Empowering business agility Strengthening Internal Audit’s impact and value Findings from the eighth annual survey of chief audit executives in power and utilities January 2014 www.pwc.com


Authors: Alan Conkle, Jim Hanlon, Andy Dahle, Amanda Herron, Jake Stricker

Utilities are navigating dramatic and pronounced change. Demand management, smart grids, big data, shifting regulatory needs and growing capital investments are forcing utilities to change how they manage their businesses. At the same time, the growth of distributed generation, new sources of fossil fuel and the advent of shale gas and tight oil supplies are changing the industry’s economics and demanding new strategies.

Utility company internal audit (IA) groups are pivotal to their company’s ability to navigate the risks inherent in these pervasive changes.

However, PwC’s eighth annual survey of Power and Utilities Chief Audit Executives (CAEs) found that IA groups are facing significant challenges in maintaining a central role. For example, respondents fear their groups won’t have the required skills to keep pace with a growing portfolio of capital projects, increasing regulatory complexity, and new technologies. In addition, CAEs feel there is an opportunity to achieve closer alignment with the expectations of their stakeholders—from the critical risks that should be IA’s focus to advanced technologies that strengthen IA’s efficiency and efficacy.

In this year’s survey, PwC delved into the challenges internal audit groups are grappling with and how they are charting a path to more vital corporate relevance: specifically, focusing on critical risks, stakeholder expectations, and new technology demands. To surmount these challenges, internal audit groups are embarking on fundamental changes to how they conduct their business. In this review of our research findings, we look at how:

Risks are outpacing capabilities

The increasing velocity and frequency of risks are a chief concern for IA. As a result, focusing on the critical risks their companies face is the number one improvement goal during the next 1-3 years.

Technology risks are at the forefront of respondent concerns, demonstrated by the use of and growing demand for IT auditors. In 2012, 17 percent of respondents to PwC’s CAE survey reported that IT auditors made up 21 to 30 percent of their department’s total resources. In 2013, the percentage almost doubled to 31 percent. The leap comes in response to mounting technology-related risks, especially cyber security and large-scale system implementations.

How utility IA organizations plan to bolster their relevance and response to risks


Cyber security

In this year’s survey, respondents ranked IT and cyber security as the highest risk overall. The facts are sobering. For example, the average cost of a successful cyber-attack in the U.S. was $11.6 million in 2013, up from $8.9 million the year before, according to the Ponemon Institute’s 2013 Cost of Cyber Crime Study 1. “Hacktivists” account for 58 percent of stolen data—more than twice as much as is stolen by criminals 2. On average, attackers lurk on their victim’s network for more than a year before being detected 3.

Our survey also found that IA is heavily involved in security audits—84 percent of respondents say their department has covered information privacy and protection; 72 percent have focused on identity and access management; and 69 percent have addressed threat, intelligence and vulnerability management.

The 2014 Global State of Information Security Survey, conducted by PwC, CIO Magazine, and CSO Magazine, which included 143 respondents from the power and utilities industry, found that most respondents have implemented blocking and tackling measures such as application firewalls, web content filters, malware/virus protection software and secure remote access 4. However, there are opportunities for IA to assist in program governance, implementing more advanced tools, and improving their capabilities to identify, protect, respond and recover from a cyber security event.

1 Ponemon Institute 2013 Cost of Cyber Crime Study

2 Verizon Data Breach Investigation Report 2012

3 Mandiant MTrends Report 2012

4 Power & Utilities—Key findings from The Global State of Information Security Survey 2014, September 2013

Figure: Top ten risk areas ranked by respondents (risk map plotting the key risks by Likelihood and Impact)

Impact scale: Critical, Severe, Significant, Moderate, Marginal

Likelihood scale: Rare, Unlikely, Possible, Likely, Almost certain

Key risks: IT and cyber security; Construction/major capital projects; Environmental regulatory changes; Emerging technology; Rate making and recovery; NERC CIP compliance; Major system implementations and upgrades; Operational compliance (electric and gas); Safety; T&D asset management and maintenance

Source: 2013 Power and Utilities Internal Audit CAE Survey, PwC, 2013

Current state: Penetration testing

IA can play a more active role in helping to build the organization’s cyber defense capabilities by evaluating the current security stance. Many internal audit groups conduct penetration testing, or evaluate the results of IT’s own penetration tests. Leveraging experienced professionals, penetration testing helps to identify weaknesses which hackers and other threats can try to exploit, and can help IT to prioritize remediation tactics based on risk. Penetration testing also provides evidence of any exploitation, which can be a powerful demonstration tool for raising awareness of security threats.

