Sean Sherman and I did a webinar on NERC compliance last week, which was very well received. The title was “Seven Practical Steps to Achieve and Maintain NERC Compliance.” We had over 100 people attend, and it was one of the most lively and interactive webinars I’ve seen in years. (Archived webinar link is here.)
This webinar had an astonishingly high attendance rate, with 80% of people registered attending. That’s more than 2x higher than average, which may indicate the urgency surrounding the first set of NERC compliance deadlines coming in June 2009, and the lack of specifics coming from the regulatory and enforcement agencies.
This will be the first of several blog entries in which I will provide highlights and summaries of the information presented in the webinar. In the next post, I will present some of the late-breaking news from the NERC auditors, presented at the WECC conference a couple of weeks ago. (WECC stands for Western Electricity Coordinating Council, whose members are the bulk power generation and transmission entities that must comply with NERC compliance requirements.)
In this article, I wanted to expound upon a very interesting question that was asked about working with internal audit:
“How should NERC compliance managers work with internal audit? How should we be coordinating testing, does any of the testing work really need to be duplicated, etc.? What about all the other compliance programs, like PCI, SOX-404, etc.?”
This is a terrific question, because the answer is that compliance managers may choose to do all or none of these, depending on how your view of the risk environment jibes with that of internal audit. Therefore, probably one of the best things that compliance managers can do is to sit down with internal audit and have a conversation about what they believe are the top compliance risks to the organization.
If internal audit and compliance managers have a common view of the organizational risk, all sorts of virtuous things may result. Internal audit may:
- Make us aware of other compliance objectives that are relevant to the IT infrastructure in scope for NERC compliance (e.g., financial reporting objectives for SOX-404, protecting cardholder data for PCI DSS)
- Make us aware of compliance testing that has already been done for the IT infrastructure in scope for NERC compliance (i.e., so we can rely on the work of others to use as compliance evidence)
- Or even potentially use the work of internal audit to fulfil the compliance evidence requirements
In an era where we have “compliance programs du jour,” there are tremendous efficiencies to be gained by scoping and testing controls for multiple compliance programs at once. Internal audit is uniquely suited to help. They have the lay of the land, having formulated what they believe are the major organizational risks into their audit plan, including contractual and regulatory risks. And they also have to do work for each of them, to gain assurance that management is not asleep at the wheel.
This is a topic of real interest to me, especially after I helped lead the Institute of Internal Auditors GAIT task force that developed and published the GAIT Principles and Methodology in January 2007, designed to help management appropriately scope the IT portions of SOX-404.
Effectively leading successful compliance programs requires expertise on risks and controls. Most often, that expertise is found among the auditors. So make sure you reach out for their expertise!
Questions or comments? Feel free to send me a note on Twitter! I’m @RealGeneKim.