Findings from the eighth annual survey of chief audit executives in power and utilities, January 2014
How Utility IA Organizations Plan to Bolster Their Relevance and Response to Risks
Utilities are navigating dramatic and pronounced change. Demand management, smart grids, big data, shifting regulatory needs and growing capital investments are forcing utilities to change how they manage their businesses. At the same time, the growth of distributed generation, new sources of fossil fuel and the advent of shale gas and tight oil supplies are changing the industry’s economics and demanding new strategies. Utility company internal audit (IA) groups are pivotal to their company’s ability to navigate the risks inherent in these pervasive changes.
However, PwC’s eighth annual survey of Power and Utilities Chief Audit Executives (CAEs) found that IA groups are facing significant challenges in maintaining a central role. For example, respondents fear their groups won’t have the required skills to keep pace with a growing portfolio of capital projects, increasing regulatory complexity and new technologies. In addition, CAEs feel there is an opportunity to achieve closer alignment with the expectations of their stakeholders—from the critical risks that should be IA’s focus to advanced technologies that strengthen IA’s efficiency and efficacy.
In this year’s survey, PwC delved into the challenges internal audit groups are grappling with and how they are charting a path to more vital corporate relevance: specifically, focusing on critical risks, stakeholder expectations and new technology demands. To surmount these challenges, internal audit groups are embarking on fundamental changes to how they conduct their business. In this review of our research findings, we look at how:
Risks are outpacing capabilities
The increasing velocity and frequency of risks is a chief concern for IA. As a result, focusing on the critical risks their companies face is the number one improvement goal during the next one to three years.
Technology risks are at the forefront of respondent concerns, demonstrated by the use and growing demand for IT auditors. In 2012, 17 percent of respondents to PwC’s CAE survey reported that IT auditors made up 21 to 30 percent of their department’s total resources. In 2013, the percentage almost doubled to 31 percent. The leap comes in response to mounting technology-related risks, especially cybersecurity and large-scale system implementations.
Top 10 Risk Areas Ranked by Respondents
- IT and cybersecurity
- Construction/major capital projects
- Environmental regulatory changes
- Emerging technology
- Rate making and recovery
- NERC CIP compliance
- Major system implementations and upgrades
- Operational compliance (electric and gas)
- T&D asset management and maintenance
In this year’s survey, respondents ranked IT and cybersecurity as the highest risk overall. The facts are sobering. For example, the average cost of a successful cyber attack in the U.S. was $11.6 million in 2013, up from $8.9 million the year before, according to the Ponemon Institute’s 2013 Cost of Cyber Crime Study [1]. “Hacktivists” account for 58 percent of stolen data—more than twice as much as is stolen by criminals [2]. On average, attackers lurk on their victim’s network for more than a year before being detected [3].
Our survey also found that IA is heavily involved in security audits—84 percent of respondents say their department has covered information privacy and protection; 72 percent have focused on identity and access management; and 69 percent have addressed threat, intelligence and vulnerability management.
The 2014 Global State of Information Security Survey, conducted by PwC, CIO Magazine and CSO Magazine, which included 143 respondents from the power and utilities industry, found that most respondents have implemented blocking and tackling measures such as application firewalls, Web content filters, malware/virus protection software and secure remote access [4]. However, there are opportunities for IA to assist in program governance, implementing more advanced tools, and improving their capabilities to identify, protect, respond and recover from a cybersecurity event.
Current State: Penetration Testing
IA can play a more active role in helping to build the organization’s cyber defense capabilities by evaluating the current security stance. Many internal audit groups conduct penetration testing or evaluate the results of IT’s own penetration tests. Leveraging experienced professionals, penetration testing helps to identify weaknesses which hackers and other threats can try to exploit and can help IT to prioritize remediation tactics based on risk. Penetration testing also provides evidence of any exploitation, which can be a powerful demonstration tool for raising awareness of security threats.
The Next Step: Developing a Model for Evaluating Security Program Governance
Leading IA functions are going beyond penetration testing by also evaluating the effectiveness of security program governance. Strong security practices should be grounded in documented policies and procedures, and metrics should chart the progress of information security initiatives. Security measures should also include formal organization security risk management programs that define how the utility will respond if and when it detects a security event (e.g., security breach).
