SAS 70 Third Party Report on Controls Overview and Timetable Finance / Audit Committee Meeting Austin, Texas January 14, 2003/ February 18, 2003
Mar 31, 2015
PricewaterhouseCoopers 2
Agenda
• Overview of Project Scope and Results
• Scope of Project
• Summary of Report
• Commentary on Results of Testing
• Looking Forward
Overview of Project Scope and Results
Project is complete
Final draft report issued last week
Final report to be issued this week (perhaps today)
Opinion is unqualified
Scope of report is consistent with plan – described to the Committee in July (in depth)
Scope of Project
Scope of Project – Reporting Structure
What is a SAS 70 report?
It is a report on internal controls based on a standard reporting structure.
It is commonly referred to as a SAS 70 Report – named after the auditing standard that defines the reporting framework of an internal control examination for service organizations that must be relied upon by their users/members/participants.
The Auditing Standard
The American Institute of Certified Public Accountants’ (AICPA) Statement on Auditing Standards (SAS) No. 70: Reports on the Processing of Transactions by Service Organizations
Market Operations
Power Operations
Load Prof., Data Acq. and Agg.
Settlement, Billing & Finance
Registration
Business Process Controls
• Meter Data Acquisition
• Meter Data Aggregation
• Losses and UFE
• Ancillary Services
• Balancing Energy
• Replacement Reserve
• Revenue Neutrality
• Black Start
• Other Fees
• Statements, Invoicing and Clearing
• Market Participant Registration
• Scheduling and Bidding
• Verbal Dispatch Instructions
• Transmission Control Rights
Processes Included in SAS 70
Communications and IT Infrastructure
General Controls
• Organization and Administration
• Logical Security
• Physical Security
• Configuration Management
• Computer Operations
Processes Included in SAS 70
Summary of Scope
Included in the SAS 70 scope:
• All business processes and general controls that impact or affect financial wholesale market settlement;
• Processes that are otherwise “invisible” to the members and upon which they must rely on ERCOT for controls.
Not included in SAS 70 scope:
• Operator and control room decisions
• Congestion pricing calculations
• Dispute resolution process
• Retail operations and customer switching
Summary of Scope
[Diagram: "ERCOT - Overview", with the SAS 70 scope marked. Labels: Market Participant, QSE, Metered Entity, Client Services, Legal, Operations, Regn, Load Profiling & Data Aggregation, ERCOT Polled Meters, TDSP Meters, MV 90, Meter Data Aggregation, Load Profiling, Power Operating System (POS), Market Operating System (MOS), Market Database, MOS to BE File, Settlement & Billing, Settlements (Lodestar). Data items: Registration Information, Registration Data, Meter Data, Telemetry Data, Control Data, Market Data, Settlement Data, Settlement Statements & Invoices, Payments. Key: Input File, System, Output.]
Summary of Report
Summary of Report
Section One – PwC opinion
Section Two – Description of processes and related control objectives and activities
Section Three – User control considerations
Section Four – Additional information
Section Five - Glossary
SAS 70 Opinion
PwC’s Unqualified Opinion states that:
• The description presents fairly, in all material respects, ERCOT’s controls for the identified processes.
And
• The controls have been suitably designed to provide reasonable assurance that the specified control objectives would be achieved if those controls were complied with as at a specific date.
Section Two – the Core of the Report
Overview information - including ERCOT’s governance, oversight functions, and general control environment
Business processes - Generally comprising Settlements-related functions (for example, meter data aggregation) - 14 business processes in total
Information system processes - Representing IS infrastructure activities (for example, configuration and change management) – 6 functional areas in total
Section Two – the Core of the Report
Each of the 20 process descriptions is organized as follows:
• Narrative description
• Control objectives
• Control activities
In summary, PwC’s report addresses the adequacy of the reported control activities to support the stated control objectives that are presented in this section.
Commentary on Results of Testing
Results of SAS 70
Execution in accordance with plan:
• Consistent with plan presented to the Committee in July 2002
• October 31, 2002 “as of date”
• Unqualified opinion
• Scope as planned – with some relatively minor additions for late developments (example – RMR)
Management took full responsibility:
• Responsible for control environment
• Responsible for report content
Review of SAS 70 Timeline
Mar 02: SAS 70 Initial Development of Control Objectives
Apr 02: SAS 70 Readiness Exercise
• Business Processes – in good shape, most ready for SAS 70 testing
• General Controls – some control processes needed further documentation and refinement.
Jun - Aug 02: SAS 70 Preparations
• Ongoing management efforts to complete readiness for SAS 70
• PwC involved in real-time review of improvements as they are implemented
Sep - Oct 02: SAS 70 Testing
Oct 31, 2002: SAS 70 Type 1 Report “as of” Date
Jan 03: Report Issuance
The project began almost 10 months ago
Results of SAS 70
PwC Observations:
ERCOT management and staff were responsive to PwC’s findings and recommendations identified during the audit process;
Certain of ERCOT’s Settlement Processes are “best practice”;
We will issue a letter to management with recommendations for further strengthening and improvement of controls;
The level of complexity of ERCOT’s markets and transaction systems will continue to increase.
Looking Forward
SAS 70 Reporting Alternatives
The SAS 70 standard provides for two types of reports on internal control structures of service organizations:
Type I
On design of controls in place at a point in time.
This is the report ERCOT is issuing
Type II
On design and effectiveness of controls in place for a period of time with details of tests performed.
(Typically performed after a period of business and systems stability)
Looking Forward
ERCOT should plan to evolve to a Type 2 environment (perhaps in 2004); factors to consider:
• Stability of processes
• Resource requirements - time and costs
• Resulting process improvement
• Value of report
• What ERCOT’s peers are doing
PwC to present broad-based 2003 Assurance Plan at next Committee meeting
Questions?