Compliance Audit Preparation Best Practices – Perspective of an Ex-Regulator

I received a lot of great feedback on my last publication “Testing NERC Evidence for Quality”. During discussions about this article, several people asked me to write an additional article and share my perspective on best practices and key behaviors organizations should adopt to help mature the compliance audit readiness process. I thought this was a great idea since many people indicated they were “thrown into compliance roles without a lot of compliance experience”. As requested, here is my follow-up on compliance audit preparation best practices, enjoy!

‍1.      Prepare Clear and Concise Compliance Narratives

Compliance narratives should clearly describe how policies, procedures, documentation, internal controls and associated evidence address reliability risk and meet the objectives of the NERC standard requirements. Often these narratives are captured in the response sections of the Reliability Standard Audit Worksheets (RSAW). Compliance narratives should be drafted in a logical sequence that includes a structured way to connect the dots for auditors and synchronizes compliance evidence with your narrative content. I cannot understate the value of well thought out and articulated compliance narratives.

2.      Practice Delivering Compliance Narratives with Managers and Subject Matter Experts

Practice delivering compliance narratives as a team. Preparation and practice will allow teams to enter the audit interview with a high level of confidence to articulate how your compliance program meets compliance to the NERC requirements. Everyone participating in interviews should be telling the same story. Never send someone into the audit interview process cold, never send someone in who is likely to be over emotional or obstinate. Teams that practice will present a more complete picture of your commitment to compliance through a well-founded narrative. Practice also allows you to identify any gaps early in the process. Bring a copy of the narratives as a tool to keep you on track during the audit interview process.

3.      Do not Disagree or Debate with your Team in the presence of an Auditor

All interviewees should answer auditor’s questions from the agreed-on narratives and home messages. When you get in the audit room, your team must be on the same page. Anything discussed during the audit is fair game for the auditor; it is not the time for your team to debate terminology, requirement language, policy, or evidence issues. Have the debates as a team ahead of time so you can have a principled interaction with the auditors.

4.      Do not Over Elaborate During Audit Interviews

Auditors are trained to focus on everything you say. While you are expected to answer questions, do not ramble or elaborate outside of the specific question being asked. Overelaborating can lead auditors to looking at areas not originally in their audit scope. Answer questions with clear, concise, practiced narratives. Avoid improvising on “open-ended” questions, stick to the narratives and ask the auditor for necessary specifics. It’s easy to get carried away attempting to address open ended questions.

5.      Do not Speculate, Guess, or Make Stuff Up During Audit Interviews

Never speculate or attempt to explain a question you do not understand. If an auditors question does not make sense, ask for examples or clarification. If you still do not understand the question or know the answer, simply state; “I am not the best person to answer that question, however, I will caucus with my leadership and make sure someone is made available who can answer the question.” Ask them if they would like for you to seek an answer now or if you can follow-up with them later in the day.

6.      Avoid Over-Zealous Sharing of Information and Data During Audits

Always be transparent and openly share data and information relative to how you meet compliance to the NERC standards. However, avoid providing data and information not relevant to the requirement under review or the question posed by the auditor. This practice can confuse the auditor or prolong the audit process by causing the auditor to investigate other areas that might have otherwise been left alone. Auditors can be aggravated by “data dumps” not relevant to the compliance element they are auditing. They often see this as an attempt to divert or cover up deficiencies. Provide information and data that is relevant to what they need to make determinations, no more, no less.

7.      Do Not Answer Outside of Your Expertise During Audit Interviews

When questioned by an auditor, do not answer for any process or action that is not your expertise or for which you do not have direct knowledge. The auditor may even ask questions when they already know the answers. This is done to corroborate if your defined program is executed in the manner described in your policy and procedures. Processes and situations often change to meet the dynamic environment of the standards, you do not want the responsibility of providing an inaccurate or misleading answer to the auditor. Stay within your level of expertise and knowledge. If necessary, call for additional support to provide the information needed by the auditor.

8.      Be Poised and Professional

Always be poised and professional, establish a positive tone with the auditors. Be courteous and cooperative. Auditors are professional seeking to understand your compliance environment. Keep a business posture and don’t take anything personal – find common ground with the auditor. Avoid conflict during interviews and exit presentations, if there is a disagreement with an auditor, it does not serve the process to escalate – discuss and seek clarity, but do not argue the results. If you feel you have legitimate disagreements, discuss internally with management and legal. Refer to the NERC Rules of Procedure on the appropriate way to bring your grievances to the attention of the Regional Entity Enforcement Department or NERC. Your attitude and behaviors can shape the audit outcome tremendously.

9.      Capture Lessons Learned for Feedback

During the audit engagement, capture in detail what went well and what could have been done better. Many times, you can apply these lesson as the audit progresses and smooth out your delivery of information and interaction with the auditors. Following the completion of the audit engagement, conduct a post audit lessons learned meeting, use feedback from the auditors. Determine how you can apply your lessons to your policy, procedures, compliance narratives, evidence quality, training activities etc.