Internal Controls
Presented by Donna Maskil-Thompson, SPP RE Workshop, 03/15/2016
Property of KC Board of Public Utilities © - PUBLIC - 2016 1
Internal Controls
• The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected.
Reference - ISACA Glossary (formerly known as Information Systems Audit and Control Association)
Internal Control Structure
The dynamic, integrated processes designed to provide reasonable assurance regarding the achievement of the following general objectives:
• Effectiveness and efficiency of operations
• Reliability of management
• Compliance with applicable laws, regulations and internal policies
Reference - ISACA Glossary -(formerly known as Information Systems Audit and Control Association)
Internal Control Structure
Management’s strategies for achieving these general objectives are affected by the design and operation of the following components:
• Control environment
– Integrity
– Ethical values
– Competence – Knowledge and Aptitude
• Information Systems
• Control procedures
Reference - ISACA Glossary -(formerly known as Information Systems Audit and Control Association)
Internal Controls
• Help achieve operational goals
• Provide information on progress meeting goals
– Operating Effectively or are there Exceptions?
• Can only provide reasonable, not absolute, assurance
“An internal control cannot change an inherently poor manager into a good one…”
– COSO (Committee of Sponsoring Organizations of the Treadway Commission), Internal Controls
Where to Start?
Effective Risk Management + Audit = Compliance
Where to Start?
• What is the Risk?
• Perform Risk Assessments
– Perform SWOT Analysis
– Business Impact Analysis
– Review Incident Reports
SWOT Analysis
Internal: Strengths | Weaknesses
External: Opportunities | Threats
• How do you leverage strengths to minimize impacts of threats?
• How do you mitigate or remediate weaknesses to avoid threats?
BPU Policy Framework
• Outlines standards and guidance
• References multiple Authoritative Sources
– National Institute of Standards and Technology (NIST)
– COSO (Committee of Sponsoring Organizations of the Treadway Commission)
– ISACA (formerly known as Information Systems Audit and Control Association)
• COBIT® 5 – Risk, Process, and Information
Not a “check the box” approach
Using RSAWs (Reliability Standard Audit Worksheets)
• Yes, we know – Seriously, use them
– Maintain and update (quarterly)
• How are we meeting this requirement? (Self-Assessment)
• Have the SMEs changed?
• What are we missing?
• Identify Training Needs
Controls Assessment
IT General Controls Assessment (checklist columns on the slide: Yes / No / Description of Policy, Process or Procedure)
Program Change Controls – Change Management
1. Does BPU maintain written procedures for controlling program changes through IT management and programming personnel?
2. Do program change authorization forms or screens prepared by the user (Change Request) include:
– Authorizations by management before proposed program changes are made?
– Testing of program changes?
– IT management and user personnel review and approval of testing methodology and test results?
3. Does BPU use library control software or other controls to manage source programs and object programs, especially production programs?
4. Does BPU have procedures for emergency program changes (or program files)?
Think like an Auditor -
Manage and Measure your Program like an auditor would
Writing Control Objectives
• What is the objective of this control?
– Prevent
– Detect
– Correct
• How does it effectively mitigate risk?
– SMART criteria
Monitoring & Controlling- Compliance
• Perform Quarterly Testing
• Identify and Correct Defects – SELF REPORT
• Perform Root Cause Analysis
• Continuous Improvement
– Deming cycle (Plan, Do, Check, Act)
– DMAIC (Define, Measure, Analyze, Improve, Control)
– Kaizen (“Change for the Better”)
Program elements (figure): Leadership; Accountability; Identify Risk; Control Risk; Share Knowledge; Manage Change
Questions?
References
ISACA® and COBIT Online®, www.isaca.org
Committee of Sponsoring Organizations of the Treadway Commission, www.coso.org
National Institute of Standards and Technology (NIST), Special Publications, http://csrc.nist.gov/publications/PubsSPs.html
– NIST SP 800-12
– NIST SP 800-14
– NIST SP 800-16
– NIST SP 800-34 (R1)
– NIST SP 800-37
– NIST SP 800-50
– NIST SP 800-53A (Assessment Guide)
– NIST SP 800-53 (R4)
– NIST SP 800-55
– NIST SP 800-60
– NIST SP 800-61
– NIST SP 800-118
– NIST Cybersecurity Framework
Risk Assessment & Internal Controls: ITC’s Implementation
Topics
• Risk Assessment Development
• Risk Assessment Implementation
• Overview of Internal Controls
• The Internal Controls Process
• ITC’s Internal Controls Program
• OATI Internal Control Module Overview
• OATI Internal Control Module Discussion
Internal Control Framework – Convergence of Compliance Programs
Key compliance efforts integrated into the Internal Controls Framework:
• NERC RAI white papers: changing self-certification to focus on risk and internal controls
• Add controls from 2014 Audit Lessons Learned – internal survey
• Regional Entity self-reporting database – creation of self-logging
• NERC 13 questions and EIE – define program and demonstrate culture
• Creation of a Corrective Action Program including a schedule of IC reviews (e.g. 3-yr Plan), root cause analysis and lessons learned, centrally managed to mitigate SV/AFI/etc.
• Monitoring Metrics reported to the Reliability Compliance Steering Committee; self-report high risk IC deficiencies
Diagram (inputs feeding Internal Controls): Audit Lessons Learned; RAI: Change from Self Certs to IC Reviews; RAI: Self-Reporting Database (TBD); 13 Questions or NERC EIE; Corrective Action Program; Monitoring Metrics & Corp Goals (TBD)
NERC Reliability Assurance Initiative (RAI) Program
“The IRA is a review of potential risks posed by an individual registered entity to the reliability of the bulk power system (BPS).”
NERC ERO Enterprise Inherent Risk Assessment Guide
Risk
What is risk? The possibility of an event occurring that will have an adverse impact on the achievement of objectives (reliability of the Bulk Electric System).
How do we measure risk? Risk is measured in terms of likelihood and impact.
What is a risk assessment? The identification, evaluation, and estimation of the levels of risk involved in a situation, their comparison against benchmarks or standards, and determination of an acceptable level of risk.
Inherent Risk Assessment
Objective of a Risk Assessment Model
• Identify and prioritize the most important or key areas (what really matters)
• Measure and prioritize risk exposures: the higher the risk exposure, the higher the priority
ITC’s Risk Assessment Model
• Scores based on 11 key risk indicators that influence the likelihood of the risk event and its potential impact
• Risk score used to prioritize control reviews
• Full assessment every 3 years; annual refresh
Key Risk Indicators
Key Risk Indicators
• Routine vs. Non-Routine
• Automation vs. Manual
• Cross-Functional (Internal)
• 3rd Party Interaction (External)
• NERC High Risk Standards
• Significance of Changes in Standard or Process
• Key Personnel Turnover
• NERC VRF
• Reliability and/or Reputational Impact
• Violation History
• Automated Internal Controls
ITC’s Risk Assessment Model
How do we calculate the risk score?
• Rate each of the risk factors on a scale of “1” to “5”.
o “1” indicating lower risk, and “5” indicating higher risk
• Weight each factor based upon its significance.
• Multiply each factor by its risk weight and add up the weighted factors to calculate an overall score.
• Rank the scores from high to low.
• Focus on the areas with the highest risk score (what really matters).
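The following Python block is an added example of the weighted scoring model described above; it is not ITC’s or OATI’s code. The eleven indicators and the 1 (lower risk) to 5 (higher risk) rating scale are taken from the slides, and the four score bands are the ranges shown on the 2016 heat map. The weights are an assumption (the deck does not publish ITC’s weights), and the sample ratings are constructed for illustration. It validates the ratings, computes the weighted score, assigns the band and ranks the requirements high to low.

```python
"""Weighted key-risk-indicator (KRI) scoring, heat-map banding and ranking.

Added example, not ITC's or OATI's code. The eleven indicators and the
1 (lower risk) to 5 (higher risk) rating scale come from the slides; the
weights below are an ASSUMPTION (the deck does not publish ITC's weights)
and are chosen to sum to 1.0 so the overall score stays on the 1-5 scale.
"""

# Hypothetical weights, one per key risk indicator (assumption, not ITC data).
KRI_WEIGHTS = {
    "routine_vs_non_routine": 0.05,
    "automation_vs_manual": 0.10,
    "cross_functional_internal": 0.05,
    "third_party_interaction": 0.05,
    "nerc_high_risk_standard": 0.15,
    "significance_of_changes": 0.10,
    "key_personnel_turnover": 0.05,
    "nerc_vrf": 0.15,
    "reliability_reputational_impact": 0.15,
    "violation_history": 0.10,
    "automated_internal_controls": 0.05,  # rated low (1) when strong automated controls exist
}
assert abs(sum(KRI_WEIGHTS.values()) - 1.0) < 1e-9

# Score bands from the 2016 heat-map slide, highest first: (lower bound, label).
HEAT_BANDS = ((3.7, "3.7 - 4.8"), (3.1, "3.1 - 3.6"), (2.5, "2.5 - 3.0"), (1.0, "1.0 - 2.4"))


def validate_ratings(ratings):
    """Every KRI must be rated exactly once with an integer from 1 to 5."""
    missing = set(KRI_WEIGHTS) - set(ratings)
    unknown = set(ratings) - set(KRI_WEIGHTS)
    if missing or unknown:
        raise ValueError(f"missing={sorted(missing)} unknown={sorted(unknown)}")
    for name, value in ratings.items():
        if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{name}: rating {value!r} is not an integer in 1..5")


def risk_score(ratings):
    """Weighted sum of the ratings, rounded to one decimal as in the ITC table."""
    validate_ratings(ratings)
    return round(sum(KRI_WEIGHTS[k] * ratings[k] for k in KRI_WEIGHTS), 1)


def heat_band(score):
    """Map a score to its heat-map band; rounding to one decimal closes the gaps between bands."""
    for lower, label in HEAT_BANDS:
        if round(score, 1) >= lower:
            return label
    raise ValueError(f"score {score} is below the lowest band")


def rank_requirements(assessment):
    """Return [(requirement, score, band)] sorted from highest to lowest risk."""
    ranked = []
    for requirement, ratings in assessment.items():
        score = risk_score(ratings)
        ranked.append((requirement, score, heat_band(score)))
    ranked.sort(key=lambda row: row[1], reverse=True)
    return ranked


# Constructed sample assessment (illustrative ratings, not ITC's 2012 or 2016 data).
SAMPLE_ASSESSMENT = {
    "CIP-007-6 R2": dict(
        routine_vs_non_routine=4, automation_vs_manual=3, cross_functional_internal=4,
        third_party_interaction=5, nerc_high_risk_standard=5, significance_of_changes=4,
        key_personnel_turnover=3, nerc_vrf=5, reliability_reputational_impact=5,
        violation_history=4, automated_internal_controls=5,
    ),
    "TOP-003-1 R1": {k: 3 for k in KRI_WEIGHTS},
    "MOD-032-1 R2": {**{k: 2 for k in KRI_WEIGHTS},
                     "nerc_vrf": 3, "reliability_reputational_impact": 3},
}

if __name__ == "__main__":
    for requirement, score, band in rank_requirements(SAMPLE_ASSESSMENT):
        print(f"{requirement:<14} {score:.1f}  {band}")
```

Because the weights sum to 1.0 the score is a weighted average, which is why the slide's overall scores (4.6, 4.5, 4.3, …) stay inside the 1-5 rating range; a requirement rated 5 on every indicator scores exactly 5.0. Changing the weights changes the ranking, so the weight table is itself a control artifact worth reviewing with the SMEs.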
Inherent Risk Assessment
How/where will this information be used?
• Drive the implementation of future controls
• Strengthen specific compliance related processes
• Prioritize training and communication efforts
ITC 2012 Reliability Compliance Risk Assessment – Risk Indicators
Columns on the slide: Standard; Reqmt; Functions; Routine vs. Non-Routine; Automation vs. Manual; Cross-Functional (internal); 3rd Party Interaction (external); High Risk Standards (NERC Tier 1,2,3); Significance of Changes in Standard or Process; Key Personnel Turnover; NERC VRF; Reliability and/or Reputational Impact; Violation History; Automated Internal Controls; Overall Risk Score. Only nine of the eleven indicator columns survived extraction, so the indicator scores below are listed in the order extracted rather than under named headings.

Standard     Reqmt  Functions            Indicator scores     Overall Risk Score
CIP-005-3a   2      MISO, LBA, TOP, TO   4 3 4 5 5 4 3 5 5    4.6
CIP-005-3a   4      MISO, LBA, TOP, TO   4 3 4 5 5 4 3 5 5    4.6
CIP-007-3a   2      MISO, LBA, TOP, TO   4 4 3 4 5 5 3 5 5    4.6
CIP-007-3a   3      MISO, LBA, TOP, TO   4 4 3 4 5 5 3 5 5    4.6
CIP-009-3    4      MISO, LBA, TOP, TO   3 3 4 5 5 4 3 5 5    4.5
CIP-009-3    5      MISO, LBA, TOP, TO   3 3 4 5 5 4 3 5 5    4.5
CIP-003-3    1      MISO, LBA, TOP, TO   3 4 5 2 5 4 5 5 5    4.4
CIP-003-3    5      MISO, LBA, TOP, TO   3 4 5 2 5 4 5 5 5    4.4
CIP-003-3    6      MISO, LBA, TOP, TO   3 4 5 2 5 4 5 5 5    4.4
CIP-007-3a   1      MISO, LBA, TOP, TO   4 4 3 4 5 4 3 4 5    4.4
CIP-007-3a   5      MISO, LBA, TOP, TO   4 4 3 4 5 4 3 4 5    4.4
CIP-007-3a   6      MISO, LBA, TOP, TO   4 4 3 4 5 4 3 4 5    4.4
CIP-007-3a   8      MISO, LBA, TOP, TO   4 4 3 4 5 4 3 4 5    4.4
CIP-009-3    2      MISO, LBA, TOP, TO   3 3 4 5 5 4 3 4 5    4.4
PRC-005-1    2      TO                   3 3 3 3 5 5 2 5 5    4.3
MOD-004-1    6      BA, TP               5 5 3 5 5 5 5 3 3    4.3
MOD-004-1    8      BA, TP               5 5 3 5 5 5 5 3 3    4.3
MOD-004-1    9      BA, TP               5 5 3 5 5 5 5 3 3    4.3
MOD-004-1    10     BA, TP               5 5 3 5 5 5 5 3 3    4.3
MOD-004-1    11     BA, TP               5 5 3 5 5 5 5 3 3    4.3
CIP-003-3    4      MISO, LBA, TOP, TO   3 4 4 2 5 4 5 5 5    4.3
CIP-005-3a   1      MISO, LBA, TOP, TO   3 3 3 3 5 5 3 5 5    4.3
CIP-005-3a   3      MISO, LBA, TOP, TO   4 3 3 3 5 4 3 5 5    4.3
CIP-009-3    1      MISO, LBA, TOP, TO   3 3 4 5 4 5 3 5 5    4.3
CIP-009-3    3      MISO, LBA, TOP, TO   3 3 4 5 4 5 3 5 5    4.3
FAC-003-1    1      TO                   3 4 4 2 5 2 5 5 5    4.1
EOP-005-1    6      MISO, LBA, TOP       5 5 1 3 5 1 3 5 5    4.1
FAC-003-1    2      TO                   2 4 5 2 5 2 5 5 5    4.1
PER-002-0    3      MISO, LBA, TOP       2 3 4 3 5 3 3 5 5    4.1
FAC-009-1    1      TO                   3 5 4 4 5 4 3 3 4    4.1
EOP-005-1    8      MISO, LBA, TOP       3 5 3 5 4 3 1 5 5    4.1
CIP-004-3a   4      MISO, LBA, TOP, TO   3 3 2 3 5 4 3 4 5    4.1
CIP-007-3a   4      MISO, LBA, TOP, TO   4 4 3 4 4 5 3 5 4    4.1
CIP-008-3    1      MISO, LBA, TOP, TO   4 3 4 5 3 4 3 5 5    4.1
EOP-008-0    1      MISO, LBA, TOP       4 5 3 2 5 2 1 5 5    4.0
COM-002-2    2      MISO, LBA, TOP       3 5 1 5 5 3 1 3 5    4.0
PRC-001-1    4      MISO, LBA, TOP       2 5 4 5 4 2 2 5 5    4.0
CIP-005-3a   5      MISO, LBA, TOP, TO   4 3 3 4 4 3 3 4 5    4.0
CIP-006-3c   1      MISO, LBA, TOP, TO   4 4 4 4 4 4 4 4 4    4.0
CIP-006-3c   4      MISO, LBA, TOP, TO   4 3 4 4 4 4 4 4 4    4.0
2016 ITC Inherent Risk Assessment
Heat map (figure). Four risk-score bands: 3.7 - 4.8, 3.1 - 3.6, 2.5 - 3.0 and 1.0 - 2.4, holding 66, 57, 61 and 43 requirements as counted on the slide (extraction lost which count and which requirements belong to which band).
Risk priority for each requirement will be reassessed every 3 years, with an interim assessment every year.
Requirements shown on the heat map, in extraction order (band not recoverable):
IRO-004-2 R1
PRC-001-1 R3, 4, 5, 6
NUC-001-2.1 R2, 3, 4, 6, 9
FAC-003-3 R2
PRC-005-1.1b R3
CIP-008-5 R1, 2, 3
CIP-007-6 R1, 2, 3, 4, 5
EOP-005-2 R1, 6, 7, 8
CIP-011-1 R1
EOP-008-0 R1
COM-002-2 R2
TOP-004-2 R1, 2, 3, 4
TOP-002-2.1b R11, 16, 17
TOP-001-1a R2, 3, 5, 7, 8
TOP-007-0 R3
FAC-008-3 R3, 6, 8
PRC-023-3 R1
CIP-006-6 R1, 2
EOP-003-2 R1, 2, 5, 6, 8
COM-001-1.1 R1, 2
EOP-005-2 R2, 4, 9, 11, 13
EOP-001-2.1b R3, 4
TOP-002-2.1b R1, 2, 4, 5, 6, 10, 19
TOP-004-2 R5
IRO-001-1.1 R8
TPL-001-4 R1, 4, 7, 8
PRC-001-1 R1, 2
IRO-005-3.1a R9, 10
PRC-008-0 R2
NUC-001-2 R8
PRC-005-1.1b R5
FAC-002-2 R1, 3, 4
TOP-001-1a R6
IRO-010-1a R3
FAC-003-3 R5
TOP-007-0 R1, 2
CIP-003-6 R1
TOP-008-1 R1, 2, 3
MOD-027-1 R5
PER-005-1 R3
EOP-008-1 R6, 7, 8
IRO-005-3.1a R5
TOP-006-2 R3, 6, 7
PRC-017 R1, 2
EOP-004-2 R3
PRC-016-1 R1, 2
FAC-014-2 R5
PRC-015-1b R1, 2, 3
TOP-003-1 R1, 2, 3
CIP-004-6 R1
TOP-004-2 R6
TPL-001-4 R2, 5, 6
FAC-014-2 R2
EOP-005-2 R3, 5, 10, 12
MOD-018-0 R1
MOD-019-0.1 R1
COM-002-2 R1
EOP-001-2.1b R2, 5
CIP-003-6 R2, 3, 4
PRC-017-0 R2
EOP-004-2 R1, 2
CIP-006-6 R3
TOP-005-2a R1, 2
FAC-003-3 R3, 4, 6, 7
PRC-008-0 R1
PRC-023-3 R2, 3, 4, 5
EOP-003-2 R3, 4
PER-001-0.2 R1
CIP-014-1 R3, 4
MOD-027-1 R1
VAR-001-4 R1, 5
VAR-001-4 R2, 3, 4, 6
MOD-018-0 R2
BAL-005-0.2b R1, 12, 13, 15
MOD-020-0 R1
BAL-006-2 R3, 4
EOP-008-1 R2, 5
COM-001-1.1 R4
TOP-001-1a R1
EOP-001-2.1b R6
MOD-021-1 R1, 2, 3
MOD-032-1 R1, 2, 3
FAC-002-2 R2
TOP-006-2 R1, 2, 4, 5
PRC-006-1 R10
EOP-010-1 R3
PER-003-1 R2
TOP-002-2.1b R18
PRC-004-2.1a R3
MOD-012-0 R1, 2
MOD-010-0 R1, 2
FAC-001-2 R1, 3
EOP-003-2 R7
CIP-011-2 R2
TOP-008-1 R4
PRC-018-1 R1, 2, 3, 4, 5, 6
PER-005-1 R1, 2
PRC-004-2.1a R1
CIP-010-1 R1, 2, 3
CIP-005-5 R1, 2
CIP-009-6 R1, 2
CIP-014-1 R1, 2, 4, 5, 6
CIP-004-6 R2, 3, 4, 5
CIP-002-5.1 R1, 2
CIP-009-6 R3
COM-001-1.1 R3, 5
EOP-008-1 R4
PRC-016-1 R3
TPL-001-4 R3
Last Update Feb 5, 2016
NERC Reliability Assurance Initiative (RAI) Program
“As described in the ERO Enterprise Internal Control Evaluation Guide (ICE Guide), the ICE may inform whether a registered entity has implemented effective internal controls that provide reasonable assurance of compliance with Reliability Standards associated with areas of risk identified through the IRA.”
NERC Guidance Document: “The Application of Risk-based Compliance Monitoring and Enforcement Program Concepts to CIP Version 5”
Internal Controls Framework (figure)
Scope: People; Functional Processes; Information Systems/Technology
Cycle: ID and Assess Risks; Establish/Review Controls; Internal Control Testing and Assurance Review; Risk Response, Remediation & AFI; Monitoring, Metrics & Reporting
Controls
What is a control? A point where you create evidence of compliance.
An action [taken by you, me, management, the board of directors, and/or other parties] to manage risk and increase the likelihood that established objectives and goals will be achieved.
Controls should be designed to bring about appropriate responses to risks. In other words, controls help to reduce or mitigate risk.
Controls should address the root cause of a risk event, not the symptom(s).
INTERNAL CONTROL CYCLE
(figure: a continuous improvement cycle)
INTERNAL CONTROL TYPES
Internal Controls should be designed to:
• Prevent undesired outcomes
• Detect deviations in performance
• Correct broken processes
Internal Controls are also of two varieties:
• Automated – preferred over manual
• Manual – should be backed by additional controls, because a manual control by itself cannot verify the source of its data
INTERNAL CONTROL EXAMPLES
Preventive Controls
• Policies and Procedures
• Training and Awareness
• Three-Part Communication
• Forward Studies and Day-ahead Studies
• Configuration Documentation
• ID badges and door locks
• Asset Inventory
• Annual Plans (Vegetation Management, SRP, Security)
• Operating guides
• Defined testing and/or maintenance program
INTERNAL CONTROL EXAMPLES
Detective Controls
• Review of logged activity for the Control Room
• Review of phone logs for three-part communication
• Review of system access logs
• Management Review
• Self Certifications and Audits
• Activity and Exception Reports
INTERNAL CONTROL EXAMPLES
Automated Controls
• An automated control will prevent improper activities from occurring
• Advantages: no manual intervention; reliable time-stamp; activity is repeatable
• Examples: programmed alarms in a system like TMS; system-generated logs; password controls over access into a system
INTERNAL CONTROL EXAMPLES
Manual Controls
• Manual controls can often be circumvented
• Manual controls are often performed after the fact
• Often developed in a spreadsheet, or some type of control that is handwritten
INTERNAL CONTROL EXAMPLES
For an Internal Control to be effective the following should be present
• The control activity should be assigned to a specific function/individual
• The control activity must be executed in a defined time period (daily, weekly, monthly, yearly)
• The control activity should be repeatable
Internal Control Development (figure)
Document Controls → Design, Test and Evaluate → Implement → Test Design → Test Effectiveness → Identify and Correct Deficiencies → Review and Improve Design
Internal Control Monitoring
Benefits of monitoring the effectiveness of Internal Controls:
• Ensures that there exists a sustainable and repeatable process.
• Identifies potential improvements to process efficiencies and internal control value.
• Provides timely information for improved assessment and management of risk.
• Improves the overall value of internal controls towards compliance efforts as they relate to the reliability of the BES.
• Ensures that there has been no degradation of the controls over time.
• Identifies and corrects control deviations and failures.
• Eliminates unnecessary or inefficient controls.
INTERNAL CONTROL PROGRAM
Detective Controls
• Review of logged Activity
• Training
• Three-Part Communication
• Forward Studies
• Day-ahead Studies
ITC Internal Control Program
Tasks Completed:
• Conducted initial risk assessment
• Developed Heat Map based on results of risk assessment
• Determined controls to target in initial roll out
• Met with SOs and SMEs to review process and document controls
• Developed workflow for Internal Control process
• Developed Use Cases for loading into OATI Internal Controls Module
• Loaded controls into OATI Internal Controls Module
• Conducted internal testing to validate workflow
• Developed Internal Controls schedule
• Completed Initial Pilot
ITC Internal Control Calendar
An Internal Controls calendar has been developed based on:
• Timing of Process/Event
• Frequency of controls
• Relationship to timing of reviews in the Compliance Monitoring Calendar
ITC Internal Control Workflow
Following is an example of a typical OATI procedure workflow for Internal Controls. There will generally be 6 steps.
(1) Initial OATI procedure notifies the SME to kick off the control activity (e.g., procedure, review, assessment) and attach/load evidence
(2) Std. Owner approval of the evidence sample (recursive)
(3) If the evidence/sample is not approved, it is sent back to the SME for a new or additional example (recursive)
(4) Std. Owner approves the control evidence review without further action
(5) Std. Owner approves the control evidence review but Corrective Actions are needed; trigger the CA procedure
(6) Control evidence provided to Reliability Assurance for review
Workflow diagram labels: Rejected / Resubmit; Approved; Clean Outcome OR CA Needed; End Process
Internal Control Execution
• The Internal Control workflow will be initiated by a notification to the Subject Matter Expert (SME) for evidence
• The notification may be based on the calendar, i.e. first day of the quarter, something that is time based
• The notification may be based on the completion of another control procedure, something that is process based
• The SME will load requested evidence into OATI and mark complete
Internal Control Execution
• Once the evidence is loaded by the SME it will trigger a review process by the designated Standard Owner (SO)
• The SO will review the evidence and either:
• Accept the evidence provided
• Request additional evidence from the SME
• Initiate a corrective action if the evidence indicates a potential issue
• Controls in which evidence was Accepted or requiring Corrective Action will be sent to Reliability Assurance for review
• Reliability Assurance will review evidence of Control and complete the workflow
OATI – Internal Control Module
• OATI’s Internal Control (IC) Module was developed in response to NERC’s Reliability Assurance Initiative (RAI)
• ITC is one of the companies that worked with OATI on the development of the IC module and actively participated in the beta testing and acceptance testing of the module.
• ITC has worked closely with OATI in the loading of identified controls to the production site
OATI – Internal Control Module
• The IC Module is a flexible workflow tool
• The IC module will allow us to record and track controls as they relate to Reliability Requirements
• The IC Module will allow us to show we have controls in place and that we are following these controls
• Reports can be generated from Summary pages
• Future reports will be developed as needs are identified by the User Community
OATI – Internal Control Module
OATI webCompliance Main Dashboard
OATI – Internal Control Module
Internal Controls Dashboard
OATI – Internal Control Module
Task Summary
OATI – Internal Control Module
Task Screen
OATI – Internal Control Module
Attachment Screen
OATI – Internal Control Module
Graph Workflow Display
OATI – Internal Control Module
Task Screen – Status Change
ITC 2015-2016 Internal Control Roadmap
(1) QTR 1 & 2 2015
• Completed Full-scale Inherent Risk Assessment
• Documented high priority IC’s in OATI (Control Monitoring System)
• Evaluated effectiveness of Internal Controls
• Conducted SME and SO training on OATI
(2) QTR 3 & 4 2015
• Documented formal Inherent Risk Assessment Procedure
• Documented additional high priority IC’s in OATI
• Performed Internal Control evaluations of completed Controls
• Updated Compliance Program Manual to include Internal Controls
(3) QTR 1 & 2 2016
• Standardize IC Evaluation procedure
• Evaluate and refine ICs based on IC reviews
• Update Inherent Risk Assessment
• Develop Reliability Compliance Steering Committee reporting
(4) QTR 3 & 4 2016
• Document medium priority IC’s in OATI
• Develop Metrics & Compliance dashboard
• Evaluate medium priority ICs in OATI
(5) QTR 1 2017
• Evaluate IC program for effectiveness
• Make adjustments as needed
Internal Controls
Questions?