Regional Entity Public Audit Report Template v 2.07

Regional Entity
Public Audit Report Template
October 2015 (Version 2.07)
3353 Peachtree Road NE
Suite 600, North Tower
Atlanta, GA 30326
404-446-2560 | www.nerc.com
Table of Contents
I. Purpose and Overview
II. Audit and Spot Check Report Development
    Audit and Spot Check Reports without Possible Violations
    Audit and Spot Check Reports with Possible Violations
    Audit and Spot Check Reports for Registered Entities in Canada and Mexico
    Additional Requirements for CIP Audit and Spot Check Reports
III. Audit and Spot Check Report Content and Naming Convention
    Public Audit and Spot Check Report Content
    Audit and Spot Check Findings
    Possible Violation (PV)
    Open Enforcement Action (OEA)
    Areas of Concern and Recommendations
    Audit and Spot Check Report Naming Convention
IV. Audit and Spot Check Report Submittal and Posting
V. Revision History
Appendix 1: Public Audit Report Template
Regional Entity Public Audit Report Template (Version 2.07)
I. Purpose and Overview
The electric reliability organization (ERO) produces public and non-public reports following each
compliance audit or spot check of registered entities. This document describes the process for
developing the format and content of report documents, as well as the process for filing and
posting them. The Regional Entities develop these reports according to the NERC Rules of
Procedure (ROP),1 consistent with the template in the Appendices of this document. Registered
entities are provided an opportunity to review and comment on the compliance reports in draft
form. As discussed below, NERC reviews and submits the final compliance reports to the
applicable governmental authorities2 and, as appropriate, posts a public version of the
compliance report in accordance with the reporting and disclosure process in Appendix 4C of
the ROP. This bulletin applies to compliance audit and spot check reports from Operations and
Planning (O&P) and Critical Infrastructure Protection (CIP).
II. Audit and Spot Check Report Development
The Regional Entity audit and spot check teams develop reports of compliance audits and spot
checks of registered entities, and Regional Entity compliance staff reviews the reports. The
Regional Entity submits both a non-public and a public report for each audit of a registered
entity. The Regional Entity submits only a non-public report for each spot check of a registered
entity. The NERC Compliance Administrator is responsible for reviewing all reports, publicly
posting appropriate reports, and submitting select reports to the applicable governmental
authorities. CIP audit and spot check reports require additional processing to protect the
registered entity’s Critical Energy Infrastructure Information (CEII) and identification of Critical
Cyber Assets (CCA). The timing and sequencing of report distribution to registered entities and
NERC are discussed below.
Audit and Spot Check Reports without Possible Violations
As part of the audit and spot check assessment, the audit or spot check team completes a
preliminary screen for any Possible Violations of reliability standards, based on any instances of
potential noncompliance with reliability standards. If the audit or spot check team determines
that the registered entity does not have any Possible Violations, the team will complete both
the public and non-public audit reports and the non-public spot check report as soon as
practical after the last day of the audit or spot check. If there are any differences between the
findings during the compliance audit or spot check exit briefing and the non-public report, the
executive summary of the report will include a statement of the referenced differences. CIP
reports and any other reports that contain CIP information will not be submitted to applicable
governmental authorities and will not be publicly posted by NERC.
1 See NERC Rules of Procedure, Appendix 4C, Section 3.1 (http://www.nerc.com/AboutNERC/Pages/Rules-of-Procedure.aspx). All compliance audits shall be conducted in accordance with audit guides established for the Reliability Standards included in the compliance audit, consistent with accepted auditing guidelines as approved by NERC. The audit guides will be posted on NERC’s website.
2 The Applicable Governmental Authority for the United States is the Federal Energy Regulatory Commission (FERC or the Commission). The Applicable Governmental Authorities for each Canadian province and Mexico are separate and independent bodies.
Regional Entity staff reviews reports before providing a draft to the registered entity for review
and comment. The registered entity has ten business days to respond to the Regional Entity
with any proposed revisions. Once registered entity comments are taken into consideration and
appropriate revisions are made to the reports, the Regional Entity staff simultaneously provides
the registered entity and NERC with the final version of the non-public and public reports in
separate pdf files. The Regional Entity staff transmits the reports to NERC using the Regional
Entities’ designated https site and tracks submission of the reports to avoid sending duplicates.
