Regional Entity Public Audit Report Template
October 2015 (Version 2.07)

3353 Peachtree Road NE, Suite 600, North Tower, Atlanta, GA 30326
404-446-2560 | www.nerc.com

Table of Contents

I. Purpose and Overview
II. Audit and Spot Check Report Development
    Audit and Spot Check Reports without Possible Violations
    Audit and Spot Check Reports with Possible Violations
    Audit and Spot Check Reports for Registered Entities in Canada and Mexico
    Additional Requirements for CIP Audit and Spot Check Reports
III. Audit and Spot Check Report Content and Naming Convention
    Public Audit and Spot Check Report Content
    Audit and Spot Check Findings
    Possible Violation (PV)
    Open Enforcement Action (OEA)
    Areas of Concern and Recommendations
    Audit and Spot Check Report Naming Convention
IV. Audit and Spot Check Report Submittal and Posting
V. Revision History
Appendix 1: Public Audit Report Template

I. Purpose and Overview

The electric reliability organization (ERO) produces public and non-public reports following each compliance audit or spot check of registered entities. This document describes the process for developing the format and content of report documents, as well as the process for filing and posting them. The Regional Entities develop these reports according to the NERC Rules of Procedure (ROP),[1] consistent with the template in the Appendices of this document. Registered entities are provided an opportunity to review and comment on the compliance reports in draft form. As discussed below, NERC reviews and submits the final compliance reports to the applicable governmental authorities[2] and, as appropriate, posts a public version of the compliance report in accordance with the reporting and disclosure process in Appendix 4C of the ROP. This bulletin applies to compliance audit and spot check reports from Operations and Planning (O&P) and Critical Infrastructure Protection (CIP).

II. Audit and Spot Check Report Development

The Regional Entity audit and spot check teams develop reports of compliance audits and spot checks of registered entities, and Regional Entity compliance staff reviews the reports. The Regional Entity submits both a non-public and a public report for each audit of a registered entity. The Regional Entity submits only a non-public report for each spot check of a registered entity. The NERC Compliance Administrator is responsible for reviewing all reports, publicly posting appropriate reports, and submitting select reports to the applicable governmental authorities. CIP audit and spot check reports require additional processing to protect the registered entity's Critical Energy Infrastructure Information (CEII) and identification of Critical Cyber Assets (CCA).
The timing and sequencing of report distribution to registered entities and NERC are discussed below.

Audit and Spot Check Reports without Possible Violations

As part of the audit and spot check assessment, the audit or spot check team completes a preliminary screen for any Possible Violations of reliability standards, based on any instances of potential noncompliance with reliability standards. If the audit or spot check team determines that the registered entity does not have any Possible Violations, the team will complete both the public and non-public audit reports and the non-public spot check report as soon as practical after the last day of the audit or spot check. If there are any differences between the findings presented during the compliance audit or spot check exit briefing and the non-public report, the executive summary of the report will include a statement of the referenced differences. CIP reports and any other reports that contain CIP information will not be submitted to applicable governmental authorities and will not be publicly posted by NERC.

Regional Entity staff reviews reports before providing a draft to the registered entity for review and comment. The registered entity has ten business days to respond to the Regional Entity with any proposed revisions.

[1] See NERC Rules of Procedure, Appendix 4C, Section 3.1 (http://www.nerc.com/AboutNERC/Pages/Rules-of-Procedure.aspx): All compliance audits shall be conducted in accordance with audit guides established for the Reliability Standards included in the compliance audit, consistent with accepted auditing guidelines as approved by NERC. The audit guides will be posted on NERC's website.
[2] The Applicable Governmental Authority for the United States is the Federal Energy Regulatory Commission (FERC or the Commission). The Applicable Governmental Authorities for each Canadian province and Mexico are separate and independent bodies.
Once registered entity comments are taken into consideration and appropriate revisions are made to the reports, the Regional Entity staff simultaneously provides the registered entity and NERC with the final version of the non-public and public reports in separate pdf files. The Regional Entity staff transmits the reports to NERC using the Regional Entities' designated https site and tracks submission of the reports to avoid sending duplicates. The Regional Entity submits only a non-public report for each spot check of a registered entity.

