Compliance Audit Report - NERC


Compliance Audit Report
Compliance Operations and Planning (FERC Order 693)
CPS Energy
NERC ID # NCR04038
Public Version
Confidential Information (Including Privileged and Critical Energy Infrastructure Information) Has Been Removed

Lead Region: Texas Reliability Entity, Inc. (Texas RE)
Audit Dates: March 16, 2015 - March 19, 2015
Audit Location: Texas Reliability Entity, Inc. offices, Austin, TX
Report Date: May 15, 2015
Prepared By: Audit Team Leader
Jurisdiction: United States
Possible Violations Identified: None

805 Las Cimas Parkway, Suite 200
Austin, Texas 78746
Tel: 512.583.4900
TEM 10.0.6

TABLE OF CONTENTS

1.0 Executive Summary
2.0 Audit Process
2.1 Objectives
2.2 Scope
2.3 Confidentiality and Conflict of Interest
2.4 Methodology
2.5 Company Profile
2.6 Audit Specifics
2.7 Audit Participants
3.0 Audit Results
3.1 Audit Findings
3.2 Other Findings
4.0 Areas of Concern and Recommendations
5.0 Compliance Culture

Page 2 of 9
CPS Energy Compliance Audit Report 3/16/2015 - 3/19/2015
Date of Report: May 15, 2015

1.0 EXECUTIVE SUMMARY

Texas Reliability Entity, Inc. (Texas RE) conducted an audit with CPS Energy, NCR04038. The offsite compliance audit was conducted from March 16 - 19, 2015. At the time of the audit, CPS Energy was registered for the functions of Generator Owner (GO) and Generator Operator (GOP). The North American Electric Reliability Corporation (NERC) Reliability Standards that were selected through the appropriate Electric Reliability Organization (ERO) processes for 2015 were reviewed based on CPS Energy’s registration as a GO and GOP and the associated risks of a GO and GOP. Additional Reliability Standards or additional Requirements within the Reliability Standards were added to the audit scope based upon the judgment of Texas RE.

The charter (or objective) of the audit was to evaluate the set of tools and resources available to control room operators for monitoring system operations and status including examining the entity's communication performance for accuracy and timing in comparison to actual capability and status.

The audit team assessed CPS Energy’s compliance with NERC Standards and Requirements that best apply to two interconnection-wide risk elements: Monitoring and Situational Awareness, and Operational Communication. These two risk elements were selected by Texas RE from a larger list of known risk areas by associating risk elements’ cause and effect with functional registrations and NERC Standards. CPS Energy’s functional registration, configuration, inherent risk, and internal controls were analyzed to adjust the final scope to fit the specific characteristics of CPS Energy with respect to the two selected risk elements. The audit team determined that the audit charter was fulfilled, and no significant concerns were found with respect to CPS Energy. The various emergency plans, communication protocols, training, situational awareness tools, procedures, interviews and coordination protocols reviewed by the audit team indicated a managed and controlled approach with respect to the two risk elements. A complete results discussion is included in the Findings section below.

All references to the CIP audit as part of this engagement have been redacted from the public version of this report.

The audit team consisted of seven representatives from Texas RE. The audit team reviewed the evidence and documentation provided by CPS Energy and conducted interviews with CPS Energy’s personnel to assess compliance with selected Standards applicable to CPS Energy at this time.

There were a total of six NERC Reliability Standards included in the Compliance Operations and Planning scope of the audit consisting of 11 Requirements.

The audit team evaluated CPS Energy for compliance with 12 Requirements based on the 2015 ERO Compliance Monitoring and Enforcement Program (CMEP) Implementation Plan and the associated compliance processes. The team assessed compliance with the NERC Reliability Standards for the following periods summarized in Table 1.

Table 1: Summary of Audit Scope Periods
2-2.1b TOP-006-2 VAR-002-3
Start of Audit Period End of Audit 2014 3/19/2015

CPS Energy submitted evidence for the team’s evaluation of compliance with Requirements. The team reviewed and evaluated all evidence provided to assess compliance with Reliability Standards selected as applicable to CPS Energy for this audit.

