welcome
play

Welcome! NERC 2019 Compliance and Standards Workshop Embassy Suites - PowerPoint PPT Presentation

Dec 19, 2022 •734 likes •1.82k views

Welcome! NERC 2019 Compliance and Standards Workshop Embassy Suites by Hilton Minneapolis July 23, 201 9 RELI ABI LI TY | RESI LI ENCE | SECURI TY NERC Antitrust Compliance Guidelines It is NERCs policy and practice to obey the antitrust

  1. Developing SCRM Plans & Internal Controls  What should I consider or include when developing my CIP-013-1 SCRM procurement plan? • R1 procurement plan and processes ◦ Part R1.1 ◦ Part 1.2 (Parts R1.2.1 – R1.2.6) ◦ CIP-005-6 (Parts 2.4, 2.5) ◦ CIP-010-3 (Part 1.6) • R2 implementation aspects (i.e., How will I document each applicable procurement implementation) • R3 review and approval processes  Develop internal controls to ensure timely and accurate compliance and effective artifacts in conjunction with the CIP-013-1 plans and processes 5

  2. Specific Vendor Risks  The Standard establishes minimum expectations for six key areas [R1.2.1 – R1.2.6] that require specific processes to address various components of vendor access and other risks to high and medium impact BCS through vendor products and/or services: 1. Notifications of vendor-identified incidents, 2. Coordination of responses to such incidents, 3. Notification of termination of remote or onsite access to BCS for vendor representatives, 4. Disclosure by vendors of known vulnerabilities, 5. Verification of software and patch integrity and authenticity, and 6. Coordination of controls for vendor-initiated IRA and system-to-system remote access. 6

  3. CIP-013-1 R1 CIP-013-1 recognizes the risks posed by compromised BCS through vendor products and/or services and expressly requires applicable Responsible Entities to: “develop one or more documented supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems. The plan(s) shall include” [see Parts R1.1 and R1.2]:  How can I comply with R1? • “ Responsible entities should consider how to leverage the various components and phases of their processes (e.g. defined requirements, request for proposal, bid evaluation, external vendor assessment tools and data, third party certifications and audit reports* , etc.) to help them meet the objective of Requirement R1 and give them flexibility to negotiate contracts with vendors to efficiently mitigate risks . ”(NERC, 2017 April, SCRM Implementation Guidance: General Considerations , p. 1) * Bold font indicates [emphasis added], where applicable, to draw attention to specific items 7

  4. CIP-013-1 Part R1.1 One or more process(es) used in planning for the procurement of BES Cyber Systems to identify and assess cyber security risk(s) to the Bulk Electric System from vendor products or services resulting from: i. procuring and installing vendor equipment and software; and ii. transitions from one vendor(s) to another vendor(s).  What does “ identify and assess ” mean in terms of developing and documenting the R1 SCRM plan?  Should an entity mitigate identified cyber security risks? • Yes, remember the CIP-013-1 Security Objective, “ To mitigate cyber security risks… ” (p. 1), which is reinforced by the note in the Requirement 1: Rationale section, “ The security objective is to ensure entities consider … options for mitigating these risks (Part 1.1, p. 11) 8

  5. CIP-013-1 Part R1.2 One or more process(es) used in procuring BES Cyber Systems that address the following, as applicable :  Do I really need to include specific processes and/or procedures for each of the six R1.2 Parts in my SCRM procurement plan?  What does “ as applicable ” mean in terms of my R1 plan and R2 implementation? 9

  6. CIP-013-1 Part R1.2.1 Notification by the vendor of vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity ;  How can an entity encourage vendors to provide such notifications?  What would a prudent entity do to mitigate identified risks? 10

  7. CIP-013-1 Part R1.2.2 Coordination of responses to vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity ;  How can an entity establish this coordination of responses for such incidents?  What would a prudent entity do if and when notified of vendor-identified, SCRM-related incidents? 11

  8. CIP-013-1 Part R1.2.3 Notification by vendors when remote or onsite access should no longer be granted to vendor representatives ;  How can an entity encourage vendors to provide such notifications?  What would a prudent entity do upon such access notifications? 12

  9. CIP-013-1 Part R1.2.4 Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity ;  How can an entity encourage vendors to provide such disclosures?  How would a prudent entity mitigate the risks of such vulnerabilities? 13