After the Regional Entity staff transmits the reports to NERC, the NERC Compliance Administrator posts the public report on the NERC website and sends appropriate non-public reports to FERC via a secure portal. CIP reports and any other reports that contain CIP information will not be submitted to applicable governmental authorities and will not be publicly posted by NERC.

Audit and Spot Check Reports with Possible Violations

If the audit or spot check team determines that the registered entity has Possible Violations, the team will complete only the non-public report as soon as practical after the last day of the audit or spot check. If there are any differences between the findings presented during the compliance audit or spot check exit briefing and the non-public report, the executive summary of the report will include a statement of the referenced differences.

Regional Entity staff reviews audit and spot check reports before providing a draft to the registered entity for review and comment. The registered entity has ten business days to respond to the Regional Entity with any proposed revisions. Once registered entity comments are taken into consideration and appropriate revisions are made to the reports, the Regional Entity staff simultaneously provides the registered entity and NERC with the final version of the non-public report in a pdf file.
The Regional Entity staff transmits the report to NERC using the Regional Entities' designated https site and tracks submission of the report to avoid sending duplicates. The Regional Entity submits only a non-public report for each spot check of a registered entity. After the Regional Entity staff transmits the report to NERC, the NERC Compliance Administrator sends appropriate non-public reports to FERC via a secure portal. CIP reports and any other reports that contain CIP information will not be submitted to applicable governmental authorities and will not be publicly posted by NERC.

Before producing the public version of the audit report, Regional Entity staff processes the Possible Violations that the audit team identified in the report according to the NERC Compliance Monitoring and Enforcement Program (CMEP). Once the Regional Entity and NERC have processed the Possible Violations through the appropriate compliance enforcement method, the Regional Entity will redact the non-public audit report to remove all sensitive, confidential, privileged, and critical energy infrastructure information. The redacted non-public report then becomes the public report.

The Regional Entity staff will provide the public version of the audit report that contains Possible Violations to the registered entity for review and comment. The registered entity has ten business days to respond to the Regional Entity with any proposed revisions to the report. Once registered entity comments are taken into consideration and appropriate revisions are made to the report, the Regional Entity staff simultaneously provides the registered entity and NERC the final version of the public audit report in a pdf file. Regional Entity staff transmits the public audit report to NERC using the Regional Entities' designated https site and tracks submission of the report to avoid sending duplicates.
After the Regional Entity staff transmits the report to NERC, the NERC Compliance Administrator posts the public report on the NERC website. If Possible Violations result from a Multi-Regional Registered Entity joint audit, the Regional Entity responsible for producing the audit reports will ensure that the processing of violations is complete in the respective Regional Entities participating in the joint audit, prior to providing the final public audit report to the registered entity for review or submitting the final public audit report to NERC for public posting. The Regional Entity submits only a non-public report for each Multi-Regional Registered Entity joint spot check of a registered entity. The executive summary of the public version of the report will include a statement that all Possible Violations have been resolved through the NERC CMEP process. CIP reports and any other reports that contain CIP information will not be submitted to applicable governmental authorities and will not be publicly posted by NERC.

Audit and Spot Check Reports for Registered Entities in Canada and Mexico

With respect to submission of compliance audit or spot check reports to applicable governmental authorities other than FERC (i.e., entities in Canada and Mexico), Regional Entities should follow any processes specified either in the Region's agreement with the applicable governmental authorities[3] or under the governing laws of the applicable governmental authorities.

Additional Requirements for CIP Audit and Spot Check Reports

The CIP audit or spot check team develops the CIP report using the non-public audit report template located in Appendix 1 of this bulletin. A separate CIP report is necessary even if the Regional Entity performs the CIP audit or spot check concurrently with an O&P audit or spot check. The CIP team does not develop a public version of a CIP report, as NERC does not publicly post CIP audit or spot check reports.
Submission of the non-public CIP audit or spot check reports to NERC will follow the process outlined in this bulletin. CIP reports and any other reports that contain CIP information will not be submitted to applicable governmental authorities and will not be publicly posted by NERC.