To evaluate security program governance, IA groups can utilize a security capability maturity model to measure how security processes are defined, documented, operated and monitored. Such a model will help the company understand how much value the organization is achieving from its security investments and, over time, how the organization is responding to changes in the security landscape. Socializing and agreeing on expectations for security capability maturity is a critical first step in developing a model that is tailored to the organization and its goals and that nurtures collaboration between IA and IT.
The volume of system implementations is increasing and the push from start to completion is increasingly aggressive—nearly 60 percent of 2013 CAE survey respondents say the volume of system implementations has grown over the past 12 months and practically all (90 percent) agree that new system implementations are shaping their current and future audit plans.
Since the cost to make system changes increases as a project’s go-live date approaches, some internal audit groups are getting involved at the project initiation phase. By entering the process at the system selection and design stages, internal audit can verify that control considerations are addressed early. Trying to change a system or a business process at the end can be difficult, costly and sometimes impractical or even impossible.
Business and Regulatory Risks
Although technology-related risks top respondents’ concerns, several business and compliance risks are also on the radar.
According to our survey, 41 percent of critical leadership positions and skill sets across the utilities surveyed will become vacant during the next five years as Baby Boomers reach retirement age. However, 72 percent of respondents say that the aging workforce has not changed their IA department’s focus.
Organizations will be confronted with growing leadership, knowledge and expertise gaps at the same time that competition for specialized technical and managerial skills intensifies. To support their companies, several IA groups are moving to the forefront of the workforce challenge. For example, in addition to supporting the effectiveness of succession plans, IA groups are conducting more robust workforce analysis and planning. Big data is also playing a major role. By combining an organization’s performance, survey and workforce data with public and other private information, companies can glean insights, predict future trends and mitigate workforce challenges.
Rate Making and Recovery
Rate making and recovery are another source of considerable concern for utilities. Rate case frequency is growing after years of inactivity and rate freezes. In addition, increasing capital projects and IT investments are creating heavier funding needs. However, the number of professionals in a utility who have rate case experience is rapidly decreasing as many of these professionals retire. In PwC’s recent Rate Making Survey, only 33 percent of respondents say they were satisfied with the rate filing data in their systems. Eighty percent say that their rate case process could be improved and 70 percent have seen issues arise in rate case filings that resulted in additional work. Despite the high stakes, only 2 percent of IA respondents in this year’s CAE survey say their group is highly involved in rate case filings. IA has a prime opportunity to improve results, build regulator trust in the data and confirm that costs are appropriately included in rate filings.
As a result of mounting storm costs and the scrutiny of utility response to disasters such as Hurricane Sandy, business continuity is a major risk area. However, only 56 percent of survey respondents say that their organization has fully implemented a business continuity plan. In addition, only 38 percent report that their companies have performed a business impact analysis (BIA) for all business departments. The costs to conduct a BIA for every business process and system of a company would be significant, if not prohibitive. As a result, some IA groups are working with the business and its IT organization to prioritize which systems and operations must have back-up support in the event of failure.
Capital Projects Planning
Almost every respondent—97 percent—says that their organization has significant ongoing or planned capital projects. Transmission systems are aging and utilities are trying to add alternative energy sources to the grid. As environmental concerns increase on the part of government and society, utilities are converting coal-fired plants to gas or installing scrubbers to reduce dangerous emissions. More than 70 percent of respondents say that some of these projects will be subject to regulatory reasonableness reviews. Seventy percent say IA assists or advises the business on project governance, risk management and/or project controls related to capital projects planning.
Increasing Efficacy and Efficiency
The number and velocity of risks is growing faster than many IA departments’ ability to address them—only 16 percent of respondents feel that their departments have the needed skills to address current and emerging risks. In addition, many IA groups feel that it may not be feasible to develop the needed skills to address all critical risks their companies face. To fill capability gaps, 74 percent of respondents are turning to co-sourced auditors and 43 percent have implemented guest auditor programs.
Meeting the Skill Set Challenge
To make the most sound talent sourcing decisions, leading IA organizations are turning to formalized personnel plans, assessing risk areas in conjunction with existing staff skill sets to identify shorter-term and longer-term needs and determining whether strategic hiring, guest programs or sourcing to fill skills gaps would be the most effective.
