PricewaterhouseCoopers

SAS 70
Third Party Report on Controls
Overview and Timetable
Finance / Audit Committee Meeting
Austin, Texas
January 14, 2003 / February 18, 2003
PwC
Agenda
• Overview of Project Scope and Results
• Scope of Project
• Summary of Report
• Commentary on Results of Testing
• Looking Forward
Overview of Project Scope and Results
Project is complete
Final draft report issued last week
Final report to be issued this week (perhaps today)
Opinion is unqualified
Scope of report is consistent with plan – described to the Committee in July (in depth)
Scope of Project
Scope of Project – Reporting Structure
What is a SAS 70 report?
It is a report on internal controls based on a standard reporting structure.
It is commonly referred to as a SAS 70 Report – named after the auditing standard that defines the reporting framework of an internal control examination for service organizations that must be relied upon by their users/members/participants.
The Auditing Standard
The American Institute of Certified Public Accountants’ (AICPA) Statement on Auditing Standards (SAS) No. 70: Reports on the Processing of Transactions by Service Organizations
Processes Included in SAS 70
Business Process Controls
Process areas: Registration; Market Operations; Power Operations; Load Prof., Data Acq. and Agg.; Settlement, Billing & Finance
• Market Participant Registration
• Scheduling and Bidding
• Meter Data Acquisition
• Ancillary Services
• Verbal Dispatch Instructions
• Meter Data Aggregation
• Balancing Energy
• Losses and UFE
• Replacement Reserve
• Transmission Control Rights
• Revenue Neutrality
• Black Start
• Other Fees
• Statements, Invoicing and Clearing
Processes Included in SAS 70
General Controls
Communications and IT Infrastructure
• Organization and Administration
• Logical Security
• Physical Security
• Configuration Management
• Computer Operations
Summary of Scope
Included in the SAS 70 scope:
• All business processes and general controls that impact or affect financial wholesale market settlement;
• Processes that are otherwise “invisible” to the members and for which they must rely on ERCOT for controls.
Not included in SAS 70 scope:
• Operator and control room decisions
• Congestion pricing calculations
• Dispute resolution process
• Retail operations and customer switching
Summary of Scope
ERCOT - Overview
[Diagram with the SAS 70 scope marked. System and function labels: Legal; QSE; Operations; Power Operating System (POS); Market Operating System (MOS); Market Database; Client Services; Load Profiling & Data Aggregation; Meter Data Aggregation; Load Profiling; Settlement & Billing; Settlements (Lodestar); Market Participant; Metered Entity; MV 90; ERCOT Polled Meters; TDSP Meters; REGN. Data labels: Telemetry Data; Registration Information; Control Data; Market Data; Settlement Data; MOS to BE File; Registration Data; Meter Data; Settlement Statements & Invoices; Payments. Key: Input; File; System; Output; SAS 70 Scope.]
Summary of Report
Section One – PwC opinion
Section Two – Description of processes and related control objectives and activities
Section Three – User control considerations
Section Four – Additional information
Section Five – Glossary
SAS 70 Opinion
PwC’s Unqualified Opinion states that:
The description presents fairly, in all material respects, ERCOT’s controls for the identified processes.
And
The controls have been suitably designed to provide reasonable assurance that the specified control objectives would be achieved if those controls were complied with as at a specific date.
Section Two – the Core of the Report
Overview information – including ERCOT’s governance, oversight functions, and general control environment
Business processes – generally comprising Settlements-related functions (example: meter data aggregation) – 14 business processes in total
Information system processes – representing IS infrastructure activities (example: configuration and change management) – 6 functional areas in total
Section Two – the Core of the Report
Each of the 20 process descriptions is organized as follows:
- Narrative description
- Control objectives
- Control activities
In summary, PwC’s report addresses the adequacy of the reported control activities to support the stated control objectives that are presented in this section.
Commentary on Results of Testing
Results of SAS 70
Execution in accordance with plan:
• Consistent with plan presented to the Committee in July 2002
• October 31, 2002 “as of date”
• Unqualified opinion
• Scope as planned – with some relatively minor additions for late developments (example – RMR)
Management took full responsibility:
• Responsible for control environment
• Responsible for report content
Review of SAS 70 Timeline
The project began almost 10 months ago
• Mar 02: SAS 70 Initial Development of Control Objectives
• Apr 02: SAS 70 Readiness Exercise
  - Business Processes – in good shape, most ready for SAS 70 testing
  - General Controls – some control processes needed further documentation and refinement.
• Jun - Aug 02: SAS 70 Preparations
  - Ongoing management efforts to complete readiness for SAS 70
  - PwC involved in real-time review of improvements as they are implemented
• Sep - Oct 02: SAS 70 Testing
• Oct 31, 2002: SAS 70 Type 1 Report “as of” Date
• Jan 03: Report Issuance
Results of SAS 70
PwC Observations:
• ERCOT management and staff were responsive to PwC’s findings and recommendations identified during the audit process;
• Certain of ERCOT’s Settlement Processes are “best practice”;
• We will issue a letter to management with recommendations for further strengthening and improvement of controls;
• The level of complexity of ERCOT’s markets and transaction systems will continue to increase.
Looking Forward
SAS 70 Reporting Alternatives
The SAS 70 standard provides for two types of reports on internal control structures of service organizations:
Type I: On design of controls in place at a point in time. (This is the report ERCOT is issuing.)
Type II: On design and effectiveness of controls in place for a period of time with details of tests performed. (Typically performed after a period of business and systems stability.)
Looking Forward
ERCOT should plan to evolve to a Type 2 environment (perhaps in 2004); factors to consider:
• Stability of processes
• Resource requirements - time and costs
• Resulting process improvement
• Value of report
• What ERCOT’s peers are doing
PwC to present broad-based 2003 Assurance Plan at next Committee meeting
Questions?