[3] The provision of the final Compliance Audit report to FERC or to another Applicable Governmental Authority shall be in accordance with Section 8.0, Reporting and Disclosure. See NERC Rules of Procedure, Appendix 4C, Section 3.1.6, available at http://www.nerc.com/AboutNERC/Pages/Rules-of-Procedure.aspx.

III. Audit and Spot Check Report Content and Naming Convention

The content of audit and spot check reports varies according to whether a report is public or non-public; however, both report types contain defined terminology for compliance audit findings. Regional Entity staff distinguishes between public and non-public, and between CIP and O&P, reports when submitting report files to NERC to ensure that registered entity information is appropriately protected.

Public Audit Report Content

The Regional Entity audit team develops the content of the public report by redacting sensitive or confidential information from the non-public report. The public report includes a list of audit findings using terminology as defined in this document. The public report will not contain confidential information, as defined in Section 1500 of the NERC ROP. The Findings section of the public report will not include a list of the evidence reviewed by the team in making its determination of compliance. Further, the public report will not include a description of how the team determined its findings, nor will it include the names of the audit participants.
Audit and Spot Check Findings

In order to maintain consistency and ensure protection of confidential information, the following terminology will be used in the Findings section of the public and non-public audit reports and the non-public spot check reports: Possible Violation and Open Enforcement Action.

Possible Violation (PV)

The audit or spot check team discovered areas of potential non-compliance (PNC) based on the evidence presented by the registered entity and reviewed by the team, and performed a preliminary screen within five days to determine whether the PNC was a Possible Violation.

Open Enforcement Action (OEA)

At the time of the audit or spot check, the registered entity had an open action item regarding the reliability standard requirement. Examples of OEAs include an open mitigation plan, self-report, settlement agreement, etc. Use of this term will include a NERC or Regional Entity enforcement tracking number in the Findings section of the report. OEA is used when the requirement has an OEA associated with it and the audit or spot check team did not identify new Possible Violations. In circumstances in which an OEA existed for a requirement, but a new Possible Violation was identified by the team, the newly identified Possible Violation will be included in the Possible Violation count, but not in the OEA count. It will appear in the Summary of Findings table in the Executive Summary and in the Findings section of the report templates.

Areas of Concern and Recommendations

Regional Entity audit or spot check teams identify and inform registered entities of Areas of Concern and Recommendations per the FERC Guidance Order on Compliance Audits Conducted by the Electric Reliability Organization and Regional Entities, dated January 15, 2009. Areas of Concern will be included in the non-public version of the report only.
The Recommendations will be included in the non-public version of the report and may be included in the public version of the audit report at the Regional Entity's discretion. It is expected that Regional Entities will include Recommendations in the public versions of the audit report if the Recommendations may be useful to other registered entities. Although Recommendations are not mandatory, it is expected that the registered entities will act upon or consider the team's Recommendations.

Area of Concern:[4] Notifies a registered entity of a situation that does not appear to involve a current or ongoing violation of a reliability standard requirement, but instead represents an area of concern that could become a violation.

Recommendation: Notifies a registered entity of a situation in which an opportunity may exist for improving compliance-related processes, procedures, or tools.

Audit and Spot Check Report Naming Convention

The Regional Entities submit compliance audit or spot check reports to NERC in pdf file format with the naming convention in this bulletin in order to properly track reports and maintain confidentiality. CIP reports are distinguished from the O&P reports, and spot check reports are distinguished from audit reports.
Each report naming convention is followed by an example of a compliance audit report conducted in 2013 by Regional Entity "XYZ" of registered entity "ABC."

O&P Public Audit Reports:
[Year]_public_[Regional Entity Acronym]_[Audited Entity Acronym].pdf
Example: 2013_public_XYZ_ABC.pdf

O&P Non-Public Audit Reports:
[Year]_non-public_[Regional Entity Acronym]_[Audited Entity Acronym].pdf
Example: 2013_non-public_XYZ_ABC.pdf

CIP Non-Public Audit Reports:
[Year]_non-public_[Regional Entity Acronym]_[Audited Entity Acronym]_[CIP].pdf
Example: 2013_non-public_XYZ_ABC_CIP.pdf

