2014 Integrated Internal Control Plan. FRCC Spring Compliance Workshop April 8-10, 2014

Transcription

1 2014 Integrated Internal Control Plan

2 Contents Definitions Integrated Components of COSO Internal Control Framework The COSO Internal Control Framework and Seminole Control Environment Risk Assessment Control Activities Information and Communication Monitoring Activities Effective Internal Control: Present and Functioning Summary 2

3 Questions to Consider What are the benefits of adopting an Internal Control Framework? What are the functions of the Framework components? How do we know that an internal control program is Present and Functioning? 3

4 Introduction Basis of Seminole s 2014 Integrated Control Plan The Committee of Sponsoring Organizations of the Treadway Commissions (COSO) Internal Control Integrated Framework, 2013 version Provides direction for formation, implementation, and maintenance of an internal control program Enables organizations to effectively and efficiently develop and maintain systems of internal control Enhances likelihood of achieving entity objectives and to adapt to changes in business and operating environments 4

5 Introduction NERC Reliability Assurance Initiative (RAI) Purpose: Identify and implement, where appropriate, changes that enhance effectiveness of NERC CMEP Goal: Establishment of a risk based compliance monitoring policy and a mature CMEP by 2016 Benefit: Move away from zero-defect compliance audits Seminole Internal Control Plan is formalizing NERC RAI by adhering to: Current NERC RAI compliance principles Risk management framework Internal control best practices Goal: To complete implementation of internal control plan by end 2014 Be audit-ready under RAI for 2015 CIP and O&P audits 5

6 Definitions Internal Control (in context of NERC compliance) A method, affected by Seminole s Board of Trustees, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance Framework (from Merriam-Webster) The basic structure of something; a set of ideas or facts that provide support for something 6

7 Integrated Components of COSO Framework Principles-based approach to internal control composed of five integrated components Control Environment Monitoring Optimal Internal Control Risk Assessment Information and Communication Control Activities 7

8 Integrated Components of COSO Framework (cont d) Control Environment A set of standards, processes, management support, and structures that provide the basis for carrying out internal control Risk Assessment Involves a dynamic, iterative process for identifying and assessing risks to the BES and the achievement of compliance objectives Control Activities Actions established through technology, people, policies, and procedures that help ensure the implementation of management directives to mitigate risks (achieve compliance objectives) 8

9 Integrated Components of COSO Framework (cont d) Information and Communication Essential to carry out internal control responsibilities Management obtains or generates, and uses, relevant and quality information from both internal and external sources to support the functioning of other components of internal control Monitoring Activities Ongoing, periodic, or a combination of evaluation types used to determine whether each component of internal control is present, functioning, and integrative Ongoing internal control evaluations, built into business processes and work teams at different levels of Seminole, provide timely information as feedback 9

10 Integrated Components of COSO Framework (cont d) ENTERPRISE COMPLIANCE RISK MANAGEMENT ENVIRONMENT, SUPPORT AND MISSION 1. NERC STANDARD 7. ALL STANDARD AND REQUIREMENT-SPECIFIC INTERNAL CONTROLS 9. HUMAN ERROR PREVENTION INTERNAL CONTROL 12. ENTITY, ERO, RRO EXPERIENCE AND FEEDBACK 13. RSAW AUDIT NOTES AND ALL OTHER COMPLIANCE GUIDANCE 10. SITUATIONAL AWARENESS INTERNAL CONTROL 2. COMPLIANCE DOCUMENT MASTER INTERNAL CONTROL (CORPORATE COMPLIANCE) 3. PROCEDURES, PLANS PRACTICES, GUIDES, WORK INSTRUCTIONS (DOCUMENTED INTERNAL CONTROLS) (CORPORATE / DEPARTMENTS) 4. WORK ACTIVITIES, FUNCTIONS, TASKS 8. INTERNAL CONTROL IMPLEMENTATION, MONITORING, ANALYSIS AND EVALUATION SYSTEM (CONTROL OF CONTROLS) EXAMPLE: Role of Internal Controls Committee to review, analyze and evaluate. 11. TRAINING PROGRAM INTERNAL CONTROL 5. WORK ACTIVITIES, FUNCTIONS, TASKS: UNWANTED EVENT 6. EVENT REVIEW AND ROOT CAUSE ANALYSIS INTERNAL CONTROL 10

