- Suppose your region provided compliance guidance for a requirement or you read about the issue in some official guidance, and you based your compliance approach for that requirement on what you had been told or read. You did this because this was the most recent guidance you could find. This doesn’t preclude you from still being found in violation at audit. NERC or your region may change its mind or decide it made a mistake, the CIP Standards Drafting Team may issue a draft requirement that clarifies the issue, FERC could issue an Order or a NOPR that affects the issue, etc. In other words, contrary to what I wrote in the previous post, just being able to show that your action was in accordance with the best guidance available at the time doesn’t give you a Get Out of Jail Free card for a future violation.[i]
- Even when your region provides guidance on a requirement, it isn’t expecting you to follow that guidance blindly. If you have documentation of guidance issued by some “official” entity that contradicts the region’s guidance, and you want to follow that guidance rather than the region’s, you should feel free to do so.
- And it seems the regions aren’t infallible and can change their minds! I was shocked…shocked! to hear this, of course.
“We will be, hopefully, reasonable in both our guidance and also our ultimate finding. But there is absolutely no way an auditor will declare today how it will find an entity in 2019. We have to see the facts and circumstances at the time of the audit. In the end, we take industry guidance under advisement and give it weight. But, to the extent the guidance includes errors or contradicts the language of the Requirement, we have no choice but to audit to the language of the requirement. The entity can appeal the auditor's finding through the enforcement process.
“So be very careful trying to characterize what an auditor will do in the future….(T)hat does not invalidate the appropriateness of an entity asking for advice and guidance. They are still better off than asking some of the consultants out there that have not been as closely involved with the CIP Standards.”