227 Oil Well Road, Jackson, TN 38305
Telephone: (731) 427-8571
Fax: (731) 424-5701
www.atacpa.net
Members of: American Institute of Certified Public Accountants; Governmental Audit Quality Center (AICPA); Tennessee Society of Certified Public Accountants; Center for Public Company Audit Firms; Employee Benefit Plan Audit Quality Center (AICPA)

SAS 70 Questionnaire

Control Objective #1: Correct billing rates are associated with contractual end-customer classifications in the computer system(s) used by the distributor, and only valid changes are made by authorized individuals.
1.1a Who is authorized to make billing rate changes?
1.1b How do you ensure that passwords are safeguarded?
1.1c Are passwords changed periodically? If so, how often?
1.2a Describe your rate change procedures.
1.2b What documentation exists to show that rate changes were properly authorized?

Control Objective #2: The end-use customer master file, including end-use customer classifications and applicable SIC codes, is accurate, and only valid changes are made to the file by authorized individuals.
2.1a Who sets up new customers in the system?
2.1b What documentation must this person have in their possession before a customer is set up?
2.2a Is a system-generated turn-on service report produced? Is this report reviewed for accuracy and appropriateness by an authorized employee? What documentation exists to verify that this review is performed?
2.3a Are commercial/industrial customers classified at the contract rate or at the minimum billing rate for energy usage until the computer system automatically reclassifies them based on actual kW and/or kWh usage?
2.4a Do appropriate staff routinely review system reports which are programmed to identify inconsistencies between credits granted and the SIC codes in the system? If so, who performs this review? What documents exist to verify this review?
2.5a Do appropriate utility staff routinely review system-generated large consumer reports for indications that customers with greater than 50 kW or greater than 36,000 kWh have appropriate contract demand and demand metering entered in the billing system? If so, who performs this review? What documentation is available to verify that this review is performed?
2.6a Are changes to customer rate classification and SIC code assigned to appropriate staff? If so, who?
2.6b What procedures are in place to retain appropriate documentation for such changes?
Offices: Alamo, TN; Dyersburg, TN; Fulton, KY; Henderson, TN; Jackson, TN; Martin, TN; Milan, TN; McKenzie, TN; Paris, TN; Trenton, TN; Union City, TN
2.7a Is a system-generated report, which indicates changes made to customer classification and SIC code, routinely reviewed by authorized staff? If so, who?
2.7b What procedures are in place for reviewing changes made to customer classifications and SIC codes?
2.7c Do staff log-ins and passwords restrict staff access to their authorized activities and prevent access into other areas of the computer system?

Control Objective #3: Meter readings for energy use (kWh) and peak demands (kW) accurately report the service provided.
3.1 Do appropriate, experienced staff review new service load requirements and assign meter devices that record kWh and/or kW and/or kVAR based on anticipated load? If so, who? What documentation is available to verify that this review is performed?
3.2a Does the utility have meter reading policies, including the frequency of meter readings, use of estimates, how to handle damaged meters, suspicions of theft, etc.? If so, please attach a copy of this policy.
3.2b How does management communicate these policies to its meter readers?
3.2c Is meter reading contracted to a third party? If so, please attach a copy of this contract.
3.3a Has management established policies/procedures to prevent and detect fraud, including investigating suspicions of fraud? If so, please attach a copy of the policy. If there is no such written policy, please provide a description.
3.3b How are recoveries of lost revenue recorded and reported to TVA?

Control Objective #4: All actual power usage for the period is captured, and meter readings for energy usage (kWh) and peak demands (kW) are transferred completely and accurately to the computer system used to compute the Schedule 1 power invoice.
4.1 Does the utility have any un-metered services? If so, please attach a listing of these un-metered services and provide an explanation as to why these services are un-metered.
4.2a Does the utility have any non-billed accounts?
If so, please attach an explanation as to why these accounts are classified as non-billed.
4.2b What procedures are in place to provide a listing of meters to be read to meter readers prior to the meters being read?
4.3a After meters are read, does the utility print a report that provides a listing of exception items (i.e., high/low ranges, number of missed readings, number of estimated readings, etc.)? If so, who reviews and signs off on this report?
4.3b How are the exceptions listed on this report validated and corrected?
4.3c Does the utility also print out a consumption report after each meter reading that shows the usage for all accounts and provides route/cycle totals? Who reviews and signs off on this report?

Control Objective #5: All adjustments to energy usage (kWh) and interval meter data (kW) are valid (e.g., based on a prior inaccurate meter reading or other valid support) and made by authorized personnel.
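The exception report and route/cycle consumption totals that 4.3a and 4.3c ask about, with the large-consumer check from 2.5a folded in, as an added example in Python. This is illustrative code written for this page, not code from the questionnaire, a distributor, or any billing vendor. The 50 kW and 36,000 kWh thresholds are the figures in 2.5a; the high/low band (a reading more than double or less than half the prior period), the Reading record layout and the sample cycle are constructed assumptions.

```python
"""Meter-reading exception report and route/cycle consumption totals.

Added example for this page; illustrative only, not a utility's billing code.
"""
from dataclasses import dataclass
from typing import Optional

# Thresholds stated in question 2.5a.
LARGE_CONSUMER_KW = 50
LARGE_CONSUMER_KWH = 36_000
# High/low band relative to the prior period: an assumption for this example.
# A utility would take these from its own meter reading policy (3.2a).
HIGH_RATIO = 2.0
LOW_RATIO = 0.5


@dataclass
class Reading:
    account: str
    route: str
    cycle: str
    prior_kwh: int
    kwh: Optional[int]          # None means the meter was not read this cycle
    estimated: bool = False     # reader entered an estimate, not an actual read
    peak_kw: float = 0.0        # recorded peak demand, if demand metered
    demand_metered: bool = False


def exception_report(readings):
    """Return (account, code, detail) rows for the reviewer to sign off (4.3a)."""
    rows = []
    for r in readings:
        if r.kwh is None:
            rows.append((r.account, "MISSED", "no reading captured"))
            continue
        if r.estimated:
            rows.append((r.account, "ESTIMATED", f"estimate {r.kwh} kWh"))
        if r.prior_kwh > 0 and r.kwh > HIGH_RATIO * r.prior_kwh:
            rows.append((r.account, "HIGH", f"{r.kwh} vs prior {r.prior_kwh}"))
        elif r.prior_kwh > 0 and r.kwh < LOW_RATIO * r.prior_kwh:
            # A sharp drop is also the usual sign of a damaged or bypassed
            # meter (3.2a, 3.3a), so it goes to the same reviewer.
            rows.append((r.account, "LOW", f"{r.kwh} vs prior {r.prior_kwh}"))
        large = r.peak_kw > LARGE_CONSUMER_KW or r.kwh > LARGE_CONSUMER_KWH
        if large and not r.demand_metered:
            rows.append((r.account, "LARGE_NO_DEMAND",
                         "exceeds 50 kW / 36,000 kWh without demand metering"))
    return rows


def consumption_totals(readings):
    """Route/cycle kWh totals for the consumption report (4.3c)."""
    totals = {}
    for r in readings:
        key = (r.route, r.cycle)
        totals[key] = totals.get(key, 0) + (r.kwh or 0)
    return totals


def summary(readings):
    """Counts the reviewer signs off on: accounts, missed, estimated, exceptions."""
    return {
        "accounts": len(readings),
        "missed": sum(1 for r in readings if r.kwh is None),
        "estimated": sum(1 for r in readings if r.estimated),
        "exceptions": len(exception_report(readings)),
    }


# Constructed sample cycle, one account per exception type plus two clean ones.
SAMPLE = [
    Reading("1001", "R1", "C1", prior_kwh=800, kwh=850),
    Reading("1002", "R1", "C1", prior_kwh=800, kwh=None),
    Reading("1003", "R1", "C1", prior_kwh=800, kwh=790, estimated=True),
    Reading("1004", "R1", "C2", prior_kwh=1000, kwh=3200),
    Reading("1005", "R1", "C2", prior_kwh=1000, kwh=120),
    Reading("1006", "R2", "C1", prior_kwh=40000, kwh=41000, peak_kw=120.0),
    Reading("1007", "R2", "C1", prior_kwh=40000, kwh=39500, peak_kw=110.0,
            demand_metered=True),
]

if __name__ == "__main__":
    for row in exception_report(SAMPLE):
        print("%-6s %-16s %s" % row)
    for (route, cycle), kwh in sorted(consumption_totals(SAMPLE).items()):
        print(f"route {route} cycle {cycle}: {kwh} kWh")
    print(summary(SAMPLE))
```

The point of producing the report from the raw readings rather than from the billed amounts is that a reading that was silently estimated or dropped never reaches the Schedule 1 totals unreviewed; the route/cycle totals give the sign-off reviewer a number to tie back to the billing run in 7.1a.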
5.1a Please provide a system-generated listing of billing adjustments for the months of ______ and ______. Also please provide the source documents (billing adjustment forms) for the same time period.
5.1b Please provide a summary of the utility's billing adjustment process and include a list of those who are authorized to approve billing adjustments.
5.2 Please provide a summary of the utility's policy for reviewing and authorizing billing adjustments.

Control Objective #6: Processes are in place to periodically verify the proper performance of commercial and industrial meters used for demand charge calculations.
6.1a Please provide a copy of the utility's meter testing policy for commercial and industrial meters used for demand charge calculations.
6.1b Please provide a copy of the latest test data for a meter and provide evidence that these reports are forwarded to management for review. Also include which member of management is responsible for reviewing these reports.
6.1c Does the utility maintain statistics on meter re-reads, and is route performance tracked and reviewed by management? If so, please provide supporting documentation.
6.2 Please provide a summary of the utility's procedures related to disposal or repair of failed meters.

Control Objective #7: Schedule 1 summaries are accurately calculated (using the correct power usage, product and credit charge codes, customer classifications, usage classifications, credit classifications, contract terms, valid rates and appropriate factors) and conveyed completely and accurately to TVA on a timely basis.
7.1a Please provide a summary of the utility's procedures for verifying that all routes/cycles have been billed before initiation of the reports used to compile the Schedule 1 power invoice.
7.1b Who is responsible for balancing the appropriate sales statistics reports against the appropriate end-use billing reports?
Please provide documentation that the reconciliation is performed and signed off by the appropriate member of management.
7.2a What procedures are in place to ensure that the Schedule 1 report is filed in a timely manner with TVA? Please provide a copy of these procedures.
7.2b Please provide documentation for the months of ______ and ______ that shows that the Schedule 1 power invoice is filed in a timely manner.

Control Objective #8: Logical access controls exist in distributor and/or third-party processor systems for proper system security and segregation of duties.
8.1a Does the utility have an information security policy? If so, please attach a copy.
8.1b If no such policy exists, provide a description of the authentication mechanisms used to validate user credentials for the customer information systems. Include a description of the controls used to safeguard an employee's computer from use by another employee.
8.1c Is there a means of tracking computer usage by specific employee?
8.2a Provide a summary of security practices that includes usage of user IDs and passwords.
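A periodic user-access review of the kind the Control Objective #8 questions on user IDs, terminations and access rights (8.1c, 8.3a through 8.4) are looking for, as an added example in Python. This is illustrative code written for this page, not a distributor's or billing vendor's code. Everything in it is constructed: the HR roster, the exported system user list, the review date, the 90-day dormancy cutoff, and the table of which roles each job description may hold.

```python
"""Periodic user-access review: accounts versus the HR roster.

Added example for this page; illustrative only.
"""
from datetime import date

# Assumption: roles each job description may hold (the 8.3c restriction).
ALLOWED_ROLES = {
    "billing_clerk": {"billing_adjust", "customer_setup"},
    "meter_reader": {"meter_read"},
    "it_admin": {"admin"},
}
STALE_DAYS = 90                      # assumption: no login in 90 days gets a question
REVIEW_DATE = date(2024, 4, 1)       # constructed review date

# Constructed HR roster keyed by user ID.
HR_ROSTER = {
    "jdoe":   {"job": "billing_clerk", "terminated": None},
    "asmith": {"job": "meter_reader",  "terminated": date(2024, 3, 1)},
    "bjones": {"job": "it_admin",      "terminated": None},
}

# Constructed export of user IDs from the customer information system.
SYSTEM_USERS = [
    {"user_id": "jdoe",    "enabled": True, "last_login": date(2024, 3, 28),
     "roles": {"billing_adjust", "rate_change"}},
    {"user_id": "asmith",  "enabled": True, "last_login": date(2024, 3, 10),
     "roles": {"meter_read"}},
    {"user_id": "vendor1", "enabled": True, "last_login": date(2023, 9, 1),
     "roles": {"admin"}},
    {"user_id": "bjones",  "enabled": True, "last_login": date(2024, 3, 30),
     "roles": {"admin"}},
]


def review_access(hr, users, as_of):
    """Return (user_id, finding, detail) rows for management sign-off (8.4)."""
    findings = []
    for u in users:
        uid = u["user_id"]
        person = hr.get(uid)
        if person is None:
            # An ID with no employee behind it: vendor, test or leftover account.
            findings.append((uid, "NO_HR_RECORD", "not on HR roster"))
        else:
            term = person["terminated"]
            if term is not None and u["enabled"]:
                # 8.3b: how soon after departure the ID should have been removed.
                findings.append((uid, "TERMINATED_STILL_ENABLED", (as_of - term).days))
            if term is not None and u["last_login"] is not None and u["last_login"] > term:
                # Someone used the credentials after the employee left.
                findings.append((uid, "LOGIN_AFTER_TERMINATION", u["last_login"].isoformat()))
            if term is None:
                # 8.3c: roles the job description does not allow, e.g. a billing
                # clerk who can also change rates (the 1.1a authorization list).
                extra = u["roles"] - ALLOWED_ROLES.get(person["job"], set())
                for role in sorted(extra):
                    findings.append((uid, "ROLE_OUTSIDE_JOB", role))
        if u["enabled"] and u["last_login"] is not None:
            idle = (as_of - u["last_login"]).days
            if idle > STALE_DAYS:
                findings.append((uid, "STALE", idle))
    return findings


if __name__ == "__main__":
    for uid, finding, detail in review_access(HR_ROSTER, SYSTEM_USERS, REVIEW_DATE):
        print(f"{uid:<8} {finding:<26} {detail}")
```

The review is only as good as its inputs: the roster must come from HR, not from the billing system's own user table, and the last-login dates need the per-employee usage tracking 8.1c asks about, otherwise a terminated employee's ID being used after departure is invisible.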
8.2b How often are passwords changed? Are passwords kept secret from other employees? Are passwords alphanumeric?
8.3a Provide a description pertaining to the creation and deletion of user IDs.
8.3b When an employee is terminated or leaves the utility permanently, how soon is that employee's password and user ID removed from the system?
8.3c Are employees limited to specific areas of the system based on their job description? If so, please provide documentation pertaining to how access is limited to different areas.
8.4 How often does management review access rights of employees?
8.5a Does the utility have a firewall installed on its network? If so, please provide details about the firewall.
8.5b Has management performed an independent assessment of controls within the last year?
8.5c Does the utility have an anti-virus system installed? If so, please provide a description of the anti-virus system. How often are the virus definitions updated?
8.6a Does the utility have a policy related to facility security (i.e., key and card access, etc.)? If so, please attach a copy. If no such policy exists, please provide a description pertaining to how the utility safeguards access to the facility.
8.6b Is access to different areas of the utility limited based on job description? If so, please provide a summary of how access is limited based on job descriptions.

Control Objective #9: Data that has been recorded, processed, and reported remains complete, accurate, and valid throughout the update and storage process.
9.1 If the utility uses a third-party billing service provider, provide a copy of the product documentation (Provider Document).
9.2 If the utility's computer operations are handled in-house, please provide a policy or describe the procedures for the processing, distribution, and retention of data and reported output. Please include details regarding how timely reports are distributed to the appropriate personnel.
9.3a Provide a description of how sensitive information is protected, both logically and physically, in storage and during transit against unauthorized access or modification.
9.3b If a third-party carrier is used, include a description of how the transported information is safeguarded against unauthorized access or modification.
9.3c If information is stored at off-site locations, how is it protected from unauthorized access or modification?
9.4 If computer operations are handled in-house, attach a policy pertaining to data retention periods and storage terms. If no policy exists, please provide a description.

Control Objective #10: Controls are in place for computer operations, program development and change, and records management.
10.1 If the utility uses a third-party billing service provider, please attach a copy of the product documentation (the Provider Document obtained in step 9.1) that adequately describes the program development and change processes for software applications. This document can be obtained from the software provider/vendor.
10.2a If computer operations are handled in-house, please attach a copy of the utility's IT policy (procedures for IT operations).
10.2b How often does management review IT operations to ensure compliance with the IT policy?
10.3c Provide a description of the job-scheduling process and the procedures in place to monitor job completeness.
10.3d Provide a sample (the auditor will determine the sample) of system event data (logs).

Control Objective #11: Related spreadsheets and reports are controlled and validated.
11.1 Provide a description of the procedures used to download data from the TVA website for proper validation and transfer into the billing system.
11.2a Please provide a list of external spreadsheets used to make calculations for the Schedule 1 power invoice.
11.2b How are these spreadsheets reviewed and tested to ensure accuracy? Include a description of the frequency and approaches followed to review these programs/spreadsheets for processing integrity.
11.2c Are these spreadsheets password protected, and is access restricted to authorized personnel only?
11.2d Please provide a copy of all spreadsheets related to the preparation of the Schedule 1 power invoice for the months of ______ and ______.

Control Objective #12: System backups are maintained and tested to ensure that recovery of systems can occur.
12.1 If the utility uses a third-party billing service, attach a copy of the Provider Document (this document was obtained for steps 9.1 and 10.1).
12.2 If computer operations are handled in-house, provide a description of the utility's system back-up policy.
12.3 How often is the back-up data tested for integrity? Has a restoration of the back-up data been performed during the past six months?
12.4 How does management safeguard back-up data?
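One way to give 12.3 a concrete answer for the integrity half of the question: record a SHA-256 digest of every file in the backup set when the backup is taken, keep that manifest apart from the media under a MAC, and compare at restore time. This is an added example in Python written for this page, not code from the questionnaire or from any backup product. The backup files, the manifest key and the three kinds of damage simulated before verification are all constructed.

```python
"""Backup integrity manifest: hash every file at backup time, verify at restore.

Added example for this page; illustrative only.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Assumption: a key held apart from the backup media (12.4). Without it, anyone
# who can alter the backup can rewrite a plain manifest to match.
MANIFEST_KEY = b"example-only-key-keep-off-the-backup-media"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Map of relative path -> SHA-256 for every file under backup_dir."""
    return {p.relative_to(backup_dir).as_posix(): sha256_file(p)
            for p in sorted(backup_dir.rglob("*")) if p.is_file()}


def save_manifest(files: dict, path: Path) -> None:
    body = json.dumps(files, sort_keys=True).encode()
    mac = hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()
    path.write_text(json.dumps({"files": files, "mac": mac}))


def load_manifest(path: Path) -> dict:
    doc = json.loads(path.read_text())
    body = json.dumps(doc["files"], sort_keys=True).encode()
    expected = hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["mac"]):
        raise ValueError("manifest MAC mismatch: manifest altered or wrong key")
    return doc["files"]


def verify_backup(backup_dir: Path, files: dict) -> dict:
    """Compare what is on the media now with what was recorded at backup time."""
    current = build_manifest(backup_dir)
    missing = sorted(f for f in files if f not in current)
    modified = sorted(f for f in files if f in current and current[f] != files[f])
    unexpected = sorted(f for f in current if f not in files)
    ok = not (missing or modified or unexpected)
    return {"ok": ok, "missing": missing, "modified": modified, "unexpected": unexpected}


def demo() -> dict:
    """Constructed backup set, then three kinds of damage before verification."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "billing").mkdir(parents=True)
        (backup / "billing" / "customers.csv").write_text("acct,rate\n1001,GSA1\n")
        (backup / "billing" / "rates.csv").write_text("rate,cents\nGSA1,9.5\n")
        (backup / "schedule1.txt").write_text("Schedule 1 summary\n")
        manifest = Path(tmp) / "manifest.json"       # kept outside the backup set
        save_manifest(build_manifest(backup), manifest)

        # Damage: one file altered, one lost, one that was never backed up.
        (backup / "billing" / "customers.csv").write_text("acct,rate\n1001,GSA2\n")
        (backup / "schedule1.txt").unlink()
        (backup / "extra.bin").write_bytes(b"\x00")
        return verify_backup(backup, load_manifest(manifest))


def manifest_tamper_detected() -> bool:
    """Edit a recorded hash in the manifest and confirm load_manifest rejects it."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "a.txt").write_text("x")
        manifest = Path(tmp) / "m.json"
        save_manifest(build_manifest(Path(tmp)), manifest)
        doc = json.loads(manifest.read_text())
        doc["files"]["a.txt"] = "0" * 64
        manifest.write_text(json.dumps(doc))
        try:
            load_manifest(manifest)
        except ValueError:
            return True
        return False


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    print("tampered manifest rejected:", manifest_tamper_detected())
```

A clean manifest check shows the media still holds what was written; it says nothing about whether the billing application can actually be brought up from it, which is what the six-month restoration question in 12.3 is after. Both checks are needed, and the manifest and its key belong with the off-site copy, not on the backup media they describe.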