  10. CIP-013-1 Part R1.2.5 Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System; and  How can an entity verify the software integrity and authenticity of software and patches provided by vendors?  What would a prudent entity do once the integrity and authenticity of a software update or patch is verified? 14

  11. CIP-013-1 Part R1.2.6 Coordination of controls for (i) vendor-initiated Interactive Remote Access, and (ii) system-to- system remote access with a vendor(s).  How would a prudent entity establish coordination of controls for remote access? 15

  12. Documenting Parts 1.2.1-1.2.6  How can an entity document compliance with Parts 1.2.1 through 1.2.6: • In its R1 procurement plan? • For each applicable R2 implementation? 16

  13. Don’t Forget CIP-005 & CIP-010  A prudent entity will prepare for compliance with CIP-005-6 Part 2.4 and Part 2.5, as well as CIP-010-3 Part 1.6, on or before the effective date (July 1, 2020)  These components will be audited by the CIP- 005 and CIP-010 audit teams, as applicable 17

  14. Auditing CIP-013-1 R1  What R1 evidence will the CIP-013 audit team expect?  What R1 internal controls would a prudent entity develop? 18

  15. Implementing the SCRM Plan (R2) Each Responsible Entity shall implement its supply chain cyber security risk management plan(s) specified in Requirement R1 .  What R2 evidence demonstrating an implementation of the SCRM plan will the CIP-013 audit team expect for each applicable procurement after the effective date?  Archive SCRM evidence on a case-by-case basis  What R2 internal controls would a prudent entity develop? 19

  16. Approving the SCRM Plan (R3) Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calendar months .  Initial review and approval is due on or before July 1, 2020 (NERC, 2017 July, Implementation Plan: Initial Performance section, p. 3)  No more than 15 calendar months apart thereafter  What R3 evidence will the CIP-013 audit team expect?  What R3 internal controls would a prudent entity develop ? 20

  17. Looking Ahead to CIP-013-2  Review the 2019 NERC Staff Report on SCRM • Addresses FERC’s directive to “ develop modifications to include EACMS associated with medium and high BES Cyber Systems ” (FERC, Order 850 , para. 5, p. 54994) within 24 months of the effective date of Order 850 • Also addresses FERC concerns relative to the SCRM impacts of PACS, PCA, and LIBCS • Provides insight into various industry white papers (NERC, Supply Chain Risk Mitigation Program )  Expect additional SCRM compliance obligations for EACMS associated with high and medium impact BCS, with more to come later on from FERC, NERC, and the SDT  The SCWG is developing SCRM procurement documents, which may be rolled into CIP-013-2 Requirements or into future implementation guidance documents 21

  18. ERO References  FERC. (2018 October 26). Order No. 850: CIP-013-1—Supply Chain Risk Management Reliability Standard Final Rule. 165 FERC ¶ 61, 020, 18 CFR Part 40, Docket No. RM17-13-000. In Federal Register, 83 (208), pp. 53992-54005. Retrieved from https://www.gpo.gov/fdsys/pkg/FR-2018-10-26/pdf/2018-23201.pdf  NERC. (2019 February 9). Cybersecurity Supply Chain Risks: Staff Report and Recommended Actions [Draft]. In MRC Agenda Item 9, pp. 4-43. Retrieved from https://www.rtoinsider.com/wp-content/uploads/Draft-NERC-Supply-Chain- Report-2-6-19.pdf  NERC. (2018 October 18). CIP-013-1 – Cyber Security - Supply Chain Risk Management [Reliability Standard]. Retrieved from https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-013-1.pdf  NERC. (n. d.) Supply Chain Risk Mitigation Program [Links to Industry White Papers]. Retrieved from https://www.nerc.com/pa/comp/Pages/Supply-Chain- Risk-Mitigation-Program.aspx 22

  19. Industry References  Executive Order 13873. (2019 May 17). Securing the Information and Communications Technology and Services Supply Chain . In Federal Register, 84 (96), pp. 22689-22692. Retrieved from https://www.govinfo.gov/content/pkg/FR-2019-05-17/pdf/2019-10538.pdf  Executive Order 13636. (2013 February 19). Improving Critical Infrastructure Cybersecurity . In Federal Register, 78 (33), pp. 11739-11744. Retrieved from https://www.federalregister.gov/documents/2013/02/19/2013-03915/improving-critical- infrastructure-cybersecurity  NATF. (2017 November 6). Software Integrity & Authenticity Implementation Guidance for CIP-010-3 R1 Requirement Part 1.6 [ERO Approved Guidance Document] . Retrieved from https://www.nerc.com/pa/comp/guidance/EROEndorsedImplementationGuidance/ CIP-010-3%20R1.6%20Software%20Integrity%20and%20Authenticity.pdf 24

