Rethinking Compliance
After a decade, many power and utility executives still regard the Sarbanes-Oxley Act of 2002 (SOX) as a pure compliance exercise, causing a recurring drain on resources and personnel.
But some believe it’s time for a new way of thinking.
Chief financial officers (CFO) of power and utility companies have the opportunity to reconsider their SOX programs as an opportunity to potentially improve compliance, create operating efficiencies and trim costs. Doing so will require that CFOs automate controls and workflows, commit to continuous improvement and integrate compliance programs across the organization.
The challenge is to move from an essentially reactive risk-management mindset to a proactive approach that anticipates risks.
This rethink is possibly an ambitious agenda. U.S. power and utility companies are yoked to a heavy load of compliance requirements from state regulators, the North American Electricity Reliability Corp. (NERC), the Federal Energy Regulatory Commission (FERC), the Department of Energy, the Securities and Exchange Commission (SEC), and other regulatory agencies. With so many agencies in the mix, it’s no surprise the rules are constantly changing.
Most executives, in fact, believe that regulations will increase in the coming year. A global survey of executives and risk-management leaders conducted by PwC found that nearly 62 percent of utilities respondents rank changes in regulations and government policies as a top risk this year. (See Risk in Review, PwC, March 2012.)
Compounding these increased regulatory obligations are lingering economic uncertainties. Power and utility companies remain under tremendous pressure to do more with less—especially as projected capital spending associated with upgrading fossil and other generation plants, in addition to projected investments in new technology such as smart grid, has capital project budgets in the billions for most. Couple this with the limited ability to increase rates in this struggling economy and the pressure state commissions are feeling from ratepayers to maintain or even lower current rates.
CFOs have a lot to worry about, and might think their SOX programs are operating efficiently. Financial controls have been approved, the program is in place, and the process appears to be working. This type of thinking, however, ignores today’s continuously evolving financial risks and opportunities to address those risks more holistically and cost-effectively. For most companies, the challenge is to move from an essentially reactive risk-management mindset to a proactive approach that anticipates risks by combining the right controls and continuous monitoring with streamlined, automated compliance processes.
It’s a challenge that can pay off with compelling rewards. In helping power and utility companies update their SOX programs, a comprehensive compliance initiative can generate significant savings. Dollars don’t tell the whole story, however; SOX controls can be extended to other compliance requirements to unify and improve monitoring and reporting across the enterprise.
Three key steps can help companies get more value from their SOX programs: Expand the use of technology to automate controls and enable continuous testing; constantly monitor and improve lean processes; and integrate compliance controls across regulatory requirements.
Automating for Efficiency
Automation of controls, testing, and workflows for SOX activities can significantly ease control testing efforts while boosting reliability. Put simply, automated processes are typically more effective than manual efforts because they are executed consistently and they reduce the possibility for human error. At the same time, automated processes eliminate the cost of duplicated efforts across divisions. That’s why it’s beneficial to consolidate and streamline SOX controls before they’re automated.
A disciplined, comprehensive assessment of manual controls across the enterprise is useful to identify opportunities for automation. Possibilities include more automated processing that allows users to only follow up on exceptions outside the defined parameters. In addition, automation of workflows, such as controls and procedures for SOX Section 302 certification, can eliminate time-consuming paper chasing. Similarly, manual journal entries and reconciliations, which can be extensive in the utility industry, also can be automated. More and more, utility companies are considering automation of calculations such as unbilled revenue. Historically, this process has been dependent on manual inputs and reviews, which can take a significant amount of time at the end of the month or quarter, and bring a higher risk of error.
Automation can lay the groundwork for improved operational efficiencies by extending SOX controls to other non-financial processes. This is because companies that comprehensively examine their SOX risks are better able to identify gaps in other compliance programs. For example, utilities can improve their storm damage response capabilities by extending applicable SOX controls to their response plans.
Operational improvements also can be found by automating controls in conjunction with other IT and business process initiatives. Many utility companies have seen IT projects fall behind, run significantly over budget, and experience multiple scope changes. If those projects are considered for automation after go-live but due to the other demands on the IT organization, are never implemented, they can result in lost opportunities to optimize the process. Today, however, most vendor packages provide a significant number of configurable options that companies can use to develop a more automated control environment, allowing utilities to take advantage of the significant investments they’ve already made in their IT infrastructure.
Continuous testing and monitoring of controls is still a relatively new concept for most companies. Among power and utility companies that have implemented smart meters, automated—and very frequent—meter reads have generated a flood of customer and operational data. Data analytics tools can help utilities understand this information to find the needles in the haystack, which becomes increasingly difficult with the volume of data—typically going from one meter read a month to a meter read every 15 minutes. If designed appropriately these tools can more effectively identify possible errors and control breakdowns than the current manually intensive controls.
It’s important to note that cost savings generated by automation won’t be instant, but will more likely accrue over time. When factored across processes, departments and reporting quarters, the savings become significant—and recurring.
Lean Processes
An effective SOX program must constantly monitor and reassess controls to create a system of continuous improvement. In doing so, the SOX program ceases to be a box-checking exercise and becomes a source of re-evaluated and constantly enhanced processes. These efficiencies ultimately should pay off in lower costs.
In a lean SOX program, processes are streamlined to support the compliance function, controls are continually monitored for possible improvements, and unnecessary steps are identified and eliminated. The lean control optimization process shouldn’t only consider control optimization opportunities but also how SOX programs are organized and whether there are efficiency opportunities to reducing commonly dispersed structures into one consistent structure.
It’s important to note that investing time and effort up front will pay off over time. Relatively simple actions like continual scoping, to eliminate scope-creep and ensure that controls operate effectively and mitigate risk, should minimize costs year after year.
While power and utility companies typically assess their compliance risks annually, many really don’t benefit from this effort since most programs are on auto pilot with users just focused on doing what they did the previous year versus stepping back and taking a fresh look at the process for efficiency and better risk mitigation. In addition, most power and utility companies don’t often link their efficiency programs with the current SOX programs. Kaizen and other lean programs are designed to diagnose a process for efficiency opportunities. These activities provide a great opportunity to re-examine the controls within these processes and really challenge whether they are the right controls that would best mitigate the risk while achieving the company’s efficiency goals.
Another common shortcoming is that SOX program employees often don’t complete their tasks in a timely manner. What’s more, many SOX programs are now dispersed within the organization. A lean SOX program requires that leaders ensure that staffing and performance are aligned with program needs.
Power and utility companies that maintain a low-cost, high-value SOX program over time likely will gain an edge in being viewed as a best practice operating entity as compared to its peers. Among regulators, increased value and efficiency speaks just as loudly as reduced costs.
Integrated Compliance
Coordination of multiple compliance programs is one way to increase the value and efficiency of SOX programs. This is because the coordination of efforts among various programs enhances knowledge sharing, which can enable more intelligent and proactive insights while eliminating redundancies and cutting costs.
Companies that achieve integrated compliance typically see enhanced synergies among functions such as SOX, internal audit, enterprise risk management, and compliance. Indeed, the most successful organizations don’t simply share information or integrate functions. Rather, they gain synergies by aligning and integrating activities such as risk assessments, control monitoring and testing, reporting, and deficiency management. This level of integration requires that companies break down silos of information and technologies across the organization. This remains a significant challenge in the industry.
To begin integration of two or more compliance programs, SOX administrators should identify a single control that meets multiple compliance efforts. For many power and utility companies, the logical starting point lies in the regulatory overlaps between NERC and SOX programs. Applying SOX controls to NERC inputs and reporting can help companies better identify risks and increase confidence in data integrity. This type of integrated compliance also can improve business processes by allowing program administrators to fix broken processes that are common to multiple regulations before integrating them. Again, efficiencies should increase across programs and across the organization.
An Informed SOX Program
Power and utility companies that increase the relevancy of their SOX programs through automation, continuous improvement, and integration of compliance initiatives stand to gain more than enhanced efficiencies and cost savings. They can also better attract and retain employees who are intellectually engaged in understanding risks and controls across the enterprise.
In an integrated SOX program, team members will be required to understand critical processes and overall operational goals. For these employees, SOX compliance will no longer be a rote routine but rather a deliberative process that seeks to manage and improve processes across divisions. An updated SOX program can provide a unique training ground for developing key talent while simultaneously improving the overall compliance program.
An engaged and informed team ultimately will enable power and utility companies to better articulate how they effectively manage SOX compliance costs and add value across the organization. This is a positive message that utilities can present to state commissions, ratepayers and rating agencies to demonstrate a commitment to managing costs and providing better service.
ABOUT THE AUTHORS: Sean Riley is an assurance partner in PwC’s power and utilities practice. Alan Conkle is a partner with PwC’s power and utilities practice, and leads the U.S. power and utilities risk assurance practice.