RISK ADVISORY SERVICES. HYDRO UTILITIES Overview of Internal Audit & Control Services: 2014 Credentials

Transcription

1 RISK ADVISORY SERVICES HYDRO UTILITIES Overview of Internal Audit & Control Services: 2014 Credentials

2 THE INCREASED IMPORTANCE OF INTERNAL CONTROLS FOR HYDRO UTILITIES TO MEET THE OBJECTIVES OF FINANCIAL REPORTING AND CORPORATE GOVERNANCE ARE INDICATIVE OF THE EXPECTATIONS CORPORATE BOARDS AND REGULATORS NOW HAVE. ESPECIALLY IN REGARDS TO THE SYSTEM OF CHECKS AND BALANCES NEEDED TO ENSURE OBJECTIVES ARE ACHIEVED WHILE MAINTAINING OPERATIONAL AND FINANCIAL INTEGRITY. An Internal Audit (IA) function can be an important part of a company s management control structure for good governance. IA functions try to strike a balanced approach between new regulatory risks and a traditional focus on the business of operational auditing while leveraging relationships and experiences to mitigate risks, improve controls, and add value across the organization. Striking the right balance requires an evaluation and determination of the IA function s mission or objectives. As a strategic partner, BDO can be your valued advisor in providing skilled professionals to assist your company in establishing and enhancing the existing IA function or acting as your independent IA function. INTERNAL AUDIT AT WORK Published in Corporate Risk Canada, Vol. 2, No.2, April 2013 Benefits to an internal audit function: The importance of developing an independent review of risk management practices Historically, the establishment of an internal audit (IA) function was perceived as costly and not necessarily understood as adding value to the daily activities of an organization. Consequently, it was labelled by many as a cost centre. Most organizations today face new and emerging concerns about corporate governance leading to intense internal and external scrutiny. As a result, a reactive approach to internal audits is no longer acceptable. Contrary to what some still believe about an IA function, the purpose of its activity is to improve an organization s operations. Many previously saw an IA function simply as a method to assist management with alternate mechanisms of implementing risk management and control systems. As defined by the Institute of Internal Auditors (IIA), internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization s operations. Therefore, the function is meant to improve the overall effectiveness of risk management and corporate governance processes. It is also meant to become increasingly involved in senior level decision-making and protecting the organization against emerging risk. An IA Function, through the collaboration and integration of the disciplines of internal audit and risk management, can effectively lead to a stronger and more efficient process of decision-making, while enhancing an organization s overall risk management capability and value. Additionally, internal auditing should be aligned to ensure that objectives support the organization s vision, mission and values. For an IA function to operate effectively, the internal audit activity must be independent and objective in nature, where the chief audit executive functionally reports to the board and administratively reports to the chief executive officer. However, the ultimate success of an IA function is not dependent on the size of the organization or internal audit department, but rather on the proficiency, knowledge and skills of the internal audit members. Broadly speaking, there are three viable options open to the establishment of an IA function for most organizations: in-house, outsourced and hybrid. With the in-house option, a company hires its own chief audit executive and complete audit team. Internal auditors can obtain a comprehensive understanding of the key risks faced by their own organization and there is a higher level of ownership of the internal audit function. With the outsourced option, efficiencies are gained in setting up and executing the internal audit function as there is limited requirement on behalf of management to interview candidates and build an internal audit team. Moreover, it allows an organization to gain access to professionals with a global outreach and who are equipped with defined methodologies and audit tools. This option also allows the company to overstep the difficulty of recruiting qualified staff, or significant investment in non-core activities (e.g. investing in team infrastructure). The hybrid option involves an organization co-sourcing the IA function. In this model, the organization retains control over the internal audit function, while being able to leverage its existing resources with those of seasoned professionals who can provide diverse and specialized skills. A pitfall to the co-sourcing model is requiring continuous coordination and management of future audit activities, while maintaining the need for adequate training and recruitment activities. In a competitive market and economy where cost, flexibility and efficiency are key drivers, organizations are outsourcing more and more functions with the objective of reducing costs and, most importantly, allowing them to focus on their core competencies. AUTHORED BY: Ziad Akkaoui, CPA, CA, CISA Senior Manager, Risk Advisory Services Stefan Piech, MES (BE) Manager, Risk Advisory Services

