Before Commissioners: Joseph T. Kelliher, Chairman; Suedeen G. Kelly, Marc Spitzer, Philip D. Moeller, and Jon Wellinghoff

1. In this order, the Commission provides guidance on conducting compliance audits to the North American Electric Reliability Corporation (NERC), the certified Electric Reliability Organization (ERO), and the eight Regional Entities to which NERC has delegated responsibility for enforcing Commission-approved Reliability Standards within the United States.

2. NERC and Regional Entities conduct compliance audits of registered entities subject to mandatory Reliability Standards approved by the Commission. They conduct these audits pursuant to procedures approved by the Commission under FPA sections 215(c)(2)(C) (certification of the ERO) and 215(e)(4) (approval of delegation agreements), which, among other things, require that the ERO and Regional Entities provide fair and impartial procedures for enforcement of reliability standards.^[1] This order provides guidance to the ERO and Regional Entities with respect to implementation of Section 3.1 of NERC's Compliance Monitoring and Enforcement Program (CMEP), which the Commission approved on April 19, 2007 pursuant to FPA sections 215(c)(2) and 215(e)(4).^[2] This guidance stems from Commission staff observations of audits that NERC and the Regional Entities have conducted into whether particular users, owners and operators of the Bulk-Power System are complying with Reliability Standards.^[3]

3. We require that NERC and Regional Entities “base their compliance audit processes in the U.S. on professional auditing standards recognized in the U.S., such as Generally Accepted Accounting Standards, Generally Accepted Government Auditing Standards, and standards sanctioned by the Institute of Internal Auditors.” ^[4] We allow flexibility for NERC and the Regional Entities to implement their compliance audit programs in that they are to base their audit processes on these auditing standards.

4. Nevertheless, our staff has observed that additional consistency in compliance audit processes among NERC and the Regional Entities within the United States would be beneficial. We expect NERC and Regional Entities to implement the following guidance, as appropriate, in ongoing compliance audits and in all compliance audits that commence on or after the date of this order.

A. Audit Team Leadership and Training

5. In order to resolve possible perceptions that a Regional Entity's compliance staff is not sufficiently independent from the audited entity, such as the Regional Entity itself or its affiliate, NERC staff sometimes leads compliance audit teams in which Regional Entity staff participates. This is intended to assess compliance in an unbiased or professional manner.^[5] In these audits, Regional Entity staff should serve as subject matter experts, rather than lead the audit or advise on its conduct or scope. NERC staff should control the scope and conduct of a NERC-led audit and refrain from seeking advice from or involving Regional Entity staff on the direction or findings of the audit. NERC and Regional Entity staff should assume these roles from the beginning of the pre-audit stage of such a NERC-led audit until the completion of the final audit report.^[6]

6. CMEP section 3.1.5 requires that for all compliance audits conducted after January 1, 2008, each audit team member must successfully complete all NERC or NERC-approved Regional Entity auditor training applicable to the audit. We suggest that NERC and Regional Entities ensure that this audit training include skills in interviewing, choosing samples of matters to be audited, and evaluating evidence.

B. Pre-Audit Procedures

7. We suggest that NERC, in the context of developing, reviewing and updating its pre-audit questionnaires, ensure that audit team requests for information and documents about specific matters are as consistent as possible among the Regional Entities.^[7] For organizing requests for data and information, all compliance audit teams should use a database consisting of a spreadsheet that serves as a checklist for all requirements of Reliability Standards that are to be audited.

8. Compliance audit teams should request that registered entities: (1) organize responses to data requests and other audit evidence into the format that the audit team will use to match evidence to compliance with particular requirements; and (2) cross-reference the information provided to the audit team to specific requirements of the Reliability Standards being audited. Registered entities' responses should label all information that is responsive to a particular audit team request relating to specific requirements.

9. Each audit team should allot sufficient time to complete its review of responses to pre-audit data requests before beginning site visits or similar efforts. During pre-audit preparation, audit teams should identify and examine any mitigation plans and associated documentation pertaining to standard requirements to be audited, including assessing, as relevant, whether mitigation plan milestones have been met, mitigation plans have been completed in a timely manner and whether completion of a mitigation plan was sufficient to bring the registered entity into compliance with applicable requirements.^[8]

C. Procedures During the Compliance Audit

10. A compliance audit should ascertain that the registered entity is in compliance with a requirement or that there is evidence that a violation of the Start Printed Page 6283requirement has occurred. A compliance audit team should not consider or discuss whether a monetary penalty or some other sanction would be appropriate if the Regional Entity finds that the registered entity has violated the requirement. Nor should a compliance audit team base its decision regarding whether evidence of a violation exists upon the resources or time needed for litigation or settlement of a related notice of alleged violation.^[9] The Commission would look with disfavor on the conclusions of a compliance audit that is based in any way on these considerations.

11. We emphasize that NERC and Regional Entities need to be as consistent as possible about the level of evidence or documentation that is needed to demonstrate compliance for particular requirements.

12. A compliance audit conducted by NERC or a Regional Entity should include an assessment of the registered entity's Reliability Standards compliance program. We suggest that NERC and the Regional Entities discuss how NERC's audit guidelines and audit data requests and questionnaires could better elicit information on the factors discussed in our recent Policy Statement on Compliance.^[10]

13. If an audit team learns about a situation that does not appear to involve a current or ongoing violation of a Reliability Standard requirement, but instead represents an area of concern that could become a violation, we expect the team to notify the registered entity of the situation, discuss it with the entity, and document such discussions in the compliance audit report. We remind audit teams that they are expected to fully test compliance with any non-actively monitored standard if the teams find evidence during the audit of non-compliance with such a standard.^[11]

14. We believe implementation of this guidance will improve the consistency of compliance audits relating to Reliability Standards and result in greater compliance with them.

Footnotes