2014 Integrated Internal Control Plan. FRCC Compliance Workshop May 13-15, 2014

Transcription

1 2014 Integrated Internal Control Plan FRCC Compliance Workshop

2 Contents Definitions Integrated Components of COSO Internal Control Framework The COSO Internal Control Framework and Seminole Control Environment Risk Assessment Control Activities Information and Communication Monitoring Activities Effective Internal Control: Present and Functioning Summary 2

3 Questions Why use an Internal Control Framework? What are the Framework components? How do we know that an internal control program is Present and Functioning? 3

4 Introduction Basis of Seminole s 2014 Integrated Control Plan The Committee of Sponsoring Organizations of the Treadway Commissions (COSO) Internal Control Integrated Framework, 2013 version Provides direction for formation, implementation, and maintenance of an internal control program Enables organizations to effectively and efficiently develop and maintain systems of internal control Enhances likelihood of achieving entity objectives and to adapt to changes in business and operating environments 4

5 Introduction NERC Reliability Assurance Initiative (RAI) Purpose: Identify and implement, where appropriate, changes that enhance effectiveness of NERC CMEP Goal: Establishment of a risk based compliance monitoring policy and a mature CMEP by 2016 Benefit: Move away from zero-defect compliance audits Seminole Internal Control Plan formalizes NERC RAI Current NERC RAI compliance principles Risk management framework Internal control best practices Goal: To complete implementation of internal control plan by end 2014 Be audit-ready under RAI for 2015 CIP and O&P audits 5

6 Definitions Internal Control (in context of NERC compliance) A method, affected by Seminole s Board of Trustees, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance Framework (from Merriam-Webster) The basic structure of something; a set of ideas or facts that provide support for something 6

7 Integrated Components of COSO Framework Principles-based approach to internal control composed of five integrated components Control Environment Monitoring Optimal Internal Control Risk Assessment Information and Communication Control Activities FRCC Spring Compliance Workshop April 8-10,

8 Integrated Components of COSO Framework Control Environment Standards, processes, management support, structure providing the basis for carrying out internal control Risk Assessment Dynamic, iterative process for identifying and assessing risks to the BES and the achievement of compliance objectives Control Activities Actions using technology, people, policies, and procedures that ensure the implementation of management directives to mitigate risks and achieve compliance 8

9 Integrated Components of COSO Framework Information and Communication Essential to carry out internal control Generates & uses relevant high quality information Both internal and external sources support the internal control function Monitoring Activities Both ongoing and periodic evaluation types Determine whether each internal control is present, functioning, and integrative Evaluations, built into business processes and work teams Provide timely information as feedback 9

10 The Internal Control Environment For Seminole s management and the Board of Trustees, the COSO Framework provides the following: Consistent way to apply risk-based internal control to Seminole Control of Controls Principles-based approach provides flexibility and allows judgment in designing, implementing, and conducting the internal controls Define the requirements for an internal control system Identify and analyze risks Develop and manage appropriate responses to risks Eliminate ineffective or inefficient controls that provide minimal value in reducing risks Eliminate Redundancy destroys efficiency 10

11 The Internal Control Environment Definition: A set of standards, processes, management support, and structures providing basis for carrying out internal control across Seminole Board of Trustees and senior management establish tone at the top Establish importance of internal control, including expected standards of conduct, with management reinforcement at various levels within Seminole Comprises several aspects Integrity and ethical values Parameters that enable Board of Trustees to carry out governance oversight Organizational structure - authority and responsibility Process for attracting, developing, and retaining competent individuals; Rigor surrounding performance measures, incentives, and rewards Drive accountability for performance 11

12 Integrated Components of COSO Framework ENTERPRISE COMPLIANCE RISK MANAGEMENT ENVIRONMENT, SUPPORT AND MISSION 1. NERC STANDARD 7. ALL STANDARD AND REQUIREMENT-SPECIFIC INTERNAL CONTROLS 9. HUMAN ERROR PREVENTION INTERNAL CONTROL 12. ENTITY, ERO, RRO EXPERIENCE AND FEEDBACK 13. RSAW AUDIT NOTES AND ALL OTHER COMPLIANCE GUIDANCE 10. SITUATIONAL AWARENESS INTERNAL CONTROL 2. COMPLIANCE DOCUMENT MASTER INTERNAL CONTROL (CORPORATE COMPLIANCE) 3. PROCEDURES, PLANS PRACTICES, GUIDES, WORK INSTRUCTIONS (DOCUMENTED INTERNAL CONTROLS) (CORPORATE / DEPARTMENTS) 4. WORK ACTIVITIES, FUNCTIONS, TASKS 8. INTERNAL CONTROL IMPLEMENTATION, MONITORING, ANALYSIS AND EVALUATION SYSTEM (CONTROL OF CONTROLS) EXAMPLE: Role of Internal Controls Committee to review, analyze and evaluate. 11. TRAINING PROGRAM INTERNAL CONTROL 5. WORK ACTIVITIES, FUNCTIONS, TASKS: UNWANTED EVENT 6. EVENT REVIEW AND ROOT CAUSE ANALYSIS INTERNAL CONTROL 12

