[Federal Register Volume 74, Number 24 (Friday, February 6, 2009)]
[Notices]
[Pages 6282-6283]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E9-2527]




-----------------------------------------------------------------------

DEPARTMENT OF ENERGY

Federal Energy Regulatory Commission

[Docket No. AD09-3-000]


Compliance With Mandatory Reliability Standards; Guidance Order 
on Compliance Audits Conducted by the Electric Reliability Organization 
and Regional Entities

Issued January 15, 2009.

Before Commissioners: Joseph T. Kelliher, Chairman; Suedeen G. 
Kelly, Marc Spitzer, Philip D. Moeller, and Jon Wellinghoff

    1. In this order, the Commission provides guidance on conducting 
compliance audits to the North American Electric Reliability 
Corporation (NERC), the certified Electric Reliability Organization 
(ERO), and the eight Regional Entities to which NERC has delegated 
responsibility for enforcing Commission-approved Reliability Standards 
within the United States.
    2. NERC and Regional Entities conduct compliance audits of 
registered entities subject to mandatory Reliability Standards approved 
by the Commission. They conduct these audits pursuant to procedures 
approved by the Commission under FPA sections 215(c)(2)(C) 
(certification of the ERO) and 215(e)(4) (approval of delegation 
agreements), which, among other things, require that the ERO and 
Regional Entities provide fair and impartial procedures for enforcement 
of reliability standards.\1\ This order provides guidance to the ERO 
and Regional Entities with respect to implementation of Section 3.1 of 
NERC's Compliance Monitoring and Enforcement Program (CMEP), which the 
Commission approved on April 19, 2007 pursuant to FPA sections 
215(c)(2) and 215(e)(4).\2\ This guidance stems from Commission staff 
observations of audits that NERC and the Regional Entities have 
conducted into whether particular users, owners and operators of the 
Bulk-Power System are complying with Reliability Standards.\3\
---------------------------------------------------------------------------

    \1\ 16 U.S.C. 824o(c)(2)(C) and 824o(e)(4) (2006).
    \2\ North American Electric Reliability Corp., 119 FERC ¶ 
61,060, at P 41 (2007).
    \3\ The Commission disclosed these observation audits in the 
2008 Report on Enforcement (Docket No. AD07-13-001) at 26 (issued 
October 31, 2008).
---------------------------------------------------------------------------

    3. We require that NERC and Regional Entities ``base their 
compliance audit processes in the U.S. on professional auditing 
standards recognized in the U.S., such as Generally Accepted Accounting 
Standards, Generally Accepted Government Auditing Standards, and 
standards sanctioned by the Institute of Internal Auditors.'' \4\ We 
allow flexibility for NERC and the Regional Entities to implement their 
compliance audit programs in that they are to base their audit 
processes on these auditing standards.
---------------------------------------------------------------------------

    \4\ North American Electric Reliability Corp., 122 FERC ¶ 
61,245, at P 42 n.29 (2008). NERC currently so provides in CMEP 
section 3.1. The Commission further clarified the matter recently by 
requiring that in CMEP section 3.1, NERC substitute the term 
``Generally Accepted Auditing Standards'' for ``Generally Accepted 
Accounting Standards.'' North American Electric Reliability Corp., 
125 FERC ¶ 61,330, at P 14 n.11 (2008).
---------------------------------------------------------------------------

    4. Nevertheless, our staff has observed that additional consistency 
in compliance audit processes among NERC and the Regional Entities 
within the United States would be beneficial. We expect NERC and 
Regional Entities to implement the following guidance, as appropriate, 
in ongoing compliance audits and in all compliance audits that commence 
on or after the date of this order.

A. Audit Team Leadership and Training

    5. In order to resolve possible perceptions that a Regional 
Entity's compliance staff is not sufficiently independent from the 
audited entity, such as the Regional Entity itself or its affiliate, 
NERC staff sometimes leads compliance audit teams in which Regional 
Entity staff participates. This is intended to assess compliance in an 
unbiased or professional manner.\5\ In these audits, Regional Entity 
staff should serve as subject matter experts, rather than lead the 
audit or advise on its conduct or scope. NERC staff should control the 
scope and conduct of a NERC-led audit and refrain from seeking advice 
from or involving Regional Entity staff on the direction or findings of 
the audit. NERC and Regional Entity staff should assume these roles 
from the beginning of the pre-audit stage of such a NERC-led audit 
until the completion of the final audit report.\6\
---------------------------------------------------------------------------

    \5\ For example, NERC staff will lead any audit team conducting 
a compliance audit of the reliability coordinator function of the 
Western Electricity Coordinating Council (WECC), a Regional Entity. 
North American Electric Reliability Corp., 119 FERC ¶ 61,059, at P 
35, 39 (2007).
    \6\ This guidance does not apply to compliance audits that NERC 
leads for other reasons, such as when NERC personnel have 
specialized technical knowledge of particular standards.
---------------------------------------------------------------------------

    6. CMEP section 3.1.5 requires that for all compliance audits 
conducted after January 1, 2008, each audit team member must 
successfully complete all NERC or NERC-approved Regional Entity auditor 
training applicable to the audit. We suggest that NERC and Regional 
Entities ensure that this audit training include skills in 
interviewing, choosing samples of matters to be audited, and evaluating 
evidence.

