
[Federal Register: December 19, 2008 (Volume 73, Number 245)]
[Notices]               
[Page 77665-77678]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr19de08-72]                         


[[Page 77665]]

-----------------------------------------------------------------------

DEPARTMENT OF ENERGY

Federal Energy Regulatory Commission

[Docket Nos. PA08-6-000; EL05-102-000; EL05-104-000; ER03-713-000]

 
Southern Company Services Inc., Alabama Power Company, Georgia 
Power Company, Gulf Power Company, Mississippi Power Company, Southern 
Power Company; Notice of Audit Report Issuance and Invitation To 
Comment

December 12, 2008.
    On October 5, 2006, the Commission issued an Order on Settlement 
(Settlement Order) accepting in part and rejecting in part an Offer of 
Settlement (Settlement Offer) submitted by the settling parties \1\ in 
Docket No. EL05-102-000, et al.\2\ The Settlement Order required 
numerous modifications to the Settlement Offer intended to provide 
immediate benefits to consumers and competitors that operate in the 
Southern region.
---------------------------------------------------------------------------

    \1\ Southern Company Services, Inc. (acting for itself and as 
agent for Alabama Power Company, Georgia Power Company, Gulf Power 
Company, Mississippi Power Company, Savannah Electric and Power 
Company, and Southern Power Company, collectively Southern Company), 
Calpine Corporation, Coral Power, LLC, and the Board of Water, Light 
and Sinking Fund Commissioners of the City of Dalton (collectively 
the settling parties).
    \2\ Southern Company Services, Inc., 117 FERC ¶ 61,021 (2006).
---------------------------------------------------------------------------

    The Settlement Order also directed the Office of Enforcement to 
conduct an audit of the Southern Operating Companies (Alabama Power 
Company, Georgia Power Company, Gulf Power Company, Mississippi Power 
Company, and Southern Power Company (Southern Power)) to: (1) ensure 
that the Southern Operating Companies are fully complying with all the 
conditions set forth in the Settlement Order, and (2) determine whether 
the conditions imposed there were sufficient to address any remaining 
opportunities for affiliate abuse under the Intercompany Interchange 
Contract (IIC) related to Southern Power.\3\
---------------------------------------------------------------------------

    \3\ Settlement Order at P 60.
---------------------------------------------------------------------------

    In the Settlement Order, the Commission advised that it will notice 
the audit report for comment and, after considering the comments on it, 
determine what, if any, further action is appropriate.\4\ The 
Commission added that if affiliate abuse concerns remain, it would 
either set such concerns for hearing or require further changes 
immediately.\5\ The Office of Enforcement has recently completed its 
audit report. A copy of the report is attached to this Notice.
---------------------------------------------------------------------------

    \4\ Id.
    \5\ Id.
---------------------------------------------------------------------------

    All interested persons desiring to comment on what, if any, further 
action is appropriate on the matters addressed by the audit report, 
including the IIC and remaining opportunities for affiliate abuse, may 
file written comments on or before January 12, 2009. After reviewing 
these comments, the Commission will determine whether further action is 
appropriate.
    The Commission encourages electronic submission of comments in lieu 
of paper using the ``eFiling'' link at http://www.ferc.gov. Persons 
unable to file electronically should submit an original and 14 copies 
of the comments to the Federal Energy Regulatory Commission, 888 First 
Street, NE., Washington, DC 20426.
    Comment Date: 5 pm Eastern Time on January 12, 2009.

Kimberly D. Bose,
Secretary.

Federal Energy Regulatory Commission

Audit Report of Southern Company's Compliance with the Conditions 
Imposed by the Commission in Docket No. EL05-102-000, et al., and 
Remaining Opportunities for Affiliate Abuse related to Southern Power 
under the Intercompany Interchange Contract

Docket No. PA08-06-000

December 12, 2008.

Office of Enforcement

Division of Audits

Table of Contents

I. Executive Summary
    A. Overview
    B. Southern Company
    C. Summary of Commission Proceedings in Docket No. EL05-102 et 
al.
    D. Summary of Compliance Findings
    E. Summary of Recommendations and Corrective Actions Taken
II. Southern Company's Compliance With Commission Orders
III. Introduction
    A. Objectives
    B. Scope and Methodology
IV. Findings and Recommendations
    1. Electronic Separation
    2. Employee Separation
    3. Posting of Separation Protocol Violations on OASIS
V. Southern Companies Response on the Draft Audit Report--Appendix A

I. Executive Summary

A. Overview

    On October 5, 2006, the Commission issued an Order on Settlement 
(Settlement Order) accepting in part and rejecting in part an Offer of 
Settlement (Settlement Offer) submitted by the settling parties \6\ in 
Docket No. EL05-102-000, et al.\7\ The Settlement Order required 
numerous modifications intended to provide immediate benefits to 
consumers and competitors that operate in the Southern region. The 
Settlement Order also directed the Division of Audits (DA) within the 
Office of Enforcement (OE) to conduct an audit of the Southern 
Operating Companies (Alabama Power Company, Georgia Power Company, Gulf 
Power Company, Mississippi Power Company, and Southern Power Company 
(Southern Power)) to: (1) Ensure that the Southern Operating Companies 
are fully complying with all the conditions set forth in the order, and 
(2) determine whether the conditions imposed therein were sufficient to 
address any remaining opportunities for affiliate abuse under the 
Intercompany Interchange Contract (IIC) related to Southern Power.
---------------------------------------------------------------------------

    \6\ Southern Company Services, Inc. (acting for itself and as 
agent for Alabama Power Company, Georgia Power Company, Gulf Power 
Company, Mississippi Power Company, Savannah Electric and Power 
Company, and Southern Power Company, collectively Southern Company), 
Calpine Corporation, Coral Power, LLC, and the Board of Water, Light 
and Sinking Fund Commissioners of the City of Dalton (collectively 
the settling parties).
    \7\ Southern Company Services, Inc., 117 FERC ¶ 61,021 (2006).
---------------------------------------------------------------------------

    The Southern Operating Companies made a compliance filing on 
November 6, 2006, notifying the Commission that they had implemented 
the modifications required by the Settlement Order. The Southern 
Operating Companies also provided a projected implementation schedule 
reflecting the compliance efforts to date and a seven-month timeline to 
complete the remaining compliance milestones. The Commission accepted 
the compliance filing on April 19, 2007 (Acceptance Order), subject to 
further modifications to the IIC, Separation of Functions and 
Communications Protocol (Separation Protocol), and Generator Support 
Service Tariff (GSS Tariff).\8\ The Commission required the Southern 
Operating Companies to fully implement all the compliance efforts 
included in its implementation schedule within seven months from the 
issuance of the Acceptance Order. The Commission also directed OE to 
monitor the Southern Operating Companies' implementation progress and, 
once the implementation is complete, to commence its audit and finish 
the audit within 12 months. The Southern Operating Companies completed 
the implementation on November 16, 2007, and filed a Notice of 
Completion with the Commission. The Commission accepted the Southern Operating 
Companies' Notice of Completion on January 11, 2008.\9\ OE commenced 
the audit of the Southern Operating Companies on November 19, 2007.
---------------------------------------------------------------------------

    \8\ Southern Company Services, Inc., 119 FERC ¶ 61,065 (2007).
    \9\ Southern Company Services, Inc., Docket Nos. EL05-102-005 
and EL05-102-006 (January 11, 2008) (unpublished letter order).
---------------------------------------------------------------------------

    OE has completed its audit of the Southern Operating Companies. The 
audit examined whether the Southern Operating Companies are fully 
complying with the modifications the Commission set forth in the 
Settlement and Acceptance Orders and whether the conditions imposed 
therein are sufficient to address any remaining opportunities for 
affiliate abuse under the IIC related to Southern Power. The audit 
covered the period from November 19, 2007 through August 29, 2008.
    Audit staff concluded that the Southern Operating Companies 
properly implemented the modifications and generally complied with the 
conditions imposed by the Commission in the Settlement and Acceptance 
Orders. However, audit staff determined that Southern Company should 
implement additional corrective actions to prevent the potential for 
Southern Power employees to access non-public market information. 
Moreover, Southern Company should follow the Commission's and its 
company's policies for posting non-public market information on its 
Open Access Same-Time Information System (OASIS). OE's audit findings 
and recommendations are summarized below in sections D and E of this 
audit report (report), and discussed comprehensively in section IV of 
this report.
    Audit staff's conclusions are based on evidence obtained through 85 
employee interviews, four face-to-face meetings, weekly phone 
conferences, four site visits, facility inspections, extensive data 
inquiries and examinations, and review of approximately 7,000 e-mails 
and 2,800 voice recordings.

B. Southern Company

    Southern Company is an electric utility holding company and the 
parent company of the Southern Operating Companies, Southern Company 
Services, Inc., and other direct and indirect subsidiaries. The primary 
business of Southern Company is the supply and sale of electricity in 
the Southeast region of the United States. Southern Power, a wholesale 
energy provider, constructs, acquires, and manages generation assets in 
the wholesale market, where it sells electricity at market-based rates. 
Southern Power is the large wholesale energy provider in the Southeast, 
owning and operating more than 6,500 megawatts of generating assets. 
The other Southern Operating Companies are vertically integrated 
utilities that provide electric service in the states of Alabama, 
Georgia, Florida, and Mississippi.
    Southern Company Services, Inc. is a centralized service company 
which provides various services, at cost, to the Southern Operating 
Companies and its subsidiaries. For example, Southern Company Services, 
Inc. acts as agent to the Southern Operating Companies for 
administering and carrying out the operational activities under the IIC 
and for the sale of wholesale power at market-based rates. Southern 
Company Services, Inc. also acts as agent to the Southern Operating 
Companies for providing transmission service under Southern Company's 
OATT. Further, Southern Company Services, Inc. enters into gas purchase 
and sales agreements, and transportation and storage contracts, as 
agent on behalf of the Southern Operating Companies.
    The Southern Operating Companies function as an integrated public 
utility system through the joint commitment and economic dispatch of 
their generating resources to meet their collective load obligations. 
The integrated operation of their respective electric generating 
facilities and system operations (generally referred to as the pool) is 
governed by the IIC, which is a rate schedule on file with the 
Commission pursuant to the Federal Power Act.\10\ The IIC provides for 
the coordinated and integrated operation of the generating facilities 
and resources owned, contractually controlled, and operated by the 
Southern Operating Companies, as well as the pooling of surplus energy 
for short-term wholesale energy sale opportunities. In essence, the 
IIC: (1) Specifies the types of transactions involved in system 
operations; (2) provides for the sharing of the benefits and burdens 
associated with the operation of facilities that are used for the 
mutual benefit of the Southern Operating Companies; and (3) provides 
guidance for pool operations. Southern Company Services, Inc. operates 
the pool in accordance with the IIC using a centralized economic 
dispatch model to serve the obligations of the Southern Operating 
Companies with the lowest cost resources while at the same time 
reliably operating the interconnected system. Any energy generated in 
excess of these obligations becomes available to the pool for making 
short-term wholesale energy sales to third parties on behalf of the 
Southern Operating Companies. Southern Company Services, Inc. is 
responsible for billing the Southern Operating Companies for 
transactions and services under the IIC on a monthly basis.
---------------------------------------------------------------------------

    \10\ Second Revised Rate Schedule FERC Number 138.
---------------------------------------------------------------------------

    The Southern Operating Companies also make wholesale sales at 
market-based rates, pursuant to market-based rate tariffs, which 
include a code of conduct and a Separation Protocol. The code of 
conduct provides important protections concerning the business 
relationship amongst the Southern Operating Companies and marketing 
affiliates with market-based rate authority. The Separation Protocol 
places protections between Southern Power and the other Southern 
Operating Companies in the codes of conduct. Specifically, the 
Separation Protocol requires the functional separation of the wholesale 
activities that Southern Power carries out for the sole benefit of its 
shareholders from the activities of the other Southern Operating 
Companies. Further, the Separation Protocol allows Southern Power to 
use employees of Southern Company Services, Inc. or any other affiliate 
as long as those employees are dedicated exclusively to Southern Power. 
Southern Power is also permitted to use shared support employees as 
long as it does so consistent with the independent functioning 
requirements of the Standards of Conduct.\11\ In addition, the 
Separation Protocol contains other restrictions designed to protect 
against Southern Power's physical and electronic access to non-public 
market information, receiving preferential treatment with regard to the 
purchase or sale of transmission service or electric energy, and abuses 
related to the purchase or the sale of non-power goods and services.
---------------------------------------------------------------------------

    \11\ 18 CFR 358.4(a)(5)(2008).
---------------------------------------------------------------------------

C. Summary of Commission Proceedings in Docket No. EL05-102 et al.

    Southern Power is a wholly-owned subsidiary of Southern Company and 
affiliate of the other Southern Operating Companies. Southern Power is 
a competitive generation provider that does not have a franchised 
obligation to serve at retail. In this capacity, it raises several 
regulatory concerns, which were described by the Commission in the 
Settlement Order. As the Commission explained therein, when a 
competitive affiliate is a member of a power pool with its regulated 
operating company affiliates, an incentive exists for the regulated affiliates to 
subsidize the sales of the competitive affiliate to benefit their 
mutual shareholders.\12\ Second, when Southern Power sells power to 
other Southern Operating Companies, there is a concern that the 
competitive affiliate not be granted an undue preference.\13\ When the 
competitive affiliate sells to a regulated affiliate, the Commission's 
concern is that the price not be set too high.\14\ Conversely, when the 
regulated affiliate sells to a competitive affiliate, the Commission's 
principal concern is that the price not be set too low.\15\ When sales 
are made to third parties, the Commission's principal concern is that 
the regulated Southern Operating Companies continue to compete for such 
sales rather than favoring sales by Southern Power.\16\ Finally, the 
Commission expressed concerns that the integration of the companies 
created by the pool could lead to potential violations of the Standards 
of Conduct and hence the obligation to provide transmission service on 
a nondiscriminatory basis.\17\ Together, these concerns form the basis 
for the conditions and modifications the Commission imposed on Southern 
Company that are the subject of this audit.
---------------------------------------------------------------------------

    \12\ Settlement Order, 117 FERC ¶ 61,021 at P 31.
    \13\ Id. at P 38.
    \14\ Id.
    \15\ Id. at P 43.
    \16\ Id. at P 47.
    \17\ Id. at P 51.
---------------------------------------------------------------------------

    The proceeding in Docket No. EL05-102-000 began on May 5, 2005, 
when the Commission instituted an investigation to determine whether 
the role of Southern Power in Southern Company's pool continued to be 
appropriate and consistent with the Commission's regulations and 
precedents regarding affiliate abuse.\18\ Specifically, the Commission 
set for hearing the following issues: (1) The justness and 
reasonableness of the IIC, including the justness and reasonableness of 
Southern Power's inclusion in the pool and whether such inclusion 
involves undue preference and undue discrimination that adversely 
affected wholesale competition and wholesale customers in the 
Southeast; (2) whether any of the Southern Operating Companies had 
violated or were violating the Commission's Standards of Conduct which 
were in effect at the time; and (3) whether the Southern Operating 
Companies' Code of Conduct was just and reasonable and whether the Code 
of Conduct should continue to define Southern Power as a ``system 
company.''
---------------------------------------------------------------------------

    \18\ Southern Company Services, Inc., 111 FERC ¶ 61,146 (Hearing 
Order), clarified, 112 FERC ¶ 61,015 (2005).
---------------------------------------------------------------------------

    On April 11, 2006, Southern Company Services, Inc., on behalf of 
the Southern Operating Companies, filed the Settlement Offer to resolve 
the regulatory proceedings in Docket No. EL05-102 and other related 
proceedings. The purpose of the Settlement Offer was to resolve all 
allegations that the IIC and certain other aspects of the Southern 
Operating Companies' structure and operations provided Southern Power 
with an undue preference over non-affiliated power suppliers. The 
Settlement Offer also encompassed other measures that the Southern 
Operating Companies were planning to implement in response to 
allegations that their operations improperly favored affiliates. On 
October 5, 2006, the Commission issued its Settlement Order, which 
accepted in part and rejected in part the Settlement Offer.\19\ The 
Commission explained that the Settlement Offer did not adequately 
protect customers against affiliate abuse. As a result, the Commission 
ordered the Southern Operating Companies to make significant changes to 
the Settlement relating to the IIC, Separation Protocol, and GSS 
Tariff, to adequately protect customers from affiliate abuse in the 
sale of wholesale power and the provision of transmission service. In 
the Settlement Order, the Commission directed the OE to conduct an 
audit of Southern Power and its regulated Operating Company affiliates. 
Further, the Commission advised that it will notice the audit report 
for comment and after considering the comments on it, determine what 
further action is appropriate.\20\ Moreover, the Commission stated that 
if affiliate abuse concerns remained, it would either set such concerns 
for hearing or require further changes immediately. Lastly, the 
Commission advised that it would keep the section 206 investigation 
open until it received the audit and any public comments on it and 
determined what further action is appropriate in this docket.
---------------------------------------------------------------------------

    \19\ Settlement Order at P 3.
    \20\ Settlement Order at P 60.
---------------------------------------------------------------------------

    On November 6, 2006, Southern Company Services, Inc., acting as 
agent for the Southern Operating Companies, submitted a modified 
compliance filing, as directed by the Settlement Order. The compliance 
filing included the required amendments to the IIC, Separation 
Protocol, and GSS Tariff, as well as a projected implementation 
schedule outlining the actions taken to date and the expected timeframe 
for implementing the Separation Protocol over a seven-month period. On 
April 19, 2007, the Commission issued an Acceptance Order, which 
accepted the modified compliance filing and projected implementation 
schedule, but directed a further compliance filing be made.\21\ On May 
18, 2007, Southern Company Services, Inc. filed a revised compliance 
filing in Docket No. EL05-102-003, as directed by the Commission in its 
Acceptance Order. The Commission accepted, by delegated authority, this 
revised compliance filing with minor modifications on July 16, 
2007.\22\ On August 13, 2007, Southern Company Services, Inc. filed 
these minor modifications in Docket No. EL05-102-004, which the 
Commission accepted by delegated authority on September 12, 2007.\23\
---------------------------------------------------------------------------

    \21\ Acceptance Order, at P. 2.
    \22\ Southern Company Services, Inc., Docket No. EL05-102-003 
(July 16, 2007) (unpublished letter order).
    \23\ Southern Company Services, Inc., Docket No. EL05-102-004 
(September 12, 2007) (unpublished letter order).
---------------------------------------------------------------------------

    On November 16, 2007, Southern Company Services, Inc. filed, on 
behalf of the Southern Operating Companies, a Notice of Completion and 
Conformed Compliance Filing in connection with the Settlement and 
Acceptance Orders. The Southern Operating Companies stated that the 
implementation of the requirements set forth in the Settlement and 
Acceptance Orders was complete. Moreover, the Southern Operating 
Companies submitted an effective conformed version of the Separations 
Protocol. The filing also conformed the definition of ``market 
information'' used in the Separation Protocol and IIC to the definition 
of that term established by the Commission in Order No. 697.\24\ The 
Southern Operating Companies requested that the Commission accept the 
Order No. 697 conformed rates for filing.\25\ The Southern Operating 
Companies later determined that the November 16, 2007 filing should not 
have included the section 205 request that the definition of ``market 
information'' established by the Commission in Order No. 697 apply to 
that same term as used in the Southern Operating Companies' Separation 
Protocol. Accordingly, on December 4, 2007, the Southern Operating 
Companies amended its Notice of Completion filing to remove the section 
205 aspect of its submission. On January 11, 2008, the Commission, by 
delegated authority, accepted the Southern Operating Companies' Notice 
of Completion and the Separation Protocol with an effective date of 
November 19, 2007.\26\
---------------------------------------------------------------------------

    \24\ Market-Based Rates for Wholesale Sales of Electric Energy, 
Capacity and Ancillary Services by Public Utilities, Order No. 697, 
FERC Stats. & Regs. ¶ 31,252, clarified, 121 FERC ¶ 61,260 (2007), 
order on reh'g, Order No. 697-A, 73 Fed. Reg. 25,832 (May 7, 2008), 
FERC Stats. & Regs. ¶ 31,268 (2008).
    \25\ Southern Company Services' November 16, 2007 transmittal 
letter, page 1.
    \26\ Southern Company Services, Inc., Docket Nos. EL05-102-005 
and EL05-102-006 (January 11, 2008) (unpublished letter orders).
---------------------------------------------------------------------------

    On November 19, 2007, OE commenced the audit of the Southern 
Operating Companies in Docket No. PA08-6-000.

D. Summary of Compliance Findings

    Although audit staff determined that the Southern Operating 
Companies generally complied with the conditions in the Settlement and 
Acceptance Orders, audit staff identified three areas where the 
Southern Operating Companies should strengthen and further its 
compliance measures related to electronic separation, employee 
separation, and posting of Separation Protocol violations on OASIS.\27\ 
Below is a summary of audit staff's compliance findings. A more 
detailed discussion of audit staff's compliance findings is included in 
section IV.
---------------------------------------------------------------------------

    \27\ The time frame for the audit covers a period prior to the 
effective date of Order No. 717. Therefore, the audit measures 
compliance with then-existing regulations. The Commission recently 
changed certain posting requirements for Standards of Conduct 
regulations (see Standards of Conduct for Transmission Providers, 
Order No. 717, 125 FERC ¶ 61,064 (2008)).
---------------------------------------------------------------------------

    * Electronic Separation--Although Southern Company 
implemented electronic controls to prevent Southern Power employees 
from accessing non-public market information, audit staff detected some 
gaps in the controls that potentially provided Southern Power employees 
with access to non-public market information. Specifically, a Southern 
Power employee was able to breach Southern Company's network access 
restrictions through a non-Southern Power computer workstation and the 
wireless network. Additionally, Southern Company did not have adequate 
procedures in place to review for non-public market information 
available through: (1) Personal network drives of employees who 
transferred jobs and (2) files transferred to shared network drives by 
non-Southern Power employees.
    * Employee Separation--Audit staff observed an employee 
performing transmission activities that support the long-term wholesale 
energy transactions of Southern Power, while at the same time 
performing transmission and energy trading activities that support the 
short-term wholesale energy transactions made by the pool on behalf of 
the Southern Operating Companies. Audit staff believes that Southern 
Company should dedicate separate employees to perform the transmission 
activities supporting Southern Power's long-term wholesale energy 
transactions and the transmission activities supporting the short-term 
wholesale energy transactions made for the pool on behalf of the 
Southern Operating Companies to prevent the potential for any undue 
preference.
    * Posting of Separation Protocol Violations on OASIS--
Southern Company did not immediately post, date, and time stamp all the 
postings it made to OASIS in accordance with the Commission's Standards 
of Conduct requirements in effect during the audit period.

E. Summary of Recommendations and Corrective Actions Taken

    Audit staff provides the following recommendations to ensure 
adequate corrective actions are taken by Southern Company to address 
the remaining opportunities for potential affiliate abuse under the IIC 
related to Southern Power.
    * Create procedures for reviewing files posted to Southern 
Power shared drives by non-Southern Power employees for non-public 
market information. Additionally, create procedures for reviewing the 
personal network drives of all employees who transfer into Southern 
Power for non-public market information. For each review, remove all 
files that contain non-public market information from the personal 
network drive of the transferred employee.
    On November 14, 2008, Southern Company implemented new policies 
governing the monitoring and review of Southern Power shared drives and 
the personal network drives of employees transferring into Southern 
Power.
    * Perform periodic reviews to ensure that Southern Power 
employees do not have access rights to applications, databases, and 
shared network drives containing non-public market information. 
Additionally, these periodic reviews should include testing of the 
segmented network to determine whether Southern Power employees can 
bypass the segmented network and potentially access non-public market 
information.
    On November 14, 2008, Southern Company implemented new procedures 
requiring a periodic review of Southern Power shared drives and 
periodic testing of the segmented network.
    * Add the ``SPC'' designator to Southern Power employee 
names in Cool Compliance, as is already done in the Global Address List 
for e-mails, to spotlight a Southern Power employee having access 
rights granted in Cool Compliance.\28\
---------------------------------------------------------------------------

    \28\ Cool Compliance is a computer application originally 
created to maintain Sarbanes-Oxley controls, which Southern Company 
also adopted as a tool to provide a consistent automated process for 
evaluating and managing access requests.
---------------------------------------------------------------------------

    On November 10, 2008, Southern Company informed audit staff that it 
will identify and label all Southern Power employees in Cool 
Compliance. However, Southern Company did not provide an implementation 
date.
    * Dedicate employees performing transmission activities that 
support Southern Power's long-term wholesale energy transactions solely 
to Southern Power.
    On November 7, 2008, Southern Company informed audit staff that it 
transferred the responsibilities associated with the procurement of 
transmission service for Southern Power's long-term wholesale energy 
transactions to Southern Power.
    * Post all violations of the Separation Protocol 
immediately, in accordance with the Standards of Conduct at 18 CFR 
358.5(b)(3). In addition to the date the violation occurred, include on 
each document the date and time Southern Company posted the violation 
in accordance with the OASIS regulations at 18 CFR 37.6(g)(2).
    On November 14, 2008, Southern Company revised its Separation 
Protocol Violations Investigative Procedure to reflect that upon 
determining an actual violation has occurred, the incident must 
immediately be posted on OASIS. Further, Southern Company implemented a 
procedural change to include a date and time stamp for each document 
posted on OASIS relating to the violation.
    * Strengthen procedures and controls for maintaining e-mail 
distribution lists and providing reports to Southern Power that may 
contain non-public market information. Incorporate these procedures and 
other pertinent procedural enhancements in the Separation Protocol 
compliance training program to achieve a reduction in the number of 
future violations.
    On November 14, 2008, Southern Company implemented new procedures 
requiring employees to maintain and periodically review their e-mail 
distribution lists to verify employee memberships. Further, Southern 
Company revised its Separation Protocol training regarding electronic 
communications with Southern Power employees and the development and 
maintenance of e-mail distribution lists.

[[Page 77669]]

II. Southern Company's Compliance With Commission Orders

    The Southern Operating Companies' efforts to comply with the 
Settlement and Acceptance Orders included the following activities: (1) 
Tariff modifications filed with the Commission; (2) functional 
separation through organizational restructuring, relocation of 
employees and infrastructure changes; (3) electronic access controls 
(information technology); (4) training of employees; and (5) a 
compliance filing to conform to the definition of ``market 
information'' used in the Separation Protocol and IIC to the definition 
of that term established by the Commission in Order No. 697. Further, 
the Southern Operating Companies expended almost $20 million to 
implement the modifications required by the Commission's Settlement and 
Acceptance Orders. In addition, the Southern Operating Companies 
anticipate there will be on-going costs for compliance, including the 
purchasing of equipment, additional staffing, training, and other costs 
that are difficult to quantify at this time.

Tariff Modifications

    Subsequent to the issuance of the Settlement Order, the Southern 
Operating Companies made several compliance filings, which the 
Commission has approved, that changed the tariff language of the IIC, 
Separation Protocol, and GSS Tariff to comply with the Commission's 
Settlement and Acceptance Orders.\29\ The IIC changes pertained to 
sales between the Southern Operating Companies that were outside the 
pool operating window, but less than a year in length, opportunity 
sales made on behalf of the pool members, Southern Power taking 
transmission service under the OATT, Southern Power as an Energy 
Affiliate under the Standards of Conduct in effect at the time, and 
defining ``market information'' consistently with Order No. 697.
---------------------------------------------------------------------------

    \29\ Southern Company Services, Inc., Docket No. EL05-102-003 
(July 16, 2007) (unpublished letter order); Southern Company 
Services, Inc., Docket No. EL05-102-004 (September 12, 2007) 
(unpublished letter order), Southern Company Services, Inc., Docket 
Nos. EL05-102-005 and EL05-102-006 (January 11, 2008) (unpublished 
letter order).
---------------------------------------------------------------------------

    The Separation Protocol changes pertained to broadening the 
separated functions responsibilities to any function undertaken for the 
benefit of Southern Power's shareholders (except joint economic 
dispatch and reserve sharing), prohibiting the sharing of any 
information, protecting against preferential treatment in regard to the 
purchase or sale of transmission service or electric energy between the 
Southern Operating Companies, and the pricing of non-power goods and 
services. The GSS tariff changes pertained to filing the GSS tariff 
with the Commission to provide all similarly situated merchant 
generators access to back-up power by the Southern Operating Companies, 
and requiring the just and reasonable standard, as opposed to the 
public interest standard, to govern all revisions to the GSS tariff. 
The Commission accepted all of these modifications to the IIC, 
Separation Protocol, and GSS tariff.

Functional Separation

    In addition to the tariff filings, the Southern Operating Companies 
made several organizational and structural changes to comply with the 
Settlement and Acceptance Orders. The Southern Operating Companies 
began to evaluate the measures necessary to comply with the Settlement 
Order in late 2006 and, after the Commission issued the Acceptance 
Order in April 2007, initiated the compliance effort. Based on the 
schedule accepted by the Commission, the Southern Operating Companies 
were afforded seven months to complete the functional separation of 
Southern Power, implement the required information sharing 
restrictions, and provide Separation Protocol training to its 
employees.
    Southern Company evaluated its corporate structure and made various 
organizational changes. To functionally separate Southern Power's 
wholesale activities from the other Southern Operating Companies, 
Southern Company created Southern Wholesale Energy and Southern Power 
as divisions within Southern Company Services, Inc. Southern Wholesale 
Energy, a business unit within Southern Company Services, Inc., performs 
all of the bilateral, long-term wholesale activities of the Southern 
Operating Companies, with the exception of Southern Power. Southern 
Power, as a subsidiary of Southern Company, performs wholesale activities 
including asset management and trading, market analysis and structure, 
generation development, and asset acquisition on behalf of its 
shareholders. Southern Power also created its own finance, accounting, 
budgeting, and compliance groups separate from the other Southern 
Operating Companies. In addition, Southern Power established separate 
officer positions, including President, Chief Commercial Officer, 
Senior Production Officer, Chief Financial Officer, and Compliance 
Officer.
    Southern Company reviewed its physical facilities and, as a result, 
relocated employees, made changes to its electronic infrastructure, and 
implemented physical access controls. Southern Company relocated 65 
Southern Power employees and 90 other Southern Operating Companies 
employees within the Birmingham, Alabama, and Atlanta, Georgia, offices 
as a result of functionally separating Southern Power from the other 
Southern Operating Companies. In Birmingham, Southern Company 
physically separated employees solely dedicated to Southern Power to a 
separate floor and developed Southern Power's own trading floor. 
Southern Power's separate floor contains its asset management and 
trading, market analysis and structure, generation development, and 
asset acquisition functions. Southern Power installed electronic card 
key access controls on this separate floor to provide access only to 
employees solely dedicated to Southern Power. Southern Company also 
implemented electronic card key access controls to restrict Southern 
Power employees' access to non-public market information in other areas 
of the building where the other Southern Operating Companies perform 
operating and trading activities. Further, Southern Company instituted 
sign-in procedures for all non-authorized visitors in these areas to 
provide extra protection. Southern Company included these same 
protections in its Atlanta facilities and the generating plants owned 
and operated by Southern Power.

Electronic Access Controls

    Southern Company conducted an extensive review of its computer and 
e-mail systems, business software applications and databases, and 
intranet sites to establish controls that prevent Southern Power 
employees from having electronic access to or receiving non-public 
market information from the other Southern Operating Companies. As a 
result of this review, Southern Company installed a segmented network 
to comply with the electronic separation requirements ordered by the 
Commission's Settlement and Acceptance Orders. The segmented network 
allows Southern Power to coexist on the same information technology 
infrastructure as the rest of Southern Company, yet at the same time 
precludes Southern Power from obtaining non-public market information 
electronically. Southern Company also created separate intranet Web 
sites for Southern Power and the other Southern Operating Companies to 
ease the burden of electronic separation

[[Page 77670]]

and Southern Power's restriction from non-public market information. 
Further, all shared drives that contain non-public market information 
are electronically protected and restrict Southern Power employees' 
access. In addition to these protective measures, Southern Company 
added an ``SPC'' notation next to the e-mail addresses of Southern 
Power employees to clearly distinguish them from non-Southern Power 
employees and avoid the inadvertent exchange of non-public market 
information.
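
    The periodic review of e-mail distribution lists that Southern 
Company adopted on November 14, 2008, and the ``SPC'' notation 
described above lend themselves to an automated check. The sketch below 
is an added example, not Southern Company's procedure or tooling; the 
``(SPC)'' display-name suffix, the `restricted` flag, the 90-day review 
interval, and every list and recipient name are assumptions, and the 
sample directory is constructed.

```python
from dataclasses import dataclass, field
from datetime import date

SPC_TAG = "(SPC)"          # assumed rendering of the "SPC" notation in display names
REVIEW_INTERVAL_DAYS = 90  # assumed interval; the report only says "periodically"


@dataclass
class DistList:
    name: str
    restricted: bool       # assumed flag: list is used for non-public market information
    last_reviewed: date    # date the list owner last verified the membership
    members: list = field(default_factory=list)  # recipient names or nested list names


def is_spc(display_name):
    """True if the display name carries the SPC notation as a trailing tag."""
    return display_name.strip().endswith(SPC_TAG)


def spc_recipients(list_name, directory, path=()):
    """Yield (recipient, path) for each SPC-tagged recipient reachable from a list.

    Nested lists are expanded. A list already on the current path is skipped,
    so a membership loop (A contains B, B contains A) cannot recurse forever.
    """
    if list_name in path:
        return
    path = path + (list_name,)
    for member in directory[list_name].members:
        if member in directory:            # member is itself a distribution list
            yield from spc_recipients(member, directory, path)
        elif is_spc(member):               # member is an individual recipient
            yield member, path


def review(directory, today):
    """Return findings for restricted lists only.

    REVIEW_OVERDUE: membership not verified within REVIEW_INTERVAL_DAYS.
    SPC_MEMBER:     an SPC-tagged recipient receives the list, directly or
                    through nested lists; the path shows how.
    """
    findings = []
    for dl in directory.values():
        if not dl.restricted:
            continue
        age = (today - dl.last_reviewed).days
        if age > REVIEW_INTERVAL_DAYS:
            findings.append(("REVIEW_OVERDUE", dl.name,
                             f"{age} days since last review"))
        seen = set()
        for recipient, path in spc_recipients(dl.name, directory):
            if recipient not in seen:      # report each recipient once per list
                seen.add(recipient)
                findings.append(("SPC_MEMBER", dl.name,
                                 f"{recipient} via {' > '.join(path)}"))
    return findings


# Constructed sample directory: names, dates and flags are illustrative only.
SAMPLE_TODAY = date(2024, 6, 30)
SAMPLE_DIRECTORY = {dl.name: dl for dl in [
    # Restricted list that pulls in an unrestricted list as a nested member.
    DistList("Pool-Dispatch-Daily", True, date(2024, 6, 1),
             ["Analyst One", "Gen-Ops-All"]),
    # Unrestricted list with an SPC recipient and a loop back to its parent.
    DistList("Gen-Ops-All", False, date(2024, 1, 15),
             ["Operator Two", "Trader Three (SPC)", "Pool-Dispatch-Daily"]),
    # Restricted list with clean membership but a stale review date.
    DistList("Outage-Report", True, date(2024, 1, 1), ["Planner Four"]),
    # Unrestricted list: an SPC recipient here is not a finding.
    DistList("Company-News", False, date(2024, 1, 1), ["Marketer Five (SPC)"]),
]}

if __name__ == "__main__":
    for kind, list_name, detail in review(SAMPLE_DIRECTORY, SAMPLE_TODAY):
        print(f"{kind:15} {list_name:22} {detail}")
```

    The nested case is the one a manual review is most likely to miss: 
the restricted list has no SPC recipient of its own, but inherits one 
through a general-purpose list added as a member.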

Employee Training

    Southern Company informed audit staff that the Southern Operating 
Companies provided the Separation Protocol training required by the 
Commission's Settlement Order to over 15,000 employees. This training 
educated employees on functional separation requirements, physical 
separation requirements, ``prohibited information'' definitions, 
electronic access requirements, no conduit rules, and violation 
reporting instructions. The type of training provided (instructor-led 
or on-line) was based on the priority level of employees. Employees in 
the high priority level included employees of Southern Power, 
generation employees, transmission employees, shared support service 
employees and corporate officers of the other Southern Operating 
Companies responsible for these areas. These high priority level 
employees received instructor-led training while others participated in 
an on-line training program. Continued education and training on the 
Separation Protocol is provided on an annual basis. Additionally, 
training materials for the Separation Protocol are available on the 
intranets of both Southern Company and Southern Power.

Order No. 697 Compliance Filing

    In the Acceptance Order, the Commission directed Southern Company 
Services, Inc. to revise its Separation Protocol and IIC to prohibit 
the sharing of any market information, whether or not such information 
is public.\30\ Subsequent to the Acceptance Order, the Commission 
issued Order No. 697, which, among other things, codified a new 
definition of ``market information.'' Pursuant to the Commission's 
regulations, ``market information'' means non-public information 
related to the electric energy and power business including, but not 
limited to, information regarding sales, cost of production, generator 
outages, generator heat rates, unconsummated transactions, and 
historical generator volumes. Market information includes information 
from either affiliates or non-affiliates.\31\ This new definition not 
only provides greater specificity regarding the type of information 
falling within its scope, but also limits its application to non-public 
information.
---------------------------------------------------------------------------

    \30\ Acceptance Order at P 26.
    \31\ 18 CFR 35.36(a)(8).
---------------------------------------------------------------------------

    On December 4, 2007, Southern Company Services, Inc., on behalf of 
the Southern Operating Companies, made a section 205 filing in Docket 
No. ER08-298-000 to conform the definition of ``market information'' as 
used in the Separation Protocol and the IIC to the definition of that 
term established in Order No. 697. On January 11, 2008, the Commission 
accepted the filing.\32\
---------------------------------------------------------------------------

    \32\ See Southern Company Services, Inc., Docket No. ER08-298-
000 (January 11, 2008) (unpublished letter order).
---------------------------------------------------------------------------

Standards of Conduct Compliance

    In the Settlement Order, the Commission directed Southern Operating 
Companies to revise section 4.4 of the IIC to make clear that the IIC 
is not to serve as a means whereby transmission information is shared 
in a manner contrary to the Commission's Standards of Conduct.\33\ The 
Settlement Order also required revision of section 4.4 of the IIC to 
make clear that Southern Power is treated as an Energy Affiliate under 
the Standards of Conduct and therefore cannot receive any nonpublic 
transmission information.\34\
---------------------------------------------------------------------------

    \33\ Settlement Order, at P 55.
    \34\ The Commission recently eliminated the concept of ``energy 
affiliate'' from the Standards of Conduct regulations (see Standards 
of Conduct for Transmission Providers, Order No. 717, 125 FERC ¶ 
61,064 (2008)).
---------------------------------------------------------------------------

    While the Commission recently revised its Standards of Conduct 
regulations, the fundamental principle prohibiting a transmission 
provider's transmission function employees from disclosing nonpublic 
transmission information (which includes customer information) to 
marketing function employees is retained. The revisions do not affect 
either the Southern Operating Companies' compliance with the 
recommendations regarding shared employees or the information 
restrictions discussed herein. We also note that the Southern Operating 
Companies are subject to restrictions similar to those in the Standards 
of Conduct regulations based on their market-based rate authority.\35\ In addition 
to restricting information sharing between a franchised public utility 
with captive customers and a market-regulated power sales affiliate, 
those rules contain separation of function requirements and a no 
conduit provision.
---------------------------------------------------------------------------

    \35\ 18 CFR 35.39 (2008).
---------------------------------------------------------------------------

Introduction

A. Objectives

    The primary objective of the audit was to determine whether the 
Southern Operating Companies fully complied with the conditions and 
modifications imposed by the Commission in its Settlement and 
Acceptance Orders. The audit also evaluated whether the conditions and 
modifications set forth in both orders are sufficient to address any 
remaining opportunities for affiliate abuse related to Southern Power 
under the IIC. The audit covered the period from November 19, 2007 
through August 29, 2008.

B. Scope and Methodology

    Audit staff conducted a series of reviews prior to the commencement 
of the audit to gain an understanding of Southern Company's corporate 
environment, and state and federal regulatory affairs. Audit staff also 
monitored the implementation of the modifications imposed upon the 
Southern Operating Companies by the Commission in Docket No. EL05-102-
000 through a series of phone conferences and compliance filing 
reviews. The audit activities conducted included:
     Corporate Review--Audit staff conducted a corporate review 
prior to the commencement of the audit to obtain a preliminary 
understanding of Southern Company's corporate structure, system design 
and operations, and market and financial activities. Audit staff 
reviewed publicly available materials and references including Southern 
Company's: OASIS and corporate Web sites; Federal Energy Regulatory 
Commission (FERC) Electric Quarterly Reports (EQR); FERC Forms No. 1, 
60, and 714; IIC Annual Informational Filing; Securities and Exchange 
Commission (SEC) Forms 8-K, 10-Q, and 10-K; annual stockholder reports; 
various industry Web sites; and trade press releases.
     Internal Auditor and External Accountant Review--Audit 
staff reviewed relevant audit reports and workpapers of the Southern 
Companies' internal audit department and external audit firm, Deloitte 
& Touche LLP. The audit staff also reviewed the prior SEC audit report 
relating to service company costs and revenue allocations.
     Federal Regulatory Review--Audit staff reviewed numerous 
company filings and Commission orders to obtain

[[Page 77671]]

an understanding of the issues involved in the audit, including: Docket 
Nos. EL05-102, EL05-104, and ER03-713; market-based rate tariffs and 
authorizations, including Docket Nos. ER95-1468, ER96-780, ER00-1655, 
ER03-3240, ER01-1633, and ER03-1383; and various dockets authorizing 
Southern Power to sell power to Alabama Power and Georgia Power. 
Additionally, audit staff reviewed company filings and orders relating 
to Southern Company's OATT and Order No. 697 compliance filings.
     State Regulatory Review--Audit staff performed a 
comprehensive review of each State Commission's (Georgia, Alabama, 
Mississippi, and Florida) Web site to obtain an understanding of their 
oversight responsibilities and regulatory involvement with Southern 
Company. Additionally, audit staff conducted phone conferences with 
staff at each State Commission to establish points of contact for the 
audit and to discuss its past regulatory review of Southern Company. In 
particular, audit staff inquired about each State Commission's 
compliance audits related to affiliated transactions and cross-
subsidization, their understanding and review of the terms and 
conditions of the IIC and related billing process, and their 
involvement in solicitation of competitive bids for generation 
suppliers.
     Monitoring of Compliance Implementation--To ensure that 
Southern Company adhered to the Commission-approved compliance 
implementation schedule, audit staff monitored Southern Company's 
progress prior to the audit. Specifically, audit staff reviewed 
compliance filings made with the Commission by Southern Company 
Services, Inc. on behalf of the Southern Operating Companies. Further, 
audit staff held three phone conferences with Southern Company 
regarding the status and completion of its projected compliance 
implementation plan before the commencement of the audit on November 
19, 2007.
    Audit staff also reviewed specific areas related to the objectives 
of the audit and conducted testing in those areas to evaluate the 
Southern Operating Companies' compliance with the conditions imposed by 
the Settlement and Acceptance Orders, and whether those conditions were 
sufficient to address any remaining opportunities for affiliate abuse 
by Southern Power under the IIC. Audit staff held regular conference 
calls and formal meetings with Southern Company, and performed three 
site visits at Southern Company's facilities in Birmingham, Alabama, 
and one site visit in Atlanta, Georgia. Further, audit staff issued 
nearly two hundred data requests to obtain information for review and 
testing purposes, and to collect evidence to support its conclusions. 
The specific areas audit staff reviewed and tested include the 
Separation Protocol, wholesale sales, transmission, and GSS tariff.
     Separation Protocol--Audit staff conducted multiple tests 
to evaluate the Southern Operating Companies' compliance with the 
conditions imposed by the Commission and remaining opportunities for 
affiliate abuse relating to the separation of functions and employee 
workspace, restriction of non-public market information, separation 
protocol training, and sale of non-power goods and services. 
Specifically, audit staff:
    [cir] Reviewed Southern Company's organizational structure and 
conducted interviews with several employees to ensure that Southern 
Company functionally separated all wholesale activities carried out for 
the sole benefit of Southern Power shareholders, including its trading 
activities by the other Southern Operating Companies.
    [cir] Toured and inspected Southern Power and other facilities in 
Birmingham, Alabama, and Atlanta, Georgia, to ensure that the workspace 
of all employees conducting separated functions of Southern Power was 
separated from the workspace of the other Southern Operating Companies.
    [cir] Inspected the physical and electronic information security 
restrictions in place and tested the information system processes and 
controls in place at the network, application, and workstation level to 
ensure non-public market information is protected from employees 
conducting the separated functions of Southern Power.
    [cir] Reviewed various physical and electronic means by which 
Southern Power could access or receive non-public market information 
from the other Southern Operating Companies to ensure they did not 
violate the Separation Protocol. The various means inspected included: 
employee e-mails and voice recordings; access to shared drives and 
databases containing non-public market information; electronic card key 
access permissions at facilities containing non-public market 
information; records of joint meetings between Southern Power and other 
Southern Operating Companies; and visitor sign-in logs at facilities 
containing non-public market information. Further, audit staff 
conducted interviews with employees who conduct separated functions for 
Southern Power and interviews with employees performing pool operations 
and trading as a secondary level of testing.
    [cir] Reviewed the training program Southern Company developed to 
educate employees affected by the Separation Protocol to assess its 
adequacy and completeness. Audit staff also interviewed compliance 
officers involved with providing training and employees receiving 
training to assess their knowledge and understanding of the Separation 
Protocol. As part of this testing, audit staff reviewed the processes 
in place for detecting and investigating potential violations of the 
Separation Protocol, and procedures for posting actual violations of 
the Separation Protocol on OASIS.
    [cir] Reviewed the allocation methodologies and pricing for non-
power goods and services provided and purchased amongst Southern 
Company Services, Inc., Southern Power, and the other Southern 
Operating Companies, to determine whether such allocation methodologies 
and pricing were consistent with the Separation Protocol and did not 
result in subsidization. Audit staff reviewed all service agreements in 
effect that provide for non-power goods and services to identify the 
types of non-power goods and services provided and purchased amongst 
Southern Company Services, Inc. and the Southern Operating Companies, 
and the pricing for such non-power goods and services. Audit staff also 
reviewed the methods used to allocate cost amongst the Southern 
Operating Companies.
    [cir] Wholesale Sales--Audit staff conducted several tests to 
evaluate the Southern Operating Companies' compliance with the 
conditions imposed by the Commission and remaining opportunities for 
affiliate abuse relating to wholesale sales, including the IIC 
provisions for: reserve sharing and generation expansion plans; sales 
between the Southern Operating Companies; and wholesale sales to third 
parties. Specifically, audit staff:
    [cir] Conducted group discussions and interviews with operational, 
trading, and shared employees to obtain an in-depth knowledge and 
understanding of the provisions of the IIC and the operation of 
Southern Company's integrated system. Further, audit staff reviewed 
business practices and procedures, observed operational and trading 
activities, and reviewed transactional and other business data to 
determine how to apply these provisions for testing compliance.

[[Page 77672]]

    [cir] Reviewed Southern Company's annual IIC informational filing, 
conducted employee interviews, and analyzed data to determine how the 
Southern Operating Companies derived recognized capacity for the 
reserve sharing calculation. As part of the data analysis, audit staff 
reviewed expansion plans to verify Southern Power did not automatically 
include new capacity resources in the reserve sharing calculation as 
recognized capacity that was not part of the coordinated planning 
process. Further, audit staff analyzed reserve sharing calculations and 
billings to verify the payments to and receipts from the Southern 
Operating Companies for reserve sharing were in accordance with the 
provisions of the IIC.
    [cir] Analyzed transactions, billings, and other documents to 
validate the payments to and receipts from the pool for interchange 
energy and opportunity interchange energy were in accordance with the 
provisions of the IIC. Audit staff reviewed pool interchange energy 
sale transactions between the Southern Operating Companies to validate 
the charges were based upon the variable costs of the generating 
resource supplying the interchange energy. Audit staff also reviewed 
pool opportunity interchange energy sales transactions to verify the 
Southern Operating Companies received revenues based upon approved peak 
period load ratios and paid costs based upon the variable dispatch 
costs.
    [cir] Reviewed regulatory filings to determine whether the 
Commission approved any sales between the Southern Operating Companies 
outside the pool operating window for the periods of less than one year 
and greater than one year. Audit staff also analyzed transactional data 
and conducted employee interviews to independently assess whether any 
sales between the Southern Operating Companies occurred outside the 
pool operating window without prior Commission approval.
    [cir] Analyzed transactional data and other supporting documents to 
verify Southern Power made all of its wholesale sales outside the pool 
operating window using its own generating capacity. Audit staff also 
interviewed Southern Operating Companies' employees to assess the 
adequacy of procedures and controls in place for ensuring all of 
Southern Power's wholesale sales occur outside the pool operating 
window and that Southern Power has available capacity from its own 
generating resources to support these wholesale sales.
    [cir] Reviewed the Southern Operating Companies' coordinated 
planning process to verify Southern Power independently developed its 
generation expansion plans and did not participate in reviewing and 
recommending the generation expansion plans of the other Southern 
Operating Companies. Further, audit staff reviewed e-mails and 
interviewed the Southern Power Senior Production Officer on the 
Operating Committee to ensure Southern Power did not receive non-public 
market information from other Operating Committee members.
    [cir] Transmission--Audit staff conducted several tests to evaluate 
the Southern Operating Companies' compliance with the conditions 
imposed by the Commission and remaining opportunities for affiliate 
abuse relating to the Southern Operating Companies' access to non-
public transmission information and Southern Power's adherence to the 
terms and conditions of the OATT and treatment as an Energy Affiliate 
under the Standards of Conduct. Specifically, audit staff:
    [cir] Conducted interviews with Southern Company transmission 
function managers and employees to understand the physical aspects and 
operations of Southern Company's electric transmission system.
    [cir] Reviewed corporate organizational charts and employee job 
descriptions to assess the functional separation of Southern Power and 
other marketing functions from the transmission function.
    [cir] Reviewed all transmission services provided to each of the 
Southern Operating Companies by Southern Company's transmission 
function and then analyzed transmission service agreements, 
reservations, schedules, and billing statements to validate that 
Southern Power adhered to the terms and conditions of the OATT.
    [cir] Reviewed various physical and electronic means for Southern 
Power and other employees performing marketing activities to access or 
receive non-public transmission information to ensure that they did not 
violate the Commission's Standards of Conduct regulations in effect 
during the audit period. The various means inspected included: employee 
e-mails and voice recordings; marketing employees' access to shared 
drives and transmission databases; transmission facilities' electronic 
card key access permissions; records of joint meetings between 
transmission and marketing function employees; and records for visitor 
sign-in logs at the operating control center. Audit staff also 
conducted interviews with personnel who work in separated functions for 
Southern Power and interviews with employees performing pool operations 
and trading as a secondary level of testing.
    [cir] Reviewed OASIS to determine whether the Southern Operating 
Companies made required postings in accordance with the Standards of 
Conduct as in effect at the time.
    [cir] GSS Tariff--Audit staff conducted testing to evaluate the 
Southern Operating Companies' compliance with the conditions imposed by 
the Commission and remaining opportunities for affiliate abuse relating 
to similarly-situated merchant generators' access to back-up power. 
Audit staff reviewed all filings made by Southern Company Services, 
Inc. to validate that Southern Company complied with the Commission's 
order to file a GSS tariff that offered all similarly-situated merchant 
generators access to back-up power. Audit staff issued data requests 
and conducted interviews to assess the internal processes and 
procedures related to the administration of the GSS tariff. Audit staff 
also used these data requests and interviews to verify whether any 
scheduling entity requested service under the GSS tariff, and to 
determine whether any scheduling entity was improperly denied service 
under the GSS tariff.

III. Findings and Recommendations

1. Electronic Separation

    Although Southern Company implemented electronic controls to 
prevent Southern Power employees from accessing non-public market 
information, audit staff detected gaps that could have potentially 
provided Southern Power employees with access to non-public market 
information. Specifically, as part of our audit testing, a Southern 
Power employee was able to breach Southern Company's network access 
protections through a non-Southern Power computer workstation and the 
wireless network.
    Additionally, Southern Company did not have adequate procedures in 
place to review: (1) Personal network drives that may contain non-
public market information when employees transferred jobs and (2) files 
transferred to shared network drives by non-Southern Power employees 
for non-public market information.
Pertinent Guidance
    The Commission's Settlement Order required the Southern Operating 
Companies to ``adopt a clear separation of functions, including 
restrictions on

[[Page 77673]]

information sharing,'' for transactions benefitting Southern Power's 
shareholders. The Settlement Order also required Southern to make clear 
that Southern Power is to be treated as an Energy Affiliate under the 
Standards of Conduct and therefore cannot receive any nonpublic 
transmission information.\36\ In response to implementing these 
modifications, Southern Company included language in its Separation 
Protocol to protect against the electronic sharing of non-public market 
information. Specifically, the Separation Protocol applicable to 
Southern Power states in paragraph no. 4:
---------------------------------------------------------------------------

    \36\ Settlement Order at P. 3.
---------------------------------------------------------------------------

    Prohibited information will be electronically protected from 
employees conducting the separated functions of Southern Power 
through restricted access to any shared drive that includes such 
information. Access to these shared drives by employees conducting 
the separated functions of Southern Power will require pre-approval 
under an authorization process administered by the Southern Company 
Generation Compliance Officer.

Background

    Southern Company conducted a comprehensive review of its computer 
network environment, business software applications and databases, 
intranet Web sites, and other computer related systems to ensure it had 
adequate controls in place to restrict Southern Power employees from 
having electronic access to non-public market information. Southern 
Company implemented a segmented network as its overarching control to 
comply with the electronic separation and information sharing 
requirements set forth in the Commission's Settlement Order. The 
segmented network allows Southern Power to co-exist on the same 
information technology infrastructure as the rest of Southern Company, 
yet at the same time is designed to preclude Southern Power from 
electronically accessing non-public market information. The 
implementation of the segmented network and other computer 
infrastructure related changes required extensive employee hours and 
cost approximately $1.3 million.
    The compliance measures taken by Southern Company required re-
engineering of its existing computer infrastructure with the 
implementation of a segmented network. Audit staff's review of the 
segmented network determined that it is an effective first line of 
defense in electronically restricting Southern Power employees' access 
to non-public market information. However, audit staff's testing of 
Southern Company's electronic separation control environment for the 
segmented network detected some minor weaknesses that, had they been 
left unresolved, could potentially have provided Southern Power 
employees access to non-public market information through personal 
employee computer workstations and the wireless network.
    Further, Southern Company did not have adequate procedures in place 
to review the following for non-public market information: (1) personal 
network drives when employees transferred jobs and (2) files 
transferred to shared network drives by non-Southern Power employees.

Segmented Network

    The segmented network was achieved by installing dedicated computer 
infrastructure, such as dedicated servers, switches and firewalls, and 
by implementing automated rules with Microsoft's Active Directory and 
Group Policy within the infrastructure to electronically separate 
Southern Power from the remainder of Southern Company and to control 
access to non-public market information. Southern Company's segmented 
network is an effective first line of defense in electronically 
protecting non-public market information from Southern Power employees.
    The segmented network is ultimately controlled through Microsoft's 
Active Directory and relies on an internally designed set of scripts to 
ensure that Southern Power employees cannot access non-public market 
information. The scripts, known as the Validator program, ensure that 
three conditions are met before allowing Southern Power employees 
electronic access: the employee must be a member of the restricted user 
group, the workstation must be a member of the restricted workstation 
group, and the location must be a restricted site. If any of these 
three conditions is not met, the Validator program should shut down the 
workstation for Southern Power employees.
    Audit staff conducted testing at non-Southern Power computer 
workstations to determine whether the segmented network controls 
adequately blocked Southern Power employees' access to restricted areas 
containing non-public market information. One test confirmed that the 
segmented network successfully blocked a Southern Power employee from 
gaining access to the protected segmented network using a non-Southern 
Power computer workstation located in an employee's office. However, 
the other test detected that the segmented network could be breached by 
a Southern Power employee through the use of a non-Southern Power 
computer workstation located in a non-Southern Power conference room. 
In comparing the two different outcomes, Southern Company explained 
that the Southern Power employee successfully logged onto the 
conference room computer workstation because it resided on the SOCOGEN 
network.
    Upon discovery, Southern Company took immediate action to resolve 
the conference room workstation breach. Southern Company explained that 
most of the workstations on the SOCOGEN network are in secure areas to 
which Southern Power employees do not have access privileges. 
Therefore, Southern Company believed it was not necessary to implement 
the ``deny access'' log-on controls applied to Southern Power employees 
on the SOCOGEN network. Rather than applying the ``deny access'' log-on 
controls to these conference room workstations, Southern Company 
addressed this breach by applying the log-on restrictions across the 
entire SOCOGEN network, in case there were additional SOCOGEN 
workstations in non-secure areas of the building. Had this problem been 
left uncorrected, this breach could have potentially provided a 
Southern Power employee access to non-public market information.

Wireless Network

    Southern Company implemented a separate wireless network for 
Southern Power in order to restrict access to non-public market 
information. Southern Power employees should be capable of accessing 
only the Southern Power wireless network, placing them behind Southern 
Power's dedicated firewalls and subjecting them to all of the rules 
applied to a Southern Power workstation connected to the network 
through wired access. Southern Company's other employees can connect to 
the ``Office wireless network.'' Southern Power employees should not be 
able to connect to the Office wireless network.
    Audit staff's testing of the wireless network from a Southern Power 
laptop computer revealed that the employee using a Southern Power 
restricted workstation was able to connect to the Office wireless 
network. Essentially, by successfully connecting to Southern Company's 
Office wireless network, a Southern Power employee was able to bypass 
the segmented network. This connection potentially allowed the Southern 
Power employee access to non-public market information. According to 
Southern Company, some users had Active Directory permission

[[Page 77674]]

inadvertently enabled on their laptop computers for remote access. This 
permission superseded the Active Directory ``deny access'' 
configuration applied to all Southern Power users for the Office 
wireless network. To correct this issue, Southern Company modified the 
configuration to ignore this Active Directory property for remote 
access, removing the conflict in permissions. Audit staff's re-testing 
of the wireless network demonstrated that the system did not allow the 
Southern Power employee connection.
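
    The following is an added example, not part of the audit report and not Southern Company's own scripts: a Python model of a periodic segmentation review applied to the two findings above (log-on controls missing on one network, and a per-user permission superseding the group ``deny access'' setting on the Office wireless network). All names and inventory data other than SOCOGEN are constructed, and the rule that the deny control is applied per network is an assumption of the model.

```python
"""Periodic segmentation review, modelled on the controls in the audit report.
All user, workstation and network names except SOCOGEN are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    restricted: bool                   # member of the restricted user group
    remote_access_allow: bool = False  # per-user remote-access permission


@dataclass(frozen=True)
class Workstation:
    name: str
    network: str           # network the machine resides on
    restricted: bool       # member of the restricted workstation group
    restricted_site: bool  # located at a restricted site


def validator_ok(user, ws):
    """The three conditions the report attributes to the Validator scripts."""
    return user.restricted and ws.restricted and ws.restricted_site


def logon_gaps(users, workstations, deny_logon_networks):
    """Restricted users who could log on outside the segmented network.

    Assumption: off the segment, the "deny access" log-on control is the only
    thing that stops a restricted user, and it is applied per network.
    """
    gaps = []
    for user in users:
        if not user.restricted:
            continue
        for ws in workstations:
            if validator_ok(user, ws):
                continue  # expected path: restricted user, workstation, site
            if ws.network not in deny_logon_networks:
                gaps.append((user.name, ws.name, ws.network))
    return sorted(gaps)


def office_wireless_permitted(user, ignore_user_property):
    """Decision for the Office wireless network.

    The group rule denies restricted users. A per-user allow supersedes that
    deny unless the configuration is told to ignore the per-user property.
    """
    if user.remote_access_allow and not ignore_user_property:
        return True
    return not user.restricted


def wireless_gaps(users, ignore_user_property):
    """Restricted users who would still get onto the Office wireless network."""
    return sorted(u.name for u in users
                  if u.restricted
                  and office_wireless_permitted(u, ignore_user_property))


# Constructed inventory for the review.
USERS = [
    User("sp_trader", restricted=True),
    User("sp_analyst", restricted=True, remote_access_allow=True),
    User("pool_op", restricted=False),
]
WORKSTATIONS = [
    Workstation("SP-DESK-01", "SP-SEGMENT", restricted=True, restricted_site=True),
    Workstation("OFFICE-PC-07", "OFFICE-LAN", restricted=False, restricted_site=False),
    Workstation("CONF-ROOM-01", "SOCOGEN", restricted=False, restricted_site=False),
]

if __name__ == "__main__":
    # Before the fixes: deny log-on not applied on SOCOGEN, per-user allow honoured.
    print("logon gaps (before):", logon_gaps(USERS, WORKSTATIONS, {"OFFICE-LAN"}))
    print("wireless gaps (before):", wireless_gaps(USERS, ignore_user_property=False))
    # After the fixes: deny log-on on the whole SOCOGEN network, property ignored.
    print("logon gaps (after):",
          logon_gaps(USERS, WORKSTATIONS, {"OFFICE-LAN", "SOCOGEN"}))
    print("wireless gaps (after):", wireless_gaps(USERS, ignore_user_property=True))
```

    A review of this kind reports every restricted user and workstation pair that is reachable, so a gap shows up even when, as with the SOCOGEN workstations, the machine was assumed to sit in a secure area.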

Employee Computer Workstations

    Audit staff conducted testing of Southern Power employee computer 
workstations to determine whether they could access non-public market 
information through personal network drives, shared network drives, and 
applications and databases. Audit staff's testing did not detect any 
evidence that Southern Power employees accessed or received non-public 
market information through their personal computer workstations. However, 
audit staff observed that Southern Company had some procedural 
weaknesses related to personal network drives, shared drives, and 
computer applications and databases that could potentially provide 
Southern Power the opportunity to access non-public market information.
    During interviews, audit staff learned that each employee has a 
personal network drive and if an employee transfers from one area of 
Southern Company to another, such as from the Transmission function 
into Southern Power, the employee's personal network drive is 
transferred with the employee. However, Southern Company did not have a 
policy in place to review the contents of the transferred employee's 
personal network drive for non-public market information. Audit staff 
also learned that the network server access restrictions are one-
directional (i.e. Southern Power to the other Southern Operating 
Companies). As a result, a non-Southern Power employee with write 
access to a shared network drive could transfer files containing non-
public market information to the network drive it shares with Southern 
Power. Southern Company also did not have a policy in place to review 
shared network drives for non-public market information. Currently, the 
Separation Protocol and Standards of Conduct training programs are the 
only control mechanisms in place to prevent Southern Power access to 
non-public market information through personal and shared network 
drives.
    To prevent the type of breaches audit staff detected during its 
examination of the segmented network and wireless network, Southern 
Company should implement multiple strategies to electronically restrict 
Southern Power employees' access to non-public market information. For 
example, Southern Company should implement procedures to ensure 
Southern Power employees are electronically restricted from obtaining 
non-public market information through access rights to shared network 
drives. Further, Southern Company should develop procedures to review 
and remove non-public market information from personal network drives 
for employees who transfer to Southern Power from another area of the 
company.

Recommendations

    We recommend Southern Company:
    1. Create procedures for reviewing files posted to Southern Power 
shared drives by non-Southern Power employees for non-public market 
information. Additionally, create procedures for reviewing the personal 
network drives of all employees who transfer into Southern Power for 
non-public market information. For each review, remove all files that 
contain non-public market information from the personal network drive 
of the transferred employee.
    2. Perform periodic reviews to ensure that Southern Power employees 
do not have access rights to shared network drives containing non-
public market information. Additionally, these periodic reviews should 
include testing of the segmented network to determine whether Southern 
Power employees can bypass the segmented network and potentially access 
non-public market information.
    3. Add the SPC designator to Southern Power employee names in Cool 
Compliance, as is already done in the Global Address List for e-mails, 
to spotlight a Southern Power employee having access rights granted in 
Cool Compliance.

Corrective Action Taken

    On November 14, 2008, Southern Company implemented new procedures 
governing the monitoring and review of shared drives and personal 
network drives. For shared drives, the new procedures require any non-
Southern Power employee who posts material to a Southern Power shared 
folder to send an e-mail notifying the Southern Power employee of the 
posting content. For personal network drives, the new procedures 
require a Southern Power business manager and the transferred employee 
to review and remove any documents containing non-public market 
information from the personal network drive and to complete and 
submit a transfer checklist to a compliance officer for review.
    Southern Company also implemented new procedures that require a 
semi-annual review of approved access lists and content of Southern 
Power shared drives by a generation compliance officer. Further, the 
new procedures also require periodic testing of the segmented network 
to verify the integrity of the preventive controls and to confirm that 
Southern Power employees do not have access to network drives that 
contain non-public market information.
    On November 10, 2008, Southern Company informed audit staff that it 
will begin identifying and labeling all Southern Power employees in 
Cool Compliance to help prevent inadvertent disclosure of non-public 
market information. However, Southern Company did not provide an 
implementation date for this new procedure.

Employee Separation

    Audit staff observed a shared employee performing transmission 
activities that support the long-term wholesale energy transactions of 
Southern Power, while at the same time performing transmission and 
energy trading activities that support the short-term wholesale energy 
transactions made by the pool on behalf of the Southern Operating 
Companies. Audit staff believes that Southern Company should dedicate 
separate employees to perform the transmission activities supporting 
Southern Power's long-term wholesale energy transactions and the 
transmission activities supporting the short-term wholesale energy 
transactions made for the pool on behalf of the Southern Operating 
Companies to prevent the potential for any undue preference.

Pertinent Guidance

    The Settlement Order clarified that where a competitive affiliate 
enters into transactions for its own benefit, it must separate its 
functions from those of its regulated affiliates.\37\ This separation 
of functions obligation includes, in part, a requirement to maintain 
separate staffs to perform the sales functions and a restriction on the 
sharing of any non-public market information. These protections ensure 
that the parent corporation cannot favor sales by the

[[Page 77675]]

competitive affiliate over those of the regulated affiliates.
---------------------------------------------------------------------------

    \37\ Southern Company Services, Inc., 117 FERC ¶ 61,021 (2006).
---------------------------------------------------------------------------

    Moreover, the Commission's Acceptance Order further clarified that 
the Southern Operating Companies must adopt a clear separation of 
functions, including restrictions on information sharing, and a 
separation of personnel, for any function that is undertaken for the 
benefit of Southern Power's shareholders (i.e. any function except 
joint economic dispatch and reserve sharing under the IIC).\38\
---------------------------------------------------------------------------

    \38\ Acceptance Order at P. 16-17.
---------------------------------------------------------------------------

    To implement these modifications, Southern Company Services, Inc., 
included specific language in its Separation Protocol regarding the 
functional separation of Southern Power employees from the other 
Southern Operating Companies. Specifically, the Southern Company 
Services, Inc., Separation Protocol approved by the Commission 
applicable to Southern Power, Items No. 1 and 2, states:

    The wholesale activities of Southern Power carried on for the 
sole benefit of Southern Power are to be functionally separated from 
the other Southern Operating Companies. These activities 
(collectively referred to as separated functions) consist of any 
function undertaken for the benefit of Southern Power's 
shareholders.
    Personnel who conduct separated functions for Southern Power may 
be employees of Southern Power or they may be employees of a service 
company or other affiliated company. To the extent the service 
company or other affiliated company employees conduct these 
separated functions, such employees must be dedicated exclusively to 
Southern Power and all associated costs (direct and indirect) must 
be borne by Southern Power or its shareholders.

Background

    The Southern Operating Companies did not dedicate one employee 
solely to performing the transmission activities that support the 
long-term wholesale energy transactions of Southern Power and a 
different employee to supporting the short-term wholesale energy 
transactions made by the pool on behalf of the Southern Operating 
Companies. Southern 
Power relies on a shared employee to procure transmission service 
(e.g., negotiate transmission service agreements and reserve 
transmission service) that supports its long-term wholesale energy 
transactions made outside the pool operating window. This same shared 
employee is responsible for performing energy trading and the 
transmission activities for the pool on behalf of the Southern 
Operating Companies for short-term wholesale energy transactions made 
under the IIC.
    During the audit period, audit staff did not identify any 
occurrences where Southern Power received an undue preference. However, 
absent having an employee solely dedicated to Southern Power for 
performing transmission activities, there is a potential risk for 
Southern Power to receive an undue preference due to this shared 
employee's co-existing duties as a term energy trader for the pool and 
associated transmission responsibilities performed on behalf of the 
pool and Southern Power. Audit staff believes that the Commission's 
Settlement and Acceptance Orders and the Southern Company Services, 
Inc., Separation Protocol require further separation of the 
transmission activities performed by this shared employee by solely 
dedicating this person or another employee to Southern Power.
    Audit staff's review of transmission service agreements between 
Southern Power and Southern Company's transmission function 
showed that the shared employee signed transmission service agreements 
on behalf of Southern Power. In addition to transmission service 
agreements, audit staff obtained transactional data from OASIS showing 
that the same shared employee made transmission service reservations to 
support Southern Power's wholesale energy transactions and the 
wholesale energy transactions made by the pool on behalf of the 
Southern Operating Companies. Further, audit staff reviewed the job 
description of this shared employee and interviewed the shared employee 
to confirm his job responsibilities included: (1) Optimizing daily and 
long-term point-to-point (PTP) transmission positions on behalf of the 
Southern Operating Companies including purchasing, reselling, and/or 
redirecting transmission through OASIS; (2) querying OASIS to determine 
available transfer capability on all Southern Company interfaces; (3) 
requesting long-term PTP transmission for the Southern Operating 
Companies (through OASIS); (4) executing transmission service 
agreements; and (5) conducting term energy trading on behalf of the 
pool.
    Southern Company explained that when Southern Power needs long-term 
(i.e., one month or greater) transmission service as the result of its 
entry into a wholesale energy purchase or sale contract, Southern Power 
notifies this shared employee of that transmission need. The shared 
employee then pursues available long-term transmission that meets 
Southern Power's needs through queries on Southern Company's or a non-
affiliated Transmission Provider's OASIS and through inquiries to 
potential counterparties. When such transmission is found, a 
transmission service agreement is executed on behalf of Southern Power 
and provided to it. This same shared employee, within the nearer-term 
operational window as provided by the IIC, procures transmission 
service for the Southern Operating Companies to support any short-term 
wholesale energy transactions made on behalf of the pool. This process 
applies to transmission procured from Southern Company's transmission 
function as well as from non-affiliated Transmission Providers.
    Southern Company stated that it uses this shared employee to 
perform the transmission activities for Southern Power and the pool on 
behalf of the Southern Operating Companies because of the integrated 
operating nature of the pool. Further, Southern Company stated that the 
pool seeks to optimize all of the Southern Operating Companies' 
resources related to unit commitment and joint economic dispatch, 
including generation, purchased power, transmission and fuel 
arrangements (e.g., natural gas supply, transportation and storage). 
Audit staff agrees that the pool must operate on an integrated basis 
and that all reserved transmission capacity should be obtained by the 
pool in accordance with the terms and conditions of the OATT. However, 
as required by the Commission's Settlement and Acceptance Orders and 
the Southern Company Services, Inc. Separation Protocol, the 
procurement of transmission service supporting Southern Power's long-
term wholesale energy transactions should not be a pool responsibility 
performed by a shared employee, but rather a responsibility performed 
by an employee solely dedicated to Southern Power.
    Audit staff is concerned that there is a potential risk for 
Southern Power to receive an undue preference if this shared employee 
continues to have co-existing duties as an energy trader for the pool, 
along with the transmission responsibilities associated with the 
wholesale energy transactions conducted on behalf of the pool and 
Southern Power.

Recommendation

    We recommend Southern Company:
    4. Dedicate employees performing transmission activities that 
support Southern Power's long-term wholesale energy transactions solely 
to Southern Power.

Corrective Action Taken

    On November 7, 2008, Southern Company informed audit staff that it

[[Page 77676]]

transferred the responsibilities associated with the procurement of 
transmission service for Southern Power's long-term wholesale energy 
transactions to Southern Power.

Posting of Separation Protocol Violations on OASIS

    Southern Company did not immediately post, date, and time stamp the 
postings it made to OASIS in accordance with the Commission's Standards 
of Conduct requirements in effect during the audit period.

Pertinent Guidance

    Pursuant to the Separation Protocol paragraph 6, the Southern 
Operating Companies are required to post any violation of the 
Separation Protocol on OASIS in a manner consistent with the process 
under the Standards of Conduct.\39\ The Standards of Conduct require 
the Transmission Provider to post immediately information that an 
employee of the Transmission Provider discloses in a manner contrary to 
the requirements of Sec.  358.5(b)(1) on its OASIS or Internet Web 
site.\40\ The requirement of 18 CFR 358.5(b)(1) (2008) states:
---------------------------------------------------------------------------

    \39\ Southern Company Services, FERC Electric Tariff, Second 
Revised Volume No. 4, Original Sheet No. 6.
    \40\ 18 CFR 358.5(b)(3)(2008).
---------------------------------------------------------------------------

    An employee of the Transmission Provider may not disclose to its 
Marketing or Energy Affiliates any information concerning the 
transmission system of the Transmission Provider or the transmission 
system of another * * * through non-public communications conducted 
off the OASIS or Internet Web site, through access to information 
not posted on the OASIS or Internet Web site that is not 
contemporaneously available to the public, or through information on 
the OASIS or Internet Web site that is not at the same time publicly 
available.

    The Commission's Standards of Conduct regulations also require that 
all OASIS database transactions, except other transmission-related 
communications provided for under 18 CFR 37.6(g)(2)(2008), be 
stored, dated, and time stamped.\41\ Further, the Commission explained, 
in 18 CFR 37.6(g)(1)(2008), that other transmission-related 
communications may include ``want ads'' or ``other communications'' 
such as using the OASIS as a transmission-related conference space or 
providing transmission-related messaging services between OASIS users.
---------------------------------------------------------------------------

    \41\ 18 CFR 37.7(a)(2008).
---------------------------------------------------------------------------

Background

    On November 19, 2007, the Separation Protocol applicable to 
Southern Power became effective and in part required the Southern 
Operating Companies to post any violation of the Separation Protocol on 
OASIS in a manner consistent with the Commission's Standards of Conduct 
requirements. In accordance with this requirement, Southern Company has 
made fourteen postings covering violations of the Separation Protocol 
on its OASIS between November 19, 2007 and August 31, 2008. However, 
Southern Company did not immediately post, date and time stamp the 
postings it made to OASIS. The fourteen violations included the 
following:
     Eleven e-mails containing non-public market information 
that were electronically sent to Southern Power employees from 
employees of the other Southern Operating Companies. The non-public 
market information included in these e-mails pertained to non-Southern 
Power plant outages, unit status, plant damage, plant equipment issues, 
and plant performance. Some of the non-public market information shared 
also pertained to system load data and financial information such as 
mark-to-market accounting and budgets. The Compliance Officer's 
investigation of these violations determined that Southern Power 
employees viewed non-public market information in seven of the eleven 
e-mails received. One of the violations involved the distribution of 
the same non-public market information sent to Southern Power employees 
in a previous e-mail. The other three e-mails contained non-public 
market information which was received, but not viewed by, Southern 
Power employees. Most of the violations occurred from having outdated 
e-mail distribution lists that contained Southern Power employees and 
from reports received by Southern Power employees, where the senders 
did not realize the contents included non-public market information.
     One violation involved a Southern Power employee who obtained access 
to the power pool trading floor, which is a physically restricted 
access area. The review performed by a compliance official determined 
that the Southern Power employee did not view or review any non-public 
market information.
     One violation involved a meeting where employees from 
Southern Power and the other Southern Operating Companies were present. 
During this meeting, non-public market information pertaining to a 
plant outage with a third party that sold the output of the plant to 
Georgia Power Company was shared with Southern Power. A compliance 
official informed the Southern Operating employee that they should not 
do this going forward when meeting with Southern Power employees.
     One violation involved computer access to an application containing 
load forecast data of Georgia Power Company. The initial Separation 
Protocol review did not detect any problems with this application; 
however, a modification to the application was made subsequent to this 
review which granted Southern Power employees access to non-public 
market information. A compliance official interviewed each employee 
with access to the load forecast data and determined that none of these 
employees accessed or viewed this information. Southern Company 
resolved this problem by removing the Southern Power employees' access 
to non-public information of Georgia Power Company.
    Audit staff requested copies of documents related to all potential 
and actual Separation Protocol violations that were investigated since 
November 19, 2007. Audit staff's review of these reports determined 
Southern Company posted many of the Separation Protocol violations days 
or weeks after the Southern Power employee received access to the non-
public market information. For example, Southern Company posted one 
incident over one full month following the receipt of the non-public 
market information by a Southern Power employee. Moreover, audit staff 
determined that Southern Company identified the date of occurrence, but 
did not date or time stamp any of the Separation Protocol violations it 
posted on OASIS. As a result, non-affiliated transmission customers 
could not determine whether Southern Company posted the Separation 
Protocol violations immediately, as required by the Standards of 
Conduct.
    The Standards of Conduct require Southern Company to immediately 
post information that an employee of the Transmission Provider 
discloses in a manner contrary to the requirements of Sec.  358.5(b)(1) 
on the OASIS.\42\ Further, all OASIS database transactions, except 
other transmission-related communications provided for under 18 CFR 
37.6(g)(2)(2008), must be stored, dated, and time stamped.\43\ 
Accordingly, Southern Company should immediately post all non-public 
market information that a Southern Power employee receives and include 
a date and time stamp in accordance with the Standards of Conduct.\44\
---------------------------------------------------------------------------

    \42\ 18 CFR 358.5(b)(3)(2008).
    \43\ 18 CFR 37.7(a)(2008).
    \44\ 18 CFR 37.6(g)(2)(2008).

---------------------------------------------------------------------------

[[Page 77677]]

Recommendations

    We recommend Southern Company:
    5. Post all violations of the Separation Protocol immediately in 
accordance with 18 CFR 358.5(b)(3). In addition to the date the 
violation occurred, Southern Company should include on each document 
the date and time Southern Company posted the violation to OASIS in 
accordance with 18 CFR 37.6(g)(2).
    6. Strengthen procedures and controls for maintaining e-mail 
distribution lists and providing reports to Southern Power that may 
contain non-public market information. Incorporate these procedures and 
other pertinent procedural enhancements in the Separation Protocol 
compliance training program to achieve a reduction in the number of 
future violations.

Corrective Action Taken

    On November 14, 2008, Southern Company revised its Separation 
Protocol Violations Investigative Procedure to reflect that upon 
determining an actual violation has occurred, the incident must 
immediately be posted on OASIS. Further, Southern Company implemented a 
procedural change to include a date and time stamp for each document 
posted on OASIS relating to the violation.
    Southern Company also implemented new procedures requiring 
employees to maintain and periodically review their e-mail distribution 
lists to verify employee memberships. Further, Southern Company revised 
its Separation Protocol training to provide additional and more 
detailed guidance with regard to electronic communications with 
Southern Power employees and the development and maintenance of e-mail 
distribution lists. The revised training will be conducted online, with 
an anticipated completion deadline of December 31, 2008.

V. Southern Companies' Comments on the Draft Audit Report

FERC Docket No. PA08-6-000

    Southern Company Services, Inc., acting as agent for Alabama Power 
Company, Georgia Power Company, Gulf Power Company, Mississippi Power 
Company, and Southern Power Company (collectively, ``Southern 
Companies''), submits the following comments on the Draft Audit Report 
provided by the Division of Audits on November 4, 2008.
    In this submission, Southern Companies have purposefully sought to 
focus their comments on more substantive matters, and thus have not 
undertaken to address each and every aspect with which they disagree. 
In like manner, Southern Companies saw no need to set forth the 
substantive reasons for their disagreement with any recommendations 
that they have nonetheless agreed to implement. Accordingly, the 
absence of comment directed to a given statement, assertion, 
representation, or conclusion in the Draft Audit Report should not be 
interpreted as their agreement or tacit admission as to accuracy or 
completeness thereof.
1. Electronic Separation
    Recommendation No. 1: Create procedures for reviewing files posted 
to Southern Power shared drives by non-Southern Power employees for 
non-public market information. Additionally, create procedures for 
reviewing the personal network drives of all employees who transfer 
into Southern Power for non-public market information. For each review, 
remove all files that contain non-public market information from the 
personal network drive of the transferred employee.
Southern Companies' Comments on Recommendation No. 1:
    Effective November 14, 2008, Southern Companies have implemented 
the ``Separation Protocol Policy to Govern Monitoring of the Southern 
Power Shared Folders,'' which is a new policy regarding information 
posted to Southern Power Company (``Southern Power'') shared folders by 
non-Southern Power employees. This new procedure includes periodic 
reviews of approved access lists and content. The procedure also 
includes a requirement that any non-Southern Power employee who posts 
material to a Southern Power shared folder will notify the owner of 
such folder by e-mail of the posting. Southern Companies have submitted 
this policy to Audit Staff for review.
    Effective November 14, 2008, Southern Companies have implemented 
the ``Separation Protocol Policy to Govern Employee Transfers to 
Southern Power Company,'' which is a new policy that addresses the 
personal network drives of employees who transfer into Southern Power. 
This policy will ensure that these employees do not retain any 
documents (hard copy or electronic) containing Prohibited Information. 
Southern Companies have submitted this policy to Audit Staff for 
review.
    Recommendation No. 2: Perform periodic reviews to ensure that 
Southern Power employees do not have access rights to shared network 
drives containing non-public market information. Additionally, these 
periodic reviews should include testing of the segmented network to 
determine whether Southern Power employees can bypass the segmented 
network and potentially access non-public market information.
Southern Companies' Comments on Recommendation No. 2:
    Effective November 14, 2008, Southern Companies have implemented 
the ``Separation Protocol Policy to Govern Monitoring of the Segmented 
Network,'' which is a new policy that requires periodic testing of the 
segmented network to verify the integrity of the preventive controls 
and to confirm that Southern Power employees do not have access to 
network drives that contain Prohibited Information. Southern Companies 
have submitted this policy to Audit Staff for review.
    Recommendation No. 3: Add the SPC designator to Southern Power 
employee names in Cool Compliance, as is already done in the Global 
Address List for e-mails, to spotlight a Southern Power employee having 
access rights granted in Cool Compliance.
Southern Companies' Comments on Recommendation No. 3:
    The designator ``(SPC)'' will be added to Southern Power employee 
names in Cool Compliance. Southern Companies have submitted evidence of 
this implementation to Audit Staff.
2. Employee Separation
    Recommendation No. 4: Dedicate employees performing transmission 
activities that support Southern Power's long-term wholesale energy 
transactions solely to Southern Power.
Southern Companies' Comments on Recommendation No. 4:
    Southern Companies disagree with the findings in this section of 
the Draft Audit Report and the related recommendation. However, in 
order to resolve this issue, the procurement of long-term transmission 
service associated with the long-term wholesale energy transactions of 
Southern Power has been moved to Southern. Accordingly, all long-term 
transmission service requests associated with Southern Power's long-
term energy transactions will be made on OASIS by Southern Power 
employees.
3. Posting of Separation Protocol Violations on OASIS
    Recommendation No. 5: Post all violations of the Separation 
Protocol immediately in accordance with 18 CFR

[[Page 77678]]

358.5(b)(3). In addition to the date the violation occurred, Southern 
Company should include on each document the date and time Southern 
Company posted the violation to OASIS in accordance with 18 CFR 
37.6(g)(2).
Southern Companies' Comments on Recommendation No. 5:
    Southern Companies have revised their ``Separation Protocol 
Violations Investigative Procedure'' to state that when ``it is 
determined that an actual violation has occurred, the incident must be 
posted on OASIS immediately.'' Southern Companies have submitted the 
revised protocol to Audit Staff for review.
    Southern Companies have implemented the changes necessary so that 
the date and time a violation is posted on OASIS will be included for 
each posting.
    Recommendation No. 6: Strengthen procedures and controls for 
maintaining e-mail distribution lists and providing reports to Southern 
Power that may contain non-public market information. Incorporate these 
procedures and other pertinent procedural enhancements in the 
Separation Protocol compliance training program to achieve a reduction 
in the number of future violations.
Southern Companies' Comments on Recommendation No. 6:
    Effective November 14, 2008, Southern Companies have implemented 
the revised ``Fleet Operations and Trading Floor Information, Physical 
Access and Visitor's Policy,'' which revision requires employees to 
maintain their e-mail distribution lists and to periodically review 
such lists to verify employee memberships. Southern Companies have also 
revised the Separation Protocol training to provide additional and more 
detailed guidance with regard to electronic communications with 
Southern Power employees and the development and maintenance of e-mail 
distribution lists. This revised training will be conducted online, 
with an anticipated completion deadline of December 31, 2008. In 
addition, Southern Companies will continue to conduct individual 
training and counseling for employees that are involved in Separation 
Protocol investigations. Southern Companies have submitted the revised 
policy and applicable portions of the revised training materials to 
Audit Staff for review.

[FR Doc. E8-30143 Filed 12-18-08; 8:45 am]

BILLING CODE 6717-01-P
