From Spot Evaluations to Continuous Oversight: NERC’s New Internal Controls Model
By Patrick Miller
NERC’s December 2025 ERO Enterprise Guide replaces the old Internal Controls Evaluation (ICE) model with continuous, risk-based internal control oversight embedded across the Compliance Monitoring and Enforcement Program (CMEP) and Joint Monitoring. This shift makes control design, evidence, and effectiveness a core driver of Compliance Oversight Plans (COPs), audit depth, and how the Regions measure compliance maturity.
Overview
On January 9, NERC quietly posted a document that will materially change how registered entities are monitored, assessed, and governed under the Compliance Monitoring and Enforcement Program (CMEP): the ERO Enterprise Guide for Internal Controls (December 2025).
At a surface level, the update looks procedural. In practice, it formalizes a fundamental shift in how the ERO Enterprise views compliance. Internal controls are no longer a special evaluation activity. They are now the core lens through which risk, oversight, and regulatory trust are measured.
What the New Guide Is Doing
The 2025 Guide explicitly defines how Compliance Enforcement Authorities (CEAs, i.e., the Regional Entities) will understand, assess, and rely on internal controls as part of the risk-based CMEP model. NERC states that internal controls are used to demonstrate reasonable assurance of future compliance and to inform how CEAs build and adjust Compliance Oversight Plans (COPs).
Internal controls are now evaluated continuously across all CMEP touchpoints, including audits, spot checks, self-certifications, and Joint Monitoring Activities. They are no longer something that is reviewed in isolation or on a special schedule. This moves CMEP away from snapshot audits and toward persistent, risk-based oversight.
The ICE Model Is Gone
One of the most consequential changes is what was removed. The 2017 Guide was structured around the Internal Controls Evaluation (ICE) process. ICE was a voluntary, periodic activity that allowed entities to demonstrate control maturity and potentially reduce audit scope. It created a separation between compliance testing and control testing.
The 2025 revision eliminates ICE entirely. All references to ICE and the ICE process were removed.
Internal controls are now evaluated inside every CMEP activity rather than through a standalone ICE program or one-time control review. There is no longer a special off-ramp where an entity can demonstrate maturity once and then rely on that result. Control effectiveness is now always in play.
From Key Controls to Risk Governance
The 2017 Guide included detailed guidance on Key Internal Controls. Appendix A walked CEAs and entities through how to identify failure points, map controls to those failure points, and in some cases test a single key control instead of dozens of individual requirements. That entire framework has been removed.
The 2025 Guide no longer instructs CEAs to substitute controls for requirement testing. Instead, it tells CEAs to use internal controls to understand residual risk, sustainability, and governance quality when shaping COPs and selecting monitoring tools. This signals a shift away from compliance optimization and toward enterprise risk oversight.
What WECC’s ICDCT Reveals About Where CMEP Is Headed
All NERC Regions evaluate internal control design and effectiveness during audits and other CMEP activities. Some Regions use early RFIs to gather control information in advance of fieldwork. Others distribute pre-audit surveys that ask about global or entity-wide controls.
What distinguishes WECC is not that it evaluates internal controls, but when and how it does so.
WECC asks registered entities to submit a structured internal control inventory well in advance of audit scoping through its Internal Controls Data Collection Template (ICDCT). That allows controls to shape audit scope, testing strategy, and the Compliance Oversight Plan from the beginning, rather than being reconstructed later through interviews, narratives, or ad hoc requests.
The December 2025 ERO Enterprise Guide effectively validates this front-loaded approach by requiring CEAs to understand, assess, and update internal controls continuously and to use them to drive COPs and CMEP tool selection. Whether a Region uses ICDCT, early RFIs, or control surveys, the outcome is now the same: controls must be captured early enough to influence risk-based oversight rather than simply reviewed after the fact.
How Controls Are Now Evaluated
Under the new Guide, CEAs formally evaluate internal controls using professional auditing standards, including GAGAS (Generally Accepted Government Auditing Standards). Controls are assessed across three dimensions:
Design: Does the control logically address the risk?
Implementation: Is it operating as designed?
Effectiveness: Is it actually reducing risk?
The Guide explicitly states that narrative descriptions are not enough. Controls must produce evidence. Live re-performance, system outputs, audit trails, and operational data are now the basis for determining whether a control is effective.
This aligns CMEP with how modern audit, cyber, and operational risk functions operate in other critical infrastructure sectors (and with common practice generally).
Global vs Operational Controls
The new Guide also formalizes a two-tier control model:
Global or Entity-Wide Controls: These include risk management programs, governance structures, compliance tracking systems, and executive oversight. They demonstrate whether the organization manages risk in a structured and repeatable way.
Operational Controls: These are the controls embedded in specific processes like CIP change management, access reviews, patching, incident response, and operational procedures.
CEAs are instructed to evaluate both layers together when determining whether an entity can sustain compliance over time.
Controls Now Drive COPs
Perhaps the most important operational change is that internal controls now directly influence:
Which CMEP tools are used
How often you are monitored
How deep testing goes
Where enforcement risk concentrates
CEAs are explicitly allowed to change the nature, timing, and extent of compliance monitoring based on their understanding of an entity’s internal controls. In other words, internal controls are now a regulatory trust score.
Why This Matters for Registered Entities
Under the old ICE model, internal controls were something you prepared for and presented. Under the new model, they are something you live inside every day.
Utilities that have:
Integrated compliance tooling
Automated evidence
Risk-driven governance
Real-time operational controls
…will see less friction, fewer deep dives, and more tailored oversight.
Utilities that still rely on:
Manual tracking
Static spreadsheets
After-the-fact evidence
Audit-only preparation
…will find themselves under tighter and more frequent scrutiny, even if they are not technically noncompliant.
Bottom Line
The ERO Enterprise Guide for Internal Controls (December 2025) is not a minor update. It is the final step in moving CMEP from periodic audits to continuous, risk-driven regulatory supervision. Regions that already capture controls early through mechanisms like ICDCT, pre-audit RFIs, or control surveys are already operating in the model NERC just made permanent.
Internal controls are no longer a side program. They are how the ERO Enterprise decides how much it trusts you to run a safe, reliable, and secure grid. That is the new compliance reality.