCFA and other HHS agencies to remediate their
mission critical systems. We have an on-going presence, both at
HCFA and ACF central offices, to oversee the progress on their
internal systems. We also have focused our monitoring efforts
on the Medicare contractors, where we have participated in over
200 site visits with HCFA staff and HCFA's Independent
Verification and Validation (IV&V) contractor. We have issued
two reports to the HHS Chief Information Officer (CIO) and a
number of alerts to the HCFA CIO pointing out HCFA's
accomplishments as well as issues that were a concern to the
OIG. Previous OIG testimony before the House Appropriations
Subcommittee on Labor, HHS and Education outlined some of the
more significant actions taken by HHS as well as some of our
concerns. The following updates those actions and summarizes
the results of our current reviews.
But first I'd like to point out the benefit of the Y2K
effort. The Y2K remediation, while monumental, also created an
opportunity for HHS to collectively assess--and improve--the
efficiency of its critical core business processes.
Longstanding hardware and software problems are being
corrected, configuration management is being improved, and the
need for consistent dialogue between program managers and
Information Technology (IT) staff is now recognized. We believe
the result will be an increasingly better delivery of services
by HHS to its constituents.
Summary
The HHS continues to place Y2K remediation as its highest
IT priority, with a particular focus on the systems that
process billions of dollars each year for the Medicare program.
Bi-weekly meetings continue with the Deputy Secretary, the HHS
CIO, and Agency heads and CIOs. IV&V certification for
compliance is required for all HHS agencies and independent
testing is also required for HCFA's major systems (i.e., seven
standard or ``shared'' systems, two of its Common Working File
[CWF] host sites and eight of its most critical internal
systems). This independent testing is to be done by a
contractor other than the IV&V contractor.
The HHS permitted agencies to reassess their initial
inventory of mission critical systems, thus allowing them to
focus resources on their core business processes. This resulted
in a substantial reduction in the number of Department-wide
mission critical systems from 490 to 290. For HCFA and the ACF,
this reassessment did not result in any change in their total
number of mission critical systems. It did, however, change the
composition of the HCFA internal systems designated as mission
critical.
HHS maintained December 31, 1998 as its deadline for all
mission critical systems to be Y2K compliant, thus allowing a
full year for recertification and post-implementation testing.
Unlike ACF, which reported that it met the December 31 due date
and generally completed its IV&V certifications, HCFA stated
that it never planned IV&V certification for either its
internal or external systems. Instead the IV&V contractor was
to participate in the remediation process and to ``witness''
the certification testing being done by the internal system
owners and the Medicare contractors. In the case of the
internal systems, the IV&V contractor was to issue a ``witness
report'' on that phase of remediation.
To meet the December 31 due date, HCFA accepted self-
certification of compliance from internal system owners and
self-certifications with ``except-for'' statements from its
Medicare contractors. The OIG's review of these exception
statements found that some appear to be significant. For
example, an exception reported for the Fiscal Intermediary
Standard System (FISS), a system used by about 30 Medicare
contractors, is the inability of one of the system's modules to
recognize leap years as well as its continuing use of the two
position year instead of the four position year and century.
While apparently significant, these exceptions, given the size
of the FISS (over 2,000 individual modules), must be evaluated
to determine their true impact. In general, we believe that
exceptions such as these may have a domino affect on system
users, as they might be unable to certify their internal sub-
systems before receiving a certified version of the shared
systems.
According to HCFA, these exceptions will be resolved before
the Office of Management and Budget's (OMB) deadline of March
31, 1999. The HCFA also points out that all but one of its
external systems, that being the Arkansas Part A Standard
System (APASS) used by seven Part A contractors, are currently
in production. The HCFA believes that this extended production
period allows ample time for remediation of the exceptions
reported as well as of any unforeseen problems surfaced. The
HCFA expects to certify by the March 31 due date and to
recertify systems during the summer of 1999 with all systems
recertified by November 1, 1999.
With regard to APASS, the Arkansas Blue Cross and Blue
Shield, the system maintainer, could not both renovate and test
the quality of code changes and still meet the December 31 due
date. This became apparent when a significant number of users
began requesting software corrections that hampered the
contractor's ability to timely complete its code renovations.
The contractor subsequently requested, and HCFA approved, an
alternate remediation plan calling for date relief. On January
27, 1999, Arkansas Blue Cross and Blue Shield distributed a Y2K
compliant production version of software to all its users.
These users are now testing APASS integration with their
internal systems to determine compliancy by March 31, 1999.
Arkansas's certification statement is pending the results of
user testing. According to HCFA, all users have indicated that
they would complete certification by March 31, 1999.