11 The COSO Internal Control Framework and Seminole For Seminole s management and the Board of Trustees, the COSO Framework provides the following: A consistent way to apply risk-based internal control to Seminole A principles-based approach providing flexibility and allowing for judgment in designing, implementing, and conducting internal control The requirements for an effective system of internal control A means to identify and analyze risks, and to develop and manage appropriate responses to risks A means to expand the application of internal control beyond financial reporting to other forms of reporting, operations, and compliance objectives A way to analyze and eliminate ineffective, redundant, or inefficient controls that provide minimal value in reducing risks 11

12 Control Environment Definition: A set of standards, processes, management support, and structures providing basis for carrying out internal control across Seminole Board of Trustees and senior management establish tone at the top Establish importance of internal control, including expected standards of conduct, with management reinforcement at various levels within Seminole Comprises several aspects Integrity and ethical values of Seminole Parameters that enable Board of Trustees to carry out governance oversight Organizational structure, with assignment of authority and responsibility Process for attracting, developing, and retaining competent individuals; and Rigor surrounding performance measures, incentives, and rewards to drive accountability for performance 12

13 Control Environment (continued) Control environment is governed by support from the top Establish comprehensive, board-approved Enterprise Risk & Compliance Policy Provide high-level direction for compliance and internal control activities Develop broadly representative advisory Internal Controls Committee as a periodic training and learning opportunity Should be composed of all compliance stakeholders, including Corporate Compliance Department staff and departmental compliance coordinators Should hold annual or semi-annual meetings, including Employee Information Meetings or Lunch and Learn presentations sponsored by the Corporate Compliance Department Should be presented with a periodic Corporate Compliance Department management update, with the use of Compliance Metric Dashboard Resulting control environment has a pervasive, enabling impact on overall system of internal control 13

14 Risk Assessment Definition: A dynamic and iterative process for identifying and assessing risks to the achievement of compliance objectives Risks are relative to established risk tolerances Risk assessment forms the basis for determining how risks will be managed Precondition to risk assessment: establishment of objectives Management specifies compliance objectives to enable identification and analysis of risks Management must consider how internal and external changes may cause internal control to be weak or ineffective 14

15 Risk Assessment (continued) Three categories of Risk severity Low Risk: Reserved for standard requirements with the least risk Frequency of review: Annually. As a minimum internal control, this level should require at least annual compliance reviews Criteria Violation or potential violation in previous audit, but mitigation is satisfactory with very little chance of recurrence New standard or requirement Developed, effective and verified internal controls Risk reduction - from High or Medium Risk 15

16 Risk Assessment (continued) Medium Risk: Reserved for more exceptional standard requirements where Seminole has low familiarity, demonstrated a control or compliance weakness, or the standard has a high violation profile in the industry Frequency of Review: Semi-annual compliance reviews Criteria New or significantly revised standard within the last audit period Violation in previous audit Potential violation in previous audit (Dismissed or FFT) Undeveloped or Ineffective internal controls Internal control failure, e.g., identified by event review Identified compliance degradation or improvement - moved from High or Low Risk 16

17 Risk Assessment (continued) High Risk: Reserved for the most exceptional standard requirements that might include a record of Seminole violation in a previous audit or as a result of internal control analyses indicating a weak internal control framework, thereby increasing risk to the BES Frequency of Review: Quarterly. The increased check-point periodicity augments in-depth review, but also guides Seminole into a higher degree of assurance that it can comply with the standard requirements Criteria New, or significantly revised, standard within the last audit period Violation in previous audit Potential violation in previous audit (Dismissed or FFT) No internal controls Undeveloped or Ineffective internal controls Internal control failure, e.g., identified by event review 17

