CIP Spot Check Process Gary Campbell Manager of Compliance Audits ReliabilityFirst Corporation August, 2009.


Presentation Goals
The audience should be:
- Aware of the ReliabilityFirst CIP Spot Check Process to be used for review of the thirteen requirements for Table 1 entities, and of CIP Spot Checks in general
- Cognizant of the differences between the audit and spot check processes
- Familiar with the auditor's perspective in the performance of audits and spot checks

Compliance Audits
ReliabilityFirst performs compliance audits:
- Once every three years for BA, TOP, RC and TO/LCC
- Once every six years for all other functional designations, starting from 2008
- With proper notice as per the standard or the CMEP
- Unscheduled, as required to monitor compliance
- On-site or off-site
- CIP standards audit intervals have not been determined at this time; for now, assume a three/six year interval for the applicable functions
- Public and non-public reports are sent to NERC, the Registered Entities and FERC, and are maintained on file at ReliabilityFirst

Spot Checks
ReliabilityFirst (RFC) performs spot checks:
- With proper notice as per the standard or the CMEP
- As described in the CMEP
- Triggered by an event, concern, trend, NERC or FERC request, etc.
- To verify/confirm self-certifications, self-reports and data submittals
- Any functional designation or Registered Entity can be subject to a spot check
- The report is maintained on file at ReliabilityFirst; the Registered Entity receives a copy; NERC does not receive a copy at this time

ReliabilityFirst Audit & Spot Check Goals
Audits and spot checks are to be performed:
- To the highest standard: government auditing standards, the CMEP and the NERC Rules of Procedure (RoP)
- Professionally
- Consistently: auditor tools (QRSAWs, surveys, RFIs) and regionally agreed-upon practices
- Credibly: with reasonable assurance, and with sufficient and appropriate evidence to substantiate the findings

Audit Team Member Goals
The audit team will strive to:
- Be consistent and fair
- Be cooperative
- Be professional
- Substantiate its findings, providing credibility for findings that can withstand the scrutiny of review
- Develop a complete record of its findings (documentation, notes)

The Audited Entity
The audited entity should present "just the facts" by providing, through documentation, the evidence that it meets the requirements of a standard:
- A complete record and understanding demonstrating compliance with the standard
- Evidence that is valid
- Evidence that can be substantiated
- Evidence that can withstand the scrutiny of the auditor and the public

Compliance Advice
ReliabilityFirst staff and audit teams cannot:
- Tell an entity how to be compliant
- Specify which practice or process to implement
- Provide assurance of compliance outside of the audit process
The staff or audit team can:
- Listen and provide guidance
- Direct Registered Entities to seek the assistance of a consultant if staff cannot point the person to available documentation addressing the question

Confidentiality Agreements
Audit team members are bound by their codes of conduct or applicable confidentiality agreements, which are provided to the audited entity:
- NERC staff fall under NERC's confidentiality obligations in the Rules of Procedure (Section 1500) and NERC's code of conduct
- FERC is bound by its own agreements
- Regional staff fall under their code of conduct and the confidentiality statement in the delegation agreement
- Contractors and industry volunteers sign regional confidentiality agreements
- Regional staff shall not sign an entity-specific confidentiality agreement

Team Member Review of Information
The team will:
- Hold a conference call with the entity 85 days before the spot check review, to clear up any items of concern or understanding in the process
- Hold a team meeting approximately 2 weeks before the review date to discuss the team's review of the submitted information, request additional information for clarification or understanding, and discuss preliminary requirement findings
This effort allows the auditors to focus at the review on the areas of importance and on those lacking information or understanding.

CIP Spot Check Scope
The current CIP Spot Check scope:
- For Table 1 entities: 13 requirements identified for review by NERC for the period xxxxxxxxxxxxxxxxxxxxxxxxx
- After July 1, 2010: Table 1 and Table 2 entities, 41 requirements (not yet determined whether this will be a spot check or an audit)

CIP Standards (CIPS) Compliance Review Team
The team consists of:
- Usually at least 3 to 4 members with experience in CIPS, IT and Operations
- A lead (RFC Compliance staff)
- A NERC observer or participant (at NERC's discretion)
- A FERC participant (at FERC's discretion)

Audit Team Member Roles
Team members:
- Utilize technical experience
- Exercise professional judgment
- Gather data and information
- Perform interviews
- Determine the validity of the evidence
- Substantiate the evidence

Objection to a Team Member
A Registered Entity can object to a team member:
- On the grounds of conflict of interest, or the existence of other circumstances that could interfere with the team's impartial performance of its duties
- The objection must be in writing to the Compliance Enforcement Authority no later than 15 days prior to the start of the audit or spot check
- ReliabilityFirst makes the final determination of whether the member can participate in the audit or spot check
- NERC and FERC staff cannot be limited in their participation in an audit or spot check

