Evaluate Internal Controls for Assurance of NERC Compliance

Does your internal control system provide security for the fulfillment of your objectives, assure the efficiency of your processes, verify the reliability of your financial information, and ensure your compliance?

Management may use a variety of internal controls to provide reasonable assurance regarding the achievement of grid reliability, security of the Bulk Power System (BPS), and compliance with NERC Standards. Senior management and those responsible for each area of the organization need to remember that the control environment influences all members of the organization, impacts all components of risk management, and affects the control of all activities.
Internal control designs are living and dynamic. Yet, because business environments change over time, internal controls can become ineffective or obsolete. Internal control is not effective if a properly designed control exists but does not operate as designed or if a person performing the control does not possess the necessary authority or qualifications to perform the control.

Mitigate your risks

To mitigate the risk of ineffective or obsolete controls, your internal controls program should define a process to assess control design and implementation and evaluate whether your controls continue to meet risk objectives. These evaluations may start in response to changes in the operational and governance environments, control failures, changes in operational responsibilities, system events or compliance activities, and process improvements.

Ongoing evaluations of control activities and periodic internal audits are vital to preserving and continually improving any internal control environment. This involves evaluating your internal controls as they relate to meeting an objective. A control will be less effective if there are missing attributes or the existing design does not meet its established objective. Internal controls should be commensurate with a registered entity’s size and the potential risk its operations pose to the BPS.

The takeaway:

Monitoring control activities with ongoing evaluations and periodic internal audits is vital to preserving and continually improving any internal control environment.

What can you do?

The monitoring of internal controls is an ongoing process. Assessments of internal controls are not limited to an annual exercise. They may be conducted multiple times per year, especially in areas that have high inherent risk or are central to mission fulfillment.

  • Test the effectiveness of controls already in place. Are they functioning effectively and performing their designated objectives?
  • Identify gaps in internal controls.
  • Document the results of internal controls evaluations.
  • Retain documentation to support the conclusions reached.
  • Identify significant control deficiencies or indications of potential weaknesses. These issues must be reported.

Many entities assess compliance with a risk management strategy that includes adherence to NERC Reliability Standards. An independent internal control review may be done by a specialist hired by the registered entity as a disinterested third party or by an internal department that is independent of the department performing Reliability Standards operations.

Disclaimer: Any opinions expressed in the blog do not necessarily reflect the opinions of Certrec. The content of this blog is meant for informational purposes only.