Internal Controls - Southwest Power Pool Key compliance efforts integrated into the Internal Controls

Date posted: 27-Apr-2020

  • Internal Controls

    Presented by Donna Maskil-Thompson, SPP RE Workshop

    03/15/2016

    Property of KC Board of Public Utilities © - PUBLIC - 2016 1

  • Internal Controls

    • The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected.

    Reference - ISACA Glossary (formerly known as Information Systems Audit and Control Association)


  • Internal Control Structure

    The dynamic, integrated processes designed to provide reasonable assurance regarding the achievement of the following general objectives:

    • Effectiveness and efficiency of operations

    • Reliability of management

    • Compliance with applicable laws, regulations and internal policies

    Reference - ISACA Glossary (formerly known as Information Systems Audit and Control Association)


  • Internal Control Structure

    Management’s strategies for achieving these general objectives are affected by the design and operation of the following components:

    • Control environment

    – Integrity

    – Ethical values

    – Competence – Knowledge and Aptitude

    • Information Systems

    • Control procedures

    Reference - ISACA Glossary (formerly known as Information Systems Audit and Control Association)


  • Internal Controls

    • Help achieve operational goals

    • Provide information on progress meeting goals

    – Operating Effectively or are there Exceptions?

    • Can only provide reasonable, not absolute, assurance

    “An internal control cannot change an inherently poor manager into a good one…”

    - COSO (Committee of Sponsoring Organizations of the Treadway Commission) – Internal Controls


  • Where to Start?


    Effective Risk Management + Audit = Compliance

  • Where to Start?

    • What is the Risk?

    • Perform Risk Assessments

    – Perform SWOT Analysis

    – Business Impact Analysis

    – Review Incident Reports


  • SWOT Analysis

    Internal: Strengths, Weaknesses

    External: Opportunities, Threats

    • How do you leverage strengths to minimize impacts of threats?

    • How do you mitigate or remediate weaknesses to avoid threats?

  • BPU Policy Framework

    • Outlines standards and guidance

    • References multiple Authoritative Sources

    – National Institute of Standards and Technology (NIST)

    – COSO (Committee of Sponsoring Organizations of the Treadway Commission)

    – ISACA (formerly known as Information Systems Audit and Control Association)

    • COBIT® 5 – Risk, Process, and Information

    Not a “check the box” approach


  • Using RSAWs

    • Yes, we know – Seriously, use them

    – Maintain and update (quarterly)

    • How are we meeting this requirement? (Self-Assessment)

    • Have the SMEs changed?

    • What are we missing?

    • Identify Training Needs


  • Controls Assessment

    IT General Controls Assessment (columns: Yes / No / Description of Policy, Process or Procedure)

    Program Change Controls – Change Management

    1. Does BPU maintain written procedures for controlling program changes through IT management and programming personnel?

    2. Do program change authorization forms or screens prepared by the user (Change Request) include:

    – Authorizations by management before proposed program changes are made?

    – Testing program changes?

    – IT management and user personnel review and approval of testing methodology and test results?

    3. Does BPU use library control software or other controls to manage source programs and object programs, especially production programs?

    4. Does BPU have procedures for emergency program changes (or program files)?

  • Think like an Auditor

    Manage and Measure your Program like an auditor would

  • Writing Control Objectives

    • What is the objective of this control?

    – Prevent

    – Detect

    – Correct

    • How does it effectively mitigate risk?

    – SMART criteria


  • Monitoring & Controlling – Compliance

    • Perform Quarterly Testing

    • Identify and Correct Defects – SELF REPORT

    • Perform Root Cause Analysis

    • Continuous Improvement – DEMING (Plan, Do, Check, Act)

    – DMAIC (Define, Measure, Analyze, Improve & Control)

    – Kaizen “Change for the Better”

    (Diagram: Leadership, Accountability, Identify Risk, Control Risk, Share Knowledge, Manage Change)

  • Questions?


  • References

    ISACA® and COBIT Online®, www.isaca.org

    Committee of Sponsoring Organizations of the Treadway Commission, www.coso.org

    National Institute of Standards and Technology (NIST), Special Publications, http://csrc.nist.gov/publications/PubsSPs.html

    – NIST 800-12

    – NIST 800-14

    – NIST 800-16

    – NIST 800-34 (R1)

    – NIST 800-37

    – NIST 800-50

    – NIST 800-53 A (Assessment Guide)

    – NIST 800-53 (R4)

    – NIST 800-55

    – NIST 800-60

    – NIST 800-61

    – NIST 800-118

    – Cybersecurity Framework

  • Risk Assessment & Internal Controls ITC’s Implementation

  • Topics

    • Risk Assessment Development

    • Risk Assessment Implementation

    • Overview of Internal Controls

    • The Internal Controls Process

    • ITC’s Internal Controls Program

    • OATI Internal Control Module Overview

    • OATI Internal Control Module Discussion

  • Internal Control Framework – Convergence of Compliance Programs

    Key compliance efforts integrated into the Internal Controls Framework:

    • NERC RAI white papers: Changing self-certification to focus on risk and internal controls

    • Add controls from 2014 Audit Lessons Learned – internal survey

    • Regional Entity self-reporting database – creation of self-logging

    • NERC 13 questions and EIE – define program and demonstrate culture

    • Creation of a Corrective Action Program including schedule of IC reviews (e.g. 3-yr Plan), root cause analysis and lessons learned centrally managed to mitigate SV/AFI/etc.

    • Monitoring Metrics to Reliability Compliance Steering Committee; Self-report high risk IC deficiencies

    (Diagram elements: Internal Controls; Audit Lessons Learned; RAI: Change from Self Certs to IC Reviews; RAI: Self-Reporting Database (TBD); 13 Questions or NERC EIE; Corrective Action Program; Monitoring Metrics & Corp Goals (TBD))

  • NERC Reliability Assurance Initiative (RAI) Program

    “The IRA is a review of potential risks posed by an individual registered entity to the reliability of the bulk power system (BPS).”

    NERC ERO Enterprise Inherent Risk Assessment Guide

  • Risk

    What is risk? The possibility of an event occurring that will have an adverse impact on the achievement of objectives (reliability of the Bulk Electric System).

    How do we measure risk? Risk is measured in terms of likelihood and impact.

    What is a risk assessment? The identification, evaluation, and estimation of the levels of risks involved in a situation, their comparison against benchmarks or standards, and determination of an acceptable level of risk.

  • Inherent Risk Assessment

    Objective of a Risk Assessment Model

    • Identify and prioritize the most important or key areas (what really matters)

    Measure and prioritize risk exposures

    • The higher the risk exposure, the higher the priority

    ITC’s Risk Assessment Model

    • Scores based on 11 key risk indicators that influence the likelihood of the risk event and potential impact

    • Risk score used to prioritize control reviews

    • Full assessment every 3 years; Annual refresh

  • Key Risk Indicators

    • Routine vs. Non-Routine

    • Automation vs. Manual

    • Cross-Functional (Internal)

    • 3rd Party Interaction (External)

    • NERC High Risk Standards