November 21, 2024

The Bigger Picture: Five Keys to Audit Success

by Bob Biggs

Background
Generation, transmission, and distribution owners and operators (Registered Entities)1 all have compliance responsibilities related to NERC and NERC CIP standards, aimed at improving reliability of the bulk electric system and securing appropriate cyber assets and supporting infrastructure. Regional Entities (REs)2 are obligated to NERC to conduct audits of their Registered Entities’ compliance programs and implementation, which can culminate in monetary fines and additional regulatory engagement and oversight.

Demonstrating compliance is made more difficult if entities do not understand the NERC audit processes. Additionally, RE auditors do not always possess the same skill sets or expect the same things and this often results in different methods being applied and additional entity difficulty responding to the auditors. By considering ‘Five Keys to Audit Success’, entities can assure effective audit preparation and management, facilitate the audit processes, and demonstrate compliance that can be realized on an ongoing basis.

Five Keys to Audit Success

1. Establish your knowledgeable audit support team well in advance of an audit.

Entity audit prep teams should be ‘standing teams’ that remain intact between audits, employing the organization’s compliance team (Senior Management, Compliance Officer/Manager, and Subject Matter Experts or SMEs). Some or all of the audit prep team will be your actual audit team.

Entities often do not establish formal audit preparation teams or projects. Additionally, if established, the audit preparation teams are chartered much too late to be optimal. The entity may rely upon a contract organization to conduct a mock-audit; again often too late to be optimal. Many of the teams do not possess all of the skills needed to assure success without difficulty. Personnel that prepare your company for an audit have a very vital role and are the ‘face’ of your company. With that in mind, membership on an audit prep team should be considered an honor and an assignment of importance.

While technically knowledgeable, many of the personnel associated with NERC Compliance Program implementation may have little or no experience with the audit process. SMEs may also lack ‘soft skills’3 that are highly important during an audit (especially an onsite audit).

Audit preparation takes a dedicated group of folks knowledgeable of the NERC Standards and Requirements, familiar with their organizational structure, trained in the entity’s compliance program policies and procedures, and comfortable communicating with regulators.

Key Considerations for Audit Prep Teams
Optimal audit preparation team make-up consists of a Senior Management Sponsor, Compliance Officer or Manager, and appropriate SMEs. A good practice is to know at all times who these members are and to ‘press’ them into service once an audit schedule is known. This is most easily accomplished by maintaining updated Reliability Standards Audit Worksheets (RSAWs) that have SMEs established for each Standard or Requirement. The Senior Management Sponsor and Compliance Officer or Manager are as assigned in the organization.

  • Conduct audit prep team indoctrination sessions to ensure understanding of the team’s responsibilities, individual team member responsibilities, and the audit process and schedule.
  • Soft skills, such as professional demeanor and verbal communication, must be emphasized through training. All members of an audit prep team must receive training.
  • Prepare a project schedule to ensure early and complete audit preparation. This project schedule should use the RE-specific audit timetable, audit specific milestones, and due dates. Each team member should fully understand the audit schedule, process, and specific responsibilities.
  • The timeliness, adequacy, and accuracy of responses to the regulator’s questions or requests for information (Request for Additional Information or RAI) during an audit are crucial in demonstrating compliance. To ensure success, entities must establish their expectations and communicate this to their organization and especially the audit prep team.
  • Prepare the audit prep team and SMEs on what constitutes quality evidence, evidence organization, and how to respond to questions or additional information requests (RAIs) presented by the auditors.
  • Conduct a mock audit to ‘test’ the audit prep team under simulated audit conditions. This mock audit should include industry peers, outside consultants, and internal auditors (if available). Coaching during the mock audit should be minimized. Conduct a debrief to capture lessons learned and address each area for improvement.
  • SMEs at the company should assist in preparation of audit responses and be available for additional support both prior to and during the audit.

Audit prep team training and development, both between audit periods and prior to the actual audit, are keys to audit success.

