SAS 70 Questionnaire

Transcription

1 227 Oil Well Road Telephone: (731) Jackson, TN Fax: (731) Members of: American Institute of Certified Public Accountants Governmental Audit Quality Center AICPA Tennessee Society of Certified Public Accountants Center for Public Company Audit Firms Employee Benefit Plan Audit Quality Center AICPA SAS 70 Questionnaire Control Objective # 1: Correct billing rates are associated with contractual end-customer classifications in the computer system (s) used by the distributor, and only valid changes are made by authorized individuals. 1.1a Who is authorized to make billing rate changes? 1.1b How do you ensure that passwords are safeguarded? 1.1c Are passwords changed periodically? If so, how often? 1.2a Describe your rate change procedures? 1.2b What documentation exists to show that rate changes were properly authorized? Control Objective # 2: The end-use customer master file, including end-use customer classifications and applicable SIC codes, is accurate, and only valid changes are made to the file by authorized individuals. 2.1a Who sets up new customers in the system? 2.1b What documentation must this person have (in their possession) before a customer is setup? 2.2a Is a system-generated turn-on service report produced? Is this report reviewed for accuracy and appropriateness by an authorized employee? What documentation exists to verify that this review is performed? 2.3a Are commercial/industrial customers classified at the contract rate or at the minimum billing rate for energy usage until the computer system automatically reclassifies them based on actual kw and/or kwh usage? 2.4a Do appropriate staff routinely review system reports which are programmed to identify inconsistencies between credits granted and the SIC codes in system? If so, who performs this review? What documents exist to verify this review? 2.5a Do appropriate utility staffs routinely review system-generated large consumer reports for indications that customers with greater than 50 kw or greater than 36,000 kwh have appropriate contract demand and demand metering entered in billing system? If so, who performs this review? What documentation is available to verify that this review is performed? 2.6a Are changes to customer rate classification and SIC code assigned to appropriate staff? If so, who? 2.6b What procedures are in place to retain appropriate documentation for such changes? Alamo, TN Dyersburg, TN Fulton, KY Henderson, TN Jackson, TN Martin, TN Milan, TN McKenzie, TN Paris, TN Trenton, TN Union City, TN

2 2.7a Is a system generated report, which indicates change made to customer classification and SIC code routinely reviewed by authorized staff? If so, who? 2.7b What procedures are in place for reviewing changes made to customer classifications and SIC codes? 2.7c Do staff log-ins and passwords restrict staff access to their authorized activities and prevent access into other areas of the computer system? Control Objective # 3: Meter readings for energy use (kwh) and peak demands (kw) accurately report the service provided. 3.1 Do appropriate, experienced staff review new service load requirements and assign meter devises that record kwh and/or kw and/or KVAR based on anticipated load? If so, who? What documentation is available to verify that this review is performed? 3.2a Does the utility have meter reading policies, including the frequency of meter readings, use of estimates, how to handle damaged meters, and suspicions of theft, etc? If so, please attach a copy of this policy. 3.2b How does management communicate these policies to its meter readers? 3.2c Is meter reading contracted to a third party? If so, please attach a copy of this contract. 3.3a Has management established polices/procedures to prevent and detect fraud, including investigating suspicions of fraud? If so please attach a copy of policy. If there is no such written policy please provide a description. 3.3b How are recoveries of lost revenue recorded and reported to TVA? Control Objective # 4: All actual power usage for the period is captured and meter readings for energy usage (kwh) and peak demands (kw) are transferred completely and accurately to the computer system used to compute the Schedule 1 power invoice. 4.1 Does the utility have any un-metered services? If so, please attach a listing of these unmetered services and provide an explanation as to why these services are un-metered. 4.2a Does the utility have any non-billed accounts? If so, please attach an explanation as to why these accounts are classified as non-bill. 4.2b What procedures are in place to provide a listing of meters to be read to meter readers prior to the meters being read? 4.3a After meters are read, does the utility print a report that provides a listing of exception items (i.e. high/low ranges, number of missed readings, number of estimated readings, etc)? If so, who reviews and signs off on this report? 4.3b How are the exceptions listed on this report validated and corrected? 4.3c Does the utility also print out a consumption report after each meter reading that shows the usage for all accounts and provides route/cycle totals? Who reviews and signs off on this report? Control Objective # 5: All adjustments to energy usage (kwh) and interval meter data (kw) are valid (e.g. based on prior inaccurate meter reading or other valid support) and made by authorized personnel.

