How To Prepare For A CIP Audit Scott Barker CISSP, CISA CIP Compliance Workshop Baltimore, MD August 19-20, 2009.

CIP Audit Goals & Objectives
Thoroughly comply with the requirements of the cyber security standards and enhance the protection of the bulk electric system. Be prepared to pass a CIP audit with no audit findings and no financial penalties.
1. Establish a "Culture of Compliance" in your company
2. Be aware of the CIP auditor's operational activities
3. Know how to interact with auditors
4. Consider software to automate compliance
5. Conduct pre-audit walk-through exercises

Exhibit and Instill a "Culture of Compliance"
- Establish a strong regulatory compliance program that is supported by the CEO and the senior leadership
- The regulatory compliance program should report directly to the CEO, or even to the Board of Directors
- Compliance should be part of every employee's goals and objectives

The mission of an internal regulatory compliance program is to:
- Ensure that adequate resources are dedicated to compliance with the NERC reliability standards
- Monitor regulatory compliance through the internal Working Groups
- Review and approve the policies that give direction and oversight to the Working Groups

XYZ Compliance Structure

Be Aware of the NERC Compliance Monitoring Methods
- Periodic reporting
- Self-certifications
- Exception reporting
- Compliance violation investigations
- Random spot checks or audits
- Compliance audits (on site and off site)
- Self-reporting

Be Aware of Your Audit Cycles
- Mandatory audits every 3 years for Transmission Owners (TOs) and Transmission Operators (TOPs)
- Mandatory audits every 6 years for Generator Owners (GOs) and Generator Operators (GOPs)
- Cyber security audits will be separate from reliability compliance audits but will follow the same cycle

Be Aware of Violation Statistics

Interaction With CIP Auditors
All initial contacts with CIP auditors should be coordinated with the Administrator of CIP Compliance. Request sufficient advance notification to ensure that:
- The proper persons are on hand
- Relevant records are gathered together in a timely manner
- The audit is scheduled to minimize disruption

Administrator of CIP Compliance
- Keep the audit focused and facilitate the audit
- Keep in constant communication with the CIP auditor
- Resolve audit issues as soon as they are identified
- Keep all parties informed of the progress of the audit
- Accompany staff members during interviews when deemed appropriate

Entrance Conference
- Demonstrate a positive attitude
- Clarify the audit objective and scope (areas to be tested and the period covered by the audit)
- Understand the audit process
- Understand the reporting process and determine who will receive the audit reports
- Determine space requirements
- Know the contacts in the CIP auditor's office
- Consider giving the auditor a tour of your facilities

Interaction With CIP Auditors During the Audit
- All requests for specific information or interviews should be coordinated through the Administrator of CIP Compliance
- The CIP auditor should keep the Administrator of CIP Compliance informed of any mistakes, discrepancies, audit questions or concerns that arise during the audit process
- The purpose of such contact is to expedite the audit, provide additional information and clarify any questions

CIP Records
- Provide access in a timely manner
- Make copies of documents as necessary; do not permit the original documents to leave the office
- Do not provide records that are not relevant
- If a request seems unnecessary, ask the CIP auditor for the purpose of reviewing the document and recommend alternatives that would achieve the same purpose
- Communicate the reasons for any significant delays in providing records
- Maintain a list of the records provided to the auditor, and ensure all records are returned at the completion of audit fieldwork

Exit Conference
- The purpose of the exit conference is to inform the entity's CIP representatives of the audit findings
- At this time, any misunderstandings are clarified
- Minutes of the exit conference should be taken and made available to the CIP auditors and the appropriate internal regulatory compliance representatives

Useful Preparation Tips
Compliance software:
- AssurX – CATSWeb
- Symantec – Control Compliance Suite
Pre-audits / mock audits:
- Use the Reliability Standards Audit Worksheets (RSAWs) as guidance documents
- Internal auditors
- External auditors (DYONYX, KEMA, etc.)
Attend regional meetings and workshops

Do's
- Be honest and open
- Understand the purpose of each meeting and review the related records prior to interviews
- Listen carefully and understand each question before answering; be sure responses are complete and accurate
- Respond only to the question asked; keep answers simple and direct
- Weigh answers carefully, being certain you have the facts to back them up
- Limit comments to areas where you have first-hand knowledge

Don'ts
- Do not speculate or answer hypothetical questions
- Do not agree or disagree with opinions
- Do not "ramble" or provide irrelevant information (office gossip)
- Do not get offended by "why" questions

Questions?
Contact Information: Scott Barker CISSP, CISA, Manager, Information Planning & Security, Indianapolis Power & Light Company (317)