  20. Other References  Department of Homeland Security [DHS-CISA]. (2019 May 20) Unmanned Aircraft Systems (UAS) - Critical Infrastructure . Retrieved from https://www.dhs.gov/cisa/uas-critical-infrastructure  Network Security. (2018 August). Russian Hackers Breach US Electricity Network . Elsevier Press. ISSN 1353-4858 (pp. 1-3). Retrieved from https://www.sciencedirect.com/science/article/pii/S1353485818300722?via%3Dihub  Smith, R. (2018 July 23). Russian Hackers Reach U.S. Utility Control Rooms. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/russian- hackers-reach-u-s-utility-control-rooms-homeland-security-officials- say-1532388110  Smith, R., & Barry, R. (2019 January 10). America’s Electric Grid Has a Vulnerable Back Door—and Russia Walked Through It . The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/americas-electric-grid-has-a-vulnerable-back- doorand-russia-walked-through-it-11547137112 25

  21. Audit Approach & IC Summary  Approach CIP-013-1 compliance as a project with well-defined tasks, timelines, and processes designed to: • Develop and document the R1 SCRM procurement plan • Develop an R2 implementation plan for the R1 SCRM plan • Approve the initial R1 SCRM plan on or before July 1, 2020 • Ensure the R1 SCRM procurement plan is reviewed, updated, and approved at least once every 15 calendar months thereafter  Maintain R1-R3 audit evidence relative to new procurement of all vendor products and/or services obtained for High and Medium BCS after July 1, 2020  Develop CIP-013-1 R1-R3 internal controls concurrently with SCRM procurement plans, processes and procedures  Be proactive and monitor for future changes in CIP-013-2  Time permitting, are there any other questions? 26

  22. Contact: Dr. Joseph B. Baugh Senior Compliance Auditor—Cyber Security jbaugh@wecc.org 27

  23. Facility Rating Internal Controls Keith Smith Manager, O& P Compliance Monitoring Meeting Title Date

  24. Objectives ● Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility  Consideration of all applicable equipment  Accurate Equipment Ratings ● Ensure established Facility Ratings are consistently utilized  Protection  Analysis  Monitoring 2

  25. Internal Controls Internal controls are the processes and tools an entity utilizes to meet the identified objectives All entities will have some level of internal controls in place Internal control expectations dependent on inherent risk of entity 3

  26. Internal Controls Methodology Inventory Verification Change Management 4

  27. Facility Rating Methodology FAC-008 requires registered entities to have a methodology and/or documentation that includes the method, assumptions, and process for determining Facility Ratings 5

  28. Facility Rating Methodology Example #1 ● Low Bar Power Company has a methodology addressing each item required by the Standard at a high level. 6

  29. Facility Rating Methodology Example #2 ● Max Reliability Power Company has a detailed methodology that address each item in the Standard and includes:  Annual reviews  Roles and responsibilities  Identification of tools  Step-by-step work instructions 7

  30. Inventory Inventory tracking of Facility Ratings, the equipment that comprises each Facility, and all Equipment Ratings is necessary for: - Establishing Facility Ratings - Evaluating change impacts - Verifying Facility Ratings 8

  31. Inventory Example #1 ● Low Bar Power Company maintains a spreadsheet that identifies the series equipment, Equipment Ratings, and Facility Rating for its Facilities 9

  32. Inventory Example #2 ● Max Reliability Power Company maintains a database that identifies the series equipment, Equipment Ratings, and Facility Rating for its Facilities, and includes:  Equipment Rating documentation  Flagging when Equipment Rating changes impact Facility Ratings  Identification of Facilities with unique characteristics  Required fields dependent on characteristics of Facilities  Automated notification for Facility Rating changes 10

  33. Verification Verification of Facility Ratings is a detective control to help ensure Facility Ratings respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility. 11

  34. Verification Example #1 ● Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings 12

  35. Verification Example #2 ● Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate.  Anomalies evaluated for applicability to other Facilities  Identified Facilities prioritized for future field inspections 13

