
Page 1: Internal Controls - Southwest Power Pool

Internal Controls

Presented by Donna Maskil-Thompson
SPP RE Workshop

03/15/2016

Property of KC Board of Public Utilities © - PUBLIC - 2016 1

Page 2

Internal Controls

• The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected.

Reference - ISACA Glossary (formerly known as Information Systems Audit and Control Association)

Page 3

Internal Control Structure

The dynamic, integrated processes designed to provide reasonable assurance regarding the achievement of the following general objectives:

• Effectiveness and efficiency of operations

• Reliability of management

• Compliance with applicable laws, regulations and internal policies

Reference - ISACA Glossary (formerly known as Information Systems Audit and Control Association)

Page 4

Internal Control Structure

Management’s strategies for achieving these general objectives are affected by the design and operation of the following components:

• Control environment

– Integrity

– Ethical values

– Competence – Knowledge and Aptitude

• Information Systems

• Control procedures

Reference - ISACA Glossary (formerly known as Information Systems Audit and Control Association)

Page 5

Internal Controls

• Help achieve operational goals

• Provide information on progress meeting goals

– Operating Effectively or are there Exceptions?

• Can only provide reasonable, not absolute, assurance

“An internal control cannot change an inherently poor manager into a good one…”

- COSO (Committee of Sponsoring Organizations of the Treadway Commission) – Internal Controls

Page 6

Where to Start?


Effective Risk Management + Audit = Compliance

Page 7

Where to Start?

• What is the Risk?

• Perform Risk Assessments

– Perform SWOT Analysis

– Business Impact Analysis

– Review Incident Reports

Page 8

SWOT Analysis

Internal: Strengths | Weaknesses
External: Opportunities | Threats

• How do you leverage strengths to minimize impacts of threats?

• How do you mitigate or remediate weaknesses to avoid threats?

Page 9

BPU Policy Framework

• Outlines standards and guidance

• References multiple Authoritative Sources

– National Institute of Standards and Technology (NIST)

– COSO (Committee of Sponsoring Organizations of the Treadway Commission)

– ISACA (formerly known as Information Systems Audit and Control Association)

• COBIT® 5 – Risk, Process, and Information

Not a “check the box” approach

Page 10

Using RSAWs

• Yes, we know – Seriously, use them

– Maintain and update (quarterly)

• How are we meeting this requirement? (Self-Assessment)

• Have the SMEs changed?

• What are we missing?

• Identify Training Needs

Page 11

Controls Assessment

IT General Controls Assessment | Yes | No | Description of Policy, Process or Procedure

Program Change Controls – Change Management

1. Does BPU maintain written procedures for controlling program changes through IT management and programming personnel?

2. Do program change authorization forms or screens prepared by the user (Change Request) include:

– Authorizations by management before proposed program changes are made?

– Testing program changes?

– IT management and user personnel review and approval of testing methodology and test results?

3. Does BPU use library control software or other controls to manage source programs and object programs, especially production programs?

4. Does BPU have procedures for emergency program changes (or program files)?

Page 12

Think like an Auditor - Manage and Measure your Program like an auditor would

Page 13

Writing Control Objectives

• What is the objective of this control?

– Prevent

– Detect

– Correct

• How does it effectively mitigate risk?

– SMART criteria

Page 14

Monitoring & Controlling- Compliance

• Perform Quarterly Testing

• Identify and Correct Defects – SELF REPORT

• Perform Root Cause Analysis

• Continuous Improvement – DEMING (Plan, Do, Check, Act)

– DMAIC (Define, Measure, Analyze, Improve & Control)

– Kaizen “Change for the Better”

Diagram labels: Leadership; Accountability; Identify Risk; Control Risk; Share Knowledge; Manage Change

Page 15

Questions?

Page 16

References

ISACA® and COBIT Online®, www.isaca.org

Committee of Sponsoring Organizations of the Treadway Commission, www.coso.org

National Institute of Standards and Technology (NIST), Special Publications, http://csrc.nist.gov/publications/PubsSPs.html

– NIST 800-12
– NIST 800-14
– NIST 800-16
– NIST 800-34 (R1)
– NIST 800-37
– NIST 800-50
– NIST 800-53 A (Assessment Guide)
– NIST 800-53 (R4)
– NIST 800-55
– NIST 800-60
– NIST 800-61
– NIST 800-118
– Cybersecurity Framework

Page 17

Risk Assessment & Internal Controls

ITC’s Implementation

Page 18

Topics

• Risk Assessment Development

• Risk Assessment Implementation

• Overview of Internal Controls

• The Internal Controls Process

• ITC’s Internal Controls Program

• OATI Internal Control Module Overview

• OATI Internal Control Module Discussion

Page 19

Internal Control Framework – Convergence of Compliance Programs

Key compliance efforts integrated into the Internal Controls Framework:

• NERC RAI white papers: Changing self-certification to focus on risk and internal controls

• Add controls from 2014 Audit Lessons Learned – internal survey

• Regional Entity self-reporting database – creation of self-logging

• NERC 13 questions and EIE – define program and demonstrate culture

• Creation of a Corrective Action Program including schedule of IC reviews (e.g. 3-yr Plan), root cause analysis and lessons learned centrally managed to mitigate SV/AFI/etc.

• Monitoring Metrics to Reliability Compliance Steering Committee; Self-report high risk IC deficiencies

Diagram labels (inputs to Internal Controls): Audit Lessons Learned; RAI: Change from Self Certs to IC Reviews; RAI: Self-Reporting Database (TBD); 13 Questions or NERC EIE; Corrective Action Program; Monitoring Metrics & Corp Goals (TBD)

Page 20

NERC Reliability Assurance Initiative (RAI) Program

“The IRA is a review of potential risks posed by an individual registered entity to the reliability of the bulk power system (BPS).”

NERC ERO Enterprise Inherent Risk Assessment Guide

Page 21

Risk

What is risk?
The possibility of an event occurring that will have an adverse impact on the achievement of objectives (reliability of the Bulk Electric System).

How do we measure risk?
Risk is measured in terms of likelihood and impact.

What is a risk assessment?
The identification, evaluation, and estimation of the levels of risks involved in a situation, their comparison against benchmarks or standards, and determination of an acceptable level of risk.

Page 22

Inherent Risk Assessment

Objective of a Risk Assessment Model

• Identify and prioritize the most important or key areas (what really matters)

Measure and prioritize risk exposures

• The higher the risk exposure, the higher the priority

ITC’s Risk Assessment Model

• Scores based on 11 key risk indicators that influence the likelihood of the risk event and potential impact

• Risk score used to prioritize control reviews

• Full assessment every 3 years; Annual refresh

Page 23

Key Risk Indicators

• Routine vs. Non-Routine

• Automation vs. Manual

• Cross-Functional (Internal)

• 3rd Party Interaction (External)

• NERC High Risk Standards

• Significance of Changes in Standard or Process

• Key Personnel Turnover

• NERC VRF

• Reliability and/or Reputational Impact

• Violation History

• Automated Internal Controls

Page 24

ITC’s Risk Assessment Model

How do we calculate the risk score?

• Rate each of the risk factors on a scale of “1” to “5”.

o “1” indicating lower risk, and “5” indicating higher risk

• Weight each factor based upon the significance of each factor.

• Multiply each factor by its risk weight to calculate an overall score.

• Rank each score from high to low

• Focus on the areas with the highest risk score (what really matters).
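As an added worked example of the scoring method just described (this is not code from the deck or from ITC’s model): the eleven Key Risk Indicators from the earlier slide are each rated 1 to 5, multiplied by a weight, summed, ranked high to low, and placed in one of the four score bands that label the 2016 heat-map slide. The weights are constructed sample values, since the deck says factors are weighted by significance but does not publish ITC’s weights; dividing by the total weight so the score stays on the 1 to 5 scale is an assumption; the standard and requirement ids come from the deck but their ratings here are illustrative.

```python
from dataclasses import dataclass, field

# The eleven Key Risk Indicators from the "Key Risk Indicators" slide.
# Weights are constructed sample values (assumption): the deck only says
# each factor is weighted by its significance.
KRI_WEIGHTS = {
    "routine_vs_non_routine": 1.0,
    "automation_vs_manual": 1.5,
    "cross_functional_internal": 1.0,
    "third_party_interaction_external": 1.0,
    "nerc_high_risk_standard": 2.0,
    "significance_of_changes": 1.0,
    "key_personnel_turnover": 1.0,
    "nerc_vrf": 2.0,
    "reliability_reputational_impact": 2.0,
    "violation_history": 1.5,
    "automated_internal_controls": 1.5,
}

# Score bands as labelled on the 2016 heat-map slide, highest first.
RISK_BANDS = [(3.7, "3.7 - 4.8"), (3.1, "3.1 - 3.6"), (2.5, "2.5 - 3.0"), (1.0, "1.0 - 2.4")]


@dataclass
class Requirement:
    standard: str
    requirement: str
    ratings: dict = field(default_factory=dict)  # KRI name -> integer 1..5


def validate_ratings(ratings):
    """Every KRI must be rated, nothing extra, and each rating is an integer 1..5."""
    missing = set(KRI_WEIGHTS) - set(ratings)
    unknown = set(ratings) - set(KRI_WEIGHTS)
    if missing or unknown:
        raise ValueError(f"missing={sorted(missing)} unknown={sorted(unknown)}")
    for name, value in ratings.items():
        if not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{name}: rating must be an integer 1..5, got {value!r}")


def risk_score(ratings):
    """Weighted average of the factor ratings, rounded to one decimal.

    Dividing by the total weight keeps the result on the same 1..5 scale as
    the inputs (an assumption; the slide only says multiply and sum)."""
    validate_ratings(ratings)
    weighted_sum = sum(KRI_WEIGHTS[name] * ratings[name] for name in KRI_WEIGHTS)
    return round(weighted_sum / sum(KRI_WEIGHTS.values()), 1)


def risk_band(score):
    """Map a score to the heat-map band it falls in."""
    for floor, label in RISK_BANDS:
        if score >= floor:
            return label
    raise ValueError(f"score {score} is below the lowest band")


def rank_requirements(requirements):
    """Highest score first; sorted() is stable, so ties keep input order."""
    return sorted(requirements, key=lambda r: risk_score(r.ratings), reverse=True)


def _ratings(*values):
    # Values are given in KRI_WEIGHTS key order.
    return dict(zip(KRI_WEIGHTS, values))


# Constructed sample ratings: the ids appear in the deck, the numbers do not.
SAMPLE = [
    Requirement("CIP-007-6", "R2", _ratings(4, 3, 4, 5, 5, 4, 3, 5, 5, 4, 3)),
    Requirement("TOP-003-1", "R1", _ratings(3, 4, 3, 3, 4, 3, 2, 4, 3, 4, 3)),
    Requirement("MOD-010-0", "R1", _ratings(3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3)),
    Requirement("PRC-008-0", "R2", _ratings(2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2)),
]

if __name__ == "__main__":
    for r in rank_requirements(SAMPLE):
        s = risk_score(r.ratings)
        print(f"{r.standard} {r.requirement}: {s:.1f}  band {risk_band(s)}")
```

The validation step matters more than it looks: a rating entered as 0 or 6, or a factor silently left out, changes the ranking without anyone noticing, so the score refuses incomplete or out-of-range input rather than averaging around it.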

Page 25

Inherent Risk Assessment

How/where will this information be used?

• Drive the implementation of future controls

• Strengthen specific compliance related processes

• Prioritize training and communication efforts

ITC 2012 Reliability Compliance Risk Assessment – Risk Indicators

Indicator columns: Routine vs. Non-Routine; Automation vs. Manual; Cross-Functional (internal); 3rd Party Interaction (external); High Risk Standards (NERC Tier 1,2,3); Significance of Changes in Standard or Process; Key Personnel Turnover; NERC VRF; Reliability and/or Reputational Impact; Violation History; Automated Internal Controls. Nine indicator scores survive per row in the extracted text, so two of the eleven columns cannot be mapped.

Standard | Reqmt | Functions | Indicator scores | Overall Risk Score
CIP-005-3a | 2 | MISO, LBA, TOP, TO | 4 3 4 5 5 4 3 5 5 | 4.6
CIP-005-3a | 4 | MISO, LBA, TOP, TO | 4 3 4 5 5 4 3 5 5 | 4.6
CIP-007-3a | 2 | MISO, LBA, TOP, TO | 4 4 3 4 5 5 3 5 5 | 4.6
CIP-007-3a | 3 | MISO, LBA, TOP, TO | 4 4 3 4 5 5 3 5 5 | 4.6
CIP-009-3 | 4 | MISO, LBA, TOP, TO | 3 3 4 5 5 4 3 5 5 | 4.5
CIP-009-3 | 5 | MISO, LBA, TOP, TO | 3 3 4 5 5 4 3 5 5 | 4.5
CIP-003-3 | 1 | MISO, LBA, TOP, TO | 3 4 5 2 5 4 5 5 5 | 4.4
CIP-003-3 | 5 | MISO, LBA, TOP, TO | 3 4 5 2 5 4 5 5 5 | 4.4
CIP-003-3 | 6 | MISO, LBA, TOP, TO | 3 4 5 2 5 4 5 5 5 | 4.4
CIP-007-3a | 1 | MISO, LBA, TOP, TO | 4 4 3 4 5 4 3 4 5 | 4.4
CIP-007-3a | 5 | MISO, LBA, TOP, TO | 4 4 3 4 5 4 3 4 5 | 4.4
CIP-007-3a | 6 | MISO, LBA, TOP, TO | 4 4 3 4 5 4 3 4 5 | 4.4
CIP-007-3a | 8 | MISO, LBA, TOP, TO | 4 4 3 4 5 4 3 4 5 | 4.4
CIP-009-3 | 2 | MISO, LBA, TOP, TO | 3 3 4 5 5 4 3 4 5 | 4.4
PRC-005-1 | 2 | TO | 3 3 3 3 5 5 2 5 5 | 4.3
MOD-004-1 | 6 | BA, TP | 5 5 3 5 5 5 5 3 3 | 4.3
MOD-004-1 | 8 | BA, TP | 5 5 3 5 5 5 5 3 3 | 4.3
MOD-004-1 | 9 | BA, TP | 5 5 3 5 5 5 5 3 3 | 4.3
MOD-004-1 | 10 | BA, TP | 5 5 3 5 5 5 5 3 3 | 4.3
MOD-004-1 | 11 | BA, TP | 5 5 3 5 5 5 5 3 3 | 4.3
CIP-003-3 | 4 | MISO, LBA, TOP, TO | 3 4 4 2 5 4 5 5 5 | 4.3
CIP-005-3a | 1 | MISO, LBA, TOP, TO | 3 3 3 3 5 5 3 5 5 | 4.3
CIP-005-3a | 3 | MISO, LBA, TOP, TO | 4 3 3 3 5 4 3 5 5 | 4.3
CIP-009-3 | 1 | MISO, LBA, TOP, TO | 3 3 4 5 4 5 3 5 5 | 4.3
CIP-009-3 | 3 | MISO, LBA, TOP, TO | 3 3 4 5 4 5 3 5 5 | 4.3
FAC-003-1 | 1 | TO | 3 4 4 2 5 2 5 5 5 | 4.1
EOP-005-1 | 6 | MISO, LBA, TOP | 5 5 1 3 5 1 3 5 5 | 4.1
FAC-003-1 | 2 | TO | 2 4 5 2 5 2 5 5 5 | 4.1
PER-002-0 | 3 | MISO, LBA, TOP | 2 3 4 3 5 3 3 5 5 | 4.1
FAC-009-1 | 1 | TO | 3 5 4 4 5 4 3 3 4 | 4.1
EOP-005-1 | 8 | MISO, LBA, TOP | 3 5 3 5 4 3 1 5 5 | 4.1
CIP-004-3a | 4 | MISO, LBA, TOP, TO | 3 3 2 3 5 4 3 4 5 | 4.1
CIP-007-3a | 4 | MISO, LBA, TOP, TO | 4 4 3 4 4 5 3 5 4 | 4.1
CIP-008-3 | 1 | MISO, LBA, TOP, TO | 4 3 4 5 3 4 3 5 5 | 4.1
EOP-008-0 | 1 | MISO, LBA, TOP | 4 5 3 2 5 2 1 5 5 | 4.0
COM-002-2 | 2 | MISO, LBA, TOP | 3 5 1 5 5 3 1 3 5 | 4.0
PRC-001-1 | 4 | MISO, LBA, TOP | 2 5 4 5 4 2 2 5 5 | 4.0
CIP-005-3a | 5 | MISO, LBA, TOP, TO | 4 3 3 4 4 3 3 4 5 | 4.0
CIP-006-3c | 1 | MISO, LBA, TOP, TO | 4 4 4 4 4 4 4 4 4 | 4.0
CIP-006-3c | 4 | MISO, LBA, TOP, TO | 4 3 4 4 4 4 4 4 4 | 4.0

Page 26

2016 ITC Inherent Risk Assessment

Heat map bands as labelled on the slide: Risk Score 3.7 - 4.8; Risk Score 3.1 - 3.6; Risk Score 1.0 - 2.4; Risk Score 2.5 - 3.0. Requirement counts shown on the map: 66 R’s, 57 R’s, 61 R’s, 43 R’s. The extracted layout does not preserve which count belongs to which band, nor which band each requirement below was plotted in.

Risk priority for each requirement will be reassessed every 3 years, interim assessment every year.

Requirements plotted on the heat map:

IRO-004-2 R1; PRC-001-1 R3, 4, 5, 6; NUC-001-2.1 R2, 3, 4, 6, 9; FAC-003-3 R2; PRC-005-1.1b R3; CIP-008-5 R1, 2, 3; CIP-007-6 R1, 2, 3, 4, 5; EOP-005-2 R1, 6, 7, 8; CIP-011-1 R1; EOP-008-0 R1; COM-002-2 R2;
TOP-004-2 R1, 2, 3, 4; TOP-002-2.1b R11, 16, 17; TOP-001-1a R2, 3, 5, 7, 8; TOP-007-0 R3; FAC-008-3 R3, 6, 8; PRC-023-3 R1; CIP-006-6 R1, 2; EOP-003-2 R1, 2, 5, 6, 8; COM-001-1.1 R1, 2; EOP-005-2 R2, 4, 9, 11, 13; EOP-001-2.1b R3, 4; TOP-002-2.1b R1, 2, 4, 5, 6, 10, 19; TOP-004-2 R5; IRO-001-1.1 R8; TPL-001-4 R1, 4, 7, 8; PRC-001-1 R1, 2; IRO-005-3.1a R9, 10; PRC-008-0 R2; NUC-001-2 R8; PRC-005-1.1b R5; FAC-002-2 R1, 3, 4; TOP-001-1a R6; IRO-010-1a R3; FAC-003-3 R5; TOP-007-0 R1, 2; CIP-003-6 R1; TOP-008-1 R1, 2, 3; MOD-027-1 R5; PER-005-1 R3; EOP-008-1 R6, 7, 8; IRO-005-3.1a R5; TOP-006-2 R3, 6, 7; PRC-017 R1, 2; EOP-004-2 R3; PRC-016-1 R1, 2; FAC-014-2 R5; PRC-015-1b R1, 2, 3; TOP-003-1 R1, 2, 3; CIP-004-6 R1; TOP-004-2 R6; TPL-001-4 R2, 5, 6; FAC-014-2 R2; EOP-005-2 R3, 5, 10, 12; MOD-018-0 R1; MOD-019-0.1 R1; COM-002-2 R1; EOP-001-2.1b R2, 5; CIP-003-6 R2, 3, 4; PRC-017-0 R2; EOP-004-2 R1, 2; CIP-006-6 R3; TOP-005-2a R1, 2; FAC-003-3 R3, 4, 6, 7; PRC-008-0 R1; PRC-023-3 R2, 3, 4, 5; EOP-003-2 R3, 4; PER-001-0.2 R1; CIP-014-1 R3, 4; MOD-027-1 R1; VAR-001-4 R1, 5; VAR-001-4 R2, 3, 4, 6; MOD-018-0 R2; BAL-005-0.2b R1, 12, 13, 15; MOD-020-0 R1; BAL-006-2 R3, 4; EOP-008-1 R2, 5; COM-001-1.1 R4; TOP-001-1a R1; EOP-001-2.1b R6; MOD-021-1 R1, R2, R3; MOD-032-1 R1, 2, 3; FAC-002-2 R2; TOP-006-2 R1, 2, 4, 5; PRC-006-1 R10; EOP-010-1 R3; PER-003-1 R2; TOP-002-2.1b R18; PRC-004-2.1a R3; MOD-012-0 R1, 2; MOD-010-0 R1, 2; FAC-001-2 R1, 3; EOP-003-2 R7; CIP-011-2 R2; TOP-008-1 R4; PRC-018-1 R1, 2, 3, 4, 5, 6; PER-005-1 R1, 2; PRC-004-2.1a R1; CIP-010-1 R1, 2, 3; CIP-005-5 R1, 2; CIP-009-6 R1, 2; CIP-014-1 R1, 2, 4, 5, 6; CIP-004-6 R2, 3, 4, 5; CIP-002-5.1 R1, 2; CIP-009-6 R3; COM-001-1.1 R3, 5; EOP-008-1 R4; PRC-016-1 R3; TPL-001-4 R3

Last Update Feb 5, 2016

Page 27

NERC Reliability Assurance Initiative (RAI) Program

“As described in the ERO Enterprise Internal Control Evaluation Guide (ICE Guide), the ICE may inform whether a registered entity has implemented effective internal controls that provide reasonable assurance of compliance with Reliability Standards associated with areas of risk identified through the IRA.”

NERC Guidance Document: “The Application of Risk-based Compliance Monitoring and Enforcement Program Concepts to CIP Version 5”

Page 28

Internal Controls Framework

Diagram labels: People; Functional Processes; Information Systems/Technology; ID and Assess Risks, Establish/Review Controls; Internal Control Testing and Assurance Review; Risk Response, Remediation & AFI; Monitoring, Metrics & Reporting

Page 29

Controls

What is a control?
A point where you create evidence of compliance

An action [taken by you, me, management, the board of directors, and / or other parties] to manage risk and increase the likelihood that established objectives and goals will be achieved.

Controls should be designed to bring about appropriate responses to risks. In other words, controls help to reduce or mitigate risk.

Controls should address the root cause of a risk event, not the symptom(s).

Page 30

INTERNAL CONTROL CYCLE

Continuous Improvement

Page 31

INTERNAL CONTROL TYPES

Internal Controls should be designed to:

• Prevent undesired outcomes

• Detect deviations in performance

• Correct broken processes

Internal Controls are also of two varieties

• Automated – preferred over manual

• Manual – should have additional controls, cannot verify source of data

Page 32

INTERNAL CONTROL EXAMPLES

Preventive Controls

• Policies and Procedures

• Training and Awareness

• Three-Part Communication

• Forward Studies and Day ahead studies

• Configuration Documentation

• ID badges and door locks

• Asset Inventory

• Annual Plans (Vegetation Management, SRP, Security)

• Operating guides

• Defined testing and/or maintenance program

Page 33

INTERNAL CONTROL EXAMPLES

Detective Controls

• Review of logged activity for Control Room

• Review of phone logs for three-part communication

• Review of system access logs

• Management Review

• Self Certifications and Audits

• Activity and Exception Reports

Page 34

INTERNAL CONTROL EXAMPLES

Automated Controls

• An automated control will prevent improper activities from occurring

• Advantages

– No manual intervention

– Reliable time-stamp

– Activity is repeatable

• Programmed alarms in a system like TMS

• System generated logs

• Password controls over access into a system

Page 35

INTERNAL CONTROL EXAMPLES

Manual Controls

Manual controls can often be circumvented

Manual controls are often performed after the fact

• Often developed in a spreadsheet

• Some type of control that is handwritten

Page 36

INTERNAL CONTROL EXAMPLES

For an Internal Control to be effective the following should be present

• The control activity should be assigned to a specific function/individual

• The control activity must be executed in a defined time period (daily, weekly, monthly, yearly)

• The control activity should be repeatable

Page 37

Internal Control Development

Diagram labels: Document Controls; Design, Test and Evaluate; Implement; Test Design; Test Effectiveness; Identify and Correct Deficiencies; Review and Improve Design

Page 38

Internal Control Monitoring

Benefits of monitoring the effectiveness of Internal Controls:

• Ensures that there exists a sustainable and repeatable process.

• Identifies potential improvements to process efficiencies and internal control value.

• Provides timely information for improved assessment and management of risk.

• Improves the overall value of internal controls towards compliance efforts as they relate to the reliability of the BES.

• Ensures that there has been no degradation of the controls over time.

• Identification and correction of control deviations and failures.

• Elimination of unnecessary or inefficient controls.

Page 39

INTERNAL CONTROL PROGRAM

Detective Controls

• Review of logged Activity

• Training

• Three-Part Communication

• Forward Studies

• Day-ahead Studies

Page 40

ITC Internal Control Program

Tasks Completed:

• Conducted initial risk assessment

• Developed Heat Map based on results of risk assessment

• Determined controls to target in initial roll out

• Met with SOs and SMEs to review process and document controls

• Developed workflow for Internal Control process

• Developed Use Cases for loading into OATI Internal Controls Module

• Loaded controls into OATI Internal Controls Module

• Conducted internal testing to validate workflow

• Developed Internal Controls schedule

• Completed Initial Pilot

Page 41

ITC Internal Control Calendar

An Internal Controls calendar has been developed based on:

• Timing of Process/Event

• Frequency of controls

• Relationship to timing of reviews in the Compliance Monitoring Calendar

Page 42

ITC Internal Control Workflow

Following is an example of a typical OATI procedure work flow for Internal Controls. There will generally be 6 steps.

(1) Initial OATI procedure to notify SME to kick-off control activity (e.g., procedure, review, assessment, etc.) and attach/load evidence

(2) Std. Owner approval of evidence sample. (recursive)

(3) If evidence/sample is not approved, send back to SME for new or additional example. (recursive)

(4) Std. Owner approves control evidence review without further action.

(5) Std. Owner approves control evidence review but Corrective Actions are needed. Trigger CA procedure.

(6) Control evidence provided to Reliability Assurance for review

Diagram outcomes: Rejected → Resubmit; OR Approved → Clean Outcome / CA Needed; End Process

Page 43

Internal Control Execution

• The Internal Control workflow will be initiated by a notification to the Subject Matter Expert (SME) for evidence

• The notification may be based on the calendar, i.e. first day of the quarter, something that is time based

• The notification may be based on the completion of another control procedure, something that is process based

• The SME will load requested evidence into OATI and mark complete

Page 44

Internal Control Execution

• Once the evidence is loaded by the SME it will trigger a review process by the designated Standard Owner (SO)

• The SO will review the evidence and either:

– Accept the evidence provided

– Request additional evidence from the SME

– Initiate a corrective action if the evidence indicates a potential issue

• Controls in which evidence was Accepted or requiring Corrective Action will be sent to Reliability Assurance for review

• Reliability Assurance will review evidence of Control and complete the workflow
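As an added illustration of the six-step workflow on the "ITC Internal Control Workflow" slide and the execution rules on the two slides above (this is not OATI’s or ITC’s code; the state names, role names, control ids and evidence bytes are constructed), the following Python keeps the allowed transitions in one table so that only the right role can move a task at each step, records the SHA-256 of every evidence attachment so the audit trail shows exactly what the Standard Owner reviewed, and models the reject/resubmit loop and the corrective-action path, which the slides send on to Reliability Assurance like a clean approval. The corrective-action procedure itself is outside the slides’ scope, so it is recorded here only as a flag.

```python
import hashlib
from datetime import datetime, timezone

# Workflow states; names are constructed to follow the six steps on the slide.
NOTIFIED = "notified"      # (1) SME notified, evidence requested
SO_REVIEW = "so_review"    # (2) Standard Owner reviewing the evidence sample
REJECTED = "rejected"      # (3) sent back to SME for new or additional evidence
RA_REVIEW = "ra_review"    # (6) evidence with Reliability Assurance
CLOSED = "closed"          # end of process

# Allowed transitions: (current state, action, actor role) -> next state.
# Anything not listed is refused, so an SO cannot approve before evidence
# exists and an SME cannot close a task.
TRANSITIONS = {
    (NOTIFIED, "load_evidence", "sme"): SO_REVIEW,
    (REJECTED, "load_evidence", "sme"): SO_REVIEW,    # resubmit after rejection
    (SO_REVIEW, "reject", "so"): REJECTED,            # (3) recursive loop
    (SO_REVIEW, "approve", "so"): RA_REVIEW,          # (4) clean outcome
    (SO_REVIEW, "approve_with_ca", "so"): RA_REVIEW,  # (5) CA needed, still goes to RA
    (RA_REVIEW, "complete", "ra"): CLOSED,            # (6)
}


def _now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


class ControlTask:
    """One internal-control evidence task moving through the workflow."""

    def __init__(self, control_id):
        self.control_id = control_id
        self.state = NOTIFIED
        self.evidence = []      # (sha256 hex, byte length, timestamp) per attachment
        self.history = []       # audit trail: (timestamp, role, action, from, to, note)
        self.corrective_action_triggered = False
        self.resubmissions = 0

    def act(self, actor_role, action, evidence=None, note=""):
        key = (self.state, action, actor_role)
        if key not in TRANSITIONS:
            raise PermissionError(
                f"{actor_role!r} may not {action!r} while {self.control_id} is {self.state!r}")
        if action == "load_evidence":
            if not evidence:
                raise ValueError("load_evidence requires evidence bytes")
            digest = hashlib.sha256(evidence).hexdigest()
            self.evidence.append((digest, len(evidence), _now()))
            if self.state == REJECTED:
                self.resubmissions += 1
        if action == "approve_with_ca":
            self.corrective_action_triggered = True   # CA procedure would start here
        new_state = TRANSITIONS[key]
        self.history.append((_now(), actor_role, action, self.state, new_state, note))
        self.state = new_state
        return self.state


def run_clean_path():
    """Steps 1, 2, 4, 6: evidence accepted first time, no corrective action."""
    task = ControlTask("IC-EXAMPLE-01")  # constructed id
    task.act("sme", "load_evidence", evidence=b"constructed: Q1 access-log review, signed")
    task.act("so", "approve", note="sample matches the control description")
    task.act("ra", "complete")
    return task


def run_rejection_then_ca_path():
    """Steps 1, 2, 3 (resubmit), 5 (CA triggered), 6."""
    task = ControlTask("IC-EXAMPLE-02")  # constructed id
    task.act("sme", "load_evidence", evidence=b"constructed: two-week phone log export")
    task.act("so", "reject", note="control requires the full quarter")
    task.act("sme", "load_evidence", evidence=b"constructed: full-quarter phone log export")
    task.act("so", "approve_with_ca", note="two calls lacked three-part communication")
    task.act("ra", "complete")
    return task


if __name__ == "__main__":
    for t in (run_clean_path(), run_rejection_then_ca_path()):
        outcome = "CA needed" if t.corrective_action_triggered else "clean"
        print(t.control_id, t.state, outcome, "resubmissions:", t.resubmissions)
        for entry in t.history:
            print("   ", entry)
```

Keeping the transition table separate from the task object is the point: an auditor can read the table as the control design, and every refusal or approval in the history list is evidence that the design was followed.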

Page 45

OATI – Internal Control Module

• OATI’s Internal Control (IC) Module was developed in response to NERC’s Reliability Assurance Initiative (RAI)

• ITC is one of the companies that worked with OATI on the development of the IC module and actively participated in the Beta testing and Acceptance Testing of the module.

• ITC has worked closely with OATI in loading the identified controls to the production site

Page 46

OATI – Internal Control Module

• The IC Module is a flexible workflow tool

• The IC module will allow us to record and track controls as they relate to Reliability Requirements

• The IC Module will allow us to show we have controls in place and that we are following these controls

• Reports can be generated from Summary pages

• Future reports will be developed as needs are identified by the User Community

Page 47

OATI – Internal Control Module

OATI webCompliance Main Dashboard

Page 48

OATI – Internal Control Module

Internal Controls Dashboard

Page 49

OATI – Internal Control Module

Task Summary

Page 50

OATI – Internal Control Module

Task Screen

Page 51

OATI – Internal Control Module

Attachment Screen

Page 52

OATI – Internal Control Module

Graph Workflow Display

Page 53

OATI – Internal Control Module

Task Screen – Status Change

Page 54

ITC 2015-2016 Internal Control Roadmap

1. QTR 1 & 2 2015

• Completed Full-scale Inherent Risk Assessment

• Documented high priority IC’s in OATI (Control Monitoring System)

• Evaluated effectiveness of Internal Controls

• Conducted SME and SO training on OATI

2. QTR 3 & 4 2015

• Documented formal Inherent Risk Assessment Procedure

• Documented additional high priority IC’s in OATI

• Performed Internal Control evaluations of completed Controls

• Update Compliance Program Manual to include Internal Controls

3. QTR 1 & 2 2016

• Standardize IC Evaluation procedure

• Evaluate and refine IC based on IC reviews

• Update Inherent Risk Assessment

• Develop Reliability Compliance Steering Committee reporting

4. QTR 3 & 4 2016

• Document medium priority IC’s in OATI

• Develop Metrics & Compliance dashboard

• Evaluate medium priority ICs in OATI

5. QTR 1 2017

• Evaluate IC program for effectiveness

• Make adjustments as needed

Page 55

Internal Controls

Questions?