Updated ERO Enterprise Guide for Internal Controls
Brent Read, Manager, Risk Assessment
Agenda: ERO Enterprise Guide for Compliance Monitoring; ERO Enterprise Guide for Internal Controls; Resources; Discussion / Questions
ERCOT NRWG/NSRS Meeting January 17, 2017
Risk-based Compliance Oversight Framework (“Framework”)
ERO Enterprise Guide for Compliance Monitoring
Major Changes: Posted October 2016; Includes all components in Framework; Clarifies use of Risk Elements, ICE, & other considerations (Section 1); Includes development of Compliance Oversight Plans (COPs); 18 common risk factors across the ERO (Appendix B)
Texas RE Website: 18 common risk factors with 4 Texas RE deviations; List of “Other Considerations” used in IRA and COP process
ERO Enterprise Guide for Internal Controls
Major Changes: Posted December 2016; Formalized use of internal controls during CMEP activities (Section 1.2); Streamlined testing approach (Section 2.2)
What’s next for Texas RE and ICE?: Revise methodology; Conduct ICEs
Resources
ERO Enterprise Guide for Compliance Monitoring: Link to Guide; Link to Webinar; Link to Webinar Slides
ERO Enterprise Guide for Internal Controls
Questions?
Differences Between Audits, Spot Checks, & Self-Certifications
Brent Read, Manager, Risk Assessment
Differences between Audits, Spot Checks, & Self-Certifications Talk with Texas RE December 15, 2016
Agenda: Compliance Monitoring Responsibilities; Audits; Spot Checks; Self-Certifications; Compliance Monitoring Period vs. Compliance Obligation Period; Self Identified Issues During an Engagement
Compliance Monitoring
Compliance Monitoring is the process used to assess, investigate, evaluate, and audit in order to measure compliance with NERC Reliability Standards. Standards are developed, adopted, and approved through the Reliability Standards Development program and placed into effect pursuant to FERC orders or to applicable authorities in other North American jurisdictions. This statutory responsibility is set forth in section 215(e) of the Federal Power Act as well as 18 C.F.R. §39.7.
Regional Entity Compliance Monitoring and Enforcement
NERC relies on the Regional Entities to enforce the NERC Reliability Standards with bulk power system owners, operators, and users through approved regional delegation agreements. Regional Entities are responsible for monitoring compliance of the registered entities within their regional boundaries, assuring mitigation of all violations of approved Reliability Standards and assessing penalties and sanctions for failure to comply.
Compliance Monitoring Methods: Audit; Spot Check; Self-Certification; Others per ROP
Compliance Audits
Compliance Audits
Rules of Procedure (ROP): Section 400; Appendix 4C, Section 3.1; Onsite audit required for RC, BA, or TOP every 3 years
Process: Data submission is required; Texas RE will identify potential noncompliance, AOCs, and recommendations
Implementation Plan (IP): Audit plan; Candidate list
Compliance Audits
Notification: 90 days; 10 days for unscheduled Compliance Audit
Onsite vs. Offsite: ROP requirement; Onsite if needed
Risk Determination: Requirements for generally higher areas of risk for an entity; Requirements with sampling
Compliance Spot Checks
Compliance Spot Checks
Rules of Procedure (ROP): Appendix 4C, Section 3.3; Initiated by Texas RE or as directed by NERC; May be as needed; May be initiated in response to operating problems; May be initiated in response to system events
Process: Data submission is required; Texas RE will identify potential noncompliance, AOCs, and recommendations
Compliance Spot Checks
Notification: 20 days
Risk Determination: Requirements for moderate areas of risk for an entity; Requirements with sampling
Compliance Self Certifications
Compliance Self-Certifications
Rules of Procedure (ROP): Appendix 4C, Section 3.2; Initiated by Texas RE; Registered Entities may identify noncompliance
Process: Initial data submission may be required; Potential noncompliance not clearly identified may result in a compliance spot check
Compliance Self-Certifications
Notification: Notification as specified by the Reliability Standard or issued in a timely manner, if no time period specified; Usually 30 days advanced notice
Risk Determination: Requirements for generally lower to moderate areas of risk for an entity
Compliance Obligation Period vs. Compliance Monitoring Period
Compliance Obligation Period vs. Compliance Monitoring Period
Time period between previous engagement and current engagement; Used to ensure compliance between engagements
Compliance Monitoring Period: Outcome of IRA; Provides initial focus of engagement; Does not limit depth of engagement
Compliance Obligation Period vs. Compliance Monitoring Period
Texas RE defines the compliance obligation period as the full audit period described in Appendix 4C, Section 3.1.4.2 of the Rules of Procedure. Texas RE also provides a monitoring period to indicate the initial focus of its compliance review. However, the monitoring period does not limit the engagement team from examining all necessary evidence to establish an entity’s compliance during the full compliance obligation period.
Self Identified Potential Non Compliance During an Engagement
Self Identified Potential Non Compliance During an Engagement
This [engagement type] notification is intended to provide [entity] with notice regarding the requirement to submit compliance-related information to Texas RE for the NERC Reliability Standards listed herein identified in this [engagement type]. Because [entity] is required to provide such compliance information to Texas RE, [entity] is no longer eligible to receive credit for a voluntary disclosure of a noncompliance issue through the Self-Report process for the period of [engagement start date] through the exit briefing of this [engagement type]. See Order on Review of Notice of Penalty Regarding Turlock Irrigation District, 134 FERC ¶ 61,209, at P 46 (2011).
Self Identified Issues During an Engagement
I found a potential noncompliance during the engagement. Should I file a self report?
No
Self Identified Non Compliance During an Engagement
So what should I do if I find a potential noncompliance during the engagement time frame?
Notify the Engagement Team Lead
Engagement Team Lead will ask for the following: Standard & Requirement; Description of potential non compliance; Duration of potential non compliance; Is potential non compliance mitigated? If yes, how?; Root cause of potential non-compliance
Resources: NERC Rules of Procedure; 2017 NERC CMEP Implementation Plan; GAO Generally Accepted Government Auditing Standards
Questions?