The next step: Developing a model for evaluating security program governance

Leading IA functions are going beyond penetration testing by also evaluating the effectiveness of security program governance. Strong security practices should be grounded in documented policies and procedures, and metrics should chart the progress of information security initiatives. Security measures should also include formal organization security risk management programs that define how the utility will respond if and when it detects a security event (e.g., security breach).

To evaluate security program governance, IA groups can utilize a security capability maturity model to measure how security processes are defined, documented, operated, and monitored. Such a model will help the company understand how much value the organization is achieving from their security investments, and over time, how the organization is responding to changes in the security landscape. Socializing and agreeing on expectations for security capability maturity is a critical first step in developing a model that is tailored to the organization and its goals, and nurtures collaboration between IA and IT.

Figure: Security areas covered by Internal Audit

Training and awareness: 31%
Strategy, governance and management: 47%
Security architecture: 53%
Risk and compliance management: 63%
Incident and crisis management: 63%
Threat, intelligence and vulnerability management: 69%
Identity and access management: 72%
Information privacy and protection: 84%

Source: 2013 Power and Utilities Internal Audit CAE Survey, PwC, 2013


System implementations

The volume of system implementations is increasing and the push from start to completion is increasingly aggressive—nearly 60 percent of 2013 CAE survey respondents say the volume of system implementations has grown over the past 12 months and practically all—90 percent—agree that new system implementations are shaping their current and future audit plans.

Since the cost to make system changes increases as a project’s go-live date approaches, some internal audit groups are getting involved at the project initiation phase. By entering the process at the system selection and design stages, internal audit can verify that control considerations are addressed early. Trying to change a system or a business process at the end can be difficult, costly and sometimes impractical or even impossible.

Business and regulatory risks

Although technology-related risks top respondents’ concerns, several business and compliance risks are also on the radar.

Workforce challenges

According to our survey, 41 percent of critical leadership positions and skillsets across the utilities surveyed will become vacant during the next five years as Baby Boomers reach retirement age. However, 72 percent of respondents say that the aging workforce has not changed their IA department’s focus.

Organizations will be confronted with growing leadership, knowledge and expertise gaps at the same time that competition for specialized technical and managerial skills intensifies. To support their companies, several IA groups are moving to the forefront of the workforce challenge. For example, in addition to supporting the effectiveness of succession plans, IA groups are conducting more robust workforce analysis and planning. Big data is also playing a major role. By combining an organization’s performance, survey and workforce data with public and other private information, companies can glean insights, predict future trends and mitigate workforce challenges.

Figure: Industry/business initiatives shaping current and future year IT audit plans

Categories: Work management processes; Outsourcing (IT applications or data center); Identity (user access) management tool implementation; Infrastructure changes; Business continuity management; NERC-CIP regulations; Mobility/mobile applications; New system implementations

Reported percentages: 90%, 77%, 71%, 68%, 64%, 55%, 55%, 48%

Note: Other responses included ERM implementation (39%), AMI (39%), outsourcing IT activities (35%), energy optimization programs (19%), alternative energy investments (19%), carbon reporting (6%) and nuclear plant development (3%).

Source: 2013 Power and Utilities Internal Audit CAE Survey, PwC, 2013

Although technology-related risks top respondents’ concerns, several business and compliance risks are also on the radar, especially given the aging workforce and increasing frequency of rate-cases and capital projects.


Rate making and recovery

Rate making and recovery are another source of considerable concern for utilities. Rate case frequency is growing after years of inactivity and rate freezes. In addition, increasing capital projects and IT investments are creating heavier funding needs. However, the number of professionals in a utility who have rate case experience is rapidly decreasing as many of these professionals retire. In PwC’s recent Rate Making Survey, only 33 percent of respondents say they were satisfied with the rate filing data in their systems. Eighty percent say that their rate case process could be improved and 70 percent have seen issues arise in rate case filings that resulted in additional work. Despite the high stakes, only 2 percent of IA respondents in this year’s CAE survey say their group is highly involved in rate case filings. IA has a prime opportunity to improve results, build regulator trust in the data and confirm that costs are appropriately included in rate filings.

