
Internal Controls Practices Group, September 30, 2020, Travis - PowerPoint PPT Presentation




  2. Internal Controls Practices Group, September 30, 2020. Travis English, Training & Outreach Specialist

  3. Antitrust Statement
     ▪ All WECC meetings are conducted in accordance with the WECC Antitrust Policy and the NERC Antitrust Compliance Guidelines. All participants must comply with the policy and guidelines.
     ▪ This meeting is public — confidential or proprietary information should not be discussed in open session. Please contact WECC legal counsel if you have any questions.

  4. Agenda
     1. Welcome, Introductions
     2. Review WECC Antitrust Policy
     3. Opening Remarks — Ruchi Shah, WECC
     4. Internal Controls Overview — Jennifer Hart & Sherri Palmer, WECC
     5. Interactive Group Exercises
     6. Entity Practice Sharing — Chris Johnson, WAPA
     7. Facility Ratings Risk and Identified Problems — Hashir Ahmad and Jay Loock, WECC
     8. Question and Answer
     9. Wrap-up

  5. Welcome, September 30, 2020. Ruchi Shah, Director of Entity Risk Assessment & Registration

  6. Welcome
     ▪ Working from Home Safety!
       • Remove obstructions on floor
       • Check your fire alarms
       • Escape plan in case of fire
       • Take breaks and stretch

  7. Internal Controls Practices Group
     ▪ Interactive event
     ▪ Platform to share best practices
     ▪ Risk and Controls discussions
     ▪ Wrap up by 4:00 p.m. MDT

  8. Contact: Ruchi Shah, Director of Entity Risk Assessment & Registration, rshah@wecc.org

  9. Internal Controls Practices Group, September 30, 2020. Jennifer Hart, Risk Assessment Analyst; Sherri Palmer, Senior Internal Controls Specialist


  12. Business Objectives, Risks, and Internal Controls (flow diagram)
     Business goals and objectives identified → Risks identified and assessed → Processes and Internal Controls created → Internal Controls implemented and operating → Internal Controls monitored, evaluated, and improved → Business goals and objectives achieved
     Note: Discussions relating to financial reporting objectives are not included in today’s webinar.

  13. What is Internal Control?
     ▪ A process
     ▪ Effected by people
     ▪ Actions and supporting technology at all levels
     ▪ Gives reasonable assurance of —
       • Efficiency and effectiveness of operations
       • Successful compliance
       • Reliability and security

  14. ERO Definition of Internal Control
     The processes, practices, policies or procedures, system applications, technology tools, and skilled human capital an entity uses to prevent, detect, and correct noncompliance with Reliability Standards and address risks to the reliable operation of its business.

  15. Three Control Types (table)
     Preventative: Segregation of duties; Access privileges; Passwords; Physical control over assets; Employee training; Security awareness
     Detective: Reconciling two datasets; Reviewing data for appropriateness; Conducting physical equipment/element counts
     Corrective: Patching a system; Data backups used to restore a system; Data validity check — may require user to re-enter data if value is outside of parameters

  16. Control Types
     ▪ Manual Controls
     ▪ IT Dependent Manual Controls
     ▪ Cybersecurity and IT Controls
     ▪ Application Controls
     ▪ Physical and Environmental Controls

  17. Internal Control Objectives (diagram)
     ▪ Validity of data
     ▪ Accurate and complete reports
     ▪ Input, process, and output of applications
     ▪ Segregation of responsibilities
     ▪ Reviews and approvals
     ▪ Access controls
     ▪ Security of assets
     ▪ Timeliness
     ▪ Reconciliation
     ▪ Review of operations
     ▪ Other — must be tailored

  18. Benefits
     ▪ Measure Risk Management Effectiveness
     ▪ Accountability
     ▪ Achieve Objectives
     ▪ Adherence to Policy
     ▪ Transparency in Compliance
     ▪ Accuracy and Completeness
     ▪ Reliability and Security of BPS
     ▪ Safeguard Assets


  21. Three Lines of Defense (diagram)
     Governing Bodies / Board / Audit Committee; Senior Management
     1st Line of Defense (functions own & manage risk): Management Control; Internal Control Activities (Operational Processes, Internal Control, Security)
     2nd Line of Defense (functions oversee risks): Risk Management; Legal; Compliance; Roles & Responsibilities
     3rd Line of Defense (functions provide independent oversight): Internal Audit; External Audit; Regulators

