After reading the title of this article, you may have thought to yourself “everyone’s been talking about internal controls for years now; do we really need to know more about them?” And no one would blame you for feeling that way. We have been talking about them a lot. The Electric Reliability Organization (ERO) Enterprise (collectively the North American Electric Reliability Corporation (NERC) and the six Regional Entities) view them as critical components of a strong compliance program.
Most of us are well versed on the basic elements of an internal control program:
- Risk assessment
- Design
- Implementation of controls to address identified risks
- Monitoring of control activities
- Evaluation of the effectiveness of both individual controls and the overall program
Because there is no shortage of presentations and articles on these topics available online, I won’t go into detail here. Instead, the intent of this article is to provide you (finally!) with an example of one entity’s internal controls program. This article is in response to something I heard at a recent meeting signaling that while everyone has an internal control program, no two are alike and there isn’t an opportunity to see what other programs look like.
First, a disclaimer: as flattered as Central Iowa Power Cooperative (CIPCO) would be if you wanted to mimic our program, we recognize that what works for us might not be the best approach for another entity. Factors to consider when determining what approach would work best for your company include the company’s size, organizational structure, resource availability, information technology (IT) and/or operational technology (OT) environments, and applicable NERC registration and regional oversight. Moreover, your program may already be more robust than ours. You simply won’t know until you begin comparing programs and sharing findings and experiences – so let’s begin!
History
CIPCO used a software vendor for several years to help manage internal controls but found it difficult to implement effective controls beyond simple document management through that system. Following a risk assessment performed in 2014 that identified internal controls, both within the vendor program and external to it, gaps were identified and addressed. However, CIPCO stopped short of making anything more than incremental changes to its internal controls program at the time.
Then, during a 2019 audit with MRO, CIPCO staff discussed internal controls with MRO’s audit team. The audit team impressed upon us that in addition to reducing risk, a strong Internal Controls Program (ICP) might also reduce the scope and frequency of an entity’s monitoring plan. This led CIPCO to begin development of a comprehensive ICP – one that we would be excited to show to the next MRO audit team.
System Development
CIPCO discontinued using external vendors to help manage internal controls because the company had a clear vision of what its ICP should look like and none of the vendors considered aligned wholly with that vision. Next, CIPCO IT and business intelligence staff began scoping and developing a Microsoft SharePoint solution for its ICP. At the onset of the COVID-19 pandemic in 2020, CIPCO implemented Microsoft Teams (Teams) to enable remote work. Teams also offered a familiar and easy to use interface for CIPCO Subject Matter Experts (SMEs) and others using the new ICP SharePoint site to complete assigned tasks.
Next came the challenge of identifying each of the tasks that needed to be performed to keep CIPCO in a constant state of compliance. CIPCO maintains a policy document for every NERC Reliability Standard applicable to each of CIPCO’s registered functions with the goal of annually reviewing the policy document, evidence, and any related Reliability Standard Audit Worksheets (RSAW) for each applicable standard. While we consistently performed policy document and evidence reviews, we were often unable to complete the RSAW reviews. We knew we needed a more efficient, systematic method for the entire review process and determined that these tasks would be created within the SharePoint ICP as administrative tasks: scheduled, assigned, and completed annually (no ifs, ands, or buts).
Of course, administrative tasks are just the tip of the iceberg. Additional tasks were needed to ensure that every applicable standard requirement was reviewed periodically by the appropriate SME – resulting in multiple tasks for a single requirement in many cases. Additional evaluation was done to determine the timing of these reviews based on regulatory requirements versus internal (non-regulatory). These were built into the system with predetermined schedules.
Once all the recurring, known requirement tasks were established, CIPCO began developing processes for event-driven tasks. For example, Operating Instructions are not pre-scheduled by the applicable Balancing Authority or Transmission Operator. To complicate matters, the various types of events that trigger compliance activity originate from a wide variety of sources (i.e., EOP-004 reportable events, data requests from Reliability Coordinators, etc.). The challenge is ensuring that each type of event is identified by the internal recipient and translated into compliance tasks. Ideally, compliance staff are on the front line to receive immediate notification of as many of these events as possible.
In building the ICP system, other considerations included:
- How much time (in days) to allow for each assigned task to be completed.
- What notifications to send users and when (such as upon assignment, when the predecessor task is completed, when the task is ready be worked on, on due date, when past due, etc.).
- What sequencing should be assigned to tasks, (e.g., review policy, then evidence, then draft RSAW, and when to blend in requirement-specific tasks).
- What reporting capability is needed to evaluate status and effectiveness.
CIPCO worked with its responsible managers and SMEs ahead of time to develop a schedule for administrative tasks that would fit with typical work schedules, taking seasonality into account.