Business continuity

As a result of mounting storm costs and the scrutiny of utility response to disasters such as Hurricane Sandy, business continuity is a major risk area. However, only 56 percent of survey respondents say that their organization has fully implemented a business continuity plan. In addition, only 38 percent report that their companies have performed a business impact analysis (BIA) for all business departments. The costs to conduct a BIA for every business process and system of a company would be significant, if not prohibitive. As a result, some IA groups are working with the business and its IT organization to prioritize which systems and operations must have backup support in the event of failure.

Figure: Documentation of rate case processes and controls

Response categories: Yes, for most jurisdictions and filings; Yes, for some jurisdictions and filings; No, they are not documented

Reported percentages: 43%, 21%, 36%

Figure: Involvement of Internal Audit in respondent’s rate case filings

Highly involved: 2%
Somewhat involved: 48%
Not involved at all: 48%

Note: Answers include only those for whom rate cases are applicable

Source: 2013 Power and Utilities Internal Audit CAE Survey, PwC, 2013


Capital projects planning

Almost every respondent—97 percent—says that their organization has significant ongoing or planned capital projects. Transmission systems are aging and utilities are trying to add alternative energy sources to the grid. As environmental concerns increase on the part of government and society, utilities are converting coal-fired plants to gas or installing scrubbers to reduce dangerous emissions. More than 70 percent of respondents say that some of these projects will be subject to regulatory reasonableness reviews. Seventy percent say IA assists or advises the business on project governance, risk management and/or project controls related to capital projects planning.

Increasing efficacy and efficiency

The number and velocity of risks are growing faster than many IA departments’ ability to address them—only 16 percent of respondents feel that their departments have the needed skills to address current and emerging risks.

In addition, many IA groups feel that it may not be feasible to develop the needed skills to address all critical risks their companies face. To fill capability gaps, 74 percent of respondents are turning to co-sourced auditors and 43 percent have implemented guest auditor programs.

Meeting the skillset challenge

To make the soundest talent sourcing decisions, leading IA organizations are turning to formalized personnel plans, assessing risk areas in conjunction with existing staff skillsets to identify shorter-term and longer-term needs, and determining whether strategic hiring, guest programs, or sourcing to fill a skills gap would be the most effective.

The power of analytics

Analytics is a force multiplier. It empowers auditors to audit more extensively with fewer hours which, in turn, provides opportunities to develop new skills and direct existing resources to the most pressing concerns.

Figure: Plans including formal staff rotations or co-sourced auditors (Meeting the skillset challenge)

Series: Co-sourced auditors; Formal staff rotation; Guest auditors

Ranges: 0%; >0–10%; >10–20%; >20%

Reported percentages: 26%, 67%, 59%, 31%, 7%, 17%, 13%, 3%, 3%, 33%, 30%, 11%

Source: 2013 Power and Utilities Internal Audit CAE Survey, PwC, 2013


Indicative of analytics’ growing importance, our survey found that the use of continuous auditing is on a steep upward trajectory. In 2012, for example, only 31 percent of respondents said continuous auditing was very important. This year, the number has increased to 57 percent.

To develop a data analytics function, there are several keys to success. Building a business case to obtain buy-in from senior management is critical. Understanding and leveraging tools and analytics already embedded within the company’s systems eliminates duplicate efforts. Data analytics functions that fail often try to boil the ocean with several analytical projects commencing at the onset of the program—starting with a pilot approach to prove a return on investment can instead lay the groundwork for a successful program. Having the right resources with deep data analytics experience is also crucial at the onset of the program—sending inexperienced auditors to data analytics training and expecting immediate results can be a recipe for disaster. Synergizing extensive data analytics knowledge with IA personnel having a deep understanding of business processes has proven to drive value while spreading technical capabilities. Finally, sharing technology with the business and teaching the business how to self-monitor can improve business performance while allowing IA personnel to focus on more strategic concerns.

