NERC Compliance Audit Tips for Subject Matter Experts
It is one thing for Compliance Managers, regulatory specialists, and expert advisers to sit down with an auditor and answer questions about how an organization meets the requirements of the NERC reliability standards. Many of these individuals deal with the standards full time, including monitoring the development of the applicable standards, mapping implementation of changes, and creating or revising applicable procedures. These duties include designing and delivering training to both executive and operations staff on what is involved and how to craft a compliance strategy that best fits their needs.
It is quite another thing for a designated Subject Matter Expert (SME) to prepare and deliver compliance information to an auditor. Likely, compliance with the standard in question is not their full-time job. They have a role to play in assuring compliance with one or more requirements but their viewpoint, rightfully so, is limited. A wise person once said that compliance with the NERC standards consists of two things: either a procedure to do something or evidence you did something. That adage can be refined to include controls for making sure these things happen correctly and on time.
Auditor interviews can be intimidating but the anxiety associated with the experience can be largely mitigated with some relatively simple steps.
- Conduct a mock audit with SME interviews to replicate the practices and expectations of the Compliance Enforcement Authority that would be performing the audit. This mock audit can include informal exchanges and presentations of examples showing what language leads most directly to the evidence of compliance, and what behaviors can distract from achieving a quick acknowledgement of compliance.
- Avoid answers to auditor questions that include opinions about the efficacy of the standard in question or skepticism about the organization’s effectiveness in complying with it.
- Treat “I don’t know, but I can find out” as a perfectly acceptable answer to a detailed question.
- Spend a few minutes, especially for newer employees, to explain why certain standards exist, what risks are being addressed, and how their organization manages those risks. Sometimes understanding the why behind the what can instill confidence in the how.
- Include the SMEs in reviews of procedures, internal controls, and ideally a roles and responsibilities matrix that has their name on it next to the requirements for which they’re responsible. Familiarity with the matrix also lets them know what constitutes acceptable evidence, who is responsible for generating it, where it is stored, the periodicity of actions, and where to seek guidance on any questions that may come up.
- Provide a brief overview of documented violations of standards and requirements within their scope of responsibility.
- Review relevant published guidance on best practices and lessons learned for standards and requirements within their scope of responsibility.
- Don’t be afraid of the dreaded “controls” questions. For one thing, everything described here is a control. For high-risk standards like Facility Ratings and Protection System Maintenance and Testing, it is rare that one SME has sole responsibility for them. These types of standards by their nature demand a programmatic process to manage the complex requirements. In these cases, the obvious SME is the compliance manager, who can readily describe how compliance is achieved. A technical resource can serve as a co-SME for these interviews if needed.
- Make sure the SME knows they have the full support of the entire compliance program and management.