Internal Controls. Presented by Donna Maskil-Thompson SPP RE Workshop 03/15/2016. Property of KC Board of Public Utilities - PUBLIC

Transcription

1 Internal Controls Presented by Donna Maskil-Thompson SPP RE Workshop 03/15/2016 Property of KC Board of Public Utilities - PUBLIC

2 Internal Controls The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected. Reference - ISACA Glossary -(formerly known as Information Systems Audit and Control Association Property of KC Board of Public Utilities - PUBLIC

3 Internal Control Structure The dynamic, integrated processes designed to provide reasonable assurance regarding the achievement of the following general objectives: Effectiveness and efficiency of operations Reliability of management Compliance with applicable laws, regulations and internal policies Reference - ISACA Glossary -(formerly known as Information Systems Audit and Control Association) Property of KC Board of Public Utilities - PUBLIC

4 Internal Control Structure Management s strategies for achieving these general objectives are affected by the design and operation of the following components: Control environment Integrity Ethical values Competence Knowledge and Aptitude Information Systems Control procedures Reference - ISACA Glossary -(formerly known as Information Systems Audit and Control Association) Property of KC Board of Public Utilities - PUBLIC

5 Internal Controls Help achieve operational goals Provide information on progress meeting goals Operating Effectively or are there Exceptions? Can only provide reasonable, not absolute, assurance An internal control cannot change an inherently poor manager into a good one - COSO (Committee of Sponsoring Organizations of the Treadway Commission) Internal Controls Property of KC Board of Public Utilities - PUBLIC

6 Where to Start? Effective Risk Management + Audit = Compliance Property of KC Board of Public Utilities - PUBLIC

7 Where to Start? What is the Risk? Perform Risk Assessments Perform SWOT Analysis Business Impact Analysis Review Incident Reports Property of KC Board of Public Utilities - PUBLIC

8 SWOT Analysis Internal How do you leverage strengths to minimize impacts of threats? Strengths Weaknesses Opportunities Threats External How do you mitigate or remediate weaknesses to avoid threats? Property of KC Board of Public Utilities - PUBLIC

9 BPU Policy Framework Outlines standards and guidance References multiple Authoritative Sources National Institute of Standards and Technology (NIST) COSO (Committee of Sponsoring Organizations of the Treadway Commission) ISACA (formerly known as Information Systems Audit and Control Association) COBIT 5 Risk, Process, and Information Not a check the box approach Property of KC Board of Public Utilities - PUBLIC

10 Using RSAWs Yes, we know Seriously, use them Maintain and update (quarterly) How are we meeting this requirement? (Self-Assessment) Have the SMEs changed? What are we missing? Identify Training Needs Property of KC Board of Public Utilities - PUBLIC

11 Controls Assessment IT General Controls Assessment Yes No Description of Policy, Process or Procedure Program Change Controls Change Management 1.Does BPU maintain written procedures for controlling program changes through IT management and programming personnel? 2. Do program change authorization forms or screens prepared by the user (Change Request) include: Authorizations by management before proposed program changes are made? Testing program changes? IT management and user personnel review and approval of testing methodology and test results? 3. Does BPU use library control software or other controls to manage source programs and object programs, especially production programs? 4. Does BPU have procedures for emergency program changes (or program files)? Property of KC Board of Public Utilities - PUBLIC

12 Think like an Auditor - Manage and Measure your Program like an auditor would Property of KC Board of Public Utilities - PUBLIC

13 Writing Control Objectives What is the objective of this control? Prevent Detect Correct How does it effectively mitigate risk? SMART criteria Property of KC Board of Public Utilities - PUBLIC

14 Monitoring & Controlling- Compliance Perform Quarterly Testing Identify and Correct Defects SELF REPORT Perform Root Cause Analysis Manage Change Leadership Accountability Continuous Improvement DEMING (Plan, Do, Check, Act) DMAIC (Define, Measure, Analyze, Improve & Control) Kaizen Change for the Better Share Knowledge Control Risk Identify Risk Property of KC Board of Public Utilities - PUBLIC