  36. Change Management Change management processes are necessary to ensure: • Equipment Rating changes are evaluated to identify impacts to Facility Ratings • Facility Rating changes are evaluated to identify impacts to protection, analysis, and monitoring of the Bulk Electric System 14

  37. Change Management Example TOP- 003-3 PRC- TOP- 023-4 001-4 Facility Ratings TOP- MOD- 032-1 002-4 IRO- TPL- 010-2 001-4 15

  38. Change Management Example #1 ● Low Bar Power Company has no documented change management processes but states:  Its personnel will know to review Facility Ratings if equipment changes occur  Appropriate personnel should receive an email when Facility Ratings change 16

  39. Change Management Example #2 ● Max Reliability Power Company has robust documented change management processes for equipment changes that include:  Evaluation of changes by subject matter experts  Required change approvals prior to changes being implemented  Notification to update inventory after changes implemented  Confirmation that changes implemented as planned 17

  40. Change Management Example #2 ● Max Reliability Power Company has robust documented change management processes for Facility Rating changes that include:  Automated notification of Facility Rating changes • Protection Engineering • System Planning • System Operations • Operations Support  Checklist to verify appropriate follow-up action(s) taken  Periodic comparisons with internal and external models 18

  41. Questions? Meeting Title Date 19

  42. Break Webinar participants: We will return at 3:45 p.m. Central RELI ABI LI TY | RESI LI ENCE | SECURI TY

  43. NERC 2019 Compliance & Standards Workshop Eversource Energy Service Company July 23 – 24 th , 2019 Minneapolis, MN 55402 Paolo D’ D’Alessandro, J JD Senio ior S Specia ialist Relia iabil ilit ity C Compliance Safety First and Always

  44. Eversource Energy: Service Territories  Eversource provides electric service in CT, MA, and NH states through the following regulated subsidiaries (all doing business as Eversource Energy): – Connecticut Light & Power with over 1,270,000 electric customers – NSTAR Electric, including former Western Massachusetts Electric Company with 1,380,000 electric customers – Public Service of New Hampshire with 528,000 electric customers  Eversource Energy Service Company provides certain functions, such as transmission operations and transmission planning. ESCC  Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas, delivering natural gas to approximately 524,000 customers. NSTAR ISO-NE  Eversource serves nearly 230,000 water customers through Aquarion Water Company.  Eversource has approx. 8,000 employees . CONVEX 2 Safety First and Always

  45. Eversource Energy: One Registered Entity Effective January 1, 2018, Eversource Energy Service Company (NCR07176) registration was • consolidated with: Connecticut Light and Power (NCR07044) • NSTAR Electric Company (NCR7180) • Public Service of New Hampshire (NCR07203) • Western Massachusetts Electric (NCR07232) • Benefits of registration consolidation include the following: • Supports efforts for consistency and best practice across 3 states • Efficiency through consolidation of external audits • In January 2018, PSNH completed the sale of its fossil fuel and generation units, therefore • Eversource is no longer a GO or GOP As of January 2018, Eversource Energy’s functional registration is now: • r e d n n n n i v o o o o o n i i i i s s s s r o P s s s s i r t r i i o i i r u e m m m m e e r t b d a c e s s s n s i i r i r v n n n n n n v e t o r a w a a a a s p e r i r r r l r O O D P P S T T T T DP TO TOP TP TSP Eversource Energy Service Company NCR07176 X X X X X Safety First and Always

  46. A Strong Compliance Culture Continued efforts to consolidate three state organizations for consistency and identification • of best practices, tools and controls. Strong senior management commitment. Executives are regularly engaged in supporting • compliance related activities. Dedicated departments to focus on compliance (Reliability Compliance, Operational • Compliance and Internal Audit). Work activities foster a systematic approach to operational excellence and compliance. •  Reportability Determinations / Root Cause Analysis  Self Assessments > Lessons Learned > Roadshow Presentations Internal Audits   Events Analysis  Training (i.e. CIP annual training) Eversource SMEs lead on embedding compliance within their respective functional teams. • SME responsibilities primarily effect the following enterprise level groups: Safety First and Always

  47. Organization: Dedicated Committees & Departments to Ensure Compliance Comm mmittees es Compliance and Ethics Committee Reliability Steering Committee - Quarterly Compliance Work Plan (CWP) - Monthly Departments Reliability Compliance / Operational Compliance Internal Audit Enterprise Risk Management Safety First and Always

