Internal Controls Evaluation (ICE)
RAM-102
September 28, 2017

Florida Reliability Coordinating Council (FRCC)
3000 Bayport Drive, Suite 600, Tampa, Florida 33607-8411
Phone (813) 289-5644, Fax (813) 289-5646
www.frcc.com
Table of Contents (Page 3 of 8)
1.0 Purpose and Scope ... 4
1.1 Purpose ... 4
1.2 Scope ... 4
2.0 Background ... 4
2.1 Terms and Definitions ... 4
3.0 Responsibilities ... 5
3.1 Procedure Owner ... 5
4.0 Procedure ... 5
5.0 Reference Section ... 7
Appendix A Using the Work of Others ... 8
Overview ... 8
Evaluation ... 8
1.0 Purpose and Scope

1.1 Purpose
This procedure provides the steps to be taken by FRCC Risk Assessment and Mitigation (RAM) Specialist(s) to perform an Internal Controls Evaluation (ICE) for a Registered Entity (entity). The ICE is performed upon request from an entity. It uses the output of the Inherent Risk Assessment (IRA) to determine the standards and requirements that are candidates for review. This document also identifies the tools to be used.

1.2 Scope
This procedure applies to the performance of Internal Controls Evaluations by the RAM team within FRCC.

2.0 Background

2.1 Terms and Definitions [1]
2.1.1 Preventive controls: controls established as the first line of defense, designed to stop a fault or error from occurring. These controls prevent a determined consequence, issue, threat, loss, or harm from occurring.
2.1.2 Detective controls: controls designed to detect a potential error condition or fault after it has occurred, or to identify instances where practices or procedures were not followed.
2.1.3 Corrective controls: controls designed to correct the error condition or fault after it has been detected. These controls restore the system or process to the stable state that existed before the error condition. They fix the problem during, or immediately after, the issue has occurred, minimizing its impact.

[1] NERC ERO Enterprise Guide for Internal Controls, Version 2
3.0 Responsibilities

3.1 Procedure Owner
3.1.1 The FRCC Manager of Risk Assessment and Mitigation is responsible for maintaining this procedure as necessary to keep it current with the latest North American Electric Reliability Corporation (NERC) Rules of Procedure, Compliance Monitoring and Enforcement Program (Appendix 4C), and established FRCC procedures.
3.1.2 This procedure will be reviewed when changes to departmental procedures or the NERC Rules of Procedure occur that have a potential impact on this process. In addition, a review will be performed at least once every three (3) years from the last update. Each review shall be documented in the Review/Modification section of this document.
3.1.3 This procedure will be approved by the FRCC Manager of Risk Assessment and Mitigation, the FRCC Director of Enforcement, Risk Assessment and Mitigation, and the VP Compliance, Enforcement and Reliability Performance.

4.0 Procedure
4.1 Within thirty days of receipt of the request for an ICE, the RAM Specialist will use the output from the IRA to review the list of Standards/Requirements identified as moderate or high risk, and will collaborate with the entity to determine the Standards/Requirements to be included in the ICE. FRCC will only perform an ICE for selected moderate and high-risk requirements as identified in the IRA.
4.2 When selection of the Standards/Requirements is complete, the RAM Specialist will notify the entity by email, attaching the Registered Entity Internal Controls by Standard worksheet (worksheet) and the ICE Entity Guide (guide). The guide provides the entity with instructions for completing the worksheet. The email is to contain instructions for returning the completed worksheet and any supporting materials to the FRCC Secure Transfer site within 15 days.
4.3 Within 15 days of receiving the worksheet, the RAM Specialist will review the information provided to determine whether any further information is required. If further information is required, the RAM Specialist will issue the appropriate information request.
4.4 The entity may provide the work of others as part of its response, as evidence that internal controls are implemented and functioning as documented (see Appendix A, Using the Work of Others).
4.5 Within ninety days, the RAM Specialist will perform an assessment of the entity's internal controls using the ICE Worksheet to determine the effectiveness of the controls. The assessment will include, but is not limited to, the following:
- Automation of the internal controls
- Compensating and supporting internal controls
- Entity identification of key controls
- Level of available internal controls documentation
- Peer review of key controls within the registered entity
- Feedback on control design processes (whether others in the entity review the control design)
- Registered entity's internal review and testing of existing internal controls
- Frequency of execution
- Maturity of internal controls (length of time in use)
4.6 The RAM Specialist will assess and rate the quality of the preventive, detective, and corrective controls using one of the following options:
Fully Implemented (FI): Controls are in effect 24x7 and will prevent, detect, or correct the determined consequence. The entity has implemented many controls that directly prevent, detect, or correct the consequence. The entity has provided evidence of implementation of these controls, and the review confirms that the controls have been implemented. The entity's personnel are very well trained on these controls. Controls cannot be overridden without management being notified and the issue being resolved.
Largely Implemented (LI): Controls are in effect most of the time and could prevent, detect, or correct the determined consequence. The entity has implemented many controls that could directly prevent, detect, or correct the consequence. The review, whether based on evidence provided by the entity, a site visit, or an interview with the entity, has provided evidence of the implementation. The entity's personnel are generally trained on these controls.
Partially Implemented (PI): The entity has implemented some controls, but either they are not in effect at all times or the controls are weaker (i.e., they could only indirectly affect the consequence). Some reasonable assurance has been identified to indicate that these controls have been implemented. The entity's personnel are aware of these controls.
Not Implemented (NI): The entity has some controls defined, but no assurance has been identified to indicate that they have been implemented. Not all entity personnel are aware of the controls.
Missing: The entity does not have any controls that could directly prevent the consequence. The reviewer strongly believes that no controls have been implemented. The entity's personnel are not aware of any controls.
Not Applicable: Preventive controls are not applicable to this requirement. This rating is uncommon.
4.7 The RAM Specialist will document the results of the ICE using the ICE worksheet.
4.8 Once the assessment has been completed, the RAM Specialist will populate the ICE Summary Report and update the entity's IRA worksheets. The report is then shared with the FRCC Monitoring representative to inform potential updates to the Compliance Oversight Plan (COP).
4.9 Upon completion of the Monitoring review, the RAM Specialist will call the entity to coordinate the method of delivery (face-to-face, WebEx, etc.) of the ICE Summary Report, deliver the report to the entity within 15 days of completion, and supply the entity with a written copy of the results.

5.0 Reference Section
5.1 NERC ERO Enterprise Inherent Risk Assessment Guide, October 2014
5.2 NERC ERO Enterprise Internal Control Evaluation Guide, October 2014
5.3 NERC ERO Enterprise Guide for Internal Controls, Version 2, September 2017
Appendix A Using the Work of Others

Overview
Many entities employ an independent team to assess compliance with their risk management strategy, which includes adherence to NERC Reliability Standards. An independent internal control evaluation may be conducted by a specialist; by a government entity (such as the Government Accountability Office or the Nuclear Regulatory Commission); by a contractor commissioned by the entity as a disinterested third party; or by an internal department within the entity that is independent of the department performing reliability standards operations.

Evaluation
If a registered entity seeks to have the RAM Specialist rely on the work of others, the RAM Specialist may review the independence, capabilities, and competencies of the individuals performing the review, and any relevant documentation related to the assessment itself, for consideration as part of the ICE assessment. In addition, the RAM Specialist will review the work of others, including analyses, reports, etc., to determine its impact on the assessment. The information regarding an entity's independent review will be gathered when the entity supplies its response to the ICE Registered Entity Internal Controls by Standard worksheet. Any additional information requests will be sent to the entity as necessary.