Implementation
Program rollout took place in June 2021 and despite a few technical glitches, users reacted positively. All task notifications (in the form of Outlook email) include links to the file folder containing forms and documents needed to complete that task, so the user doesn’t need to recall or search the network for what they need. Once a user marks a task completed, compliance staff become aware of it and if a successor task exists, the next user in sequence is notified that a task is ready for completion. Evidence in any electronic form can simply be dragged and dropped into the appropriate folder.
Figure 1 below is a screen shot of the SharePoint task list that the CIPCO team developed. It illustrates tasks created for both FAC-001 and FAC-002 Reliability Standards. Each task displays the responsible individual, status, due date, a link to the folder where related documents and information are stored, and a description of the task. Note that this screen shot captures mostly administrative tasks, but also shows one requirement-specific task (R1-1 for FAC-001, assigned to Ethan Tellier). The task description provides information on what Ethan needs to do.
The display can be filtered by any column such as a single standard or responsible individual. A user can also click on “My Open Tasks” in the left navigation panel to see all their tasks that are not yet completed.
Figure 1
The “Click to open folder” link for a given task opens the folder location for that task. For example, if Ethan is ready to work his “FAC-002 Admin-2” task, he can select “Click to open folder” in that row. He will then see the following Figure 2 screen:
Figure 2
Since Ethan’s Admin-2 task is to review and update the policy document, he would click “Policy and Procedure” in Figure 2 above. This would take him to the current draft created by Kelly in her completed Admin-1 task (see Figure 1 above) and all previous versions of the FAC-002 policy document so he can complete his task. When he is finished, he can go to either the SharePoint page or back to the Microsoft Teams page. Both places contain a button that allows Ethan to “Click here for available actions,” enabling him to mark the action complete or reassign the task using the window in Figure 3 below.
Figure 3
The user can mark the task complete or use either of the other two options to notify compliance staff that the task cannot be completed or needs to be reassigned. There is also a section for relevant notes. Once a selection is made, clicking “Run Flow” will update the task status and trigger notifications to compliance and the user with the next task in the workflow, if applicable.
An easy example of an event-driven task exists with Reliability Standard PRC-004. Multiple CIPCO staff, including compliance, receive daily reports of system operations. When there is a Bulk Electric System interrupting device operation that must be evaluated for compliance with PRC-004, CIPCO compliance staff create and assign a task in the SharePoint ICP for System Protection Engineering to review the operation. Figure 4 below shows these tasks; one completed in Q4 2022 and four created in Q1 2023.
Figure 4
There were several operations on March 31, 2023. Per standard PRC-004 R1, these must be evaluated within 120 days for possible Misoperations[KL2] . CIPCO sets the due dates for these reviews at 100 days (July 9 in this case) to ensure completion of the review within the required timeframe.
ICP Effectiveness
A critical component of an ICP is the determination of whether the controls are effective. An obvious measure of this is whether the tasks are being completed. This is easy to determine through system reporting. For calendar year 2022, 504 NERC Reliability Standard Tasks were issued in CIPCO’s SharePoint ICP across 45 Reliability Standards. All but one of these were completed, with the uncompleted task awaiting clarification from the Transmission Operator on a test record. Approximately 60 percent were completed on time. The average completion timeframe was 6.85 days late. This may not seem to be a complete success, but it is a significant improvement from the days when CIPCO was unable to annually evaluate every applicable requirement or complete RSAW reviews. It also provides a baseline for comparison of future performance.
Simple reporting of the numbers does not tell the whole story of whether an ICP is effective or not. Qualitative reviews of the tasks completed should also be done. The following questions are examples of how this might be done:
- What is the resulting evidence that would be presented for compliance enforcement actions?
- Is the evidence complete?
- Most importantly, is the work shown?
It’s one thing to show that an interrupting device operated on March 31 and the evaluation of that operation was completed on June 12 (within the required 120 days), concluding that it was a correct operation. An auditor, however, should be able to see the data analyzed and how the determination was made that the device operated as designed and intended. The development of CIPCO’s SharePoint ICP system has provided us with improved capabilities for reviewing evidence and determining whether we are capturing our work and reviewing RSAWs completely.
Final Comments
I like to think that CIPCO’s ICP is more of a toddler than an infant now, but like any program there is always room for growth and development. We constantly look for potential improvements, and work with IT and business intelligence staff to implement enhancements when possible. I must also give credit to Kelly Heims, CIPCO’s Compliance Specialist. Kelly has been instrumental in the development, implementation, and management of the system.
If you have questions or suggestions for us, we would be happy to hear from you. Please contact me at [email protected] or by telephone at 319-366-8011.
By Kevin Lyons, Central Iowa Power Cooperative
DISCLAIMER
MRO is committed to providing non-binding guidance to industry stakeholders on important industry topics. Subject matter experts from MRO’s organizational groups have authored some of the articles in this publication, and the opinion and views expressed in these articles are those of the author(s) and do not necessarily represent the opinions and views of MRO.