Identifying when a NERC CIP Mock Audit may be right for you
Many entities struggle to demonstrate compliance with NERC CIP Security Standards. Common issues include:
- Reliability Standard Audit Worksheets (RSAWs) with unfocused or irrelevant verbiage, or that only rehash Requirements or statements pulled from the entity’s security policy, rather than offer a clear roadmap of the controls and documentation provided,
- SMEs unprepared for the GAGAS “show me the evidence” style of questioning,
- inconsistent procedures and technical controls across business units (power, IT, physical security), and
- irrelevant or excessive documentary evidence provided to demonstrate compliance.
Such issues can lead to a difficult NERC CIP audit characterized by lengthy and potentially unresolved lines of questioning, numerous after-business hours devoted each night to fulfilling data requests, and having areas unnecessarily deemed non-compliant.
N&ST’s approach: Confidence comes with practice
N&ST has developed an offering to assist an entity in becoming better prepared for its NERC CIP Audit by its Regional Entity (RE). Led by two senior consultants with direct experience working with REs, both on and off official Audit Teams, the engagement follows the general approach and format of an official audit. Sessions interleave coaching discussions with SMEs regarding strategies, tactics, and targeted wording to use in response to auditor questioning. Thus, the SMEs will become prepared to respond to questions and discuss their evidence in a manner that facilitates the goal of the Audit Team: to determine compliance. During the engagement all 43 requirements in the eight Standards (CIP-002 through CIP-009) are evaluated, although ad hoc coaching advice, discussion around particular SME responses, and the need for prolonged focus on certain requirements may limit deep analysis of every Requirement or of a Standard as a whole.
N&ST encourages representatives from Internal Audit and Legal, in addition to the core NERC CIP compliance team and SMEs, to participate in the Mock Audit to become familiar with the style of questioning and the burden of proof on the organization.
The dress rehearsal
N&ST begins the engagement – a rehearsal for the actual audit – by reviewing the entity’s RSAWs and the other evidence it intends to present for compliance determination. SME interviews are conducted to simulate the GAGAS approach, using the RSAW to guide the questions and interpret other evidence. Sessions are started with the “auditor hat on”; issues that arise during the interview, such as inappropriate verbiage, volunteering information, or “deer in headlights” moments, initiate “hats off” coaching discussions. The line of questioning may reveal the need to make changes to the materials provided as evidence – additions, modifications, and even removal of irrelevant items. Inconsistencies in policy, process, procedures, and evidence across responses from the power, IT, and physical security SMEs will be discussed with the group, noted and recorded by the entity, and captured in the workbook created by the N&ST consultants to log the evidence presented. At the conclusion of the interview portion of the engagement, SMEs should be better able to convince the Audit Team that the entity practices what it documents. They will do this by “painting a picture” of policy impact, enacted procedures, and implemented controls intended to reduce unauthorized access.
N&ST will deliver two documents at the conclusion of the engagement. The first is a workbook listing observations, a compliance opinion, and recommendations for each individual Requirement in the Standards. The other is a presentation summarizing the findings and recommendations, along with reminders for preparing for the audit.
The lessons learned during the “dress rehearsal” should result in an audit characterized by workdays ending at a reasonable hour, a small number of data requests, and SMEs not so drained that they cannot return to their desks and work. Most of all, there should not be any surprise “Potential Violations” beyond known gaps in controls. In some cases, a low-anxiety audit may even lead to free advice from the RE Audit Team.
Options to customize the Mock Audit to your specific needs
There are three optional modules that may be incorporated into the Mock Audit to tailor it to the individual needs of the entity:
- SME Workshop: Some SMEs, frequently the more technically proficient, have never participated in any type of audit. N&ST has developed a one-day workshop to introduce these SMEs to the audit experience. Role-play exercises simulate actual lines of questioning and demonstrate the behaviors SMEs should exhibit when in front of the RE Audit Team. This workshop is best placed at the start of the engagement, ensuring that the SMEs are better prepared for the “auditor hat on” interviews conducted as part of the Mock Audit.
- Document (Re)writing: Once the interviews have been completed, the entity may want assistance in writing or updating the RSAWs. Well-written responses in these documents should guide the Audit Team to understand the programs, controls, and evidence provided for compliance determination by painting a picture of the overall program and the materials provided. These responses should present unified approaches that may be implemented separately by the power, IT, and physical security business units. Additional types of documents, such as policies, programs, and procedures, may also be reviewed and edited by the N&ST consultants.
- Individualized SME Coaching: During interview sessions, N&ST and/or members of the entity’s business units may flag certain SMEs as requiring additional coaching. Either in a small-group setting or one-to-one, N&ST will work with these SMEs to practice interview skills so that they become more relaxed and proficient at handling ad hoc questions in an intuitive manner.