Based on the evidence provided, no findings were noted for the Compliance Operations and Planning Standards and applicable Requirements within the scope of this audit.

The team notified CPS Energy of 2 recommendations.

There were no open or recently completed mitigation plans for the NERC registered functions included in the scope of this audit. Therefore, none were reviewed by the audit team.

The Texas RE audit team lead certifies the audit team adhered to all applicable requirements of the NERC Rules of Procedure (ROP).

2.0 AUDIT PROCESS

The compliance audit process is detailed in the NERC ROP and the 2015 ERO CMEP Implementation Plan, available at www.nerc.com. The NERC CMEP generally conforms to the United States Government Accountability Office (GAO) – Generally Accepted Government Auditing Standards (GAGAS).

2.1 Objectives

All registered entities are subject to audit for compliance with all Reliability Standards applicable to the functions for which the registered entity is registered. [1] The audit objectives are:

- Independently review CPS Energy’s compliance with the Requirements of the NERC Reliability Standards that were selected as applicable to CPS Energy based on CPS Energy’s registered functions included in the scope of this audit
- Validate compliance with applicable NERC Reliability Standards from the 2015 ERO CMEP Implementation Plan and associated compliance processes
- Evaluate how CPS Energy addressed the risk elements associated with this audit’s charter
- Validate evidence of self-reported violations and previous self-certifications, confirm compliance with other Requirements of the NERC Reliability Standards, and review the status of associated mitigation plans
- Observe and document CPS Energy’s compliance culture
- Review the status of open mitigation plans

2.2 Scope

The scope of this NERC compliance audit included the NERC Reliability Standards from the 2015 ERO CMEP Implementation Plan and associated compliance processes. The Standards and Requirements in scope for this audit are listed in Table 2 below:

Table 2: Compliance Operations and Planning Audit Scope
Standards    Requirements
EOP-005-2    R15

[1] NERC CMEP, paragraph 3.1, Compliance Audits.

AR-002-3
R2, R3, R5
R3, R6, R7
R3, R14
R1
R2

2.3 Confidentiality and Conflict of Interest

Confidentiality agreements and code of conduct documentation for the Regional Entity staff are governed by Texas RE’s Delegation Agreement with NERC and Section 1500 of the NERC ROP. CPS Energy was informed of Texas RE’s obligations and responsibilities under the agreement and procedures. The work history for each audit team member was provided to CPS Energy, who was given an opportunity to object to a team member’s participation on the basis of a possible conflict of interest or the existence of other circumstances that could interfere with an audit team member’s impartial performance of duties. CPS Energy had not submitted any objections by the stated objection due date and accepted the audit team member participants without objection. There were no denials or access limitations placed upon this audit team by CPS Energy.

2.4 Methodology

Once an audit date was set by Texas RE, CPS Energy was sent an audit notification package and the Reliability Standard Audit Work Sheets (RSAWs) for the NERC Standards determined to be in scope.

CPS Energy provided pre-audit evidence at the time requested, or as agreed upon, by Texas RE. Additional evidence could be submitted until the agreed-upon deadline prior to the exit briefing. After that date, only data or information that was relevant to the content of the report or its finding could be submitted with the agreement of the audit team lead.

The audit team reviewed the documentation provided by CPS Energy and requested additional evidence and sought clarification from subject matter experts (SMEs) during the audit. Evidence submitted in the form of policies, procedures, emails, logs, studies, data sheets, etc. were validated, substantiated, and cross-checked for accuracy as appropriate. Where sampling is applicable to a Requirement, the sample set was determined by a specific methodology, along with professional judgment.

Findings were based on the facts and documentation reviewed by the audit team, the team’s knowledge of the Bulk Electric System (BES), the NERC Reliability Standards, and professional judgment. All findings were developed based upon the consensus of the team.

The audit team verbally shared its preliminary results with CPS Energy’s management. The audit team conducted an exit briefing immediately following the audit with CPS Energy.

