On October 5, 2006, the Commission issued an Order on Settlement (Settlement Order) accepting in part and rejecting in part an Offer of Settlement (Settlement Offer) submitted by the settling parties ^[1] in Docket No. EL05-102-000, et al.^[2] The Settlement Order required numerous modifications to the Settlement Offer intended to provide immediate benefits to consumers and competitors that operate in the Southern region.

The Settlement Order also directed the Office of Enforcement to conduct an audit of the Southern Operating Companies (Alabama Power Company, Georgia Power Company, Gulf Power Company, Mississippi Power Company, and Southern Power Company (Southern Power)) to: (1) ensure that the Southern Operating Companies are fully complying with all the conditions set forth in the Settlement Order, and (2) determine whether the conditions imposed there were sufficient to address any remaining opportunities for affiliate abuse under the Intercompany Interchange Contract (IIC) related to Southern Power.^[3]

In the Settlement Order, the Commission advised that it will notice the audit report for comment and, after considering the comments on it, determine what, if any, further action is appropriate.^[4] The Commission added that if affiliate abuse concerns remain, it would either set such concerns for hearing or require further changes immediately.^[5] The Office of Enforcement has recently completed its audit report. A copy of the report is attached to this Notice.

All interested persons desiring to comment on what, if any, further action is appropriate on the matters addressed by the audit report, including the IIC and remaining opportunities for affiliate abuse, may file written comments on or before January 12, 2009. After reviewing these comments, the Commission will determine whether further action is appropriate.

The Commission encourages electronic submission of comments in lieu of paper using the “eFiling” link at http://www.ferc.gov. Persons unable to file electronically should submit an original and 14 copies of the comments to the Federal Energy Regulatory Commission, 888 First Street, NE., Washington, DC 20426.

Comment Date: 5 pm Eastern Time on January 12, 2009.

Federal Energy Regulatory Commission

Audit Report of Southern Company's

• Compliance with the Conditions Imposed by the Commission in Docket No. EL05-102-000, et al., and
• Remaining Opportunities for Affiliate Abuse related to Southern Power under the Intercompany Interchange Contract

Office of Enforcement

Division of Audits

Table of Contents

I. Executive Summary

A. Overview

B. Southern Company

C. Summary of Commission Proceedings in Docket No. EL05-102 et al.

D. Summary of Compliance Findings

E. Summary of Recommendations and Corrective Actions Taken

II. Southern Company's Compliance With Commission Orders

III. Introduction

A. Objectives

B. Scope and Methodology

IV. Findings and Recommendations

1. Electronic Separation

2. Employee Separation

3. Posting of Separation Protocol Violations on OASIS

V. Southern Companies Response on the Draft Audit Report—Appendix A

I. Executive Summary

A. Overview

On October 5, 2006, the Commission issued an Order on Settlement (Settlement Order) accepting in part and rejecting in part an Offer of Settlement (Settlement Offer) submitted by the settling parties ^[6] in Docket No. EL05-102-000, et al.^[7] The Settlement Order required numerous modifications intended to provide immediate benefits to consumers and competitors that operate in the Southern region. The Settlement Order also directed the Division of Audits (DA) within the Office of Enforcement (OE) to conduct an audit of the Southern Operating Companies (Alabama Power Company, Georgia Power Company, Gulf Power Company, Mississippi Power Company, and Southern Power Company (Southern Power)) to: (1) Ensure that the Southern Operating Companies are fully complying with all the conditions set forth in the order, and (2) determine whether the conditions imposed therein were sufficient to address any remaining opportunities for affiliate abuse under the Intercompany Interchange Contract (IIC) related to Southern Power.

The Southern Operating Companies made a compliance filing on November 6, 2006, notifying the Commission that they had implemented the modifications required by the Settlement Order. The Southern Operating Companies also provided a projected implementation schedule reflecting the compliance efforts to date and a seven-month timeline to complete the remaining compliance milestones. The Commission accepted the compliance filing on April 19, 2007 (Acceptance Order), subject to further modifications to the IIC, Separation of Functions and Communications Protocol (Separation Protocol), and Generator Support Service Tariff (GSS Tariff).^[8] The Commission required the Southern Operating Companies to fully implement all the compliance efforts included in its implementation schedule within seven months from the issuance of the Acceptance Order. The Commission also directed OE to monitor the Southern Operating Companies' implementation progress and, once the implementation is complete, to commence its audit and finish the audit within 12 months. The Southern Operating Companies completed the implementation on November 16, 2007, and filed a Notice of Completion with Start Printed Page 77666the Commission. The Commission accepted the Southern Operating Companies' Notice of Completion on January 11, 2008.^[9] OE commenced the audit of the Southern Operating Companies on November 19, 2007.

OE has completed its audit of the Southern Operating Companies. The audit examined whether the Southern Operating Companies are fully complying with the modifications the Commission set forth in the Settlement and Acceptance Orders and whether the conditions imposed therein are sufficient to address any remaining opportunities for affiliate abuse under the IIC related to Southern Power. The audit covered the period from November 19, 2007 through August 29, 2008.

Audit staff concluded that the Southern Operating Companies properly implemented the modifications and generally complied with the conditions imposed by the Commission in the Settlement and Acceptance Orders. However, audit staff determined that Southern Company should implement additional corrective actions to prevent the potential for Southern Power employees to access non-public market information. Moreover, Southern Company should follow the Commission's and its company's policies for posting non-public market information on its Open Access Same-Time Information System (OASIS). OE's audit findings and recommendations are summarized below in sections D and E of this audit report (report), and discussed comprehensively in section IV of this report.

Audit staff's conclusions are based on evidence obtained through 85 employee interviews, four face-to-face meetings, weekly phone conferences, four site visits, facility inspections, extensive data inquiries and examinations, and review of approximately 7,000 e-mails and 2,800 voice recordings.

B. Southern Company

Southern Company is an electric utility holding company and the parent company of the Southern Operating Companies, Southern Company Services, Inc., and other direct and indirect subsidiaries. The primary business of Southern Company is the supply and sale of electricity in the Southeast region of the United States. Southern Power, a wholesale energy provider, constructs, acquires, and manages generation assets in the wholesale market, where it sells electricity at market-based rates. Southern Power is the large wholesale energy provider in the Southeast, owning and operating more than 6,500 megawatts of generating assets. The other Southern Operating Companies are vertically integrated utilities that provide electric service in the states of Alabama, Georgia, Florida, and Mississippi.

Southern Company Services, Inc. is a centralized service company which provides various services, at cost, to the Southern Operating Companies and its subsidiaries. For example, Southern Company Services, Inc. acts as agent to the Southern Operating Companies for administering and carrying out the operational activities under the IIC and for the sale of wholesale power at market-based rates. Southern Company Services, Inc. also acts as agent to the Southern Operating Companies for providing transmission service under Southern Company's OATT. Further, Southern Company Services, Inc. enters into gas purchase and sales agreements, and transportation and storage contracts, as agent on behalf of the Southern Operating Companies.

The Southern Operating Companies function as an integrated public utility system through the joint commitment and economic dispatch of their generating resources to meet their collective load obligations. The integrated operation of their respective electric generating facilities and system operations (generally referred to as the pool) is governed by the IIC, which is a rate schedule on file with the Commission pursuant to the Federal Power Act.^[10] The IIC provides for the coordinated and integrated operation of the generating facilities and resources owned, contractually controlled, and operated by the Southern Operating Companies, as well as the pooling of surplus energy for short-term wholesale energy sale opportunities. In essence, the IIC: (1) Specifies the types of transactions involved in system operations; (2) provides for the sharing of the benefits and burdens associated with the operation of facilities that are used for the mutual benefit of the Southern Operating Companies; and (3) provides guidance for pool operations. Southern Company Services, Inc. operates the pool in accordance with the IIC using a centralized economic dispatch model to serve the obligations of the Southern Operating Companies with the lowest cost resources while at the same time reliably operating the interconnected system. Any energy generated in excess of these obligations becomes available to the pool for making short-term wholesale energy sales to third parties on behalf of the Southern Operating Companies. Southern Company Services, Inc. is responsible for billing the Southern Operating Companies for transactions and services under the IIC on a monthly basis.

