Empowering business agility
Strengthening Internal Audit's impact and value


Findings from the eighth annual survey of chief audit executives in power and utilities
January 2014
www.pwc.com

How utility IA organizations plan to bolster their relevance and response to risks

Authors: Alan Conkle, Jim Hanlon, Andy Dahle, Amanda Herron, Jake Stricker

Utilities are navigating dramatic and pronounced change. Demand management, smart grids, big data, shifting regulatory needs and growing capital investments are forcing utilities to change how they manage their businesses. At the same time, the growth of distributed generation, new sources of fossil fuel and the advent of shale gas and tight oil supplies are changing the industry's economics and demanding new strategies.

Utility company internal audit (IA) groups are pivotal to their company's ability to navigate the risks inherent in these pervasive changes. However, PwC's eighth annual survey of Power and Utilities Chief Audit Executives (CAEs) found that IA groups are facing significant challenges in maintaining a central role. For example, respondents fear their groups won't have the required skills to keep pace with a growing portfolio of capital projects, increasing regulatory complexity, and new technologies. In addition, CAEs feel there is an opportunity to achieve closer alignment with the expectations of their stakeholders, from the critical risks that should be IA's focus to advanced technologies that strengthen IA's efficiency and efficacy.

In this year's survey, PwC delved into the challenges internal audit groups are grappling with and how they are charting a path to more vital corporate relevance: specifically, focusing on critical risks, stakeholder expectations, and new technology demands. To surmount these challenges, internal audit groups are embarking on fundamental changes to how they conduct their business. In this review of our research findings, we look at how:

Risks are outpacing capabilities

The increasing velocity and frequency of risks is a chief concern for IA. As a result, focusing on the critical risks their companies face is the number one improvement goal during the next 1-3 years.

Technology risks are at the forefront of respondent concerns, demonstrated by the use of and growing demand for IT auditors. In 2012, 17 percent of respondents to PwC's CAE survey reported that IT auditors made up 21 to 30 percent of their department's total resources. In 2013, the percentage almost doubled to 31 percent. The leap comes in response to mounting technology-related risks, especially cyber security and large-scale system implementations.

Figure: Top ten risk areas ranked by respondents (each risk is plotted by impact, from marginal to critical, against likelihood, from rare to almost certain)

Key risks:
1. IT and cyber security
2. Construction/major capital projects
3. Environmental regulatory changes
4. Emerging technology
5. Rate making and recovery
6. NERC CIP compliance
7. Major system implementations and upgrades
8. Operational compliance (electric and gas)
9. Safety
10. T&D asset management and maintenance

Cyber security

In this year's survey, respondents ranked IT and cyber security as the highest risk overall. The facts are sobering. For example, the average cost of a successful cyber-attack in the U.S. was $11.6 million in 2013, up from $8.9 million the year before, according to the Ponemon Institute's 2013 Cost of Cyber Crime Study [1]. Hacktivists account for 58 percent of stolen data, more than twice as much as is stolen by criminals [2]. On average, attackers lurk on their victim's network for more than a year before being detected [3].

Our survey also found that IA is heavily involved in security audits: 84 percent of respondents say their department has covered information privacy and protection; 72 percent have focused on identity and access management; and 69 percent have addressed threat, intelligence and vulnerability management.

The 2014 Global State of Information Security Survey, conducted by PwC, CIO Magazine, and CSO Magazine, which included 143 respondents from the power and utilities industry, found that most respondents have implemented blocking and tackling measures such as application firewalls, web content filters, malware/virus protection software and secure remote access [4]. However, there are opportunities for IA to assist in program governance, implementing more advanced tools, and improving their capabilities to identify, protect, respond and recover from a cyber security event.