The Spot Check Process
The Spot Check Process consists of:
- Initial notification and request for information
- Conference call with the entity
- Spot check team review of information
- Spot check review on site
- Preparation of the spot check assessment and report
- Distribution of the spot check report

Initial Notification
Initial notifications:
- For the 13 requirements, will be sent at least 90 days before the scheduled review date of a spot check or audit (the CMEP requirement is 20 days for a spot check and 60 days for an audit)
- Contain:
  - Notification letter: request for information, background information on the process, audit preparation guidelines, audit team bios, confidentiality and conflict-of-interest (COI) statements
  - An agenda
  - Spot check worksheet
  - Questionnaires/Reliability Standard Audit Worksheets (QRSAWs)
  - Pre-audit questionnaires

Audit Agenda
ReliabilityFirst will provide an agenda which:
- Covers the days expected to complete the audit
- Defines audit sub-teams, if appropriate
- Schedules the standards to be audited and the time allotted for presentations
- Schedules interviews and group meetings

Spot Check Worksheet
The worksheet:
- Lists all standards to be addressed in the spot check
- Is for the entity's use in tracking progress on the standards

Questionnaires/Reliability Standard Audit Worksheets (QRSAWs)
QRSAWs:
- Must be completed and returned 30 days before the scheduled review date
- Provide guidelines concerning the requirements
- Do not add additional requirements
- Are posted on the NERC website
- Could be used by internal compliance programs

Pre-Audit Questionnaires
The pre-audit questionnaires request:
- Entity profile
- Logistical information (hotel, airport and travel information)
- Security considerations (identification requirements, restrictions, escorts)

The On-site Review and Post-Monitoring Reporting

Typical Audit
The audit consists of:
- Opening briefing
- Review of requirements with SMEs and entity personnel
- Site visits as necessary
- Exit briefing
The CIP Spot Check consists of the same basic steps.

Opening Briefing
The opening briefing is held with management and the participants in the review process. For combined audits and spot checks, the 693 and CIP topics are discussed together.
It allows the audit team to:
- State the objective and scope
- Explain the audit process
- Discuss confidentiality and COI
- Set the tone for the audit
- Define the roles of the audit team and the audited entity
- Seek clarification on issues from the RSAWs and any other preliminary information submitted
It allows the Registered Entity to:
- Provide an overview of its system and operations
- Provide logistics and security information
- Seek clarification on the scope of the audit

The Review
The compliance review of evidence against the requirements is completed:
- According to the agenda
- With the entity personnel the entity designates (SMEs, PCC, other personnel)
- With an opportunity for the team to request additional information and clarification, and to obtain an understanding of the entity's evidence and approach
- And should lead to a team finding on compliance

Exit Briefing
The exit briefing with management and all participants in the audit:
- Is organized similarly to the opening briefing
- Provides the preliminary findings
- Reviews the scope of the audit
- Provides the findings and the team's basis for the findings
- Discusses confidentiality
- Discusses the report process and timeline
- Requests completion of feedback forms

Reports
CIP Spot Checks will:
- Have an assessment and a report created (audits do not have a documented assessment)
- The assessment is a compilation of the information contained in the completed QRSAWs; it is not sent to the entity
- Spot check reports are a condensed version of the audit report, containing: executive summary, scope, requirement findings
- The draft report is sent to the entity for comments
- Final spot check reports are sent to the entity and kept on file at ReliabilityFirst; they are not sent to NERC at this time

Audit/Spot Check Report Timeline
(Flowchart from the slide; the steps are listed here in order.)
1. The Audit Team conducts an exit briefing with the Registered Entity with preliminary findings.
2. The Audit Team Lead develops a draft report.
3. The Audit Team Lead sends the draft report to the Audit Team for their review and comments; the Audit Team provides comments.
4. The Audit Team Lead revises the draft compliance report upon receipt of the Audit Team's comments.
5. The Audit Team Lead sends the draft report to the Registered Entity for their review and comments; the Registered Entity reviews and provides comments.
6. The draft report is edited upon receipt of the Registered Entity's comments.
7. The Audit Team Lead transmits the revised draft report for Audit Team review; the Audit Team provides comments.
8. The Audit Team Lead completes the final compliance report.
9. The final report is sent to the RFC VP and Director of Compliance, the Registered Entity, and NERC and FERC as applicable.
The slide shows the intervals between steps as 20 business days, 20 business days, 10 business days, 5 business days, 5 business days and 5 business days; which interval applies to which step is not recoverable from the transcript.

Questions?
Gary Campbell, ReliabilityFirst Corporation, Senior Consultant – Compliance