Empowering business agility Strengthening Internal Audit s impact and value

Transcription

1 Empowering business agility Strengthening Internal Audit s impact and value Findings from the eighth annual survey of chief audit executives in power and utilities January 2014

2

3 How utility IA organizations plan to bolster their relevance and response to risks Authors Alan Conkle Jim Hanlon Andy Dahle Amanda Herron Jake Stricker Utilities are navigating dramatic and pronounced change. Demand management, smart grids, big data, shifting regulatory needs and growing capital investments are forcing utilities to change how they manage their businesses. At the same time, the growth of distributed generation, new sources of fossil fuel and the advent of shale gas and tight oil supplies are changing the industry s economics and demanding new strategies. Utility company internal audit (IA) groups are pivotal to their company s ability to navigate the risks inherent in these pervasive changes. However, PwC s eighth annual survey of Power and Utilities Chief Audit Executives (CAEs) found that IA groups are facing significant challenges in maintaining a central role. For example, respondents fear their groups won t have the required skills to keep pace with a growing portfolio of capital projects, increasing regulatory complexity, and new technologies. In addition, CAEs feel there is an opportunity to achieve closer alignment with the expectations of their stakeholders from the critical risks that should be IA s focus to advanced technologies that strengthen IA s efficiency and efficacy. In this year s survey, PwC delved into the challenges internal audit groups are grappling with and how they are charting a path to more vital corporate relevance: specifically, focusing on critical risks, stakeholder expectations, and new technology demands. To surmount these challenges, internal audit groups are embarking on fundamental changes to how they conduct their business. In this review of our research findings, we look at how: Risks are outpacing capabilities The increasing velocity and frequency of risks is a chief concern for IA. As a result, focusing on the critical risks their companies face is the number one improvement goal during the next 1-3 years. Technology risks are at the forefront of respondent concerns, demonstrated by the use and growing demand for IT auditors. In 2012, 17 percent of respondents to PwC s CAE survey reported that IT auditors made up 21 to 30 percent of their department s total resources. In 2013, the percentage almost doubled to 31 percent. The leap comes in response to mounting technology related risks, especially cyber security and largescale system implementations Empowering business agility 1

4 Top ten risk areas ranked by respondents 5 Critical Severe Significant Impact Moderate Marginal 1 Likelihood 5 Rare Unlikely Possible Likely Almost certain Key risks IT and cyber security Construction/major capital projects Environmental regulatory changes Emerging technology Rate making and recovery NERC CIP compliance Major system implementations and upgrades Operational compliance (electric and gas) Safety T&D asset management and maintenance There are opportunities for IA to assist in program governance, implementing more advance tools, and improving the company s capabilities to identify, protect, respond and recover from a cyber security event. Cyber security In this year s survey, respondents ranked IT and cyber security as the highest risk overall. The facts are sobering. For example, the average cost of a successful cyber-attack in the U.S. was $11.6 million in 2013, up from $8.9 million the year before, according to the Ponemon Institute s 2013 Cost of Cyber Crime Study 1. Hacktavists account for 58 percent of stolen data more than twice as much as is stolen by criminals 2. On average, attackers lurk on their victim s network for more than a year before being detected 3. Our survey also found that IA is heavily involved in security audits 84 percent of respondents say their department has covered information privacy and protection; 72 percent have focused on identity and access management; and 69 percent have addressed threat, intelligence and vulnerability management. The 2014 Global State of Information Security Survey, conducted by PwC, CIO Magazine, and CSO Magazine, which included 143 respondents from the power and utilities industry, found that most respondents have implemented blocking and tackling measures such as application firewalls, web content filters, malware/virus protection software and secure remote access. 4 However, There are opportunities for IA to assist in program governance, implementing more advance tools, 1 Ponemon Institute 2013 Cost of Cyber Crime Study 2 Verizon Data Breach Investigation Report Mandiant MTrends Report Power & Utilities Key findings from The Global State of Information Security Survey 2014, September Strengthening Internal Audit s impact and value 2014