18 Risk Assessment (continued) Relationship between Risk Assessment and Internal Controls Risk Assessment Approach and Results indicative directive consistent prioritizing iterative defining risk objective independent Internal Controls identified responsive coordinated systematic method dynamic mitigating risk objective dependent 18

19 Control Activities Definition: Actions established through technology, people, policies, and procedures that help ensure the implementation of management directives to mitigate risks (achieve compliance objectives) May encompass a range of manual and automated activities Compliance reviews Authorizations and approvals Verifications Reconciliations Process performance reviews 19

20 Control Activities (continued) Three types of controls Preventive Detective Corrective 20

21 Control Activities (continued) Preventive Control Proactive control designed to discourage noncompliance with Reliability Standards Example: Documented process requiring development and maintenance of training schedule Process would include all required training, and would be scheduled to ensure completion prior to dates required by the applicable reliability standard May be implemented by use of automated training tracking tool (notifies individual of scheduled training, reminds them to complete training, and notifies management to take action if training is not completed prior to the deadline) 21

22 Control Activities (continued) Detective Control Designed to find errors or irregularities and support effective compliance Example: Documented process requiring periodic review to identify any required training not completed as scheduled, as well as training not completed per reliability standard requirements Quarterly review of completed training records to identify individuals who have not completed training by the required deadline Documentation and utilization of an event review and root cause analysis process to determine cause and effects surrounding an unwanted event 22

23 Control Activities (continued) Corrective Control Designed to assess instances of noncompliance and return to a state of compliance Example: Automation of an Automatic Voltage Regulator (AVR) status indication Would cause an alarm in the Transmission Operator s Control Center indicating an AVR status change from Automatic to Manual on a particular generating unit Would provide notification to the TOP of an AVR status change within 30 minutes as required by VAR

24 Information and Communication Information is essential to carry out internal control responsibilities Management obtains or generates, and uses, relevant and quality information from both internal and external sources to support the functioning of other components of internal control Communication is the continual, iterative process of providing, sharing, and obtaining necessary information Internal: Enables personnel to receive clear message from senior management that control responsibilities must be taken seriously External: Enables inbound communication of relevant external information; also provides information to external parties in response to requirements and expectations 24

25 Information and Communication (continued) Enhancing information and communication Periodic evaluations of Seminole Corporate Compliance Department solicits feedback from compliance and internal control stakeholders within Seminole Information gained from training, combined with results of evaluations, adds substance to periodic self-assessments and potential corrective action plans Builds on components of Compliance Program Assessment Worksheet (CPAW) 25

26 Monitoring Activities Definition: Ongoing, periodic, or a combination of evaluation types used to determine whether each component of internal control is present, functioning, and integrative Ongoing internal control evaluations, built into business processes and work teams at different levels of Seminole, provide timely information as feedback Periodic evaluations Vary in scope and frequency depending on assessment of risks, effectiveness of ongoing evaluations, and other management considerations Results Evaluate findings against criteria established by Corporate Compliance Department, management, and Board of Trustees Communicate deficiencies to management / Board of Trustees as appropriate 26

27 Monitoring Activities (continued) Accomplish internal control monitoring through a standing Internal Controls Committee Review internal control program, processes, and outcomes every quarter (formally and continuously) Identify what works and where potential gaps might exist within the five integrated components Encourage informal feedback from management and subject matter experts Perform planned and periodic compliance reviews of NERC standard requirements Determine compliance with reliability standards Evaluate effectiveness of primary internal controls applied to each requirement 27

28 Monitoring Activities (continued) Develop a high-level document summarizing risk and controls Contains information for each reliability-related process Applicable NERC standard Description of risks and associated controls Description of plans for testing controls 28

