Time for a Y2K Audit

Time for a Y2K Audit

Validation and verification tools catch errors the second time around.

In Contra Costa County, just northeast of San Francisco, CIO Steve Steinbrecher and his team began remediating and testing 3 million lines of mainframe code in January 1996. By December 1998 the county's Team 2000 had remediated and tested every IDMS application at its Martinez, Calif., data centre and at facilities throughout the county.

One of the most expensive aspects of the effort was live testing of all the county's judicial and public safety applications, including the application for scheduling criminal court hearing dates and times in 48 courtrooms.

Steinbrecher estimates the county spent $ US66,000 to test a single court application, and that doesn't include the time volunteered by salaried workers who came in on weekends and holidays for the tests. "We felt we needed to test everything," says Steinbrecher. "We looked for an auditing tool but did not find one, and we ended up writing some of our own testing algorithms in-house." At about the time Team 2000 was finishing the testing, Steinbrecher learned of an independent validation and verification (IV&V) tool for IDMS code called SmartAudit from Alydaar Software Corp. of Charlotte, N.C. This was the kind of tool Team 2000 had hoped to find more than a year earlier. Steinbrecher realised an IV&V tool would be a good way to double-check the thoroughness of his team's efforts.

Although Contra Costa County had a choice about whether to conduct IV&V, also known as code auditing, as a step in the Y2K preparedness process, publicly traded companies, state government entities and agencies don't have a choice.

In July 1998 the U.S. Office of Management and Budget (OMB) mandated that state and federal agencies conduct an independent audit of their year 2000 remediation efforts. In August 1998 the Securities and Exchange Commission (SEC) issued a letter to publicly traded companies strongly advising them to demonstrate due diligence in their Y2K efforts. CIOs and Y2K project teams are responding to these mandates by engaging the services of Y2K vendors - but not those whose software tools and services they used in their initial remediation efforts. Using a different tool on a second pass through the same code increases the likelihood of detecting potential date errors that slipped through the first time.

You probably aren't thrilled to know that there is yet another step in correcting the Y2K problem. To compound the confusion, consultants and vendors have varying views on whether IV&V is a process or merely a product. Some prefer a narrow definition of Y2K-related IV&Vs. "Y2K remediation vendors have begun to package their Y2K remediation products as IV&V offerings," says Andrew Bochman, director of Y2K services at Aberdeen Group Inc. in Boston. "In essence, performing an IV&V simply means putting a sampling of one's remediated code through a different scanning tool for quality assurance purposes." As he sees it, an organisation can perform IV&V with any language-specific tool that checks date fields as long as the tool is different from the one used in the original remediation work.

More Than Due Diligence

Although a diverse group of people, including lawyers, elected officials, auditors and underwriters, are urging companies and agencies to conduct IV&Vs, sound technical reasons exist. "Now that the results of independent code audits are coming back, organisations are finding on average about 100 date-related errors per million lines of 'fixed' code," says William Ulrich, president of Tactical Strategy Group Inc. of Soquel, Calif. "Some organisations that outsourced their remediation efforts are finding that their vendors did not review the results. An IV&V process can impart needed discipline in cases where quality assurance procedures were lacking." Another good reason for a second, fresh examination of one's code is that newer tools are better at catching errors than are earlier versions of products that many organisations used in their initial remediation efforts. Rick Kich, now CIO for computer distributor Ingram Micro Inc. of Santa Ana, Calif., selected CA-Fix/2000 when he was overseeing Y2K remediation efforts as CIO for the Barnes & Noble Inc. retail bookselling chain. "Technologies are changing so quickly that we get updates to Fix/2000 on a monthly basis. And every new version of the tool catches some date field errors or broken windowing logic that slipped through undetected the first time," says Kich.

Vendor Management Issues

One of the challenges of selecting an IV&V is finding a vendor that can work with the mix of platforms and languages that your IT organisation has used in its mission-critical applications. A growing list of vendors, including Computer Associates International Inc. of Islandia, N.Y., AverStar Inc. of Burlington, Mass., Data Integrity Inc. of Coral Springs, Fla., MatriDigm Corp. of San Jose, Calif., Reasoning Inc. of Mountain View, Calif., and Viasoft Inc. of Phoenix, offer extensive consultant-delivered IV&V services for Cobol and other languages. These vendors often subcontract to other vendors that have tools in languages that lie outside their areas of expertise. For example, Reasoning has used MigraTec 2000 from Dallas-based MigraTec Inc. to scan C++ code.

In large, complex organisations and governments, software audit processes usually involve multiple vendors because no one vendor has the complete array of language-specific tools needed to serve the needs of organisations with multiple data centres and unique assortments of legacy systems. Managing all the vendors for these complex audits isn't easy. You can let one vendor do all the subcontracting or, at the other extreme, you can hire multiple vendors and contract separately for project management services. The states of Iowa, North Carolina and Washington have each taken a different approach to conducting IV&Vs as part of their statewide Y2K risk assessment processes.