O&P Public and Non-Public Audit Reports for Multi-Regional Registered Entity Audit:
[Year]_public_[Lead Regional Entity Acronym]_[MRRE]_[Audited Entity Acronym].pdf
Example: 2013_public_XYZ_MRRE_ABC.pdf
Example: 2013_non-public_XYZ_MRRE_ABC.pdf

O&P Non-Public Spot Check Reports:
[Year]_non-public_[Regional Entity Acronym]_[Audited Entity Acronym] Spot Check.pdf
Example: 2013_non-public_XYZ_ABC Spot Check.pdf

CIP Non-Public Spot Check Reports:
[Year]_non-public_[Regional Entity Acronym]_[Audited Entity Acronym] Spot Check_CIP.pdf
Example: 2013_non-public_XYZ_ABC Spot Check_CIP.pdf

Reports Requiring Revision and Resubmission to NERC:
[Year]_public_[Regional Entity Acronym]_[Audited Entity Acronym]_REVISED.pdf
Example: 2013_non-public_XYZ_ABC_REVISED.pdf
Example: 2013_non-public_XYZ_ABC Spot Check_REVISED.pdf
Example: 2013_non-public_XYZ_ABC Spot Check_CIP_REVISED.pdf
Example: 2013_non-public_XYZ_ABC CIP_REVISED.pdf
Example: 2013_non-public_XYZ_MRRE_ABC_REVISED.pdf

[4] See Compliance with Mandatory Reliability Standards, "Guidance Order on Compliance Audits Conducted by the Electric Reliability Organization and Regional Entities," 126 FERC ¶ 61,038 (2009), dated January 15, 2009.

IV. Audit and Spot Check Report Submittal and Posting

In order to maintain continuity of audit and spot check report format and content, as well as to prevent duplicate report submissions, the Regional Entity will designate a staff member to submit audit and spot check reports to NERC and track their submission. The Regional Entity submits only a non-public report for each spot check of a registered entity. The Regional Entity staff designee will upload the reports to the Regional Entity's designated https site and will track the reports to avoid submission of duplicates. The public and non-public reports will be submitted in separate pdf files.

The NERC Compliance Administrator will check the Regional Entities' https sites for submitted reports at least once per week, log receipt of the reports in the report-tracking tool, and review the reports for administrative errors and consistency with the audit and spot check report template. The NERC Compliance Administrator will inform the Regional Entity designated staff via email that the report was received by NERC and whether there are any reports that do not meet review criteria and require revision and re-submission.

The NERC Compliance Administrator will submit the final non-public audit and spot check reports to the applicable governmental authority[5] via a secure portal or other pre-approved method, post the finalized public audit reports to the NERC website, log dates in the report-tracking tool, archive both public and non-public reports on the NERC SharePoint site, and notify the Regional Entity designated staff via email that the reports have been posted. NERC will not publicly post the final Compliance Audit report for at least five (5) business days following receipt.[6] CIP reports and any other reports that contain CIP information will not be submitted to applicable governmental authorities and will not be publicly posted by NERC.

Process disclaimer: NERC reserves the right to issue new process bulletins or modify existing process bulletins when necessary and at its discretion.

[5] The provision of the final Compliance Audit report to FERC or to another Applicable Governmental Authority shall be in accordance with Section 8.0, Reporting and Disclosure. See NERC Rules of Procedure, Appendix 4C, Section 3.1.6, available at http://www.nerc.com/AboutNERC/Pages/Rules-of-Procedure.aspx.
[6] NERC will not publicly post the final Compliance Audit report for at least five (5) business days following receipt. See NERC Rules of Procedure, Appendix 4C, Section 3.1.6, available at http://www.nerc.com/AboutNERC/Pages/Rules-of-Procedure.aspx.

