
Page 1: Central Service Association’s Orbit Customer Management ...news.csa1.com/SAS70/Type II Report - Orbit CMB NH.pdf · Orbit Customer Management and Billing (Orbit CMB) System, Work

Independent Auditor’s Report on Controls Placed in Operation and Tests of Operating Effectiveness of Central Service Association’s Orbit Customer Management and Billing (Orbit CMB), Work Management System (WMS), and Dynamic Financial Management System (DFMS) Controls

For the Period of June 1, 2010 to May 31, 2011

IMPORTANT NOTE:

This report is intended solely for the information and use of CSA's active Orbit CMB, Work Management System (WMS) and Dynamic Financial Management System (DFMS) Members and the independent auditors of those Members, and the management and Board of Directors of CSA, and is not intended nor permitted to be used by nor distributed to anyone other than these specified parties.


Central Service Association
Orbit Customer Management and Billing (Orbit CMB), Work Management System (WMS), and Dynamic Financial Management System (DFMS) Controls
Report on Controls Placed in Operation and Tests of Operating Effectiveness
For the Period June 1, 2010 to May 31, 2011

Table of Contents

I. Report of Independent Auditor ............ 1

II. Description of Controls Provided by Central Service Association
    Scope of the Report ............ 3
    Company Overview ............ 3
    Board of Directors ............ 3
    Control Environment ............ 3
    Organizational Structure ............ 4
    System Development ............ 5
    Data Processing ............ 5
    Data Center ............ 5
    Orbit CMB Server Environment ............ 5
    Physical Security ............ 6
    Logical Security and Communications ............ 6
    Backup Procedures ............ 6
    Information Security Policy ............ 6
    Personnel Policies ............ 7

III. Information Provided by Independent Auditor
    Objectives and Scope of the Review ............ 8
    Control Environment Elements ............ 8
    Tests of Operating Effectiveness Performed ............ 9
    Control Objectives, Related Controls, and Tests of Operating Effectiveness ............ 10


- 1 -

227 Oil Well Road, Jackson, TN 38305
Telephone: (731) 427-8571
Fax: (731) 424-5701
www.atacpa.net

Members of:
American Institute of Certified Public Accountants
AICPA Center for Public Company Audit Firms
AICPA Governmental Audit Quality Center
AICPA Employee Benefit Plan Audit Quality Center
Tennessee Society of Certified Public Accountants
Kentucky Society of Certified Public Accountants

Report of Independent Auditor

Board of Directors
Central Service Association

We have examined the accompanying description of controls related to the Orbit Customer Management and Billing (Orbit CMB), Work Management System (WMS), and Dynamic Financial Management System (DFMS) applications of Central Service Association (CSA). Our examination included procedures to obtain reasonable assurance about whether (1) the accompanying description presents fairly, in all material respects, the aspects of CSA’s controls that may be relevant to the specified control objectives, (2) the controls included in the description were suitably designed to achieve the control objectives specified, if those controls were complied with satisfactorily, and (3) such controls had been placed in operation as of May 31, 2011. The accompanying description includes only those control objectives and related controls of CSA and does not include control objectives and related controls of a user organization. Our examination did not extend to controls of any user organization. The control objectives were specified by Central Service Association.

Our examination was performed in accordance with standards established by the American Institute of Certified Public Accountants and included those procedures we considered necessary in the circumstances to obtain a reasonable basis for rendering our opinion.

In our opinion, the accompanying description of the aforementioned system presents fairly, in all material respects, the relevant aspects of CSA’s controls that had been placed in operation as of May 31, 2011. Also, in our opinion, the controls, as described, are suitably designed to provide reasonable assurance that the specified control objectives would be achieved if the described controls were complied with satisfactorily and user organizations applied the controls contemplated in the design of CSA’s controls.

In addition to the procedures we considered necessary to render our opinion as expressed in the previous paragraph, we applied tests to specific controls, listed in our description of the tests of operating effectiveness, to obtain evidence about their effectiveness in meeting the related control objectives described in our description of those tests, during the period from June 1, 2010 to May 31, 2011. The specific controls and the nature, timing, extent, and results of the tests are listed in our description of the tests of operating effectiveness. This information has been provided to user organizations of CSA and to their auditors to be taken into consideration, along with information about the internal control at user organizations, when making assessments of control risk for user organizations.

Dyersburg, TN; Milan, TN; Henderson, TN; McKenzie, TN; Jackson, TN; Paris, TN; Martin, TN; Trenton, TN; Murray, KY; Union City, TN


- 2 -

In our opinion, the controls that were tested, as described in our description of the tests of operating effectiveness, were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives specified in our description of those tests were achieved during the period from June 1, 2010 to May 31, 2011. However, the scope of our engagement did not include tests to determine whether control objectives not listed in our description of the tests of operating effectiveness were achieved; accordingly, we express no opinion on the achievement of control objectives not included in our description of the tests of operating effectiveness.

The relative effectiveness and significance of specific controls at CSA and their effect on assessments of control risk at user organizations are dependent upon their interaction with controls and other factors present at individual user organizations. We have performed no procedures to evaluate the effectiveness of the controls at individual user organizations.

The description of the controls at CSA is as of May 31, 2011, and information about tests of the operating effectiveness of specific controls covers the period from June 1, 2010 to May 31, 2011. Any projection of such information to the future is subject to the risk that, because of change, the description may no longer portray the controls in existence. The potential effectiveness of specific controls at CSA is subject to inherent limitations, and, accordingly, errors or irregularities may occur and not be detected. Furthermore, the projection of any conclusions, based on our findings, to future periods is subject to risk that changes made to the system or controls or the failure to make needed changes to the system or controls, may alter the validity of such conclusions.

This report is intended solely for the information and use of the management and Board of Directors of CSA, its customers and the independent auditors of its customers, and is not intended to be, and should not be, used by anyone other than these specified parties.

Alexander Thompson Arnold PLLC
Certified Public Accountants
August 10, 2011


Central Service Association
Orbit Customer Management and Billing (Orbit CMB) System, Work Management System (WMS), and Dynamic Financial Management System (DFMS) Controls
For the Period June 1, 2010 to May 31, 2011

- 3 -

II. Description of Controls Provided by Central Service Association

Scope of the Report

This report has been prepared to provide information on specific system controls of CSA’s Orbit Customer Management and Billing (Orbit CMB) System, Work Management System (WMS), and Dynamic Financial Management System (DFMS). Information not covered in this report can be provided upon request. This examination was conducted in accordance with the guidance contained in the American Institute of Certified Public Accountants (“AICPA”) Statement on Auditing Standards No. 70, Service Organizations.

Special Note: In addition to providing its Members with the Customer Management and Billing (CMB) System, WMS and DFMS, CSA also provides hosting and backup services to Members that request this additional service. This SAS 70 report does not address the hosting and backup services. Members that subscribe to the hosting and backup service should refer to the separate report on controls for CSA’s Orbit Customer Management and Billing – CSA Hosted, WMS, and DFMS.

Company Overview

CSA’s primary mission is to provide computerized public utility information systems and related products and services. These products and services include utility billing, financial management, mapping, meter reading systems, statement mailing coordination, technical support, and consulting. The Association is 100% owned by the utility systems that use its services and is operated without profit and solely for the benefit of its member/owners. CSA serves over one hundred utilities in eight southeastern states. Its corporate offices are located in Tupelo, Mississippi.

Board of Directors

The governing body for the Association is comprised of fifteen elected directors. The prerequisite for the Board members is that they must be a general manager of a utility service cooperative or municipality (fourteen Board members are elected from TVA electric service utilities and one is elected from all non-TVA utilities). Board members serve three-year staggered terms and are elected by the full membership of the Association.

Control Environment

CSA’s control environment reflects the overall attitude, awareness, and actions of management, the Board of Directors, and others concerning the importance of controls and the emphasis given to controls in the company’s policies, procedures, methods, and organizational structure.


- 4 -

Organizational Structure

CSA is governed by a Board of Directors that has the responsibility for establishing broad corporate policies and for the overall performance of the Association. Day-to-day operation is performed by employees who work in one of seven different departments:

General Office
- Provides most upper management functions for the company
- Manages the Association’s accounting functions (financial planning, accounts payable, accounts receivable, payroll, etc.)

Human Resources and Billing Services
- Deals with employee related issues (interviewing, hiring, terminations, etc.)
- Coordinates employee benefits (insurance, 401K, etc.)
- Provides billing verification function to members in customer billing related matters

Business Development
- Actively involved with marketing CSA products and services

Customer Service
- Assists utility personnel on a daily basis with questions and problems relating to information systems
- Develops contracts and other agreements with CSA’s members

Systems Operations
- Provides advanced technical support and training in hardware, software, and networks for CSA and its members
- Schedules and runs all batch processing on the mainframe computer
- Manages the offsite backup process
- Manages IT related business functions such as contracts and billing with third parties
- Manages the CSA hosted server environment

Application Services
- Develops and maintains billing and financial related application software

Engineering
- Provides IT solutions for engineering mapping and operational applications

Each department’s different mission provides for significant separation of duties. Logical access to information systems is based on this structure. For example, software development and testing is done in one department. Another department is responsible for putting this software into production. Processes and controls exist to support this.


- 5 -

System Development

All system development at CSA is monitored and controlled by the CSA Change Control Standards and Procedures document. This procedure ensures that all new development and modifications are done in a test environment and then go through a formal approval process before being placed into production.

Data Processing

CSA offers a variety of information systems which are either server based or processed on CSA’s mainframe computer. Operators maintain a log of processing performed, and any major problems are reported immediately to the technical staff and management. Minor problems not affecting billing are noted and reviewed by the appropriate staff the next morning. This processing includes the transmittal of the TVA Schedule 1 reports.

Data Center

CSA’s data center is located inside its corporate office building in Tupelo, Mississippi. The data center occupies approximately 4,000 square feet of the 30,000 square foot building. The data center is constructed with steel reinforced concrete walls and ceiling. The building is higher than surrounding property and is not located near any body of water, which reduces flood risk. Smoke detectors are installed under the raised flooring. The control panels for the building security system and the fire detection system are located in the data center. Fire extinguishers are located throughout the room and are clearly marked. In the event of a power failure, an uninterruptible power supply (UPS) provides power to the data center, phone system, building security system, power strips in all cubicles, and some overhead lights. If external power fails and is not restored within one minute, a diesel generator is automatically started. It supplies power to all areas previously indicated. The generator is tested weekly.

Orbit CMB Server Environment

Orbit CMB servers are Intel based machines running on Microsoft’s operating system. All application system software and the member's customer data are loaded and processed on these servers. These servers reside in the utility’s office. CSA maintains a connection to each remote server in order to support the application and system software for its customers. Controls surrounding the operation and environment of the remote Orbit CMB servers are the responsibility of the member.


- 6 -

Physical Security

The data center has four doors, each of which can be opened via a 4-character code entered on a keypad. Each CSA department is given its own access code. When an employee of a department leaves CSA or transfers to another department, the department is given a new code. Anyone entering the data center other than Systems Operations staff must sign a logbook before entering. Anyone bringing a tour through the data center must sign in on behalf of the group. Unless special arrangements are made, tours are led only by members of the Systems Operations staff.

CSA’s office building is protected by an alarm system and is monitored by several CCTV cameras. These cameras cover the building’s exterior, all entrances, and the data center. The monitors are located in the data center and are monitored by the data center staff. The output from all cameras is recorded on a DVR and kept for approximately three weeks. The Systems Operations Department controls the setting of the building’s door alarm code that must be entered on the weekends to disable the alarm system. The building is staffed 24 hours a day, except for the period from 7:00 AM Saturday through 6:00 AM Monday. Door cards and keys are issued by the General Office.

Logical Security and Communications

Local Area Network (LAN) Access: Every employee is provided a user ID for signing on to CSA’s LAN. Access to various file servers is provided based on job responsibilities. VPN connection via the Internet to the LAN is provided to employees when appropriate.

Access to Other Applications: Employees are given access to various applications depending on their job responsibilities. This access may be modified or terminated depending on changes in those responsibilities.

Firewalls: Firewalls are used to protect the internal network from unauthorized access via the Internet.

Backup Procedures

Backups are performed on a daily, weekly, and monthly basis for all hardware platforms. Tapes created during the backup process are sent off-site daily. The off-site facility is a secure climate controlled storage locker located several miles from CSA’s office building. Only CSA employees have access to this locker.

Information Security Policy

CSA has adopted an Information Security Policy that serves as a foundation for classifying and protecting information of all types. All employees are required to read, understand, and follow this policy. An Information Security Team consisting of a representative from each department meets when required to identify, discuss, and resolve information security issues.


- 7 -

Personnel Policies

The Human Resources department performs background reference checks and vocational evaluations on prospective hires. Contingent employment offers are made to prospective employees pending results of pre-employment drug screening and criminal background checks. New employees are required to sign CSA’s “Acknowledgement of Receipt of CSA Employee Handbook” during new hire orientation. The Employee Handbook requires employees to protect proprietary information, subject to disciplinary actions or criminal charges. A software code of ethics is also a component of the Employee Handbook. Human Resources notifies the Application Services and Systems Operations departments of employee transfers or terminations to ensure that any assigned card-key, printed material, and user sign-on privileges are appropriately returned or deactivated.


- 8 -

III. Information Provided by the Independent Auditor

Objectives and Scope of the Review

This report on controls placed in operation and tests of operating effectiveness provides interested parties with sufficient information to understand the general information system controls relative to the CSA Orbit CMB System, Work Management System (WMS), and Dynamic Financial Management System (DFMS) applications. This report, when coupled with an understanding of controls in place at user organizations, is intended to assist in the assessment of the controls surrounding transactions processed through the Orbit Customer Management and Billing (Orbit CMB) System, WMS, and DFMS and to assist the user’s independent auditors in planning the audit of client organizations and in assessing the control risk for assertions in client financial statements that may be affected by the controls of CSA’s Orbit CMB System, WMS, and DFMS applications.

Our examination was restricted to those control objectives and related controls outlined by CSA in the matrices contained in this section of this document and, accordingly, did not extend to controls in effect at user organizations. The examination was conducted in accordance with the SAS No. 70, Service Organizations, its amendments, and its interpretations. It is each interested party’s responsibility to evaluate this information relative to the controls in place at each user organization in order to make a complete assessment. The user organization’s and CSA’s controls must be evaluated together. If effective user organization controls are not in place, CSA’s controls may not compensate for such weaknesses.

The description of controls and control objectives is the responsibility of CSA’s management. Alexander Thompson Arnold PLLC’s responsibility is to express an opinion that the controls are operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives, specified by CSA, were achieved during the period covered by our report. The description of the independent auditor’s tests of operating effectiveness and the results of those tests are presented in this section of this report, adjacent to the service organization’s descriptions of controls. The description of the tests of operating effectiveness and the results of those tests are the responsibility of the independent auditor and should be considered information provided by the independent auditor.

Control Environment Elements

The control environment represents the collective effect of various factors on establishing, enhancing or mitigating the effectiveness of specific controls. In addition to the tests of operating effectiveness described below, our procedures included tests of the relevant elements of CSA’s control environment, including CSA’s organization structure and approach to segregation of duties and management control methods as they relate to the Orbit CMB System, WMS, and DFMS applications.


- 9 -

Our tests of the control environment included the following procedures, to the extent necessary:

- A review of CSA’s organizational structure, including the segregation of functional responsibilities, personnel policies, and policy and procedure manuals as they relate to the CSA Orbit CMB, WMS, and DFMS applications;
- Discussions with management, operations, administrative, and other personnel who are responsible for developing, assuring adherence to, and applying policies and procedures as they relate to the CSA Orbit CMB, WMS, and DFMS applications; and
- Observations of personnel in the performance of their assigned duties as they relate to the CSA Orbit CMB, WMS, and DFMS applications.

The results of these tests were considered in planning the nature, timing, and extent of our testing of the control objectives in the matrices within this section.

Tests of Operating Effectiveness Performed

Our tests of the effectiveness of controls included such tests as were considered necessary in the circumstances to evaluate whether those controls, and the extent of compliance with them, are sufficient to provide reasonable, but not absolute, assurance that the specified control objectives were achieved during the period June 1, 2010 to May 31, 2011. Our tests of the operating effectiveness of the controls were designed to cover a representative number of events throughout the period. In selecting particular tests of operational effectiveness of control structure policies and procedures, we considered:

- The nature of items being tested;
- The types and competence of available evidential matter;
- The nature of the audit objectives to be achieved;
- The assessed level of control risk; and
- The expected efficiency and effectiveness of the test.


- 10 -

Control Objectives, Related Controls, and Tests of Operating Effectiveness

The following tables describe the tests of operating effectiveness of controls that were performed, the control objectives, and the controls that were specified by the management of CSA.

Control Objective #1: The customer master file, including customer classifications and applicable industry codes, is accurate, and only valid changes are made to the file by authorized individuals.

Columns: Controls Specified by Central Service Association | Testing Performed by Alexander Thompson Arnold PLLC | Test Results

1. Control: Produce a Turn-On/Turn-Off Report (CS058) for utilities showing new customers with their corresponding rate class, and tested to ensure that the report is working properly.
   Testing: Reviewed CSA’s testing of the CS058 report and determined that testing appeared reasonable and test results were approved by appropriate personnel.
   Result: No relevant exceptions noted.

2. Control: The billing system is programmed to have rate classes automatically reclassify customers based on usage. General power customers are set up as class 40, and as usage increases, their rate class will also increase.
   Testing: Reviewed a sample of power customers to determine if they are set up as general power customers and if their rate classification is accurately determined by the system based on their usage.
   Result: No relevant exceptions noted.

3. Control: Produce a Sales Statistics Large Consumer Report (NG540) for utilities that lists accounts greater than 50 kW and outdoor lighting (except for codes 77 and 78), and tested to ensure that the report is working properly.
   Testing: Reviewed CSA’s testing of the NG540 report to determine if testing appeared reasonable and test results were approved by appropriate personnel.
   Result: No relevant exceptions noted.

4. Control: Produce a Customer Master File (CA38) report showing the beginning rate class for a customer, the electrical usage that triggers the rate flip, and the ending rate class when the customer’s rate class has changed to a new rate class, and tested to ensure that the report is working properly.
   Testing: Reviewed CSA’s testing of the CA38 report to determine if testing appeared reasonable and test results were approved by appropriate personnel.
   Result: No relevant exceptions noted.

5. Control: Produce a report for verification of SIC credits given to customers (SR100), and tested to ensure that the report is working properly.
   Testing: Reviewed CSA’s testing of the SR100 report to determine if testing appeared reasonable and test results were approved by appropriate personnel.
   Result: No relevant exceptions noted.


- 11 -

Control Objective #1 (cont.)

Columns: Controls Specified by Central Service Association | Testing Performed by Alexander Thompson Arnold PLLC | Test Results

6. Control: Produce a report at the end of each billing register (CA17) that flags billing exceptions based on the prior month’s billing or on inconsistencies, and tested to ensure that the report is working properly.
   Testing: Reviewed CSA’s testing of the CA17 report to determine if testing appeared reasonable and test results were approved by appropriate personnel.
   Result: No relevant exceptions noted.

7. Control: Produce the CS02 Audit of Demand Customers, which provides a listing of customers with a billed demand greater than 50 kW but no contract demand entered in the contract field on the rate screen, and tested to ensure the report is working properly.
   Testing: Reviewed CSA’s testing of the CS02 report to determine if testing appeared reasonable and test results were approved by appropriate personnel.
   Result: No relevant exceptions noted.

8. Control: Produce the SIC Listing for Customers on TVA Special Rates (SR100), which is used to verify that customers who are receiving TVA special rates and credits are eligible in accordance with contract documents, and tested to ensure the report is working properly.
   Testing: Reviewed CSA’s testing of the SR100 report to determine if testing appeared reasonable and test results were approved by appropriate personnel.
   Result: No relevant exceptions noted.

9. Control: Produce an SR099 report, which logs changes made (before and after) to the customer file, and tested to ensure the report is working properly.
   Testing: Reviewed CSA’s testing of the SR099 report to determine if testing appeared reasonable and test results were approved by appropriate personnel.
   Result: No relevant exceptions noted.

10. Control: Produce a CS249 Multiple-Meters-At-A-Location report, and tested to ensure the report is working properly.
    Testing: Reviewed CSA’s testing of the CS249 Multiple-Meters-At-A-Location report to determine if testing appeared reasonable and test results were approved by appropriate personnel.
    Result: No relevant exceptions noted.


- 12 -

Control Objective #2 Usage captured for the period is properly transferred to the billing system and can be reviewed through various system reports.

Controls Specified by Central Service Association

Testing Performed by Alexander Thompson Arnold PLLC

Test Results

Produce the SR101 non-metered electrical services report, which lists electric services that are non-metered, and tested to ensure that the report is working properly.

Reviewed CSA’s testing of SR101 report to determine if testing appeared reasonable and test results were approved by appropriate personnel.

No relevant exceptions noted.

A route assignment is required before a metered service can be set up, ensuring that a service cannot be omitted for lack of an assigned route.

Reviewed CSA’s testing that demonstrated that a metered service cannot be set up without being assigned a route.

No relevant exceptions noted.

Produce the SS01 Meter Reading Exception Report, an exception report listing accounts that should be reviewed when meter readings are uploaded to the mainframe, and tested to ensure that the report is working properly.

Reviewed CSA’s testing of SS01 report to determine if testing appeared reasonable and test results were approved by appropriate personnel.

No relevant exceptions noted.

Produce the ST905 No Bill Electric Customer By Account Number report, which runs after control 49 billing and shows accounts with kWh that do not go through Stats and have no charges, and tested to ensure the report is working properly. This report is used to verify accounts that should not go to the Stats report.

Reviewed CSA’s testing of ST905 report to determine if testing appeared reasonable and test results were approved by appropriate personnel.

No relevant exceptions noted.

Produce a “bill error list” that lists any locations where billing could not execute, and tested to ensure that the report is working properly.

Reviewed CSA’s testing of the “bill error list” report to determine if testing appeared reasonable and test results were approved by appropriate personnel.

No relevant exceptions noted.

Produce a “meter reading import error list” that shows any problem the system encountered while importing the meter reads, and tested to ensure that the report is working properly.

Reviewed CSA’s testing of the “meter reading import error list” report to determine if testing appeared reasonable and test results were approved by appropriate personnel.

No relevant exceptions noted.

User Control Consideration: Meter readings are the sole responsibility of the utility.


Control Objective #3 All billing adjustments are calculated using the appropriate billing rate in effect at the time of the original billing and can be reviewed through various system reports.

Control Specified by Central Service Association

Testing Performed by Alexander Thompson Arnold PLLC

Test Results

Produce the CA73 Monthly and Daily Billing Adjustment reports and tested to ensure that the reports are working properly.

Reviewed CSA’s testing of CA73 reports to determine if testing appeared reasonable and test results were approved by appropriate personnel.

No relevant exceptions noted.

User Control Consideration: It is the utility’s responsibility to enter the billing adjustment into the correct time period to ensure that the proper period billing rates are used for the adjustment.


Control Objective #4 Reports are available to assist the utility with tracking meter life cycles, test frequency, and test results.

Control Specified by Central Service Association

Testing Performed by Alexander Thompson Arnold PLLC

Test Results

Produce a Meter Management Report (in Meter Management) that lists all meters entered by a utility and shows when each meter is due for testing (based on the utility’s testing criteria, which are entered by the utility), and tested to ensure the report is working properly.

Reviewed CSA’s testing of the Meter Management Report to determine if testing appeared reasonable and test results were approved by appropriate personnel.

No relevant exceptions noted.

User Control Considerations: A utility must be using the Meter Management Program in order to have access to the Meter Management report. Meter test results are fed into the system by the utility or a third party testing service if used. The accuracy of all meter information entered into the Meter Management Program is the sole responsibility of the utility.


Control Objective #5 Billing information is accurately calculated using the proper rates supplied by the utility.

Controls Specified by Central Service Association

Testing Performed by Alexander Thompson Arnold PLLC

Test Results

For most utilities, CSA restricts the ability to change wholesale rates to CSA personnel, and changes are made only when authorized by the utility. At utilities that do not have the ability to make rate changes, employees cannot access wholesale rates because the system denies them access; those utilities have no control over wholesale rates.

Reviewed a sample of rate verification forms for individual utilities to ensure that all rate changes are verified and authorized by the individual utility. Performed a series of test log-ins as a sample utility that does not enter its own rates to ensure that access to rate entry is restricted at the utility level.

No relevant exceptions noted.

The utility notifies CSA of any Fuel Cost Adjustment (FCA) rate changes. Once TVA determines the monthly FCA, it sends the FCA to CSA. CSA updates the rate schedule and emails the utility for review. The utility is required to sign a rate authorization form and return it to CSA so that monthly billing can be completed.

Reviewed a sample of rate authorization forms from various utilities to determine if they are being properly used and maintained.

No relevant exceptions noted.

When a change is made to the seasonal retail rate, the utility notifies CSA as the change occurs. CSA updates the rate schedule and emails the utility for review. The utility is required to sign a rate authorization form and return it to CSA so that monthly billing can be completed.

Reviewed a sample of rate authorization forms from various utilities to determine if they are being properly used and maintained.

No relevant exceptions noted.

User Control Consideration: Some utilities have elected to enter rate changes themselves, which shifts the responsibility for entering correct rates from CSA to those utilities.


Control Objective #6 External customer billing calculations used as data sources or inputs to the billing process are controlled and validated.

Control Specified by Central Service Association

Testing Performed by Alexander Thompson Arnold PLLC

Test Results

Provide a PC program that interpolates billing data for MR interruptible and other special-rate customers, and tested to ensure that the program is working properly.

Reviewed CSA’s testing of the MR interruptible and other special rate programs to determine if testing appeared reasonable and test results agreed with anticipated test data from the billing system.

No relevant exceptions noted.

User Control Consideration: Other related utility-generated spreadsheets and reports may exist in addition to the MR interruptible and other special-rate programs; however, CSA is not responsible for such spreadsheets or reports.


Control Objective #7 Changes to the DFMS system are properly authorized, reviewed, and tested subsequent to program changes and prior to implementation.

Controls Specified by Central Service Association

Testing Performed by Alexander Thompson Arnold PLLC

Test Results

Access to source code is limited to programmers in the accounting group.

Inquired of management to determine who has access to source code. Reviewed access logs to determine if access to source code is limited to appropriate personnel.

No relevant exceptions noted.

Program changes require authorization of management through a signed action request.

Reviewed a sample of action requests for the year to determine if they are being properly used and approved.

No relevant exceptions noted.

Program changes are done only in the test environment and are not implemented into production until the update has been properly tested.

Inquired of management to determine if program changes are done in a test environment. Reviewed documentation to determine if program changes are properly tested prior to being implemented into production.

Exception: It was noted that documentation of regular testing of program changes is not maintained. Management Response: Our current change control procedures are being expanded to include broader areas such as nonstructural enhancements and documentation retention, which were not previously part of the approval and test process.

Each major sub-system (General Ledger, Purchasing, and Inventory) is tested regularly to ensure that changes to the reporting system are functioning properly.

Inquired of management to determine if changes to the reporting system are properly tested to ensure they are performing accurately. Reviewed CSA’s testing of DFMS reports to determine if testing is properly performed and test results were approved by appropriate personnel.

Exception: It was noted that documentation of regular testing of program changes is not maintained. Management Response: Our current change control procedures are being expanded to include broader areas such as nonstructural enhancements and documentation retention, which were not previously part of the approval and test process.

User Control Consideration: DFMS software can be hosted on the utility’s server or hosted by CSA. Physical security of Non-CSA Hosted servers is the utility’s sole responsibility. This SAS 70 report does not address the hosting and backup services. Members that subscribe to the hosting and backup service should refer to the separate report on controls for CSA’s Orbit Customer Management and Billing – CSA Hosted, WMS, and DFMS.


Control Objective #8 Changes to the WMS system are properly authorized, reviewed, and tested subsequent to program changes and prior to implementation.

Controls Specified by Central Service Association

Testing Performed by Alexander Thompson Arnold PLLC

Test Results

Access to source code is limited to programmers in the accounting group.

Inquired of management to determine who has access to source code. Reviewed access logs to determine if access to source code is limited to appropriate personnel.

No relevant exceptions noted.

Program changes require authorization of management through a signed action request.

Reviewed a sample of action requests for the year to determine if they are being properly used and approved.

No relevant exceptions noted.

Program changes are done only in the test environment and are not implemented into production until the update has been properly tested.

Inquired of management to determine if program changes are done in a test environment. Reviewed documentation to determine if program changes are properly tested prior to being implemented into production.

Exception: It was noted that documentation of regular testing of program changes is not maintained. Management Response: Our current change control procedures are being expanded to include broader areas such as nonstructural enhancements and documentation retention, which were not previously part of the approval and test process.

Work orders flow properly through the WMS system.

Performed a walkthrough of the WMS system with a sample work order from start to finish to ensure that work orders entered into the WMS system are properly processed. Reviewed the audit trail report testing to determine if work orders are being properly processed.

No relevant exceptions noted.

Once a work order is computed and accepted, the estimate will remain unchanged even if additional material is added.

Reviewed an estimate cost report and estimated material report and compared to the work order assembly entry to determine if work orders are being properly computed.

No relevant exceptions noted.

A picking ticket is generated which shows what material should be taken from the warehouse based on the estimate that was created.

Reviewed the issue transaction report and compared it to the PL25 Picking Ticket to determine if the picking ticket is being properly generated.

No relevant exceptions noted.


Control Objective #8 (cont.)

Controls Specified by Central Service Association

Testing Performed by Alexander Thompson Arnold PLLC

Test Results

Total hours and miles used for vehicles are entered into the equipment transaction screen to allocate equipment usage to the job.

Reviewed a sample equipment transaction data entry screen and traced to the Work Order Transaction Audit Trail report to determine if equipment usage is properly reported on the work order.

No relevant exceptions noted.

Removal amounts are entered into the removal transaction screen to allocate items salvaged, retired, or junked from the work order job.

Reviewed a sample removal transaction data entry screen and traced to the Work Order Transaction Audit Trail report to determine if removals are properly reported on the work order.

No relevant exceptions noted.

Issue amounts are entered into the issue transaction screen to allocate items issued to the work order job.

Reviewed a sample issue transaction data entry screen and traced to the Work Order Transaction Audit Trail report to determine if items are being properly issued in compliance with the work order.

No relevant exceptions noted.

Stores overhead is applied when the material activity such as an issue is performed. A journal entry is created on DFMS for the stores expense charged to overhead.

Reviewed a sample transaction entry and compared to the corresponding GL journal entry to determine if the stores expense entry is properly generated.

No relevant exceptions noted.

Other overhead percentages are applied based on estimated labor; however, the actual amounts applied are calculated and spread during the end of month process of spreading overhead. The base work order form contains the overhead percentages.

Reviewed a sample base work order parameter screen and a sample direct labor transaction to determine if it is being properly calculated on the work order.

No relevant exceptions noted.

Overheads are spread to the active work orders based on the percentage on the Base Work Order Parameter. The amount of the overhead is entered on specific work orders the utility has designated for each of the overheads. These amounts are entered into WMS as a direct cost.

Reviewed a sample base work order parameter screen, labor transaction screen, WO-ClassDef report, and direct cost transaction screen and compared them to the Audit Trail Report to determine if overheads are being reported properly in the WMS system.

No relevant exceptions noted.


Control Objective #8 (cont.)

Controls Specified by Central Service Association

Testing Performed by Alexander Thompson Arnold PLLC

Test Results

Direct labor transactions from payroll are posted directly to the utility’s work order.

Reviewed a sample close month process screen and compared to the corresponding audit trail report to determine if direct labor and indirect labor are being properly charged to the work order.

No relevant exceptions noted.

When the month is closed, overhead, indirect labor, stores, and transportation are closed to the work order.

Reviewed a close month process transaction and compared it to the audit trail of the transportation work order and the PL48 transportation distribution report to determine if the month-end spreads are properly processed.

No relevant exceptions noted.

When a work order is complete and ready to be closed to plant, the work order system will spread the cost to the primary FERC entries.

Reviewed a sample work order closing process to determine if the amounts of the CPR ledger transactions are properly calculated and the DFMS journal entry to plant agrees with the CPR ledger transactions being closed to plant.

No relevant exceptions noted.

User Control Consideration: WMS software can be hosted on the utility’s server or hosted by CSA. Physical security of Non-CSA Hosted servers is the utility’s sole responsibility. This SAS 70 report does not address the hosting and backup services. Members that subscribe to the hosting and backup service should refer to the separate report on controls for CSA’s Orbit Customer Management and Billing – CSA Hosted, WMS, and DFMS.


Control Objective #9 Controls provide reasonable assurance that the I.T. organizational structure provides the organization with adequate safeguards, segregation of duties, policies, and guidance.

Controls Specified by Central Service Association

Testing Performed by Alexander Thompson Arnold PLLC

Test Results

The I.T. organizational structure is appropriate and facilitates the flow of information to all stakeholders.

Obtained and reviewed the current organization chart from management to ensure it is current and accurately represents the key areas of authority and responsibility throughout the organizational structure.

No relevant exceptions noted.

I.T. Management has implemented an adequate segregation of roles and responsibilities (e.g., separation of accounting and I.T., separation of programming and systems administration).

Reviewed the organization chart and interviewed key management personnel to determine if the organizational structure adequately separates roles and responsibilities among corporate divisions and among key management personnel within each division.

No relevant exceptions noted.

Roles and responsibilities of the positions in the I.T. organization are defined, documented in formal job descriptions, and communicated to the appropriate individuals.

Inquired of the Human Resource department to ensure that job roles and responsibilities of positions within the I.T. organization are defined, documented, and communicated to the appropriate individuals. Obtained and reviewed copies of job descriptions for key I.T. management personnel.

No relevant exceptions noted.

Knowledge and experience of key I.T. management is adequate for their responsibilities.

Inquired of the Human Resource department and I.T. personnel to ensure availability of current certificate documentation for key I.T. management. Obtained/Reviewed documentation provided by Human Resources and key I.T. personnel to ensure knowledge and experience.

No relevant exceptions noted.

The I.T. organization subscribes to a philosophy of continuous learning, providing necessary training and skill development to its members.

Inquired of the I.T. department regarding training and skill development for employees to determine if the organization encourages and provides training reimbursement for key I.T. Personnel.

No relevant exceptions noted.


Control Objective #9 (cont.)

Controls Specified by Central Service Association

Testing Performed by Alexander Thompson Arnold PLLC

Test Results

IT initiatives are identified and prioritized by the appropriate members of the I.T. organization.

Inquired and obtained documentation to ensure that CSA has a Technology Board as well as a Board of Directors to identify and prioritize I.T. initiatives.

No relevant exceptions noted.

I.T. strategic plans are established, reviewed periodically for continued relevance, and linked with strategic initiatives.

Inspected list of key I.T. initiatives maintained by management to determine if it includes a description of each project, progress updates, deadline dates, and names of project personnel. Also reviewed to determine if it is reviewed, discussed, and updated at the weekly steering committee meeting.

No relevant exceptions noted.

The I.T. organization ensures that I.T. plans are communicated to the I.T. steering committee, Board of Directors, business process owners, and other relevant parties across the organization.

Inquired and observed if key I.T. management responsible for the I.T. organization are present at I.T. steering committee meetings and communicate I.T. plans to relevant management and directors.

No relevant exceptions noted.

The I.T. organization monitors its progress against the strategic plan and reacts accordingly to meet established objectives and the results are reported to the Board of Directors and/or audit committee.

Inquired of management and observed a weekly I.T. meeting to determine if the I.T. organization monitors its progress against the strategic plan through weekly meetings with management, as well as tracking progress and implementation of strategic plans in a spreadsheet, which is updated as needed to reflect the progress on any given project.

No relevant exceptions noted.

Significant I.T. events or failures (e.g., security breaches, major system failures, or regulatory failures) are reported to senior management and/or the Board of Directors on a timely basis.

Inquired of management as to whether significant I.T. events or failures are reported to senior management on a timely basis.

No relevant exceptions noted.


Control Objective #10 Controls provide reasonable assurance that appropriate methodology has been implemented for systems development and change management.

Controls Specified by Central Service Association

Testing Performed by Alexander Thompson Arnold PLLC

Test Results

A formal system development, acquisition, and change policy exists to manage requests for system changes, code development, testing, and implementation.

Obtained and reviewed a copy of the formal system development, acquisition, and change policy to ensure that there are formal policies for system changes, code development, testing, and implementation.

No relevant exceptions noted.

Systems Development requests are documented and approved by management before development of new functionality begins.

Inspected I.T. systems requests and approval tracking reports to determine if requests are properly documented and approved prior to development.

No relevant exceptions noted.

Systems Development requests are approved by management prior to being placed into development.

Reviewed a sample of Project Lists to determine if they were reviewed and approved by an appropriate member of management.

No relevant exceptions noted.

Systems Development requests are accepted by Business Unit Management once changes have been promoted to production.

Reviewed a sample of project documentation requested by the end user to determine if changes were accepted by an appropriate member of management.

No relevant exceptions noted.


Control Objective #10 (cont.)

Controls Specified by Central Service Association

Testing Performed by Alexander Thompson Arnold PLLC

Test Results

DFMS Systems Development requests are documented and approved by management before development of new functionality begins.

Inspected I.T. systems requests and approval tracking reports to determine if requests are properly documented and approved prior to development.

Exception: It was noted that four (4) of the sampled twenty-five (25) system change requests did not have appropriate approval prior to development. Management Response: Our current change control procedures are being expanded to include broader areas such as nonstructural enhancements and documentation retention, which were not previously part of the approval and test process.

DFMS Systems Development requests are approved by management prior to being placed into development.

Reviewed a sample of Project Lists to determine if they were reviewed and approved by an appropriate member of management.

Exception: It was noted that seven (7) of the sampled twenty-five (25) system change requests were not reviewed by an appropriate member of personnel prior to production implementation. Management Response: Our current change control procedures are being expanded to include broader areas such as nonstructural enhancements and documentation retention, which were not previously part of the approval and test process.

DFMS Systems Development requests are accepted by Business Unit Management once changes have been promoted to production.

Reviewed a sample of project documentation requested by the end user to determine if changes were accepted by an appropriate member of management.

Exception: It was noted that five (5) of the sampled twenty-five (25) system change requests did not have appropriate approval for move to production. Management Response: Our current change control procedures are being expanded to include broader areas such as nonstructural enhancements and documentation retention, which were not previously part of the approval and test process.


Control Objective #11 Controls provide reasonable assurance that environment changes are authorized by I.T. and Business Unit Management.

Controls Specified by Central Service Association

Testing Performed by Alexander Thompson Arnold PLLC

Test Results

Requests for changes to production hardware are documented and approved.

Reviewed the minutes of CSA Status Meetings to determine if production hardware changes were discussed and approved.

No relevant exceptions noted.

Requests for new production hardware are documented and approved.

Reviewed the minutes of the CSA Status Meetings to determine if the implementation of new production hardware was discussed and approved.

No relevant exceptions noted.

Changes to firewall rules are appropriately documented, and back-out procedures are in place.

Observed the implementation of a firewall change to determine if changes are appropriately documented and back-out procedures are in place.

No relevant exceptions noted.

Changes to firewall rules are controlled and restricted to appropriate users.

Reviewed the access rights to the firewall configuration to determine if access is controlled and restricted to appropriate personnel.

No relevant exceptions noted.

Access to FTP server is appropriately controlled.

Reviewed the access rights to the FTP server to determine if access is controlled and restricted to the appropriate members of personnel.

No relevant exceptions noted.

Clients accessing the FTP server are only allowed to view their own data.

Reviewed a sample of client online accounts to determine if the system limits access to that particular client only.

No relevant exceptions noted.


Control Objective #12 Controls provide reasonable assurance that computer operations are operating effectively and are adequately safeguarded, that backups are performed regularly, and that any problems are addressed in a timely fashion.

Controls Specified by Central Service Association

Testing Performed by Alexander Thompson Arnold PLLC

Test Results

Routine jobs or tasks are authorized and properly scheduled.

Obtained documentation to determine that there is a nightly process that is scheduled and supervised.

No relevant exceptions noted.

The job schedule is configured so jobs are executed at the correct time and in the proper sequence. The automated system is started interactively each day by the database administrator. Upon execution, each job is written to a log to ensure completion.

Reviewed the job scheduling process and logs to determine if management assigns a member of personnel to supervise the nightly scheduled process.

No relevant exceptions noted.

Reviewed a sample of job logs to ensure that each job is written to a log, which can be reviewed as needed to ensure jobs have completed successfully.

No relevant exceptions noted.

System logs of production processing problems are reviewed, analyzed, and issues are remedied.

Reviewed a sample of system logs of production processing problems as they occurred to determine if they are being reviewed by appropriate personnel and any noted issues are remedied.

No relevant exceptions noted.

I.T. systems and data are backed up on a regular basis.

Reviewed backup selections and backup logs and interviewed backup administrators to determine if I.T. systems and data are backed up on a regular basis. Reviewed a sample of backup logs to determine if backups are being completed successfully.

No relevant exceptions noted.


Control Objective #12 (cont.)

Controls Specified by Central Service Association

Testing Performed by Alexander Thompson Arnold PLLC

Test Results

Backup jobs are authorized and properly scheduled.

Inquired of management to determine if the designated backup administrator is responsible for authorizing and maintaining backups.

No relevant exceptions noted.

Reviewed the backup utility scheduler to determine if backups are properly scheduled and automated.

No relevant exceptions noted.

Backups are periodically tested.

Reviewed the current year test restoration to determine if the production database is restored on an annual basis.

No relevant exceptions noted.

Backup media is stored in a physically secure and remote location.

Inspected the physical location of the weekly tapes to determine if all media are stored in a secure off-site location.

No relevant exceptions noted.

Proper ID cards are required and used to control access to the facilities.

Inspected the facilities to determine if badges are required and logged to control access to all facilities.

Exception: It was noted that logging mechanisms that are in place are inaccurate and not checked on a regular basis.

Management Response: Entrance to the building is restricted to the employee entrance, which requires an ID card, or through the front desk, which requires registration with the receptionist. We acknowledge that during the period covered by this SAS70 review, the reporting mechanism for logging employee entrance became ineffective. Our building entry process is now being reevaluated and steps will be taken to assure that controlled access is logged and monitored appropriately.


Control Objective #12 (cont.)

Controls Specified by Central Service Association

Testing Performed by Alexander Thompson Arnold PLLC

Test Results

Proper ID cards are required and used to control access to the facilities. (continued)

Reviewed user access rights to determine if special access rights, such as after-hours access, are authorized and appropriately documented by H.R. and Management.

Exception: It was noted that all employees have full access to the building at all times and are not limited based on job responsibilities.

Management Response: Due to the nature of our business and all of the various job responsibilities, any employee may need access to the building any time of day, seven days a week. The General Office area is locked during non-business hours and Systems Operations is controlled by a unique entry code at all times. Only employees that need access to these areas are provided with an entry key or code. On weekends when there are no System Operations department employees on site, access codes to the computer room and part of the warehouse are blocked to a limited number of authorized staff. Management feels that the controls for access to the building are adequate, but will seek to include enhancements to this control in conjunction with other control reviews currently in process.

The computer room and any computer equipment, telecommunication equipment and data files are adequately protected from environmental hazards.

Inspected facilities that house all critical computer equipment to determine if each room is adequately protected from environmental hazards.

No relevant exceptions noted.

The CSA-owned facility is properly posted with respect to search and trespass, adequately lighted, and CCTV units are adequately installed.

Inspected the CSA facilities to determine if all CSA facilities are posted with respect to search and trespass, equipped with security lighting, and CCTV units are adequately installed.

No relevant exceptions noted.


Control Objective #12 (cont.)

Controls Specified by Central Service Association

Testing Performed by Alexander Thompson Arnold PLLC

Test Results

Access to the computer room and any computer equipment, data files and telecommunication equipment is appropriately restricted.

Inspected facilities that house all critical computer equipment to determine if access is restricted to appropriate personnel.

Exception: It was noted that while there is a keypad, the code is shared at the department director’s discretion and there is no documented policy for pass code change and refresh.

Management Response: The following practices were in place during the review period and will be documented as a written policy:

Each department director is given a unique 4-digit code to enter the computer room.

When an employee leaves CSA or transfers to another department, the employee’s old department is issued a new code for the computer room and a separate code for building access. The old codes are removed from the system.

At 7:00AM on Saturday morning when third shift leaves the building, they enter an override code into the system that disables the individual department computer room codes for the weekend. The codes are reactivated on Monday morning.

Employees are not permitted to share codes across departmental lines.

In addition to documenting the above policy, we are researching solutions to further restrict and log access to critical areas.

User Control Consideration: DFMS software can be hosted on the utility’s server or hosted by CSA. Physical Security for Non-CSA Hosted servers is the sole responsibility of the utility.


Control Objective #13 Controls provide reasonable assurance that I.T. resources are safeguarded and adequate security measures are in place.

Controls Specified by Central Service Association

Testing Performed by Alexander Thompson Arnold PLLC

Test Results

An information security policy exists and has been approved by an appropriate level of executive management.

Inquired of management to determine if an information security policy exists and has been approved by an appropriate member of management.

No relevant exceptions noted.

Proper authorization is required before users are added to systems and/or applications or when user rights are modified.

Inquired of management and reviewed a sample of “user authorization forms” to determine if the Human Resource Director authorizes appropriate I.T. personnel to add new users to systems and/or applications as necessary.

No relevant exceptions noted.

Timely notifications and authorizations have been implemented for suspending and closing user accounts for all affected systems.

Inquired of management and reviewed a sample of authorizations to disable/delete a specified user account to determine whether, when an employee leaves or is terminated, H.R. notifies the appropriate I.T. personnel and authorizes either the deletion or suspension of that employee’s user account.

No relevant exceptions noted.

User passwords require strong complexity controls (i.e., length, expiration, history, sessions, timeouts and special restrictions).

Reviewed the domain security settings parameters to determine if passwords in use on network security devices conformed to strong password requirements and adhered to the organization’s written password policy.

Exception: It was noted that password control settings for Maximum Password Age, Minimum Password Age, Password History, Password Encryption, and Password Complexity Requirements are disabled.

Management Response: CSA’s Information Security Policy will be updated to specifically address password settings.
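The exception above names the domain password settings that were found disabled. As an added example (not CSA's policy, not the auditor's procedure, and not code from the report), the following reads the [System Access] section of a Windows security-template export in the format written by `secedit /export` and compares each setting with an illustrative baseline. Both exports are constructed: the first mirrors the exception (age, history and complexity controls off), the second shows the same settings corrected. Treating the report's "Password Encryption" item as the ClearTextPassword (reversible encryption) setting, and treating a MaximumPasswordAge of -1 as "never expires", are assumptions of the example.

```python
"""Added example: checking an exported domain password policy against a baseline.

Parses the [System Access] section of a secedit-style .inf export and reports
each setting that falls short of an illustrative baseline. The baseline numbers
and both sample exports are constructed for this example; they are not CSA's
written policy or the auditor's test procedure.
"""
from __future__ import annotations

# Constructed export reflecting the report's exception: age, history,
# complexity and reversible-encryption controls effectively disabled.
WEAK_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = -1
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
ClearTextPassword = 1
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed export with the same settings corrected.
HARDENED_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 60
MinimumPasswordLength = 12
PasswordComplexity = 1
PasswordHistorySize = 24
ClearTextPassword = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_system_access(text: str) -> dict[str, int]:
    """Return the integer-valued keys of the [System Access] section only."""
    values: dict[str, int] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line == "[System Access]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        try:
            values[key] = int(value)
        except ValueError:
            pass  # string settings such as NewAdministratorName are not numeric policy
    return values


def check_password_policy(text: str) -> list[str]:
    """Return one finding per setting weaker than the illustrative baseline."""
    p = parse_system_access(text)
    # (key, description of the weakness, predicate true when the value is acceptable)
    checks = [
        ("MinimumPasswordLength", "minimum length below 8", lambda v: v >= 8),
        # secedit writes -1 for "password never expires" (assumption); 0 is treated the same
        ("MaximumPasswordAge", "expiration disabled or longer than 90 days", lambda v: 1 <= v <= 90),
        ("MinimumPasswordAge", "minimum age 0 lets a user cycle straight back to an old password", lambda v: v >= 1),
        ("PasswordHistorySize", "history shorter than 12 passwords", lambda v: v >= 12),
        ("PasswordComplexity", "complexity requirement disabled", lambda v: v == 1),
        ("ClearTextPassword", "passwords stored with reversible encryption", lambda v: v == 0),
    ]
    findings: list[str] = []
    for key, problem, ok in checks:
        if key not in p:
            findings.append(f"{key}: not present in export")
        elif not ok(p[key]):
            findings.append(f"{key}={p[key]}: {problem}")
    return findings


if __name__ == "__main__":
    for label, export in (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(label, check_password_policy(export) or "no findings")
```

Run against a real export the script gives the same kind of evidence the auditor gathered from the domain security settings, with the added benefit that the baseline is written down next to the check, which is what a written password policy (the management response above) has to supply.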

Security is configured to limit users to the resources, rights, and functions for which they have a direct job responsibility.

Inspected security configurations and reviewed user access rights to determine if members only have access to the appropriate resources pertaining to their job responsibilities.

No relevant exceptions noted.


Control Objective #13 (cont.)

Controls Specified by Central Service Association

Testing Performed by Alexander Thompson Arnold PLLC

Test Results

Access to the databases (not through application) is limited to only appropriate members of personnel.

Reviewed the user access rights to determine if database access is limited to only the appropriate members of personnel.

No relevant exceptions noted.

User IDs and passwords are utilized for individual user authentication to gain access to the databases (not through application).

Inquired of I.T. security management and inspected the company’s access rights to determine if direct access to company databases is controlled via single sign-on authentication using a login ID and password.

No relevant exceptions noted.

User IDs and passwords are utilized for individual user authentication to gain access to the system (Windows, Novell, AS/400, Unix, etc.).

Inquired of I.T. security management and inspected the company’s access rights to determine if direct access to the company system is controlled via single sign-on authentication using a login ID and password.

No relevant exceptions noted.

Reviewed the group policy manager to determine if user accounts, which are stored in Microsoft Active Directory, control access rights and privileges to the company system.

No relevant exceptions noted.

Where network connectivity is used, appropriate firewalls and network security devices have been implemented.

Inspected the network and interviewed the I.T. security administrator and other key I.T. managers to determine if appropriate firewalls and network security devices are in place to secure network connectivity.

No relevant exceptions noted.

Internal vulnerability assessments are performed on a periodic basis.

Inquired of I.T. management to determine if an internal vulnerability assessment has been successfully performed within a reasonable period of time.

No relevant exceptions noted.

Third Party vulnerability assessments are performed on a periodic basis.

Inquired of I.T. management to determine if a Third Party vulnerability assessment has been successfully performed within a reasonable period of time.

No relevant exceptions noted.


Control Objective #13 (cont.)

Controls Specified by Central Service Association

Testing Performed by Alexander Thompson Arnold PLLC

Test Results

Updated antivirus protection has been implemented on servers.

Reviewed a sample of servers to determine if antivirus software is installed and virus definitions are current.

No relevant exceptions noted.

Updated antivirus protection has been implemented on workstations.

Reviewed a sample of client workstations to determine if antivirus software is installed and virus definitions are current.

No relevant exceptions noted.

Wireless internet connections have appropriate encryption and restrictions implemented.

Inspected and reviewed the wireless access configuration to determine if access is restricted to authorized users and is secure.

No relevant exceptions noted.

User IDs and passwords are utilized for individual user authentication to gain access to the network security devices.

Inquired of I.T. security management and inspected the company’s access rights to determine if direct access to the company’s network security devices is controlled via single sign-on authentication using a login ID and password.

No relevant exceptions noted.

User passwords require strong complexity controls to gain access to the network security devices.

Verified that the passwords in use on CSA’s network security devices conform to strong password standards.

No relevant exceptions noted.

Security is configured to limit users to the resources, rights, and functions for which they have a direct job responsibility.

Verified that user access to network security devices is strictly limited to CSA’s designated security administrators.

No relevant exceptions noted.