13 Control Environment Control environment is governed by support from the top Establish comprehensive, board-approved Enterprise Risk & Compliance Policy Provide high-level direction for compliance and internal control activities Develop broadly representative advisory Internal Controls Committee as a periodic training and learning opportunity Includes compliance stakeholders, including Corporate Compliance and Departmental compliance coordinators Annual or semi-annual meetings - Employee Information Meetings or Lunch and Learn presentations Presented using our Compliance Metric Dashboard Resulting control environment has a pervasive, enabling impact on overall system of internal control 13

14 Risk Assessment Definition: A dynamic and iterative process for identifying and assessing risks to the achievement of compliance objectives Risks are relative to established risk tolerances Risk assessment forms the basis for determining how risks will be managed Precondition to risk assessment: establishment of objectives Management specifies compliance objectives to enable identification and analysis of risks Management must consider how internal and external changes may cause internal control to be weak or ineffective 14

15 Risk Assessment Three categories of Risk severity Low Risk: Reserved for standard requirements with the least risk Frequency of review: Annually. As a minimum internal control, this level should require at least annual compliance reviews Criteria Violation or potential violation in previous audit, but mitigation is satisfactory with very little chance of recurrence New standard or requirement Developed, effective and verified internal controls Risk reduction - from High or Medium Risk 15

16 Risk Assessment Medium Risk: Reserved for more exceptional standard requirements where Seminole has low familiarity, demonstrated a control or compliance weakness, or the standard has a high violation profile in the industry Frequency of Review: Semi-annual compliance reviews Criteria New or significantly revised standard within the last audit period Violation in previous audit Potential violation in previous audit (Dismissed or FFT) Undeveloped or Ineffective internal controls Internal control failure, e.g., identified by event review Identified compliance degradation or improvement - moved from High or Low Risk 16

17 Risk Assessment High Risk: Reserved for the most exceptional standard requirements that might include a record of Seminole violation in a previous audit or as a result of internal control analyses indicating a weak internal control framework, thereby increasing risk to the BES Frequency of Review: Quarterly. The increased check-point periodicity augments in-depth review, but also guides Seminole into a higher degree of assurance that it can comply with the standard requirements Criteria New, or significantly revised, standard within the last audit period Violation in previous audit Potential violation in previous audit (Dismissed or FFT) No internal controls Undeveloped or Ineffective internal controls Internal control failure, e.g., identified by event review 17

18 Risk Assessment Relationship between Risk Assessment and Internal Controls Risk Assessment Approach and Results indicative directive consistent prioritizing iterative defining risk objective independent Internal Controls identified responsive coordinated systematic method dynamic mitigating risk objective dependent 18

19 Control Activities Definition: Actions established through technology, people, policies, and procedures that help ensure the implementation of management directives to mitigate risks (achieve compliance objectives) May encompass a range of manual and automated activities Compliance reviews Authorizations and approvals Verifications Reconciliations Process performance reviews 19

20 Control Activities Three types of controls Preventive Detective Corrective 20

21 Control Activities Preventive Control Proactive control designed to discourage noncompliance with Reliability Standards Example: Documented process requiring development and maintenance of training schedule Process would include all required training, and would be scheduled to ensure completion prior to dates required by the applicable reliability standard May be implemented by use of automated training tracking tool (notifies individual of scheduled training, reminds them to complete training, and notifies management to take action if training is not completed prior to the deadline) 21

22 Control Activities Detective Control Designed to find errors or irregularities and support effective compliance Example: Documented process requiring periodic review to identify any required training not completed as scheduled, as well as training not completed per reliability standard requirements Quarterly review of completed training records to identify individuals who have not completed training by the required deadline Documentation and utilization of an event review and root cause analysis process to determine cause and effects surrounding an unwanted event 22

23 Implementing Preventive and Detective Controls 23

24 Control Activities Corrective Control Designed to assess instances of noncompliance and return to a state of compliance Example: Automation of an Automatic Voltage Regulator (AVR) status indication Would cause an alarm in the Transmission Operator s Control Center indicating an AVR status change from Automatic to Manual on a particular generating unit Would provide notification to the TOP of an AVR status change within 30 minutes as required by VAR

25 Information and Communication Information is essential to carry out internal control responsibilities Management obtains or generates, and uses, relevant and quality information from both internal and external sources to support the functioning of other components of internal control Communication is the continual, iterative process of providing, sharing, and obtaining necessary information Internal: Enables personnel to receive clear message from senior management that control responsibilities must be taken seriously External: Enables inbound communication of relevant external information; also provides information to external parties in response to requirements and expectations 25

26 Information and Communication Enhancing information and communication Periodic evaluations of Seminole Corporate Compliance Department solicits feedback from compliance and internal control stakeholders within Seminole Information gained from training, combined with results of evaluations, adds substance to periodic self-assessments and potential corrective action plans Builds on components of Compliance Program Assessment Worksheet (CPAW) 26

27 Monitoring Activities Definition: Ongoing, periodic, or a combination of evaluation types used to determine whether each component of internal control is present, functioning, and integrative Ongoing internal control evaluations, built into business processes and work teams at different levels of Seminole, provide timely information as feedback Periodic evaluations Vary in scope and frequency depending on assessment of risks, effectiveness of ongoing evaluations, and other management considerations Results Evaluate findings against criteria established by Corporate Compliance Department, management, and Board of Trustees Communicate deficiencies to management / Board of Trustees as appropriate 27

28 Monitoring Activities Accomplish internal control monitoring through a standing Internal Controls Committee Review internal control program, processes, and outcomes every quarter (formally and continuously) Identify what works and where potential gaps might exist within the five integrated components Encourage informal feedback from management and subject matter experts Perform planned and periodic compliance reviews of NERC standard requirements Determine compliance with reliability standards Evaluate effectiveness of primary internal controls applied to each requirement 28

29 Monitoring Activities Develop a high-level document summarizing risk and controls Contains information for each reliability-related process Applicable NERC standard Description of risks and associated controls Description of plans for testing controls 29

30 Process ID Residual Risk (L, M, H) Control Type (Preventive, Detective, Corrective) Control Function (Manual, Automatic) Frequency (Continuous, Periodic) Date Due Date Performed Monitoring Activities Reliability- Related Process Applicable NERC Standards Risk Descriptions Control Descriptions Test Plans Test Assignment and Activity Record CC--02 CIP Training CIP (Cyber Security Personnel and Training), R2.2, R2.3; 1.0 Training considered inadequate to cover required topics. 1.1 Review by Manager of Compliance using checklist L P M P Annual review of guideline providing materials for manager to review prior to approving training Scheduled Periodic Review to verify completion of training materials, development and review. CIP Program Advisor 2.0 Failure to identify proper personnel scheduled to receive annual training 2.1 Automated list of personnel requiring training manually peer-review by CIP Program Advisor or Manager of Compliance L P M P Scheduled periodic Review to verify completion peer-review. CIP Program Advisor 3.0 Failure of all required personnel to complete required training 3.1 Training department verifies all personnel scheduled for training using automated tools within training tool L P A C Testing provided in summary by test plan Final review of personnel trained using list of personnel requiring training, not planned training list H D M Scheduled periodic Review to verify the final review of training has occurred. CIP Program Advisor 30

31 Monitoring Activities Identifying processes, risks, controls, and refinement Business Need (E.g., Practice, Procedure) Business Process Workflow Risk Assessment Internal Controls NERC Standard Requirements Audit Approach Mature Workflow Compliance Document (e.g. Memo) Why we pass 31

32 Effective Internal Control: Present and Functioning Effective system of internal control reduces, to an acceptable level, the risk of not achieving a Seminole compliance objective Each of the five components and relevant principles of internal control must be present and functioning Present: components and relevant principles exist in the design and implementation of the system of internal control Functioning: components and relevant principles continue to exist in the operations and conduct of the system of internal control The five components of internal control operate together in an integrated and integrative manner 32

33 Effective Internal Control: Present and Functioning COSO Framework requires judgment Designing, implementing, and conducting internal control and assessing its effectiveness Use of judgment, within legal and regulatory boundaries, enhances management s ability to make better decisions about internal control Judgment cannot guarantee perfect outcomes 33

34 Summary of Seminole s Internal Control Plan Based on COSO Implements NERC RAI Implements the five integrated components of COSO and internal control Control Environment Risk Assessment (High, Medium, Low levels of risk severity) Control Activities (Preventive, Detective, Corrective) Information and Communication Monitoring Activities Goal: To complete implementation of internal control plan by end 2014 Be audit-ready under RAI for 2015 CIP and O&P audits 34

35 Links to additional resources NERC RAI Site The Committee of Sponsoring Organizations of the Treadway Commission (COSO) COSO Internal Control Executive Summary 35

36 Questions? 36