Constraints on in-person activities because of the COVID-19 pandemic could result in the streamlining of future audits, SERC Reliability said at the 2021 Spring Reliability and Security Seminar this week.
ERO Pandemic-related Measures Extended Again.)
While the suspension disrupted SERC’s procedures for investigating noncompliance by registered entities, members of the regional entity’s audit staff said the experience has been helpful too.
“The remote virtual audit process has given us challenges, but it’s also allowed us the opportunity to build processes that will allow us to be more efficient performing audits in the future,” said Ted Bell, a critical infrastructure protection compliance auditor at SERC. “We’ve been challenged to use our technology in new ways, to exercise greater communication and scheduling flexibility, and to find new and different ways of communicating.”
Relationships Key to Success
One of the biggest lessons of the pandemic was the importance of maintaining a productive relationship between the audit teams and registered entities. To lessen the burden on utilities trying to implement COVID-related distancing and sanitation requirements, SERC changed its 120-day audit notification to allow entities to complete the first level of its Evidence Request Tool within the first week of receiving the audit notification letter. This meant that the auditors were able to “perform sampling earlier in the process,” while the utility could start on the second level earlier.
SERC’s normal audit procedure also assumes examiners will be able to visit the registered entity in person to interview staff and inspect facilities. The pandemic meant auditors would have to find some other way of getting the required information.
“Normally we look forward to the … on-site week. We know that we’re going to have one-on-one, face-to-face contact with individuals, and any pending requests or clarification that’s needed … we’ll get that information,” said Barbara Marion, SERC’s senior operations and planning compliance auditor. “Well, that was not an option at this time. Because of the nature of virtual auditing, collaborative efforts were necessary, [and] consistent communication was key.”
In some cases this meant expanding the areas where entities could self-certify, but in-person contact could not be replaced so easily in other regards. For example, Bell noted that in the case of “a previous risk … identified through a self-report of previous monitoring engagement,” the RE could not rely on the entity’s word that it had corrected the problem.
Video Visits Expected to Continue
For these cases the RE implemented technology tools such as video conferencing as much as possible. In extreme cases, this saw the team replicating the “the three rooms you might have in an on-site audit,” with separate chat rooms for subject matter experts, audit staff and entity representatives. This worked, but sometimes caused problems for staff who were unaccustomed to such arrangements.
“One of the things that we learned quickly is to make sure that you’re muted and unmuted on the appropriate calls,” Bell said. “So if we started hearing from the other room when we weren’t supposed to we would immediately mute [that line].”
Despite these growing pains, auditors said the experience has been positive overall: The unprecedented situation forced them to improve their relationships with registered entities and their familiarity with new technology. While the RE is looking forward to being able to resume on-site audits, Todd Curl, SERC’s senior manager of compliance monitoring, confirmed that utilities can expect audit teams in the future to more closely examine whether such visits are actually necessary.
“Please understand, if we don’t have a need to go on-site, we won’t,” Curl said. “A good rule of thumb is, the higher the risk, the better the probability that we’ll … need to come on-site at least for some aspect of the audit.”