15 Questions? Property of KC Board of Public Utilities - PUBLIC

16 References ISACA and COBIT Online, Committee of Sponsoring Organizations of the Treadway Commission, National Institute of Standards and Technology (NIST), Special Publications, NIST NIST NIST NIST (R1) NIST NIST NIST A (Assessment Guide) NIST (R4) NIST NIST NIST NIST Cybersecurity Framework Property of KC Board of Public Utilities - PUBLIC

17 Risk Assessment & Internal Controls ITC s Implementation

18 Topics Risk Assessment Development Risk Assessment Implementation Overview of Internal Controls The Internal Controls Process ITC s Internal Controls Program OATI Internal Control Module Overview OATI Internal Control Module Discussion 2

19 Internal Control Framework Convergence of Compliance Programs Key compliance efforts integrated into the Internal Controls Framework: NERC RAI white papers: Changing self-certification to focus on risk and internal controls Add controls from 2014 Audit Lessons Learned internal survey Regional Entity self-reporting database creation of self-logging NERC 13 questions and EIE define program and demonstrate culture Creation of a Corrective Action Program including schedule of IC reviews (e.g. 3-yr Plan), root cause analysis and lessons learned centrally managed to mitigate SV/AFI/etc.; Monitoring Metrics to Reliability Compliance Steering Committee; Self-report high risk IC deficiencies Audit Lessons Learned Monitoring Metrics & Corp Goals (TBD) RAI: Change from Self Certs to IC Reviews Internal Controls Corrective Action Program RAI: Self- Reporting Database (TBD) 13 Questions or NERC EIE 3

20 NERC Reliability Assurance Initiative (RAI) Program The IRA is a review of potential risks posed by an individual registered entity to the reliability of the bulk power system (BPS). NERC ERO Enterprise Inherent Risk Assessment Guide 4

21 Risk What is risk? The possibility of an event occurring that will have an adverse impact of the achievement of objectives (reliability of the Bulk Electric System). How do we measure risk? Risk is measured in terms of likelihood and impact. What is a risk assessment? The identification, evaluation, and estimation of the levels of risks involved in a situation, their comparison against benchmarks or standards, and determination of an acceptable level of risk. 5

22 Inherent Risk Assessment Objective of a Risk Assessment Model Identify and prioritize the most important or key areas (what really matters) Measure and prioritize risk exposures The higher the risk exposure, the higher the priority ITC s Risk Assessment Model Scores based on 11 key risk indicators that influence the likelihood of the risk event and potential impact Risk score used to prioritize control reviews Full assessment every 3 years; Annual refresh 6

23 Key Risk Indicators Key Risk Indicators Routine vs. Non-Routine Automation vs. Manual Cross-Functional (Internal) 3 rd Party Interaction (External) NERC High Risk Standards Significance of Changes in Standard or Process Key Personnel Turnover NERC VRF Reliability and/or Reputational Impact Violation History Automated Internal Controls 7

24 ITC s Risk Assessment Model How do we calculate the risk score? Rate each of the risk factors on a scale of 1 to 5. o 1 indicating lower risk, and 5 indicating higher risk Weight each factor based upon significance of each factor. Multiply each factor by it s risk weight to calculate an overall score. Rank each score from high to low Focus on the areas with the highest risk score (what really matters). 8

