Preparing for a Compliance Audit under Mandatory Reliability Standards

Transcription

1 Preparing for a Compliance Audit under Mandatory Reliability Standards Dan Skaar March 1, 2010 Midwest Reliability Organization Background Reliability Standards are mandatory in the U.S. under Section 215 of the Federal Power Act (since 2007) and in other parts of Canada, subject to provincial authorities NERC, as the international Electric Reliability Organization, delegates its authorities to Regional Entities (Midwest Reliability Organization) Compliance and Enforcement of Reliability Standards is done under Rules called the Compliance and Enforcement Monitoring Program (CMEP) In the U.S., the Federal Energy Regulatory Commission approves any enforcement actions or Rules changes 2

2 Preparing for An Audit-Big Picture Understand the Mind of the Auditor Risk averse Seek Reasonable Assurance -show me [it s not about trust; its about demonstrating compliance] Risks, Controls, and Materiality Inherent Risk the risk linked to the activity itself assuming there are no related controls Control Risk - the risk that controls will not prevent, detect and correct errors Detection Risk risk that auditor will not detect a material problem function of audit procedure and its application by the auditor Three Phases to An Audit [reference GAO Yellow Book : MRO asserts that compliance audits should be conducted under the applicable performance audit standards] Planning: understanding the entity under audit Fieldwork: evidentiary review- overall sufficiency Reporting: conclusions and findings 3 Compliance Controls Culture of Compliance Significant mitigating factor for audit risk and enforcement actions How can you demonstrate it? Examples: Have a written program Senior management engagement early and often [MRO likes to see a very senior executive engaged in the audit] and review of draft audit reports Documentation readily available (ability to get information quickly) Understanding of how to demonstrate compliance Single points of contacts On going compliance training, including the field staff [documents are marked that are compliance mandatory] and buy in Cooperation [flexibility for change to schedule, provide additional information, etc.] Continuous and tested [internal self assessments, self reporting, training] Complete the internal compliance control survey Bottom line: Effective compliance programs Detect, Report, and Correct [refer to Commission guidance, US sentencing guidelines, NERC sanction guidelines, COSO framework] 4

3 Interview Preparation Part of an audit relies on interviews of Subject Matter Experts and others Those who will be interviewed should: Exhibit clear communications Not be defensive; be open, but not flippant Listen to the questions and discussion Not guess, provide alternatives to demonstrate compliance; not everyone demonstrates compliance the same way, get adequate clarifications to accurately address the question Know that auditors like to corroborate answers from interviews with other sources; so help the auditors corroborate your answers 5 Don t Confuse Enforcement with Compliance Compliance: the burden is on the entity to provide sufficient evidence to be reasonably assured of compliance [known as the man on the street test ] Enforcement: the burden is on the Region [closer to absolute assurance ] 6

4 Segregating Compliance from Enforcement Reaching Absolute Assurance = Enforcement Action ENFORCEMENT COMPLIANCE ABSOLUTE ASSURANCE REASONABLE ASSURANCE Investigations and Findings Notices [INAVs, NOAVs, NOCVs] Settlements and Hearings Key considerations: harm, compliance culture, intent, compliance history, sufficiency/quality of evidence Sufficiency Relevance FINDINGS (Potential Wrong Doing) Appropriateness ( reliability ) Overall Assessment of Evidence Key considerations: risk, materiality, strength of internal (compliance) controls, applicability, legal context of Section 215 and provincial agreements CMEP Due Process GAO STANDARDS 1. Planning 2. Field Work 3. Reporting No Presumption of Wrong Doing Midwest Reliability Organization Documentation Retention Documentation Keep current and retain past versions and be able to produce them on request [ask the audit lead on the audit monitoring period of the applicable standards] Make sure retention policies align with obligation to produce evidence for an audit Operations Retain logs and communications of significant events [searchable is a plus] Protection Systems, Vegetation Management Retain all maintenance and testing records [database is a plus] Planning Retain studies, communications 8

5 Audit Packet 60 Day Notice [voluntarily using 90 day notices] Pre-Audit Survey High level overview and logistics Questionnaire Reliability Standard Auditor Worksheets (QRSAWs) Describe process to meet compliance with each requirement Identify supporting documentation, section, page numbers Identify Subject Matter Experts [SME] Single points of contacts are most helpful Provide response to general questions 9 Supporting Evidence Provide Identified Evidence Catalog Evidence By Standard Library approach for common documents, such as System Restoration Plan Evidence Naming Conventions Facility Ratings Methodology, FAC_008 , FAC008 Comments FAC_008_R1_D1, FAC_008_R2 D1 Doc1.pdf, Doc2.pdf, Doc3.pdf 10

6 Supplemental Evidence Requested prior to on-site fieldwork/webex (off-site) Provide in electronic format prior to visit/meeting Similar presentation as initial submittal-by Standard Requested on-site/webex (off-site) Provide in electronic format at end of each day Goal: Save trees-zero paper at the end of the day for the audit team 11 Tips Ask questions; don t assume Its fair to ask the auditors how can I demonstrate compliance with this standard [there should be no mysteries; its an open book test ] Its not fair to ask the auditors if I do this, will I be compliant [independent auditors cannot step in the shoes of an owner, operator or user of the bulk power system. We cannot assume the risk that we know how to operate, own and operate your system better than you. If you are not sure, self report] Request a pre-audit conference Provide an overview of your company and compliance programs; help the auditor understand your business Assign single points of contacts for providing the documentation to the auditor [ask the same of the auditor] 12

7 Tips Perform a self assessment once a year [use a peer company] as part of a systematic compliance program [not point in time compliance ] Be an advocate for you company. At the end of the day, if the auditor disagrees and makes a finding, you are protected through the due process steps in the enforcement Rules 13 Questions? QUESTIONS 14