The Southern Operating Companies also make wholesale sales at market-based rates, pursuant to market-based rate tariffs, which include a code of conduct and a Separation Protocol. The code of conduct provides important protections concerning the business relationship amongst the Southern Operating Companies and marketing affiliates with market-based rate authority. The Separation Protocol places protections between Southern Power and the other Southern Operating Companies in the codes of conduct. Specifically, the Separation Protocol requires the functional separation of the wholesale activities that Southern Power carries out for the sole benefit of its shareholders from the activities of the other Southern Operating Companies. Further, the Separation Protocol allows Southern Power to use employees of Southern Company Services, Inc. or any other affiliate as long as those employees are dedicated exclusively to Southern Power. Southern Power is also permitted to use shared support employees as long as it does so consistent with the independent functioning requirements of the Standards of Conduct.^[11] In addition, the Separation Protocol contains other restrictions designed to protect against Southern Power's physical and electronic access to non-public market information, receiving preferential treatment with regard to the purchase or sale of transmission service or electric energy, and abuses related to the purchase or the sale of non-power goods and services.

C. Summary of Commission Proceedings in Docket No. EL05-102 et al.

Southern Power is a wholly-owned subsidiary of Southern Company and affiliate of the other Southern Operating Companies. Southern Power is a competitive generation provider that does not have a franchised obligation to serve at retail. In this capacity, it raises several regulatory concerns, which were described by the Commission in the Settlement Order. As the Commission explained therein, when a competitive affiliate is a member of a power pool with its regulated operating company Start Printed Page 77667affiliates, an incentive exists for the regulated affiliates to subsidize the sales of the competitive affiliate to benefit their mutual shareholders.^[12] Second, when Southern Power sells power to other Southern Operating Companies, there is a concern that the competitive affiliate not be granted an undue preference.^[13] When the competitive affiliate sells to a regulated affiliate, the Commission's concern is that the price not be set too high.^[14] Conversely, when the regulated affiliate sells to a competitive affiliate, the Commission's principal concern is that the price not be set too low.^[15] When sales are made to third parties, the Commission's principal concern is that the regulated Southern Operating Companies continue to compete for such sales rather than favoring sales by Southern Power.^[16] Finally, the Commission expressed concerns that the integration of the companies created by the pool could lead to potential violations of the Standards of Conduct and hence the obligation to provide transmission service on a nondiscriminatory basis.^[17] Together, these concerns form the basis for the conditions and modifications the Commission imposed on Southern Company that is the subject of this audit.

The proceeding in Docket No. EL05-102-000 began on May 5, 2005, when the Commission instituted an investigation to determine whether the role of Southern Power in Southern Company's pool continued to be appropriate and consistent with the Commission's regulations and precedents regarding affiliate abuse.^[18] Specifically, the Commission set for hearing the following issues: (1) The justness and reasonableness of the IIC, including the justness and reasonableness of Southern Power's inclusion in the pool and whether such inclusion involves undue preference and undue discrimination that adversely affected wholesale competition and wholesale customers in the Southeast; (2) whether any of the Southern Operating Companies had violated or were violating the Commission's Standards of Conduct which were in effect at the time; and (3) whether the Southern Operating Companies' Code of Conduct was just and reasonable and whether the Code of Conduct should continue to define Southern Power as a “system company.”

On April 11, 2006, Southern Company Services, Inc., on behalf of the Southern Operating Companies, filed the Settlement Offer to resolve the regulatory proceedings in Docket No. EL05-102 and other related proceedings. The purpose of the Settlement Offer was to resolve all allegations that the IIC and certain other aspects of the Southern Operating Companies' structure and operations provided Southern Power with an undue preference over non-affiliated power suppliers. The Settlement Offer also encompassed other measures that the Southern Operating Companies were planning to implement in response to allegations that their operations improperly favored affiliates. On October 5, 2006, the Commission issued its Settlement Order, which accepted in part and rejected in part the Settlement Offer.^[19] The Commission explained that the Settlement Offer did not adequately protect customers against affiliate abuse. As a result, the Commission ordered the Southern Operating Companies to make significant changes to the Settlement relating to the IIC, Separation Protocol, and GSS Tariff, to adequately protect customers from affiliate abuse in the sale of wholesale power and the provision of transmission service. In the Settlement Order, the Commission directed the OE to conduct an audit of Southern Power and its regulated Operating Company affiliates. Further, the Commission advised that it will notice the audit report for comment and after considering the comments on it, determine what further action is appropriate.^[20] Moreover, the Commission stated that if affiliate abuse concerns remained, it will either set such concerns for hearing or require further changes immediately. Lastly, the Commission advised that it would keep the section 206 investigation open until receiving the audit, any public comments on it, and determine what further action is appropriate in this docket.

On November 6, 2006, Southern Company Services, Inc., acting as agent for the Southern Operating Companies, submitted a modified compliance filing, as directed by the Settlement Order. The compliance filing included the required amendments to the IIC, Separation Protocol, and GSS Tariff, as well as a projected implementation schedule outlining the actions taken to date and the expected timeframe for implementing the Separation Protocol over a seven-month period. On April 19, 2007, the Commission issued an Acceptance Order, which accepted the modified compliance filing and projected implementation schedule, but directed a further compliance filing be made.^[21] On May 18, 2007, Southern Company Services, Inc. filed a revised compliance filing in Docket No. EL05-102-003, as directed by the Commission in its Acceptance Order. The Commission accepted, by delegated authority, this revised compliance filing with minor modifications on July 16, 2007.^[22] On August 13, 2007, Southern Company Services, Inc. filed these minor modifications in Docket No. EL05-102-004, which the Commission accepted by delegated authority on September 12, 2007.^[23]

On November 16, 2007, Southern Company Services, Inc. filed, on behalf of the Southern Operating Companies, a Notice of Completion and Conformed Compliance Filing in connection with the Settlement and Acceptance Orders. The Southern Operating Companies stated that the implementation of the requirements set forth in the Settlement and Acceptance Orders was complete. Moreover, the Southern Operating Companies submitted an effective conformed version of the Separations Protocol. The filing also conformed the definition of “market information” used in the Separation Protocol and IIC to the definition of that term established by the Commission in Order No. 697.^[24] The Southern Operating Companies requested that the Commission accept the Order No. 697 conformed rates for filing.^[25] The Southern Operating Companies later determined that the November 16, 2007 filing should not have included the section 205 request that the definition of “market information” established by the Commission in Order No. 697 apply to that same term as used in the Southern Operating Companies' Separation Protocol. Accordingly, on December 4, 2007, the Southern Operating Companies amended its Notice of Completion filing to remove the section Start Printed Page 77668205 aspect of its submission. On January 11, 2008, the Commission, by delegated authority, accepted the Southern Operating Companies' Notice of Completion and the Separation Protocol with an effective date of November 19, 2007.^[26]

On November 19, 2007, OE commenced the audit of the Southern Operating Companies in Docket No. PA08-6-000.

D. Summary of Compliance Findings

Although audit staff determined that the Southern Operating Companies generally complied with the conditions in the Settlement and Acceptance Orders, audit staff identified three areas where the Southern Operating Companies should strengthen and further its compliance measures related to electronic separation, employee separation, and posting of Separation Protocol violations on OASIS.^[27] Below is a summary of audit staff's compliance findings. A more detailed discussion of audit staff's compliance findings is included in section IV.

• Electronic Separation—Although Southern Company implemented electronic controls to prevent Southern Power employees from accessing non-public market information, audit staff detected some gaps in the controls that potentially provided Southern Power employees with access to non-public market information. Specifically, a Southern Power employee was able to breach Southern Company's network access restrictions through a non-Southern Power computer workstation and the wireless network. Additionally, Southern Company did not have adequate procedures in place to review for non-public market information available through: (1) Personal network drives of employees who transferred jobs and (2) files transferred to shared network drives by non-Southern Power employees.
• Employee Separation—Audit staff observed an employee performing transmission activities that support the long-term wholesale energy transactions of Southern Power, while at the same time performing transmission and energy trading activities that support the short-term wholesale energy transactions made by the pool on behalf of the Southern Operating Companies. Audit staff believes that Southern Company should dedicate separate employees to perform the transmission activities supporting Southern Power's long-term wholesale energy transactions and the transmission activities supporting the short-term wholesale energy transactions made for the pool on behalf of the Southern Operating Companies to prevent the potential for any undue preference.
• Posting of Separation Protocol Violations on OASIS—Southern Company did not immediately post, date, and time stamp all the postings it made to OASIS in accordance with the Commission's Standards of Conduct requirements in effect during the audit period.