2. Clearly understand the audit process prior to audit notification by the regulator (RE and/or NERC)

There are over 1,000 requirements in the approved NERC standards, but not all are part of typical audits in a given year. NERC produces an annual implementation plan that includes an Actively Monitored Standards and Requirements Listing (AML). They are selected out of the universe of NERC standards to cover areas deemed most significant to reliability. Other NERC standards may be included if the RE finds a need to examine them due to triggering events or other circumstances. REs develop an audit plan and consider an entity’s compliance history, events, and size (relative to MW and number of functions/assets) to perform a qualitative risk evaluation. REs may expand audit scope and include Reliability Standards and Requirements not identified in the AML. Further, REs may reduce audit scope from AML, but they must notify NERC of their intent to reduce audit scope from AML or make a deferment of a scheduled compliance audit. The scope reduction/deferment form requires justification and submittal to NERC for approval at least 90 days prior to the audit. NERC may make requests for information pertaining to any notifications of audit scope reduction or audit deferments, as NERC ultimately reserves the right to deny any audit scope changes or audit deferments by a RE.

During the audit process and prior to actual conduct, the RE will issue the following items: 4

  • Audit Notification Letter: Indicates the date of the audit, type of audit – onsite or offsite (table-top), pre-audit instructions, registration clarification request, audit agenda, auditor contact information, and types of information and data to be provided by the auditee. Additionally, many times links to the RE website are also provided in the notification letter.
  • Pre-audit Survey or General Information Request:5 The RE will ask the auditee to fill out general entity information such as facility description, size and voltage class, neighboring entities, other auditee facilities within the RE’s jurisdiction, and most importantly, the auditee must answer specific questions describing its internal compliance program (ICP), and provide evidence supporting each answer. Of importance is a company’s compliance program, which is a factor when evaluating penalties for a reliability standards violation.
  • RE auditor biographies: Entities may object to audit team members in writing (usually 15 days in advance of the audit start) on the basis of conflict of interest or lack of impartiality. Entities’ objections cannot generically preclude participation of FERC or NERC representation on any audit. However, entity objections regarding participation by specific individuals will be evaluated based on the merits of the objections raised.
  • Auditor data request (may be included with the Audit Notification Letter): A RE data request will 1) specify the specific format of the data requested, 2) provide any evidence tables, 3) request specific evidence lists (such as PRC-005 equipment listings) to be used for sample selection, and 4) give instructions on data provision, as well as dates for submittal and how to submit the data. The data requested consists, e.g., of RSAWs, policies and procedures, and supporting evidence.
  • Registered Entity Certification Letter: RE will provide a certification letter template to be used by the auditee to certify the completeness and accuracy of the audit package prior to submittal to the RE. An officer of the company normally signs this letter; however, on occasion it may be appropriate for the Compliance Officer to sign the letter (depends on organization structure).

3. Engage the Lead Auditor early and often throughout the audit process.

The fact that an auditor may have audited other registered entities does not equate to understanding your organization’s environment or having an immediate appreciation for how you manage compliance.

Upon receiving the audit notification, an entity’s Compliance Officer and/or audit prep team lead should contact the Lead Auditor and get to know him/her. Be sure during initial contact to ask any clarifying questions regarding the RE’s audit notification and information requests received. Tell the Lead Auditor about yourself and any key facility operational activities that are ongoing (focus on reliability whenever possible). Let the Lead Auditor know that you are looking forward to sharing your compliance program and its results with him/ her and the audit team. Continue to provide updates to the Lead Auditor as you submit information to him/her.

Once the audit entrance meeting has been scheduled, take time and prepare a high-level overview of your facility, organization, and your compliance program. Make sure to discuss any improvements to your compliance program that you have made and that may be ongoing.

Audit Conduct: Most audits last three to five days and are conducted onsite at the audited entity’s location or as ‘Table Top’ audits that are conducted offsite by the RE, using information provided by the entity. During the audit conduct, stay engaged with the Lead Auditor daily to ensure that the Audit Team is receiving all the needed support and information to conduct the audit. Typically, Lead Auditors will provide frequent or daily status updates without any prompting. However, you should establish that you want to receive frequent updates so that no surprises present themselves, and to smooth the process for the RE. When a request for additional information (RAI) arises, seek first to clearly understand the request and the reason for it, take prompt action to fulfill the request, and finally, ensure that the response is complete and accurate.