References
[1] Ponemon Institute, 2013 Cost of Cyber Crime Study
[2] Verizon Data Breach Investigations Report 2012
[3] Mandiant M-Trends Report 2012
[4] PwC, Power & Utilities: Key findings from The Global State of Information Security Survey 2014, September 2013

Figure: Security areas covered by Internal Audit
Information privacy and protection 84%
Identity and access management 72%
Threat, intelligence and vulnerability management 69%
Incident and crisis management 63%
Risk and compliance management 63%
Security architecture 53%
Strategy, governance and management 47%
Training and awareness 31%

Current state: Penetration testing

IA can play a more active role in helping to build the organization's cyber defense capabilities by evaluating the current security stance. Many internal audit groups conduct penetration testing, or evaluate the results of IT's own penetration tests. Performed by experienced professionals, penetration testing helps to identify weaknesses that hackers and other threats can try to exploit, and can help IT to prioritize remediation tactics based on risk. Penetration testing also provides evidence of any exploitation, which can be a powerful demonstration tool for raising awareness of security threats.

The next step: Developing a model for evaluating security program governance

Leading IA functions are going beyond penetration testing by also evaluating the effectiveness of security program governance. Strong security practices should be grounded in documented policies and procedures, and metrics should chart the progress of information security initiatives. Security measures should also include formal organizational security risk management programs that define how the utility will respond if and when it detects a security event (e.g., a security breach).

To evaluate security program governance, IA groups can utilize a security capability maturity model to measure how security processes are defined, documented, operated, and monitored. Such a model will help the company understand how much value the organization is achieving from its security investments and, over time, how the organization is responding to changes in the security landscape. Socializing and agreeing on expectations for security capability maturity is a critical first step in developing a model that is tailored to the organization and its goals, and nurtures collaboration between IA and IT.

Figure: Industry/business initiatives shaping current and future year IT audit plans
New system implementations 90%
Mobility/mobile applications 77%
NERC-CIP regulations 71%
Business continuity management 68%
Infrastructure changes 64%
Identity (user access) management tool implementation 55%
Outsourcing (IT applications or data center) 55%
Work management processes 48%
Note: Other responses included ERM implementation (39%), AMI (39%), outsourcing IT activities (35%), energy optimization programs (19%), alternative energy investments (19%), carbon reporting (6%) and nuclear plant development (3%).

System implementations

The volume of system implementations is increasing and the push from start to completion is increasingly aggressive: nearly 60 percent of 2013 CAE survey respondents say the volume of system implementations has grown over the past 12 months, and practically all (90 percent) agree that new system implementations are shaping their current and future audit plans. Since the cost of making system changes increases as a project's go-live date approaches, some internal audit groups are getting involved at the project initiation phase. By entering the process at the system selection and design stages, internal audit can verify that control considerations are addressed early. Trying to change a system or a business process at the end can be difficult, costly and sometimes impractical or even impossible.

Business and regulatory risks

Although technology-related risks top respondents' concerns, several business and compliance risks are also on the radar, especially given the aging workforce and the increasing frequency of rate cases and capital projects.

Workforce challenges

According to our survey, 41 percent of critical leadership positions and skillsets across the utilities surveyed will become vacant during the next five years as Baby Boomers reach retirement age. However, 72 percent of respondents say that the aging workforce has not changed their IA department's focus. Organizations will be confronted with growing leadership, knowledge and expertise gaps at the same time that competition for specialized technical and managerial skills intensifies.

To support their companies, several IA groups are moving to the forefront of the workforce challenge. For example, in addition to supporting the effectiveness of succession plans, IA groups are conducting more robust workforce analysis and planning. Big data is also playing a major role. By combining an organization's performance, survey and workforce data with public and other private information, companies can glean insights, predict future trends and mitigate workforce challenges.

Figure: Documentation of rate case processes and controls
Yes, for most jurisdictions and filings 36%
Yes, for some jurisdictions and filings 43%
No, they are not documented 21%

Figure: Involvement of Internal Audit in respondent's rate case filings
Highly involved 2%
Somewhat involved 48%
Not involved at all 48%
Note: Answers include only those for whom rate cases are applicable.