V. Revision History

Version | Date | Reviewers | Revision Description
1 | 02/01/2010 (effective on posting) | NERC and Regional Entity Staff | Version 1.0
1.1 | 04/30/2010 | Mike Moon; Jacki Power; Craig Struck; Regional Entity Staff | Directive Revisions: Removed flowchart. Audit Report Template Revisions: Added self-certification statement to Executive Summary, added reference to NOP link in Executive Summary, changed all references to PAV to PV.
1.1 | 05/19/2010 | NERC Management | Changed non-public status and posted publicly.
1.2 | 07/28/2010 | Craig Struck, NERC | Added guidance to directive and report templates on use of terms for identifying compliance findings in audit reports, and information regarding CIP audit reports.
1.3 | 10/11/2010 | Craig Struck; NERC Compliance Operations Management and Legal Department | Minor editorial and errata changes. Added references to pending CIP information handling process. Added wording stating spot checks will require reports. Revised wording to state links will be to NOP page. Incorporated Compliance Operations Management and Legal Department comments.
1.4 | 08/01/2011 | Craig Struck, NERC | Added language to include "areas of concern" (as noted in January 2009 FERC Guidance Order on Compliance Audits) and Recommendations. Added clarifying language regarding NOP links, separate report requirements for concurrent O&P and CIP audits, level of detail in findings table, and use of findings terminology in findings table. Modified audit report templates based on changes noted above. Minor editorial and arrangement changes.
2.01 | 06/26/2012 | Craig Struck, NERC | Rewrite of directive and report template to remove duplicative language. Added instructional language to template. Added high-level count table to Executive Summary. Renamed Audit Results section to Audit Findings. Removed evidence reviewed from public report. Added blue-colored instructional text. Removed language regarding NOP links. Added definitions for Areas of Concern and Recommendation. Added language regarding functional registration mapping to templates. Updated to latest version of Style Guide.
2.02 | 08/21/2012 | Craig Struck, NERC | Minor editorial and arrangement revisions based on ECEMG, CMPWG, and CCWG feedback. Added language stating that the Findings table may be an Appendix to reports.
2.03 | 09/10/2012 | Caroline Clouse, NERC | Copyediting
2.04 | 01/30/2013 | Caroline Clouse, NERC | Copyediting
2.05 | 03/26/2013 | Craig Struck, NERC | Removed references to public spot check reports. Updated footnotes to correspond with Rules of Procedure/CMEP revisions. Minor wording changes.
2.06 | 06/13/2013 | Jim Armstrong, NERC; NERC Compliance Operations staff | Removed requests for listing of standards for which there were "No Findings" or that were "Not Applicable." This information should be properly supported by the team's corresponding work papers. Also divided the public and non-public audit report templates into two documents.
2.07 | 10/22/2015 | Adina Mineo, NERC Compliance Assurance Manager | Updated Appendix 1: Removed areas of concern reference from the executive summary.

Appendix 1: Public Audit Report Template

Date of [Entity Name] Audit: [Opening Presentation – Exit Briefing]
Date of Report: [Date of Final Management Review and Report Does Not Change]

Public Audit Report Template

[INSTRUCTIONS – Delete After Reading: All blue-colored text found in the Audit Report templates is instructional language from the appropriate section of the bulletin and should be deleted when no longer needed by the report author.]

[Insert Regional Entity Logo]

NERC ID(s) | Registered Entity Name(s)
NCR00000 | [Name of the Entity Here]

Reliability Standards Audit Scope: Choose an item.
Compliance Monitoring Process: Choose an item.
Distribution: Choose an item.
Lead Region: Choose an item.
Dates of Audit: From June 20, 2013 to May 6, 2013
Date of Report: May 16, 2013
Possible Violations Identified: Choose an item.
Jurisdiction: Choose an item.

Table of Contents

[INSTRUCTIONS – Delete After Reading: When the report is complete, ensure the Table of Contents is updated so that section titles indicate the correct page number. 1) Select the entire Table of Contents. 2) Right-click on the selection and select Update Field. 3) Update page numbers or the entire table as appropriate.]

I. Executive Summary ... 1
II. Audit Process ... 3
    Objectives ... 3
    Scope ... 4
    Confidentiality and Conflict of Interest ... 4
    Methodology ... 4
    Company Profile ... 4
    Audit Participants ... 5
III. Audit Findings ... 6
IV. Recommendations ... 7
V. Compliance Culture ... 8

I. Executive Summary

[INSTRUCTIONS – Delete After Reading: Use of MS Word's Find and Replace feature for [Red Text] in brackets will significantly reduce manual entry by the report author.]