E. Summary of Recommendations and Corrective Actions Taken

Audit staff provides the following recommendations to ensure adequate corrective actions are taken by Southern Company to address the remaining opportunities for potential affiliate abuse under the IIC related to Southern Power.

• Create procedures for reviewing files posted to Southern Power shared drives by non-Southern Power employees for non-public market information. Additionally, create procedures for reviewing the personal network drives of all employees who transfer into Southern Power for non-public market information. For each review, remove all files that contain non-public market information from the personal network drive of the transferred employee.

On November 14, 2008, Southern Company implemented new policies governing the monitoring and review of Southern Power shared drives and the personnel network drives of employees transferring into Southern Power.

• Perform periodic reviews to ensure that Southern Power employees do not have access rights to applications, databases, and shared network drives containing non-public market information. Additionally, these periodic reviews should include testing of the segmented network to determine whether Southern Power employees can bypass the segmented network and potentially access non-public market information.

On November 14, 2008, Southern Company implemented new procedures requiring a periodic review of Southern Power shared drives and periodic testing of the segmented network.

• Add the “SPC” designator to Southern Power employee names in Cool Compliance, as is already done in the Global Address List for e-mails, to spotlight a Southern Power employee having access rights granted in Cool Compliance.^[28]

On November 10, 2008, Southern Company informed audit staff that it will identify and label all Southern Power employees in Cool Compliance. However, Southern Company did not provide an implementation date.

• Dedicate employees performing transmission activities that support Southern Power's long-term wholesale energy transactions solely to Southern Power.

On November 7, 2008, Southern Company informed audit staff that it transferred the responsibilities associated with the procurement of transmission service for Southern Power's long-term wholesale energy transactions to Southern Power.

• Post all violations of the Separation Protocol immediately, in accordance with the Standards of Conduct at 18 CFR 358.5(b)(3). In addition to the date the violation occurred, include on each document the date and time Southern Company posted the violation in accordance with the OASIS regulations at 18 CFR 37.6(g)(2).

On November 14, 2008, Southern Company revised its Separation Protocol Violations Investigative Procedure to reflect that upon determining an actual violation has occurred, the incident must immediately be posted on OASIS. Further, Southern Company implemented a procedural change to include a date and time stamp for each document posted on OASIS relating to the violation.

• Strengthen procedures and controls for maintaining e-mail distribution lists and providing reports to Southern Power that may contain non-public market information. Incorporate these procedures and other pertinent procedural enhancements in the Separation Protocol compliance training program to achieve a reduction in the number of future violations.

On November 14, 2008, Southern Company implemented new procedures requiring employees to maintain and periodically review their e-mail distribution lists to verify employee memberships. Further, Southern Company revised its Separation Protocol training regarding electronic communications with Southern Power employees and the development and maintenance of e-mail distribution lists.Start Printed Page 77669

II. Southern Company's Compliance With Commission Orders

The Southern Operating Companies' efforts to comply with the Settlement and Acceptance Orders included the following activities: (1) Tariff modifications filed with the Commission; (2) functional separation through organizational restructuring, relocation of employees and infrastructure changes; (3) electronic access controls (information technology); (4) training of employees; and (5) a compliance filing to conform to the definition of “market information” used in the Separation Protocol and IIC to the definition of that term established by the Commission in Order No. 697. Further, the Southern Operating Companies expended almost $20 million to implement the modifications required by the Commission's Settlement and Acceptance Orders. In addition, the Southern Operating Companies anticipate there will be on-going costs for compliance, including the purchasing of equipment, additional staffing, training, and other costs that are difficult to quantify at this time.

Tariff Modifications

Subsequent to the issuance of the Settlement Order, the Southern Operating Companies made several compliance filings, which the Commission has approved, that changed the tariff language of the IIC, Separation Protocol, and GSS Tariff to comply with the Commission's Settlement and Acceptance Orders.^[29] The IIC changes pertained to sales between the Southern Operating Companies that were outside the pool operating window, but less than a year in length, opportunity sales made on behalf of the pool members, Southern Power taking transmission service under the OATT, Southern Power as an Energy Affiliate under the Standards of Conduct in effect at the time, and defining “market information” consistently with Order No. 697.

The Separation Protocol changes pertained to broadening the separated functions responsibilities to any function undertaken for the benefit of Southern Power's shareholders (except joint economic dispatch and reserve sharing), prohibiting the sharing of any information, protecting against preferential treatment in regard to the purchase or sale of transmission service or electric energy between the Southern Operating Companies, and the pricing of non-power goods and services. The GSS tariff changes pertained to filing the GSS tariff with the Commission to provide all similarly situated merchant generators access to back-up power by the Southern Operating Companies, and requiring the just and reasonable standard, as opposed to the public interest standard, to govern all revisions to the GSS tariff. The Commission accepted all of these modifications to the IIC, Separation Protocol, and GSS tariff.

Functional Separation

In addition to the tariff filings, the Southern Operating Companies made several organizational and structural changes to comply with the Settlement and Acceptance Orders. The Southern Operating Companies began to evaluate the measures necessary to comply with the Settlement Order in late 2006 and, after the Commission issued the Acceptance Order in April 2007, initiated the compliance effort. Based on the schedule accepted by the Commission, the Southern Operating Companies were afforded seven months to complete the functional separation of Southern Power, implement the required information sharing restrictions, and provide Separation Protocol training to its employees.

Southern Company evaluated its corporate structure and made various organizational changes. To functionally separate Southern Power's wholesale activities from the other Southern Operating Companies, Southern Company created Southern Wholesale Energy and Southern Power as divisions within Southern Company Services, Inc. Southern Wholesale Energy, a business unit within Southern Company Services, Inc. performs all of the bilateral, long-term wholesale activities of the Southern Operating Companies, with the exception of Southern Power. Southern Power, as subsidiary of Southern Company performs wholesale activities including asset management and trading, market analysis and structure, generation development, and asset acquisition on behalf of its shareholders. Southern Power also created its own finance, accounting, budgeting, and compliance groups separate from the other Southern Operating Companies. In addition, Southern Power established separate officer positions, including President, Chief Commercial Officer, Senior Production Officer, Chief Financial Officer, and Compliance Officer.

Southern Company reviewed its physical facilities and, as a result, relocated employees, made changes to its electronic infrastructure, and implemented physical access controls. Southern Company relocated 65 Southern Power employees and 90 other Southern Operating Companies employees within the Birmingham, Alabama, and Atlanta, Georgia, offices as a result of functionally separating Southern Power from the other Southern Operating Companies. In Birmingham, Southern Company physically separated employees solely dedicated to Southern Power to a separate floor and developed Southern Power's own trading floor. Southern Power's separate floor contains its asset management and trading, market analysis and structure, generation development, and asset acquisition functions. Southern Power installed electronic card key access controls on this separate floor to provide access only to employees solely dedicated to Southern Power. Southern Company also implemented electronic card key access controls to restrict Southern Power employees' access to non-public market information in other areas of the building where the other Southern Operating Companies perform operating and trading activities. Further, Southern Company instituted sign-in procedures for all non-authorized visitors in these areas to provide extra protection. Southern Company included these same protections in its Atlanta facilities and the generating plants owned and operated by Southern Power.

Electronic Access Controls

Southern Company conducted an extensive review of its computer and e-mail systems, business software applications and databases, and intranet sites to establish controls that prevent Southern Power employees from having electronic access to or receiving non-public market information from the other Southern Operating Companies. As a result of this review, Southern Company installed a segmented network to comply with the electronic separation requirements ordered by the Commission's Settlement and Acceptance Orders. The segmented network allows Southern Power to coexist on the same information technology infrastructure as the rest of Southern Company, yet at the same time precludes Southern Power from obtaining non-public market information electronically. Southern Company also created separate intranet Web sites for Southern Power and the other Southern Operating Companies to ease the burden of electronic separation Start Printed Page 77670and Southern Power's restriction to non-public market information. Further, all shared drives that contain non-public market information are electronically protected and restrict Southern Power employees' access. In addition to these protective measures, Southern Company added an “SPC” notation next to the e-mail addresses of Southern Power employees to clearly distinguish them from non-Southern Power employees and avoid the inadvertent exchange of non-public market information.