3 BDO internal audit methodology Our methodology is based on the world s best practices for Internal Audit services. It reflects standards established by the Institute of Internal Auditors International Professional Practices Framework, Standards for the Professional Practice of Auditing and Standards for Risk Management. Stages 1 to 3 of our methodology (depicted in the figure below) set out our approach to risk-based planning. It is designed to understand the complexities of the operating environments in which the risk-based Internal Audit function is planned and performed. Our understanding is built in consultation with key stakeholders. Supported by our own network of energy and utility sector specialists, it provides the basis for the development of a risk-based review strategy and plan. Essentially, our understanding is applied and developed throughout all phases of our iterative process. BDO internal controls optimization Our BDO approach and methodology attempts to assess the mitigation of key risks to achieve control optimization and minimize your costs of compliance including: About BDO Around the world 5 th The international BDO network is the fifth largest accounting network in the world. 135 Present in 135 countries 1, 100+ Over 1, 100 offices globally. 48, 000+ More than 48, 000 partners and staff world wide. $5.672 BILLION Total combined fee income of US $5.672bn (2011). STAKEHOLDER COLLABORATION Understand the Project QUALITY ASSURANCE Reporting Collaboration 4 Execution Risk Assessment Planning and Design CONTINUOUS COMMUNICATION 3 In Canada partners working with nearly 3, 000 staff offices across the country. 50, 000+ Over 50, 000 business clients in Canada. $425 MILLION Total combined fee income of CA $425M (2011). reduced control documentation requirements (e.g. narratives, flow diagrams, matrices) and associated change management efforts a reduction in the number of key controls reduced testing as a result of the implementation of standardized control procedures in multi-location environments reduced samples for testing as a result of an increase in the use of system-based controls and a corresponding reduction in manual controls

4 The BDO Internal Audit Continuum In recent years the Internal Audit function has taken a more dynamic or value added approach and now provides consulting on the overall Risk Assessment Approach within an organization as well as providing assistance with process improvement or process reengineering. The BDO Internal Audit Continuum depicts the range from the traditional compliance approach to the more dynamic value added Risk Management approach. Compliance approach Financial and regulatory compliance audits Operational auditing Review internal risk assessment process Business approach Enterprise risk approach Risk management approach Selecting an IA function for your hydro utility Broadly speaking, there are three options available to your organization. We set out below the three options of running an Internal Audit function, together with some background information on how each option could work for an organization. Also found below are the implications (benefits and draw backs) of each model. OPTION A OPTION B OPTION C A wholly in-house internal audit function Head of Internal Audit is a full time employee of the company In-house internal audit team Head of Internal Audit and internal audit team are internal staff Company builds full in-house team of generalists and subject matter specialists A co-sourced internal audit function a "partnership approach" Head of Internal Audit is a full time employee of the company Partner files resourcing and skills gaps Head of Audit is internal staff Company builds core in-house team BDO provides subject matter specialists and covers any resourcing and skill gaps A fully outsourced internal audit function Head of Internal Audit is a full time employee BDO Partner Partner provides internal auditors Head of Audit provided by BDO Relationship management and staffing provided by BDO Fully flexible model Option A Option B Option C Implication In-house Co-sourced Outsourced Leading edge internal audit Direct control over internal audit Impact upon people Flexibility of resources Access to skills Need for ongoing investment Knowledge of company Overall quality of result Positive Neutral Negative