  48. Eversource - Enterprise-Wide Controls Examples of internal controls that support NERC compliance at an enterprise-wide level consist of the following: Relia iabil ilit ity C Compliance Oversee and assist the business in ensuring compliance with all Department applicable Reliability Standards & Requirements Co Compl pliance a and nd E Ethics Executive level committee that oversees all compliance activity Com ommi mittee within the organization Int nternal A Aud udit Independently conducts periodic audits of compliance activities, including NERC Reliability Standards Enterprise R Risk Framework and process that enables enterprise wide view of Man anagem agement business risks and how they are appropriately managed and mitigated Co Compl pliance Work Plan n Monthly meetings to brief leadership on compliance activity including (1) KPI’s (2) standards development & implementation (3) review of compliance activity (4) emerging issues CAT ATSWeb Database system used to track and ensure completion of gap analysis and action plans for applicable NERC Standards and NPCC Directories Safety First and Always

  49. Eversource Cyber Strategy Risk Based, Defense In Depth strategy that evolves based on the business and industry trends Ensure OT/SCADA Ensure Cloud Ensure New Technologies Systems are Secure Technologies are Secure are Secure (IT & OT) 3 rd party reviews D evice authentication Privilege Access Mgmt. • • D evice and network Identity & Access Mgmt. Application testing • • monitoring End Point Security Penetration testing • • Strict external/remote • Application isolation • Mobile device security access protocols Secure Legacy Systems Technologies that isolate or protect vulnerable systems from being exploited Ensure Strong Cyber Hygiene Policies, Vulnerability Management, Anti-malware technology, Security Monitoring, Security Awareness, Incident Response, Encryption, Secure Architecture Safety First and Always

  50. Eversource O&P/CIP ICE Lessons Learned In 2018, Eversource participated in both an O&P and CIP ICE exercise. Positive feedback was received from SMEs and Senior Management on the following:  While resource intensive, the benefit of having a full review of internal controls, enhancement to existing controls and the reduction in audit scope outweighed the impact to the line.  Flowcharts were useful to demonstrate internal controls (detective, preventative) that support ongoing compliance.  If an entity decides to participate, don’t underestimate the time needed to work with SMEs to review controls, complete the ICE Template and create flowcharts. Safety First and Always

  51. FAC-003-4 Flowchart Safety First and Always

  52. TOP-002-4 Flowchart Safety First and Always

  53. MOD-032-1 Flowchart Safety First and Always

  54. CIP-011-2 Flowchart Safety First and Always

  55. Questions? Safety First and Always

  56. Control Development Kristen Long, Sr. Analyst C r e a t i n g s u s t a i n a b l e v a l u e f o r a l l

  57. DRAFT NERC CONTROLS DEVELOPMENT OVERVIEW Purpose: NERC Compliance will lead a complete review of existing controls and work with the Business Units to develop new controls utilizing the appropriate control type (detective, corrective, preventative) to address compliance, reliability, security, financial, and/or operational risks, and document the updated controls in Archer Gather existing Kickoff meeting Development Approval Upload to GRC Tool information with BU meetings •NERC standard •Outline the process •Review the •Control owners standard •Current RSAW •Create schedule •NERC Compliance •Determine the need SMEs •Policies and •Define deliverables for a process map procedures •NERC Compliance •Review and management •Enforcement updated existing history controls •Existing controls •Develop new •Etc. controls and tests to address risks HIGHLY SENSITIVE, CONFIDENTIAL AND PROPRIETARY. SEE NOTICE ON LAST PAGE Page 2

  58. Archer – NERC Compliance Control Development End Goal – develop rigorous preventative controls and tests for NERC reliability standards applicable to Entergy Priority – start with CMEP standards, focus on CMEP requirements with Med/High VRF (2019) Approach – tailored to the individual standard: • CMEP med/high requirements vs entire standard • Complete process mapping where applicable • Consider all risks – compliance, reliability, security, etc. • Control & Testing rigor based on violation risk factor VRF and enforcement history • Partner with Projects SME and BU SMEs • RSAW updates – where applicable HIGHLY SENSITIVE, CONFIDENTIAL AND PROPRIETARY. SEE NOTICE ON LAST PAGE Page 3

