
NERC RSAWs: Five Common Challenges

December 7th, 2020

Over the past few years, Regional and Registered Entities have been sharing NERC audit experiences and best practices. While helpful, these are often broad “Here’s what was required, here’s what we did, make sure you address that” presentations.

However, when Notification of Audit letters arrive in your inbox defining the audit scope and sub-requirements, those PowerPoint discussions simply do not go deep enough into the real challenges of responding to RSAWs. Some common RSAW challenges you may face are outlined below.

1. RSAW Knowledge Gaps Between Audits
Completing RSAWs accurately can be challenging because of changing NERC requirements, critical knowledge lost through retirement and job changes, and escalating resource constraints. With the exception of spot checks, regulatory audits of NERC registered entities are typically three or more years apart. As a result, there may be no ongoing process for keeping RSAWs up to date, which prevents dynamic or “living” compliance.

2. The Difficulty of RSAW Preparation
RSAWs demand adherence to exacting policy, procedure, narrative, evidence, formatting, and submittal package requirements. They are not easy—or quick—and require rigorous attention to detail. Ensuring successful RSAW preparation and submittal has required hundreds of hours for some NERC registered entities.

3. Inconsistent Standard Applied to RSAW Narratives during Regional Audits
Applying a consistent measure to RSAW narratives, evidence type, or submittal across the six Regional Entities can often be challenging. Registered entities in multiple jurisdictions must ferret out regional differences and requirements. Auditors rely on evidence, questioning Subject Matter Experts, and Operator interviews as much as the RSAW narrative, although expectations for RSAW narratives will vary among different audit teams.

4. Lack of Central Repository for Files, Folders, & Evidence
Often compliance documentation is archived in various Word documents, standalone spreadsheets, personal emails, PDFs, phone texts, voicemails, telephone recordings, and legacy enterprise systems. These are rarely searchable, readily available, or electronically linked. Often there are multiple versions of policies and procedures, narratives, and evidence, resulting in out-of-date RSAWs, formatting differences, and changes in content. Without a central compliance management system, registered entities must search for and verify hundreds of documents and artifacts and create a standard management system.

5. Inconsistent RSAW Submittal Package Requirements
Occasionally, RSAWs must be submitted via specific versions of Internet Explorer, Mozilla Firefox, or Chrome. Interfaces to EFT Server and client interfaces may be required, along with specific applications. File structure and naming conventions can be confusing and vary by Regional Entity.

The RSAW is your primary method of communicating your entity’s internal compliance process, controls, and evidence. As such, RSAWs are the “make it or break it” component of your audit – they are, indeed, the road map of your compliance program. If you find your team is experiencing any of the above challenges, we have a solution for you. Learn more about our RSAW solution and how it can generate submittal packages with a simple click of a button by contacting our compliance consultants at support@certrec.com or visiting www.certrec.com/nerc-rsaws.

NERC RSAWs
https://youtu.be/JIUSWz3hF_k