Internal Controls. Tiffany Lake WESTAR Terri Pyle OG&E Jim Nail - IPL



3 Compliance
a: the act or process of complying to a desire, demand, proposal, or regimen or to coercion
b: conformity in fulfilling official requirements (Merriam-Webster definition)
In other words, the things we do to fulfill the requirements of the NERC Standards.

4 Internal Controls
Systematic measures (such as reviews, checks and balances, methods and procedures) instituted by an organization to deter and detect errors, ensure accuracy and completeness of its data, and ensure adherence to its policies and plans. (BusinessDictionary.com)
In other words, Internal Controls are those additional things we do to ensure our Compliance activities:
- Get Done On Time
- Get Done Correctly
- Get Documented Properly

5 Internal Controls come in many shapes and sizes
- Processes and Procedures
- Checklists
- Spreadsheets
- Calendar/reminders
- Training and Qualification

6 Westar Energy's Approach to Internal Controls
- Traditional vs. Risk-Based Compliance Approach
- What is the impact to Westar Energy?
- Roles and Responsibilities
- Assessing Process-Level Risks
- Identifying Internal Controls
SPP RE FALL COMPLIANCE WORKSHOP

7 Transition to Risk-Based Compliance
Traditional Approach:
- Review all applicable standards every year
- Collect evidence
- Conduct testing
- Update RSAWs
Risk-Based Compliance:
- Review higher risk standards
- Utilize internal risk assessment results
- Collect evidence
- Conduct testing
- Conduct process reviews
- Identify and prioritize process-level risk
- Identify and document internal controls
- Perform gap analysis
NERC 693 COMPLIANCE WORKSHOP

8 How does Risk-Based Compliance Impact Westar?
- Focus resources on higher risk areas
- Positive effect on reliability
- Better internal controls and management processes
- Incorporate 2015 lessons learned into 2016 work plan
- CIP Audit April, Audit November 2016

9 Roles and Responsibilities
- Internal Audit
- NERC Compliance
- Business Units

10 Assessing Process-Level Risks
- Review reliability-related processes
  - Misoperations
  - Transmission Vegetation Management
- Identify process-level risks
- Perform a risk assessment
- Document risks

11 Identifying Internal Controls
- Identify and document existing internal controls
- Perform a gap assessment
- Implement internal controls where necessary

12 Tiffany Lake, Manager, NERC Reliability (785)

13 OG&E Approach
- OG&E Compliance Progression
- Risk-Based Approach
- Risk Assessment
- Process Review & Mapping
- Internal Controls
- Documenting Internal Controls
- Current Focus Areas
- Benefits
- Examples
OG&E

14 OG&E Compliance Process Progression
- Foundation: Compliance Management Program
  - Compliance Management Tool: Define compliance, Collect evidence, Update RSAWs
- Compliance Assurance Process (CAP): Procedures, Process Flow Charts, Trained SMEs, Documented Evidence, RACIs, Controls
- Risk-Based Approach
  - Documented risk assessment with emphasis on higher risk areas
  - In-depth process review and mapping
  - Identify and document new internal controls

15 Risk Assessment Considerations
- NERC Risk Elements
- SPP Risk Elements
- Top 10 Most Violated Standards
- Standard VRFs
- Audit and Self-Certification Lists
- NERC Projects (pending Standards)
- Past OG&E Compliance History
- Compliance Assurance Process (CAP) Score
- Other

16 Process Review and Mapping
- Process Mapping
  - Detailed review with process owners
  - Understand how work is done
  - Incorporate compliance requirements
- Identify touch points within processes
  - Business groups
  - NERC Standards
- Include controls already in place
- Identify weak areas in the process and develop new controls

17 Internal Controls
- Level: Entity, Process, Compliance assurance
- Type: Preventive, Detective, Corrective
- Application: Automated, Manual, Hybrid
- Frequency: Daily, Weekly, Monthly, Quarterly, Annually

18 Documenting Internal Controls
- Start with what you have
- Review processes to identify new controls
- Consider process mapping as a tool
OGE Internal Controls Spreadsheet (CIP), columns:
- Standard Req.
- NERC Risk Element
- SPP Risk Element
- OGE Risk Ranking (High, Medium, Low)
- Requirement Text
- Internal Control ID
- Control Title
- Control Area
- Internal Control Description
- Goal of Controls
- Control Type (Preventative, Detective, Corrective)
- Control Application (Automated, Manual, Hybrid)
- Control Frequency (e.g. real-time, daily, monthly, quarterly, annual, etc.)
- Control Owner

19 Current Focus Areas
OPS (693):
- Facility Ratings
- Operations Personnel Training
- Misoperations
CIP:
- Recovery Plans
- Change Management

20 Benefits
- Better understanding of internal processes
- Improved processes
- Better defined roles and responsibilities
- Improved compliance assurance
- Improved reliability

21 Terri Pyle, Manager, NERC Compliance (405)

22 IPL: Municipal Utility
- Registrations: TO/TOP/GO/GOP/TP/RP/DP/LSE
- 26 miles of 161 kV transmission
- 4 BES substations
- 1 BES generation asset

23 Risk Assessment
- IPL system design very stable
- Maintenance program effective
- Program documents stable
- System events very rare
- Biggest risk is Awareness

24 Approach to Internal Controls
- Management focused: Lead Team, Reliability Team, CIP Team
- Monthly meetings with division managers and primary SMEs
- Develop tools (spreadsheets, checklists, procedures) to help supervisors monitor performance of compliance activities

25 Examples

26 CMT: Compliance Event Form

27 CMT: Compliance Event Modification Form


31 PER-005-1: Checklist for New Tasks or Identified Task Modifications

33 PER-005-1: Review and Management of Training Process

34 Facility Ratings Process Map and Standard Touchpoints

36 Other Internal Control Examples
- Monthly CIP Team Meetings: review changes that could impact CIP compliance
- Monthly Blackstart Restoration Calls: review system changes that could impact the plan
- Flowgate application in SCADA EMS: displays permanent and temporary flowgates and alerts
- Anti-virus software with automated removal and alerting

37 Questions?