25 Inherent Risk Assessment Risk Indicators How/where will this information be used? ITC 2012 Reliability Compliance Risk Assessment Standard Reqmt Functions Routine vs. Non-Routine Automation vs. Manual Cross- Functional (internal) 3rd Party Interaction (external) High Risk Standards (NERC Tier 1,2,3) Significance of Changes in Standard or Process Key Personnel Turnover NERC VRF Reliability and/or Reputational Impact Violation History Automated Internal Controls Overall Risk Score CIP-005-3a 2 MISO, LBA, TOP, TO CIP-005-3a 4 MISO, LBA, TOP, TO CIP-007-3a 2 MISO, LBA, TOP, TO CIP-007-3a 3 MISO, LBA, TOP, TO CIP MISO, LBA, TOP, TO CIP Drive 5 MISO, the LBA, TOP, implementation TO of 5 future 5 4controls CIP MISO, LBA, TOP, TO CIP MISO, LBA, TOP, TO CIP MISO, LBA, TOP, TO CIP-007-3a 1 MISO, LBA, TOP, TO CIP-007-3a 5 MISO, LBA, TOP, TO CIP-007-3a 6 MISO, LBA, TOP, TO CIP-007-3a 8 MISO, LBA, TOP, TO CIP MISO, LBA, TOP, TO PRC Strengthen 2 TO specific 3 3 compliance related 5 2 processes MOD BA,TP MOD BA,TP MOD BA,TP MOD BA,TP MOD BA,TP CIP MISO, LBA, TOP, TO CIP-005-3a 1 MISO, LBA, TOP, TO CIP-005-3a 3 MISO, LBA, TOP, CIP MISO, LBA, TOP, CIP Prioritize 3 MISO, LBA, TOP, TOtraining 3 3and 4 communication efforts FAC TO EOP MISO,LBA,TOP FAC TO PER MISO,LBA,TOP FAC TO EOP MISO,LBA,TOP CIP-004-3a 4 MISO, LBA, TOP, TO CIP-007-3a 4 MISO, LBA, TOP, TO CIP MISO, LBA, TOP, TO EOP MISO,LBA,TOP COM MISO,LBA,TOP PRC MISO,LBA,TOP CIP-005-3a 5 MISO, LBA, TOP, TO CIP-006-3c 1 MISO, LBA, TOP, TO CIP-006-3c 4 MISO, LBA, TOP, TO

26 2016 ITC Inherent Risk Assessment Risk priority for each requirement will be reassessed every 3 years, interim assessment every year. Last Update Feb 5, 2016 FAC R1, 3, 4 TOP-001-1a R6 PRC R1, 2 NUC R8 PRC R10 EOP R3 (57 R s) EOP b R3, 4 TPL R1, 4, 7, 8 COM R1, 2 CIP R2 EOP R1, 2, 5, 6, 8 TOP R5 EOP R2, 4, 9, 11,13 TOP b R1, 2, 4, 5, 6, 10, CIP R1, 2, 3 CIP R1 EOP R1 CIP R1, 2 (66 R s) CIP R1, 2 CIP R1, 2, 3 PRC R3, 4, 5, 6 TOP-001-1a R2,3,5,7,8 CIP R1, 2, 3, 4, 5 CIP R1, 2 EOP R1, 6, 7, 8 COM R2 TOP R1,2,3,4 IRO a CIP TOP b R9,10 EOP PRC a EOP R4 R2, 3, 4, 5 R11,16, 17 R1, 2 R1 TOP CIP R1 TOP FAC R1, 2, 3 IRO R8 NUC R3 PER R3 R3, 6, 8 PRC R2 R2, 3, 4, 6, 9 FAC PRC b FAC R5 CIP CIP R3 PRC R2 R5 R1, 2, 4, 5, 6 MOD R5 IRO-010-1a R3 R1 PRC b TOP PER CIP FAC R5 IRO R3 R1,2 R1 R1, 2 Risk Score R1 EOP R7 Risk Score Risk Score EOP Risk Score PRC-017 R3 EOP b R1, 2 TOP MOD BAL b R6 CIP R3, 6, 7 R2 R1, 12, 13, 15 COM R1 EOP R3, 5 MOD MOD VAR PRC R1, 2 R6, 7, 8 R1, R2, R3 R1 R2, 3, 4, 6 TOP R1, 2, 3 TOP R4 TOP-001-1a R1 PER EOP COM EOP IRO a R5 R2 R2, 5 R4 COM R1 R3, 5, 10, 12 FAC R2 TOP b BAL EOP b FAC R2 R18 PRC a R3, 4 R2, 5 PER R1,2 R3 MOD R1 MOD FAC CIP R3, 4 R1, 2 PRC MOD R1 TOP R6 MOD R1, 3 R2, 3, 4, 5 MOD R1 CIP R2,3,4 PRC R1, 2 MOD R1, 2, 3, R1, 2, 3 EOP R3, 4 PRC R1 TPL , 5, 6 PRC FAC R2, 5, 6 TOP CIP R3 R3 R3, 4, 6, 7 PRC R2 TPL R1, 2, 4, 5 PRC-015-1b TOP-005-2a R1, 2 VAR R1,5 R3 R1, 2, 3 (43 R s) (61 R s)

