The INPOWERD Perspective: The Quiet but Significant ERO Internal Controls Shift: Why Functional Internal Control Programs are More Important than Ever.

By Earl Shockley, President and CEO, INPOWERD LLC

Trust • Accountability • Service

Technical Context

Most registered entities do not fail to achieve North American Electric Reliability Corporation (NERC) compliance objectives because they lack technical knowledge, ignore requirements, or refuse to do the work. In my experience as a former NERC regulator and now the CEO of a consulting firm that has worked directly with registered entities for the past decade, the failure pattern is far more consistent, predictable, and frankly preventable. NERC’s recent shift in Electric Reliability Organization (ERO) compliance philosophy toward internal controls is a direct reflection of what the data has been showing for years.

Registered entities fail because they cannot consistently control the work and, more importantly, cannot consistently prove the work with defensible evidence that meets renewed regulatory expectations. That is the heart of internal controls, and a more scrutinized approach by regulators is now changing how the industry must view Internal Controls Programs.

Internal controls are not paperwork. They are not a compliance add‑on. They are the discipline and structure that turns regulatory requirements into reliable, repeatable performance, supported by credible evidence, sustained over time, and resilient through change.

Internal controls are the engineering layer between NERC Reliability Standards and consistent compliance performance. They are a defense in depth around a key enterprise risk, yet they continue to be a key failure mode simply because organizations rarely have formal internal controls programs, policies, or procedures, or a means to show how controls reduce risk to an acceptable residual level. As a result, there is often no governance or leadership focus on controlling the work.

From a former regulator’s perspective, the outcome is often predictable. Compliance becomes a collection of tasks, calendars, and individual effort rather than a controlled system that produces repeatable, defensible assurance. Internal controls are often treated as something created to satisfy auditors. That mindset is backwards.

When internal controls are not identified, cataloged and tested, compliance becomes a high‑cost, after‑the‑fact reconstruction exercise, especially during audits, spot checks, investigations, or data requests. Evidence is chased, narratives are built under pressure, and leadership becomes reliant on institutional memory rather than controlled execution.

Leadership Implication

Compliance performance is not proven by effort. It is proven by controlled execution and credible evidence over time, and that is now a central expectation of NERC and regional regulators.

The ERO Enterprise Shifting Perception on Internal Controls: Why It Matters

The ERO Enterprise continues moving toward a risk‑informed evaluation of entity performance, including how internal controls reduce risk and prevent recurring noncompliance. Auditors are increasingly evaluating internal controls, not just compliance outcomes. Why? Enforcement data has shown that sustainable compliance is a function of internal controls and management oversight, not last-minute heroics during audit preparation.

In mid‑2025, NERC published its “ERO Enterprise Enforcement Cause Code User Guide”, formalizing a structured taxonomy to capture root causes of noncompliance and identify systemic trends. As of mid‑2025, approximately 1,800 dispositions had been assigned to an Enforcement Cause Code. More than 40 percent of those root causes were concentrated in just two categories: ineffective preventive controls and deficient department or business‑level policies and procedures. I predict the trend will continue to follow the same trajectory.

This has practical implications. Entities are increasingly evaluated not only on whether they can produce evidence for a requirement, but on whether they can demonstrate that their processes are repeatable, managed, and tested.

It also places a spotlight on organizational maturity and executive‑level governance.

If compliance performance depends on a handful of experts, tribal knowledge, or chaotic audit preparation and evidence management, the work is not being controlled, even if violations have not yet surfaced. Winners and losers share the same goals and aspirations for success. The difference is that winners build systems that consistently meet those desired obligations. The sustainable difference is that compliance becomes part of the culture and organizational framework like safety, one that embraces an extreme ownership of the compliance objectives.

Leadership Implication

One of the biggest lessons I learned as a regulator is that enforcement outcomes often reflect upstream control weaknesses. Now that the ERO is actively collecting and analyzing that data, those weaknesses will increasingly become transparent and will justify stronger enforcement outcomes when internal control programs do not exist or cannot be articulated properly.