Employee Training

Southern Company informed audit staff that the Southern Operating Companies provided the Separation Protocol training required by the Commission's Settlement Order to over 15,000 employees. This training educated employees on functional separation requirements, physical separation requirements, “prohibited information” definitions, electronic access requirements, no conduit rules, and violation reporting instructions. The type of training provided (instructor-led or on-line) was based on the priority level of employees. Employees in the high priority level included employees of Southern Power, generation employees, transmission employees, shared support service employees and corporate officers of the other Southern Operating Companies responsible for these areas. These high priority level employees received instructor-led training while others participated in an on-line training program. Continued education and training on the Separation Protocol is provided on an annual basis. Additionally, training materials for the Separation Protocol are available on the intranets of both Southern Company and Southern Power.

Order No. 697 Compliance Filing

In the Acceptance Order, the Commission directed Southern Company Services, Inc. to revise its Separation Protocol and IIC to prohibit the sharing of any market information, whether or not such information is public.^[30] Subsequent to the Acceptance Order, the Commission issued Order No. 697, which, among other things, codified a new definition of “market information.” Pursuant to the Commission's regulations, “market information” means non-public information related to the electric energy and power business including, but not limited to, information regarding sales, cost of production, generator outages, generator heat rates, unconsummated transactions, and historical generator volumes. Market information includes information from either affiliates or non-affiliates.^[31] This new definition not only provides greater specificity regarding the type of information falling within its scope, but also limits its application to non-public information.

On December 4, 2007, Southern Company Services, Inc., on behalf of the Southern Operating Companies, made a section 205 filing in Docket No. ER08-298-000 to conform the definition of “market information” as used in the Separation Protocol and the IIC to the definition of that term established in Order No. 697. On January 11, 2008, the Commission accepted the filing.^[32]

Standards of Conduct Compliance

In the Settlement Order, the Commission directed Southern Operating Companies to revise section 4.4 of the IIC to make clear that the IIC is not to serve as a means whereby transmission information is shared in a manner contrary to the Commission's Standards of Conduct.^[33] The Settlement Order also required revision of section 4.4 of the IIC to make clear that Southern Power is treated as an Energy Affiliate under the Standards of Conduct and therefore cannot receive any nonpublic transmission information. ^[34]

While the Commission recently revised its Standards of Conduct regulations, the fundamental principle prohibiting a transmission provider's transmission function employees from disclosing nonpublic transmission information (which includes customer information) to marketing function employees is retained. The revisions do not affect either Southern Operating Company's compliance with the recommendations regarding shared employees or the information restrictions discussed herein. We also note that the Southern Operating Companies are subject to restrictions similar to those in the Standards of Conduct regulations based on its market-based rate authority.^[35] In addition to restricting information sharing between a franchised public utility with captive customers and a market-regulated power sales affiliate, those rules contain separation of function requirements and a no conduit provision.

Introduction

A. Objectives

The primary objective of the audit was to determine whether the Southern Operating Companies fully complied with the conditions and modifications imposed by the Commission in its Settlement and Acceptance Orders. The audit also evaluated whether the conditions and modifications set forth in both orders are sufficient to address any remaining opportunities for affiliate abuse related to Southern Power under the IIC. The audit covered the period from November 19, 2007 through August 29, 2008.

B. Scope and Methodology

Audit staff conducted a series of reviews prior to the commencement of the audit to gain an understanding of Southern Company's corporate environment, and state and federal regulatory affairs. Audit staff also monitored the implementation of the modifications imposed upon the Southern Operating Companies by the Commission in Docket No. EL05-102-000 through a series of phone conferences and compliance filing reviews. The audit activities conducted included:

• Corporate Review—Audit staff conducted a corporate review prior to the commencement of the audit to obtain a preliminary understanding of Southern Company's corporate structure, system design and operations, and market and financial activities. Audit staff reviewed publicly available materials and references including Southern Company's: OASIS and corporate Web sites; Federal Energy Regulatory Commission (FERC) Electric Quarterly Reports (EQR); FERC Forms No. 1, 60, and 714; IIC Annual Informational Filing; Securities and Exchange Commission (SEC) Forms 8-K, 10-Q, and 10-K; annual stockholder reports; various industry Web sites; and trade press releases.
• Internal Auditor and External Accountant Review—Audit staff reviewed relevant audit reports and workpapers of the Southern Companies' internal audit department and external audit firm, Deloitte & Touche LLP. The audit staff also reviewed the prior SEC audit report relating to service company costs and revenue allocations.
• Federal Regulatory Review—Audit staff reviewed numerous company filings and Commission orders to obtain Start Printed Page 77671an understanding of the issues involved in the audit, including: Docket Nos. EL05-102, EL05-104, and ER03-713; market-based rate tariffs and authorizations, including Docket Nos. ER95-1468, ER96-780, ER00-1655, ER03-3240, ER01-1633, and ER03-1383; and various dockets authorizing Southern Power to sell power to Alabama Power and Georgia Power. Additionally, audit staff reviewed company filings and orders relating to Southern Company's OATT and Order No. 697 compliance filings.
• State Regulatory Review—Audit staff performed a comprehensive review of each State Commission's (Georgia, Alabama, Mississippi, and Florida) Web site to obtain an understanding of their oversight responsibilities and regulatory involvement with Southern Company. Additionally, audit staff conducted phone conferences with staff at each State Commission to establish points of contact for the audit and to discuss its past regulatory review of Southern Company. In particular, audit staff inquired about each State Commission's compliance audits related to affiliated transactions and cross-subsidization, their understanding and review of the terms and conditions of the IIC and related billing process, and their involvement in solicitation of competitive bids for generation suppliers.
• Monitoring of Compliance Implementation—To ensure that Southern Company adhered to the Commission-approved compliance implementation schedule, audit staff monitored Southern Company's progress prior to the audit. Specifically, audit staff reviewed compliance filings made with the Commission by Southern Company Services, Inc. on behalf of the Southern Operating Companies. Further, audit staff held three phone conferences with Southern Company regarding the status and completion of its projected compliance implementation plan before the commencement of the audit on November 19, 2007.

Audit staff also reviewed specific areas related to the objectives of the audit and conducted testing in those areas to evaluate the Southern Operating Companies' compliance with the conditions imposed by the Settlement and Acceptance Orders, and whether those conditions were sufficient to address any remaining opportunities for affiliate abuse by Southern Power under the IIC. Audit staff held regular conference calls and formal meetings with Southern Company, and performed three site visits at Southern Company's facilities in Birmingham, Alabama, and one site visit in Atlanta, Georgia. Further, audit staff issued nearly two hundred data requests to obtain information for review and testing purposes, and to collect evidence to support its conclusions. The specific areas audit staff reviewed and tested include the Separation Protocol, wholesale sales, transmission, and GSS tariff.

• Separation Protocol—Audit staff conducted multiple tests to evaluate the Southern Operating Companies' compliance with the conditions imposed by the Commission and remaining opportunities for affiliate abuse relating to the separation of functions and employee workspace, restriction of non-public market information, separation protocol training, and sale of non-power goods and services. Specifically, audit staff:

○ Reviewed Southern Company's organizational structure and conducted interviews with several employees to ensure that Southern Company functionally separated all wholesale activities carried out for the sole benefit of Southern Power shareholders, including its trading activities by the other Southern Operating Companies.

○ Toured and inspected Southern Power and other facilities in Birmingham, Alabama, and Atlanta, Georgia, to ensure that the workspace of all employees conducting separated functions of Southern Power were separated from the workspace of the other Southern Operating Companies.

○ Inspected the physical and electronic information security restrictions in place and tested the information system processes and controls in place at the network, application, and workstation level to ensure non-public market information is protected from employees conducting the separated functions of Southern Power.

○ Reviewed various physical and electronic means by which Southern Power could access or receive non-public market information from the other Southern Operating Companies to ensure they did not violate the Separation Protocol. The various means inspected included: employee e-mails and voice recordings; access to shared drives and databases containing non-public market information; electronic card key access permissions at facilities containing non-public market information; records of joint meetings between Southern Power and other Southern Operating Companies; and visitor sign-in logs at facilities containing non-public market information. Further, audit staff conducted interviews with employees who conduct separated functions for Southern Power and interviews with employees performing pool operations and trading as a secondary level of testing.

