Internal Controls for Compliance

by Walt Bukowski, NERC Reliability Specialist

No other topic has gained as much attention in the electric industry lately as Internal Control, and the ongoing concerns over cyber-security risk to the Bulk Electric System. Depending on the level of success, or frustration with your company compliance efforts, the idea of developing and incorporating a set of Internal Control into your operation is either logical, or a mind breaking task. Those of you in the mind breaking task need to be reminded that Internal Controls are now mandatory, and most companies operate on a “do whatever is necessary but nothing more.” Many companies relegate Internal Controls into doing more. Internal Controls are doing something that is necessary for compliance. Depending on one approach to Internal Controls is truly doing something extra for compliance. Internal Controls are a set of requirements which requires extra time and efforts to implement.

So, what is an Internal Control? Per the NERC ERO for Internal Controls offers the following statement, “Effective Internal Controls support the reliability and security of the Bulk Electric System (BPS) by identifying, assessing, and correcting issues, and their use can demonstrate reasonable assurance of compliance with the NERC Reliability Standards.” Internal Controls are classified as: Preventive, Detective and Corrective.

A simple analogy is the lights or alarms on your instrument panel in your car. The primary purpose is to make sure you are aware of the conditions of your car. This is Preventive.

A secondary analogy is the displaying an indicator light or sounding an alarm. The secondary purpose is to make you aware or warn you that there is something wrong. This is Detective.

If you see an indicator light or sounding of an alarm, then you proceed to the side of the road or the nearest gas station to check out the issues. This is Corrective.

So, why is Internal Control being emphasize by NERC ERO? Per the NERC ERO, a company with strong Internal Controls are more aware of circumstances that could lead to the possible compliance issues before compliance issue lead into a violation. If a violation does occur, a strong Internal Controls kick in to correct the issue and help prevent future compliance issues. Internal Controls will allow a companies compliance program to run in automatic and actually save work instead of creating work by reducing the amount of time and efforts by the compliance staff.