27 NERC Reliability Assurance Initiative (RAI) Program As described in the ERO Enterprise Internal Control Evaluation Guide (ICE Guide),3 the ICE may inform whether a registered entity has implemented effective internal controls that provide reasonable assurance of compliance with Reliability Standards associated with areas of risk identified through the IRA. NERC Guidance Document: The Application of Risk-based Compliance Monitoring and Enforcement Program Concepts to CIP Version 5 11

28 Internal Controls Framework Monitoring, Metrics & Reporting ID and Assess Risks; Establish/Review Controls People Functional Processes Information Systems/Technology Remediation & AFI Internal Control Testing and Assurance Review; Risk Response 12

29 Controls What is a control? A point where you create evidence of compliance An action [taken by you, me, management, the board of directors, and / or other parties] to manage risk and increase the likelihood that established objectives and goals will be achieved. Controls should be designed to bring about appropriate responses to risks. In other words, controls help to reduce or mitigate risk. Controls should address the root cause of a risk event, not the symptom(s). 13

30 INTERNAL CONTROL CYCLE Continuous Improvement 14

31 INTERNAL CONTROL TYPES Internal Controls should be designed to: Prevent undesired outcomes Detect deviations in performance Correct broken processes Internal Controls are also of two varieties Automated preferred over manual Manual should have additional controls, cannot verify source of data 15

32 INTERNAL CONTROL EXAMPLES Preventive Controls Policies and Procedures Training and Awareness Three-Part Communication Forward Studies and Day ahead studies Configuration Documentation ID badges and door locks Asset Inventory Annual Plans (Vegetation Management, SRP, Security) Operating guides Defined testing and/or maintenance program 16

33 INTERNAL CONTROL EXAMPLES Detective Controls Review of logged activity for Control Room Review of phone logs for three-part communication Review of system access logs Management Review Self Certifications and Audits Activity and Exception Reports 17

34 INTERNAL CONTROL EXAMPLES Automated Controls An automated control will prevent improper activities from occurring Advantages No manual intervention Reliable Time-stamp Activity is repeatable Programmed alarms in a system like TMS System generated logs Password Controls over access into a system 18

35 INTERNAL CONTROL EXAMPLES Manual Controls Manual controls can often be circumvented Manual controls are often performed after the fact Often time developed in a spreadsheet Some type of control that is handwritten 19

36 INTERNAL CONTROL EXAMPLES For an Internal Control to be effective the following should be present The control activity should be assigned to a specific function/individual The control activity must be executed in a defined time period (daily, weekly, monthly, yearly) The control activity should be repeatable 20

37 Internal Control Development Document Controls Review and Improve Design Design, Test and Evaluate Test Effectiveness Implement Identify and Correct Deficiencies Test Design 21

38 Internal Control Monitoring Benefits of monitoring the effectiveness of Internal Controls: Ensures that there exists a sustainable and repeatable process. Identifies potential improvements to process efficiencies and internal control value. Provides timely information for improved assessment and management of risk. Improves the overall value of internal controls towards compliance efforts as they relate to the reliability of the BES. Ensures that there has been no degradation of the controls over time. Identification and correction of control deviations and failures. Elimination of unnecessary or inefficient controls. 22

39 INTERNAL CONTROL PROGRAM Detective Controls Review of logged Activity Training Three-Part Communication Forward Studies Day-ahead Studies 23