The Quiet but Significant Shift: ICE Is Gone and Internal Controls Now Live Inside CMEP Audits

Historically, Internal Controls Evaluations (ICE) were established as a voluntary evaluation process to help the ERO understand compliance risk, focus audits on the riskiest elements, and scope compliance engagements more effectively. They were conducted outside of audit and enforcement practices. That construct no longer exists.

In December 2025, NERC issued a major revision to the “ERO Enterprise Guide for Internal Controls”. One of the most important clarifications in the 2025 revision is the removal of the idea that ICE reviews occur outside the audit framework. NERC removed all references to ICE and the ICE process, and now expects internal controls evaluations to be fully integrated within standard Compliance Monitoring and Enforcement Program (CMEP) activities.

This change is subtle on paper but significant in practice. Under the revised framework, internal controls are reviewed during CMEP activities, not outside of them. Control design and implementation effectiveness are evaluated alongside compliance testing.

The ERO is explicit that auditors obtain an understanding of internal controls through inquiries, observations, inspections, and testing during CMEP engagements. Those conclusions can influence how an entity is monitored in the future. Control evaluations are now captured during audits, spot checks, self-assessments and other CMEP activities; assessed for design and implementation effectiveness; used to judge whether compliance performance is sustainable; and used to inform future monitoring frequency and intensity.

In practical terms, internal controls have shifted from a discussion topic to a direct input into regulatory and enforcement judgment, reinforced by a long-standing regulatory expectation, articulated in FERC’s “2005 Policy Statement on Enforcement”, that compliance programs be formally structured, budgeted and managed using defined criteria.  

As a result, registered entities should expect auditors to ask more than whether a requirement was met. They will ask how the requirement is met consistently, what controls prevent failure, how control drift and failure is detected, and what evidence demonstrates control effectiveness.

If a registered entity's responses are weak, informal, or undocumented, the risk is no longer abstract.

Leadership Implication

Internal controls are no longer a side program or a “nice to have.” They are now a core measure of leadership accountability and regulatory defensibility inside every CMEP engagement.

In practical terms, leaders should assume auditors are evaluating more than compliance outcomes. They are evaluating whether leadership has built a disciplined, sustainable control environment that prevents failure, detects drift, and demonstrates management-in-control. That means internal controls must be treated as an enterprise governance responsibility with clear ownership, funding, and performance expectations, not something delegated to a compliance team to explain during an audit.

The Trap: We Don’t Need a Program, We Just Need People to Do the Work

I hear this statement frequently when speaking with executives and frontline leaders, and it is now more consequential than ever. With internal controls fully embedded in CMEP audits, this belief is no longer a harmless mindset or a deferred improvement. It is a direct misalignment with how audits are conducted and how sustainability is evaluated.

Saying “we do not need a formal internal controls program, people know how to do the work” is the compliance equivalent of saying we do not need instrument panels, only pilots who know how to fly, or that we prefer crisis management over risk management. That is not leadership. It is gambling with reliability and organizational reputation.

Culture is the strongest indicator of the control environment because it reveals whether compliance is owned as a reliability value, and the purpose of an internal controls program is to expose and correct control weaknesses long before an auditor does. Internal controls programs are a culture statement. A weak control environment says, “we are chaotic, reactive and shoot from the hip”. A strong control environment says, “we manage structure, risk, and discipline”.

In organizations with a strong control culture, people understand not only what the requirement is, but why it matters, how failure creates risk, and when escalation is expected. Deviations are surfaced early, controls are challenged and improved, and evidence is produced as a natural outcome of disciplined execution.  

In weak control cultures, controls are non-existent or misunderstood, issues are rationalized or deferred, and risk accumulates silently until it is discovered through an audit, an event, or an investigation. Auditors recognize this distinction quickly, not through statements or policies, but through how consistently work is performed, how confidently staff explain their controls, and how leadership demonstrates oversight.