The Regional Entity submits only a non-public report for each spot check of a registered entity.
After the Regional Entity staff transmits the reports to NERC, the NERC Compliance
Administrator posts the public report on the NERC website and sends appropriate non-public
reports to FERC via a secure portal. CIP reports and any other reports that contain CIP
information will not be submitted to applicable governmental authorities and will not be
publicly posted by NERC.
Audit and Spot Check Reports with Possible Violations
If the audit or spot check team determines that the registered entity has Possible Violations,
the team will complete only the non-public report as soon as practical after the last day of the
audit or spot check. If there are any differences between the findings during the compliance
audit or spot check exit briefing and the non-public report, the executive summary of the report
will include a statement of the referenced differences.
Regional Entity staff reviews audit and spot check reports before providing a draft to the
registered entity for review and comment. The registered entity has ten business days to
respond to the Regional Entity with any proposed revisions. Once registered entity comments
are taken into consideration and appropriate revisions are made to the reports, the Regional
Entity staff simultaneously provides the registered entity and NERC with the final version of the
non-public report in a pdf file. The Regional Entity staff transmits the report to NERC using the
Regional Entities’ designated https site and tracks submission of the report to avoid sending
duplicates. The Regional Entity submits only a non-public report for each spot check of a
registered entity. After the Regional Entity staff transmits the report to NERC, the NERC
Compliance Administrator sends appropriate non-public reports to FERC via a secure portal. CIP
reports and any other reports that contain CIP information will not be submitted to applicable
governmental authorities and will not be publicly posted by NERC.
Before producing the public version of the audit report, Regional Entity staff processes the
Possible Violations that the audit team identified in the report according to the NERC
Compliance Monitoring and Enforcement Program (CMEP). Once the Regional Entity and NERC
have processed the Possible Violations through the appropriate compliance enforcement
method, the Regional Entity will redact the non-public audit report to remove all sensitive,
confidential, privileged, and critical energy infrastructure information. The redacted non-public
report then becomes the public report.
The Regional Entity staff will provide the public version of the audit report that contains
Possible Violations to the registered entity for review and comment. The registered entity has
ten business days to respond to the Regional Entity with any proposed revisions to the report.
Once registered entity comments are taken into consideration and appropriate revisions are
made to the report, the Regional Entity staff simultaneously provides the registered entity and
NERC the final version of the public audit report in a pdf file.
Regional Entity staff transmits the public audit report to NERC using the Regional Entities’
designated https site and tracks submission of the report to avoid sending duplicates. After the
Regional Entity staff transmits the report to NERC, the NERC Compliance Administrator posts
the public report on the NERC website.
If Possible Violations result from a Multi-Regional Registered Entity joint audit, the Regional
Entity responsible for producing the audit reports will ensure that the processing of violations is
complete in the respective Regional Entities participating in the joint audit, prior to providing
the final public audit report to the registered entity for review or submitting the final public
audit report to NERC for public posting. The Regional Entity submits only a non-public report for
each Multi-Regional Registered Entity joint spot check of a registered entity. The executive
summary of the public version of the report will include a statement that all Possible Violations
have been resolved through the NERC CMEP process. CIP reports and any other reports that
contain CIP information will not be submitted to applicable governmental authorities and will
not be publicly posted by NERC.
Audit and Spot Check Reports for Registered Entities in Canada and Mexico
With respect to submission of compliance audit or spot check reports to applicable
governmental authorities other than FERC (i.e., entities in Canada and Mexico), Regional
Entities should follow any processes specified either in the Region’s agreement with the
applicable government authorities3 or under the governing laws of the applicable government
authorities.
Additional Requirements for CIP Audit and Spot Check Reports
The CIP audit or spot check team develops the CIP report using the non-public audit report
template located in Appendix 1 of this bulletin. A separate CIP report is necessary even if the
Regional Entity performs the CIP audit or spot check concurrently with an O&P audit or spot
check. The CIP team does not develop a public version of a CIP report as NERC does not publicly
post CIP audit or spot check reports. Submission of the non-public CIP audit or spot check
reports to NERC will follow the process outlined in this bulletin. CIP reports and any other
reports that contain CIP information will not be submitted to applicable governmental
authorities and will not be publicly posted by NERC.