5 BDO's Hydro Utility Internal Controls Maturity model The model below outlines the different stages of maturity that an organization s collective internal controls can achieve. Attaining of the Optimized stage is not common but is realized by organizations that continually adjust, monitor, test, assess and modify internal controls to ensure the set is the most appropriate. This level requires significant resources and effort and is normally selected as an end destination only for organizations that have deemed internal controls as a key to meeting their long term critical objectives. Most organizations target a minimum of level 3 and a goal of level 4. Understanding your organization s maturity level by key cycle, location or risk area can provide useful information on the likelihood of controls continuing to be effective and the resources required to maintain effective controls. BDO control maturity model 1. Control is ad hoc with minimal effectiveness. 2. Intuitive 3. Standardized 4. Managed 5. Optimized Control is ad hoc with minimal effectiveness. Control is in place and repeatable. Control is documented and communicated. Control is complemented by effective monitoring and measurement. Control is continuously reviewed for best practices, efficencies and organizational changes. Types of internal audits Specific to Hydro Utilities While there are multiple hot topics impacting the hydro utility industry and LDCs across Ontario, the creation of an internal audit function can help your senior management team and audit committee gain an independent and objective review of your organization s risk management processes. With the recent discussions over industry amalgamation, high targets for conservation and demand management imposed by the Ontario Energy Board ( OEB ), implementation of Smart Meters, Time-of-Use billing, and processing of meter reads through the Meter Data Management and Repository (MDM/R), LDCs face numerous challenges as it deals with resource constraints, a regulated environment and emerging issues. On some of our recent internal audit mandates, our team has addressed those emerging issues. We have summarized two examples of scope below: Conservation and Demand Management ( CDM ) reporting requirements against the Master CDM Agreement with the Ontario Power Authority ( OPA ) eligibility of program administration expenses against the Program Administration Budget ( PAB ) complete and timely reporting of each initiative to the OPA measuring results of the CDM program initiatives against the OPA implementing strategies for meeting CDM targets and developing the annual report to the OEB Credit, Billing and Collection application of the Credit & Collection policies that are developed in accordance with OEB regulations based on Customer Service Rules for Electricity effectiveness in compiling smart meter data and rolling out Time-of- Use pricing and the accuracy of billings establishing and updating billing rates in the system developing processes and systems used to store credit, data, compile billing and collection information assessing whether the existing billing system and information technology resources are adequate to meet the needs of the organization evaluating the controls over Credit, Billing & Collection to ensure proper initiation, authorization, processing and review assessing whether roles and responsibilities surrounding Credit, Billing & Collection are appropriately segregated Additionally, the items below provide a synopsis of a typical LDCs audit universe when performing the risk assessment exercise and determining the priorities of internal audits: Financial Reporting Payroll Customer Service Human Resources Regulatory Information Technology

6 Privacy & Security Operations Field Services/Line Construction Metering & Conservation Procurement Health & Safety Engineering Services CDM & Energy Services Community Energy Initiative Corporate Communications Whistleblower Policy Hydro utility and energy sector credentials Electricity sector experience BDO has a long history of working with clients in the electricity sector that includes significant organizations in the province of Ontario. Over the last few years, our services expanded beyond the audit of financial statements and tax advisory. Other advisory services that we now provide to this sector include: IFRS conversion assistance and training Internal audit outsourcing or co-sourcing Internal controls over financial reporting advisory System conversion audits Forensic and investigative services IT security audits including PCI advisory OEB Regulatory reporting and rate filing assistance PILs and HST advisory Hydro industry group: Nationally, BDO has established an internal Hydro Industry Group dedicated to the people who serve this sector. The purpose is to encourage collaboration among the firm s auditors and advisors of hydro utilities. As questions, issues, or new legislation arise, our professionals can circulate the matter for discussion by the group. This has been an extremely effective method of researching and resolving client issues such as addressing rate-regulated IFRS updates, accounting for PILs, and best practices in regulatory accounting. The group includes members of BDO Risk Advisory Services, National Audit, Tax and Assurance personnel to identify and address issues impacting our Utility clients on the move to IFRS and to develop and relay practical solutions. From a broader spectrum, BDO provides a full range of services tailored to help clients address their changing needs in key segments of the electricity sector. For decades, our more than 100 dedicated electricity sector partners and professionals have helped over 4,000 clients in Canada and many more internationally. Rate regulated industry Ever since the introduction of IFRS for rate regulated entities, BDO s RAS team has been working closely with numerous hydro utility companies to assist them with their conversion to IFRS as well as other requirements. Our broader Rate Regulated industry experience includes the following: Regulatory accounting: Presented and co-presented with the Ontario Energy Board at various conferences and industry groups on various topics impacting electricity distribution companies. Topics included IFRS conversion issues, rate filings under MIFRS, and adopting a change in useful lives of property plant and equipment in your rate filing. These sessions have allowed BDO to advocate our clients concerns and influence the OEB s subsequent rules and expectations. Internal audit: Developed the internal audit universe and executed internal audits based on IA plans approved by the Audit Committee. Specialty audits include Conservation and Demand Management (CDM), Community Energy Implementation (CEI), and Billing and Collection including Time-of-Use implementation. Accounting for fixed assets: Established methods to assist LDCs in developing individual component accounting with regards to items of PP&E to adhere with IFRS and the OEB s expectations. This included system changes or implementations and the related internal controls. Adopting IFRS: Developed a set of IFRS illustrative financial statements shared with past and present clients that were used as a guide when preparing financial statements under the new standard. This included on-line presentation of the statements and a question and answer period. Industry description Electric power transmission, control and distribution National client count 96 Water, sewage and other systems 39 Hydroelectric power generation 21 Utilities 8 Grand total 164 **Active clients as of May 27, 2014