40 ITC Internal Control Program Tasks Completed: Conducted initial risk assessment Developed Heat Map based on results of risk assessment Determined controls to target in initial roll out Met with SOs and SMEs to review process and document controls Developed workflow for Internal Control process Developed Use Cases for loading into OATI Internal Controls Module Loaded controls into OATI Internal Controls Module Conducted internal testing to validate workflow Developed Internal Controls schedule Completed Initial Pilot 24

41 ITC Internal Control Calendar An Internal Controls calendar has been developed based on: Timing of Process/Event Frequency of controls Relationship to timing of reviews in the Compliance Monitoring Calendar 25

42 ITC Internal Control Workflow Following is an example of a typical OATI procedure work flow for Internal Controls. There will generally be 6 steps. (1) Initial OATI procedure to notify SME to kick-off control activity (e.g., procedure, review, assessment, etc.) and attach/load evidence Rejected (2) Std. Owner approval of evidence sample. (recursive) (3) If evidence/sample is not approved, send back to SME for new or additional example. (recursive) Resubmit Clean Outcome Approved OR CA Needed (4) Std. Owner approves control evidence review without further action. (5) Std. Owner approves control evidence review but Corrective Actions are needed. Trigger CA procedure. (6) Control evidence provided to Reliability Assurance for review End Process 26

43 Internal Control Execution The Internal Control workflow will be initiated by a notification to the Subject Matter Expert (SME) for evidence The notification may be based on the calendar, i.e. first day of the quarter, something that is time based The notification may be based on the completion of another control procedure, something that is process based The SME will load requested evidence into OATI and mark complete 27

44 Internal Control Execution Once the evidence is loaded by the SME it will trigger a review process by the designated Standard Owner (SO) The SO will review the evidence and either: Accept the evidence provided Request additional evidence from the SME Initiate a corrective action if the evidence indicates a potential issue Controls in which evidence was Accepted or requiring Corrective Action will be sent to Reliability Assurance for review Reliability Assurance will review evidence of Control and complete the workflow 28

45 OATI Internal Control Module OATI s Internal Control (IC) Module was developed in response to NERC s Reliability Assurance Initiative (RAI) ITC is one of the Companies that had worked with OATI in the development of the IC module and actively participated in the Beta testing process and Acceptance Testing of the module. ITC has worked closely with OATI in the loading of identified controls to the production site 29

46 OATI Internal Control Module The IC Module is a flexible workflow tool The IC module will allow us to record and track controls as they relate to Reliability Requirements The IC Module will allow us to show we have controls in place and that we are following these controls Reports can be generated from Summary pages Future reports will be developed as needs are identified by the User Community 30

47 OATI Internal Control Module OATI webcompliance Main Dashboard 31

48 OATI Internal Control Module Internal Controls Dashboard 32

49 OATI Internal Control Module Task Summary 33

50 OATI Internal Control Module Task Screen 34

51 OATI Internal Control Module Attachment Screen 35

52 OATI Internal Control Module Graph Workflow Display 36

53 OATI Internal Control Module Task Screen Status Change 37

54 ITC Internal Control Roadmap QTR 3 & Document medium priority IC s in OATI Develop Metrics & Compliance dashboard Evaluate medium priority ICs in OATI QTR Evaluate IC program for effectiveness Make adjustments as needed QTR 1 & Standardize IC Evaluation procedure Evaluate and refine IC based on IC reviews Update Inherent Risk Assessment Develop Reliability Compliance Steering Committee reporting 5 QTR 1 & Completed Full-scale Inherent Risk Assessment Documented high priority IC s in OATI (Control Monitoring System) Evaluated effectiveness of Internal Controls Conducted SME and SO training on OATI QTR 3 & Documented formal Inherent Risk Assessment Procedure Documented additional high priority IC s in OATI Performed Internal Control evaluations of completed Controls Update Compliance Program Manual to include Internal Controls 38

55 Internal Controls Questions? 39