Monitor Your Internal Controls – Minimize Risk and Stay Compliant
Chinese Hackers are spying on Zimbra opensource email users
February 18, 2022
Evaluate Internal Controls for Assurance of NERC Compliance
March 14, 2022
What is risk-based compliance monitoring?
Risk-based compliance monitoring focuses on identifying, prioritizing, and addressing risks an organization’s activities may pose to the Bulk Power System as well as monitoring those risks for deficiencies that may arise as a result of ongoing activities or if your organization undergoes organizational or process changes.
Monitoring internal controls is an ongoing process. If left unmonitored, internal controls may tend to deteriorate over time. Even with all your controls in place, any complacency may reduce your NERC compliance status.
Where should your focus be?
The core of effective and efficient monitoring lies in designing and executing monitoring
procedures that evaluate important controls over meaningful risks to your organization’s
objectives.
Personnel with appropriate skills, authority, and resources should consider:
- Have the meaningful risks to objectives been properly identified?
- Which “key controls” best support a conclusion regarding the effectiveness of internal controls in those risk areas?
- What information is needed to determine the controls are operating effectively?
How does monitoring provide value to your company?
Monitoring considers the collective effectiveness of all components of internal control.
The monitoring component of an internal controls program provides value to the organization in three ways:
- It lets management determine whether the internal control system operates effectively over time, providing assurance of the system’s ongoing value in risk reduction.
- It provides insights into potential changes or additions to the internal controls that support a more meaningful risk-reduction posture.
- It promotes a sustainable internal control culture. When people who are responsible for an internal control know their work is subject to oversight through monitoring, they are more likely to perform their duties properly over time (what is measured gets done).
What can you do?
To get the most effective results from the monitoring process, you should:
- Analyze
- Consider Options
- Take Action
| Analyze | Consider Options | Take Action |
|---|---|---|
| Stay up-to-date on industry standards, laws, rules, and regulations to avoid “blind spots” and the regulatory risks and violations associated with non-compliance. | Conduct reviews of regulatory information sources on a regular basis to capture any potential impacts. Subscribe to a third-party resource to receive "pushed" information important to your organization’s ongoing compliance. | Modify your internal controls as needed to address any new or revised regulatory obligations |
| Know your high-risk areas and routinely monitor your controls that are associated with them. | Prioritize any identified deficiencies according to risk to help you allocate the right time and resources to the most important risk mitigation projects. | Develop corrective action plans so deficient or inadequate control implementation maybe mitigated and program corrections made as appropriate. |
| Establish where you are in your utility compliance efforts to plan for the future, to stay current on regulations, and to reduce violations. | Consider using compliance management software to establish and support the company’s regulatory compliance program; to store information; to extract data from daily work to create, submit, and organize reports; and to trigger alerts for non-compliance. | Report deficiencies to the appropriate individuals who can effectively make change. Correct deficiencies on a timely basis. |
| Evaluate your compliance program baseline and whether your internal controls are appropriate and functioning. | Conduct periodic spot- checks or audits of your internal controls process (consider third-party involvement). |
In our next blog, we will discuss evaluation of internal controls.