[Regional Entity] conducted [a(n)] [Operations and Planning or Critical Infrastructure Protection] Audit of [Entity Name] [Entity Acronym], NERC ID [XXXXXX], from [Dates of Opening Presentation – Exit Briefing].
At the time of the Audit, [Entity Acronym] was registered for the functions of [Delete Non-Applicable Functions: Balancing Authority (BA), Distribution Provider (DP), Generator Operator (GOP), Generator Owner (GO), Interchange Authority (IA), Load-Serving Entity (LSE), Planning Authority (PA), Purchasing-Selling Entity (PSE), Reliability Coordinator (RC), Reserve Sharing Group (RSG), Resource Planner (RP), Transmission Operator (TOP), Transmission Owner (TO), Transmission Planner (TP), and Transmission Service Provider (TSP)].

[Delete if Non-Applicable] [Entity Acronym] was also registered for a Joint Registration Organization (JRO), JRO ID [XXXXXX], for the [JRO Registered Functions] functions. [Entity Acronym] was also registered for a Coordinated Function Registration (CFR), JRO ID [XXXXXX], for the [CFR Registered Functions] functions.

[Delete if Non-Applicable; Delete Non-Applicable Functions] The Reliability Coordinator (RC), Balancing Authority (BA), Transmission Operator (TOP), Planning Coordinator (PC), Transmission Planner (TP), and Resource Planner (RP) for [Entity Acronym] are as follows, respectively: [XXXXXX], [XXXXXX], [XXXXXX], [XXXXXX], [XXXXXX], and [XXXXXX].

[Delete if Non-Applicable; Delete Non-Applicable Functions] [Entity Acronym] performs the functions of Planning Coordinator (PC), Transmission Planner (TP), and Resource Planner (RP) for the following registered entities, respectively: [XXXXXX], [XXXXXX], [XXXXXX], [etc.].

The Audit team evaluated [Entity Acronym] for compliance with [Number (XX)] requirements in the [Year] NERC Compliance Monitoring and Enforcement Program (CMEP) and the [Regional Entity] CMEP Implementation Plan.
The team assessed compliance with the NERC Reliability Standards (and Regional Reliability Standards, if applicable) for the period of [Start Date of Monitored Period to Date of Exit Briefing]. [Entity Acronym] submitted evidence for the team's evaluation of compliance with requirements. The team reviewed and evaluated all evidence provided to assess compliance with reliability standards applicable to [Entity Acronym] at this time.

[Delete this sentence and Table 1 if there are no findings] Based on the evidence provided, the team's findings are summarized in Table 1 below:

[Add the following if no findings are noted: Based on the evidence provided, no findings were noted for the standards and applicable requirements in scope for this engagement.]

Table 1. Summary of Findings

                                    | Possible Violation | Open Enforcement Action* | Total
Reliability Standard Requirements   |                    |                          |
Regional Standard Requirements      |                    |                          |
Total                               |                    |                          |

*OEAs with newly identified PVs are counted in the PV column only, not in the OEA column. OEAs without newly identified PVs are counted in the OEA column.

The team notified [Entity Acronym] of [Number XX] Recommendations.

Possible Violations will be processed as outlined in the NERC CMEP and the [Regional Entity Name] CMEP Implementation Plan. There [were/were not] open mitigation plans, and therefore [all/none] were reviewed by the team. [NOTE – Delete After Reading: If the team is instructed by an ERO Enforcement department NOT to review an open mitigation plan, please note that here. If the team reviewed mitigation plans for OEAs, note that here.]
The [Regional Entity] Audit team lead certifies that the team adhered to all applicable requirements of the NERC Rules of Procedure (ROP) and Compliance Monitoring and Enforcement Program (CMEP).[1]

OR

The [Regional Entity] Audit team lead certifies that the Audit team adhered to all applicable requirements of the NERC Rules of Procedure (ROP) and Compliance Monitoring and Enforcement Program (CMEP) with the following exceptions: The [Regional Entity] team did not adhere to [Section of ROP/CMEP] due to [state reason].

[1] This statement replaces the Regional Entity Self-Certification process.

II. Audit Process

The compliance Audit process steps are detailed in the NERC Rules of Procedure, the NERC Compliance Monitoring and Enforcement Program, and the [Regional Entity] CMEP Implementation Plan. The Compliance Monitoring and Enforcement Program generally conforms to the Government Auditing Standards and other generally accepted audit practices.