3
The provision of the final Compliance Audit report to FERC or to another Applicable Governmental Authority shall
be in accordance with Section 8.0, Reporting and Disclosure. See NERC Rules of Procedure, Appendix 4C, Section
3.1.6, available at http://www.nerc.com/AboutNERC/Pages/Rules-of-Procedure.aspx.
III. Audit and Spot Check Report Content and Naming Convention
The content of audit and spot check reports varies according to whether a report is public or
non-public; however, both report types contain defined terminology for compliance audit
findings. Regional Entity staff distinguishes between public and non-public and CIP and O&P
reports when submitting report files to NERC to ensure that registered entity information is
appropriately protected.
Public Audit Report Content
The Regional Entity audit team develops the content of the public report by redacting sensitive
or confidential information from the non-public report. The public report includes a list of audit
findings using terminology as defined in this document. The public report will not contain
confidential information, as defined in Section 1500 of the NERC ROP. The Findings section of
the public report will not include a list of the evidence reviewed by the team in making their
determination of compliance. Further, the public report will not include a description of how
the team determined its findings, nor will it include the names of the audit participants.
Audit and Spot Check Findings
In order to maintain consistency and ensure protection of confidential information, the
following terminology will be used in the Findings section of the public and non-public audit
reports and the non-public spot check reports: Possible Violation and Open Enforcement Action.
Possible Violation (PV)
The audit or spot check team discovered areas of potential non-compliance (PNC) based on the
evidence presented by the registered entity and reviewed by the team, and they performed a
preliminary screen within five days to determine whether the PNC was a Possible Violation.
Open Enforcement Action (OEA)
At the time of the audit or spot check, the registered entity had an open action item regarding
the reliability standard requirement. Examples of OEAs include an open mitigation plan, self-report, settlement agreement, etc. Use of this term will include a NERC or Regional Entity
enforcement tracking number in the Findings section of the report.
OEA is used when the requirement has an OEA associated with it and the audit or spot check
team did not identify new Possible Violations. In circumstances in which an OEA existed for a
requirement, but a new Possible Violation was identified by the team, the newly identified
Possible Violation will be included in the Possible Violation count, but not in the OEA count. It
will appear in the Summary of Findings table in the Executive Summary and the Findings section
of the report templates.
Areas of Concern and Recommendations
Regional Entity audit or spot check teams identify and inform registered entities of Areas of
Concern and Recommendations per the FERC Guidance Order on Compliance Audits Conducted
by the Electric Reliability Organization and Regional Entities, dated January 15, 2009. Areas of
Concern will be included in the non-public version of the report only. The Recommendations
will be included in the non-public version of the report and may be included in the public
version of the audit report at the Regional Entity’s discretion. It is expected that Regional
Entities will include Recommendations in the public versions of the audit report if the
Recommendations may be useful to other registered entities. Although Recommendations are
not mandatory, it is expected that the registered entities will act upon or consider the team’s
Recommendations.
Area of Concern:4 Notifies registered entity of a situation that does not appear to involve a
current or ongoing violation of a reliability standard requirement, but instead represents an
area of concern that could become a violation.
Recommendation: Notifies a registered entity of a situation in which an opportunity may exist
for improving compliance-related processes, procedures, or tools.
4 See Compliance with Mandatory Reliability Standards, “Guidance Order on Compliance Audits Conducted by the Electric Reliability Organization and Regional Entities,” 126 FERC ¶ 61,038 (2009), dated January 15, 2009.
Audit and Spot Check Report Naming Convention
The Regional Entities submit compliance audit or spot check reports to NERC in pdf file format
with the naming convention in this bulletin in order to properly track reports and maintain
confidentiality. CIP reports are distinguished from the O&P reports, and spot check reports are
distinguished from audit reports. Each report name convention is followed by an example of a
compliance audit report conducted in 2013 by Regional Entity “XYZ” of registered entity “ABC.”