Figure: Areas where respondents use continuous auditing the most

Categories: Financial statement analytic; Operations analytics; Payroll, overtime, time reporting; Supply chain and inventory; Fraud audits; Journal entry testing; AP, disbursements, POs, purchasing, other expenses; Employee expense and procurement cards

Reported percentages: 72%, 72%, 40%, 40%, 36%, 20%, 20%, 20%

Note: Lower ranking responses include construction fraud monitoring (12%), validation of monthly close process (12%), treasury and cash management compliance (8%), energy procurement and trading (4%), customer care (including call centers and billing) (4%)

Source: 2013 Power and Utilities Internal Audit CAE Survey, PwC, 2013

Thinking like stakeholders

Creating stronger alignment with stakeholder expectations is another top priority for IA groups over the next 12-36 months. To develop and gain a deeper understanding of their company’s strategy, IA should anchor its planning process in a thorough knowledge of the company’s growth, cost-reduction, and compliance objectives. Leading internal audit departments stress the importance of “having a seat at the table”. This includes attendance at key strategy and planning meetings, governance and risk management discussions, and other executive sessions. With this seat, internal audit gains a real-time understanding of the organization’s objectives and the risks to achieving those objectives, and can proactively help the utility improve the most critical processes for managing those risks. A dynamic and collaborative relationship with executive management not only works to improve internal audit’s understanding and alignment to key risks, but key stakeholders can see the value of internal audit when they’re focusing on areas of greatest concern.

Making sure risk prioritization views are in sync with other key stakeholders is another way to improve alignment. Too often risks are prioritized and reported differently by other groups to senior management and the Audit Committee. Combined risk assurance maps can be a valuable tool to support collaboration. These maps document the critical risks a company faces and what level of assurance is provided by each of three lines of defense—management, functional oversight and internal audit. Yet, only 49 percent of respondents say their companies develop combined risk assurance maps, and this number remains flat with 2012 survey results.

Measure—and report on—what matters

Although key objectives for IA are focusing on critical risks and tightening alignment with stakeholders, most IA departments do not measure themselves on progress toward those objectives. More than 80 percent of respondents report that their group is measured on the number of completed audits versus planned while only 16% are measured on positive change facilitated through IA.

Figure: Internal Audit is evaluated by the following quantitative and qualitative metrics

Metrics: Number of audits completed vs. planned; Average training hours for IA staff; Positive change facilitated by IA (e.g. recommendations implemented)*; Multiple factors (Balanced scorecard); Talent development; Time to issue reports; Execution on IA plan projects; Budget-to-actual hours spent on audits; Performance reviews; Budget-to-actual cost of the IA department; Customer satisfaction results

Reported percentages: 82%, 35%, 16%, 35%, 41%, 51%, 34%, 73%, 47%, 76%, 53%

Note: 5% are also evaluated by “other” IA staff survey results, follow up resolutions, number of management requests executed.

Source: 2013 Power and Utilities Internal Audit CAE Survey, PwC, 2013


To establish more impactful performance metrics, leading CAEs are meeting with their Audit Committee Chair and other key stakeholders to refresh performance measures that drive continuous improvement. Once the performance measures are set, IA should report regularly on its value to senior management and the audit committee. When IA conducts audits, the business customers it works with often see the value the group provides. However, in many organizations, senior management may not be apprised of that value on an ongoing basis.

The opportunity for internal audit is profound. As the utility industry confronts rapid and dramatic change, companies face ever more daunting risks. IA can become a stronger defense against those risks and, thereby, increase its relevance and value to the enterprise. Our survey found that Chief Audit Executives are already planning their paths toward more vital relevance. IA groups are sharpening their focus on risks the enterprise faces, especially technology. They are also tackling capability gaps in their departments and turning to analytics and other technologies to fortify their efficiency and effectiveness.

About the research

The survey included participants from 42 power and utility companies. More than 55 percent of respondent companies generate 60 percent of revenues from electric utility operations. Most respondent companies have gas utility operations and non-regulated energy operations. However, only 35 percent generate more than 20 percent of revenues from these operations. Forty-four percent of respondent companies have greater than $15 billion in assets.


© 2014 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers to the United States member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors BS-14-0251

For more information

Alan Conkle, US Power and Utilities Risk Assurance Leader, (312) 298-4461

Jim Hanlon, US Power and Utilities Internal Audit Leader, (214) 754-5007

Andy Dahle, US Power and Utilities Partner, (312)

Amanda Herron, US Power and Utilities Director, (214)

Jake Stricker, US Power and Utilities Director, (612)