What will you show them?
ICCT Corp has brought together the best subject matter experts available with relevant business expertise to provide our clients with directive assistance to ensure regulatory compliance with NERC Reliability Standards. We continue to assist our clients in determining potential operational/service impacts by validating their current state of compliance and providing a gap analysis for mitigation of potential deficiencies.
A critical advantage to our mock audit services is that they mirror what your company will experience in a real Regional Entity CIP or 693 audit. ICCT’s mock audits are normally conducted in a manner where all SME resources are able to perform as if a real audit was underway. As your company will experience during the next audit, offsite data requests will be submitted to your SME’s prior to the onsite audit work. During the onsite audit period, the ICCT Team will have several experienced CIP auditors engaged, normally a Senior Audit Lead and two Senior Auditors. The Team members have formerly worked for WECC as Senior CIP Auditors and/or have held senior CIP compliance manager responsibilities at major West Coast utilities.
Normally 36 of the 43 requirements are audited in conjunction with NERC’s current actively monitored CIP requirements list; however, our Team will audit all 43, if requested. A real audit has three distinct phases, which are followed by ICCT during a mock audit:
• Phase-1 - offsite data requests to allow audit team review evidentiary data and information, and prepare for onsite audit work;
• Phase-2 - onsite audit work at the chosen facility to review completed RSAWS for CIP-002 through CIP-009 , review additional entity supplied evidence and artifacts, interview your SMEs, and perform onsite data requests and potential physical walk-throughs as required, and deliver a final presentation of findings and potential violations, with recommendations;
• Phase-3 - post-audit work to confirming findings and potential violations, submit clarification requests, preparation and presentation of the final detailed report.
It is expected that the Mock Audit engagement will have a duration of six weeks covering four (4) work weeks : Phase-1 one (1) week, Phase-2 one (1) week, Phase-3 two (2) weeks, with some time spent finalizing the Report after CAISO review and comment.
Data requests for Phase-1 (offsite) and Phase-2 (onsite) will include CIP-related policy and procedures, sampling of evidentiary data and other artifacts. This includes existing documentation and evidence covered by the audit period, and as dictated by requirements subject to bookend review . Finalized RSAW documents will not be required until the onsite audit begins but you may provide RSAW documents as they become available prior to the onsite audit. The sampling quantity will vary based on the Requirement/Sub-Requirement and may include analysis that is more detailed and additional data requests for the purpose of clarification and/or assuring the necessary corroborating evidence is discovered. Sampling will meet or exceed the current WECC sampling requirements for an audit of this type .
Other organizations have requested sufficient time for a pre-audit review of RSAW documentation and evidence to ensure that all aspects of meeting the Requirements are sufficient, accurate and up-to-date. This is an open option for every organizatoin however, unless otherwise directed, ICCT will begin the Mock Audit engagement with the Phase-1 data requests. Other organizations have taken advantage of our ‘Witness Training’ prior to the Phase-2 onsite audit to ensure that the SMEs conduct themselves appropriately when dealing with Regional Entity auditors. This option is available to you also on an hourly rate basis.
In Phase-3 the Audit Team will continue their reviews of information to ensure any findings or potential violations are appropriately validated, will ask the SME team for additional clarifications, and will begin drafting the Final Report. The Draft Final Report will be issued within ten (10) business days to allow your team an opportunity for review, to comment, and to submit request for clarification. After a brief agreed upon comment period, the Final Report will be completed and submitted to the appropriate Team Member. An online presentation will be scheduled to review the Final Report with the full Team.
The process of reviewing the evidentiary data and information allows the ICCT Team to prepare a gap analysis that will reflect general findings and potential violations requiring mitigation. The ICCT Team handles all data and documentation based on the current Regional Entity methodologies to ensure conformity to the Reliability Standards, as well as the Regional Entity’s expectations for employing protection to applicable critical asset information. Any specific requirements for handling of such information will be followed.
All of us at ICCT appreciate the opportunity to present our services to you, and we look forward to the possibility of working with your team on this important regulatory process.