In early May, EnergySec released a very important “opinion piece” that I think all people involved with NERC compliance (not just NERC CIP) should study carefully; this includes employees of NERC entities, NERC and FERC, as well as consultants providing compliance services to NERC entities. More generally, it includes anyone who cares about the integrity of the process of auditing NERC standards.
I won’t try to summarize this document, since it speaks very eloquently for itself. You need to read it very carefully, not just for what it says but for the implications of what it says. This means you really have to read it as you read the poems, short stories, etc. you were assigned to read in high school or college English classes (and you did read them, didn’t you?).
Just like in high school or college, I am going to give you an assignment. I want you to:
- Read the document carefully. Twice.
- Keep in mind that this document was written by ex-auditors (three of the principals of EnergySec are ex-WECC auditors). Try to understand the pain they must be feeling due to the actions described in the document – that is, what they believe those actions are doing to their long-cherished ideals of Auditor Independence.[i]
- This is a very tightly written document. Many of its most important points are stated in only a single sentence, and may not even be the main subject of that sentence. Look for those points.
- Ask yourself the following questions: “What are the implications of EnergySec’s argument for the future of NERC CIP auditing and compliance?”; “What are the implications for the other NERC standards?”; “What are the implications for the ERO itself?”[ii]
Remember, most of your grade for this course will depend on this assignment. And don’t tell me your dog ate it.
Note on 4/1/16: I have just linked this post in a post I put up today. Please note that EnergySec's conclusion in their opinion piece isn't the same as mine. I am saying the SGAS have most likely made CIP v5 (and v6) unenforceable in the strict sense that violations that are appealed to the Federal courts will never be upheld. EnergySec is saying the SGAS constitute a serious threat to auditor independence, but they don't go as far as my conclusion.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte & Touche LLP.
[i] Coincidentally, I have been learning a lot about Auditor Independence, in the almost two months since I joined the Advisory arm of a public accounting firm. There are very strict and thoroughgoing rules that apply not just to the auditors themselves, but to all of the rest of us who couldn’t explain the difference between a credit and a debit to save our lives. I have to follow some of the same rules described in the EnergySec document.
[ii] The notices for the SGAS now carry disclaimers stating they’re not providing compliance guidance, etc. However, I believe the main thrust of EnergySec’s objections to the SGAS is that the simple fact that the meetings are closed to the wider NERC community, and no record is published of them, constitutes a huge threat to auditor independence, if it doesn’t destroy it altogether. It is quite clear that the SGAS won’t be opened up, and their results won’t be shared with the community.