O&P Public Audit Reports:
[Year]_public_[Regional Entity Acronym]_[Audited Entity Acronym].pdf
Example: 2013_public_XYZ_ABC.pdf
O&P Non-Public Audit Reports:
[Year]_non-public_[Regional Entity Acronym]_[Audited Entity Acronym].pdf
Example: 2013_non-public_XYZ_ABC.pdf
CIP Non-Public Audit Reports:
[Year]_non-public_[Regional Entity Acronym]_[Audited Entity Acronym]_[CIP].pdf
Example: 2013_non-public_XYZ_ABC_CIP.pdf
O&P Public and Non-Public Audit Reports for Multi-Regional Registered Entity Audit:
[Year]_public_[Lead Regional Entity Acronym]_[MRRE] [Audited Entity Acronym].pdf
Example: 2013_public_XYZ_MRRE_ABC.pdf
Example: 2013_non-public_XYZ_MRRE_ABC.pdf
O&P Non-Public Spot Check Reports:
[Year]_non-public_[Regional Entity Acronym]_[Audited Entity Acronym].pdf
Example: 2013_non-public_XYZ_ABC Spot Check.pdf
CIP Non-Public Spot Check Reports:
[Year]_non-public_[Regional Entity Acronym]_[Audited Entity Acronym].pdf
Example: 2013_non-public_XYZ_ABC Spot Check_CIP.pdf
Reports Requiring Revision and Resubmission to NERC:
[Year]_public_[Regional Entity Acronym]_[Audited Entity Acronym]_REVISED.pdf
Example: 2013_non-public_XYZ_ABC_REVISED.pdf
Example: 2013_non-public_XYZ_ABC Spot Check_REVISED.pdf
Example: 2013_non-public_XYZ_ABC Spot Check_CIP_REVISED.pdf
Example: 2013_non-public_XYZ_ABC CIP_REVISED.pdf
Example: 2013_non-public_XYZ_MRRE_ABC_REVISED.pdf
IV. Audit and Spot Check Report Submittal and Posting
In order to maintain continuity of audit and spot check report format and content, as well as to
prevent duplicate report submissions, the Regional Entity will designate a staff member to
submit audit and spot check reports to NERC and track their submission. The Regional Entity
submits only a non-public report for each spot check of a registered entity. The Regional Entity
staff designee will upload the reports to the Regional Entity’s designated https site and will
track the reports to avoid submission of duplicates. The public and non-public reports will be
submitted in separate pdf files.
The NERC Compliance Administrator will check the Regional Entities’ https sites for submitted
reports at least once per week, log receipt of the reports in the report-tracking tool, and review
the reports for administrative errors and consistency with the audit and spot check report
template. The NERC Compliance Administrator will inform the Regional Entity designated staff
via email that the report was received by NERC and whether there are any reports that do not
meet review criteria that require revision and re-submission.
The NERC Compliance Administrator will submit the final non-public audit and spot check
reports to the applicable governmental authority5 via a secure portal or other pre-approved
method, post the finalized public audit reports to the NERC website, log dates in the report
tracking tool, archive both public and non-public reports on the NERC SharePoint site, and
notify the Regional Entity designated staff via email that the reports have been posted. NERC
will not publicly post the final Compliance Audit report for at least five (5) business days
following receipt.6 CIP reports and any other reports that contain CIP information will not be
submitted to applicable governmental authorities and will not be publicly posted by NERC.
Process disclaimer: NERC reserves the right to issue new process bulletins or modify existing
process bulletins when necessary and at its discretion.
5 The provision of the final Compliance Audit report to FERC or to another Applicable Governmental Authority shall be in accordance with Section 8.0, Reporting and Disclosure. See NERC Rules of Procedure, Appendix 4C, Section 3.1.6, available at http://www.nerc.com/AboutNERC/Pages/Rules-of-Procedure.aspx.