○ Reviewed the training program Southern Company developed to educate employees affected by the Separation Protocol to assess its adequacy and completeness. Audit staff also interviewed compliance officers involved with providing training and employees receiving training to assess their knowledge and understanding of the Separation Protocol. As part of this testing, audit staff reviewed the processes in place for detecting and investigating potential violations of the Separation Protocol, and procedures for posting actual violations of the Separation Protocol on OASIS.

○ Reviewed the allocation methodologies and pricing for non-power goods and services provided and purchased amongst Southern Company Services, Inc., Southern Power, and the other Southern Operating Companies, to determine whether such allocation methodologies and pricing were consistent with the Separation Protocol and did not result in subsidization. Audit staff reviewed all service agreements in effect that provide for non-power goods and services to identify the types of non-power goods and services provided and purchased amongst Southern Company Services, Inc. and the Southern Operating Companies, and the pricing for such non-power goods and services. Audit staff also reviewed the methods used to allocate cost amongst the Southern Operating Companies.

○ Wholesale Sales—Audit staff conducted several tests to evaluate the Southern Operating Companies' compliance with the conditions imposed by the Commission and remaining opportunities for affiliate abuse relating to wholesale sales, including the IIC provisions for: reserve sharing and generation expansion plans; sales between the Southern Operating Companies; and wholesale sales to third parties. Specifically, audit staff:

○ Conducted group discussions and interviews with operational, trading, and shared employees to obtain an in-depth knowledge and understanding of the provisions of the IIC and the operation of Southern Company's integrated system. Further, audit staff reviewed business practices and procedures, observed operational and trading activities, and reviewed transactional and other business data to determine how to apply these provisions for testing compliance.Start Printed Page 77672

○ Reviewed Southern Company's annual IIC informational filing, conducted employee interviews, and analyzed data to determine how the Southern Operating Companies derived recognized capacity for the reserve sharing calculation. As part of the data analysis, audit staff reviewed expansion plans to verify Southern Power did not automatically include new capacity resources in the reserve sharing calculation as recognized capacity that was not part of the coordinated planning process. Further, audit staff analyzed reserve sharing calculations and billings to verify the payments to and receipts from the Southern Operating Companies for reserve sharing were in accordance with the provisions of the IIC.

○ Analyzed transactions, billings, and other documents to validate the payments to and receipts from the pool for interchange energy and opportunity interchange energy were in accordance with the provisions of the IIC. Audit staff reviewed pool interchange energy sale transactions between the Southern Operating Companies to validate the charges were based upon the variable costs of the generating resource supplying the interchange energy. Audit staff also reviewed pool opportunity interchange energy sales transactions to verify the Southern Operating Companies received revenues based upon approved peak period load ratios and paid costs based upon the variable dispatch costs.

○ Reviewed regulatory filings to determine whether the Commission approved any sales between the Southern Operating Companies outside the pool operating window for the periods of less than one year and greater than one year. Audit staff also analyzed transactional data and conducted employee interviews to independently assess whether any sales between the Southern Operating Companies occurred outside the pool operating window without prior Commission approval.

○ Analyzed transactional data and other supporting documents to verify Southern Power made all of its wholesale sales outside the pool operating window using its own generating capacity. Audit staff also interviewed Southern Operating Companies' employees to assess the adequacy of procedures and controls in place for ensuring all of Southern Power's wholesale sales occur outside the pool operating window and that Southern Power has available capacity from its own generating resources to support these wholesale sales.

○ Reviewed the Southern Operating Companies' coordinated planning process to verify Southern Power independently developed its generation expansion plans and did not participate in reviewing and recommending the generation expansion plans of the other Southern Operating Companies. Further, audit staff reviewed e-mails and interviewed the Southern Power Senior Production Officer on the Operating Committee to ensure Southern Power did not receive non-public market information from other Operating Committee members.

○ Transmission—Audit staff conducted several tests to evaluate the Southern Operating Companies' compliance with the conditions imposed by the Commission and remaining opportunities for affiliate abuse relating to the Southern Operating Companies' access to non-public transmission information and Southern Power's adherence to the terms and conditions of the OATT and treatment as an Energy Affiliate under the Standards of Conduct. Specifically, audit staff:

○ Conducted interviews with Southern Company transmission function managers and employees to understand the physical aspects and operations of Southern Company's electric transmission system.

○ Reviewed corporate organizational charts and employee job descriptions to assess the functional separation of Southern Power and other marketing functions from the transmission function.

○ Reviewed all transmission services provided to each of the Southern Operating Companies by Southern Company's transmission function and then analyzed transmission service agreements, reservations, schedules, and billing statements to validate that Southern Power adhered to the terms and conditions of the OATT.

○ Reviewed various physical and electronic means for Southern Power and other employees performing marketing activities to access or receive non-public transmission information to ensure that they did not violate the Commission's Standards of Conduct regulations in effect during the audit period. The various means inspected included: employee e-mails and voice recordings; marketing employees' access to shared drives and transmission databases; transmission facilities' electronic card key access permissions; records of joint meetings between transmission and marketing function employees; and records for visitor sign-in logs at the operating control center. Audit staff also conducted interviews with personnel who work in separated functions for Southern Power and interviews with employees performing pool operations and trading as a secondary level of testing.

○ Reviewed OASIS to determine whether the Southern Operating Companies made required postings in accordance with the Standards of Conduct as in effect at the time.

○ GSS Tariff—Audit staff conducted testing to evaluate the Southern Operating Companies' compliance with the conditions imposed by the Commission and remaining opportunities for affiliate abuse relating to similarly-situated merchant generators' access to back-up power. Audit staff reviewed all filings made by Southern Company Services, Inc. to validate that Southern Company complied with the Commission's order to file a GSS tariff that offered all similarly-situated merchant generators access to back-up power. Audit staff issued data requests and conducted interviews to assess the internal processes and procedures related to the administration of the GSS tariff. Audit staff also used these data requests and interviews to verify whether any scheduling entity requested service under the GSS tariff, and to determine whether any scheduling entity was improperly denied service under the GSS tariff.

III. Findings and Recommendations

1. Electronic Separation

Although Southern Company implemented electronic controls to prevent Southern Power employees from accessing non-public market information, audit staff detected gaps that could have potentially provided Southern Power employees with access to non-public market information. Specifically, as part of our audit testing, a Southern Power employee was able to breach Southern Company's network access protections through a non-Southern Power computer workstation and the wireless network.

Additionally, Southern Company did not have adequate procedures in place to review: (1) Personal network drives that may contain non-public market information when employees transferred jobs and (2) files transferred to shared network drives by non-Southern Power employees for non-public market information.

Pertinent Guidance

The Commission's Settlement Order required the Southern Operating Companies to “adopt a clear separation of functions, including restrictions on Start Printed Page 77673information sharing,” for transactions benefitting Southern Power's shareholders. The Settlement Order also required Southern to make clear that Southern Power is to be treated as an Energy Affiliate under the Standards of Conduct and therefore cannot receive any nonpublic transmission information.^[36] In response to implementing these modifications, Southern Company included language in its Separation Protocol to protect against the electronic sharing of non-public market information. Specifically, the Separation Protocol applicable to Southern Power states in paragraph no. 4:

Prohibited information will be electronically protected from employees conducting the separated functions of Southern Power through restricted access to any shared drive that includes such information. Access to these shared drives by employees conducting the separated functions of Southern Power will require pre-approval under an authorization process administered by the Southern Company Generation Compliance Officer.

Background

Southern Company conducted a comprehensive review of its computer network environment, business software applications and databases, intranet Web sites, and other computer related systems to ensure it had adequate controls in place to restrict Southern Power employees from having electronic access to non-public market information. Southern Company implemented a segmented network as its overarching control to comply with the electronic separation and information sharing requirements set forth in the Commission's Settlement Order. The segmented network allows Southern Power to co-exist on the same information technology infrastructure as the rest of Southern Company, yet at the same time is designed to preclude Southern Power from electronically accessing non-public market information. The implementation of the segmented network and other computer infrastructure related changes required extensive employee hours and cost approximately $1.3 million.