  59. Risk Drives Robustness of Internal Controls All controls address some type of risk: compliance (RSAW measures), reliability (relay settings being in sync, preventing cascading outages), security (unauthorized physical or cyber intrusion), financial, operational. Items that could affect risk: • Monitoring objectives • Inherent risk (CMEP) • Known or potential internal deficiencies (e.g., inexperience of owners/testers, complicated manual process, etc.), and • Previous enforcement history HIGHLY SENSITIVE, CONFIDENTIAL AND PROPRIETARY. SEE NOTICE ON LAST PAGE Page 4

  60. Control & Test Balancing Approach to Control & Test Deployment • Requires a balancing of considerations Established Process Less persuasive evidence/ = No More persuasive documentation, fewer Violations evidence/ controls & tests = documentation, increased controls & Lower Risk tests Higher Risk HIGHLY SENSITIVE, CONFIDENTIAL AND PROPRIETARY. SEE NOTICE ON LAST PAGE Page 5

  61. How do I start? • Create Process Map – process map is a visual depiction of the high level process. It should include the following information: • Flowchart style picture of process(es) • Implementing Procedures/Policies • Critical steps • Area responsibilities • Known Risks • Procedure steps • Link to requirements HIGHLY SENSITIVE, CONFIDENTIAL AND PROPRIETARY. SEE NOTICE ON LAST PAGE Page 6

  62. FOR ILLUSTRATIVE PURPOSES ONLY HIGHLY SENSITIVE, CONFIDENTIAL AND PROPRIETARY. SEE NOTICE ON LAST PAGE Page 7

  63. HIGHLY SENSITIVE, CONFIDENTIAL AND PROPRIETARY. SEE NOTICE ON LAST PAGE Page 8

  64. Additional Considerations • Is the control, to the largest extent possible, automated? • Are compensating and supporting internal controls needed? • Is the level of documentation available for the control sufficient? • Are any controls necessary to meet the objective missing? • Even if the control operates as designed, will it fail to meet the objective? (if so = improperly designed) . HIGHLY SENSITIVE, CONFIDENTIAL AND PROPRIETARY. SEE NOTICE ON LAST PAGE Page 9

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Audit Committee Internal Audit Work Plan Recommendation October 6, 2016 John Mickevice

Audit Committee Internal Audit Work Plan Recommendation October 6, 2016 John Mickevice

APS Internal Audit Department Audit Committee Internal Audit Work Plan Recommendation October 6, 2016 John Mickevice Presentation Overview Overview of Internal Audit at APS Risk Assessment Analysis Factors for APS Projects

334 views • 17 slides
Internal Controls Presented by: Patrick Cowen, CPA, CIA, CISA Why Internal Controls? Prevent

Internal Controls Presented by: Patrick Cowen, CPA, CIA, CISA Why Internal Controls? Prevent

Internal Controls Presented by: Patrick Cowen, CPA, CIA, CISA Why Internal Controls? Prevent and Detect Fraud, Waste and Abuse Motive + Opportunity + Justification = Fraud 2 What Are Internal Controls? Internal Control is a process set by

547 views • 42 slides
Internal Control Integrated Framework January 2013 0 Table of Contents Project

Internal Control Integrated Framework January 2013 0 Table of Contents Project

Internal Control Integrated Framework January 2013 0 Table of Contents Project Overview Updates to Internal Control-Integrated Framework Overview of Internal Control over External Financial Reporting: Compendium of

270 views • 23 slides
Learning Objectives At the end of this session, you will be able to Recall two of the

Learning Objectives At the end of this session, you will be able to Recall two of the

5/1/2020 Fundamentals of Internal Control Presented by: Tracy Arner and Beth Horacek tarner@uga.edu beth.horacek@uga.edu Learning Objectives At the end of this session, you will be able to Recall two of the frameworks for internal control

396 views • 21 slides
The New COSO Framework: Avoiding Deficiencies and Driving Change Session #308 IASA 87 TH ANNUAL

The New COSO Framework: Avoiding Deficiencies and Driving Change Session #308 IASA 87 TH ANNUAL

The New COSO Framework: Avoiding Deficiencies and Driving Change Session #308 IASA 87 TH ANNUAL EDUCATIONAL CONFERENCE & BUSINESS SHOW Speaker Introductions Greg Daniel, CISA, CRMA Kimberley Mobley, CPA, CISA Ryan Isbell, CPA Partner

577 views • 40 slides
2019 Risk & Compliance Conference Office of Internal Audit Objectives Introduce Internal