6 NERC will not publicly post the final Compliance Audit report for at least five (5) business days following receipt. See NERC Rules of Procedure, Appendix 4C, Section 3.1.6, available at http://www.nerc.com/AboutNERC/Pages/Rules-of-Procedure.aspx
V. Revision History
| Version | Date | Reviewers | Revision Description |
|---|---|---|---|
| 1 | 02/01/2010 (effective on posting) | NERC and Regional Entity Staff | Version 1.0 |
| 1.1 | 04/30/2010 | Mike Moon; Jacki Power; Craig Struck; Regional Entity Staff | Directive Revisions: Removed flowchart. Audit Report Template Revisions: Added self-certification statement to Executive Summary, Added reference to NOP link in Executive Summary, Changed all references to PAV to PV. |
| 1.1 | 05/19/2010 | NERC Management | Changed non-public status and posted publicly. |
| 1.2 | 07/28/2010 | Craig Struck, NERC | Added guidance to directive and report templates on use of terms for identifying compliance findings in audit reports, and information regarding CIP audit reports. |
| 1.3 | 10/11/2010 | Craig Struck; NERC Compliance Operations Management and Legal Department | Minor editorial & errata changes. Added references to pending CIP information handling process. Added wording stating spot-checks will require reports. Revised wording to state links will be to NOP page. Incorporated Compliance Operations Management and Legal Department comments. |
| 1.4 | 08/01/2011 | Craig Struck, NERC | Added language to include “areas of concern” (as noted in January 2009 FERC Guidance Order on Compliance Audits) and Recommendations. Added clarifying language regarding NOP links, separate report requirements for concurrent O&P and CIP audits, level of details in findings table, and use of findings terminology in findings table. Modified audit report templates based on changes noted above. Minor editorial and arrangement changes. |
| 2.01 | 06/26/2012 | Craig Struck, NERC | Re-write of directive and report template to remove duplicative language. Added instructional language to template. Added high level count table to Executive Summary. Renamed Audit Results section to Audit Findings. Removed evidence reviewed from Public report. Added blue color instructional text. Removed language regarding NOP links. Added definitions for Areas of Concern and Recommendation. Added language regarding functional registration mapping to templates. Updated to latest version of Style Guide. |
| 2.02 | 08/21/2012 | Craig Struck, NERC | Minor editorial and arrangement revisions based on ECEMG, CMPWG, and CCWG feedback. Added language that states Findings table may be an Appendix to reports. |
| 2.03 | 09/10/2012 | Caroline Clouse, NERC | Copyediting |
| 2.04 | 01/30/2013 | Caroline Clouse, NERC | Copyediting |
| 2.05 | 03/26/2013 | Craig Struck, NERC | Removed references to public spot check reports. Updated footnotes to correspond with Rules of Procedure\CMEP revisions. Minor wording changes. |
| 2.06 | 06/13/2013 | Jim Armstrong, NERC; NERC Compliance Operations staff | Removed requests for listing of standards for which there were “No Findings” or that were “Not Applicable.” This information should be properly supported by the team’s corresponding work papers. Also, divide public and non-public audit report templates into two documents. |
| 2.07 | 10/22/2015 | Adina Mineo, NERC Compliance Assurance Manager | Updated Appendix 1 - Removed areas of concern reference from the executive summary |
Appendix 1: Public Audit Report Template
Date of [Entity Name] Audit: [Opening Presentation – Exit Briefing]
Date of Report: [Date of Final Management Review and Report Does Not Change]
Public Audit Report Template
[INSTRUCTIONS – Delete After Reading: All blue-colored text found in the Audit
Report templates is instructional language from the appropriate section of the
bulletin and should be deleted when no longer needed by the report author.]
[Insert Regional Entity Logo]
NERC ID(s): NCR00000
Registered Entity Name(s): [Name of the Entity Here]
Reliability Standards Audit Scope: Choose an item.
Compliance Monitoring Process: Choose an item.
Distribution: Choose an item.
Lead Region: Choose an item.
Dates of Audit: From June 20, 2013 to May 6, 2013
Date of Report: May 16, 2013
Possible Violations Identified: Choose an item.
Jurisdiction: Choose an item.
Table of Contents
[INSTRUCTIONS – Delete After Reading: When report is complete, ensure the Table of
Contents is updated so that section titles indicate the correct page number. 1) Select the entire
Table of Contents. 2) Right click on the selection and select Update Field. 3) Update page
numbers or the entire table as appropriate.]
I. Executive Summary
II. Audit Process
    Objectives
    Scope
    Confidentiality and Conflict of Interest
    Methodology
    Company Profile
    Audit Participants
III. Audit Findings
IV. Recommendations
V. Compliance Culture
I. Executive Summary
[INSTRUCTIONS – Delete After Reading: Use of MS Word’s Find and Replace
feature for [Red Text] in brackets will significantly reduce manual entry by the
report author.]