The compliance measures taken by Southern Company required re-engineering of its existing computer infrastructure with the implementation of a segmented network. Audit staff's review of the segmented network determined that it is an effective first line of defense in electronically protecting Southern Power employees' access to non-public market information. However, audit staff's testing of Southern Company's electronic separation control environment for the segmented network detected some minor weaknesses that could have potentially provided Southern Power employee's access to non-public market information through personal employee computers workstations and the wireless network had they been left unresolved.

Further, Southern Company did not have adequate procedures in place to review for non-public market information: (1) personal network drives when employees transferred jobs and (2) files transferred to shared network drives by non-Southern Power employees.

Segmented Network

The segmented network was achieved by installing dedicated computer infrastructure, such as dedicated servers, switches and firewalls, and by implementing automated rules with Microsoft's Active Directory and Group Policy within the infrastructure to electronically separate Southern Power from the remainder of Southern Company and to control access to non-public market information. Southern Company's segmented network is an effective first line of defense in electronically protecting non-public market information from Southern Power employees.

The segmented network is ultimately controlled through Microsoft's Active Directory and relies on an internally designed set of scripts to ensure that Southern Power employees cannot access non-public market information. The scripts, known as the Validator program, ensure that three conditions are met before allowing Southern Power employees electronic access: the employee must be a member of the restricted user group, the workstation must be a member of the restricted workstation group, and the location must be a restricted site. If any of these three conditions is not met, the Validator program should shut down the workstation for Southern Power employees.

Audit staff conducted testing at non-Southern Power computer workstations to determine whether the segmented network controls adequately blocked Southern Power employees' access to restricted areas containing non-public market information. One test confirmed that the segmented network successfully blocked a Southern Power employee from gaining access to the protected segmented network using a non-Southern Power computer workstation located in an employee's office. However, the other test detected that the segmented network could be breached by a Southern Power employee through the use of a non-Southern Power computer workstation located in a non-Southern Power conference room. In comparing the two different outcomes, Southern Company explained that the Southern Power employee successfully logged onto the conference room computer workstation because it resided on the SOCOGEN network.

Upon discovery, Southern Company took immediate action to resolve the conference room workstation breach. Southern Company explained that most of the workstations on the SOCOGEN network are in secure areas to which Southern Power employees do not have access privileges. Therefore, Southern Company believed it was not necessary to implement the “deny access” log-on controls applied to Southern Power employees on the SOCOGEN network. Rather than applying the “deny access” log-on controls to these conference room workstations, Southern Company addressed this breach by applying the log-on restrictions across the entire SOCOGEN network, in case there were additional SOCOGEN workstations in non-secure areas of the building. Had this problem been left uncorrected, this breach could have potentially provided a Southern Power employee access to non-public market information.

Wireless Network

Southern Company implemented a separate wireless network for Southern Power in order to restrict access to non-public market information. Southern Power employees should be capable of accessing only the Southern Power wireless network, placing them behind Southern Power's dedicated firewalls and subjecting them to all of the rules applied to a Southern Power workstation connected to the network through wired access. Southern Company's other employees can connect to the “Office wireless network.” Southern Power employees should not be able to connect to the Office wireless network.

Audit staff's testing of the wireless network from a Southern Power laptop computer revealed that the employee using a Southern Power restricted workstation was able to connect to the Office wireless network. Essentially, by successfully connecting to Southern Company's Office wireless network, a Southern Power employee was able to bypass the segmented network. This connection potentially allowed the Southern Power employee access to non-public market information. According to Southern Company, some users had Active Directory permission Start Printed Page 77674inadvertently enabled on their laptop computers for remote access. This permission superseded the Active Directory “deny access” configuration applied to all Southern Power users for the Office wireless network. To correct this issue, Southern Company modified the configuration to ignore this Active Directory property for remote access, removing the conflict in permissions. Audit staff's re-testing of the wireless network demonstrated that the system did not allow the Southern Power employee connection.

Employee Computer Workstations

Audit staff conducted testing of Southern Power employee computer workstations to determine whether they could access non-public market information through personal network drives, shared network drives, and applications and databases. Audit staff's testing did not detect any evidence that Southern Power employees accessed or received non-public market information through its personal computer workstations. However, audit staff observed that Southern Company had some procedural weaknesses related to personal network drives, shared drives, and computer applications and databases that could potentially provide Southern Power the opportunity to access non-public market information.

During interviews, audit staff learned that each employee has a personal network drive and if an employee transfers from one area of Southern Company to another, such as from the Transmission function into Southern Power, the employee's personal network drive is transferred with the employee. However, Southern Company did not have a policy in place to review the contents of the transferred employees' personal network drive for non-public market information. Audit staff also learned that the network server access restrictions are one-directional (i.e. Southern Power to the other Southern Operating Companies). As a result, a non-Southern Power employee with write access to a shared network drive could transfer files containing non-public market information to the network drive it shares with Southern Power. Southern Company also did not have a policy in place to review shared network drives for non-public market information. Currently, the Separation Protocol and Standards of Conduct training programs are the only control mechanisms in place to prevent Southern Power access to non-public market information through personal and shared network drives.

To prevent the type of breaches audit staff detected during its examination of the segmented network and wireless network, Southern Company should implement multiple strategies to electronically restrict Southern Power employees' access to non-public market information. For example, Southern Company should implement procedures to ensure Southern Power employees are electronically restricted from obtaining non-public market information through access rights to shared network drives. Further, Southern Company should develop procedures to review and remove non-public market information from personal network drives for employees who transfer to Southern Power from another area of the company.

Recommendations

We recommend Southern Company:

1. Create procedures for reviewing files posted to Southern Power shared drives by non-Southern Power employees for non-public market information. Additionally, create procedures for reviewing the personal network drives of all employees who transfer into Southern Power for non-public market information. For each review, remove all files that contain non-public market information from the personal network drive of the transferred employee.

2. Perform periodic reviews to ensure that Southern Power employees do not have access rights to shared network drives containing non-public market information. Additionally, these periodic reviews should include testing of the segmented network to determine whether Southern Power employees can bypass the segmented network and potentially access non-public market information.

3. Add the SPC designator to Southern Power employee names in Cool Compliance, as is already done in the Global Address List for e-mails, to spotlight a Southern Power employee having access rights granted in Cool Compliance.

Corrective Action Taken

On November 14, 2008, Southern Company implemented new procedures governing the monitoring and review of shared drives and personnel network drives. For shared drives the new procedures require any non-Southern Power employee who posts material to a Southern Power shared folder to send an e-mail notifying the Southern Power employee of the posting content. For personnel network drives the new procedures requires a Southern Power business manager and transferred employee to review and remove any documents containing non-public market information from the personnel network drive and to a complete and submit a transfer checklist to a compliance officer for review.

Southern Company also implemented new procedures that require a semi-annual review of approved access lists and content of Southern Power shared drives by a generation compliance officer. Further, the new procedures also require periodic testing of the segmented network to verify the integrity of the preventive controls and to confirm that Southern Power employees do not have access to network drives that contain non-public market information.

On November 10, 2008, Southern Company informed audit staff that it will begin identifying and labeling all Southern Power employees in Cool Compliance to help prevent inadvertent disclosure of non-public market information. However, Southern Company did not provide an the implementation date for this new procedure.

Employee Separation

Audit staff observed a shared employee performing transmission activities that support the long-term wholesale energy transactions of Southern Power, while at the same time performing transmission and energy trading activities that support the short-term wholesale energy transaction made by the pool on behalf of the Southern Operating Companies. Audit staff believes that Southern Company should dedicate separate employees to perform the transmission activities supporting Southern Power's long-term wholesale energy transactions and the transmission activities supporting the short-term wholesale energy transactions made for the pool on behalf of the Southern Operating Companies to prevent the potential for any undue preference.

Pertinent Guidance

The Settlement Order clarified that where a competitive affiliate enters into transactions for its own benefit, it must separate its functions from those of its regulated affiliates.^[37] This separation of functions obligation includes, in part, a requirement to maintain separate staffs to perform the sales functions and a restriction on the sharing of any non-public market information. These protections ensure that the parent corporation cannot favor sales by the Start Printed Page 77675competitive affiliate over those of the regulated affiliates.

