December 24, 2024
Stakeholder Soapbox: Your Audit Report may be Worthless
A good audit report isn't enough to protect utilities from federal penalties after a reliability event, argues former NERC official Terry Brinker.

By Terry Brinker

If you are like me, some sounds drive you crazy. For example, nails raking across a blackboard have always made me cringe. Recently, another sound or comment has given me that same response. When I speak with companies about doing a compliance assessment, an internal controls evaluation or even a mock audit, often I hear, “We are good; we passed our most recent audit.” Someone may as well have just raked his or her nails across a blackboard.

NERC FERC audit

Just ask the entities involved in the 2011 Southwest Blackout how passing an audit helped their case in the subsequent investigation. I will tell you. It did not help. Federal regulators assessed $37 million in fines and penalties as a result of that event. Arizona Public Service was assessed a penalty of $3.25 million despite having passed an audit earlier in the year. The Western Electricity Coordinating Council and Peak Reliability, WECC’s successor as the reliability coordinator for most of the Western Interconnection, was penalized $16 million. Peak had recently passed a NERC certification, which is essentially an audit of an entity’s readiness and capabilities. No one received a get-out-of-jail-free card.

Entities have regarded a good audit report as proof that they have a good compliance program. In fact, your audit report may be worthless. Regional Entities perform audits and send a report to NERC. Often these regional auditors are folks with whom you either worked or see so often you become friends. Many potential violations are often reduced to recommendations or suggestions resulting in a clean audit report. After all, I know “Fred” or “Sue,” and they will clean up these little nits.

What is overlooked or simply not understood is that if there is an event involving your company, an anonymous complaint filed against you or a spot check is performed that results in an investigation, your friends — oops, I meant regional auditors — will not be able to help you. NERC and FERC will step in and kick the regions out faster than a drunk uncle at the family Christmas gathering. NERC and FERC will go through your company with a fine-tooth comb, reviewing compliance documents, listening to voice recordings, conducting interviews and getting staff on the record. They will leave no stone unturned.

Not to mention, NERC and FERC have a higher standard than the regions. I know because I was a senior investigator at NERC and was responsible for conducting the above-mentioned duties, which resulted in millions of dollars in fines and penalties for entities. And remember, you do not have to be the utility that caused the event. Imperial Irrigation District (IID) was penalized $12 million even though they did not initiate the event. This is why I stress to my clients that I am not just preparing them for an audit, but also closing any compliance gaps in case there is a reason for NERC or FERC to come snooping around.

Leadership at utility companies must ask themselves if they are comfortable having a “check the box” compliance program, which meets the letter of the law, or a robust compliance program that meets the spirit of the law and would withstand the rigors of audits and investigations alike. Organizations owe it to their stakeholders to have a robust risk management program that will greatly limit its liability. If internal controls evaluations, mock audits and compliance assessments are not a part of the risk management strategy, I question leadership’s commitment to be the best it can be. There will be another event that will lead to another investigation, and stiff fines and penalties will be handed out. In the words of Bruno Mars, “Don’t believe me just watch.”

“But we passed our audit!” will not help the utilities involved. So, let me ask, has your company conducted an internal controls evaluation, compliance assessment or mock audit lately? And remember, I hate the sound of nails raking across a blackboard.

Terry Brinker, who has 23 years of experience leading, facilitating and implementing improvements in power plant operations, control room operations, compliance and regulatory matters, is the president of Reliable Energy Advisors. Terry previously served in leadership roles during a five-year stint at NERC, where he served as senior manager of standards information and personnel certification, manager of registration services, and senior event investigator.

Commentary

Leave a Reply

Your email address will not be published. Required fields are marked *