[Regional Entity] conducted [a(n)] [Operations and Planning or Critical Infrastructure
Protection] Audit of [Entity Name] [Entity Acronym], NERC ID [XXXXXX] from [Dates of Opening
Presentation – Exit Briefing]. At the time of the Audit, [Entity Acronym] was registered for the
functions of [Delete Non-Applicable Functions] Balancing Authority (BA), Distribution Provider
(DP), Generator Operator (GOP), Generator Owner (GO), Interchange Authority (IA), Load-Serving Entity (LSE), Planning Authority (PA), Purchasing-Selling Entity (PSE), Reliability
Coordinator (RC), Reserve Sharing Group (RSG), Resource Planner (RP), Transmission Operator
(TOP), Transmission Owner (TO), Transmission Planner (TP), and Transmission Service Provider
(TSP)].
[Delete if Non-Applicable] [Entity Acronym] was also registered for a Joint Registration
Organization (JRO), JRO ID [XXXXXX], for the [JRO Registered Functions] functions. [Entity
Acronym] was also registered for a Coordinated Function Registration (CFR), JRO ID [XXXXXX],
for the [CFR Registered Functions] functions.
[Delete if Non-Applicable; Delete Non-Applicable Functions] The Reliability Coordinator (RC),
Balancing Authority (BA), Transmission Operator (TOP), Planning Coordinator (PC), Transmission
Planner (TP), and Resource Planner (RP) for [Entity Acronym] are as follows, respectively
[XXXXXX], [XXXXXX], [XXXXXX], [XXXXXX], [XXXXXX], and [XXXXXX].
[Delete if Non-Applicable; Delete Non-Applicable Functions] [Entity Acronym] performs the
functions of Planning Coordinator (PC), Transmission Planner (TP), and Resource Planner (RP)
for the following registered entities, respectively [XXXXXX], [XXXXXX], [XXXXXX], [etc].
The Audit team evaluated [Entity Acronym] for compliance with [Number (XX)] requirements in
the [Year] NERC Compliance Monitoring and Enforcement Program (CMEP) and the [Regional
Entity] CMEP Implementation Plan. The team assessed compliance with the NERC Reliability
Standards (and Regional Reliability Standards if applicable), for the period of [Start Date of
Monitored Period to Date of Exit Briefing]. [Entity Acronym] submitted evidence for the team’s
evaluation of compliance with requirements. The team reviewed and evaluated all evidence
provided to assess compliance with reliability standards applicable to [Entity Acronym] at this
time. [Delete this sentence and Table 1 if there are no findings] Based on the evidence
provided, the team’s findings are summarized in Table 1 below: [Add the following if no
findings are noted: Based on the evidence provided, no findings were noted for the standards
and applicable requirements in scope for this engagement.]
Table 1. Summary of Findings
| | Possible Violation | Open Enforcement Action* | Total |
|---|---|---|---|
| Reliability Standard Requirements | | | |
| Regional Standard Requirements | | | |
| Total | | | |
*OEAs with newly identified PVs are counted in the PV column only; not in the OEA column. OEAs without newly identified PVs are counted in the OEA column.
The team notified [Entity Acronym] of [Number XX] Recommendations.
Possible Violations will be processed as outlined in the NERC CMEP and the [Regional Entity
Name] CMEP Implementation Plan. There [were/were not] open mitigation plans, and
therefore [all/none] were reviewed by the team. [NOTE – Delete After Reading: If the team is
instructed by an ERO Enforcement department NOT to review an open mitigation plan, please
note that here. If the team reviewed mitigation plans for OEAs, note that here.]
The [Regional Entity] Audit team lead certifies that the team adhered to all applicable
requirements of the NERC Rules of Procedure (ROP) and Compliance Monitoring and
Enforcement Program (CMEP).1
OR
The [Regional Entity] audit team lead certifies that the Audit team adhered to all applicable
requirements of the NERC Rules of Procedure (ROP) and Compliance Monitoring and
Enforcement Program (CMEP) with the following exceptions: The [Regional Entity] team did not
adhere to [Section of ROP/CMEP] due to [state reason].
1
This statement replaces the Regional Entity Self-Certification process.
II. Audit Process
The compliance Audit process steps are detailed in the NERC Rules of Procedure, the NERC
Compliance Monitoring and Enforcement Program, and the [Regional Entity] CMEP
Implementation Plan. The Compliance Monitoring and Enforcement Program generally
conforms to the Government Auditing Standards and other generally accepted audit practices.