If, during the audit process, a potential violation is identified, be self-critical, ensure understanding of the requirement, and what the performance deficiency is e.g., failed to meet requirement (action not taken), missing evidence, insufficient evidence/low quality, or not included in the compliance program. If the potential violation cannot be quickly resolved, promptly enter the issue into your corrective action process, take action to restore compliance, determine the cause of the potential violation, extent of condition, and implement action to preclude recurrence. Actions to address potential violations must be taken expeditiously and communicated to the Lead Auditor as soon as possible. Rapid recognition of a performance issue or potential violation and prompt and thorough corrective action demonstrates a healthy Internal Compliance Program (ICP) and satisfies most mitigation plan elements, should one be required. Remember to focus on reliability first.

4. Maintain a robust ongoing ICP containing appropriate controls and a self-audit process.

Audits of NERC Standards and Requirements are scheduled primarily on a three or six year periodicity based upon registered functions. Each year, Standards are revised, a new Standard implemented, or a Standard is retired. Both NERC and the Regions are involved in the Standards process and all are approved by FERC. Along with the dynamic Standards process, entities are continually operating and maintaining their facilities. All of these dynamic processes create an ever-changing and challenging regulatory landscape.

Given that entities must always be and remain in compliance with applicable Standards and Requirements, constant vigilance is needed.

In order to establish a compliance culture, each entity should implement an ICP. This program should be based upon the 13 questions developed from FERC’s enforcement guidance. Within these thirteen questions are key programmatic processes that should be implemented.

  • Documented compliance policy and procedures.
  • Awareness training of personnel in compliance program specifics.
  • Wide dissemination of the compliance program.
  • Specific training as needed to perform regulatory activities for all relevant staff.
  • A corrective action process (find, fix, and prevent recurrence).
  • Reliability Compliance Manager/Officer has independent access to the CEO and/or Board of Directors.
  • ICP is operated and managed so as to be independent.
  • Program has sufficient resources.
  • Support and participation of senior management.
  • Regular reviews are conducted of the internal compliance program and changes made as appropriate.
  • Self-auditing is scheduled for the internal compliance program.
  • Accounts for disciplinary action.

Key Actions Indicative of a Strong Compliance Culture
An entity must implement a robust training and communication plan surrounding its ICP. Senior Management should frequently participate in this training plan. Workplace posters, emails, and other awareness tools should be used to promote awareness of compliance.

NERC Compliance policies, procedures, and processes must be developed, taught, implemented, and evaluated for effectiveness. Regulatory policies, procedures, and processes must be controlled and kept current with applicable Standards and Requirements. These procedures must be approved and contain a history of revisions.

Records of all regulatory required activities (training, maintenance, communications, inventories, etc.) must be retained for the specified periods and quickly available for audit.

An effective means to schedule and track regulatory commitments such as self-certifications, NERC Alert responses, actions taken in response to violations, and NERC Standard changes must be implemented.

A corrective action process must be implemented that addresses potential and actual regulatory issues by identifying the issue, determining the cause, and taking actions to correct the specific issue and to prevent recurrence.

Each entity should implement a risk informed self-assessment process that evaluates internal controls for effectiveness and addresses those needing attention. The scheduling of these self-assessments should be developed considering the regulatory risk, potential impact to the bulk electric system, and any routine regulatory audits and self-certification schedules. The entity evaluation should be scheduled independent of any regulatory activity.

Entities should strive to implement a strong ICP that includes all elements of FERC’s 13 questions.

5. Know what the auditors will be looking for to support a compliant conclusion.

NERC Compliance staff has developed Compliance Audit Directives, Bulletins, and Tools for all Regional Entities to use in performing Compliance Audits and Spot Checks. Their purpose is to provide consistency and objectivity in assessing each Compliance Audit. The Tools [NERC RSAWs] are based on the specific reliability standards to be reviewed during the audit and contain auditor insights, such as relationship to FERC Orders and methods of verification of compliance. These sources and tools must be used to ensure success.

NERC and the REs used to focus mostly on having procedures and policies in place that include regulatory requirements, with some supporting evidence to support a compliant conclusion. Many of the Regions now focus more on operators and SMEs and whether or not they understand and actually operate to their policies and procedures (…discuss/demonstrate for me how you meet…). Robust evidence organization and process mapping are becoming much more common in entities that are highly successful in demonstrating compliance to the regulator.

