Internal Controls Assessment
Ruchi Shah, Director, Risk Assessment & Mitigation
Deb McEndaffer, Director, Compliance Monitoring

Agenda
  • Internal controls assessment framework
  • Benefits of Internal Controls Evaluation (ICE) process & Timelines
  • New Initiative for Internal Controls
  • Expectations regarding Internal Controls during audit
  • Internal Controls at audit without ICE
  • Frequently Asked Questions

Internal Controls Assessment Framework

Benefits of Internal Controls
  • Helps identify the gaps in the existing process.
  • WECC gets reasonable assurance of future compliance.
  • Helps determine the frequency and type of monitoring.
  • Fewer Areas of Concern and more recommendations for further strengthening the controls.

ICE Process & Timelines
  • RAM accepts the request
  • RAM identifies the scope of ICE
150 days prior to the audit
120 days prior to audit
  • Entity provides Internal Controls summary
  • RAM performs design review of Internal Controls
30 days prior to audit
During Audit
  • Audit team performs implementation review.
  • RAM drafts the report and shares with the Entity
60 days after the audit
30 days after entity comments
  • WECC Finalizes the Report

Expectation from Entity
  • During Internal Controls summary submission
      – Provide summary of Risk and Controls for Standard and Requirement in scope of ICE
      – Provide general controls to explain your Internal Controls Program
  • During Design Review
      – Allow your SMEs responsible for control design to participate during phone conversation
      – Be prepared to share/show support documentation that describes the control design in detail

Expectation from Entity
  • During Implementation Review
      – Interviews with SMEs to verify the implementation of designed controls
      – Occasional walkthroughs to check for automated controls
  • During Draft report Review
      – If there is additional detail that was not discussed/requested, please provide that
      – Focus on the considerations provided for future improvements

New Initiative for Internal Controls

New Initiative for Internal Controls
Internal controls practice group

Highlights – Internal controls practice group
Purpose
Serve as an industry platform to have WECC and industry thought leaders share good practices regarding development and sustainability of internal controls program, specifically for the NERC Reliability Standards.

Highlights – Internal controls practice group
Key Objectives
  • To facilitate/offer specific guidance on the implementation of Internal Controls Program.
  • To increase industry knowledge of the NERC Internal Controls Guide
  • To build a common understanding of Internal Controls terminology
  • To build a catalogue of industry good practices of internal controls suitable to reduce operational risk

Expectations of Internal Controls during audit
  • Required by GAGAS
  • Since it is possible for an entity to be compliant with the Standards and requirements without the implementation of effective internal controls, there will not be any noncompliance if an entity fails to show implementation of the designed controls.

Internal Controls at Audit without ICE
  • Auditors may conduct interviews, walkthroughs or ask for specific documentation to check the implementation of controls when there is an Area of Concern (AoC). The objective is to understand if the controls will help you ensure you meet your compliance objectives or what recommendations to make.
  • Likewise, if strong internal controls are demonstrated to be repeatable and sustainable, they could be considered in future COP.

FAQ
  • Why was I audited on a particular Standard and Requirement even though WECC informed me that I had strong internal controls?
      – High Inherent Risk
      – Changes to the Standard and Requirement
      – Regional Risk identified for that Standard and Requirement
  • Why does audit team ask about internal controls if I did not volunteer for ICE?
      – GAGAS.
      – To determine if there are areas in which they could make recommendations for better reliability or security.
      – To learn best practices that can be shared with other WECC Entities and reinforce your good practices.

Thank You
Ruchi Shah, Ph: 801-883-6881, rshah@wecc.biz
Deb McEndaffer, Ph: 801-819-7699, dmcendaffer@wecc.biz