NERC Audits: From an Auditor’s Perspective
by William White – NERC Reliability Specialist, NAES Corporation
You’ve received the audit notice, and panic starts to set in: ‘Am I ready? What will the auditor want to review? Will they find a hole in our program?’ These concerns are all valid, but are they necessarily warranted? NAES NERC Services recently participated in a peer-led mock audit of a WECC entity and gained some valuable insights. Here is a look – through the eyes of an auditor – of how a few situations can be handled to achieve a smooth(er) audit process and a positive outcome.
Make sure all PDF documents are searchable. Consider the structure and presentation of materials submitted to auditors. From beginning to end, first RSAW to last Data Request, you want your program and supporting documents to be clear, concise and on point. Auditors are pressed for time and already have many thoughts rushing through their heads. By making their job easier, you’ll ease their irritability and frustration.
RSAWS – or Reliability Standard Audit Worksheets – can be your greatest support or your worst enemy. They form the cornerstone of your audit package. First things first: make sure all appropriate boxes are checked and narratives are completely filled out. Compliance Narratives should be complete, detailed and clear. The Compliance Narrative should also align closely with the entity’s evidence; when these two pieces work together, compliance is easy to ascertain. The Compliance Narrative should display a clear roadmap to compliance and make the appropriate references to supporting documentation.
Data Requests – or DRs – and SME interviews are your chance to clear the air. Once a question has been asked, answering that question correctly the first time and with the appropriate amount of information is critical. A one- time answer may stop any further questions or scrutiny from the audit team. It is important to understand what questions are being asked and to answer them correctly. Make the requested deadline and time frames; the auditors will allow a sufficient amount of time to reply. You don’t want to overload the auditor or keep him/her guessing. Finally, do not ‘dump truck’ the auditor with multiple pages of information, especially without a complete and concise roadmap. Overloading your auditors will just frustrate them and likely result in additional data requests.
During the interview process, make sure your SMEs remain polite, calm and on point. In your answers, stick to what the auditor is asking; don’t talk over the auditor or other people who might be part of the interview – and do not get defensive. Keep in mind that the auditor is there to find all the things you are doing right. If something is out of sorts, do not take it personally and attack the auditor or open yourself up to other scrutiny by offering unrelated information. Have proof of what you are talking about and know the details of your program. Having a strong program is only one part of compliance; being able to prove your words is arguably more important.
Always remember that nothing is out of scope. Just because a particular standard is not on the audit list does not mean the audit cannot be broadened to include other standards. If an auditor asks about a standard that was not part of the original scope, answer the question tactfully and don’t argue the point of whether the scope expansion is appropriate. If a request is made for additional information that is not required by the standards, have your compliance lead ask politely, ‘Could you show us where in the standards it requires us to provide this?’
The audit process can be as easy or as painful as you want to make it. Ultimately, the outcome will be determined by your program, your preparation and the thoroughness of your replies. Be prepared, courteous and responsive – and your audit will end up on the top shelf.