Internal Controls Procedure

Transcription

1 Internal Controls Procedure September 30, 2017 MON Bayport Drive, Suite 600 Tampa, Florida (813) Phone (813) Fax

2

3 Table of Contents Page 3 of 7 Page 1.0 Purpose and Scope Purpose Scope Background Terms and Definitions Responsibilities Procedure Owner Procedure Reference Section... 7

4 Page 4 of Purpose and Scope 1.1 Purpose This procedure provides the steps to be taken by FRCC s Compliance Staff necessary to perform an internal controls review during compliance monitoring activities of a Registered Entity (entity). This review may inform FRCC s development of the entity Compliance Oversight Plan (COP). It will use the output of the Inherent Risk Assessment (IRA) to determine the potential standards and requirements for review. This document covers tools to be used. 1.2 Scope 2.0 Background This procedure applies to the performance of internal controls review by the Compliance Monitoring team within FRCC. 2.1 Terms and Definitions Preventive controls controls established as the first line of defense since they are designed to prevent the fault/error from occurring. This type of controls will prevent a determined consequence, issue, threat, loss, or harm from occurring Detective controls controls designed to detect the potential error condition or fault after it has occurred, or identify instances where practices or procedures were not followed Corrective controls controls designed to correct the error condition or fault after it has been detected. These controls restore the system or the process back to a stable state prior to the error condition. They fix the problem during, or immediately after, the issue has occurred minimizing the impact Compliance Oversight Plan (COP) A plan consisting of the oversight strategy for a registered entity, including the list of Standard requirements for monitoring, the CMEP tool to be used, and the interval of monitoring. 1 NERC ERO Enterprise Guide for Internal Controls Version 2

5 Page 5 of Responsibilities 3.1 Procedure Owner This procedure is the responsibility of the FRCC Manager of Critical Infrastructure Protection (CIP) and FRCC Manager of Operations and Planning (O&P) to maintain as necessary to keep the procedure current with the latest North American Electric Reliability Corporation (NERC) Rules of Procedure - Compliance Monitoring and Enforcement Program Appendix 4C and established FRCC procedures The review of this procedure will be performed when changes to departmental or NERC Rules of Procedure occur and have a potential impact to this processing. In addition, a review will be performed at least once every three (3) years from the last update. The review shall be documented in the Review/Modification section of this document This procedure will be approved by the FRCC Manager of CIP Monitoring, the FRCC Manager of O&P Monitoring, and the VP Compliance, Enforcement and Reliability Performance. 4.0 Procedure 4.1 At least ninety days before the audit start date, the Audit Team Lead (ATL) in concert with the manager, will review the entity s COP to determine the Standards/Requirements to be included for internal control review during the audit. 4.2 The ATL shall ensure that the Audit Notification letter (ANL) includes the Standard(s) /Requirement(s) selected for internal controls review. 4.3 The day after the ANL is sent to entity, the ATL will conference with the entity s Primary Compliance Contact (PCC) on the expectations of the internal controls review and suggest the entity upload any internal controls supporting documentation for those Standard(s)/Requirement(s) selected for review. 4.4 The audit team shall review internal controls supporting documentation during the time period allowed for pre-audit review and on-site audit review. The review of internal controls may include inquires, on-site interviews, observations,

6 Page 6 of 7 inspection of documentation and records, review the work of others and direct tests. 4.5 The ATL may issue an appropriate information request if additional information is required. 4.6 The ATL and audit team should complete an assessment of the entity s internal controls using the Internal Control Review Worksheet to determine the effectiveness of the controls. The assessment may include, but is not limited to, a review of the following: Automation of the internal controls Compensating and supporting internal controls Entity identification of key controls Level of available internal controls documentation Peer review of key controls within the registered entity Feedback on controls design processes (are there reviews of the control design from others in the entity) Registered entity s internal review and testing of existing internal controls Frequency of execution Maturity of internal controls (length of time in use)

7 Page 7 of The audit team will use a binary effective/not effective method for assessing internal control implementation effectiveness. 4.8 The initial on-site internal control assessment will be included in the Audit Exit presentation. 4.9 On completion of the on-site audit, the ATL in coordination with the FRCC Risk Assessment and Mitigation (RAM) representative will finalize the assessment The ATL will call the entity and coordinate the method of delivery (face-to-face, WebEx, etc.) of the final Internal Controls assessment 4.11 The ATL will provide a copy of the final Internal Controls assessment to the RAM group for consideration for the entity s next Inherent Risk Assessment. 5.0 Reference Section 5.1 NERC ERO Enterprise Guide for Internal Controls Version 2, September, 2017.