
Tips on How To Prepare for NERC Audits


How to Get Better at Tackling Audits

1. Conduct Mock Audits

Well in advance of an audit, conduct mock audits that include interviews with your subject matter experts (SMEs). Auditors will test SME knowledge, inspect the actual environment in question, and ask you to demonstrate how particular requirements are met, so the mock audit should do the same.

2. Understand the Requirements

Understanding each requirement is vital: what the Entity needs to do, and what evidence the auditors will be checking. Highlight the strongest elements of your program and the evidence supporting compliance in your answers, so that the auditor knows you have done your homework.

3. Prioritize Your RSAWs

An RSAW (Reliability Standard Audit Worksheet) is the tool you use to show an auditor that you are compliant with a requirement. Put serious effort into RSAWs so auditors can verify compliance from the documentation. Ensure that you showcase your procedures and policies. Evidence may be requested for the whole audit period (from the previous audit to the current audit), so it is best to establish a compliance timeline demonstrating continuous compliance with the standard rather than a point-in-time snapshot. Ensure that RSAWs are thorough, and review them for accuracy. Use an independent third party whenever possible to validate that your RSAWs are audit-ready.

4. Prepare and Present

Adequate preparation and clear presentation of evidence help the auditor make informed decisions about your compliance status. Make it easy for them: keep the evidence easily accessible, and draw their attention to the relevant compliance information. Be polite, helpful, and patient. Be ready to answer open-ended questions succinctly without straying from the topic. Check for understanding using repeat-backs and paraphrasing.

5. Don’t Forget to Listen

Listen actively to what the auditor says, repeat questions, and paraphrase to ensure understanding. Don't argue every point, and take the time to explain obscure acronyms, diagrams, or procedures to better tell your story of compliance. You and the auditors are working towards the same goal: ensuring the reliability and security of the North American energy grid.