Objectives

All registered entities are subject to compliance assessments with all reliability standards applicable to the functions for which the registered entity is registered[2] in the Region(s) performing the assessment.
The Audit objectives are to:
• Review compliance with the requirements of reliability standards that are applicable to [Entity Acronym], based on the functions that [Entity Acronym] is registered to perform;
• Validate compliance with applicable reliability standards from the NERC [year] Implementation Plan list of actively monitored standards, and additional NERC Reliability Standards selected by [Regional Entity];
• Validate compliance with applicable Regional Reliability Standards from the [Regional Entity] [Year] Implementation Plan list of actively monitored standards, if applicable;
• Validate evidence of self-reported violations and previous self-certifications;
• Observe and document [Entity Acronym]’s compliance program and culture;
• Review the status of open mitigation plans.
[INSTRUCTIONS – Delete After Reading: For CIP audits only]
• Review Approved and Terminated Technical Feasibility Exceptions.

Scope

The scope of the compliance Audit included the NERC Reliability Standards from the [Regional Entity] [Year] CMEP Implementation Plan. In addition, this Audit included a review of mitigation plans or remedial action directives that were open during the Audit. The standards and requirements in scope for this [Audit or Spot Check] are illustrated in Table 2 below:

Table 2. Audit Scope

Standards        Requirement(s)

2 NERC Rules of Procedure, Appendix 4C, Section 3.1, Compliance Audits.

The team [did/did not] expand the scope beyond what was stated in the notification package. [NOTE – Delete After Reading: If the team expanded the scope beyond what was stated in the notification package, note that here.]

Confidentiality and Conflict of Interest

Confidentiality and conflict of interest of the Audit team are governed under the [Regional Entity] Delegation Agreement with NERC, and Section 1500 of the NERC Rules of Procedure.
[Entity Acronym] was informed of [Regional Entity]’s obligations and responsibilities under the agreement and procedures. The work history for each team member was provided to [Entity Acronym], which was given an opportunity to object to a team member’s participation on the basis of a possible conflict of interest or the existence of other circumstances that could interfere with a team member’s impartial performance of duties. [Entity Acronym] had not submitted any objections by the stated 15-day objection due date and accepted the team member participants without objection. There were no denials or access limitations placed upon this team by [Entity Acronym].

Methodology

The Audit team reviewed the evidence submitted by [Entity Acronym] and assessed compliance with requirements of the applicable reliability standards. [Regional Entity] provided [Entity Acronym] with a Request for Information (RFI) prior to commencement of the Audit. [Entity Acronym] provided pre-Audit evidence at the time requested, or as agreed upon, by [Regional Entity]. Additional evidence could be submitted until the agreed-upon deadline prior to the exit briefing. After that date, only data or information that was relevant to the content of the report or its findings could be submitted with the agreement of the audit team lead.

The Audit team reviewed documentation provided by [Entity Acronym] and requested additional evidence and sought clarification from subject matter experts during the Audit. Evidence submitted in the form of policies, procedures, emails, logs, studies, data sheets, etc. was validated, substantiated, and cross-checked for accuracy as appropriate. Where sampling is applicable to a requirement, the sample set was determined by a statistical methodology, along with professional judgment. Findings were based on the facts and documentation reviewed, the team’s knowledge of the BES, the NERC Reliability Standards, and professional judgment.
All findings were developed based upon the consensus of the team.

Company Profile

[INSTRUCTIONS – Delete After Reading: This section should contain descriptive information about the audited entity to explain its usage, ownership, or operational responsibilities pertaining to the BES. In addition, information identifying geographical area, size, organizational roles, etc. should be included.]

Audit Participants

The following is a list of all personnel from the [Regional Entity] Audit team and [Entity Acronym] who were directly involved during the meetings and interviews.

[Regional Entity] Team Members    Role               Title    Entity
                                  Audit Team Lead
                                  Team Member
                                  Team Member
                                  Team Member
                                  Team Member
                                  Observer

[Entity Acronym] Participants     Title    Entity

III. Audit Findings

[INSTRUCTIONS – Delete After Reading: The CIP team does not develop a public version of a CIP report as NERC does not publicly post CIP audit or spot check reports. CIP reports and any other reports that contain CIP information will not be submitted to applicable governmental authorities and will not be publicly posted by NERC.]