The Power of Analytics
Analytics is a force multiplier. It empowers auditors to audit more extensively with fewer hours which, in turn, provides opportunities to develop new skills and direct existing resources to the most pressing concerns.
Indicative of analytics’ growing importance, our survey found that the use of continuous auditing is on a steep upward trajectory. In 2012, for example, only 31 percent of respondents said continuous auditing was very important. This year, the number has increased to 57 percent.
To develop a data analytics function, there are several keys to success. Building a business case to obtain buy-in from senior management is critical. Understanding and leveraging tools and analytics already embedded within the company’s systems eliminates duplicate efforts. Data analytics functions that fail often try to boil the ocean with several analytical projects commencing at the onset of the program—starting with a pilot approach to prove a return on investment can instead lay the groundwork for a successful program. Having the right resources with deep data analytics experience is also crucial at the onset of the program—sending inexperienced auditors to data analytics training and expecting immediate results can be a recipe for disaster. Synergizing extensive data analytics knowledge with IA personnel having a deep understanding of business processes has proven to drive value while spreading technical capabilities. Finally, sharing technology with the business and teaching the business how to self-monitor can improve business performance while allowing IA personnel to focus on more strategic concerns.
Thinking Like Stakeholders
Creating stronger alignment with stakeholder expectations is another top priority for IA groups over the next 12 to 36 months. To develop and gain a deeper understanding of their company’s strategy, IA should anchor its planning process in a thorough knowledge of the company’s growth, cost reduction and compliance objectives. Leading internal audit departments stress the importance of “having a seat at the table”. This includes attendance at key strategy and planning meetings, governance and risk management discussions and other executive sessions. With this seat, internal audit gains a real-time understanding of the organization’s objectives and the risks to achieving those objectives and can proactively help the utility improve the most critical processes for managing those risks. A dynamic and collaborative relationship with executive management not only works to improve internal audit’s understanding and alignment to key risks, but key stakeholders can see the value of internal audit when they’re focusing on areas of greatest concern.
Making sure risk prioritization views are in sync with other key stakeholders is another way to improve alignment. Too often risks are prioritized and reported differently by other groups to senior management and the Audit Committee. Combined risk assurance maps can be a valuable tool to support collaboration. These maps document the critical risks a company faces and what level of assurance is provided by each of three lines of defense—management, functional oversight and internal audit. Yet only 49 percent of respondents say their companies develop combined risk assurance maps, and this number remains flat with 2012 survey results.
Measure—and Report on—What Matters
Although key objectives for IA are focusing on critical risks and tightening alignment with stakeholders, most IA departments do not measure themselves on progress toward those objectives. More than 80 percent of respondents report that their group is measured on the number of completed audits versus planned while only 16 percent are measured on positive change facilitated through IA.
To establish more impactful performance metrics, leading CAEs are meeting with their Audit Committee Chair and other key stakeholders to refresh performance measures that drive continuous improvement. Once the performance measures are set, IA should report regularly on its value to senior management and the audit committee. When IA conducts audits, the business customers it works with often see the value the group provides. However, in many organizations, senior management may not be apprised of that value on an ongoing basis.
The opportunity for internal audit is profound. As the utility industry confronts rapid and dramatic change, companies face ever more daunting risks. IA can become a stronger defense against those risks and thereby increase its relevance and value to the enterprise. Our survey found that Chief Audit Executives are already planning their paths toward more vital relevance. IA groups are sharpening their focus on risks the enterprise faces, especially technology. They are also tackling capability gaps in their departments and turning to analytics and other technologies to fortify their efficiency and effectiveness.
About the Research
The survey included participants from 42 power and utility companies. More than 55 percent of respondent companies generate 60 percent of revenues from electric utility operations. Most respondent companies have gas utility operations and non-regulated energy operations. However, only 35 percent generate more than 20 percent of revenues from these operations. Forty-four percent of respondent companies have greater than $15 billion in assets.
1 Ponemon Institute 2013 Cost of Cyber Crime Study
2 Verizon Data Breach Investigation Report 2012
3 Mandiant MTrends Report 2012
4 Power & Utilities—Key findings from The Global State of Information Security Survey 2014, September 2013