5 Security areas covered by Internal Audit 31% 47% 53% 63% 63% 69% 72% 84% Training and awareness Strategy, governance and management Security architecture Risk and compliance management Incident and crisis management Threat, intelligence and vulnerability management Identity and access management Information privacy and protection and improving their capabilities to identify, protect, respond and recover from a cyber security event. Current state: Penetration testing IA can play a more active role in helping to build the organization s cyber defense capabilities by evaluating the current security stance. Many internal audit groups conduct penetration testing, or evaluate the results of IT s own penetration tests. Leveraging experienced professionals, penetration testing helps to identify weaknesses which hackers and other threats can try to exploit, and can help IT to prioritize remediation tactics based on risk. Penetration testing also provides evidence of any exploitation, which can be a powerful demonstration tool for raising awareness of security threats. The next step: Developing a model for evaluating security program governance Leading IA functions are going beyond penetration testing by also evaluating the effectiveness of security program governance. Strong security practices should be grounded in documented policies and procedures, and metrics should chart the progress of information security initiatives. Security measures should also include formal organization security risk management programs that define how the utility will respond if and when it detects a security event (e.g., security breach). To evaluate security program governance, IA groups can utilize a security capability maturity model to measure how security processes are defined, documented, operated, and monitored. Such a model will help the company understand how much value the organization is achieving from their security investments, and over time, how the organization is responding to changes in the security landscape. Socializing and agreeing on expectations for security capability maturity is a critical first step in developing a model that is tailored to the organization and its goals, and nurtures collaboration between IA and IT Empowering business agility 3

6 Industry/business initiatives shaping current and future year IT audit plans New system implementations 90% Mobility/mobile applications 77% NERC-CIP regulations 71% Business continuity management 68% Infrastructure changes 64% Identity (user access) management tool implementation Outsourcing (IT applications or data center) Work management processes 48% 55% 55% Note: Other responses included ERM implementation (39%), AMI (39%), outsourcing IT activities (35%), energy optimization programs (19%) alternative energy investments (19%), carbon reporting (6%) and nuclear plant development (3%). Although technologyrelated risks top respondents concerns, several business and compliance risks are also on the radar, especially given the aging workforce and increasing frequency of rate-cases and capital projects. System implementations The volume of system implementations is increasing and the push from start to completion is increasingly aggressive nearly 60 percent of 2013 CAE survey respondents say the volume of system implementations has grown over the past 12 months and practically all 90 percent agree that new system implementations are shaping their current and future audit plans. Since the costs to make system changes increases as a project s go-live date approaches, some internal audit groups are getting involved at the project initiation phase. By entering the process at the system selection and design stages, internal audit can verify that control considerations are addressed early. Trying to change a system or a business process at the end can be difficult, costly and sometimes impractical or even impossible. Business and regulatory risks Although technology-related risks top respondents concerns, several business and compliance risks are also on the radar. Workforce challenges According to our survey, 41 percent of critical leadership positions and skillsets across the utilities surveyed will become vacant during the next five years as Baby Boomers reach retirement age. However, 72 percent of respondents say that the aging workforce has not changed their IA department s focus. Organizations will be confronted with growing leadership, knowledge and expertise gaps at the same time that competition for specialized technical and managerial skills intensifies. To support their companies, several IA groups are moving to the forefront of the workforce challenge. For example, in addition to supporting the effectiveness of succession plans, IA groups are conducting more robust workforce analysis and planning. Big data is also playing a major role. By combining an organization s performance, survey and workforce data with public and other private information, companies can glean insights, predict future trends and mitigate workforce challenges. 4 Strengthening Internal Audit s impact and value 2014