[NOTE: The audit findings may be provided in the body of the report or as an Appendix to the report.]

The following information details the compliance findings for the reliability standards and requirements identified in the scope of this Audit. All other reliability standards and requirements in scope for this audit were tested without exception.

OR

Based on the results of this Audit, no findings were noted for the standards and applicable requirements in scope for this engagement.

1. Reliability Standard # - [XXX-###-#]
   Requirement # - [Requirement/Sub-Requirement (XX)]
   Finding – [INSTRUCTIONS – Delete After Reading: OEA is used when the requirement had an OEA associated with it and the team did not identify new Possible Violations. In circumstances where an OEA existed for a requirement but a new Possible Violation was identified by the team, the newly identified Possible Violation will be included in the Possible Violation count, but not in the OEA count. It will appear in the Summary of Findings table in the Executive Summary and the Findings section of the report templates.] [Enter Finding: Possible Violation or Open Enforcement Action (Include Enforcement Tracking Number)]

2. Reliability Standard # - [XXX-###-#]
   Requirement # - [Requirement/Sub-Requirement (XX)]
   Finding – [INSTRUCTIONS – Delete After Reading: OEA is used when the requirement had an OEA associated with it and the team did not identify new Possible Violations. In circumstances where an OEA existed for a requirement, but a new Possible Violation was identified by the team, the newly identified Possible Violation will be included in the Possible Violation count, but not in the OEA count. It will appear in the Summary of Findings table in the Executive Summary, and the Findings section of the report templates.] [Enter Finding: Possible Violation or Open Enforcement Action (Include Enforcement Tracking Number)]

OR

Standard       Req.                                  Finding
[XXX-###-#]    [Requirement/Sub-Requirement (XX)]    [INSTRUCTIONS – Delete After Reading: OEA is used when the requirement had an OEA associated with it and the team did not identify new Possible Violations. In circumstances where an OEA existed for a requirement but a new Possible Violation was identified by the team, the newly identified Possible Violation will be included in the Possible Violation count, but not in the OEA count, in the Summary of Findings table in the Executive Summary, and the Findings section of the report templates.] [Enter Finding: Possible Violation or Open Enforcement Action (Include Enforcement Tracking Number)]

IV. Recommendations

[INSTRUCTIONS – Delete After Reading: Regional Entity teams identify and inform registered entities of Areas of Concern and Recommendations per the FERC Guidance Order on Compliance Audits Conducted by the Electric Reliability Organization and Regional Entities, dated January 15, 2009. The Areas of Concern will be included in the non-public version of the audit or spot check report only. The Recommendations will be included in the non-public version of the report and may be included in the public version of the report at the Regional Entity’s discretion. It is expected that Regional Entities will include Recommendations in the public versions of the audit report if the Recommendation may be useful to other registered entities. If the Regional Entity chooses to exclude Recommendations from the non-public report, delete the following section.]

The Audit team identified and informed [Entity Acronym] of [Number (XX)] Recommendations. The specific details of each Recommendation are described below.

1. [Enter detailed description on Recommendation].
2. [Enter detailed description on Recommendation].
3. [Enter detailed description on Recommendation].

OR

Based on the results of this Audit, no recommendations were noted for the standards and applicable requirements in scope for this engagement.

V. Compliance Culture

The [Regional Entity] Audit team performed an assessment of [Entity Acronym]’s compliance culture in conjunction with the Audit process. The assessment was accomplished through a review of responses to the Internal Compliance Survey questionnaire and additional information that was gathered during interviews and observations. This included an assessment of factors that characterize vigorous and effective compliance programs including:
• Active engagement and leadership by senior management;
• Effective, in-practice preventive measures appropriate to the circumstances of the company;
• Prompt detection of problems, cessation of misconduct, and reporting of a violation; and
• Remediation of the misconduct.

OR

[Entity Acronym]’s compliance culture was not reviewed by the [Regional Entity] Audit team due to [state reason].