In Iowa, the executive branch of the state government put one vendor, Computer Technology Associates Inc. (CTA) of Bethesda, Md., in charge of a comprehensive software quality audit involving 35 different agencies. The legislative and judicial branches are considering CTA for their IV&V work. CTA audits each agency's code with a five-step process. It selects a suitable tool for IV&V, uses this tool to scan the agency's code, issues a report on problem areas within the code, identifies areas for IT process improvement and issues Colour-coded progress reports (green for satisfactory progress, blue for finished and red for behind schedule). Onsite consultants work with agency directors to assess what steps will be needed to obtain a sign-off from CTA. Of the 10 CTA staffers who work onsite at Iowa's government offices, only 2 use tools to scan production software.

In its year 2000 risk assessment project that encompasses 160 state agencies in the executive branch, the state of Washington takes a less centralised approach to IV&V than Iowa in overseeing its 103 independent Y2K projects. Each agency in that state is responsible for managing its own Y2K project and for selecting the IV&V tools best suited for scanning its own code. In a separate effort, five independent consulting firms divide the work of conducting risk assessments for each agency using uniform reporting formats and metrics.

Sterling Associates of Olympia, Wash., acts as the lead auditing firm. Sterling oversees the other consultancies and is responsible for preparing a statewide report for each of the three phases of the risk assessment process.

In North Carolina, the state auditor's office decides which vendor will conduct each agency's IV&V process. Much of the vendor selection process is done on an ad hoc basis. As a vendor's consultants finish a project for one agency, they are free to work on a new project at another agency. "At first there were dissimilarities among vendors in methods and reporting procedures. Now that we've worked out the differences, we get some cost savings when multiple vendors with similar skill sets can bid on new IV&V projects as each agency becomes ready for its software audit," says State Auditor Ralph Campbell.

Like Campbell in North Carolina, Gary Christoph, CIO for the federal Health Care Financing Administration (HCFA), the funding agency for Medicare, recognises the benefits of working with multiple vendors. For its massive IV&V effort - involving 50 million lines of code from 25 mission-critical systems owned and operated by HCFA and 78 mission-critical systems operated by private insurance companies for processing and paying Medicare claims - HCFA is using consultants from AverStar and two other vendors. "Each consultant brings an extra set of eyes and ears. The more perspectives we get, the more information.

We now have a much better idea about which of our processes exposes us to the most risk," says Christoph.

A Learning Experience

Irene Dec, vice president of operations and systems and Y2K program manager for The Prudential Insurance Co. of America in Newark, N.J., reports "Getting the results of an IV&V report tells us what steps to take to prepare a contingency strategy for all of our facilities, other assets and our business partners." It's a small price to pay for taking extra precautions.

Steinbrecher of Contra Costa County concurs. He estimates that his county spent $ US3.2 million and sustained another $ US3 million in soft costs (that is, overtime, night and weekend work) on its Y2K remediation and testing efforts.

By contrast, the county paid Alydaar only $ US18,500 to run 125,000 lines of IDMS code from four key applications through SmartAudit and to issue an audit report. "It was money well spent," says Steinbrecher. "Alydaar's report uncovered three issues in 100,000 lines of code, all of them minor. These results reaffirmed that Team 2000 did very thorough work." Despite Contra Costa County's clean IV&V report, Steinbrecher's team plans to be at "ground zero" (the data centre in Martinez, Calif.) when the calendar flips to the new millennium. In a county that has three bridges and between three and eight oil refineries, including one that was shut down in February after a major explosion, the team wants to take every available precaution for public safety.

Wireless Optical

Networks Without Obstacles

A new high-speed link offers wide bandwidth over wide terrain PROBLEM: You need the bandwidth of an optical fibre connection, but running a fibre cable is either impractical or too costly. A solution may soon become available in the form of wireless optical technology that can send data across distances of up to three miles at speeds as fast as 10Gbps. The system has the potential to provide high-speed data streams between points at a short-term event like a trade show or over hostile terrain like water or someone else's property.

This experimental networking system, being developed initially for military purposes by Bell Laboratories Inc.'s government solutions unit, uses a pair of custom telescopes built by AstroTerra Corp., a San Diego-based manufacturer of optical wireless communications equipment. Optical transmitters and receivers as well as a high-power optical amplifier from Bell Lab's parent company Lucent Technologies Inc. round out the system's other key components.

The system uses dense wavelength division multiplexing (DWDM), which is best described as a way to increase capacity by transmitting information over multiple wavelengths of light rather than over a single wavelength. It sends data through the air from a transmitting telescope to a receiving telescope, where it is focused onto the core of an optical fibre. Unlike radio-based technologies, such as microwave links, wireless optical communications doesn't require government licenses or frequency allocations. High-speed optical connections are also much faster than microwave links, which top out at 622Mbps.