2019 Risk & Compliance Conference Office of Internal Audit Objectives Introduce Internal

April 4, 2019 2019 Risk & Compliance Conference Office of Internal Audit Objectives Introduce Internal Auditing Identify One Control Enhancement Take- away Avoid Being Boring University of Alabama System Office of

848 views • 16 slides
Organization of financial capacities training - Croatian experience Mirna Juri Central

Organization of financial capacities training - Croatian experience Mirna Juri Central

Organization of financial capacities training - Croatian experience Mirna Juri Central Harmonization Unit Ministry of Finance of the Republic of Croatia the Hague, 6 & 7 November 2018 Topics 1. Introduction State Treasury

693 views • 31 slides
Know Your Customers Who Are Your Rotary club Customers ? How Do Rotary clubs Make Money ?

Know Your Customers Who Are Your Rotary club Customers ? How Do Rotary clubs Make Money ?

Know Your Customers Who Are Your Rotary club Customers ? How Do Rotary clubs Make Money ? Defining Customer /Rotary club Participant Rotarians Rotaractors Interactors RYLArians Rotary Youth Exchange students

309 views • 26 slides
IT Updates Maryland Health Benefit Exchange Board Meeting January 26, 2014 Presented by: Kevin

IT Updates Maryland Health Benefit Exchange Board Meeting January 26, 2014 Presented by: Kevin

IT Updates Maryland Health Benefit Exchange Board Meeting January 26, 2014 Presented by: Kevin Yang CIO, MHBE A service of Maryland Health Benefit Exchange Agenda Key Online Enrollment Statistics HIX Program Management Consumer Experience

349 views • 9 slides
LESSONS LEARNED FROM REVIEWING 150 INFRASTRUCTURES_ JON TOPPER | @jtopper | he/him/his $ whoami

LESSONS LEARNED FROM REVIEWING 150 INFRASTRUCTURES_ JON TOPPER | @jtopper | he/him/his $ whoami

LESSONS LEARNED FROM REVIEWING 150 INFRASTRUCTURES_ JON TOPPER | @jtopper | he/him/his $ whoami Founder/CEO/CTO The Scale Factory Working in hosting/infrastructure for 20 years Infrastructure / AWS / DevOps @jtopper @jtopper REVIEWS RUN _

631 views • 49 slides
MY PERSONAL JOURNEY IN QUALITY: GROWTH AND OPPORTUNITIES Presented by Monica Daneshrad, MSQA

MY PERSONAL JOURNEY IN QUALITY: GROWTH AND OPPORTUNITIES Presented by Monica Daneshrad, MSQA

MY PERSONAL JOURNEY IN QUALITY: GROWTH AND OPPORTUNITIES Presented by Monica Daneshrad, MSQA AGENDA Change in Topic Learning Objectives Background Rock Bottom Challenges/Opportunities/Quality Theory Interpersonal Dealings

298 views • 27 slides
Andrea White, Human Resource Manager Gail Bair, Administrative Specialist Jennifer Wilfong, Clerk

Andrea White, Human Resource Manager Gail Bair, Administrative Specialist Jennifer Wilfong, Clerk

Andrea White, Human Resource Manager Gail Bair, Administrative Specialist Jennifer Wilfong, Clerk II - Payroll Wha t do e s HR Do ? Human Resource Management is the practice of recruiting, hiring and managing the organizations employees.

207 views • 17 slides
RULES OF ENGAGEMENT B E INVOLVED B E ENGAGED B E PREPARED TO BE CALLED UPON B E

RULES OF ENGAGEMENT B E INVOLVED B E ENGAGED B E PREPARED TO BE CALLED UPON B E

TOOLS FOR INTENTIONAL EXCELLENCE IN WORKING WITH INTERNAL STAKEHOLDERS D R . R UBIN C OCKRELL RULES OF ENGAGEMENT B E INVOLVED B E ENGAGED B E PREPARED TO BE CALLED UPON B E OPEN MINDED B E WILLING TO UNLEARN LEARNED

403 views • 28 slides
Addendum to Low Speed Bearing Analysis Paper Bruce Weathersby May 2015 1. Cost of

Addendum to Low Speed Bearing Analysis Paper Bruce Weathersby May 2015 1. Cost of

Addendum to Low Speed Bearing Analysis Paper Bruce Weathersby May 2015 1. Cost of outages for bearing replacement and production losses during those outages were not included in the original paper. 2. The real root cause of the bearing

128 views • 8 slides
Durable Business Drives Cash Flow and Dividend Growth September 2018 Safe Harbor Language and

