Internal Controls Project July 10, 2013

Page 1

Internal Controls Project July 10, 2013

Page 2

Agenda

Internal Controls Document Development
◦ Development Process
◦ Next Steps

Review of Current Document
◦ Basic Internal Controls Concepts
◦ Internal Controls Analysis

Q&A

Page 3

Team 1 – RAI Benefits and Impacts ◦ Lead: Bob Hoopes

Team 2 – RAI Q&A Document ◦ Lead: Bob Hoopes

Team 3 – RSAW Input Team ◦ Lead: Jim Stanton

Team 4 – Data Retention ◦ Lead: Terry Bilke

Team 5 – Internal Controls Guidance ◦ Lead: Martyn Turner

Page 4

Sponsored by Jerry Hedrick

Prepared by Stakeholders
◦ CCC Members
◦ Other Registered Entity Participants
◦ Industry Trades Participation
◦ Regional Entity Participants

Draft provided to CCC June 12, 2013
Draft provided to NERC June 26, 2013
NERC posted to website July 8, 2013

Page 5

Future papers to create a library of reference documents for industry use
◦ Practical examples provided by Registered Entities describing internal controls programs
◦ Specific examples of internal control activities Registered Entities use to comply with Standards
◦ Examples of audit approaches to understand internal control programs and testing of internal control activities

Page 6

Purpose
◦ A document that helps define and further the understanding of internal control programs and activities

Table of Contents
A. Objective and Purpose
B. Executive Summary
C. Internal Controls
D. Internal Controls Activities and Function
E. Consideration of Risk
F. Considerations for Developing an Internal Controls Program
G. Appendices

Page 7

Basic purpose of the document is to initiate the dialogue to develop a common language

Risk as well as Internal Control Programs are not the same from one Registered Entity to another

Internal Control Programs are not an absolute guarantee of compliance with the Standards and can only provide “reasonable assurance” of compliance and reliable function

Page 8

Control Program (diagram; text recovered from the slide)

Inputs: Reliability Functions

Control Activities
• Processes
• Practices
• Policies
• Procedures
• Systems
• Approvals
• Authorizations
• Reviews

Outputs: Compliance with the Reliability Standards

An entity’s control activities facilitate compliance to the Reliability Standards

Control Program components
• Information / Communication
• Control Environment (Culture)
• Risk Assessment
• Monitoring

Page 9

Continuous Improvement Cycle

Page 10

CIP-001 Controls

Requirement 1: Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator Operator, and Load Serving Entity shall have procedures for the recognition of and for making its operating personnel aware of sabotage events on its facilities and multi-site sabotage affecting larger portions of the Interconnection.

Preventative Controls:
• Sabotage Awareness and Reporting Procedures
• Operating Instructions for Transmission and Power System Operators
• Training of personnel on sabotage awareness
• Communication materials (posted signs, etc.)

Detective Controls:
• Monitoring of ES-ISAC information
• Detection of sabotage not reported

Page 11

Assess the risk of non-compliance and mitigating activities (many already exist)

Risk matrix (figure): Materiality of Impact plotted against Likelihood, with positions numbered 1 to 6; the control plotted as the example is “Maintain / Test”.

Page 12

Key Issues / Sub Risks | Key Controls, Risk Mitigation Efforts, etc. | Responsibility | Timeline / Frequency
Identification of all protection system elements | Review of all system diagrams to identify protection system elements and verification by field observation; listing of protection system elements on facility website; change management process to add or delete protection system elements as modifications occur | Tech Services, Transmission Maintenance, Generation Plant Personnel | Ongoing
Personnel completing maintenance activities may not be aware of the compliance obligations | Annual training of maintenance personnel | Operations Compliance | Annual
Management may not be aware of compliance obligations and their organization’s state of compliance | Quarterly certification by Plant Manager of compliance with PRC-005 | Plant Managers | Quarterly
Awareness of changing standards requiring changes in the maintenance methodology and programs | Transmission Maintenance provided an individual to serve on the PRC-005 drafting team; Generation Tech Services provided an individual to serve on the PRC-005 drafting team | P. W. (Transmission), B.S. (Generation) | Ongoing

April 2013: The existence, availability and correct operation of protection equipment, special protective relaying schemes, load shedding programs, and voice and data communication systems is essential to the reliable operation of the BES. Maintaining and testing these systems provides assurance that they will be available to operate as designed when needed. Failure to maintain these systems as specified in the NERC Reliability Standards may reduce our ability to recognize or respond to a system event.

Primary Oversight Responsibility: Reliability Standards Committee

Page 13

Detective Internal Controls*

Control | Associated NERC standard(s) | Frequency

Compliance Program Management Controls
Self-Assessments prior to Self-Certification | All Standards | Annual
Targeted Compliance Site Assessments | All Standards | Annual
NYPA Internal Event Analysis Plan | NERC EA process, EOP-004 |

Operations, Maintenance, and Cyber Security Controls
Protection Control & Engr. (PC&E) quarterly work order review and compliance attestations | PRC-005, PRC-006, PRC-007, PRC-008, PRC-009, PRC-010, PRC-011, PRC-015, PRC-017, PRC-018, PRC-021 |
PC&E peer review of Relay Operation Analysis | PRC-001, PRC-004 |
PC&E tracking of Maintenance & Testing Exceptions | PRC-005, PRC-006, PRC-007, PRC-008, PRC-009, PRC-010, PRC-011, PRC-015, PRC-017, PRC-018, PRC-021 |
Operator logging review | COM-002, PRC-001, VAR-002, TOP-001, TOP-002, TOP-003, TOP-006 |
Incident Response Program | CIP-008 | Ongoing
A ‘central’ logging mechanism and transmission to a third party service for the aggregation and analysis of security logs | CIP-007 | Ongoing
Operator shift turn-over compliance check lists | COM-002, PRC-001, VAR-002, TOP-001, TOP-002, TOP-003, TOP-006 |

Internal Controls Analysis: Review existing processes, procedures and policies to determine if they facilitate compliance with the Reliability Standards

Page 14

Questions