Issues such as those mentioned above were due, in part, to
an underestimation of the complexity and magnitude of the Year
2000 problem. It was initially viewed as an IT problem that
could be resolved by the IT specialists when, in fact, it was
both an IT and business operation problem requiring attention
from all levels of management. This underestimation was
evidenced by the milestone schedules prepared by the HHS
agencies, especially with regard to HCFA. The early schedules
had all phases of the Year 2000 model compressed into the last
2 months of the calendar year with no recognition of system
interdependencies (i.e., ``end-end testing''). Consequently, it
was impossible for management to get a true ``snap shot'' of
its remediation progress. In the case of HCFA, this resulted in
costly delays in making key management decisions for system
conversions and transitions, contingency planning, developing
test plans, and requesting legislative relief. To remedy the
situation, HCFA centralized its Y2K remediation effort by
creating residence teams at key contractor sites. These teams
report directly to HCFA headquarters. We believe this action
further strengthens the HCFA's ability to immediately identify
an on-going or developing problem at a Medicare contractor and,
equally important, immediately strategize a solution to the
identified problem.
As agencies approach OMB's March 31, 1999 deadline, the
focus of system owners must now shift to end-to-end testing to
ensure that all critical core business processes are Y2K
compliant and functioning correctly. Testing of Medicare claims
processing systems must include testing between contractors,
testing of the interface with provider systems as well as
testing the interface with the HHS' payment system with the
U.S. Treasury. Results of recent monitoring visits to Medicare
contractors have demonstrated the importance of testing. For
example:
A November 1998 visit to the Computer Sciences
Corporation (CSC), the system maintainer for the CWF,
determined that neither CSC nor the previous system maintainer
had planned to future date test the third release of the 1998
changes to CWF. Our concern was that unless the changes made to
the CWF in the third release were future date tested prior to
January 1, 2000, the possibility existed that any changes which
were not Y2K compliant would not be detected until it was too
late. In the same alert, we reported a traceability matrix was
needed to ensure sufficient test coverage. This matrix is a
general control to ensure that all necessary tests are
conducted against pass/fail criteria and are quality reviewed.
The HCFA believes that changes made to the CWF in the third
release were future date tested during the testing of the
fourth release. We intend to follow-up on these issues.
A December visit to Blue Cross/Blue Shield of
Oklahoma (BCBSOK) identified weaknesses in the contractor's
testing plan. Although 96 percent of the claims processed by
BCBSOK are received electronically, only on-line claims that
are entered directly into the FISS are being tested. As a
result of our discussions with BCBSOK officials, the contractor
agreed to create a batch of electronic claims for additional
testing through the entire claims process.
A December visit to Blue Cross/Blue Shield of
North Carolina, a Fiscal Intermediary (FI) that uses the APASS,
determined that the contractor needed: (i) a formal Y2K test
plan, written test procedures, and documented test case
scenarios for its APASS testing; (ii) a quality assurance plan
to ensure the quality of its Y2K testing; (iii) a configuration
management plan specific to Medicare, i.e., a plan of
procedures to be followed when Medicare applications are
designed, developed, and modified, and (iv) a formal
contingency plan. We will follow-up on resolution of these
findings during our next site visit.
The Committee can be assured that we will continue our work
in this most important area. The HCFA has accomplished a lot,
but much more needs to be done. Their present remediation
strategy is aggressive, high-risk, leaving little room for
error. We will be monitoring efforts of both the HCFA central
office and the Medicare contractors, with a focus on compliance
testing, including end-to-end testing. We will continue our
practice of reporting our concerns to the appropriate HHS
officials so that timely action can be taken to facilitate the
remediation process. We appreciate this opportunity to discuss
HHS' systems' readiness for the Year 2000.
Statement of White House Conference on Small Business
The Impact of Year 2000 Transition on Small Businesses
The undersigned are the elected Regional Chairs of Taxation
representing the 2000 delegates to the White House Conference
on Small Business. We were delegated the responsibility of
advancing implementation of the conference's recommendations
with regard to the tax issues and reporting progress back to
the delegates. As the Ways and Means Committee prepares to
consider the impact that the year 2000 conversion might have on
the nation, the delegates to the White House Conference on
Small Business want to remind you to consider the importance of
the small business community to our economy. Please take into
account the cost for them of updating computer software,
computer hardware and other equipment because these issues are
important for the growth and progress of small businesses in
America.
Simplicity
The single largest concern of the White House Conference on
Small Business was dealing with the overall complexity of
government and the complexity of the tax code in particular.
Allocating and reporting income taxes and payroll taxes is the
one common experience of every business and may be the only
interaction that most businesses have with the federal
government. Simplifying the tax process would, therefore,
improve the situation for every small business. Studies have
shown that it costs small businesses more to comply with the
tax code, and considerably more in comparison to each dollar of
sales, than it costs large businesses. Small businesses have
fewer sales over which to spread the cost.