7 Documentation of rate case processes and controls Yes, for most jurisdictions and filings Involvement of Internal Audit in respondent s rate case filings Yes, for some jurisdictions and filings 36% 43% No, they are not documented 2% 48% 48% 21% Highly involved Somewhat involved Not involved at all Note: Answers include only those for whom rate cases are applicable Rate making and recovery Rate making and recovery are another source of considerable concern for utilities. Rate case frequency is growing after years of inactivity and rate freezes. In addition, increasing capital projects and IT investments are creating heavier funding needs. However, the number of professionals in a utility who have rate case experience is rapidly decreasing as many of these professionals retire. In PwC s recent Rate Making Survey, only 33 percent of respondents say they were satisfied with the rate filing data in their systems. Eighty percent say that their rate case process could be improved and 70 percent have seen issues arise in rate case filings that resulted in additional work. Despite the high stakes, only 2 percent of IA respondents in this year s CAE survey say their group is highly involved in rate case filings. IA has a prime opportunity to improve results, build regulator trust in the data and confirm that costs are appropriately included in rate filings. Business continuity As a result of mounting storm costs and the scrutiny of utility response to disasters such as Hurricane Sandy, business continuity is a major risk area. However, only 56 percent of survey respondents say that their organization has fully implemented a business continuity plan. In addition, only 38 percent report that their companies have performed a business impact analysis (BIA) for all business departments. The costs to conduct a BIA for every business process and system of a company would be significant, if not prohibitive. As a result, some IA groups are working with the business and its IT organization to prioritize which systems and operations must have back up support in the event of failure Empowering business agility 5

8 Plans including formal staff rotations or co-sourced auditors Co-sourced auditors Formal staff rotation Guest auditors 3% 3% 0% >0 10% >10 20% > 20% 11% 26% 13% 7% 30% 17% 67% 31% 59% 33% Note: Meeting the skillset challenge Capital projects planning Almost every respondent 97 percent says that their organization has significant ongoing or planned capital projects. Transmission systems are aging and utilities are trying to add alternative energy sources to the grid. As environmental concerns increase on the part of government and society, utilities are converting coal-fired plants to gas or installing scrubbers to reduce dangerous emissions. More than 70 percent of respondents say that some of these projects will be subject to regulatory reasonableness reviews. Seventy percent say IA assists or advises the business on project governance, risk management and/or project controls related to capital projects planning. Increasing efficacy and efficiency The number and velocity of risks is growing faster than many IA departments ability to address them only 16 percent of respondents feel that their departments have the needed skills to address current and emerging risks. In addition, many IA groups feel that it may not be feasible to develop the needed skills to address all critical risks their companies face. To fill capability gaps, 74 percent of respondents are turning to co-sourced auditors and 43 percent have implemented guest auditor programs. Meeting the skillset challenge To make the most sound talent sourcing decisions, leading IA organizations are turning to formalized personnel plans, and assessing risk areas in conjunction with existing staff skillsets to identify shorter-term and longer-term needs, and determining whether strategic hiring, guest programs, or sourcing to fill a skills gap would be the most effective. The power of analytics Analytics is a force multiplier. It empowers auditors to audit more extensively with fewer hours which, in turn, provides opportunities to develop new skills and direct existing resources to the most pressing concerns. 6 Strengthening Internal Audit s impact and value 2014

9 Areas where respondents use continuous auditing the most Employee expense and procurement cards 72% AP, disbursements, POs, purchasing, other expenses Journal entry testing 40% 72% Fraud audits 40% Supply chain and inventory 36% Payroll, overtime, time reporting 20% Operations analytics 20% Financial statement analytic 20% Note: Lower ranking responses include construction fraud monitoring (12%), validation of monthly close process (12%), treasury and cash management compliance (8%), energy procurement and trading (4%), customer care (including call centers and billing) (4%) Leading internal audit departments stress the importance of having a seat at the table. Indicative of analytics growing importance, our survey found that the use of continuous auditing is on a steep upward trajectory. In 2012, for example, only 31 percent of respondents said continuous auditing was very important. This year, the number has increased to 57 percent. To develop a data analytics function, there are several keys to success. Building a business case to obtain buyin from senior management is critical. Understanding and leveraging tools and analytics already embedded within the company s systems eliminates duplicate efforts. Data analytics functions that fail often try to boil the ocean with several analytical projects commencing at the onset of the program starting with a pilot approach to prove a return on investment can instead lay the groundwork for a successful program. Having the right resources with deep data analytics experience is also crucial at the onset of the program sending inexperienced auditors to data analytics training and expecting immediate results can be a recipe for disaster. Synergizing extensive data analytics knowledge with IA personnel having a deep understanding of business processes has proven to drive value while spreading technical capabilities. Finally, sharing technology with the business and teaching the business how to self-monitor can improve business performance while allowing IA personnel to focus on more strategic concerns. Thinking like stakeholders Creating stronger alignment with stakeholder expectations is another top priority for IA groups over the next months. To develop and gain a deeper understanding of their company s strategy, IA should anchor its planning process in a thorough knowledge of the company s growth, costreduction, and compliance objectives. Leading internal audit departments stress the importance of having a seat at the table. This includes attendance at key strategy and planning meetings, governance and risk management discussions, and other executive sessions. With this seat, internal audit 2014 Empowering business agility 7