Moreover, the Commission's Acceptance Order further clarified that the Southern Operating Companies must adopt a clear separation of functions, including restrictions on information sharing, and a separation of personnel, for any function that is undertaken for the benefit of Southern Power's shareholders (i.e. any function except joint economic dispatch and reserve sharing under the IIC).^[38]

To implement these modifications, Southern Company Services, Inc., included specific language in its Separation Protocol regarding the functional separation of Southern Power employees from the other Southern Operating Companies. Specifically, the Southern Company Services, Inc., Separation Protocol approved by the Commission applicable to Southern Power, Items No. 1 and 2, states:

The wholesale activities of Southern Power carried on for the sole benefit of Southern Power are to be functionally separated from the other Southern Operating Companies. These activities (collectively referred to as separated functions) consist of any function undertaken for the benefit of Southern Power's shareholders.

Personnel who conduct separated functions for Southern Power may be employees of Southern Power or they may be employees of a service company or other affiliated company. To the extent the service company or other affiliated company employees conduct these separated functions, such employees must be dedicated exclusively to Southern Power and all associated costs (direct and indirect) must be borne by Southern Power or its shareholders.

Background

The Southern Operating Companies did not solely dedicate a shared employee performing transmission activities that support the long-term wholesale energy transactions of Southern Power and a different employee to support the short-term wholesale energy transactions made by the pool on behalf of the Southern Operating Companies. Southern Power relies on a shared employee to procure transmission service (e.g., negotiate transmission service agreements and reserve transmission service) that supports its long-term wholesale energy transactions made outside the pool operating window. This same shared employee is responsible for performing energy trading and the transmission activities for the pool on behalf of the Southern Operating Companies for short-term wholesale energy transactions made under the IIC.

During the audit period, audit staff did not identify any occurrences where Southern Power received an undue preference. However, absent having an employee solely dedicated to Southern Power for performing transmission activities, there is a potential risk for Southern Power to receive an undue preference due to this shared employee's co-existing duties as a term energy trader for the pool and associated transmission responsibilities performed on behalf of the pool and Southern Power. Audit staff believes that the Commission's Settlement and Acceptance Orders and the Southern Company Services, Inc., Separation Protocol require further separation of the transmission activities performed by this shared employee by solely dedicating this person or another employee to Southern Power.

Audit staff's review of transmission service agreements between Southern Power and Southern Company's transmission function acknowledged the shared employee signed transmission service agreements on behalf of Southern Power. In addition to transmission service agreements, audit staff obtained transactional data from OASIS showing that the same shared employee made transmission service reservations to support Southern Power's wholesale energy transactions and the wholesale energy transactions made by the pool on behalf of the Southern Operating Companies. Further, audit staff reviewed the job description of this shared employee and interviewed the shared employee to confirm his job responsibilities included: (1) Optimizing daily and long-term point-to-point (PTP) transmission positions on behalf of the Southern Operating Companies including purchasing, reselling, and/or redirecting transmission through OASIS; (2) querying OASIS to determine available transfer capability on all Southern Company interfaces; (3) requesting long-term PTP transmission for the Southern Operating Companies (through OASIS); (4) executing transmission service agreements; and (5) conducting term energy trading on behalf of the pool.

Southern Company explained that when Southern Power needs long-term (i.e., one month or greater) transmission service as the result of its entry into a wholesale energy purchase or sale contract, Southern Power notifies this shared employee of that transmission need. The shared employee then pursues available long-term transmission that meets Southern Power's needs through queries on Southern Company's or a non-affiliated Transmission Provider's OASIS and through inquiries to potential counterparties. When such transmission is found, a transmission service agreement is executed on behalf of Southern Power and provided to it. This same shared employee, within the nearer-term operational window as provided by the IIC, procures transmission service for the Southern Operating Companies to support any short-term wholesale energy transactions made on behalf of the pool. This process applies to transmission procured from Southern Company's transmission function as well as from non-affiliated Transmission Providers.

Southern Company stated that it uses this shared employee to perform the transmission activities for Southern Power and the pool on behalf of the Southern Operating Companies because of the integrated operating nature of the pool. Further, Southern Company stated that the pool seeks to optimize all of the Southern Operating Companies' resources related to unit commitment and joint economic dispatch, including generation, purchased power, transmission and fuel arrangements (e.g., natural gas supply, transportation and storage). Audit staff agrees that the pool must operate on an integrated basis and that all reserved transmission capacity should be obtained by the pool in accordance with the terms and conditions of the OATT. However, as required by the Commission's Settlement and Acceptance Orders and the Southern Company Services, Inc. Separation Protocol, the procurement of transmission service supporting Southern Power's long term wholesale energy transactions should not be a pool responsibility performed by a shared employee, but rather a responsibility performed by an employee solely dedicated to Southern Power.

Audit staff is concerned that there is a potential risk for Southern Power to receive an undue preference if this shared employee continues to have co-existing duties as an energy trader for the pool, along with the transmission responsibilities associated to the wholesale energy transactions conducted on behalf of the pool and Southern Power.

Recommendation

We recommend Southern Company:

4. Dedicate employees performing transmission activities that support Southern Power's long-term wholesale energy transactions solely to Southern Power.

Corrective Action Taken

On November 7, 2008, Southern Company informed audit staff that it Start Printed Page 77676transferred the responsibilities associated with the procurement of transmission service for Southern Power's long-term wholesale energy transactions to Southern Power.

Posting of Separation Protocol Violations on OASIS

Southern Company did not immediately post, date, and time stamp the postings it made to OASIS in accordance with the Commission's Standards of Conduct requirements in effect during the audit period.

Pertinent Guidance

Pursuant to the Separation Protocol paragraph 6, the Southern Operating Companies are required to post any violation of the Separation Protocol on OASIS in a manner consistent with the process under the Standards of Conduct.^[39] The Standards of Conduct require the Transmission Provider to post immediately information that an employee of the Transmission Provider discloses in a manner contrary to the requirements of § 358.5(b)(1) on its OASIS or Internet Web site.^[40] The requirement of 18 CFR 358.5(b)(1) (2008) states:

An employee of the Transmission Provider may not disclose to its Marketing or Energy Affiliates any information concerning the transmission system of the Transmission Provider or the transmission system of another * * * through non-public communications conducted off the OASIS or Internet Web site, through access to information not posted on the OASIS or Internet Web site that is not contemporaneously available to the public, or though information on the OASIS or Internet Web site that is not at the same time publicly available.

The Commission's Standards of Conduct regulations also require all OASIS database transactions, except other transmission-related communications provided for under 18 CFR 37.6(g)(2)(2008), must be stored, dated, and time stamped.^[41] Further, the Commission explained, in 18 CFR 37.6(g)(1)(2008), that other transmission-related communications may include “want ads” or “other communications” such as using the OASIS as a transmission-related conference space or making transmission-related messaging services between OASIS users.

Background

On November 19, 2007, the Separation Protocol applicable to Southern Power became effective and in part required the Southern Operating Companies to post any violation of the Separation Protocol on OASIS in a manner consistent with the Commission's Standards of Conduct requirements. In accordance with this requirement, Southern Company has made fourteen postings covering violations of the Separation Protocol on its OASIS between November 19, 2007 and August 31, 2008. However, Southern Company did not immediately post, date and time stamp the postings it made to OASIS. The fourteen violations included the following:

• Eleven e-mails containing non-public market information that were electronically sent to Southern Power employees from employees of the other Southern Operating Companies. The non-public market information included in these e-mails pertained to non-Southern Power plant outages, unit status, plant damage, plant equipment issues, and plant performance. Some of the non-public market information shared also pertained to system load data and financial information such as mark-to-market accounting and budgets. The Compliance Officer's investigation of these violations determined that Southern Power employees viewed non-public market information in seven of the eleven e-mails received. One of the violations involved the distribution of the same non-public market information sent to Southern Power employees in a previous e-mail. The other three e-mails contained non-public market information which was received, but not viewed by, Southern Power employees. Most of the violations occurred from having outdated e-mail distribution lists that contained Southern Power employees and from reports received by Southern Power employees, where the senders did not realize the contents included non-public market information.
• One involved a Southern Power employee who obtained access to the power pool trading floor, which is a physically restricted access area. The review performed by a compliance official determined that the Southern Power employee did not view or review any non-public market information.
• One violation involved a meeting where employees from Southern Power and the other Southern Operating Companies were present. During this meeting, non-public market information pertaining to a plant outage with a third party that sold the output of the plant to Georgia Power Company was shared with Southern Power. A compliance official informed the Southern Operating employee that they should not do this going forward when meeting with Southern Power employees.
• One involved computer access to an application containing load forecast data of Georgia Power Company. The initial Separation Protocol review did not detect any problems with this application; however, a modification to the application was made subsequent to this review which granted Southern Power employees access to non-public market information. A compliance official interviewed each employee with access to the load forecast data and determined that none of these employees accessed or viewed this information. Southern Company resolved this problem by removing the Southern Power employee's access to non-public information of Georgia Power Company.