Objectives
All registered entities are subject to compliance assessments with all reliability standards
applicable to the functions for which the registered entity is registered 2 in the Region(s)
performing the assessment. The Audit objectives are to:
• Review compliance with the requirements of reliability standards that are applicable to
  [Entity Acronym], based on the functions that [Entity Acronym] is registered to perform;
• Validate compliance with applicable reliability standards from the NERC [year]
  Implementation Plan list of actively monitored standards, and additional NERC
  Reliability Standards selected by [Regional Entity];
• Validate compliance with applicable Regional Reliability Standards from the [Regional
  Entity] [Year] Implementation Plan list of actively monitored standards, if applicable;
• Validate evidence of self-reported violations and previous self-certifications;
• Observe and document [Entity Acronym]’s compliance program and culture;
• Review the status of open mitigation plans.
• [INSTRUCTIONS – Delete After Reading: For CIP audits only] Review Approved and
  Terminated Technical Feasibility Exceptions.
Scope
The scope of the compliance Audit included the NERC Reliability Standards from the [Regional
Entity] [Year] CMEP Implementation Plan. In addition, this Audit included a review of mitigation
plans or remedial action directives that were open during the Audit. The standards and
requirements in scope for this [Audit or Spot Check] are illustrated in Table 2 below:
Table 2. Audit Scope

Standards          Requirement(s)

2 NERC Rules of Procedure, Appendix 4C, Section 3.1, Compliance Audits.
The team [did/did not] expand the scope beyond what was stated in the notification package.
[NOTE – Delete After Reading: If the team expanded the scope beyond what was stated in the
notification package, note that here.]
Confidentiality and Conflict of Interest
Confidentiality and conflict of interest of the Audit team are governed under the [Regional
Entity] Delegation Agreement with NERC, and Section 1500 of the NERC Rules of Procedure.
[Entity Acronym] was informed of [Regional Entity]’s obligations and responsibilities under the
agreement and procedures. The work history for each team member was provided to [Entity
Acronym], which was given an opportunity to object to a team member’s participation on the
basis of a possible conflict of interest or the existence of other circumstances that could
interfere with a team member’s impartial performance of duties. [Entity Acronym] had not
submitted any objections by the stated 15-day objection due date and accepted the team
member participants without objection. There were no denials or access limitations placed
upon this team by [Entity Acronym].
Methodology
The Audit team reviewed the evidence submitted by [Entity Acronym] and assessed compliance
with requirements of the applicable reliability standards. [Regional Entity] provided [Entity
Acronym] with a Request for Information (RFI) prior to commencement of the Audit. [Entity
Acronym] provided pre-Audit evidence at the time requested, or as agreed upon, by [Regional
Entity]. Additional evidence could be submitted until the agreed-upon deadline prior to the exit
briefing. After that date, only data or information that was relevant to the content of the report
or its findings could be submitted with the agreement of the audit team lead.
The Audit team reviewed documentation provided by [Entity Acronym] and requested
additional evidence and sought clarification from subject matter experts during the Audit.
Evidence submitted in the form of policies, procedures, emails, logs, studies, data sheets, etc.
was validated, substantiated, and cross-checked for accuracy as appropriate. Where sampling
is applicable to a requirement, the sample set was determined by a statistical methodology,
along with professional judgment.
Findings were based on the facts and documentation reviewed, the team’s knowledge of the
BES, the NERC Reliability Standards, and professional judgment. All findings were developed
based upon the consensus of the team.
Company Profile
[INSTRUCTIONS – Delete After Reading: This section should contain descriptive information
about the audited entity to explain its usage, ownership, or operational responsibilities
pertaining to the BES. In addition, information identifying geographical area, size, organizational
roles, etc. should be included.]
Audit Participants
The following is a list of all personnel from the [Regional Entity] Audit team and [Entity
Acronym] who were directly involved during the meetings and interviews.
[Regional Entity] Team Members

Role               Title          Entity
Audit Team Lead
Team Member
Team Member
Team Member
Team Member
Observer

[Entity Acronym] Participants

Title              Entity
III. Audit Findings
[INSTRUCTIONS – Delete After Reading: The CIP team does not develop a public version of a
CIP report as NERC does not publicly post CIP audit or spot check reports. CIP reports and any
other reports that contain CIP information will not be submitted to applicable governmental
authorities and will not be publicly posted by NERC.]
