Regulatory Compliance

GAP ANALYSIS / EVIDENCE REVIEW

CIP Corps can conduct program reviews and provide you and your organization with a comprehensive gap analysis with discrete action items to close compliance gaps. Additionally, CIP Corps will provide a list of Good Utility Practices (GUP) and cyber security recommendations in line with industry standards such as Cyber Security Framework for Critical Infrastructure or SP800-53, and physical security standards in line with ASIS recommended practices.

Our senior consultants have years of experience as auditors and leads in compliance programs, technical implementors and regulators, which gives them a unique insight into compliance program oversight and gap analysis.

CIP Corps often performs these reviews in conjunction with a mock audit; however, based on an entity’s unique needs and characteristics, a gap analysis can be done ad hoc. The comprehensive report will provide your organization with a detailed roadmap to improve reliability, compliance and security posture. CIP Corps has custom questionnaires, data requests and compliance evaluation tools that we use to evaluate your compliance program against each applicable standard requirement and part.

MOCK AUDITS AND AUDIT PREPARATION

A mock audit can help your organization prepare for an audit with realistic audit-based processes and interviews. CIP Corps can leverage these techniques to expose gaps and weaknesses within your processes and provide opportunities to strengthen and reinforce your compliance posture, ensuring your audit readiness. CIP Corps can do this as part of a compliance review, gap analysis, or as a standalone exercise designed to simulate the rigors of an audit and gauge overall preparedness leading into a compliance oversight event.

Some of the hallmarks of this approach, which simulates a real audit, are:

  • Notices of Audit

  • Data requests

  • Interviews

  • Completed RSAWs, similar to what a regional entity would do to assess compliance

  • Timeframes realistic to what an actual audit would entail

Part of this process includes a detailed debrief and scoring of how the entity performed in the mock audit, including areas for improving the audit process, interviews, and responses to data requests. CIP Corps will also discuss audit findings and highlight compliance gaps that should be closed prior to an oversight activity by regulators.

NERC REGISTRATION SUPPORT

CIP Corps can help your organization with registration and help you navigate the complex roles of determining responsibility for compliance with NERC Reliability Standards. Timely and accurate registration can avoid many of the headaches and potential pitfalls associated with incorrect registration. Let our team of experienced consultants help, whether the registration is planned or the Regulators have determined your entity needs to register for additional functions. We can provide gap analysis based on the current standards, provide roadmaps to full compliance, and help with self-certification. Most importantly, our team has been involved with registration issues for many years and can help negotiate on your behalf in terms of registration time frames and registered functions.

COMPLIANCE PROGRAM MANAGEMENT

CIP Corps promotes and offers a number of different services in order to manage and mitigate compliance risk:

  • Developing a Strong Internal Controls Program

  • Evidence Retention and Management

  • Timely and periodic Program Review

  • Executive Reporting

  • Culture of Compliance activities

  • Cyber Security Awareness

  • Physical Security Awareness

INTERNAL CONTROLS

CIP Corps understands that the key to avoiding compliance violations is a strong internal controls program. As the Regional Entities, NERC and FERC increase scrutiny of internal compliance programs during Compliance Enforcement Actions (e.g., Audits, Spot Checks, Investigations), a strong internal controls program is vital to reducing audit scope, increasing positive outcomes from oversight activities and reducing violations should they occur. CIP Corps can help with:

  • Program creation

  • Implementation

  • Documenting evidence

  • Customizing controls to your environment

  • Closing the monitoring gap and providing periodic monitoring of controls

  • Providing customized executive reports

  • Current program gap analysis services

  • Training for SMEs and Executives

EVIDENCE MANAGEMENT

Evidence retention and cataloguing are a critical component of compliance, and CIP Corps can help your organization implement a Commercial-Off-the-Shelf (COTS) solution to support evidence retention, or we can bring in our experts who will help implement a customized solution tailored to your organization.

Whatever your GRC needs are, CIP Corps can help you meet them, ensuring your compliance efforts are documented and you have the right evidence at the right time.

COMPLIANCE PROGRAM DEVELOPMENT AND TRAINING

CIP Corps can create and implement a full internal compliance program for Registered Entities. We can provide a turnkey, templatized solution, or provide custom, entity-driven Policies, Process, and Procedure documents. Our turnkey solutions can be easily adapted and customized to your organization’s parameters. Our templates include all of the elements that are required by Reliability Standard Audit Worksheets. When developing a compliance program for a Registered Entity, CIP Corps ensures the Policies, Processes, and Procedures align with existing business practices. It’s our goal to ensure we build a program that adapts to current business practices, and not the other way around.