SAS 70 Presentation - PricewaterhouseCoopers by sdg97303


SAS 70
Third Party Report on Controls
Overview and Timetable

Finance / Audit Committee Meeting
Austin, Texas
January 14, 2003 / February 18, 2003


PwC
Agenda

• Overview of Project Scope and Results

• Scope of Project

• Summary of Report

• Commentary on Results of Testing

• Looking Forward



PricewaterhouseCoopers                    2
Overview of Project Scope and Results

Project is complete

Final draft report issued last week

Final report to be issued this week (perhaps today)

Opinion is unqualified

Scope of report is consistent with plan – described to
the Committee in July (in depth)






Scope of Project




Scope of Project – Reporting Structure

What is a SAS 70 report?
It is a report on internal controls based on a standard reporting
structure.
It is commonly referred to as a SAS 70 Report – named after the
auditing standard that defines the reporting framework of an internal
control examination for service organizations that must be relied
upon by its users/members/participants.


The Auditing Standard
The American Institute of Certified Public Accountants’ (AICPA)
Statement on Auditing Standards (SAS) No. 70: Reports on the
Processing of Transactions by Service Organizations

Processes Included in SAS 70

Business Process Controls

Registration
• Market Participant Registration

Market Operations / Power Operations
• Scheduling and Bidding
• Verbal Dispatch Instructions
• Transmission Control Rights

Load Prof., Data Acq. and Agg.
• Meter Data Acquisition
• Meter Data Aggregation
• Losses and UFE

Settlement, Billing & Finance
• Ancillary Services
• Balancing Energy
• Replacement Reserve
• Revenue Neutrality
• Black Start
• Other Fees
• Statements, Invoicing and Clearing




Processes Included in SAS 70

General Controls

Communications and IT Infrastructure
• Organization and Administration
• Logical Security
• Physical Security
• Configuration Management
• Computer Operations



Summary of Scope

Included in the SAS 70 scope:
• All business processes and general controls that impact or affect
  financial wholesale market settlement;
• Processes that are otherwise “invisible” to the members and for
  which they must rely on ERCOT for controls.


Not included in the SAS 70 scope:
• Operator and control room decisions
• Congestion pricing calculations
• Dispute resolution process
• Retail operations and customer switching




Summary of Scope

[Diagram: ERCOT - Overview, with the SAS 70 scope marked. Entities and systems shown: QSE, Legal, Operations, Load Profiling & Data Aggregation, Metered Entity, Power Operating System (POS), Market Operating System (MOS), Market Database, Client Services, Market Participant Regn, Settlement & Billing, Settlements (Lodestar), Meter Data Aggregation, Load Profiling, MV 90, ERCOT Polled Meters, TDSP Meters. Data flows labelled: Telemetry Data, Control Data, Market Data, Registration Information, Registration Data, Settlement Data, MOS to BE File, Meter Data, Settlement Statements & Invoices, Payments. Key: Input, File, System, Output.]






Summary of Report




Summary of Report

Section One – PwC opinion

Section Two – Description of processes and related
  control objectives and activities

Section Three – User control considerations

Section Four – Additional information

Section Five - Glossary




SAS 70 Opinion


PwC’s Unqualified Opinion states that:

The description presents fairly, in all material respects, ERCOT’s
controls for the identified processes.

And

The controls have been suitably designed to provide reasonable
assurance that the specified control objectives would be achieved
if those controls were complied with as at a specific date.




Section Two – the Core of the Report

Overview information - including ERCOT’s governance,
  oversight functions, and general control environment

Business processes - Generally comprising Settlements
  related functions (example meter data aggregation) -
  14 business processes in total

Information system processes - Representing IS
   infrastructure activities (example configuration and
   change management) – 6 functional areas in total




Section Two – the Core of the Report

Each of the 20 process descriptions is organized as
  follows:
  - Narrative description
  - Control objectives
  - Control activities

In summary, PwC’s report addresses the adequacy of the
   reported control activities to support the stated control
   objectives that are presented in this section







Commentary on
Results of Testing



Results of SAS 70

Execution in accordance with plan:
• Consistent with plan presented to the Committee in July 2002
• October 31, 2002 “as of date”
• Unqualified opinion
• Scope as planned – with some relatively minor additions for late
  developments (example – RMR)

Management took full responsibility:
• Responsible for control environment
• Responsible for report content




Review of SAS 70 Timeline

     The project began almost 10 months ago

 Mar 02:                SAS 70 Initial Development of Control Objectives

 Apr 02:                SAS 70 Readiness Exercise
                         • Business Processes – in good shape, most ready for SAS 70 testing
                         • General Controls – some control processes needed further
                           documentation and refinement.

 Jun - Aug 02:          SAS 70 Preparations
                         • Ongoing management efforts to complete readiness for SAS 70
                         • PwC involved in real-time review of improvements as they are
                           implemented

 Sep - Oct 02:          SAS 70 Testing

 Oct 31, 2002:          SAS 70 Type 1 Report “as of” Date

 Jan 03:                Report Issuance


Results of SAS 70

PwC Observations:
• ERCOT management and staff were responsive to PwC’s
  findings and recommendations identified during the audit process;
• Certain of ERCOT’s Settlement Processes are “best practice”;
• We will issue a letter to management with recommendations for
  further strengthening and improvement of controls;
• The level of complexity of ERCOT’s markets and transaction
  systems will continue to increase.








Looking Forward




SAS 70 Reporting Alternatives

The SAS 70 standard provides for two types of reports on
internal control structures of service organizations:

Type I
On design of controls in place at a point in time.
This is the report ERCOT is issuing.

Type II
On design and effectiveness of controls in place for a period of
time with details of tests performed.
(Typically performed after a period of business and systems stability)




Looking Forward


ERCOT should plan to evolve to a Type 2 environment
  (perhaps in 2004); factors to consider:
  • Stability of processes
  • Resource requirements - time and costs
  • Resulting process improvement
  • Value of report
  • What ERCOT’s peers are doing

PwC to present broad-based 2003 Assurance Plan at next
  Committee meeting






Questions?



