September 18, 2024
As energy utilities increasingly adopt advanced technologies and face ever-evolving regulatory requirements, the need for strong internal controls has never been more crucial. If you’ve recently undergone a NERC, FERC, or regional audit, you understand the significance. It’s no longer just about perfection; having a well-designed internal controls program is key to navigating these challenges.
In this discussion, we examine how utilities manage internal controls, grounded in the historical framework established by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and its relevance to current NERC regulations. But how can you be sure you’ve accounted for everything? And why does that matter more than striving for perfection? Put in homeowner terms, NERC auditors arguably would rather see a robust, failsafe security system than a perfect record of no burglaries.
Historical Context and Origin of Internal Controls
The concept of Internal Controls has evolved significantly since its formal inception with the establishment of COSO in 1985. COSO was created to develop a robust framework to enhance organizational internal control systems, risk management, and governance. Its landmark publication, “Internal Control – Integrated Framework,” is crucial for designing, implementing, and evaluating internal controls, providing a foundation that many energy utilities have adopted to ensure compliance with regulatory standards, including those set by NERC.
COSO Framework and Its Relevance to NERC Compliance
The COSO framework outlines five core components: Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring Activities. These components are instrumental for utilities in ensuring effective and efficient operations, reliable financial reporting, and compliance with applicable laws and regulations, which are critical for adhering to NERC standards.
- Framework Adoption: Many energy utilities utilize the COSO framework as the backbone for their Internal Controls, aligning these controls with NERC’s reliability and security standards for the bulk power system.
- Risk Management Integration: COSO’s structured approach to risk assessment and control activities is directly applicable to meeting NERC requirements, helping utilities proactively manage risks that could impact their compliance and operational integrity.
Challenges in Managing Internal Controls
Managing Internal Controls within the energy sector involves navigating through layers of complexity, integrating these controls with advanced operational technologies, and aligning them with evolving regulatory requirements. And if you’re an energy utility, you have hundreds, if not thousands, of documented controls, all of which need to be reviewed on a regular basis. Ultimately, the number of internal controls is often a reflection of the utility’s risk profile, regulatory exposure, and operational complexity.
- Complex Systems Integration: Utilities must harmonize sophisticated control systems with operational technologies that support compliance with NERC standards. Automation plays a crucial role here, as utilities push for solutions that reduce manual errors and streamline oversight processes. For example, automating tasks such as filling out and validating contractor information forms can drastically reduce errors. A shift from manual data entry to automated workflows, where systems ensure that all required fields are completed before signatures can be added, has led to significant reductions in mistakes.
- Monitoring and Adaptation: Implementing advanced monitoring solutions that can dynamically track compliance and adapt to changes in regulatory requirements is essential. This includes creating automated triggers that kick off workflows when standards are updated, ensuring that upstream processes, like IT management, remain aligned with regulatory expectations.
Organizational Processes and Continuous Improvement
- Ongoing Training and Standardization: Continuous education and standardized processes across the organization are crucial for maintaining the effectiveness of Internal Controls and ensuring uniform compliance. The role of Subject Matter Experts (SMEs) is vital, as they often seek automated solutions and dashboards to oversee complex processes. Collaboration with technical experts and automation of routine tasks is key to reducing manual efforts and minimizing the risk of errors.
- Documentation and Communication: Meticulous documentation and effective communication are vital for demonstrating compliance during NERC audits and for internal assessments. In organizations where compliance might butt heads with security teams, open communication and alignment on objectives are critical. If there’s conflict, it often stems from differing interpretations—security might want more frequent actions than compliance requires, leading to excess work. Here, it’s essential to re-evaluate policies to avoid unnecessary duplication of effort.
Navigating Regulatory Requirements and Audits
- Regular Compliance Audits by NERC: These audits are critical for ensuring that utilities adhere to NERC standards, with a focus on areas such as system operations, cybersecurity, and emergency preparedness. A well-managed Internal Control system can spotlight issues early, allowing for adjustments before audits take place.
- Adaptation to Regulatory Changes: Utilities must remain agile to adapt their Internal Controls in response to ongoing changes in NERC standards and broader regulatory developments. Ensuring that internal controls for both compliance and security are not only in place but also aligned is crucial. As regulations evolve, so must the controls—triggering reviews, updates, or the creation of new controls as necessary.
Future Outlook and Strategic Compliance Management
As the NERC regulatory footprint and technological environments continue to evolve, the role of Internal Controls will become increasingly central in navigating these changes. Utilities must employ strategic approaches to manage these controls effectively:
- Proactive Risk Management: Comprehensive risk assessments and dynamic risk management frameworks are essential for adapting to new threats and maintaining system integrity. Organizations with adequate internal controls often find that audits focus on other areas, which itself highlights the effectiveness of those controls. Regular review of each and every internal control is not just best practice; it is required.
- Enhanced Digital Tools for Documentation: Utilizing digital solutions for documentation enhances the accuracy, accessibility, and manageability of compliance records, facilitating easier audits and compliance tracking. For example, these tools can also help in creating more versatile Incident Response Plans (IRPs) that are tailored to different operational needs, ensuring that compliance requirements such as CIP-008 (Incident Response) are met without creating unnecessary paperwork. The same is true for all NERC requirements. By addressing regulatory requirements with a robust internal controls program, supported by digital tools that automate and streamline processes, utilities can achieve the ultimate goals of enhanced security, safety, reliability, and resilience.
Conclusion
In the endless rocky landscape of NERC compliance, mastering internal controls is essential—not only for regulatory adherence but for integrating these controls into the everyday operations of utilities. More important than achieving perfection (though that’s the expectation in NERC compliance), these controls enhance reliability, security, and compliance, equipping utilities to face both current and future challenges in an increasingly digitized environment. As these systems evolve, the focus will shift even further toward automation, integration, and continuous improvement, ensuring utilities stay ahead in a highly demanding regulatory world.
View our recent webinar, where we dive deeper into practical solutions to streamline CIP-004 compliance in your organization.
About the Author
Scott Crow is the Senior Business Systems Strategist – Energy & Utilities at AssurX, where he drives strategic innovation and technological transformation across the critical infrastructure landscape. With extensive experience in delivering IT/OT solutions, Scott specializes in tackling the most pressing cybersecurity and compliance challenges for the energy and utilities sector. His expertise lies in aligning technology with business objectives, seamlessly integrating people, process, and technology to develop solutions that optimize operational performance while safeguarding critical systems.