Great information from Nick Santora.
I spent quite a while on the road while working at NERC for about seven years. I believe at one point I had over 130+ nights stayed during a single year. One of the many roles I had while at NERC was as a compliance program auditor for NERC CIP audits and compliance investigations. I picked up some common mistakes I have seen from entities across the entire country and would like to share them with you.
1) BE POLITE AND PATIENT
When an auditor asks for information, they are usually just trying to get an understanding of your environment. This isn’t a court hearing. The audit team is just trying to gain an understanding of the entire picture because they don’t know your environment as well as you do.
They may also not be familiar with certain acronyms, diagrams and other procedures at your organization. Take your time and explain them, since they will help tell your story of compliance.
2) NOT REWARDING YOUR STAFF
Let’s face it – no matter how prepared you are for an audit, it’s still a very intense process. Your staff is stressed out, and have been looking to find evidence in every nook and cranny of the past several years. Give them a break, reward them with a day off if possible or something fun to do as a thank you for all of the hard work they put in.
3) LISTEN TO CIP AUDITORS ADVICE
I have worked with the CIP audit and compliance teams in every region across North America. Your auditors, in fact, have a lot of experience. They have seen more implementations, configurations, environments and procedures than you could ever imagine.
Listen to them if they talk about best practices or advise on some thoughts for additional approaches towards demonstrating compliance. Sometimes it can really help open your eyes to a different point of view.
4) ARGUING OVER EVERY WORD IN THE STANDARD
During CIP Version 3 audits, I have seen words like significant, annual and other non-defined terms used in every possible way you could imagine. Of course, some of that has been cleaned up for CIP V5, but you get the point. If you do have an undefined term, ensure you define it somewhere in your internal documents to show the audit team what you mean.
5) ARGUING DURING THE EXIT PRESENTATION
Act professional – there is a big difference between arguing and disagreeing. Whether you disagree with a finding or not, the time and place is not during the exit presentation. Many times I would see entities yell at the auditors during the exit presentation, and say they’re wrong.
6) SCRAMBLING FOR DOCUMENTATION
A perfect example here was during training and awareness records. The CIP training standards dictate that authorized staff with unescorted physical or electronic access to BES Cyber Assets, otherwise known as BCAs, must go through a NERC CIP compliance training program.
Any of your staff, contractors, vendors, and even cleaning crew might fall into scope of this requirement. Make sure you have records of all of this going back during the audit scope, so you are not scrambling during the audit.
7) KNOW YOU’RE GOING TO BE AUDITED
You will be audited. I cannot believe how many times I would walk into an entity and find out they had never performed a mock audit with their staff. They didn’t know the types of questions they would be asked, the evidence to produce, or the responses they should prepare for.
8) SHOW YOUR WORK
A lot of times I would see an entity provide evidence of results. Sometimes you will hear auditors ask to see how you got to your results. A great example here is a Cyber Vulnerability Assessment or CVA.
One time, I remember hearing an entity perform their CVA, and get a pile of results/action items to fix. They then showed a piece of paper that said “Results” and had a completed check mark. When the auditors asked how they completed some of these tasks, or if they could see the steps they went through to get this result, the entity had no answers. They couldn’t even confirm that all of the CVA findings were fixed because they didn’t have documentation for themselves.
9) SPEAKING THROUGH LAWYERS
While having lawyers is very important for any dispute, settlement, or compliance program process, they aren’t always the best to be the front line on answering questions. For example, you don’t want your corporate attorney to answer technical questions on how your ESP are designed and configured.
10) REDACTING DOCUMENTATION AND EVIDENCE
The goal of the auditor is to help your entity demonstrate compliance to the NERC CIP standards, not to find areas of non-compliance.
I have been on audits where the entity would not even allow the auditors to view evidence by themselves – it had to be on an entity-owned machine with limited access and documents that were mostly blacked out information. All this did was extend the audit another week, and created a starting point for more questions.
Please help the auditors by making evidence accessible and useful.