WECC Internal Controls Evaluation Process
WECC Compliance Oversight
Effective date: October 15, 2017
155 North 400 West, Suite 200, Salt Lake City, Utah 84103-1114
Table of Contents
1 Introduction
1.1 Purpose
1.2 Document Owner
1.3 Scope
2 ICE Overview
2.1 WECC ICE Team
2.2 Entity Participation in ICE Process
3 Process Workflow
3.1 Identify Scope of ICE
3.2 Collect Internal Controls Information
3.3 Assess Internal Controls Design
3.4 Test the Implementation of Internal Controls
3.5 Determine Maturity and Effectiveness of Entity's Internal Controls Program to Address Risk
4 Outputs of ICE
4.1 Utilization of Results
4.2 Sharing ICE Results with the Entity
4.3 ICE Process Feedback
5 Revision History
6 References
1 Introduction
This document describes WECC's process for Internal Controls Evaluation (ICE).

1.1 Purpose
The purpose of this document is to provide guidance to registered entities and WECC staff on WECC's Internal Controls Evaluation process.

1.2 Document Owner
WECC's Director of Compliance Risk Analysis is the owner of this document. The document owner may delegate coordination, but is responsible for:
- Reviewing, editing, and updating the process
- Coordinating revisions across Oversight Department management
- Posting the process

1.3 Scope
The WECC ICE process applies to United States registered entities within WECC's footprint. WECC's international partners are not implementing the ERO Enterprise's Risk-Based Compliance Monitoring and Enforcement Program (CMEP) at this time.

The ICE process is not intended to determine an entity's compliance with the NERC Reliability Standards. Although unlikely, if during the ICE process WECC observes or discovers an instance of potential noncompliance, WECC will document the facts and circumstances of the potential noncompliance and recommend that the registered entity review it further and determine whether a Self-Report must be submitted to WECC. In the meantime, WECC will assess the risk associated with the potential noncompliance and determine the appropriate action pursuant to the risk-based CMEP. The results of the ICE process do not change an entity's obligation to comply with all NERC Reliability Standards applicable to its functions.

While the ICE process is intended to inform the scope of WECC's Compliance Oversight Plan for a particular entity, the ICE should not be interpreted as limiting WECC's authority under the NERC Rules of Procedure to conduct any compliance monitoring activities WECC determines are appropriate.
2 ICE Overview
ICE is a process within NERC's Risk-Based Compliance Oversight Framework. [1] ICE participation is voluntary for registered entities. The main goal of this review is to understand the Registered Entity's internal controls program that prevents, detects, and/or corrects noncompliance with Reliability Standards. [2] The ICE results are an input into the development of the entity's Compliance Oversight Plan (COP). [3] Along with the Inherent Risk Assessment (IRA) results, ICE results are used to further determine the tools, frequency, and scope of monitoring for a Registered Entity.

2.1 WECC ICE Team
The ICE process is a shared effort of the Compliance Audit Team and the Compliance Risk Analysis Team. WECC relies on the collective experience and professional judgment of the Oversight staff during the ICE process. [4]

2.2 Entity Participation in ICE Process
WECC collaborates with the entity throughout the ICE process to ensure WECC has the current, appropriate, and sufficient information necessary to conduct the ICE and reach accurate conclusions. This collaboration may include phone calls, data requests, interviews, and onsite visits. During the ICE process, WECC will follow the documentation protocols listed in the NERC Internal Controls Evaluation Guide and rely on its professional judgment when gathering information from the entity. Entities are encouraged to provide accurate and timely responses to WECC requests for information.

Footnotes:
[1] NERC, ERO Enterprise Guide for Compliance Monitoring, October 2016, p. 1.
[2] In the context of the Risk-Based Compliance Oversight Framework, internal controls are the processes, practices, policies, or procedures; system applications and technology tools; and skilled human capital an entity employs to prevent, detect, and correct noncompliance with Reliability Standards and/or address risks associated with the reliable operation of its business. Examples may include oversight, risk assessment, control activities, communications, training, and monitoring. Internal controls operate at both an entity or organizational level and an activity or process level. NERC, ERO Enterprise Guide for Internal Controls, December 2016, p. 10.
[3] As defined by NERC, the Compliance Oversight Plan (COP) is a plan consisting of the oversight strategy for a registered entity, including the list of Standard requirements for monitoring, the CMEP tool to be used, and the interval of monitoring. Id.
[4] As defined by NERC, professional judgment represents the application of the collective and individual knowledge, skills, and experiences of all the personnel involved with a CMEP activity. Id.
3 Process Workflow
WECC follows five steps during the ICE process:
1. Identify scope of ICE.
2. Collect internal controls information.
3. Assess internal controls design.
4. Test the implementation of internal controls.
5. Determine maturity and effectiveness of the entity's internal controls program to address risk.

3.1 Identify Scope of ICE
During this step, WECC uses the results of the IRA and COP to identify the Standards and requirements that will be considered during the ICE. Any previous ICE results will be considered during the review of the COP before new ICE scope is identified. ICE will be performed on requirements that are associated with areas of medium or high inherent risk and have been identified for on-site monitoring based on the IRA and COP processes. Consideration will be given to the NERC and WECC CMEP Implementation Plan (IP) Areas of Focus, performance-based requirements, and other trends noticed during COP review. At the end of this step, WECC notifies the Registered Entity of the Standards and requirements that will be considered for ICE.

