WECC Internal Controls Evaluation Process WECC Compliance Oversight Effective date: October 15, 2017


155 North 400 West, Suite 200
Salt Lake City, Utah 84103-1114

Table of Contents

1 Introduction
  1.1 Purpose
  1.2 Document Owner
  1.3 Scope
2 ICE Overview
  2.1 WECC ICE Team
  2.2 Entity Participation in ICE Process
3 Process Workflow
  3.1 Identify Scope of ICE
  3.2 Collect Internal Controls Information
  3.3 Assess Internal Controls Design
  3.4 Test the Implementation of Internal Controls
  3.5 Determine Maturity and Effectiveness of Entity's Internal Controls Program to Address Risk
4 Outputs of ICE
  4.1 Utilization of Results
  4.2 Sharing ICE Results with the Entity
  4.3 ICE Process Feedback
5 Revision History
6 References

1 Introduction

This document describes WECC's Process for Internal Controls Evaluation (ICE).

1.1 Purpose

The purpose of this document is to provide guidance to registered entities and WECC staff on WECC's Internal Controls Evaluation process.

1.2 Document Owner

WECC's Director of Compliance Risk Analysis is the owner of this document. The document owner may delegate coordination, but is responsible for:

- Reviewing, editing and updating
- Coordinating revisions across the Oversight Department Management
- Posting the process

1.3 Scope

The WECC ICE process is applicable to United States registered entities within WECC's footprint. WECC's international partners are not implementing the ERO Enterprise's Risk-Based Compliance Monitoring and Enforcement Program at this time.

The ICE process is not intended to determine an entity's compliance with the NERC Reliability Standards. Although unlikely, if during the ICE process WECC observes or discovers an instance of potential noncompliance, WECC will document the facts and circumstances of the potential noncompliance and recommend that the registered entity review it further and determine the necessity of a Self-Report submission to WECC. In the meantime, WECC will assess the risk associated with the potential noncompliance and determine the appropriate action pursuant to the risk-based CMEP. The results of the ICE process do not change any obligation for an entity to be compliant with all NERC Reliability Standards applicable to the entity's functions.

While the ICE process intends to inform the scope of WECC's Compliance Oversight Plan for a particular entity, the ICE should not be interpreted as a limitation on WECC's authority under the NERC Rules of Procedure to conduct any compliance monitoring activities WECC may determine are appropriate.

2 ICE Overview

ICE is a process within NERC's Risk-Based Compliance Oversight Framework. [1] ICE participation is voluntary for registered entities. The main goal of this review is to understand the Registered Entity's internal controls program that prevents, detects, and/or corrects noncompliance with Reliability Standards. [2] The ICE results are an input into the development of the entity's Compliance Oversight Plan (COP). [3] Along with the Inherent Risk Assessment (IRA) results, ICE results are used to further determine the tools, frequency, and scope of monitoring for a Registered Entity.

2.1 WECC ICE Team

The ICE Process is a shared effort of the Compliance Audit Team and the Compliance Risk Analysis Team. WECC relies on the collective experience and professional judgment of the Oversight staff during the ICE process. [4]

2.2 Entity Participation in ICE Process

WECC collaborates with the entity throughout the ICE process to ensure WECC has the current, appropriate, and sufficient information necessary to conduct the ICE and reach accurate conclusions. This collaboration may include phone calls, data requests, interviews, and onsite visits. During the ICE process, WECC will follow the documentation protocols listed in the NERC Internal Controls Evaluation Guide and rely on its professional judgment when gathering information from the entity. Entities are encouraged to provide an accurate and timely response to WECC requests for information.

[1] NERC, ERO Enterprise Guide for Compliance Monitoring. October 2016. p. 1.

[2] In the context of the Risk-Based Compliance Oversight Framework, internal controls are the processes, practices, policies, or procedures, system applications and technology tools, and skilled human capital an entity employs to prevent, detect, and correct noncompliance with Reliability Standards and/or address risks associated with the reliable operation of its business. Examples may include: oversight, risk assessment, control activities, communications, and training and monitoring. Internal controls operate at both an entity or organizational level, as well as an activity or process level. NERC, ERO Enterprise Guide for Internal Controls. December 2016. p. 10.

[3] As defined by NERC, the Compliance Oversight Plan (COP) is a plan consisting of the oversight strategy for a registered entity, including the list of standard requirements for monitoring, the CMEP tool to be used, and the interval of monitoring. Id.

[4] As defined by NERC, professional judgment represents the application of the collective, individual knowledge, skills, and experiences of all the personnel involved with a CMEP activity. Id.

3 Process Workflow

WECC follows five steps during the ICE process:

1. Identify scope of ICE.
2. Collect internal controls information.
3. Assess internal control design.
4. Test the implementation of internal controls.
5. Determine maturity and effectiveness of the Entity's Internal Controls Program to address risk.

3.1 Identify Scope of ICE

During this step, WECC uses the results of the IRA and COP to identify Standards and requirements that will be considered during the ICE. Any previous ICE results will be considered during the review of the COP before identifying new ICE scope. ICE will be performed on requirements that are associated with areas of medium or high inherent risk and have been identified for on-site monitoring based on the IRA and COP processes. Consideration will be given to the NERC and WECC CMEP IP Areas of Focus, performance-based requirements, and other trends noticed during COP review. At the end of this step, WECC notifies the Registered Entity of the Standards and requirements that will be considered for ICE.

