SAS 70 Presentation - PricewaterhouseCoopers by sdg97303


SAS 70
Third Party Report on Controls
Overview and Timetable

Finance / Audit Committee
Austin, Texas
January 14, 2003 / February 18, 2003


• Overview of Project Scope and Results

• Scope of Project

• Summary of Report

• Commentary on Results of Testing

• Looking Forward

PricewaterhouseCoopers                    2
Overview of Project Scope and Results

Project is complete

Final draft report issued last week

Final report to be issued this week (perhaps today)

Opinion is unqualified

Scope of report is consistent with plan – described to
the Committee in July (in depth)


Scope of Project

Scope of Project – Reporting Structure

What is a SAS 70 report?
It is a report on internal controls based on a standard reporting
It is commonly referred to as a SAS 70 Report – named after the
auditing standard that defines the reporting framework of an internal
control examination for service organizations that must be relied
upon by its users/members/participants.

The Auditing Standard
The American Institute of Certified Public Accountants’ (AICPA)
Statement on Auditing Standards (SAS) No. 70: Reports on the
Processing of Transactions by Service Organizations

   Processes Included in SAS 70

Business Process Controls

Registration
• Market Participant

Market Operations / Power Operations
• Scheduling and Bidding
• Verbal Dispatch
• Transmission

Load Prof., Data Acq. and Agg.
• Meter Data Acquisition
• Meter Data Aggregation
• Losses and UFE

Settlement, Billing & Finance
• Ancillary Services
• Balancing Energy
• Replacement Reserve
• Revenue
• Black Start
• Other Fees
• Statements, Invoicing and

   Processes Included in SAS 70

                                     Communications and IT Infrastructure

             • Organization and Administration
             • Logical Security
             • Physical Security
             • Configuration Management
             • Computer Operations

Summary of Scope

Included in the SAS 70 scope:
• All business processes and general controls that impact or affect
  financial wholesale market settlement;
• Processes that are otherwise “invisible” to the members and for
  which they must rely on ERCOT for controls.

Not included in the SAS 70 scope:
• Operator and control room decisions
• Congestion pricing calculations
• Dispute resolution process
• Retail operations and customer switching

Summary of Scope

[Diagram: ERCOT - Overview. Labelled elements: QSE, Legal, Operations, Load Profiling & Data Aggregation, Metered Entity, Telemetry Data, Power Operating System (POS), Market Operating System (MOS), Database, Registration Information, MOS to BE File, MV 90, ERCOT Polled, Settlement & Billing, Market Participant, Registration Data, Meter Data, Meter Data Aggregation, TDSP Meters, Statements & Invoices, Settlements (Lodestar), Load Profiling. The SAS 70 scope is marked on the diagram. Key: Input, File, System, Output.]


Summary of Report


Section One – PwC opinion

Section Two – Description of processes and related
  control objectives and activities

Section Three – User control considerations

Section Four – Additional information

Section Five - Glossary

SAS 70 Opinion

                 PwC’s Unqualified Opinion states that:

         The description presents fairly, in all material respects, the
              ERCOT’s controls for the identified processes.

     The controls have been suitably designed to provide reasonable
    assurance that the specified control objectives would be achieved
        if those controls were complied with as at a specific date.

Section Two – the Core of the Report

Overview information - including ERCOT’s governance,
  oversight functions, and general control environment

Business processes - Generally comprising Settlements
  related functions (example meter data aggregation) -
  14 business processes in total

Information system processes - Representing IS
   infrastructure activities (example configuration and
   change management) – 6 functional areas in total

Section Two – the Core of the Report

Each of the 20 process descriptions is organized as
  - Narrative description
  - Control objectives
  - Control activities

In summary, PwC’s report addresses the adequacy of the
   reported control activities to support the stated control
   objectives that are presented in this section


Commentary on Results of Testing

Results of SAS 70

Execution in accordance with plan:
• Consistent with plan presented to the Committee in July 2002
• October 31, 2002 “as of date”
• Unqualified opinion
• Scope as planned – with some relatively minor additions for late
  developments (example – RMR)

Management took full responsibility:
• Responsible for control environment
• Responsible for report content

Review of SAS 70 Timeline

     The project began almost 10 months ago

 Mar 02:                SAS 70 Initial Development of Control Objectives

 Apr 02:                SAS 70 Readiness Exercise
                         • Business Processes – in good shape, most ready for SAS 70 testing
                         • General Controls – some control processes needed further
                           documentation and refinement.

 Jun - Aug 02:          SAS 70 Preparations
                         • Ongoing management efforts to complete readiness for SAS 70
                         • PwC involved in real-time review of improvements as they are

 Sep - Oct 02:          SAS 70 Testing

 Oct 31, 2002:          SAS 70 Type 1 Report “as of” Date

 Jan 03:                Report Issuance

Results of SAS 70

PwC Observations:
• ERCOT management and staff were responsive to PwC’s
  findings and recommendations identified during the audit process;
• Certain of ERCOT’s Settlement Processes are “best practice”;
• We will issue a letter to management with recommendations for
  further strengthening and improvement of controls;
• The level of complexity of ERCOT’s markets and transaction
  systems will continue to increase.


Looking Forward

SAS 70 Reporting Alternatives

The SAS 70 standard provides for two types of reports on
internal control structures of service organizations:

Type I
• On design of controls in place at a point in time.
• This is the report ERCOT is issuing

Type II
• On design and effectiveness of controls in place for a period of
  time with details of tests
• (Typically performed after a period of business and systems stability)

Looking Forward

ERCOT should plan to evolve to a Type 2 environment
  (perhaps in 2004); factors to consider:
            Stability of processes
            Resource requirements - time and costs
            Resulting process improvement
            Value of report
            What ERCOT’s peers are doing

PwC to present broad-based 2003 Assurance Plan at next
  Committee meeting



                           