29 Residual Risk (L, M, H) Control Function (Manual, Automatic) Frequency (Continuou s, Periodic) The COSO Internal Control Framework and Seminole: Monitoring Activities (continued) Process ID Reliability- Related Process Applicable NERC Standards Risk Descriptions Control Descriptions Control Type (Preventive, Detective, Corrective) Test Plans Test Assignment and Activity Record Date Due Date Performed Cross- Reference Generating Capacity Deficiency (Emergency Operations) EOP (Emergency Operations Planning), all requirements; EOP (Capacity and Energy Emergencies), all requirements 1.0 Failure to reduce electrical demand as necessitated by a regional generating capacity deficiency. 1.1 System Operations has a generating capacity deficiency plan which provides procedures to follow in the event of a capacity deficiency. 1.2 System Operations utilizes a formal root cause analysis (RCA) procedure in the event that an unwanted event occurs. Outcomes of the RCA can provide corrective controls. L P / D / C M P Corporate Compliance Department (CCD) verifies the annual review of System Operations Capacity Deficiency Plan. This includes adequacy and accuracy with respect to applicable NERC Standard Requirements CCD requests outcomes of RCA and verifies implementation of any corrective controls. Dr. Marc Lamoureux Flow Chart; Master List; Other work product 2.0 Failure to adequately respond to a generating capacity deficiency. 3.0 Failure to ensure that communications and associated actions with Member Systems are effectively coordinated during SECI's response to a generating capacity deficiency. 4.0 Appropriate actions not taken by SECI in coordination with its Member Systems. 2.1 Annual EOP Training is required for every System Coordinator which provides procedural review and simulated response to a capacity deficiency. 3.1 Annual EOP Training is required which provides procedural review and simulated response to a capacity deficiency. 3.2 Additionally, SECI and Member Systems conduct an annual capacity deficiency drill that provides a simulated response. Both training and annual drill activity provide formal assessments that can provide corrective controls. 4.1 Annual EOP Training is required which provides procedural review and simulated response to a capacity deficiency. 4.2 Additionally, SECI and Member Systems conduct an annual capacity deficiency drill that provides a simulated response. Both training and annual drill activity provide formal assessments that can provide corrective controls. L P M P CCD verifies that capacity deficiency training was conducted at least annually. L P / D / C M P CCD verifies that capacity deficiency training was conducted at least annually CCD reviews and verifies the application of any corrective controls identified in training or drill assessments. L P / D / C M P CCD verifies that capacity deficiency training was conducted at least annually CCD reviews and verifies the application of any corrective controls identified in training or drill assessments. Dr. Marc Lamoureux Dr. Marc Lamoureux Dr. Marc Lamoureux 29

30 Monitoring Activities (continued) Identifying processes, risks, controls, and refinement Business Need (E.g., Practice, Procedure) Business Process Workflow Risk Assessment Internal Controls NERC Standard Requirements Audit Approach Mature Workflow Compliance Document (e.g. Memo) Why we pass 30

31 Effective Internal Control: Present and Functioning Effective system of internal control reduces, to an acceptable level, the risk of not achieving a Seminole compliance objective Each of the five components and relevant principles of internal control must be present and functioning Present: components and relevant principles exist in the design and implementation of the system of internal control Functioning: components and relevant principles continue to exist in the operations and conduct of the system of internal control The five components of internal control operate together in an integrated and integrative manner 31

32 Effective Internal Control: Present and Functioning (continued) COSO Framework requires judgment Designing, implementing, and conducting internal control and assessing its effectiveness Use of judgment, within legal and regulatory boundaries, enhances management s ability to make better decisions about internal control Judgment cannot guarantee perfect outcomes 32

33 Summary of Seminole s Internal Control Plan Based on COSO Implements NERC RAI Implements the five integrated components of COSO and internal control Control Environment Risk Assessment (High, Medium, Low levels of risk severity) Control Activities (Preventive, Detective, Corrective) Information and Communication Monitoring Activities Goal: To complete implementation of internal control plan by end 2014 Be audit-ready under RAI for 2015 CIP and O&P audits 33

34 Links to additional resources NERC RAI Site The Committee of Sponsoring Organizations of the Treadway Commission (COSO) COSO Internal Control Executive Summary 34

35 Questions? 35