3.2 Collect Internal Controls Information

During this step, WECC collects internal controls information from the entity through information requests for the specific Standards and requirements determined to be in ICE scope. WECC will customize requests for information based on internal controls information already available to WECC through the IRA process and past CMEP activities (e.g., mitigation plan review or a prior ICE). Entities participating in the ICE process will receive instruction on how to submit internal controls information to WECC. WECC will evaluate the sufficiency, timeliness, and credibility of the controls information prior to making any decisions about the effectiveness of the internal controls. At the end of this step, WECC has collected the entity's internal controls information relating to the inherent risks and associated requirements in scope of the ICE.

3.3 Assess Internal Controls Design

During this step, WECC evaluates the design of the internal control system as it relates to meeting a specific risk objective. Registered entities may have a variety of preventive, detective, or corrective controls that work together to support the objective of the NERC Reliability Standards. WECC considers internal controls specific to the requirements as well as overarching controls that are considered key controls implemented across all Business Units for ensuring compliance. WECC identifies whether the design of the controls provides reasonable assurance of compliance with the requirement or whether significant deficiencies exist.

3.4 Test the Implementation of Internal Controls [5]

During this step, WECC reviews supporting information that demonstrates that the entity is implementing the internal controls as designed. WECC gathers implementation information through documentation review, direct observation, interviews, or by collecting evidence that demonstrates performance of the control. In most cases, WECC will perform the implementation review concurrently with the entity's scheduled on-site audit. WECC relies on the professional judgment of the Oversight staff to determine the type and amount of information that is needed to provide reasonable assurance that the controls have been implemented.

3.5 Determine Maturity and Effectiveness of Entity's Internal Controls Program to Address Risk

During this step, WECC assesses the type, strength, and maturity of controls implemented by the entity. WECC's assessment may consider the following factors:

- Types of controls implemented (i.e., preventive, detective, or corrective)
- Strength of controls evidence submitted
- Depth of controls documentation
- Ability to override controls
- Management supervision and oversight of controls
- Use of technology (manual versus automated) in implementing the controls
- Conflict of interest and segregation of duties for personnel implementing the controls
- Independent review and testing of internal controls by the entity
- Process for consistent implementation of internal controls

[5] WECC may perform steps 3.3 and 3.4 concurrently or as separate, but closely timed, activities.

Based on these factors, WECC makes decisions about the effectiveness of the internal controls at addressing the risks in the scope of the ICE. WECC documents any design or implementation deficiencies that may prevent the internal controls from meeting their objective.

4 Outputs of ICE

The outputs of the ICE process are:

- A list of assessed internal controls and the results of internal control design and implementation effectiveness
- Impact to the entity's COP based on this review

4.1 Utilization of Results

WECC uses the results of the ICE process to determine whether the entity has implemented internal controls that provide reasonable assurance of compliance with the Standards. WECC considers the IRA, entity performance information, regional risk information, and ICE results during development of the entity's COP. After completing the ICE process, WECC retains relevant documentation that supports the analysis performed during the ICE process. The retained documentation may be used during subsequent reviews or revisions of the entity's ICE.

4.2 Sharing ICE Results with the Entity

After the ICE process is complete, WECC provides the entity with an ICE Report. The ICE Report identifies areas of strength in the entity's internal controls environment and areas for improvement in controls design or implementation. Following the ICE Report, WECC updates the entity's COP based on the results of the ICE process. The COP specifies the compliance oversight tools WECC will use to monitor the entity's risks and associated Standards.

4.3 ICE Process Feedback

Entities will have the opportunity to share feedback with WECC on the ICE process. The feedback should be specific to the ICE process itself, including ideas that WECC may consider to further improve and refine the ICE process. WECC will continue to provide feedback to NERC on lessons learned during the ICE process. WECC's feedback to NERC may include metrics such as the completion of IRAs and ICEs for entities across WECC, how an entity's IRA and ICE impact a scheduled audit, and the average time taken by WECC to initiate and complete IRA and ICE processes before a scheduled or nonscheduled compliance monitoring engagement.

5 Revision History

Revision | Date      | Modified By   | Comments
1        | 6/17/2014 | Keshav Sarin  | Original Version
2        | 10/1/2017 | Jennifer Hart | Updated to align with ERO Enterprise Guide for Internal Controls (December 2016). Clarifies process for gathering controls information, evaluating the effectiveness of controls, and performing periodic revisions to ICE. Removes concept of key controls and partially/largely/fully implemented rating scale.

6 References

- NERC Rules of Procedure
- NERC Overview of the ERO Enterprise's Risk-Based Compliance Monitoring and Enforcement Program
- NERC Annual ERO CMEP Implementation Plan
- NERC ERO Enterprise Guide for Compliance Monitoring
- NERC ERO Enterprise Guide for Internal Controls
- Generally Accepted Government Auditing Standards
- WECC CMEP Implementation Plan