High-speed wireless optical connections will complement, not replace, conventional fibre-optic technology, says Jim Auborn, director of photonics applications at Bell Lab's government solutions unit in Whippany, N.J. "Fibre is certainly going to be a more reliable and available connection, but in places where fibre is very expensive or impractical to lay, over-the-air optical links would be cost-favourable." Auborn says new high-speed wireless optical hardware is compatible with most existing optical and data networking equipment. On the downside, Auborn acknowledges that adverse weather conditions, such as heavy fog and snow, can interfere with reception.

DWDM's potential applications include connecting buildings across a campus, town or small city as well as providing temporary data links at sporting events, battlefields and disaster sites.

Lucent hasn't yet set a timetable for the technology's commercial release. "We are looking at a range of options," says Auborn. "Right now, it's just being considered for commercialisation." - John EdwardsPalm Computing Goes Industrial Now that palm computing inc.'s handhelds have wormed their way into the enterprise (see "Handhelds Reach Out," CIO Section 1, Sept. 15, 1998), the company is doing more to serve corporate needs. The Palm V sports a thin industrial design and the Palm IIIx adds more memory and more expandability options (remember that the Pilot name is no more, thanks to a lawsuit from the Pilot Pen Corp. of America).

The Palm V is half the thickness of previous Palm computers and weighs only four ounces. For the first time, in addition to the traditional PalmOS applications, it includes connectivity to Microsoft Corp.'s Outlook. Among the improvements are a new battery that can recharge when the Palm V is in its synchronisation cradle and the ability to adjust the display using a software control rather than a hardware dial. Improvements to the Palm IIIx include a doubling of its RAM capacity from 2MB to 4MB. It can now import data from enterprise applications on the corporate network.

The Palm V and the Palm IIIx retail for $ US469 and $ US369, respectively; international versions are available in French, German and Spanish. For more information, call 800 881-7256 or visit

Speeding Up SAP

Other enterprise resource planning software makers haven't had much luck in slowing down SAP's R/3. However, once you install the software on a couple hundred corporate systems, any number of glitches can bog down R/3's performance. Enter Envive Corp., a Mountain View, Calif.-based company that recently released a spate of products and updates under the heading Collaborative Service Level Suite (SLS). The suite provides a single console for viewing SAP applications' performance data.

SLS works hand in hand with another Envive product, Operations Datamart, to record, store and analyse information about how well (or poorly) SAP is running. The products monitor end-to-end application response time and help pinpoint whether performance hang-ups are arising from the network or in the R/3 database itself. According to the company, Envive's single view of multiple data sources increases communication among IS functions typically responsible for keeping R/3 perking along, including network and database managers, operations workers and help desk personnel - hence the "collaborative" moniker.

Pricing for the suite starts at $ US37,500; the data mart costs $ US10,000. For more information call 650 934-4100 or visit

Working from Anywhere

One wonderful thing about the web is the way some companies are using it to rethink old ways of working. Before the Web, if you wanted to work remotely with files that resided on your desktop, you needed an application like Symantec Corp.'s PCAnywhere (and your office PC had to be running around the clock so that you could access it). Now Woodside, Calif.-based Magically Inc. has created, a Web service that lets you access your office files through a Web browser - whether or not the machine you're on has the applications in which those files were created. It's a workaholic's dream come true.

The fundamental pieces of are a personal file system and a synchronisation feature that ensures files and bookmarks are consistent. The service also offers a calendar, an address book and a to-do list. In addition, it includes 5MB of storage space and an e-mail account. Users upload files they'll need onto Magically's system before they leave the office. Once they access the system from their remote location, they can use the Magical Viewer, which translates more than 250 file formats into HTML code so that users can view documents, even without the application running on the machine they're using.

Basic service is free. Premium services include additional storage space (20MB for $ US5 per month, 50MB for $ US10 per month). The Magical Viewer costs $ US5 per month, and five additional e-mail accounts cost $ US10 per month. For more information, call 650 363-2489 or visit

Inbound and Outbound Calling

In the old days, inbound call centres answered incoming calls, while separate outbound centres made all the outgoing calls, and never the two would meet. Now blended call centres increasingly handle both types, and Davox Corp. of Westford, Mass., wants to provide the software to run the show. Davox's Ensemble platform manages both incoming and outgoing calls and provides computer-telephony integration and consolidated reporting tools as well as software for applications to manage agent workflow and scripting.

The system is modular in design, so customers can customise the capabilities according to their centre's specific needs. The inbound call management software runs on Windows NT; other modules require a Unix server. Dave also includes tools to integrate call centres with automatic call distribution systems and other call centre hardware. Pricing has not yet been determined.

For more information, call 978 952-0200 or visit

Peggy King is an Oakland, Calif.-based technology writer. She can be reached at

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about Aberdeen GroupAOLBarnes & NobleBell LaboratoriesCA TechnologiesCritical SystemsDavoxHealth Care Financing AdministrationImpartIngram MicroLucentLucent TechnologiesMicrosoftOffice of Management and BudgetPalm ComputingPhoenixPhotonicsPrudentialSAP AustraliaSECSecurities and Exchange CommissionSymantecTactical Strategy GroupViasoftWilliam Ulrich

Show Comments