Beyond the Checklist: The Place of Internal Controls in NERC CIP Compliance Programs
By JAMES BROSNAN
NERC CIP compliance is no longer a checklist exercise. Internal controls are now how the ERO Enterprise measures whether an entity can sustain compliance over time. This post breaks down what internal controls are, the preventive, detective, and corrective types, how entities test and evidence them, and how WECC's ICDCT and the December 2025 ERO Guide put controls at the center of audit scoping.
Overview
For years, many registered entities approached NERC CIP compliance as a checklist exercise: meet the requirement, generate the evidence, survive the audit, repeat. But the compliance landscape has matured, and the Electric Reliability Organization (ERO) Enterprise has made one thing increasingly clear: internal controls are a growing focus of the future of NERC CIP, and they have a well-earned place in any registered entity's compliance program. If you've sat through a CIP audit recently, you've likely heard the question that signals this shift: "How do you ensure...?" How do you ensure access is revoked within 24 hours? How do you ensure your baselines stay current? How do you ensure patches are evaluated every 35 days? When an auditor asks "how do you ensure," they aren't asking for a copy of the standard. They're asking about your internal controls. Entities with strong, well-documented internal controls programs can answer that question with confidence, and they're better positioned not just to pass audits, but to genuinely protect the Bulk Electric System (BES). If your organization still treats internal controls as an afterthought, now is the time to give them a seat at the table.
A Background on Internal Controls
Internal controls are not a NERC invention. The concept has deep roots in corporate governance, accounting, and enterprise risk management, most famously codified in the COSO (Committee of Sponsoring Organizations of the Treadway Commission) Internal Control-Integrated Framework, first published in 1992 and updated in 2013. In the wake of financial scandals and legislation like the Sarbanes-Oxley Act, organizations across every industry learned that documented, repeatable, and verifiable processes are the backbone of trustworthy operations.
At its core, an internal control is any process, policy, procedure, or mechanism designed to provide reasonable assurance that an organization will achieve its objectives, whether those objectives relate to financial reporting, operational effectiveness, or, in the case of NERC CIP, cybersecurity and regulatory compliance. The COSO framework identifies five integrated components that make controls effective: the control environment (tone at the top), risk assessment, control activities, information and communication, and monitoring activities.
Applied to NERC CIP, internal controls answer a simple but critical question: How does your organization know, on an ongoing basis, that it is meeting its compliance obligations and managing cyber risk to BES Cyber Systems? If the honest answer is "we find out at audit time," your program has a gap.
What Are Internal Controls in the NERC CIP Context?
In the CIP world, internal controls are the mechanisms an entity puts in place to ensure that compliance activities happen correctly, completely, and on time, and that deviations are caught and corrected before they become violations or, worse, security incidents.
Consider CIP-004 personnel and access management as an example. The requirement says access must be revoked within 24 hours of a termination action. The internal controls are everything the entity builds around that requirement: an automated HR-to-access-management workflow that triggers revocation, a daily reconciliation report comparing active accounts against authorized personnel lists, a monthly management review of access changes, and an escalation procedure when a revocation fails to complete. The requirement tells you what must happen; the controls ensure it actually does.
The Different Types of Internal Controls
Internal controls are generally categorized by their function in the control lifecycle:
Preventive controls are designed to stop an error or noncompliance from occurring in the first place. Examples include role-based access provisioning workflows that require documented authorization before access is granted, change management approval gates before modifications to BES Cyber Systems, configuration baselines enforced through automated tooling, and segregation of duties so no single individual can both request and approve access.
Detective controls identify problems after they occur so they can be corrected quickly. These include periodic access reviews (such as the quarterly and 15-month reviews embedded in CIP-004), log monitoring and alerting under CIP-007, internal compliance assessments and mock audits, automated scans comparing actual configurations against approved baselines, and reconciliations between HR records and physical or electronic access lists.
