Performing Governance Assessments Myrk Harkins CIA, CBM


Agenda

• Who Is Myrk Harkins?
• A little about the Southern Company
• Risk Based Auditing
• Governance Model

Myrk Harkins

• Director of Internal Auditing West
• Bachelor of Science, Civil Engineering
• Certified Internal Auditor & Certified Business Manager
• 33 Years Experience with Southern Company
  – Power Plant Construction
  – Plant Operations and Maintenance
  – 10 Years Internal Auditing

The Southern Company

• 4.3 Million Customers
• Alabama Power, Georgia Power, Mississippi Power, Gulf Power, Southern Power & Southern Link
• 42,000 MW of Generation (1 MW = 600 Homes)
• Revenue of $14.3 Billion
• Net Income of $1.6 Billion

Southern Company Internal Auditing

We are a Risk Based Audit Organization

Sample Company Enterprise Risk Management

Qualitative estimate of the potential risk’s impact on the specific function/entity.

Risk Placement Guidelines (place risk here if…):

• RED… focused management attention is required
• GREEN… current management action is sufficient
• YELLOW… on-going active monitoring by management is required

[Chart: risk placement grid; labels on the chart are Materiality of Impact ($ to $$$), Likelihood, Scope of Control and Current Level of Residual Risk]

2007 Sample Company Risk Profile

Risk – Accountability

1. Environmental legislation or regulation – Evans/Johnson
2. Exposure to fuel prices/availability – Johnson
3. Loss of constructive state regulatory environment – Operating Company CEOs
4. Nuclear – Brown
5. Catastrophic business interruption – Management Council
6. Change in federal regulatory or legislative policy – Smith/Evans
7. Execution of the financial plan – Farmer
8. Workforce issues – Management Council
9. Deterioration of corporate image – Management Council
10. Governance failure – Ratcliffe/Farmer
11. Strategy selection and implementation – Ratcliffe/Management Council

[Chart: the eleven risks above, plotted by number on a grid of Likelihood against Materiality of Impact ($ to $$$)]

2007 Sample Company Fraud Risk Profile

Fraud Risk – Accountability

1. Inappropriate Capitalization of Expenses – Evans/Taylor
2. Improper Use of Estimates and Judgments – Ballard
3. False Compliance Reporting (EPA, OSHA, FERC, etc.) – Operating Co CEOs
4. Political (Bribery of Public Officials, Illegal Contributions) – Beasley
5. Vendor Fraud (Bid Rigging, Kickbacks, etc.) – Management Council
6. Competitive Practices (Unfair Competition - Antitrust, Violation of Territorial Service Agreements, Wholesale Competition) – Smith/Evans
7. Intentional Mistreatment of Affiliate Transactions – Farmer
8. Inappropriate Executive Compensation – Management Council
9. Employee Fraud / Misappropriation of Assets – Management Council

[Chart: the nine fraud risks above, plotted by number on a grid of Likelihood against Materiality of Impact ($ to $$$)]

Audit Planning Process

[Flow diagram; elements in order: Fraud Risks; Annual Residual Risk Assessment; Executive Input; IA Staff Input; SOCO Risk Profile; Annual Audit Plan; individual Audits, each with its own Engagement Risk Assessment]

COSO: Southern Company’s Control Framework

What is Governance

Governance is composed of the key business processes utilized by representatives of an organization’s stakeholders (e.g. Shareholders (BOD), management, etc.) to optimize value by providing reasonable assurance that an entity achieves its business objectives.

SOCO ERM Program broadly defines governance as those business processes, internal controls, decision tools, oversight structures and corporate culture elements (Southern Style) that reasonably ensure achievement of the Company’s goals and objectives.

(ERM at SOCO = Our Methodology for Managing the Business)

Understanding Governance

A Simplified Approach to Governance (Company, Functional Activity, Business Unit, etc.)

• Everything Starts with Business Objectives
• Identify and Evaluate Significant Risks (Anything that could prevent achievement of business objectives)
• Business Processes (Internal Controls & Governance Processes) to Reasonably Ensure Achievement of Business Objectives
• Assurance (Monitoring Level of Achievement and Reporting)

A Simplified Approach to Governance

[Diagram: Tone at the Top above Business Objectives, Risk Assessment, Business Processes and Assurance, with Information and Communication shown along every edge of the model]

Objective Setting – “What are you trying to accomplish”

• Mission, Purpose
• Strategic Direction & Business Plan
• Goals: Strategic, Operational, Reporting, Compliance

Internal Environment – “Tone at the Top”

• Risk Appetite
• Management Commitment
• Ethics
• Competence
• Responsibilities and Accountability

Risk Assessment Process – “What is going to keep you from your goals”

• Identification
• Assessment
• Response

Business Processes

• Control Activities
  – Company Policies
  – Procedures / Guidelines
  – Internal Controls
• Information and Communication
  – Appropriate
  – Availability
  – Accurate / Complete
  – Timely

Assurance – “Monitoring”

• Ongoing Activities
  – Supervision
  – Performance Measurement & Reporting
• Assessment Processes
  – Self
  – Corp. Oversight (Internal Auditing)
  – Independent
• Reporting Deficiencies
  – Follow Up & Corrective Actions

Practical Application

• Any Audit or Consulting Project

Questions & Comments

Myrk Harkins ([email protected])
Phone – (205-257-2135)