3.2 Collect Internal Controls Information
During this step, WECC collects internal controls information from the entity through information requests for the specific Standards and requirements in the ICE scope. WECC will tailor its requests based on internal controls information already available to WECC through the IRA process and past CMEP activities (e.g., mitigation plan review or a prior ICE). Entities participating in the ICE process will receive instruction on how to submit internal controls information to WECC. WECC will evaluate the sufficiency, timeliness, and credibility of the controls information before making any decisions about the effectiveness of the internal controls. At the end of this step, WECC has collected the entity's internal controls information relating to the inherent risks and associated requirements in the scope of the ICE.
3.3 Assess Internal Controls Design
During this step, WECC evaluates the design of the internal control system as it relates to meeting a specific risk objective. Registered entities may have a variety of preventive, detective, or corrective controls that work together to support the objective of the NERC Reliability Standards. WECC considers internal controls specific to the requirements as well as overarching controls, considered key controls, that are implemented across all business units to ensure compliance. WECC identifies whether the design of the controls provides reasonable assurance of compliance with the requirement or whether significant deficiencies exist.

3.4 Test the Implementation of Internal Controls [5]
During this step, WECC reviews supporting information that demonstrates the entity is implementing the internal controls as designed. WECC gathers implementation information through documentation review, direct observation, interviews, or by collecting evidence that demonstrates performance of the control. In most cases, WECC will perform the implementation review concurrently with the entity's scheduled on-site audit. WECC relies on the professional judgment of the Oversight staff to determine the type and amount of information needed to provide reasonable assurance that the controls have been implemented.

3.5 Determine Maturity and Effectiveness of Entity's Internal Controls Program to Address Risk
During this step, WECC assesses the type, strength, and maturity of the controls implemented by the entity. WECC's assessment may consider the following factors:
- Types of controls implemented (i.e., preventive, detective, or corrective)
- Strength of the controls evidence submitted
- Depth of controls documentation
- Ability to override controls
- Management supervision and oversight of controls
- Use of technology (manual versus automated) in implementing the controls
- Conflict of interest and segregation of duties for personnel implementing the controls
- Independent review and testing of internal controls by the entity
- Process for consistent implementation of internal controls

[5] WECC may perform steps 3.3 and 3.4 concurrently or as separate, but closely timed, activities.
Based on these factors, WECC makes decisions about the effectiveness of the internal controls at addressing the risks in the scope of the ICE. WECC documents any design or implementation deficiencies that may prevent the internal controls from meeting their objective.

4 Outputs of ICE
The outputs of the ICE process are:
- A list of the assessed internal controls and the results of the internal controls design and implementation effectiveness evaluation
- The impact to the entity's COP based on this review

4.1 Utilization of Results
WECC uses the results of the ICE process to determine whether the entity has implemented internal controls that provide reasonable assurance of compliance with the Standards. WECC considers the IRA, entity performance information, regional risk information, and ICE results during development of the entity's COP. After completing the ICE process, WECC retains relevant documentation that supports the analysis performed during the ICE. The retained documentation may be used during subsequent reviews or revisions of the entity's ICE.

4.2 Sharing ICE Results with the Entity
After the ICE process is complete, WECC provides the entity with an ICE Report. The ICE Report identifies areas of strength in the entity's internal controls environment and areas for improvement in controls design or implementation. Following the ICE Report, WECC updates the entity's COP based on the results of the ICE process. The COP specifies the compliance oversight tools WECC will use to monitor the entity's risks and associated Standards.

4.3 ICE Process Feedback
Entities will have the opportunity to share feedback with WECC on the ICE process. The feedback should be specific to the ICE process itself, including ideas that WECC may consider to further improve and refine the ICE process. WECC will continue to provide feedback to NERC on lessons learned during the ICE process. WECC's feedback to NERC may include metrics such as the completion of IRAs and ICEs for entities across WECC, how an entity's IRA and ICE affect a scheduled audit, and the average time taken by WECC to initiate and complete the IRA and ICE processes before a scheduled or nonscheduled compliance monitoring engagement.
5 Revision History
Revision | Date      | Modified By   | Comments
1        | 6/17/2014 | Keshav Sarin  | Original version.
2        | 10/1/2017 | Jennifer Hart | Updated to align with the ERO Enterprise Guide for Internal Controls (December 2016). Clarifies the process for gathering controls information, evaluating the effectiveness of controls, and performing periodic revisions to the ICE. Removes the concept of key controls and the partially/largely/fully implemented rating scale.

6 References
- NERC, Rules of Procedure
- NERC, Overview of the ERO Enterprise's Risk-Based Compliance Monitoring and Enforcement Program
- NERC, Annual ERO CMEP Implementation Plan
- NERC, ERO Enterprise Guide for Compliance Monitoring
- NERC, ERO Enterprise Guide for Internal Controls
- Generally Accepted Government Auditing Standards
- WECC, CMEP Implementation Plan