Rate making and recovery

Rate making and recovery are another area of considerable concern for utilities. Rate case frequency is growing after years of inactivity and rate freezes. In addition, increasing capital projects and IT investments are creating heavier funding needs. However, the number of professionals in a utility who have rate case experience is rapidly decreasing as many of these professionals retire. In PwC's recent Rate Making Survey, only 33 percent of respondents say they were satisfied with the rate filing data in their systems. Eighty percent say that their rate case process could be improved and 70 percent have seen issues arise in rate case filings that resulted in additional work. Despite the high stakes, only 2 percent of IA respondents in this year's CAE survey say their group is highly involved in rate case filings. IA has a prime opportunity to improve results, build regulator trust in the data and confirm that costs are appropriately included in rate filings.

Business continuity

As a result of mounting storm costs and the scrutiny of utility response to disasters such as Hurricane Sandy, business continuity is a major risk area. However, only 56 percent of survey respondents say that their organization has fully implemented a business continuity plan. In addition, only 38 percent report that their companies have performed a business impact analysis (BIA) for all business departments. The cost of conducting a BIA for every business process and system of a company would be significant, if not prohibitive. As a result, some IA groups are working with the business and its IT organization to prioritize which systems and operations must have back-up support in the event of failure.

Figure: Plans including formal staff rotations or co-sourced auditors (share of the audit plan delivered by co-sourced auditors, formal staff rotation and guest auditors, in the bands 0%, >0-10%, >10-20% and >20%)

Capital projects planning

Almost every respondent (97 percent) says that their organization has significant ongoing or planned capital projects. Transmission systems are aging and utilities are trying to add alternative energy sources to the grid. As environmental concerns increase on the part of government and society, utilities are converting coal-fired plants to gas or installing scrubbers to reduce dangerous emissions. More than 70 percent of respondents say that some of these projects will be subject to regulatory reasonableness reviews. Seventy percent say IA assists or advises the business on project governance, risk management and/or project controls related to capital projects planning.

Increasing efficacy and efficiency

The number and velocity of risks is growing faster than many IA departments' ability to address them: only 16 percent of respondents feel that their departments have the needed skills to address current and emerging risks. In addition, many IA groups feel that it may not be feasible to develop the needed skills to address all the critical risks their companies face. To fill capability gaps, 74 percent of respondents are turning to co-sourced auditors and 43 percent have implemented guest auditor programs.

Meeting the skillset challenge

To make the soundest talent sourcing decisions, leading IA organizations are turning to formalized personnel plans: assessing risk areas in conjunction with existing staff skillsets to identify shorter-term and longer-term needs, and determining whether strategic hiring, guest programs, or co-sourcing would be the most effective way to fill a skills gap.

The power of analytics

Analytics is a force multiplier. It empowers auditors to audit more extensively with fewer hours which, in turn, provides opportunities to develop new skills and direct existing resources to the most pressing concerns.

Figure: Areas where respondents use continuous auditing the most
Employee expense and procurement cards 72%
AP, disbursements, POs, purchasing, other expenses 72%
Journal entry testing 40%
Fraud audits 40%
Supply chain and inventory 36%
Payroll, overtime, time reporting 20%
Operations analytics 20%
Financial statement analytics 20%
Note: Lower ranking responses include construction fraud monitoring (12%), validation of monthly close process (12%), treasury and cash management compliance (8%), energy procurement and trading (4%), customer care (including call centers and billing) (4%).

Indicative of analytics' growing importance, our survey found that the use of continuous auditing is on a steep upward trajectory. In 2012, for example, only 31 percent of respondents said continuous auditing was very important. This year, the number has increased to 57 percent.

To develop a data analytics function, there are several keys to success. Building a business case to obtain buy-in from senior management is critical. Understanding and leveraging tools and analytics already embedded within the company's systems eliminates duplicate efforts. Data analytics functions that fail often try to boil the ocean, with several analytical projects commencing at the onset of the program; starting with a pilot approach to prove a return on investment can instead lay the groundwork for a successful program. Having the right resources with deep data analytics experience is also crucial at the onset of the program; sending inexperienced auditors to data analytics training and expecting immediate results can be a recipe for disaster. Pairing extensive data analytics knowledge with IA personnel who have a deep understanding of business processes has proven to drive value while spreading technical capabilities.
Finally, sharing technology with the business and teaching the business how to self-monitor can improve business performance while allowing IA personnel to focus on more strategic concerns.

