Internal Controls Evaluation Overview

Author: Aron Barber

Introduction

The North American Electric Reliability Corporation (“NERC”) and the Regional Entities (together, the “ERO Enterprise”) continue to transition to a more risk-based compliance monitoring and enforcement approach. To date, the ERO Enterprise has performed its compliance monitoring activities with limited or no consideration towards the risk posed, or not posed, by a specific Registered Entity and risks posed due to interactions between Registered Entities. Rather, two generic instruments have dictated the scoping and timing of compliance monitoring activities: the Actively Monitored List of Reliability Standards (“AML”) and the mandatory compliance audit cycles. Similarly, the ERO Enterprise has had limited discretion when performing its enforcement activities, processing all compliance deficiencies as violations via the Compliance Monitoring and Enforcement Program (“CMEP”) and obtaining final approval through the Federal Energy Regulatory Commission (“FERC”). In the initial era of the ERO Enterprise, i.e., shortly following implementation of mandatory and enforceable Reliability Standards, this approach was acceptable and necessary because the process was still new. Now, the ERO Enterprise has matured such that it is positioned to proactively address reliability risks and adapt within the dynamic nature of the Bulk Power System (“BPS”). The ERO Enterprise seeks to do this through the Reliability Assurance Initiative (“RAI”). The ERO Enterprise’s Risk-based Compliance Oversight Framework (“Framework”) consists of processes that involve reviewing system-wide risk elements, assessing an Entity’s inherent risk, and, on a voluntary basis, an evaluation of an Entity’s internal controls prior to establishing a monitoring plan that is tailored to a particular Entity or group of entities. Figure 1 below illustrates the ERO Enterprise’s transformation from an entity with a static compliance approach to a dynamic one.
Reliability risk is not the same for all registered entities; therefore, this Framework examines BPS risk as well as individual Entity risk to determine the most appropriate CMEP tool to use when monitoring an Entity’s compliance with Reliability Standards. This Framework also promotes examination of how Registered Entities operate. As illustrated by the blue arrows in Figure 1, the Framework focuses compliance monitoring on those areas that pose the greatest risk to BPS reliability. The elements in Figure 1 are dynamic and are not independent; rather, they are complementary and interdependent.

Page 1 of 7 W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L • W W W . W E C C . B I Z 155 NORTH 400 WEST • SUITE 200 • SALT LAKE CITY • UTAH • 84103 • PH 801.582.0353 • FX 801.883.6894

Figure 1: Risk-based Compliance Oversight Framework

What is an internal control?

The most generally accepted definition of the term “internal control” comes from the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”)¹. It is defined as: “…a process, effected by an entity's board of directors, management and other personnel, designed to provide ‘reasonable assurance’ regarding the achievement of objectives…” In the context of the BPS, internal controls refer to processes, procedures, systems, tools or any other resource implemented by an Entity to proactively identify, assess, and minimize the risk of noncompliance with the NERC Reliability Standards and reduce risks to the reliability of the BPS. While internal controls can range in nature and complexity, internal controls are commonly categorized as preventive, detective, or corrective. Examples are provided below:

• Preventive Internal Control: A preventive internal control is designed to prevent an error or event from occurring. An example would be an automated training tracking tool that would not only alert responsible personnel of upcoming training due dates but also automatically send a notification to security staff to revoke access after training has expired.

• Detective Internal Control: A detective internal control is designed to find an error or event that may have occurred. An example would be a Security Information and Event Monitoring (“SIEM”) system that sends an automatic notification when a Cyber Asset does not communicate with a centralized logging server. The SIEM system would detect if an error in a configuration prevents a device from sending its logs to the server where they are monitored for events.

• Corrective Internal Control: A corrective internal control is designed to correct an error or event that may have occurred and return to a normal state. An example of a corrective control is a documented process to periodically verify testing records for protection system devices and promptly testing a device upon discovering that the device has missed maintenance and testing at the due date.

¹ http://www.coso.org/documents/internal%20control-integrated%20framework.pdf
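As an added illustration (not from WECC’s document, NERC, or any SIEM vendor), the following Python script implements the shape of the detective control described above: it tracks the most recent log line received per expected Cyber Asset and flags any asset that has been silent longer than a threshold, as well as any asset that was never seen at all. It also reports hosts that are sending logs but are missing from the inventory. The asset names, log lines, timestamps, the one-hour threshold, and the log line format are all constructed assumptions for the example.

```python
"""Detective control, illustrated: flag Cyber Assets that stopped sending logs.

Added example; not WECC's, NERC's or any vendor's tooling. Every asset name,
log line, timestamp and threshold below is constructed for the illustration.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed inventory of assets that are *expected* to forward logs.
# The expected set must come from the asset inventory, not from the logs:
# a device that never reported would otherwise never be noticed.
EXPECTED_ASSETS = ["rtu-substation-a", "hmi-01", "fw-esp-01", "eacms-jump-01"]

# Constructed sample of lines as received by the central log server
# ("<ISO-8601 UTC timestamp> <hostname> <message>"), including two malformed ones.
SAMPLE_LOG_LINES = [
    "2015-06-01T10:00:05Z rtu-substation-a heartbeat ok",
    "2015-06-01T11:55:10Z hmi-01 user login operator1",
    "2015-06-01T07:02:00Z fw-esp-01 deny tcp 10.0.0.5 -> 10.0.1.9:445",
    "2015-06-01T11:58:30Z rtu-substation-a heartbeat ok",
    "2015-06-01T11:59:59Z not-in-inventory-host some event",
    "garbage",                             # malformed: no timestamp/host split
    "2015-13-99T00:00:00Z hmi-01 bad ts",  # malformed: invalid timestamp
]

# Constructed evaluation time and tolerated silence (assumptions for the example).
NOW = datetime(2015, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
MAX_SILENCE = timedelta(hours=1)


def parse_line(line: str) -> Optional[Tuple[datetime, str]]:
    """Return (timestamp, hostname) for a well-formed line, None for a malformed one."""
    parts = line.split(" ", 2)
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    return ts, parts[1]


def last_seen(lines: List[str]) -> Dict[str, datetime]:
    """Most recent timestamp observed per hostname; malformed lines are skipped."""
    seen: Dict[str, datetime] = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host = parsed
        if host not in seen or ts > seen[host]:
            seen[host] = ts
    return seen


def silent_assets(expected: List[str], lines: List[str], now: datetime,
                  max_silence: timedelta) -> Dict[str, Optional[timedelta]]:
    """Expected assets with no log line within `max_silence` of `now`.

    The value is how long the asset has been silent, or None if it was never seen
    at all (the case a log-derived inventory would miss).
    """
    seen = last_seen(lines)
    silent: Dict[str, Optional[timedelta]] = {}
    for asset in expected:
        ts = seen.get(asset)
        if ts is None:
            silent[asset] = None
        elif now - ts > max_silence:
            silent[asset] = now - ts
    return silent


def unexpected_sources(expected: List[str], lines: List[str]) -> List[str]:
    """Hosts that did report but are not in the inventory: an inventory gap to investigate."""
    return sorted(set(last_seen(lines)) - set(expected))


def run_check() -> Dict[str, Optional[timedelta]]:
    """Evaluate the constructed sample and print one alert line per finding."""
    silent = silent_assets(EXPECTED_ASSETS, SAMPLE_LOG_LINES, NOW, MAX_SILENCE)
    for asset, gap in silent.items():
        if gap is None:
            print(f"ALERT {asset}: no logs ever received")
        else:
            print(f"ALERT {asset}: silent for {gap}")
    for host in unexpected_sources(EXPECTED_ASSETS, SAMPLE_LOG_LINES):
        print(f"NOTICE {host}: reporting but not in inventory")
    return silent


if __name__ == "__main__":
    run_check()
```

On the constructed sample the check raises two alerts: `fw-esp-01` has been silent for almost five hours (the misconfigured-forwarding case the text describes) and `eacms-jump-01` has never reported. The design point is that the expected-asset list is driven by the inventory rather than by the logs; a rule that only watches hosts it has already heard from cannot detect a device that never started forwarding. Evidence that the rule fires, and that someone acted on the alert, is the kind of controls evidence the evaluation steps later in this document ask for.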

WECC’s Internal Controls Evaluation Process

This section describes WECC’s process for evaluating a Registered Entity’s internal controls. The internal controls evaluation (“ICE”) is a voluntary process that is used to further determine the focus and selection of appropriate tools to be used by WECC under the CMEP. In an effective program, an Entity’s internal control components work together to provide reasonable assurance to achieve an organization’s objectives, which, for purposes of this document, refer to compliance with mandatory NERC Reliability Standards. When an Entity undergoes an inherent risk assessment (“IRA”), WECC identifies specific risks (and their associated Reliability Standards) to which the Entity is susceptible. Those risks (and associated NERC Reliability Standards and Requirements) are relevant to the ICE. Effectively designed and implemented internal controls will greatly increase the likelihood that a Registered Entity will be in compliance with NERC’s Reliability Standards. This document describes a method that WECC will use to evaluate the design and effectiveness of an Entity’s internal controls to support the creation of an effective compliance oversight plan, recognizing the need to appropriately scale the internal controls evaluation to take into account the wide range of Entity size and risk characteristics. If an Entity chooses to not provide internal controls information, WECC will use the results of the IRA to scope the Entity’s compliance oversight plan.

WECC ICE Process Flow

The diagram below depicts the process WECC will use during an ICE:

1. Identify scope of ICE
2. Collect internal controls information
3. Test effectiveness of internal controls
4. Determine how well internal controls address risks

A detailed description of each step in WECC’s ICE process is provided below:


Step 1: Identify scope of ICE

During this step, WECC will determine the scope of the ICE process by using the results of the Entity’s IRA. The scope of the ICE will consider risks posed by the Entity due to intrinsic factors such as registered functions and applicable standards. The scope of the ICE will also consider size, geography, technological capability, and past performance.

Step 2: Collect internal controls information

Participating Registered Entities must use WECC’s ICE Template to provide internal controls information to WECC. The template is a spreadsheet outlining WECC identified regional risks, associated NERC standards, and controls information. The template is available from WECC’s website. The completed template must be uploaded using WECC’s EFT Server under the “/ Risk Analysis” folder. It is important to note that in the request for controls information, WECC does not expect the Entity to create anything new. Rather, the Entity should provide information in the ICE Template on what the Entity already does to address the risks and ensure compliance. During this step, WECC will review the completed ICE Template submitted by the Entity and determine the sufficiency, timeliness, and credibility of controls information. If required, WECC may issue further data requests to help WECC complete its review.

Step 3: Test effectiveness of internal controls

During this step, WECC will evaluate the effectiveness of internal controls implemented by an Entity. As part of this evaluation, WECC will test the design and implementation of these controls. WECC’s evaluation will be based on professional auditing standards recognized in the U.S. including Generally Accepted Auditing Standards, Generally Accepted Government Auditing Standards, and standards sanctioned by the Institute of Internal Auditors. If required, WECC may issue further data requests to the Entity during this step in the evaluation.

Step 4: Determine how well controls address risk

During this step, WECC will assess the strength and maturity of controls implemented by the Entity. WECC’s assessment may consider the following factors:

1. Types of controls implemented (i.e., preventive, detective or corrective)
2. Strength of controls evidence submitted
3. Depth of controls documentation
4. Ability to override controls
5. Management supervision and oversight of controls
6. Use of technology (manual versus automated) in implementing the controls
7. Conflict of interest and segregation of duties for personnel implementing the controls

As part of the maturity assessment of internal controls, WECC will identify best practices the Entity is following. These are key areas in which the Entity is proficient and has implemented internal controls that help the Entity detect, prevent, and correct non-compliance with NERC Reliability Standards and foster a reliable BPS. In addition, WECC will identify recommendations for the Entity that could further improve the Entity’s internal controls to ensure reliability of the Entity’s operations and ensure compliance with the NERC Reliability Standards. WECC will prepare and share with the Entity an ICE report containing the internal controls observed, evidence reviewed and maturity of controls along with any best practices and recommendations WECC identifies. In addition, WECC will share the results of the ICE with WECC Cyber Security and Operations and Planning Audits and Investigations teams.

Using Internal Controls Information in Risk-Based Compliance and Enforcement Decisions

WECC will use the results of ICE as an input into WECC’s compliance monitoring and enforcement decision-making activities. This section describes possible benefits of the ICE process for the Registered Entities:

• Feedback on Areas of Strength: WECC may provide feedback on areas where WECC identified the Entity was proficient and had implemented good internal controls that allow the Entity to detect and prevent a violation and foster a reliable BPS.

• Feedback on Areas of Future Improvement: WECC may provide feedback on recommendations for the Entity to strengthen its internal controls related to the risks to the BPS and compliance with the NERC Reliability Standards.

• Customized Audit Scope: As stated above, WECC will provide the WECC Audit Teams with its findings from the ICE process. The Audit Teams will consider these findings when scoping an Audit for the Registered Entity. In its findings, WECC will communicate to the Audit Teams the strength of controls supporting the NERC Reliability Standards. Entities should note that the scope of the audit depends on CIP V5 transition status, Open Enforcement Action status, IRA, and modifications necessary pursuant to applicable NERC and FERC actions.

• Targeted Self-Certifications: WECC may customize or focus self-certifications for Registered Entities based on the Internal Controls Evaluation conclusions.

• Self-Reported Non-Compliance: WECC may consider this information in determining the appropriate disposition method in Enforcement.

• Self-Logging of Minimal Risk Issues: As part of a risk-based approach to enforcement, Registered Entities may earn the ability to log, or aggregate, certain self-identified minimal risk instances of noncompliance. Specifically, the Registered Entity may identify non-compliance, characterize the risk, and implement mitigating actions without going through the formal violation reporting process. Instead, the Registered Entity periodically submits that information in the format directed by WECC for WECC’s review and approval. An Entity can earn this privilege based on factors including, but not limited to, ICE results, compliance history, violation history, and Registered Entity cooperation. The self-log is subject to review at any time by WECC staff.

Please contact Keshav Sarin, Manager of Compliance Risk Analysis, at 801-819-7648 or [email protected], with any questions related to WECC’s Internal Controls Evaluation process.

Appendix A

Frequently Asked Questions

Who is eligible for an Internal Controls Evaluation and when will they be notified?

For 2015, any Entity having an on-site audit in the 3rd or 4th quarter of 2015 is eligible to participate in WECC’s ICE. WECC plans to contact these entities in December 2014 regarding the ICE process and due dates for submitting internal controls information to WECC. For 2016 and beyond, any Entity having an on-site audit is eligible to participate in WECC’s ICE. WECC plans to contact the identified entities throughout 2015 regarding the ICE process and due dates for submitting internal controls information to WECC. WECC recommends these entities start documenting controls using WECC’s ICE Template. Any Entity scheduled for an off-site audit is NOT eligible to participate in WECC’s ICE process at this time. WECC may open the ICE process to these Entities in the future. Currently WECC is not requiring these entities to submit Internal Controls information to WECC.

When does an Entity eligible for ICE need to provide controls information to WECC?

An Entity that is eligible for ICE must fill out WECC’s ICE Template no later than 160 days prior to the on-site audit start date. For example, if an Entity has an on-site audit starting on November 30, 2015, it must complete and submit WECC’s ICE Template by June 23, 2015.

How long does WECC’s internal controls evaluation take to complete?

Considering that ICE is a new process and 2015 is a transition year for RAI, based on the risks and the scope of ICE, WECC anticipates it could take 3-6 weeks to complete the evaluation and provide an ICE report to the Entity.

When will an Entity that underwent an ICE process learn about the audit scope?

There is no change to the audit scope notification process whether or not an Entity undergoes the ICE process. That is, an Entity should expect to receive the audit scope notice no later than 90 days prior to the audit start date.