This is true for the cost allocation of the expenses
related to the year 2000 conversion. Small businesses do have
some tools, Sec. 179 expensing, for example, which could help
them, but the committee should make an extra allowance to help
them meet what could be a dramatic one-time expenditure.
Regular Expensing--Internal Revenue Code Sec. 179
The expensing limit of IRC Sec. 179 will be gradually
increased to $25,000 (by the year 2003) from its current level
as provided for in the Small Business Job Protection Act passed
by Congress in 1996. The small business community appreciated
the attention Congress gave to this issue, but would urge
greater increases and quicker implementation. Expensing is
perhaps one of the most useful tax simplifiers for small
business; however its use still remains limited. In addition,
Congress did not correspondingly raise the $200,000 limit on
purchases. These days, one piece of machinery (even for a very
small business) can exceed this limit, effectively eliminating
many small businesses from any benefits.
Software Expensing & The Year 2000
First, we, the Regional Chairs for Taxation of the White
House Conference on Small Business, would like to point out
that the allocation of costs for software is already a cloudy
area with or without the year 2000 problem. We feel a way
Congress could make a tremendous contribution is to permanently
allow expensing in the year a business purchases software
obtained for business purposes. It is practically impossible to
declare with certainty what the useful life of software is
within a business. With the pace of technology, useful life
gets shorter and shorter as better products that exploit
hardware advances seem to hit the market continuously.
This basic problem is multiplied by the year 2000
conversion that many small businesses do not fully understand.
The cost to them to upgrade their computer software and
hardware might be considerable. But software and hardware may
only scratch the surface of the problem. Identifying and
correcting buried chips in everyday equipment may really
explode the costs. Think of computerized heating, cooling, and
security systems. Consider all the cell phones, business
telephone systems, dispatcher systems, beepers, fax machines
and Xerox machines. A small business needs to also look at
their automobiles, trucks and other heavy equipment. The list
goes on and on.
We believe it serves public policy to provide incentives to
help small businesses assess their exposure to the problem and
purchase new software as soon as possible. This will insure the
continuity and free flow of business in 2000. The full cost to
small business to assess the threat and then to test and
replace equipment as necessary should be deductible in the year
of expense. The Process should be kept as simple as possible
and would not involve a major revenue outlay since these costs
are already recoverable through expensing, or depreciation--
capitalization.
In 1996, the Gartner Group estimated that the year 2000
problem would cost $600 billion to fix. Later estimates by
Lloyds of London have been as high as $1 trillion. Economist Ed
Yardeni has estimated that there is a 35% chance of a global
recession because some businesses will be unable to deal with
their year 2000 problems. And, unlike most projects, the final
due date can not be changed with the year 2000 problem--the
year 2000 will arrive whether we are ready or not.
The Federal Reserve is currently predicting that 1% to 7%
of U.S. businesses will fail because of the year 2000 problem.
The Board is encouraging all businesses to address the problem
as early as possible. The Small Business Administration and the
Department of Commerce are encouraging all small businesses to
make plans to assess the situation now so that actions can be
taken in a timely manner. Many of the affected businesses will
need new items of software and hardware, and we would urge that
the materials immediately be deemed able to be expensed.
Summary
In general, the White House Conference has urged Congress to
investigate the simplest ways to help small businesses solve their
problems. We would like to see legislation to increase Sec. 179
expensing and permit small businesses to write off in the year of
purchase any expense related to year 2000 conversion but without regard
for those expenses to the limits of the current Sec. 179. If, for
budget purposes, the bill must be limited, we suggest limits along the
lines of those in HR 179 offered by Representative Thurman, that
generously push up the expensing amount.
As always, the White House Conference Tax Chairs would like to
recommend that any changes that are considered by the Committee be
analyzed for their impact on small businesses and that representatives
of the small business community be included in future hearings on the
subject.
We would like to work with you, your colleagues, and your staff to
help you better understand the importance of these proposals to small
businesses and the U.S. economy. Thank you for your time and attention
to this matter.
The White House Conference Tax Chairs
Region 1: Debbi Jo Horton, Providence, Rhode Island
Region 2: Joy Turner, Piscataway, New Jersey
Region 3: Jill Gansler, Baltimore, Maryland
Region 4: Jack Oppenheimer, Orlando, Florida
Region 5: Paul Hense, Grand Rapids, Michigan
Region 7: Edith Quick, St. Louis, Missouri
Region 8: Jim Turner, Salt Lake City, Utah
Region 9: Sandra Abalos, Phoenix, Arizona
Region 10: Eric Blackledge, Corvallis, Oregon