Corrective controls address identified issues and prevent recurrence. Think of documented mitigation plans, root cause analysis processes, corrective action programs, and lessons-learned reviews that feed back into procedure updates and training.
Controls can also be described along another dimension: manual versus automated. Manual controls rely on human performance, such as a supervisor signing off on an access request or an analyst reviewing logs. Automated controls are executed by systems, such as a script that disables accounts upon HR termination events or a tool that blocks unauthorized ports. Automated controls tend to be more consistent and easier to evidence, while manual controls provide judgment and flexibility. Mature programs use a deliberate blend of both, and importantly, they document which controls map to which CIP requirements.
How Entities Ensure Compliance Requirements Are Being Met
A strong internal controls program is more than a stack of procedures. Leading entities typically build their programs around several key practices.
Mapping controls to requirements. Every applicable CIP requirement and part should be traceable to one or more controls. A controls matrix, identifying the control, its type, its owner, its frequency, and the evidence it produces, is the foundational artifact of any program.
Assigning clear ownership and accountability. Each control needs a named control owner responsible for its performance, and management needs visibility into control health. Tone at the top matters: when executives treat compliance as a reliability and security function rather than a paperwork burden, the whole program performs better.
Controls testing and self-monitoring. It isn't enough to design a control and assume it works. Entities need to test their controls to confirm they are operating as intended. Periodic controls testing evaluates both design effectiveness (would this control catch or prevent the issue it's meant to address?) and operating effectiveness (is the control actually being performed, correctly and on schedule?), the same distinction used in professional auditing standards such as the GAO Yellow Book (GAGAS). Testing can range from re-performing a sample of access reviews, to validating that an automated revocation workflow fires as expected, to tabletop walkthroughs with control owners. Between testing cycles, ongoing self-monitoring, including reconciliation reports, trend dashboards, control performance metrics, and internal spot checks, keeps a continuous pulse on control health so that issues surface in days rather than years. Together, controls testing and self-monitoring give an entity firsthand assurance that its compliance obligations are being met, rather than waiting for a regional engagement to find out.
Evidence generation as a byproduct, not a scramble. Well-designed controls produce their own evidence in the normal course of business, such as approval records, review sign-offs, and automated reports. When audit time arrives, the evidence already exists.
Self-reporting and correction. When a control detects a potential noncompliance, mature entities investigate, self-report where appropriate, and execute mitigation. As we've written before, self-reporting is a sign of program maturity, not weakness. The ERO Enterprise's risk-based approach rewards this behavior: entities that find, fix, and report their own issues demonstrate exactly the kind of internal control effectiveness that regulators want to see, and it is a significant factor in disposition decisions such as Compliance Exceptions and Find, Fix, Track (FFT) treatment.
Continuous improvement. Root cause analysis, lessons learned from controls testing, and program refreshes keep controls aligned with changes in the CIP standards, the entity's asset base, and the threat landscape.
The Future of Internal Controls Programs and the ERO's Growing Emphasis
Internal controls are a clear focus of the future of NERC CIP, and the ERO Enterprise, meaning NERC and the six Regional Entities, has been increasingly vocal about it. Through the Compliance Monitoring and Enforcement Program (CMEP), the ERO has moved beyond asking only "did you comply?" to also asking "how do you ensure you comply?", and that second question is answered by an entity's internal controls. Compliance monitoring engagements increasingly include an evaluation of the controls an entity has built around its CIP obligations, not just the compliance evidence those obligations produce.
This emphasis shows up in several concrete ways. The evaluation of internal controls now informs how a Regional Entity scopes and conducts compliance monitoring on a continuous basis. Under the December 2025 ERO Enterprise Guide for Internal Controls, which retired the older voluntary Internal Controls Evaluation (ICE) process, controls are assessed inside every CMEP activity rather than through a separate, periodic review. Entities that can demonstrate effective, well-documented controls give Regional Entities reason to tailor the nature, timing, and extent of monitoring, which can mean lighter-touch engagements and more targeted testing. Importantly, the new Guide no longer lets a tested control stand in for requirement testing. Controls instead shape how residual risk is judged and how the Compliance Oversight Plan is built. Entities with weak or undocumented controls invite deeper scrutiny and more traditional, detailed testing. Strong controls also matter after a potential noncompliance is identified: the presence of a control that detected the issue, and the quality of the controls environment overall, factor into how the matter is dispositioned. For a full breakdown of this shift, see our companion post, From Spot Evaluations to Continuous Oversight: NERC's New Internal Controls Model.