7 CASE STUDY BDO s Risk Advisory Services team was recently engaged by a major Hydro Utility as their internal auditors for the next three years. The Internal Audit function is being added to provide this Hydro Utility (or the Company ) with an independent and objective review of their risk management activities while ensuring that the organizational objectives support and align with their vision, mission and values. For companies operating in the energy sector, the general focus is to integrate sustainable business practices into the Company s day-to-day operations as well as developing plans for sustainable energy projects (i.e. solar energy, district energy or combined heat and power) that support Ontario s Green Energy and Economy Act and the Company s Community Energy Initiative. Therefore, our engagement with the Company extended to both subsidiaries of the Company: the first one provides local electricity distribution to the City under a regulated regime by the Ontario Energy Board, while the other non-regulated company provides renewable and alternative energy to the City. BDO s mandate includes a fully outsourced Internal Audit function on the following deliverables and milestones over the fiscal years 2013 through to 2015: Develop the Internal Audit Universe (i.e., a summary of the Company s auditable entities) that will be included in the annual risk assessment and used to derive the annual audit plan. This is facilitated through meetings with functional managers across the organization to understand the unique operations of every department. Understand regulated and unregulated markets and competition. Complete a review of the Company s strategic plans and objectives to identify significant initiatives and systematic changes it has planned which will need to be reflected into a risk assessment and audit plan. Develop an Internal Audit Charter that describes mission, independence and objectivity, scope and responsibilities, authority, accountability and standards of the Internal Audit function outsourced to BDO. Based on the previously compiled audit universe, perform a risk identification and assessment exercise to identify the organization s risks and assess their likelihood and impact. This will determine the overall severity of each risk (i.e., identified risks are generally comprised of strategic, operational, regulatory or financial risks). The completed risk assessment will be the backbone to developing the strategic Internal Audit Plan which focuses on the Company s high priority risks and ensures proper risk coverage. The Company s management will review the plan, after which the BDO team will present it to the Audit Committee for approval. Execute the various audits identified in the audit plan by the development of the audit scope and objective for each auditable area and performing operational effectiveness testing. Compile audit reports that summarize the complete work program and audit findings by listing the observation, implication and recommendation for each finding. Obtain and document management responses for each finding in the final report that will be shared with the project sponsor and the applicable members of management. Document audit findings in BDO s automated Internal Audit software to facilitate the remediation of findings by assigning due dates and owners for each finding. The software triggers automated follow-up reviews with action plan owners to ensure timely and adequate remediation efforts are in place to address the risk. Report key findings with management and attend Audit Committee meetings on a periodic basis. Complete an Audit Report with supporting schedules that include additional information regarding performance and financial audits. The execution of the audits and deliverables is very time sensitive and has required BDO staff to be efficient and professional, with an ability to quickly establish relationships with each municipality to gain agreement to any proposed adjustments. To date, the service team has been able to complete all of the audits successfully, receiving positive feedback from the Company s management.

8 Carlo Mariglia, CPA, CA, CIA, CISA Partner, Risk Advisory Services Ziad Akkaoui, CPA, CA, CISA Senior Manager Stefan Piech, MES (BE) Manager, Sales, Risk Advisory Services BDO Canada LLP TD Bank Tower Wellington Street West PO Box 131 Toronto ON M5K 1H1 Tel: Fax: