In 2023, after completing an audit that identified multiple areas for improvement, this organization called upon NST for a full program review. In addition to a review of the program itself, the organization requested NST to conduct a high-level analysis of staffing levels and organizational structure with respect to their compliance program.
During the program review, NST noticed a pattern: the organization’s SMEs performed many of the activities required to demonstrate compliance across the board, but program documentation failed to take credit for all the activities. With such a large organization, unintentional silos stifled communication between different business units, and there was a disconnect between compliance personnel and technical SMEs.
With a solid perspective on the organization as a whole, NST provided valuable input on how the current staffing levels across business units impacted the overall burden of compliance and helped to “right-size” each one to their responsibilities. NST guided program remediation efforts and helped strengthen connections among the various teams to promote a more cohesive compliance program throughout the organization.
NST also kicked off a large-scale effort to ensure that program documentation accurately reflected the activities performed by SMEs. NST ensured that credit was only taken for activities with solid performance records and internal controls so that the organization was not held accountable for activities performed only most of the time.
Following the initial gap assessment and remediation, NST was invited to assist the organization in preparing for their upcoming NERC CIP audit. The organization wanted to show their RE that they had made progress on the program since the last audit but feared that they may expose other program areas to unnecessary scrutiny.
To start, NST conducted an audit “bootcamp” for SMEs which addressed the audit life cycle, the CIP ERT, RSAWs, performance records, and similar topics. NST then oversaw the collection, presentation, and submission of evidence to the Regional Entity. The audit evidence was diligently packaged; cover letters, bookmarks, notes, and pointers were meticulously crafted to lead auditors directly to the information they needed to determine compliance. NST’s evidence packaging methodology limited the need for SME interviews, avoided exposing additional program areas to unnecessary scrutiny, and even garnered praise from the Regional Entity.
Following a successful audit engagement, the customer has continued to partner with NST to support continuous improvement, ongoing remediations, and preparation for new and upcoming Standards.
NST is currently engaged with this organization to prepare for CIP-012-2, CIP-015, and the Virtualization Standards.
