Internal Controls. Presented by Donna Maskil-Thompson SPP RE Workshop 03/15/2016. Property of KC Board of Public Utilities - PUBLIC
Internal Controls
The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected.
Reference: ISACA Glossary (ISACA was formerly known as the Information Systems Audit and Control Association).

Internal Control Structure
The dynamic, integrated processes designed to provide reasonable assurance regarding the achievement of the following general objectives:
- Effectiveness and efficiency of operations
- Reliability of management
- Compliance with applicable laws, regulations and internal policies
Reference: ISACA Glossary.

Internal Control Structure
Management's strategies for achieving these general objectives are affected by the design and operation of the following components:
- Control environment (integrity, ethical values, competence, knowledge and aptitude)
- Information systems
- Control procedures
Reference: ISACA Glossary.

Internal Controls
- Help achieve operational goals
- Provide information on progress toward meeting goals
- Are they operating effectively, or are there exceptions?
- Can only provide reasonable, not absolute, assurance
"An internal control cannot change an inherently poor manager into a good one." - COSO (Committee of Sponsoring Organizations of the Treadway Commission)
Where to Start?
Effective Risk Management + Audit = Compliance

Where to Start? What is the Risk?
- Perform risk assessments
- Perform SWOT analysis
- Business impact analysis
- Review incident reports

SWOT Analysis (Strengths, Weaknesses, Opportunities, Threats)
- Internal: How do you leverage strengths to minimize the impact of threats?
- External: How do you mitigate or remediate weaknesses to avoid threats?
BPU Policy Framework
- Outlines standards and guidance
- References multiple authoritative sources: National Institute of Standards and Technology (NIST); COSO (Committee of Sponsoring Organizations of the Treadway Commission); ISACA (formerly known as Information Systems Audit and Control Association); COBIT 5 (Risk, Process, and Information)
- Not a "check the box" approach

Using RSAWs
- Yes, we know. Seriously, use them.
- Maintain and update (quarterly)
- How are we meeting this requirement? (Self-assessment)
- Have the SMEs changed?
- What are we missing?
- Identify training needs
Controls Assessment: IT General Controls Assessment
Each item is answered Yes/No, with a description of the policy, process or procedure.
Program Change Controls / Change Management
1. Does BPU maintain written procedures for controlling program changes through IT management and programming personnel?
2. Do program change authorization forms or screens prepared by the user (Change Request) include:
   - Authorization by management before proposed program changes are made?
   - Testing of program changes?
   - IT management and user personnel review and approval of testing methodology and test results?
3. Does BPU use library control software or other controls to manage source programs and object programs, especially production programs?
4. Does BPU have procedures for emergency program changes (or program files)?
Think like an Auditor: manage and measure your program like an auditor would.

Writing Control Objectives
- What is the objective of this control? Prevent, detect or correct
- How does it effectively mitigate risk?
- SMART criteria

Monitoring & Controlling - Compliance
- Perform quarterly testing
- Identify and correct defects
- SELF REPORT
- Perform root cause analysis
- Manage change
- Leadership accountability
- Continuous improvement: Deming (Plan, Do, Check, Act); DMAIC (Define, Measure, Analyze, Improve & Control); Kaizen (change for the better)
- Share knowledge
- Identify risk; control risk

Questions?

References
- ISACA and COBIT Online
- Committee of Sponsoring Organizations of the Treadway Commission
- National Institute of Standards and Technology (NIST), Special Publications: NIST NIST NIST NIST (R1) NIST NIST NIST A (Assessment Guide) NIST (R4) NIST NIST NIST
- NIST Cybersecurity Framework
Risk Assessment & Internal Controls: ITC's Implementation

Topics
- Risk Assessment Development
- Risk Assessment Implementation
- Overview of Internal Controls
- The Internal Controls Process
- ITC's Internal Controls Program
- OATI Internal Control Module Overview
- OATI Internal Control Module Discussion

Internal Control Framework: Convergence of Compliance Programs
Key compliance efforts integrated into the Internal Controls Framework:
- NERC RAI white papers: changing self-certification to focus on risk and internal controls
- Add controls from the 2014 Audit Lessons Learned internal survey
- Regional Entity self-reporting database: creation of self-logging
- NERC 13 questions and EIE: define the program and demonstrate culture
- Creation of a Corrective Action Program including a schedule of IC reviews (e.g. 3-yr plan), root cause analysis and lessons learned, centrally managed to mitigate SV/AFI/etc.
- Monitoring metrics to the Reliability Compliance Steering Committee; self-report high risk IC deficiencies
Inputs shown feeding the framework: Audit Lessons Learned; Monitoring Metrics & Corp Goals (TBD); RAI: Change from Self Certs to IC Reviews; Internal Controls Corrective Action Program; RAI: Self-Reporting Database (TBD); 13 Questions or NERC EIE

NERC Reliability Assurance Initiative (RAI) Program
"The IRA is a review of potential risks posed by an individual registered entity to the reliability of the bulk power system (BPS)." - NERC ERO Enterprise Inherent Risk Assessment Guide

Risk
- What is risk? The possibility of an event occurring that will have an adverse impact on the achievement of objectives (reliability of the Bulk Electric System).
- How do we measure risk? Risk is measured in terms of likelihood and impact.
- What is a risk assessment? The identification, evaluation, and estimation of the levels of risk involved in a situation, their comparison against benchmarks or standards, and determination of an acceptable level of risk.
Inherent Risk Assessment
Objective of a risk assessment model:
- Identify and prioritize the most important or key areas (what really matters)
- Measure and prioritize risk exposures; the higher the risk exposure, the higher the priority
ITC's risk assessment model:
- Scores based on 11 key risk indicators that influence the likelihood of the risk event and its potential impact
- Risk score used to prioritize control reviews
- Full assessment every 3 years; annual refresh

Key Risk Indicators
- Routine vs. Non-Routine
- Automation vs. Manual
- Cross-Functional (Internal)
- 3rd Party Interaction (External)
- NERC High Risk Standards
- Significance of Changes in Standard or Process
- Key Personnel Turnover
- NERC VRF
- Reliability and/or Reputational Impact
- Violation History
- Automated Internal Controls

ITC's Risk Assessment Model
How do we calculate the risk score?
- Rate each of the risk factors on a scale of 1 to 5, with 1 indicating lower risk and 5 indicating higher risk.
- Weight each factor based upon its significance.
- Multiply each factor by its risk weight and sum the products to calculate an overall score.
- Rank the scores from high to low.
- Focus on the areas with the highest risk score (what really matters).
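The scoring model described above, carried through as an added example (not ITC's or OATI's code): the 11 key risk indicators are taken from the slides, while the significance weights, the priority-tier thresholds and the ratings for the three sample requirements are constructed assumptions.

```python
"""Inherent risk scoring as described on the ITC slides: rate each of the 11
key risk indicators 1-5, weight each by significance, multiply, sum, rank.
Added example, not ITC's or OATI's code. Indicator names are from the slides;
weights, tier thresholds and the sample ratings are constructed assumptions."""

KEY_RISK_INDICATORS = (
    "Routine vs. Non-Routine",
    "Automation vs. Manual",
    "Cross-Functional (Internal)",
    "3rd Party Interaction (External)",
    "NERC High Risk Standards",
    "Significance of Changes in Standard or Process",
    "Key Personnel Turnover",
    "NERC VRF",
    "Reliability and/or Reputational Impact",
    "Violation History",
    "Automated Internal Controls",
)

# Constructed significance weights (assumption, not ITC's actual weighting).
WEIGHTS = dict(zip(KEY_RISK_INDICATORS, (1, 2, 1, 1, 3, 2, 2, 3, 3, 2, 2)))

# Constructed priority thresholds, as a fraction of the maximum possible score.
TIER_THRESHOLDS = (("High", 0.70), ("Medium", 0.50))


def validate_ratings(ratings: dict) -> None:
    """Every indicator must be rated exactly once, on the 1-5 scale."""
    missing = [k for k in KEY_RISK_INDICATORS if k not in ratings]
    unknown = [k for k in ratings if k not in KEY_RISK_INDICATORS]
    if missing or unknown:
        raise ValueError(f"missing={missing} unknown={unknown}")
    bad = {k: v for k, v in ratings.items()
           if not (isinstance(v, int) and 1 <= v <= 5)}
    if bad:
        raise ValueError(f"ratings must be integers 1..5: {bad}")


def risk_score(ratings: dict, weights: dict = WEIGHTS) -> int:
    """Overall score = sum over indicators of (rating * weight)."""
    validate_ratings(ratings)
    return sum(ratings[k] * weights[k] for k in KEY_RISK_INDICATORS)


def max_score(weights: dict = WEIGHTS) -> int:
    """Score if every indicator were rated 5; used to normalise the tiers."""
    return 5 * sum(weights[k] for k in KEY_RISK_INDICATORS)


def priority_tier(score: int, weights: dict = WEIGHTS) -> str:
    """Map a score to a control-review priority using the constructed thresholds."""
    fraction = score / max_score(weights)
    for tier, threshold in TIER_THRESHOLDS:
        if fraction >= threshold:
            return tier
    return "Low"


def rank_requirements(assessments: dict, weights: dict = WEIGHTS) -> list:
    """Return (requirement, score, tier) triples, highest risk first.
    Ties are broken by requirement name so the ranking is repeatable."""
    scored = [(req, risk_score(r, weights)) for req, r in assessments.items()]
    scored.sort(key=lambda item: (-item[1], item[0]))
    return [(req, score, priority_tier(score, weights)) for req, score in scored]


def ratings_from_row(row) -> dict:
    """Build a ratings dict from 11 numbers given in KEY_RISK_INDICATORS order,
    i.e. one row of the risk assessment table on the slides."""
    if len(row) != len(KEY_RISK_INDICATORS):
        raise ValueError(f"expected {len(KEY_RISK_INDICATORS)} ratings, got {len(row)}")
    return dict(zip(KEY_RISK_INDICATORS, row))


# Constructed sample ratings for three requirements named on the slides.
SAMPLE_ASSESSMENTS = {
    "CIP-007-3a R5": ratings_from_row((4, 4, 3, 2, 5, 3, 2, 4, 4, 3, 3)),
    "CIP-005-3a R2": ratings_from_row((3, 2, 2, 3, 5, 2, 2, 4, 4, 2, 2)),
    "CIP-006-3c R1": ratings_from_row((1, 3, 2, 1, 5, 1, 1, 3, 3, 1, 2)),
}

if __name__ == "__main__":
    for req, score, tier in rank_requirements(SAMPLE_ASSESSMENTS):
        print(f"{req:14} score={score:3} of {max_score()} tier={tier}")
```

With the constructed weights the maximum score is 110, and the three sample requirements rank CIP-007-3a R5 (78, High), CIP-005-3a R2 (67, Medium), CIP-006-3c R1 (53, Low).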
Inherent Risk Assessment: Risk Indicators
How/where will this information be used?
ITC 2012 Reliability Compliance Risk Assessment (table). Columns: Standard; Reqmt; Functions; Routine vs. Non-Routine; Automation vs. Manual; Cross-Functional (internal); 3rd Party Interaction (external); High Risk Standards (NERC Tier 1,2,3); Significance of Changes in Standard or Process; Key Personnel Turnover; NERC VRF; Reliability and/or Reputational Impact; Violation History; Automated Internal Controls; Overall Risk Score. Rows cover requirements of CIP-004-3a, CIP-005-3a, CIP-006-3c, CIP-007-3a, PRC, MOD, FAC, EOP, PER and COM standards with their applicable functions (MISO, LBA, TOP, TO; BA, TP).
Call-outs on the table: Drive the implementation of future controls; Strengthen specific compliance related processes; Prioritize training and communication efforts.

2016 ITC Inherent Risk Assessment
Risk priority for each requirement will be reassessed every 3 years, with an interim assessment every year. Last update: Feb 5, 2016.
Heat map grouping requirements by risk score into four bands (57 R's, 66 R's, 43 R's and 61 R's).
NERC Reliability Assurance Initiative (RAI) Program
"As described in the ERO Enterprise Internal Control Evaluation Guide (ICE Guide), the ICE may inform whether a registered entity has implemented effective internal controls that provide reasonable assurance of compliance with Reliability Standards associated with areas of risk identified through the IRA." - NERC Guidance Document: The Application of Risk-based Compliance Monitoring and Enforcement Program Concepts to CIP Version 5

Internal Controls Framework (cycle)
- Monitoring, Metrics & Reporting
- ID and Assess Risks; Establish/Review Controls (People; Functional Processes; Information Systems/Technology)
- Remediation & AFI
- Internal Control Testing and Assurance Review; Risk Response

Controls
What is a control?
- A point where you create evidence of compliance
- An action [taken by you, me, management, the board of directors, and/or other parties] to manage risk and increase the likelihood that established objectives and goals will be achieved.
Controls should be designed to bring about appropriate responses to risks. In other words, controls help to reduce or mitigate risk. Controls should address the root cause of a risk event, not the symptom(s).

INTERNAL CONTROL CYCLE: Continuous Improvement

INTERNAL CONTROL TYPES
Internal controls should be designed to:
- Prevent undesired outcomes
- Detect deviations in performance
- Correct broken processes
Internal controls are also of two varieties, automated and manual. Automated is preferred over manual; a manual control should be backed by additional controls, because it cannot verify the source of its data.
INTERNAL CONTROL EXAMPLES: Preventive Controls
- Policies and procedures
- Training and awareness
- Three-part communication
- Forward studies and day-ahead studies
- Configuration documentation
- ID badges and door locks
- Asset inventory
- Annual plans (Vegetation Management, SRP, Security)
- Operating guides
- Defined testing and/or maintenance program

INTERNAL CONTROL EXAMPLES: Detective Controls
- Review of logged activity for the Control Room
- Review of phone logs for three-part communication
- Review of system access logs
- Management review
- Self certifications and audits
- Activity and exception reports

INTERNAL CONTROL EXAMPLES: Automated Controls
An automated control will prevent improper activities from occurring.
Advantages: no manual intervention; reliable time-stamp; activity is repeatable.
Examples: programmed alarms in a system like TMS; system-generated logs; password controls over access into a system.

INTERNAL CONTROL EXAMPLES: Manual Controls
- Manual controls can often be circumvented
- Manual controls are often performed after the fact
- Often developed in a spreadsheet
- Some type of control that is handwritten

INTERNAL CONTROL EXAMPLES
For an internal control to be effective, the following should be present:
- The control activity should be assigned to a specific function/individual
- The control activity must be executed in a defined time period (daily, weekly, monthly, yearly)
- The control activity should be repeatable
Internal Control Development (cycle): Document Controls; Design, Test and Evaluate (Test Design; Test Effectiveness); Implement; Identify and Correct Deficiencies; Review and Improve Design

Internal Control Monitoring
Benefits of monitoring the effectiveness of internal controls:
- Ensures that there exists a sustainable and repeatable process.
- Identifies potential improvements to process efficiencies and internal control value.
- Provides timely information for improved assessment and management of risk.
- Improves the overall value of internal controls towards compliance efforts as they relate to the reliability of the BES.
- Ensures that there has been no degradation of the controls over time.
- Identification and correction of control deviations and failures.
- Elimination of unnecessary or inefficient controls.

INTERNAL CONTROL PROGRAM
- Detective Controls: Review of logged activity
- Training
- Three-Part Communication
- Forward Studies
- Day-ahead Studies

ITC Internal Control Program
Tasks completed:
- Conducted initial risk assessment
- Developed heat map based on results of risk assessment
- Determined controls to target in initial roll-out
- Met with SOs and SMEs to review process and document controls
- Developed workflow for Internal Control process
- Developed use cases for loading into OATI Internal Controls Module
- Loaded controls into OATI Internal Controls Module
- Conducted internal testing to validate workflow
- Developed Internal Controls schedule
- Completed initial pilot

ITC Internal Control Calendar
An Internal Controls calendar has been developed based on:
- Timing of process/event
- Frequency of controls
- Relationship to timing of reviews in the Compliance Monitoring Calendar
ITC Internal Control Workflow
Following is an example of a typical OATI procedure workflow for Internal Controls. There will generally be 6 steps.
(1) Initial OATI procedure to notify the SME to kick off the control activity (e.g., procedure, review, assessment, etc.) and attach/load evidence.
(2) Std. Owner approval of evidence sample (recursive).
(3) If the evidence/sample is not approved (Rejected), send back to the SME for a new or additional example; the SME resubmits (recursive).
Outcome is either Clean (Approved) or CA Needed:
(4) Std. Owner approves the control evidence review without further action.
(5) Std. Owner approves the control evidence review but Corrective Actions are needed. Trigger the CA procedure.
(6) Control evidence provided to Reliability Assurance for review. End Process.

Internal Control Execution
- The Internal Control workflow will be initiated by a notification to the Subject Matter Expert (SME) for evidence.
- The notification may be based on the calendar (e.g. first day of the quarter), i.e. time based.
- The notification may be based on the completion of another control procedure, i.e. process based.
- The SME will load the requested evidence into OATI and mark it complete.

Internal Control Execution
- Once the evidence is loaded by the SME it will trigger a review process by the designated Standard Owner (SO).
- The SO will review the evidence and either: accept the evidence provided; request additional evidence from the SME; or initiate a corrective action if the evidence indicates a potential issue.
- Controls in which evidence was accepted, or which require corrective action, will be sent to Reliability Assurance for review.
- Reliability Assurance will review the evidence of the control and complete the workflow.
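The six-step evidence workflow above as a state machine, added here as an example and not OATI's IC module: the state names, the role checks (only the SME submits, only the SO approves or rejects, only Reliability Assurance closes) and the sample task are assumptions, and the file names and CA reference in the scenario are constructed.

```python
"""State machine for the internal control evidence workflow on the ITC slides:
the SME is notified and loads evidence; the Standard Owner (SO) accepts it,
rejects it back to the SME, or accepts it with a corrective action (CA);
Reliability Assurance (RA) reviews and ends the process. Added example, not
OATI's module; state names, role checks and sample data are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone


class WorkflowError(Exception):
    """An action that the current state or the acting role does not allow."""


@dataclass
class ControlTask:
    control_id: str
    sme: str                # Subject Matter Expert who loads evidence
    standard_owner: str     # SO who reviews the evidence
    ra_reviewer: str        # Reliability Assurance reviewer who closes the task
    trigger: str            # "calendar" (time based) or "process" (process based)
    state: str = "awaiting_evidence"   # step 1: SME notified, evidence requested
    outcome: str = ""                  # "clean" or "ca_needed" once the SO decides
    corrective_action: str = ""
    resubmissions: int = 0
    evidence: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def _record(self, actor, action, detail=""):
        # Every transition is time-stamped (UTC) so the trail is repeatable evidence.
        self.audit.append((datetime.now(timezone.utc).isoformat(), actor, action, detail))

    def _require(self, state, actor, expected):
        if self.state != state:
            raise WorkflowError(f"{self.control_id}: no such action in state '{self.state}'")
        if actor != expected:
            raise WorkflowError(f"{self.control_id}: '{actor}' may not act in state '{state}'")

    def submit_evidence(self, actor, attachment):
        """Steps 1 and 3: the SME loads evidence (or a new sample after a rejection)."""
        self._require("awaiting_evidence", actor, self.sme)
        self.evidence.append(attachment)
        self.state = "so_review"
        self._record(actor, "submit_evidence", attachment)

    def reject(self, actor, reason):
        """Step 3: the SO sends the sample back to the SME; may repeat (recursive)."""
        self._require("so_review", actor, self.standard_owner)
        self.resubmissions += 1
        self.state = "awaiting_evidence"
        self._record(actor, "reject", reason)

    def approve(self, actor, corrective_action=""):
        """Steps 4 and 5: the SO accepts; a non-empty corrective_action triggers the CA procedure."""
        self._require("so_review", actor, self.standard_owner)
        self.outcome = "ca_needed" if corrective_action else "clean"
        self.corrective_action = corrective_action
        self.state = "ra_review"
        self._record(actor, "approve", corrective_action or "no further action")

    def complete(self, actor):
        """Step 6: Reliability Assurance reviews the control evidence and ends the process."""
        self._require("ra_review", actor, self.ra_reviewer)
        self.state = "closed"
        self._record(actor, "complete", self.outcome)


def run_sample_workflow() -> ControlTask:
    """Constructed scenario: one rejection loop, then approval with a corrective action."""
    task = ControlTask("CIP-007-3a R5 quarterly account review", sme="sme.alice",
                       standard_owner="so.bob", ra_reviewer="ra.carol", trigger="calendar")
    task.submit_evidence("sme.alice", "q1-account-review.xlsx")
    task.reject("so.bob", "sample covers only one EMS server; need all in scope")
    task.submit_evidence("sme.alice", "q1-account-review-all-servers.xlsx")
    task.approve("so.bob", corrective_action="CA-0001 (constructed): two stale accounts found")
    task.complete("ra.carol")
    return task


if __name__ == "__main__":
    for stamp, actor, action, detail in run_sample_workflow().audit:
        print(stamp, actor, action, detail)
```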
OATI Internal Control Module
- OATI's Internal Control (IC) Module was developed in response to NERC's Reliability Assurance Initiative (RAI).
- ITC is one of the companies that worked with OATI in the development of the IC module and actively participated in the beta testing and acceptance testing of the module.
- ITC has worked closely with OATI in the loading of identified controls to the production site.

OATI Internal Control Module
- The IC Module is a flexible workflow tool.
- The IC module will allow us to record and track controls as they relate to Reliability Requirements.
- The IC Module will allow us to show we have controls in place and that we are following these controls.
- Reports can be generated from Summary pages.
- Future reports will be developed as needs are identified by the user community.
OATI Internal Control Module (screenshots): OATI webcompliance Main Dashboard; Internal Controls Dashboard; Task Summary; Task Screen; Attachment Screen; Graph Workflow Display; Task Screen Status Change
ITC Internal Control Roadmap
- QTR 3 &: Document medium priority ICs in OATI; develop metrics & compliance dashboard; evaluate medium priority ICs in OATI
- QTR: Evaluate IC program for effectiveness; make adjustments as needed
- QTR 1 &: Standardize IC evaluation procedure; evaluate and refine ICs based on IC reviews; update Inherent Risk Assessment; develop Reliability Compliance Steering Committee reporting
- QTR 1 & (Completed): Full-scale Inherent Risk Assessment; documented high priority ICs in OATI (Control Monitoring System); evaluated effectiveness of internal controls; conducted SME and SO training on OATI
- QTR 3 &: Documented formal Inherent Risk Assessment procedure; documented additional high priority ICs in OATI; performed internal control evaluations of completed controls; update Compliance Program Manual to include internal controls

Internal Controls: Questions?
More informationNERC Reliability Update Power System Reliability Regulation Overview
NERC Reliability Update Power System Reliability Regulation Overview Herb Schrayshuen Principal Power Advisors, LLC November 3, 2014 CNY Engineering Expo 1 Learning Objectives By the conclusion of this
More informationReliability Assurance Initiative Implementation Status
MIDWEST RELIABILITY ORGANIZATION Risk-Based Compliance Monitoring and Enforcement Reliability Assurance Initiative Implementation Status MRO Board of Directors Meeting October 5, 2016 Improving RELIABILITY
More informationQ ERO Enterprise Compliance Monitoring and Enforcement Program Report
Q1 2018 ERO Enterprise Compliance Monitoring and Enforcement Program Report May 9, 2018 NERC Report Title Report Date I Table of Contents Preface... iii Executive Summary... iv Chapter 1: CMEP Activities...1
More informationImplementation Plan Project Operations Personnel Training
Implementation Plan Project 2010-01 Operations Personnel Training Implementation Plan for PER-005-2 Operations Personnel Training Approvals Required PER-005-2 Operations Personnel Training Prerequisite
More informationCOSO Updates and Expectations. IIA San Diego Chapter January 8, 2014
COSO Updates and Expectations IIA San Diego Chapter January 8, 2014 Agenda Overview of 2013 Internal Control-Integrated Framework and Companion Guidance 2013 Framework General Enhancements by Component
More informationThe definition of a deficiency is also set forth in the attached Appendix I.
Deloitte & Touche LLP 361 South Marine Corps Drive Tamuning, GU 96913-3911 USA September 22, 2015 Tel: (671)646-3884 Fax: (671)649-4932 www.deloitte.com Mr. David Paul General Manager Marshalls Energy
More informationInternal Controls. Your Silent and Invisible Workforce. MRO Performance and Risk Oversight Subcommittee (PROS) Compliance Committee
Internal Controls Your Silent and Invisible Workforce MRO Performance and Risk Oversight Subcommittee (PROS) JOSEPH DEPOORTER DIRECTOR NERC COMPLIANCE & GENERATION OPERATIONS, MADISON GAS AND ELECTRIC
More informationReport on 2011 NPCC Culture of Compliance Survey Initiative
Report on 2011 NPCC Culture of Compliance Survey Initiative Development In September 2010, NPCC Staff began an initiative that would attempt to identify a registered entity s Culture of Compliance. NPCC
More informationCompliance Operations Draft Reliability Standard Compliance Guidance for MOD and MOD October 22, 2013
Compliance Operations Draft Reliability Standard Compliance Guidance for MOD-032-1 and MOD-033-1 October 22, 2013 Introduction The NERC Compliance department (Compliance) worked with the 2010-03 Modeling
More informationFEDERAL ENERGY REGULATORY COMMISSION DOCKET NO. RR14- NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION
FEDERAL ENERGY REGULATORY COMMISSION DOCKET NO. RR14- NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION DRAFT FIVE-YEAR ELECTRIC RELIABILITY ORGANIZATION PERFORMANCE ASSESSMENT REPORT OVERVIEW OF NERC ACTIVITIES
More informationEnforcement Approach to CIP Version 5 under RAI. March 18, 2014 Tobias Whitney, Manager of CIP Compliance
Enforcement Approach to CIP Version 5 under RAI March 18, 2014 Tobias Whitney, Manager of CIP Compliance Purpose of the Transition Program Address V3 to V5 Transition issues. Provide a clear roadmap for
More informationStandard EOP Loss of Control Center Functionality
A. Introduction 1. Title: Loss of Control Center Functionality 2. Number: EOP-008-1 3. Purpose: Ensure continued reliable operations of the Bulk Electric System (BES) in the event that a control center
More informationFrom Dictionary.com. Risk: Exposure to the chance of injury or loss; a hazard or dangerous chance
Sharon Hale and John Argodale May 28, 2015 2 From Dictionary.com Enterprise: A project undertaken or to be undertaken, especially one that is important or difficult or that requires boldness or energy
More informationNPCC Regional Feedback Mechanism process
NPCC Regional Feedback Mechanism process Review and Re Approval Requirements: The NPCC Regional Feedback Mechanism process as documented herein will be reviewed periodically as appropriate for possible
More informationDriving Accountability Through An Effective Risk Register
Version 2018.1 Driving Accountability Through An Effective Risk Register ISACA Birmingham Chapter March 20, 2018 - Lunch & Learn Chris Womack, CIA, CISA, GCCC Director Information Security Governance BBVA
More informationCOSO 2013: Updated internal control framework
COSO 2013: Updated internal control framework Athens, 10 October 2013 Background COSO's structure and mission COSO 1 is a joint initiative of five sponsoring organizations - American Accounting Association
More informationERO Enterprise and Corporate Metrics
ERO Enterprise and Corporate Metrics Quarter 2 Status Mark Lauby, Senior Vice President and Chief Reliability Officer Corporate Governance and Human Resources Committee Meeting August 10, 2016 Leading
More informationProcedure for Conducting Off-Site Compliance Audits
Procedure for Conducting Off-Site Compliance Audits CP-03 Rev.6 The NERC Rules of Procedure and the Regional Delegation Agreement are the overriding documents that govern the implementation of the CMEP.
More informationReliability Assurance Initiative ATC s Participation as a MRO Pilot
Reliability Assurance Initiative ATC s Participation as a MRO Pilot Doug Johnson Manager of Operational Compliance American Transmission Company LLC (ATC) atcllc.com MRO Pilot Project American Transmission
More informationGAIT FOR BUSINESS AND IT RISK
GAIT FOR BUSINESS AND IT RISK (GAIT-R) The Institute of Internal Auditors March 2008 Table of Contents 1. Introduction...1 2. Executive Summary...2 3. Why GAIT-R?...4 4. The GAIT-R Principles...6 5. GAIT-R
More informationOperational Excellence By Automating Operational Risk Management. February 4, 2016 Doug Hatler, EVP of Sales
Operational Excellence By Automating Operational Risk Management February 4, 2016 Doug Hatler, EVP of Sales Industry is in a Paradigm Shift Stakeholders & Reputation Operational Excellence & Risk Management
More informationSeptember 17, 2012 Pittsburgh ISACA Chapter
September 17, 2012 Pittsburgh ISACA Chapter What is COBIT? Control Objectives for Information and related Technologies ISACA s guidance on the enterprise governance and management of IT. Builds on more
More informationInternal Financial Control (IFC)& Internal Financial Controls over Financial Reporting (IFCoFR)
Internal Financial Control (IFC)& Internal Financial Controls over Financial Reporting (IFCoFR) Origin of IFC The first significant focus on internal control certification related to financial reporting
More informationGOVERNANCE AES 2012 INFORMATION TECHNOLOGY GENERAL COMPUTING CONTROLS (ITGC) CATALOG. Aut. / Man. Control ID # Key SOX Control. Prev. / Det.
GOVERNANCE 8.A.1 - Objective: Information Technology strategies, plans, personnel and budgets are consistent with AES' business and strategic requirements and goals. Objective Risk Statement(s): - IT Projects,
More informationThe Ins and Outs: Audits Under FDICIA. Jennifer Gureckis and Kaylyn Landry BerryDunn February 27, 2018
The Ins and Outs: Audits Under FDICIA Jennifer Gureckis and Kaylyn Landry BerryDunn February 27, 2018 Presenters Jennifer Gureckis, CPA Kaylyn Landry, CPA Objectives Overview of Internal Controls over
More informationEnterprise Risk Management Program Development Update. Finance & Audit Committee Meeting September 25, 2015
Enterprise Risk Management Program Development Update Finance & Audit Committee Meeting September 25, 2015 Enterprise Risk Management Presentation Topics Enterprise Risk Management ( ERM ) Overview Lead
More informationCompliance Monitoring and Enforcement Program Implementation Plan. Version 1.7
Compliance Monitoring and Enforcement Program Table of Contents TABLE OF CONTENTS NERC Compliance Monitoring and Enforcement Program... 1 Introduction... 2 NERC Compliance Monitoring and Enforcement Program
More informationIn Control: Getting Familiar with the New COSO Guidelines. CSMFO Monterey, California February 18, 2015
In Control: Getting Familiar with the New COSO Guidelines CSMFO Monterey, California February 18, 2015 1 Background on COSO Part 1 2 Development of a comprehensive framework of internal control Internal
More informationCity of Tacoma Department of Public Utilities - Tacoma Power. NERC Reliability Standards Compliance Assessment. Select Specification No.
City of Tacoma Department of Public Utilities - Tacoma Power NERC Reliability Standards Compliance Assessment Select Specification PS15-0231F QUESTIONS and ANSWERS All interested parties had the opportunity
More informationNYISO Reliability Compliance Status Report for NYSRC RCMS Program Year: 2008
Standard Number: BAL-001-0 (Real Power Balancing Control Performance) Description: CPS-1/2 Data Standard Number: BAL-002-0 (Disturbance Control Performance) Description: DCS Standard Number: BAL-006-1
More informationNERC 2012 Business Plan and Budget Overview. May 3, 2011
NERC 2012 Business Plan and Budget Overview May 3, 2011 NERC 2012 Business Plan and Budget Budget planning background Goals, challenges, and key resource drivers 2012 resource and financial projections
More informationContinuous Auditing/Monitoring Using Data Analytics Institute Of Internal Auditors/ISACA Conference, 27/28 August 2015 Presented by: Tricha Simon
Continuous Auditing/Monitoring Using Data Analytics Institute Of Internal Auditors/ISACA Conference, 27/28 August 2015 Presented by: Tricha Simon Agenda Background T Simon Definitions Risk, CM & CA Risk
More informationAssurance Dashboard. Audit added to review controls related to Audit Added Procurement. increased activity due to hurricane Irma 2017 CAT Travel and
1 Page Office of the Internal Auditor Overview of Audit Plan and Plan Changes The OIA continually follows development of risk and monitors delivery of projects listed in the Audit Plan. As we reassess
More informationCGEIT Certification Job Practice
CGEIT Certification Job Practice Job Practice A job practice serves as the basis for the exam and the experience requirements to earn the CGEIT certification. This job practice consists of task and knowledge
More informationA COMPLIANCE SOLUTION DESIGNED TO HELP PLANS MEET CMS REQUIREMENTS
A COMPLIANCE SOLUTION DESIGNED TO HELP PLANS MEET CMS REQUIREMENTS Founded on the Common Conditions, Improvement Strategies, and Best Practices based on 2013 Program Audit Reviews HPMS memo, dated August
More informationProcedure for Conducting On-Site Compliance Audits
Procedure for Conducting On-Site Compliance Audits CP-02 Rev. 7 The NERC Rules of Procedure and the Regional Delegation Agreement are the overriding documents that govern the implementation of the CMEP.
More informationWelcome! NERC 2016 Standards and Compliance Workshop Hyatt Regency St. Louis at The Arch. July 12-14, 2016
Welcome! NERC 2016 Standards and Compliance Workshop Hyatt Regency St. Louis at The Arch July 12-14, 2016 NERC Antitrust Compliance Guidelines It is NERC s policy and practice to obey the antitrust laws
More informationUNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION. NORTH AMERICAN ELECTRIC ) Docket No. RR06-1- RELIABILITY CORPORATION )
UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION NORTH AMERICAN ELECTRIC ) Docket No. RR06-1- RELIABILITY CORPORATION ) QUARTERLY REPORT OF THE NORTH AMERICAN ELECTRIC RELIABILITY
More informationUNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION. NORTH AMERICAN ELECTRIC ) Docket No. RR06-1- RELIABILITY CORPORATION )
UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION NORTH AMERICAN ELECTRIC ) Docket No. RR06-1- RELIABILITY CORPORATION ) QUARTERLY REPORT OF THE NORTH AMERICAN ELECTRIC RELIABILITY
More informationRSA Archer Compliance Management 5.2 Webcast
RSA Archer Compliance Management 5.2 Webcast Marshall Toburen egrc Risk Solutions Manager RSA Archer 1 Agenda Introductory Comments 5.2 Enhancements Overview RSA Archer approach to Compliance Management
More informationGleim CIA Review Updates to Part Edition, 1st Printing June 2018
Page 1 of 15 Gleim CIA Review Updates to Part 1 2018 Edition, 1st Printing June 2018 Study Unit 3 Control Frameworks and Fraud Pages 66 through 69 and 76 through 77, Subunit 3.2: In accordance with the
More informationLIST OF TABLES. Table Applicable BSS RMF Documents...3. Table BSS Component Service Requirements... 13
General Services Administration NS2020 Enterprise Infrastructure Solutions EIS RFP #QTA0015THA3003 Volume 2: Management BSS Risk Management Framework Plan LIST OF TABLES Table 8.2-1. Applicable BSS RMF
More information2019 ERO Enterprise Dashboard
2019 ERO Enterprise Dashboard Mark Lauby, Senior Vice President and Chief Reliability Officer Corporate Governance and Human Resources Committee Meeting February 6, 2019 Proposed 2019 Industry Dashboard
More informationPossible Noncompliance Review Processing
Possible Noncompliance Review Processing October 31, 2018 RAM-200 3000 Bayport Drive, Suite 600 Tampa, Florida 33607-8410 (813) 289-5644 - Phone (813) 289-5646 Fax www.frcc.com Table of Contents Page
More informationERO Ca s e St u d ie s
ERO Ca s e St u d ie s Three Registered Entities December 2012 3353 Peachtree Road NE Suite 600, North Tower Atlanta, GA 30326 1 of 15 404-446-2560 www.nerc.com Table of Contents Table of Contents... 2
More informationOffice of Inspector General Applications Development
Office of Inspector General Applications Development Report #A-1516-024 August 2017 Executive Summary In accordance with the Department of Education s fiscal year (FY) 2015-16 audit plan, the Office of
More informationWECC Internal Controls Evaluation Process
WECC Internal Controls Evaluation Process Ruchi Shah Manager, Compliance Risk Analysis & Phil O Donnell Manager, Operations & Planning Audit November 16, 2017 155 North 400 West, Suite 200 Salt Lake City,
More informationA Financial Executive s Guide to Internal Controls & Fraud Prevention in the Cloud
A Financial Executive s Guide to Internal Controls & Fraud Prevention in the Cloud July 2018 Greenlight Technologies. All rights reserved. 1 Speakers James Rice Vice President of Customer Solutions Greenlight
More informationCOSO What s New, What s Changed, Why Does it Matter and Other Frequently Asked Questions
COSO 2013 What s New, What s Changed, Why Does it Matter and Other Frequently Asked Questions Today s Presenter Jonathan Reiss is a Director in Protiviti s New York office in the Internal Audit Practice.
More informationPOLICY. Number: Title: Internal Control Responsible Office: USF System Audit I. PURPOSE AND INTENT
1 2 3 USF System USF USFSP USFSM POLICY 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 Number: 0-023 Title: Internal Control Responsible Office:
More informationUnofficial Comment Form Project Cyber Security Supply Chain Risk Management
Project 2016-03 Cyber Security Supply Chain Risk Management DO NOT use this form for submitting comments. Use the electronic form to submit comments on proposed CIP-013-1 Cyber Security - Supply Chain
More information