Thinking like stakeholders

Creating stronger alignment with stakeholder expectations is another top priority for IA groups over the next 12-36 months. To develop and gain a deeper understanding of their company's strategy, IA should anchor its planning process in a thorough knowledge of the company's growth, cost-reduction, and compliance objectives. Leading internal audit departments stress the importance of having a seat at the table. This includes attendance at key strategy and planning meetings, governance and risk management discussions, and other executive sessions. With this seat, internal audit gains a real-time understanding of the organization's objectives and the risks to achieving those objectives, and can proactively help the utility improve the most critical processes for managing those risks. A dynamic and collaborative relationship with executive management not only improves internal audit's understanding of and alignment to key risks; key stakeholders can also see the value of internal audit when it is focusing on areas of greatest concern.

Making sure risk prioritization views are in sync with other key stakeholders is another way to improve alignment. Too often risks are prioritized and reported differently by other groups to senior management and the Audit Committee. Combined risk assurance maps can be a valuable tool to support collaboration. These maps document the critical risks a company faces and what level of assurance is provided by each of the three lines of defense: management, functional oversight and internal audit. Yet only 49 percent of respondents say their companies develop combined risk assurance maps, and this number is unchanged from the 2012 survey results.

Figure: Internal Audit is evaluated by the following quantitative and qualitative metrics
Quantitative metrics:
Number of audits completed vs. planned 82%
Budget-to-actual cost of the IA department 53%
Budget-to-actual hours spent on audits 47%
Multiple factors (balanced scorecard) 41%
Average training hours for IA staff 35%
Time to issue reports 34%
Qualitative metrics:
Customer satisfaction results 76%
Performance reviews 73%
Execution on IA plan projects 51%
Talent development 35%
Positive change facilitated by IA (e.g. recommendations implemented) 16%
Note: 5% are also evaluated by other metrics, such as IA staff survey results, follow-up resolutions and number of management requests executed.

Measure and report on what matters

Although key objectives for IA are focusing on critical risks and tightening alignment with stakeholders, most IA departments do not measure themselves on progress toward those objectives. More than 80 percent of respondents report that their group is measured on the number of completed audits versus planned, while only 16 percent are measured on positive change facilitated through IA.

To establish more impactful performance metrics, leading CAEs are meeting with their Audit Committee Chair and other key stakeholders to refresh performance measures that drive continuous improvement. Once the performance measures are set, IA should report regularly on its value to senior management and the audit committee. When IA conducts audits, the business customers it works with often see the value the group provides. However, in many organizations, senior management may not be apprised of that value on an ongoing basis.

The opportunity for internal audit is profound. As the utility industry confronts rapid and dramatic change, companies face ever more daunting risks. IA can become a stronger defense against those risks and, thereby, increase its relevance and value to the enterprise. Our survey found that Chief Audit Executives are already planning their paths toward more vital relevance. IA groups are sharpening their focus on risks the enterprise faces, especially technology. They are also tackling capability gaps in their departments and turning to analytics and other technologies to fortify their efficiency and effectiveness.

About the research

The survey included participants from 42 power and utility companies. More than 55 percent of respondent companies generate 60 percent of revenues from electric utility operations. Most respondent companies have gas utility operations and non-regulated energy operations. However, only 35 percent generate more than 20 percent of revenues from these operations. Forty-four percent of respondent companies have greater than $15 billion in assets.

For more information

Alan Conkle, US Power and Utilities Risk Assurance Leader, (312) 298-4461, alan.conkle@us.pwc.com
Jim Hanlon, US Power and Utilities Internal Audit Leader, (214) 754-5007, james.r.hanlon@us.pwc.com
Andy Dahle, US Power and Utilities Partner, (312) 298-3582, andrew.j.dahle@us.pwc.com
Amanda Herron, US Power and Utilities Director, (214) 754-7579, amanda.c.herron@us.pwc.com
Jake Stricker, US Power and Utilities Director, (612) 596-6066, jake.j.stricker@us.pwc.com

www.pwc.com

2014 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers to the United States member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors. BS-14-0251