Audit Implication

The ERO Enterprise increasingly evaluates internal controls, not just compliance outcomes. Auditors want to understand whether compliance performance is the result of a system or a series of isolated successes.

Internal Controls: What Good Actually Looks Like

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) describes internal control as a program consisting of operating practices or controlling activities established through policy to provide reasonable assurance that objectives will be achieved. The COSO framework has five components: control environment, risk assessment, control activities, information and communication, and monitoring activities.

From my operations, regulatory, and risk experience, I define internal controls as the control elements around systems, processes, and people that render organizational objectives free from unacceptable harm caused by risk and uncertainty. Internal controls should live in the discipline of execution every day, every interval, and every time.

In a NERC internal controls program, it is important to distinguish between control categories and control classifications because they answer two different questions. Control categories describe the type of control based on how it is implemented, typically administrative, technical, or physical.

  • Administrative controls - people- and process-based mechanisms such as policies, procedures, training, approvals, and management reviews;
  • Technical controls - system- or tool-based mechanisms such as access controls, automated workflows, system configurations, and monitoring logs; and
  • Physical controls - facility- or asset-based protections such as locks, barriers, badge access, and surveillance.

Control classifications describe the function or purpose of the control, typically preventive, detective, or corrective.

  • Preventive controls - designed to stop a failure before it occurs;
  • Detective controls - identify failures or weaknesses after they occur (ideally early enough to limit impact); and
  • Corrective controls - fix failures and prevent recurrence.

Using both categories and classifications when designing and testing internal controls allows organizations to move beyond generic compliance checklists and instead build controls that are risk-informed, measurable, and aligned with how regulators evaluate management-in-control.

The “Most Common” Internal Controls NERC Auditors Look for (Quick Hits)

If you only implement a core set, these are the ones that matter most:

  • Clear requirement ownership and accountability
  • Formal compliance calendar / task tracking and escalation
  • Evidence repository, retention, naming standards
  • Periodic self-assessments / monitoring / QA and peer reviews
  • Training matrix and completion tracking
  • Change management for standards and for operational/system changes
  • Lessons-learned capture and program revisions, followed by effectiveness reviews
  • Management oversight and escalation

The Most Common Control Failure Modes

From an enforcement and oversight perspective, most internal control failures present as one of the following:

1) The control exists on paper but does not operate

  • Procedures are published but not followed consistently.
  • Roles are assigned, but owners cannot describe the control activity.
  • A control is “assumed,” not defined.

2) The work is done, but the evidence fails

  • Evidence is not contemporaneous.
  • Evidence is not attributable (no name, no timestamp, no approval trail).
  • Evidence does not link to the specific interval under review.
  • Evidence is stored across email boxes and local drives with no retention governance.

3) Control execution depends on a person, not a system

  • The control works because “Bill always does that.”
  • Turnover, vacations, or shift changes introduce inconsistency.
  • Evidence quality varies by department or individual.

4) Change breaks the control

  • Tools change.
  • Ownership changes.
  • Workflows change.
  • System configurations drift.
  • The control is no longer operating as designed, but nobody detects it.

Risk implication: These failure modes are not “small compliance problems.” They are systematic weaknesses that increase reliability risk and increase the probability of audit failures and repeat findings.

In organizations with strong controls maturity, I consistently see these practices:

  • Clear ownership and accountability - every requirement has an owner and a backup. Accountability is explicit and understood. Escalation is defined.
  • Evidence is engineered into execution - evidence is produced naturally through workflow, not hunted down later. The organization knows exactly what “good evidence” looks like and where it lives. They do not have to chase it.
  • Controls are monitored and tested - the entity verifies that controls operate over time—not just that they exist on paper. Testing is used to detect drift and weaknesses early.
  • Failures trigger disciplined correction - control failures are treated as reliability and compliance risks. They are logged, evaluated, corrected, and followed through to effectiveness reviews.
  • Management oversight is visible - leaders can demonstrate governance, supervision, and accountability. Oversight is not assumed—it is documented.