3 5.1a Please provide a system-generated listing of billing adjustments for the months of and. Also please provide the source documents (billing adjustment forms) for the same time period. 5.1b Please provide a summary of the utility s billing adjustment process and include a list of those who are authorized to approve billing adjustments. 5.2 Please provide a summary of the utility s policy for reviewing and authorizing billing adjustments. Control Objective # 6: Processes are in place to periodically verify the proper performance of commercial and industrial meters used form demand charge calculations. 6.1a Please provide a copy of the utility s meter testing policy for commercial and industrial meters used for demand charge calculations. 6.1b Please provide a copy of the latest test data for a meter and provide evidence that these reports are forwarded to management for review. Also include what member of management is responsible for reviewing these reports. 6.1c Does the utility maintain statistics on meter re-reads and is route performance tracked and reviewed by management. If so, please provide supporting documentation. 6.2 Please provide a summary of the utility s procedures related to disposal or repair of failed meters. Control Objective # 7: Schedule 1 summaries are accurately calculated (using the correct power usage, product and credit charge codes, customer classifications, usage classifications, credit classifications, contract terms, valid rates and appropriate factors) and conveyed completely and accurately to TVA on a timely basis. 7.1a Please provide a summary of the utility s procedures for verifying that all route/cycles have been billed before initiation of reports used to compile the Schedule 1 power invoice. 7.1b Who is responsible for balancing the appropriate sales statistics reports against the appropriate end-use billing reports. Please provide documentation that the reconciliation is performed and signed off by the appropriate member of management. 7.2a What procedures are in place to ensure that the Schedule 1 report is filed in a timely manner with TVA? Please provide a copy of these procedures. 7.2b Please provide documentation for the months of and that show that the Schedule 1 power invoice is filed in a timely manner. Control Objective # 8: Logical access controls exist in distributor and/or third party processor systems for proper system security and segregation of duties. 8.1a Does the utility have an information security policy? If so, please attach a copy. 8.1b If no such policy exists, provide a description of the authentication mechanisms used to validate user credentials for the customer information systems. Include a description of controls used to safeguard an employee s computer from use by another employee. 8.1c Is there a means of tracking computer usage by specific employee? 8.2a Provide a summary of security practices that includes usage of user IDs and passwords.

4 8.2b How often are passwords changed? Are passwords kept secret from other employees? Are passwords alphanumeric? 8.3a Provide a description pertaining to the creation and deletion of user IDs. 8.3b When an employee is terminated or leaves the utility permanently, how soon is that employee s password and user id removed from the system? 8.3c Are employees limited to specific areas of the system based on their job description? If so, please provide documentation pertaining to how access is limited to different areas. 8.4 How often does management review access rights of employees? 8.5a Does the utility have a firewall installed on its network? If so, please provide details about the firewall. 8.5b Has management performed an independent assessment of controls within the last year? 8.5c Does the utility have an anti-virus system installed. If so, please provide a description of the antivirus system. How often is the virus definitions updated? 8.6a Does the utility have a policy related to facility security (i.e. key and card access, etc.) If so please attach a copy. If no such policy exists, please provide a description pertaining to how the utility safeguards access to the facility. 8.6b Is access to different areas of the utility limited based on job description? If so, please provide a summary of how access is limited based on job descriptions. Control Objective # 9: Data that has been recorded, processed, and reported remains complete, accurate, and valid throughout the update and storage process. 9.1 If the utility uses a third-party billing service provider, provide a copy of the product documentation (Provider Document). 9.2 If the utility s computer operations are handled in-house, please provide a policy or describe the procedures for the processing, distribution, and retention of data and reported output. Please include details regarding how timely reports are distributed to the appropriate personnel. 9.3a Provide a description of how sensitive information is protected both logically and physically in storage and during transit against unauthorized access or modification. 9.3b If a third party carrier is used, include a description of how information transported is safeguarded against unauthorized access or modification. 9.3c If information is stored at off-site locations, how is protected from unauthorized access of modification? 9.4 If computer operations are handled in-house, attached a policy pertaining to data retention periods and storage terms. If no policy exists, please provide a description. Control Objective # 10: Controls are in place for computer operations, program development and change, and records management If the utility uses a third-party billing service provider, please attach a copy of the product documentation (Provider Document obtained in step 9.1) that adequately describes the program development and change processes to software applications. This document can be obtained from the software provider/vendor. 10.2a If computer operations are handled in-house, please attach a copy of the utility s IT policy (procedures for IT operations).

5 10.2b How often does management review IT operations to ensure compliance with the IT policy? 10.3c Provide a description of the job-scheduling process and the procedures in place to monitor job completeness. 10.3d Provide a sample (auditor will determine sample) of system event data (logs). Control Objective # 11: Related spreadsheets and reports are controlled and validated Provide a description of the procedures used to download data from the TVA website for proper validation and transfer into the billing system. 11.2a Please provide a list of external spreadsheets used to make calculations for the Schedule 1 power invoice. 11.2b How are these spreadsheets reviewed and tested to ensure accuracy? Include a description of the frequency and approaches followed to review these programs/spreadsheets for processing integrity 11.2c Are these spreadsheets password protected and is access restricted to authorized personnel only? 11.2d Please a copy of all spreadsheets related to the preparation of Schedule 1 power invoice for the months of and. Control Objective # 12: System backups are maintained and tested to ensure that recovery of systems can occur If the utility uses a third-party billing service, attach a copy Provider Document (this document was obtained for steps 9.1 and 10.1) 12.2 If computer operations are handled in-house, provide a description of the utility s system back-up policy How often is the back-up data tested for integrity? Has a restoration of the back-up data been performed during the past six months? 12.4 How does management safeguard back-up data?