The direction of travel is clear: the ERO Enterprise wants entities to internalize compliance rather than outsource assurance to the audit cycle, and internal controls are the mechanism for doing exactly that. Programs, guidance documents, and regional outreach over the past several years have consistently signaled that internal controls are no longer optional window dressing. They are an increasingly important lens through which regulators evaluate an entity's compliance posture, alongside traditional compliance evidence. With the December 2025 Guide, that direction is now formalized rather than merely emerging: expect more engagement questions framed as "how do you ensure," more attention to controls documentation and testing, and more recognition for entities whose controls programs demonstrate sustained, self-correcting compliance. As the grid absorbs new technologies, including cloud services, virtualization, and increasingly interconnected OT environments, the entities best equipped to keep pace will be those whose controls provide continuous assurance between point-in-time audits.
WECC's ICDCT: The Internal Controls Data Collection Template
The Western Electricity Coordinating Council (WECC) has operationalized its emphasis on internal controls through the Internal Controls Data Collection Template, or ICDCT, an Excel-based questionnaire WECC uses to collect and analyze a registered entity's internal controls ahead of Compliance Monitoring and Enforcement Program (CMEP) monitoring activities and audits.
The ICDCT provides a standard, structured format for entities to describe the internal controls related to the NERC Reliability Standards in scope for an upcoming monitoring activity. Through the template, entities provide narrative descriptions and structured data about their controls, including how each control is designed and implemented, the roles responsible for performing it, how it is monitored, and how it mitigates the risks associated with the in-scope standards.
WECC typically sends the ICDCT to a registered entity several months before an audit, on the order of six months before commencement, with responses due about 60 days later, so that the information can be analyzed before the engagement is finalized. WECC uses the completed template to obtain a structured inventory of the entity's internal controls, evaluate how those controls mitigate identified reliability and security risks, and tailor the audit or monitoring scope, timelines, testing plans, requests for information (RFIs), and evidence requests accordingly. Completed ICDCT responses may then be referenced throughout the monitoring engagement, alongside other tools such as the O&P evidence spreadsheet and the CIP Evidence Request Tool (ERT).
The message the ICDCT sends to registered entities in the Western Interconnection is clear: your internal controls are now a formal input to how your compliance engagements are scoped and conducted. Entities preparing to complete the ICDCT should ensure their controls documentation is current, their control-to-requirement mapping is complete, control owners can clearly articulate the design, implementation, and monitoring of their controls, and evidence of control performance is readily retrievable. A blank copy of the ICDCT is publicly available on WECC's website, so entities can and should review it well before a monitoring notification ever arrives. WECC's front-loaded approach is exactly the model the December 2025 ERO Enterprise Guide now validates across all Regions.
The Bottom Line
Internal controls have a firm place in NERC CIP compliance programs. They help transform compliance from a periodic, reactive scramble into a continuous, self-correcting discipline, and they embody a simple truth that both regulators and security professionals share: an entity that knows its own state, including its assets, its access, its configurations, and its deviations, is an entity that is both compliant and secure. With the ERO Enterprise placing growing emphasis on internal controls and regions like WECC formally collecting and analyzing controls information through tools like the ICDCT, internal controls are a clear focus of the future of NERC CIP. Entities that invest in them now, not as audit preparation but as an integral component of their compliance and security programs, will be well positioned for what comes next.
The checklist still matters. But the entities that pair it with strong internal controls will be the ones best prepared for the future of NERC CIP.