“Minimum Controls Per Requirement” Rule of Thumb (Practical)

For each standard requirement, aim for:

  1. One preventive control (procedure + execution discipline)
  2. One evidence control (repository + naming + retention)
  3. One detective control (periodic review/test)
  4. One corrective control (issue + corrective action plan (CAP) + effectiveness review)

That structure alone eliminates most repeat findings and evidence failures.

The INPOWERD Perspective

The INPOWERD perspective is straightforward. NERC compliance does not fail because organizations lack effort or technical capability. It fails when execution is not controlled, evidence is not engineered, and leadership relies on people instead of systems and culture to manage risk. Culture is the strongest indicator of the control environment because it reveals whether compliance is owned as a reliability value.

Internal controls are no longer an optional layer or an audit preparation exercise. They are how reliable organizations translate requirements into consistent, defensible performance. Entities that recognize this will reduce risk, build confidence, and strengthen regulatory trust. Those that do not will continue to experience compliance as a reactive, back-end, high-cost event rather than a managed business function.

The quiet shift is this: the audit is now a direct test of organizational maturity. If controls are informal, undocumented, inconsistently executed, or dependent on a few individuals, the organization’s risk profile rises, and future monitoring intensity will likely increase. Leadership can no longer rely on “we passed last time” as proof of readiness. The expectation is now sustained performance, proven through controls.

How INPOWERD Helps Registered Entities Strengthen Internal Controls

INPOWERD works with registered entities to educate staff, design, implement, and sustain internal controls programs that align with how the ERO Enterprise evaluates controls during CMEP audits. Our approach is grounded in operational reality, enforcement experience, and an understanding of how auditors assess control design, implementation, and sustainability.

We help organizations move from effort-based compliance to controlled execution by engineering requirement-level controls that clearly define control objectives, control activities, evidence expectations, and testing methods mapped directly to applicable NERC Reliability Standards. We focus on building controls that operate in daily execution, not controls that only exist to support audit narratives.

To support sustainability, we help entities implement risk-based monitoring and testing programs that evaluate both control design and operating effectiveness over time. Control failures are treated as reliability and compliance risks, with disciplined corrective action plans and effectiveness reviews that regulators expect to see.

Finally, we work with executive leadership to strengthen governance, oversight, and accountability. This includes clarifying ownership, reducing override and segregation-of-duties risk, and aligning internal controls programs with organizational culture so that compliance is owned as a reliability value rather than managed as a periodic obligation.

Our objective is simple. Simplify the complexity of Internal Control Programs.

About the Author

Earl Shockley

President and CEO of INPOWERD

earl.shockley@INPOWERD.com

Short Bio

Earl W. Shockley is the President and CEO of INPOWERD LLC and a nationally respected authority on NERC reliability, compliance strategy, and grid-risk governance. With more than 40 years of experience in real-time system operations, regulatory oversight, and enterprise risk management, he brings rare operational and regulatory depth to the challenges facing today’s electric grid. A former NERC executive and certified auditor, Earl has led or supported over 100 compliance and enforcement engagements, including audits, investigations, and major blackout reviews. He now serves as a trusted executive advisor and leadership coach to utility boards, CEOs, COOs, CFOs, CIOs, senior executives, and frontline leaders, helping them strengthen decision-making, clarify accountability, and align governance, culture, and internal controls with reliable outcomes. Through INPOWERD, Earl helps organizations move beyond check-the-box compliance to build resilient, accountable cultures. His leadership approach blends real-world regulatory experience with trust-based leadership, adaptive leadership skills, and emotional intelligence, empowering leaders to manage risk, navigate uncertainty, and protect reliability while strengthening public trust.
