It is not unusual that a NERC CIP audit causes anxiety in the preceding weeks for the facility owners. However, there is a way to avoid such tough times by having a detailed audit strategy.
We have listed a step-by-step approach for preparing for a NERC CIP Audit.
Take a look.
1.Know the Essentials
The NERC CIP Reliability Standards, or CIP Standards, were created by the committee without technical writers. So, these standards may appear confusing and overwhelming.
While it is important to understand the current version, it is also helpful to look at the draft version. You should review your registration status concerning the requirements to ensure that you comply with the correct version and constraints.
The two sections titled Requirements or Measures are the most important sections of each of the eight CIP Standards. While the requirements outline what the entity must do, the measures detail what evidence auditors will be looking for. However, each section is only a summary of the whole topic.
Read each requirement carefully. Note any terms that you don’t understand. To track your information, create a list of important statements in a spreadsheet.
2.Understand the Auditor Expectations
Auditors only look for one thing: the opportunity to prove that you comply (auditable) with the CIP Standards. They seek documentation and proof that you are executing procedures (as per Federal Energy Regulatory Commission [FERC] Docket No RM06-22-008. This includes both the RSAWs as well as the evidence required for each requirement.
Auditors also check for enforcement. They would want to know how you handled situations where employees didn’t comply with a procedure. It would also help determine which auditors are more concerned with “good” documentation than those who consider it “weak” or poor documentation. Remember that your experience with a “spot” check will not indicate readiness to audit.
Such a check is not subject to the same requirements as an actual audit. This is because spot checks are less thorough than actual audits, so your evidence for a spot-check might not be sufficient to support an audit.
3.Go Through the Evidence
It is beneficial to keep track of your compliance with a documentation spreadsheet. Create a column for each requirement and sub-requirement. Then create a row to hold each piece of evidence. Each row should contain a file name and/or document title. A comments column can be used to add additional information (e.g., how to access the data).
The spreadsheet should be updated after each piece of evidence has been analyzed. Even if you don’t use all of the evidence for the RSAW audit, they may be needed if the auditors request additional evidence. This spreadsheet is very helpful when packaging your evidence.
4.Make Your Evidence Accessible
In the fourth step, you must take the data (or raw evidence) and put it in a format that allows the auditor to check compliance. The auditor will typically only request a sample of your evidence.
Make sure that you have established internal procedures for extracting these samples. While most auditors prefer searchable PDFs for evidence, other formats such as Excel spreadsheets are also acceptable. A folder can be created for common files. You will only need one copy for all the documents then.
The last step involves mock audits. This can be done internally with your corporate auditor team (if one exists) or with an outside consultant. This should be done well in advance of the audit to ensure that you have time to remedy any weaknesses found.
When using internal mock audits, make sure that you don’t have the same people create and audit the evidence. You will need a new set of eyes to examine the evidence. Having a technical audience would be helpful, especially if they were not involved in preparing the evidence.
Outside vendors can also conduct practice audits. These vendors usually provide a simplified version of the actual audit. Before you hire an outside vendor, verify the experience and credentials of these auditors.
So many things can go wrong in a NERC CIP audit if you don’t prepare for it properly. However, you can undergo NERC compliance training to make sure you leave no stone unturned to prepare for that all-important audit!