B. Pre-Audit Procedures

    7. We suggest that NERC, in the context of developing, reviewing 
and updating its pre-audit questionnaires, ensure that audit team 
requests for information and documents about specific matters are as 
consistent as possible among the Regional Entities.\7\ For organizing 
requests for data and information, all compliance audit teams should 
use a database consisting of a spreadsheet that serves as a checklist 
for all requirements of Reliability Standards that are to be audited.
---------------------------------------------------------------------------

    \7\ Cf. Guidance on Filing Reliability Notices of Penalty, 124 
FERC ¶ 61,015, at P 21 (2008) (Notice of Penalty Guidance Order) 
(observing that the format and content of compliance staff forms and 
questionnaires directly influence the quality and relevance of the 
information and documentation elicited in response).
---------------------------------------------------------------------------

    8. Compliance audit teams should request that registered entities: 
(1) organize responses to data requests and other audit evidence into 
the format that the audit team will use to match evidence to compliance 
with particular requirements; and (2) cross-reference the information 
provided to the audit team to specific requirements of the Reliability 
Standards being audited. Registered entities' responses should label 
all information that is responsive to a particular audit team request 
relating to specific requirements.
    9. Each audit team should allot sufficient time to complete its 
review of responses to pre-audit data requests before beginning site 
visits or similar efforts. During pre-audit preparation, audit teams 
should identify and examine any mitigation plans and associated 
documentation pertaining to standard requirements to be audited, 
including assessing, as relevant, whether mitigation plan milestones 
have been met, mitigation plans have been completed in a timely manner 
and whether completion of a mitigation plan was sufficient to bring the 
registered entity into compliance with applicable requirements.\8\
---------------------------------------------------------------------------

    \8\ We recently highlighted the importance of ascertaining 
whether a mitigation plan has been completed on time, including 
adequate review of documentation or self-certifications submitted by 
a registered entity, so as to bring the registered entity into 
compliance with applicable requirements. Notice of Penalty Guidance 
Order at P 35-37.
---------------------------------------------------------------------------

C. Procedures During the Compliance Audit

    10. A compliance audit should ascertain that the registered entity 
is in compliance with a requirement or that there is evidence that a 
violation of the requirement has occurred. A compliance audit team 
should not consider 
or discuss whether a monetary penalty or some other sanction would be 
appropriate if the Regional Entity finds that the registered entity has 
violated the requirement. Nor should a compliance audit team base its 
decision regarding whether evidence of a violation exists upon the 
resources or time needed for litigation or settlement of a related 
notice of alleged violation.\9\ The Commission would look with disfavor 
on the conclusions of a compliance audit that is based in any way on 
these considerations.
---------------------------------------------------------------------------

    \9\ This separation of roles is consistent with our own staff's 
practice. See 2008 Report on Enforcement at 26-27.
---------------------------------------------------------------------------

    11. We emphasize that NERC and Regional Entities need to be as 
consistent as possible about the level of evidence or documentation 
that is needed to demonstrate compliance for particular requirements.
    12. A compliance audit conducted by NERC or a Regional Entity 
should include an assessment of the registered entity's Reliability 
Standards compliance program. We suggest that NERC and the Regional 
Entities discuss how NERC's audit guidelines and audit data requests 
and questionnaires could better elicit information on the factors 
discussed in our recent Policy Statement on Compliance.\10\
---------------------------------------------------------------------------

    \10\ Compliance with Statutes, Regulations, and Orders, 125 FERC 
¶ 61,058 (2008).
---------------------------------------------------------------------------

    13. If an audit team learns about a situation that does not appear 
to involve a current or ongoing violation of a Reliability Standard 
requirement, but instead represents an area of concern that could 
become a violation, we expect the team to notify the registered entity 
of the situation, discuss it with the entity, and document such 
discussions in the compliance audit report. We remind audit teams that 
they are expected to fully test compliance with any non-actively 
monitored standard if the teams find evidence during the audit of non-
compliance with such a standard.\11\
---------------------------------------------------------------------------

    \11\ See NERC Rule of Procedure 401.6 and CMEP section 3.1.4.
---------------------------------------------------------------------------

    14. We believe implementation of this guidance will improve the 
consistency of compliance audits relating to Reliability Standards and 
result in greater compliance with them.

    By the Commission.
Kimberly D. Bose,
Secretary.
[FR Doc. E9-2527 Filed 2-5-09; 8:45 am]
BILLING CODE 6717-01-P