2.5 Company Profile

CPS Energy is the nation’s largest municipally-owned energy utility providing both natural gas and electric service. CPS Energy was acquired by the City of San Antonio in 1942 and serves more than 741,000 electric customers and 331,000 natural gas customers in and around the seventh-largest city in the nation. CPS Energy has a 1,514-square-mile service area and serves customers in Bexar County and portions of Atascosa, Bandera, Comal, Guadalupe, Kendall, Medina, and Wilson Counties.

CPS Energy’s daily generation mix is comprised by approximately 47 percent coal, 32 percent nuclear energy, 9 percent renewable energy including wind, solar and landfill-generated methane gas, with the remaining 12 percent comprised of natural gas and purchased power.

CPS Energy’s transmission system is within the Electric Reliability Council of Texas (ERCOT) Interconnection and is located in South Central Texas with connections to neighboring utilities including Austin Energy, American Electric Power, Brazos Electric, CenterPoint Energy, Lower Colorado River Authority, South Texas Electric Coop, Floresville Electric Light and Power System, and the South Texas Project. CPS Energy owns approximately 96 substations and over 1,500 miles of transmission lines and operates with two primary voltages, 138 kV and 345 kV. The transmission system is a looped design system, thus providing redundancy to substations. Control of the system is through a supervisory control and data acquisition (SCADA) system operated from a primary control center with a backup control center available in case of loss of the primary control center.

2.6 Audit Specifics

Audit Dates: March 16, 2015 - March 19, 2015
Audit Location: Texas RE offices, Austin, TX

2.7 Audit Participants

Table 3a: Texas RE Audit Team
Audit Team Role      Entity      Title
Audit Team Leader    Texas RE    Compliance Analyst 3
Audit Team Member    Texas RE    Compliance Coordinator
Audit Team Member    Texas RE    Compliance Analyst 1
Audit Team Member    Texas RE    CIP Security Auditor Senior
Audit Team Member    Texas RE    CIP Security Auditor 3
Audit Team Member    Texas RE    Risk Assessment & Mitigation Analyst 3
Audit Team Member    Texas RE    Compliance Team Lead

Table 3b: CPS Energy’s Audit Participants
Entity        Title
CPS Energy    Manager of Compliance
CPS Energy    Director of Compliance & Senior Counsel
CPS Energy    Vice President Energy Supply & Market Operations
CPS Energy    Senior Director, Chief Audit Ethics & Compliance Officer
CPS Energy    VP & Chief Information Officer
CPS Energy    Senior Director Security
CPS Energy    Enterprise IT Security
CPS Energy    Regulatory Compliance Analyst
CPS Energy    Regulatory Compliance Analyst
CPS Energy    Regulatory Compliance Analyst
CPS Energy    Regulatory Compliance Analyst
CPS Energy    Regulatory Compliance Analyst
CPS Energy    Manager of Compliance
CPS Energy    Regulatory Compliance Analyst
CPS Energy    Regulatory Compliance Analyst

Entity        Title
CPS Energy    Transmission Compliance Manager
CPS Energy    System Operations Compliance Manager
CPS Energy    Supervisor Remote SCADA Systems
CPS Energy    Manager Energy Market IT
CPS Energy    Manager Day Ahead Operations
CPS Energy    Manager Real Time Operations
CPS Energy    Energy Controller
CPS Energy    Energy Controller
CPS Energy    Engineering Associate
CPS Energy    Engineering Associate
CPS Energy    Manager Operations Analysis & Reporting
CPS Energy    Analyst Program/System
CPS Energy    Engineering Associate
CPS Energy    Engineering Associate
CPS Energy    Analyst Program/System
CPS Energy    SCADA Manager
Experis       IT Contractor

3.0 AUDIT RESULTS

3.1 Audit Findings [2]

Based on the results of this audit, no findings were noted for the Standards and applicable Requirements that were included in the scope of this engagement.

