Report 98023 Summary - August 1998

Year 2000 Computer Problem: Progress May Be Overly Optimistic and Certain Implications Have Not Been Addressed

RESULTS IN BRIEF

As the year 2000 fast approaches, state agencies are rushing to fix their critical computer projects to allow the continued delivery of essential products and services to Californians. However, fixing almost 700 of the State's critical computer projects may not be as far along as reported in the April 1998 quarterly report published by the Department of Information Technology (DOIT) and reported to the Legislature.

Furthermore, many state agencies have not addressed all facets of the year 2000 problem and, therefore, may not actually be ready for the next millennium. Specifically, agencies are prematurely declaring their critical projects complete that have not been thoroughly tested. Critical projects are those so important that their failure would cause a significant negative impact on the health and safety of Californians, on the fiscal or legal integrity of state operations, or on the continuation of essential state agency programs.

Thus far, none of the agencies reporting on completed critical projects to the DOIT have rigorously tested their information-technology systems, comprised of one or more critical projects, in an isolated environment where the computer's internal clock is set to dates in the next century to make sure the systems will continue to function after the year 2000. Moreover, several agencies responsible for remediating large, complex systems have yet to even schedule such tests at either of the State's two data centers. While all critical projects may not need this type of testing, we believe the fact that none of the 10 agencies reporting completed critical projects to the DOIT has used such testing on those projects is cause for concern. Moreover, in many cases the amount of time agencies are allocating to test their critical projects falls far short of the 50 percent to 70 percent of total project time and resources that others in the industry have spent on testing.

In addition, many of the State's critical computer projects and systems depend on data exchanges with other entities, such as counties and the federal government. Yet not all agencies have completed the necessary steps to ensure that data transmitted through these interfaces will work seamlessly with the State's computer systems into the next century. Even if agencies successfully fix their own critical computer systems, they still may not be able to deliver expected products and services in the next millennium if their data-exchange partners' systems are not year 2000-ready.

Finally, the managers of most state agencies have yet to ensure that their agencies have established appropriate business-continuation plans in the event of failures or delays caused by the year 2000 problem. Agencies appear to be focusing exclusively on fixing critical computer systems and choosing not to involve the individuals responsible for program delivery in determining what to do if critical systems do not work as intended or are delayed. However, rather than using staff involved with remediation, we believe the managers responsible for the agencies' core business processes should establish work groups of program staff and dedicate sufficient resources to develop business-continuation plans to ensure that the agencies maintain the delivery of essential products and services in the event of year 2000-induced failures or delays.

RECOMMENDATIONS

To ensure uninterrupted delivery of essential products and services to Californians, the Governor's Office should ensure that all state agencies take the following steps:

In addition, to ensure that the administration and the Legislature have accurate information about state agencies' progress toward fixing their critical projects and systems threatened by year 2000 problems, the DOIT should do the following: AGENCY COMMENTS

The Department of Information Technology (DOIT), responding on its own behalf and that of the Governor's Office, stated that our observations and conclusions have substantial merit. In addition, three of the four agencies we reviewed concur with our recommendations and believe them to be consistent with industry standards and best practices.

The State Treasurer's Office (STO) believes the methodology we used to determine the accuracy of reported project status differs from that used by the STO and perhaps other agencies and, therefore, believes it projects are closer to being fully remediated than was indicated in our report.