NERC Task Force Members Talk Internal Controls Improvements
ERO Planning Systemwide Approach to Controls Audits


Speakers at the Texas RE webinar said the COSO model, based on the Government Accountability Office's Standards for Internal Control in the Federal Government, "fits in well" with regional entities' audit approach.
Members of the ERO's Internal Controls Task Force shared the group's progress toward creating a systemwide approach to internal controls audits.

Entities should be “prepared to discuss internal controls at [a] deeper level” during compliance audits and show regional entity staff how they plan to address reliability risks, members of a NERC task force said in a webinar hosted by the Texas Reliability Entity. 

Speaking in the regular Talk with Texas RE webinar Sept. 9, William Braun, Texas Reliability Entity’s senior risk assessment analyst, and Molly Elliott, senior technical analyst for oversight planning at WECC, discussed the importance of internal controls for registered entities and how the ERO’s thinking on the issue has evolved in recent years. 

Elliott is co-chair, and Braun is a member, of the Internal Controls Task Force, an organization comprising members from NERC and all six REs. The group includes auditors, risk practitioners, managers and others “from either an audit or risk discipline,” Elliott said. 

The purpose of internal controls is to anticipate and address risks that could affect the compliance of a registered entity, along with risks that do not necessarily affect compliance but could impact the entity’s reliability. The ERO considers internal controls a useful index for a registered entity’s overall level of risk, Braun said, with strong internal controls indicating a less risky environment and a less developed regime correlated with higher risk. He added that “well defined internal controls give us predictability about the future.” 

The goal of the ICTF is to ensure that REs “understand internal controls and their contributions to mitigating risk to the [electric grid] the same way,” Elliott said. The task force is working on a public-facing guide to internal controls, as well as a handbook for auditors. While each region likely will establish its own approach to examining entities’ internal controls, the plan is for all to follow the same basic strategy. 

Noting that “most [entities] have room for improvement” in their internal controls, Braun and Elliott held up the COSO model — named for its developer, the Committee of Sponsoring Organizations of the Treadway Commission — as a useful guide for upgrades. The model is found in the Government Accountability Office’s Green Book, which presents standards for internal control in the federal government. 

The model is presented as a cube, with one face representing five components of internal control: control environment, risk assessment, control activities, information and communication, and monitoring. These components operate across the four levels of organizational structure presented on the second face: function, operating unit, division and entity. The last face includes operations, reporting and compliance, the objectives the entity aims to meet through its internal controls. 

Elliott called the COSO model “a very helpful guide [that] fits in well with our audit approach,” which uses government auditing standards found in the GAO’s Yellow Book. But she emphasized that the purpose of an internal controls program is not just “making a regional entity happy.” A robust set of internal controls can ensure an entity is meeting its business objectives beyond compliance. It also can enhance internal communications and external relationships, particularly with regulators that can see the improvements. 

“Information and communication is a key component of the Green Book model, and our entities tell us that they have improved relationships between compliance and operations, and they found the different business units are more aware of how their work affects others in the organization and vice versa when they put in an intentional controls program,” Elliott said. “An entity [that’s] been successful in reducing reliability and security risk may [also] see less frequent monitoring [or] smaller scope or less in-depth audits.” 