The following tables summarize the auditors’ findings for the NERC Reliability Standards reviewed during the audit:

Table 4: Compliance Operations and Planning Results
Reliability 001-1.1
R15 R2 R3
NF NF NF

[2] The following is a description of several types of possible audit findings. No finding (NF): The audit team did not discover areas of non-compliance based on the evidence presented by the registered entity and reviewed by the audit team. Possible violation (PV): The audit team discovered areas of possible non-compliance based on the evidence presented by the registered entity and reviewed by the audit team. Not applicable (NA): The Requirement did not apply to the registered entity based on the functions which the entity is registered. The Requirement applies to the registered entity based on the functions the entity is registered for, but the entity did not possess the system(s) which the Requirement is referencing. Examples could be the entity did not possess blackstart units, special protection systems (SPS), under-voltage load shedding (UVLS), etc. Open enforcement action (OEA): At the time of the audit, the registered entity had an open action item regarding the Requirement. Examples of OEAs include an open mitigation plan, self-report, settlement agreement, self-logging, etc. OEA is used when the Requirement had an OEA associated with it and the audit team did not identify new possible violations. In circumstances where an OEA existed for a Requirement, but a new possible violation was identified by the audit team, the possible violation will be included in the audit findings section.

Reliability 02-2.1b TOP-006-2 VAR-002-3
R3 R14 R1 R2
NF NF NF NF

3.2 Other Findings

There were no ongoing or recently completed mitigation plans for the NERC registered functions included in the scope of this audit that had not been previously validated by Texas RE’s staff. Therefore, none were reviewed by the audit team.

4.0 AREAS OF CONCERN AND RECOMMENDATIONS

Areas of Concern

The audit team did not identify any areas of concern during the audit.

Recommendations

The audit team identified and notified CPS Energy of 2 recommendations. One recommendation has been redacted for the public report. The specific details for one recommendation are described below:

Documentation
- Develop new procedures, or update existing procedures:
  - To fully illustrate and document actions required by Standards and Requirements
  - To reference and include instructions for associated tools, forms, or lists
  - To include a revision history

It was beneficial and encouraging to observe the development of tools and internal controls by CPS Energy to meet, and improve upon, reliability and compliance needs. Specifically, the notification, verification, and automation efforts of CPS Energy, as they relate to reliability and compliance efforts, should continue.

5.0 COMPLIANCE CULTURE

CPS Energy’s compliance culture survey was reviewed by the audit team. The team performed an assessment of CPS Energy’s compliance culture in conjunction with the audit processes. The assessment was accomplished through review of responses to the Internal Compliance Survey questionnaire and additional information gathered during interviews and observations. This included an assessment of factors that characterize vigorous and effective compliance programs including:

- Active engagement and leadership by senior management
- Preventive measures appropriate to the circumstances of the company that are effective in practice
- Prompt detection of problems, remediation of deficiencies, and reporting of a violation

CPS Energy was cooperative with the audit team’s needs and information requests throughout the entire audit process. The organizational structure of CPS Energy, the participation during the audit by CPS Energy’s personnel, the responses provided to the compliance culture survey, the internal self-audits, the demonstrated level of compliance and the direct observations made by the audit team confirmed a commitment by CPS Energy to promote a healthy compliance culture within its organization. The Compliance Manager’s efforts for this audit were extremely helpful and were well supported by the other managers and SMEs who prepared and participated during the audit process.

Internal Compliance Program Summary

CPS Energy’s internal compliance program (ICP) was described in the general information request response provided by CPS Energy for this audit. This survey documented what CPS Energy currently has in place for compliance oversight. Summary information pertaining to the compliance culture review of CPS Energy is as follows:

1. The ICP was sufficiently documented.
2. The ICP was widely disseminated in the company.
3. The ICP had a named and staffed reliability compliance manager position.
4. The ICP was supervised at a high level in the company.
5. The compliance management staff had independent access to the CEO or Board.
6. The compliance management staff had independence of operation and management.
7. The ICP appears sufficiently resourced.
8. The ICP was fully supported by senior management.
9. The ICP was being monitored and updated in a timely manner.
10. The ICP included appropriate and timely training for all relevant staff. [3]
11. The ICP included formal, internal self-auditing for compliance on a set periodic basis.
12. The ICP included disciplinary action for employees involved in violations of the ICP.
13. The ICP included self-assessment and self-enforcement of internal controls to prevent any reoccurrence of violations.

[3] The audit team did not request or examine evidence to verify that this training occurred.