10 Internal Audit is evaluated by the following quantitative and qualitative metrics 35% 41% 34% 47% 53% 82% Average training hours for IA staff Multiple factors (Balanced scorecard) Time to issue reports Budget-to-actual hours spent on audits Budget-to-actual cost of the IA department Number of audits completed vs. planned 16% 35% 51% 73% 76% Positive change facilitated by IA (e.g. recommendations implemented)* Talent development Execution on IA plan projects Performance reviews Customer satisfaction results Note: 5% are also evaluated by other IA staff survery results, follow up resolutions, number of management request executed. gains a real-time understanding of the organization s objectives and the risks to achieving those objectives, and can proactively help the utility improve the most critical processes for managing those risks. A dynamic and collaborative relationship with executive management not only works to improve internal audit s understanding and alignment to key risks, but key stakeholders can see the value of internal audit when they re focusing on areas of greatest concern. Making sure risk prioritization views are in sync with other key stakeholders is another way to improve alignment. Too often risks are prioritized and reported differently by other groups to senior management and the Audit Committee. Combined risk assurance maps can be a valuable tool to support collaboration. These maps document the critical risks a company faces and what level of assurance is provided by each of three lines of defense management, functional oversight and internal audit. Yet, only 49 percent of respondents say their companies develop combined risk assurance maps, and this number remains flat with 2012 survey results. Measure and report on what matters Although key objectives for IA are focusing on critical risks and tightening alignment with stakeholders, most IA departments do not measure themselves on progress toward those objectives. More than 80 percent of respondents report that their group is measured on the number of completed audits versus planned while only 16% are measured on positive change facilitated through IA. 8 Strengthening Internal Audit s impact and value 2014

11 To establish more impactful performance metrics, leading CAEs are meeting with their Audit Committee Chair and other key stakeholders to refresh performance measures that drive continuous improvement. Once the performance measures are set, IA should report regularly on its value to senior management and the audit committee. When IA conducts audits, the business customers it works with often see the value the group provides. However, in many organizations, senior management may not be apprised of that value on an ongoing basis. The opportunity for internal audit is profound. As the utility industry confronts rapid and dramatic change, companies face ever more daunting risks. IA can become a stronger defense against those risks and, thereby, increase its relevance and value to the enterprise. Our survey found that Chief Audit Executives are already planning their paths toward more vital relevance. IA groups are sharpening their focus on risks the enterprise faces, especially technology. They are also tackling capability gaps in their departments and turning to analytics and other technologies to fortify their efficiency and effectiveness. About the research The survey included participants from 42 power and utility companies. More than 55 percent of respondent companies generate 60 percent of revenues from electric utility operations. Most respondent companies have gas utility operations and non-regulated energy operations. However, only 35 percent generate more than 20 percent of revenues from these operations. Forty-four percent of respondent companies have greater than $15 billion in assets Empowering business agility 9

12 For more information Alan Conkle US Power and Utilities Risk Assurance Leader (312) Jim Hanlon US Power and Utilities Internal Audit Leader (214) Andy Dahle US Power and Utilities Partner (312) Amanda Herron US Power and Utilities Director (214) Jake Stricker US Power and Utilities Director (612) PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers to the United States member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors BS