
SAS 70 Third Party Report on Controls Overview and Timetable

SAS 70 Third Party Report on Controls: Overview and Timetable. Finance / Audit Committee Meeting, Austin, Texas, January 14, 2003 / February 18, 2003. Agenda: Overview of Project Scope and Results; Scope of Project; Summary of Report; Commentary on Results of Testing; Looking Forward.

newman

Presentation Transcript


  1. SAS 70 Third Party Report on Controls: Overview and Timetable. Finance / Audit Committee Meeting, Austin, Texas, January 14, 2003 / February 18, 2003

  2. Agenda • Overview of Project Scope and Results • Scope of Project • Summary of Report • Commentary on Results of Testing • Looking Forward

  3. Overview of Project Scope and Results • Project is complete • Final draft report issued last week • Final report to be issued this week (perhaps today) • Opinion is unqualified • Scope of report is consistent with plan – described to the Committee in July (in depth)

  4. Scope of Project

  5. Scope of Project – Reporting Structure. What is a SAS 70 report? It is a report on internal controls based on a standard reporting structure. It is commonly referred to as a SAS 70 Report – named after the auditing standard that defines the reporting framework of an internal control examination for service organizations that must be relied upon by their users/members/participants. The Auditing Standard: The American Institute of Certified Public Accountants’ (AICPA) Statement on Auditing Standards (SAS) No. 70: Reports on the Processing of Transactions by Service Organizations

  6. Processes Included in SAS 70: Business Process Controls. Areas: Registration; Market Operations; Power Operations; Load Prof., Data Acq. and Agg.; Settlement, Billing & Finance. Processes: • Market Participant Registration • Scheduling and Bidding • Verbal Dispatch Instructions • Transmission Control Rights • Meter Data Acquisition • Meter Data Aggregation • Losses and UFE • Ancillary Services • Balancing Energy • Replacement Reserve • Revenue Neutrality • Black Start • Other Fees • Statements, Invoicing and Clearing

  7. Processes Included in SAS 70: General Controls. Communications and IT Infrastructure • Organization and Administration • Logical Security • Physical Security • Configuration Management • Computer Operations

  8. Summary of Scope. Included in the SAS 70 scope: • All business processes and general controls that impact or affect financial wholesale market settlement; • Processes that are otherwise “invisible” to the members and upon which they must rely on ERCOT for controls. Not included in SAS 70 scope: • Operator and control room decisions • Congestion pricing calculations • Dispute resolution process • Retail operations and customer switching

  9. Summary of Scope (figure: SAS 70 Scope)

  10. Summary of Report

  11. Summary of Report • Section One – PwC opinion • Section Two – Description of processes and related control objectives and activities • Section Three – User control considerations • Section Four – Additional information • Section Five – Glossary

  12. SAS 70 Opinion. PwC’s Unqualified Opinion states that: • The description presents fairly, in all material respects, ERCOT’s controls for the identified processes; and • The controls have been suitably designed to provide reasonable assurance that the specified control objectives would be achieved if those controls were complied with as at a specific date.

  13. Section Two – the Core of the Report • Overview information: including ERCOT’s governance, oversight functions, and general control environment • Business processes: generally comprising Settlements-related functions (example: meter data aggregation); 14 business processes in total • Information system processes: representing IS infrastructure activities (example: configuration and change management); 6 functional areas in total

  14. Section Two – the Core of the Report. Each of the 20 process descriptions is organized as follows: • Narrative description • Control objectives • Control activities. In summary, PwC’s report addresses the adequacy of the reported control activities to support the stated control objectives that are presented in this section.

  15. Commentary on Results of Testing

  16. Results of SAS 70. Execution in accordance with plan: • Consistent with plan presented to the Committee in July 2002 • October 31, 2002 “as of” date • Unqualified opinion • Scope as planned, with some relatively minor additions for late developments (example: RMR). Management took full responsibility: • Responsible for control environment • Responsible for report content

  17. Review of SAS 70 Timeline. The project began almost 10 months ago. • Mar 02: SAS 70 Initial Development of Control Objectives • Apr 02: SAS 70 Readiness Exercise (Business Processes: in good shape, most ready for SAS 70 testing; General Controls: some control processes needed further documentation and refinement) • Jun - Aug 02: SAS 70 Preparations (ongoing management efforts to complete readiness for SAS 70; PwC involved in real-time review of improvements as they are implemented) • Sep - Oct 02: SAS 70 Testing • Oct 31, 2002: SAS 70 Type 1 Report “as of” Date • Jan 03: Report Issuance

  18. Results of SAS 70. PwC Observations: • ERCOT management and staff were responsive to PwC’s findings and recommendations identified during the audit process; • Certain of ERCOT’s Settlement Processes are “best practice”; • We will issue a letter to management with recommendations for further strengthening and improvement of controls; • The level of complexity of ERCOT’s markets and transaction systems will continue to increase.

  19. Looking Forward

  20. SAS 70 Reporting Alternatives. The SAS 70 standard provides for two types of reports on internal control structures of service organizations: • Type I: On design of controls in place at a point in time. (This is the report ERCOT is issuing.) • Type II: On design and effectiveness of controls in place for a period of time, with details of tests performed. (Typically performed after a period of business and systems stability.)

  21. Looking Forward. ERCOT should plan to evolve to a Type 2 environment (perhaps in 2004); factors to consider: • Stability of processes • Resource requirements (time and costs) • Resulting process improvement • Value of report • What ERCOT’s peers are doing. PwC to present broad-based 2003 Assurance Plan at next Committee meeting.

  22. Questions?