  22. 1st Line of Defense: Operational Management
     ▪ Functions that own and manage risk
     ▪ Maintain effective internal control
     ▪ Execute risk and day-to-day control
     ▪ Identify, assess, control, and mitigate risks
     ▪ Guide development and implementation of policies, processes, procedures
     ▪ Implement detailed procedures and Internal Controls
     ▪ Supervise execution

  23. 2nd Line of Defense: Functions That Oversee Risks
     ▪ Risk management, Internal Control, and compliance functions
     ▪ Ensure first line is properly designed, in place, and operating as intended
     ▪ Support policies and define roles and responsibilities
     ▪ Set goals for implementation
     ▪ Provide framework
     ▪ Help management develop processes and controls to mitigate risks and manage issues

  24. 3rd Line of Defense: Provide Independent Assurance
     ▪ Include internal audit, external auditors, and external regulators
     ▪ Broad range of objectives
     ▪ All elements of frameworks
     ▪ Essential governance requirement for all organizations
     ▪ Important for large, medium, and small organizations
     ▪ Ensures effective governance and risk management, Internal Control, and compliance processes


  26. Assignment and Coordination are Essential (diagram)
     Because risk management and controls specialization are being spread across multiple teams, Risk & Internal Control skill specialties include: Internal Controls Specialists; Security Specialists; Risk Analysts; Internal Auditors; Compliance Officers; Quality Inspectors

  27. The Stakes Are High
     ▪ Limited resources may not be deployed effectively
     ▪ Significant risks may not be identified or managed appropriately
     ▪ Communications among groups could become gridlocked and focus on whose job it is to accomplish a certain task
     ▪ It’s not enough that risk and Internal Control functions exist!
       • Challenge to assign specific roles and coordinate responsibilities
       • Must ensure no gaps in controls nor duplication of coverage

  28. Internal Controls Program

  29. A Chat About Tailoring


  31. Reasonable Assurance of Achievement (diagram)
     Entity Strategic Direction & Objectives:
       • Goals & Values
       • Efficient & Effective Operations
       • Reliability & Security of the BPS
       • Successful Compliance
     Risk Management:
       • Business Risks
       • Operational Risks
       • Technology Innovation & Emerging Risks
       • Compliance Risk
     Control Objectives: form a basis for determining how risks should be mitigated through the design and implementation of Internal Controls
     Control Activities: must be designed and operating effectively


  34. Identifying & Designing Internal Controls (diagram, with a Facility Ratings Process example)
     Understanding of Process & Activities:
       • Obtain/walk through the process
       • Identify who is performing each step
       • What is involved in each step
       • When does step take place
       • Identify resulting documentation and reports
       • Identify systems
       • Identify control owners
     Risk Identified: Facility Ratings Are Not Accurate; Potential Errors Identified; Emerging Risks
     Control Objective: Only Valid Facility Ratings Must Be Approved & Communicated
     Determine if Existing Controls are Sufficient:
       • If Control Objectives not met or controls are ineffective - design new or improve controls
       • Consider Preventative vs. Detective Controls & combinations, frequency of control, manual or automated, cost vs benefit
     Document Associated Processes, Standards, Owners; Identify Control Activities:
       • Draft Process Narrative/Flowchart/Key Controls (keep it brief)
       • Draft Risk, Objective, Control, Control Owner Mapping Matrices
       • Identify Controls to be tested
     Document Policies & Procedures:
       • Ensure Policies and Procedures are aligned with risks and controls

  35. Failure Points and Guidance Questions: www.wecc.org/Pages/Compliance-UnitedStates.aspx

  36. Failure Point Development Process
     ▪ Failure Points identify potential risks
     ▪ Cross-functional effort within WECC
       • Based on a Process Failure Modes and Effects Analysis (PFMEA) process
       • Experience of WECC subject matter experts
       • Data analysis and root cause trends
     ▪ Risk assessment is a dynamic and iterative process
     ▪ Industry feedback is welcome!
       • Send your comments to InternalControls@wecc.org

  37. Example FAC-008-3 Failure Point
     ▪ Potential Failure Point (R1): Failure to develop a process for identifying the most limiting element in a Facility.
       • How does [the entity] identify the most limiting element in a Facility?
     ▪ Potential Failure Point (R1): Failure to train personnel on developed Facility Ratings.
       • How does [the entity] identify which new hires might be subject to this requirement?
       • How does [the entity] ensure that existing personnel are identified for training?
       • What about internal transfers from one role to another?
     Source: Internal Controls Failure Points - Guidance Questions FAC-008-3, February 2020