[NOTE: The audit findings may be provided in the body of the report or as an Appendix to the
report.]
The following information details the compliance findings for the reliability standards and
requirements identified in the scope of this Audit. All other reliability standards and
requirements in scope for this audit were tested without exception.
OR
Based on the results of this Audit, no findings were noted for the standards and applicable
requirements in scope for this engagement.
1. Reliability Standard # - [XXX-###-#]
Requirement # - [Requirement/Sub-Requirement (XX)]
Finding – [INSTRUCTIONS – Delete After Reading: OEA is used when the requirement had
an OEA associated with it and the team did not identify new Possible Violations. In
circumstances where an OEA existed for a requirement but a new Possible Violation was
identified by the team, the newly identified Possible Violation will be included in the
Possible Violation count, but not in the OEA count. It will appear in the Summary of Findings
table in the Executive Summary and the Findings section of the report templates.]
[Enter Finding: Possible Violation or Open Enforcement Action (Include Enforcement
Tracking Number)]
2. Reliability Standard # - [XXX-###-#]
Requirement # - [Requirement/Sub-Requirement (XX)]
Finding – [INSTRUCTIONS – Delete After Reading: OEA is used when the requirement had
an OEA associated with it and the team did not identify new Possible Violations. In
circumstances where an OEA existed for a requirement, but a new Possible Violation was
identified by the team, the newly identified Possible Violation will be included in the
Possible Violation count, but not in the OEA count. It will appear in the Summary of Findings
table in the Executive Summary, and the Findings section of the report templates.]
[Enter Finding: Possible Violation or Open Enforcement Action (Include Enforcement
Tracking Number)]
OR
Standard        Req.                                   Finding
[XXX-###-#]     [Requirement/Sub-Requirement (XX)]     [INSTRUCTIONS – Delete After Reading: OEA is used when the
                                                       requirement had an OEA associated with it and the team did not
                                                       identify new Possible Violations. In circumstances where an OEA
                                                       existed for a requirement but a new Possible Violation was
                                                       identified by the team, the newly identified Possible Violation
                                                       will be included in the Possible Violation count, but not in the
                                                       OEA count, in the Summary of Findings table in the Executive
                                                       Summary, and the Findings section of the report templates.]
                                                       [Enter Finding: Possible Violation or Open Enforcement Action
                                                       (Include Enforcement Tracking Number)]
IV. Recommendations
[INSTRUCTIONS – Delete After Reading: Regional Entity teams identify and inform registered
entities of Areas of Concern and Recommendations per the FERC Guidance Order on
Compliance Audits Conducted by the Electric Reliability Organization and Regional Entities,
dated January 15, 2009. The Areas of Concern will be included in the non-public version of the
audit or spot check report only. The Recommendations will be included in the non-public
version of the report and may be included in the public version of the report at the Regional
Entity’s discretion. It is expected that Regional Entities will include Recommendations in the
public versions of the audit report if the Recommendation may be useful to other registered
entities. If the Regional Entity chooses to exclude Recommendations from the non-public
report, delete the following section.]
The Audit team identified and informed [Entity Acronym] of [Number (XX)] Recommendations.
The specific details of each Recommendation are described below.
1. [Enter detailed description of Recommendation].
2. [Enter detailed description of Recommendation].
3. [Enter detailed description of Recommendation].
OR
Based on the results of this Audit, no recommendations were noted for the standards and
applicable requirements in scope for this engagement.
V. Compliance Culture
The [Regional Entity] Audit team performed an assessment of [Entity Acronym]’s compliance
culture in conjunction with the Audit process. The assessment was accomplished through a
review of responses to the Internal Compliance Survey questionnaire and additional
information that was gathered during interviews and observations. This included an assessment
of factors that characterize vigorous and effective compliance programs, including:
• Active engagement and leadership by senior management;
• Effective, in-practice preventive measures appropriate to the circumstances of the
  company;
• Prompt detection of problems, cessation of misconduct, and reporting of a violation;
  and
• Remediation of the misconduct.
OR
[Entity Acronym]’s compliance culture was not reviewed by the [Regional Entity] Audit team
due to [state reason].