Durable Business Drives Cash Flow and Dividend Growth September 2018 Safe Harbor Language and

Durable Business Drives Cash Flow and Dividend Growth September 2018 Safe Harbor Language and Reconciliation of 2 Non-GAAP Measures This presentation contains certain forward-looking statements within the meaning of the Private Securities

565 views • 28 slides
A r t i s R e a l E s t a t e I n v e s t m e n t T r u s t Q 2 - 1 9 I n v e s t o r P r e

A r t i s R e a l E s t a t e I n v e s t m e n t T r u s t Q 2 - 1 9 I n v e s t o r P r e

A r t i s R e a l E s t a t e I n v e s t m e n t T r u s t Q 2 - 1 9 I n v e s t o r P r e s e n t a t i o n A u g u s t 2 0 1 9 Forward-Looking Information This presentation contains forward-looking statements. For this purpose, any

551 views • 19 slides
Managing the Internal and External Marketing Efforts Table of Contents Marketing Today

Managing the Internal and External Marketing Efforts Table of Contents Marketing Today

Managing the Internal and External Marketing Efforts Table of Contents Marketing Today Experiences Behaviors Implications Bite Size Messaging Good Digital Customer Service Knowing the Brand You Market Youth Sports

497 views • 26 slides
Wichita Police Department Organizational Assessment Wichita State University Hugo Wall School of

Wichita Police Department Organizational Assessment Wichita State University Hugo Wall School of

Wichita Police Department Organizational Assessment Wichita State University Hugo Wall School of Public Affairs Center for Urban Studies February 12, 2015 1 PURPOSE of the ASSESSMENT 1. To provide recommendations for the selection process

466 views • 43 slides
Embracing the paradigm shift and creating opportunity for Procurement PM Society Event

Embracing the paradigm shift and creating opportunity for Procurement PM Society Event

Digitalization in Marketing Embracing the paradigm shift and creating opportunity for Procurement PM Society Event February 26 th 2020 Philipp Schuster Global Category Lead, Creative & Digital A revolution for all parts of life!

675 views • 8 slides
Marketing reforms in Ghanas cocoa sector Partial liberalisation, partial benefits? Anna Laven

Marketing reforms in Ghanas cocoa sector Partial liberalisation, partial benefits? Anna Laven

Marketing reforms in Ghanas cocoa sector Partial liberalisation, partial benefits? Anna Laven AMIDSt-University of Amsterdam 19 November 2007 Data collection Two farmer surveys (2003 and 2005): 200 farm-owners and 80 caretakers, from 34

2.17k views • 9 slides
Endowment 101 Gary Barnes, Vice Chancellor and CFO June 26, 2017 Endowment Funds The lifeblood

Endowment 101 Gary Barnes, Vice Chancellor and CFO June 26, 2017 Endowment Funds The lifeblood

Endowment 101 Gary Barnes, Vice Chancellor and CFO June 26, 2017 Endowment Funds The lifeblood of any university is the generous financial support from its donor community. Endowment Funds, by design, are unique gifts given by donors that

354 views • 14 slides
Investor Presentation Q4 Fiscal 2018 Update November 1, 2018 National Fuel is committed to the

Investor Presentation Q4 Fiscal 2018 Update November 1, 2018 National Fuel is committed to the

Investor Presentation Q4 Fiscal 2018 Update November 1, 2018 National Fuel is committed to the safe and environmentally conscious development, transportation, storage, and distribution of natural gas and oil resources. For additional

1.03k views • 65 slides
Airports Profitability Assessments Introduction and Welcome February 2019 Introduction

Airports Profitability Assessments Introduction and Welcome February 2019 Introduction

Airports Profitability Assessments Introduction and Welcome February 2019 Introduction Commerce Commission Air New Zealand Auckland International Airport (AIAL) Board of Airline Representatives New Zealand (BARNZ)

547 views • 31 slides
3Q2019 Real Estate Performance City of Phoenix Employees Retirement System (COPERS) Data as

3Q2019 Real Estate Performance City of Phoenix Employees Retirement System (COPERS) Data as

3Q2019 Real Estate Performance City of Phoenix Employees Retirement System (COPERS) Data as of September 30, 2019 Presented by Mark Bartmann Portfolio Overview Investment COPERS Unfunded % Funded 1 Status 2 Investment Structure Period

369 views • 12 slides

More recommend