To ensure success, an entity needs to provide evidence for support of its compliance during the duration of the audit period. REs often request that responses be prepared in searchable electronic formats, whether in the original submittal or subsequent information provided. SMEs at the entity should assist in preparation of responses and be available for additional support and information. In particular, the RSAWs and questionnaires submitted are requested to be in MS Word format. SMEs at the company should assist in preparation of responses and be available for additional support both prior to and during the audit.

When completing RSAWs, ensure that you read and follow what the RSAW instructs. For each requirement you must respond in narrative form on how you are meeting the specific requirement and provide specific references to support your statement. This narrative response should be specific to the requirement and as brief as possible, while conveying the necessary information to demonstrate compliance. A tip is to include an evidence reference when possible to demonstrate proof of process. More complete supportive evidence will be included as necessary.

Evidence supporting compliance should demonstrate a clear line of site to a determination of “compliant”. To address a regulatory requirement, each entity should have processes, procedures, or policies that depict how the entity intends to meet the specific requirement. To prove compliance with these entity processes, procedures, and policies you will have documentation or other means to document the results of the implementing instrument. For example, if a standard and requirement require entity staff training, acceptable evidence would be the procedure that includes the requirement for training, the lesson plan for the training, training attendance sheets for those trained, and evidence, such as shift staffing, to demonstrate that all required personnel actually received the training. Further, it may also be necessary to provide multiple copies of this training evidence depending upon the periodicity of training and the period of the audit. Evidence can take many forms such as screen shots, test records, voice recordings, memos or letters and many more. Of import is that they must be specific, dated, and retained for the specified period.

It is very important to understand what the Lead Auditor instructions are for submitting evidence and data filed for an audit. You must always follow these instructions. Below are a few good practices:

  • Create a folder for each Standard.
  • Create sub-folders for each Requirement and Sub-requirement.
  • Place the RSAW for each Standard in its specific folder.
  • Make sure you have implemented the required file naming convention prescribed by the Lead Auditor or agreed to by him/her.
  • Within the RSAW, identify all evidence by Requirement and Sub-requirement and place these files into the appropriate folder, as needed.
  • You can also create a folder for miscellaneous files that contain additional entity information that is not directly supporting the audit scope, but may be needed should additional questions arise.
  • Highlighting of all specific narratives and bookmarks within files is highly recommended.
  • Bookmarking electronic files is highly desired; however, many Lead Auditors do not want you to do this because of problems they have had. You may want to demonstrate successful transfer of information and the ability to use the bookmarks if the Lead Auditor will entertain it. In any case, satisfy the Lead Auditor.

REs provide secure portals to submit audit packages. Each Standard should stand alone with the file structure noted above, so creating a folder for each Requirement, Sub-requirement, and the RSAW and the associated evidence is the method most often used.

About the Author
Bob Biggs has more than 35 years of utility experience in generation plant operation and maintenance (fossil, hydro, nuclear, and wind), protective systems, self-assessment programs, facility ratings, and regulatory compliance. He deeply understands the regulatory lifecycle of NERC standards, development, regulatory policies and procedures, Regional Entity audits, findings, enforcement, and mitigation. Formerly the head of Entergy’s Electric Reliability Standards Corporate Compliance Division, Bob is the Services Manager and currently serves as Office of NERC Compliance Services Director for Certrec – a leading regulatory compliance expert that helps utilities manage the regulatory process to their advantage through a suite of Internal Compliance Program solutions.
 


References

1 Registered Entities will be referred to as entities throughout this article.
2 Regional Entities will be referred to as REs throughout this article.
3 Soft-skills are interpersonal skills associated with effective communication, body language, etc.
4 This is a typical listing depicting the items regions will request during the audit process. The names can at times be a bit different; however, the contents will be essentially the same.
5 A registered entity is not required to have a formal company compliance program. This survey is for documenting what your company currently does or does not have in place for promoting compliance inside of your company. The RE, to evaluate any reliability standard violations, will keep this information on file for use. A company compliance program is a factor when evaluating penalties for a reliability standards violation, so please answer the questions accurately because they can be audited.