Audit staff requested copies of documents related to all potential and actual Separation Protocol violations that were investigated since November 19, 2007. Audit staff's review of these reports determined Southern Company posted many of the Separation Protocol violations days or weeks after the Southern Power employee received access to the non-public market information. For example, Southern Company posted one incident over one full month following the receipt of the non-public market information by a Southern Power employee. Moreover, audit staff determined that Southern Company identified the date of occurrence, but did not date or time stamp any of the Separation Protocol violations it posted on OASIS. As a result, non-affiliated transmission customers could not determine whether Southern Company posted the Separation Protocol violations immediately, as required by the Standards of Conduct.

The Standards of Conduct require Southern Company to immediately post information that an employee of the Transmission Provider discloses in a manner contrary to the requirements of § 358.5(b)(1) on the OASIS.^[42] Further, all OASIS database transactions, except other transmission-related communications provided for under 18 CFR 37.6(g)(2)(2008), must be stored, dated, and time stamped.^[43] Accordingly, Southern Company should immediately post all non-public market information that a Southern Power employee receives and include a date and time stamp in accordance with the Standards of Conduct.^[44]

Recommendations

We recommend Southern Company:

5. Post all violations of the Separation Protocol immediately in accordance with 18 CFR 358.5(b)(3). In addition to the date the violation occurred, Southern Company should include on each document the date and time Southern Company posted the violation to OASIS in accordance with 18 CFR 37.6(g)(2).

6. Strengthen procedures and controls for maintaining e-mail distribution lists and providing reports to Southern Power that may contain non-public market information. Incorporate these procedures and other pertinent procedural enhancements in the Separation Protocol compliance training program to achieve a reduction in the number of future violations.

Corrective Action Taken

On November 14, 2008, Southern Company revised its Separation Protocol Violations Investigative Procedure to reflect that upon determining an actual violation has occurred, the incident must immediately be posted on OASIS. Further, Southern Company implemented a procedural change to include a date and time stamp for each document posted on OASIS relating to the violation.

Southern Company also implemented new procedures requiring employees to maintain and periodically review their e-mail distribution lists to verify employee memberships. Further, Southern Company revised its Separation Protocol training to provide additional and more detailed guidance with regard to electronic communications with Southern Power employees and, the development and maintenance of e-mail distribution lists. The revised training will be conducted online, with an anticipated completion deadline of December 31, 2008.

V. Southern Companies' Comments on the Draft Audit Report

FERC Docket No. PA08-6-000

Southern Company Services, Inc., acting as agent for Alabama Power Company, Georgia Power Company, Gulf Power Company, Mississippi Power Company, and Southern Power Company (collectively, “Southern Companies”), submits the following comments on the Draft Audit Report provided by the Division of Audits on November 4, 2008.

In this submission, Southern Companies have purposefully sought to focus their comments on more substantive matters, and thus have not undertaken to address each and every aspect with which they disagree. In like manner, Southern Companies saw no need to set forth the substantive reasons for their disagreement with any recommendations that they have nonetheless agreed to implement. Accordingly, the absence of comment directed to a given statement, assertion, representation, or conclusion in the Draft Audit Report should not be interpreted as their agreement or tacit admission as to accuracy or completeness thereof.

1. Electronic Separation

Recommendation No. 1: Create procedures for reviewing files posted to Southern Power shared drives by non-Southern Power employees for non-public market information. Additionally, create procedures for reviewing the personal network drives of all employees who transfer into Southern Power for non-public market information. For each review, remove all files that contain non-public market information from the personal network drive of the transferred employee.

Southern Companies' Comments on Recommendation No. 1:

Effective November 14, 2008, Southern Companies have implemented the “Separation Protocol Policy to Govern Monitoring of the Southern Power Shared Folders,” which is a new policy regarding information posted to Southern Power Company (“Southern Power”) shared folders by non-Southern Power employees. This new procedure includes periodic reviews of approved access lists and content. The procedure also includes a requirement that any non-Southern Power employee who posts material to a Southern Power shared folder will notify the owner of such folder by e-mail of the posting. Southern Companies have submitted this policy to Audit Staff for review.

Effective November 14, 2008, Southern Companies have implemented the “Separation Protocol Policy to Govern Employee Transfers to Southern Power Company,” which is a new policy that addresses the personal network drives of employees who transfer into Southern Power. This policy will insure that these employees do not retain any documents (hard copy or electronic) containing Prohibited Information. Southern Companies have submitted this policy to Audit Staff for review.

Recommendation No. 2: Perform periodic reviews to ensure that Southern Power employees do not have access rights to shared network drives containing non-public market information. Additionally, these periodic reviews should include testing of the segmented network to determine whether Southern Power employees can bypass the segmented network and potentially access non-public market information.

Southern Companies' Comments on Recommendation No. 2:

Effective November 14, 2008, Southern Companies have implemented the “Separation Protocol Policy to Govern Monitoring of the Segmented Network,” which is a new policy that requires periodic testing of the segmented network to verify the integrity of the preventive controls and to confirm that Southern Power employees do not have access to network drives that contain Prohibited Information. Southern Companies have submitted this policy to Audit Staff for review.

Recommendation No. 3: Add the SPC designator to Southern Power employee names in Cool Compliance, as is already done in the Global Address List for e-mails, to spotlight a Southern Power employee having access rights granted in Cool Compliance.

Southern Companies' Comments on Recommendation No. 3:

The designator “(SPC)” will be added to Southern Power employee names in Cool Compliance. Southern Companies have submitted evidence of this implementation to Audit Staff.

2. Employee Separation

Recommendation No. 4: Dedicate employees performing transmission activities that support Southern Power's long-term wholesale energy transactions solely to Southern Power.

Southern Companies' Comments on Recommendation No. 4:

Southern Companies disagree with the findings in this section of the Draft Audit Report and the related recommendation. However, in order to resolve this issue, the procurement of long-term transmission service associated with the long-term wholesale energy transactions of Southern Power has been moved to Southern. Accordingly, all long-term transmission service requests associated with Southern Power's long-term energy transactions will be made on OASIS by Southern Power employees.

3. Posting of Separation Protocol Violations on OASIS

Recommendation No. 5: Post all violations of the Separation Protocol immediately in accordance with 18 CFR Start Printed Page 77678358.5(b)(3). In addition to the date the violation occurred, Southern Company should include on each document the date and time Southern Company posted the violation to OASIS in accordance with 18 CFR 37.6(g)(2).

Southern Companies' Comments on Recommendation No. 5:

Southern Companies have revised their “Separation Protocol Violations Investigative Procedure” to state that when “it is determined that an actual violation has occurred, the incident must be posted on OASIS immediately.” Southern Companies have submitted the revised protocol to Audit Staff for review.

Southern Companies have implemented the changes necessary so that the date and time a violation is posted on OASIS will be included for each posting.

Recommendation No. 6: Strengthen procedures and controls for maintaining e-mail distribution lists and providing reports to Southern Power that may contain non-public market information. Incorporate these procedures and other pertinent procedural enhancements in the Separation Protocol compliance training program to achieve a reduction in the number of future violations.

Southern Companies' Comments on Recommendation No. 6:

Effective November 14, 2008, Southern Companies have implemented the revised “Fleet Operations and Trading Floor Information, Physical Access and Visitor's Policy,” which revision requires employees to maintain their e-mail distribution lists and to periodically review such lists to verify employee memberships. Southern Companies have also revised the Separation Protocol training to provide additional and more detailed guidance with regard to electronic communications with Southern Power employees and, the development and maintenance of e-mail distribution lists. This revised training will be conducted online, with an anticipated completion deadline of December 31, 2008. In addition, Southern Companies will continue to conduct individual training and counseling for employees that are involved in Separation Protocol investigations. Southern Companies have submitted the revised policy and applicable portions of the revised training materials to Audit Staff for review.

Footnotes