The Evolution of Mock Audits for Compliance
Compliance mock audits, or “practice” audits, with the NERC Reliability Standards have long been a staple of robust internal compliance programs. The options for how to execute the audit are infinite but typically consist of the published practices of the applicable region. The audits ideally include completing the Reliability Standard Audit Worksheet for each standard included.
The scope of which standards to include can depend on things such as:
- Historic problems with one or more standards
- Areas of focus and risk elements identified in the NERC Compliance Monitoring and Enforcement Plan
- Industry forums that have pointed to difficulties with certain standards or requirements
- Subject Matter Expert (SME) turnover
Mock audits tend to fall within one of three categories, depending on what the registered entity wants to achieve.
#1. The first method is the straight and strict audit. SMEs are interviewed either in person or online and asked to describe how their organization complies with the requirements of the standards in scope for the audit. There is very little back and forth conversation. The SME is allowed to respond however they see fit, whether they stick to the simple evidence of compliance or veer off into explanations about how things actually work and questions on why their entity is expected to comply with the standard in the first place. The auditor notes the evidence referenced or provided and defers opinions on the SME’s responses to the exit presentation.
#2. A second method is similar to the one described above, but with the auditors calling a time out to provide guidance for the SME’s response or address the quality of the evidence when appropriate. This method brings the guidance input from the exit presentation forward to the time spent with the SME. Questions are answered and explanations of applicability are handled here as well.
#3. A third method is to have more of a guided dress rehearsal of the audit, with introductions and some background for each standard covered. The auditor and SME discuss how to best present and describe the evidence. This method is more of a training exercise and is especially useful for newer entities with little experience in complying with reliability standards. Audits like this are often preceded by some training on the origins, scope, and purpose of the standards.
The mock audit scope can include every applicable requirement which may be a good approach for newer entities. Or the scope can be any combination of standards and requirements the registered entity feels needs attention.
One other option is a mock audit devoted entirely to internal controls. This audit type is becoming more popular as questions about controls become more prominent in actual audits.
One final note is the expected look and feel of the final audit report. If the compliance managers and SMEs want a clean and quick record of the audit findings, a simple spreadsheet is sufficient. However, if the report is going to be used to substantiate budget or personnel requests and will be included in a board of directors’ agenda package for example, then a more formal and expository report may be needed.
Don’t hesitate to customize your mock audit in whatever way suits your situation. It is a valuable tool when used correctly.