Risk & Control
- Enterprise Risk Management (ERM)
- Internal Audit & Process Assurance
- Market Audit and Assurance
- Contract, Risk & Compliance (CRC)
- Capital Programme Lifecycle Review
- Continuous Control Monitoring & Automated Reconciliation
- ERP Controls & Assurance
Enterprise Risk Management has never been a hotter topic. The past few years have witnessed a number of unexpected events that have damaged, and in some cases destroyed, businesses – among them the financial markets crash, the 2010 volcanic ash cloud and the Macondo tragedy in the Gulf of Mexico. Over the next few years, the organisations that succeed will have a clear view of where they want to be in the value chain, a clear understanding of what might prevent them getting there and knowledge of how to manage this effectively; in other words, those with good risk management.
Why is it an issue?
- Many organisations in the E&R sector face some serious societal risk challenges: carbon emissions, working with local communities and the environmental impact of their business. In an increasingly globalised and connected world, managing these risks is becoming vital.
- Regulation: the sector faces ever increasing and changing regulation. Companies need to react to and manage these changes and the corresponding risks in a timely manner. An especially hot topic at the moment is the industry’s response to the UK Bribery Act.
- Existing value protection: specific assets, from a critical mine to a piece of technology, are generally critical to the operating model of E&R organisations. The risks to these assets need to be identified and managed.
We assist companies to improve their risk management in a number of ways:
- We can perform an independent assessment of existing risk practices, comparing to internationally recognised standards and leading practice to allow senior management and Boards to take assurance as to what is happening and provide a roadmap for improvement.
- We also assist companies in developing and implementing their risk management frameworks from the definition and embedding of risk appetite to identifying key risk indicators and performing deep dives into how specific risks are being managed.
- We have worked with a large number of organisations across a variety of sectors in recent years, which allows us to bring a unique perspective into what ‘good’ looks like. There is no ‘one size fits all’ solution to risk management, but Deloitte has developed an extensive set of tools and methodologies to allow us to rapidly add significant value to a company’s risk management approach.
Our Internal Audit services provide assurance to Management and the Audit Committee over the design and operation of business process and IT controls.
A robust control environment is key to any organisation; however, it is especially important for organisations that are complex, cost driven and focusing on efficiencies – all common characteristics of organisations operating in the E&R sector. Our approach to Internal Audit is to provide a specialist service that supplements core risk and control specialists with subject matter experts as required. This specialist input, together with our independence and flexible approach to different internal audit staffing models has helped us build a broad range of E&R focused internal audit expertise.
Why is it an issue?
- The breadth of specialist skills required by Internal Audit functions is increasing. In most cases it simply isn’t realistic or cost effective for an Internal Audit function to retain the specialist skills they need on a permanent basis.
- Internal Audit functions typically have no, or only ad hoc, analytic capabilities supporting the delivery of their audit plan. This means that Internal Audit cannot cost effectively carry out population-level queries on key business data sets to support higher quality audit planning and execution activities.
- Heads of Internal Audit need to deliver an Internal Audit function that is "fit for purpose", allowing clients to take objective assurance over their organisation's key risks and over its responses to the issue-driven requirements of its key stakeholders.
- We can provide Internal Audit services under flexible project, co-sourcing or outsourcing models.
- We will work with the Head of Internal Audit to develop and deliver a sustainable analytics programme either internally operated and/or externally supported.
- Our team can perform a robust and independent review of the Internal Audit function focusing on five key themes: purpose and remit, position and organisation, processes and technology, people and knowledge, performance and communication. We can provide concise and useful feedback to the Head of Internal Audit and the Audit Committee, developing realistic action plans to improve the strategic positioning and effectiveness of the Internal Audit function.
- As well as assessing that adequate controls are in place and operating effectively, we work with clients to help them understand and document their end-to-end processes highlighting the key risks relevant to the process concerned.
Prosecutors and regulators across the globe are increasingly active in enforcing competition and anti-bribery and corruption legislation. The number of enforcement actions, the size and nature of the fines and penalties and the number of jurisdictions within which enforcement actions have been brought have all increased significantly over the last few years. In December 2008 Siemens AG agreed a $1.6bn settlement with US and German officials under the Foreign Corrupt Practices Act (FCPA). In the UK, the Bribery Act has introduced new and more easily applied offences which are increasingly likely to see this trend continue.
Why is it an issue?
The E&R sector has a number of characteristics which make it susceptible to breaches, including:
- Joint ventures
- Use of sales agents
- Government contracts and relationships
- Operations in high risk, politically unstable countries
- Challenge of embedding fraud awareness across large, global organisations.
One of the most significant elements of the UK Bribery Act is that it introduces the ‘corporate offence’, which extends the reach of UK enforcement agencies beyond personal liability to enable the prosecution of commercial organisations for failing to prevent a bribe. The E&R industry is especially susceptible to this regulation, and the only defence available under the Act is for the organisation to demonstrate that it has ‘adequate procedures’ in place to prevent bribery, both by its own employees and by others acting on its behalf such as agents and third parties.
We are uniquely positioned to help clients navigate this challenging area and can support organisations by helping them consider and/or implement:
- An assessment of the nature and extent of the organisation’s risks relating to bribery.
- Support and/or advice on the implementation of a compliance programme that addresses bribery and competition legislation.
- An independent assessment of an organisation’s compliance programme if already established.
With deregulated markets, separation between production, distribution and supply, and demanding requirements imposed by regulators and governments, there is a need for independent assurance over market, settlements and system operators, the complex systems and processes that support them, and the systems and processes put in place by market participants. We are the leading provider of market and regulatory assurance services across electricity, gas and water in the UK and Ireland and can separately advise participants on relevant controls and data quality.
Why is it an issue?
- Deregulated energy and water market arrangements are complex, involving multiple parties, bespoke systems and detailed technical requirements with a significant, direct financial impact on participants. In some markets, activity performed by competitor organisations can have a direct effect on settlements volumes and charges. Furthermore, the development of environmental schemes by governments and regulators has increased the complexity, added to the processing burden and resulted in some specific financial impacts.
- Market audits are often regulator or market code requirements intended to mitigate risk of monopoly elements within otherwise open markets. Most government environmental schemes contain specific audit requirements, often EU-driven, to verify information being used as the basis of incentive payments or for environmental emissions reporting. Market and regulatory assurance is required to provide recipients of information with confidence over the integrity and accuracy of the underlying systems, processes and information compilation.
- Independent market assurance is essential where the actions of market operators, settlement administrators and data providers can have a significant impact on participants. Given their reliance on the robustness and integrity of central functions, market participants have a keen interest in seeing that the market operator has discharged its obligations in line with the relevant market code without unduly favouring particular participants or segments, and without introducing error into the settlements processes. As a result there is a need for independent assurance services to provide all participants in the market with confidence that the operator and other organisations are complying. This is especially important as the action (or lack thereof) of an individual participant can affect the position of others, potentially including those with whom it is in direct competition.
- Performance of market audits on a variety of different bases, including ISAE3000 and ISRS4400, for gas, electricity or water markets.
- Assurance engagements to assess compliance with regulation particularly under environmental and social policy schemes.
- Readiness/advisory services – helping audited entities understand what to expect from a market audit and be prepared for potential adverse findings and to reduce resource requirements. This is of particular relevance to new markets/new participants.
Ensuring that business partners deliver on their obligations can maximise revenue, protect your brand, improve operational efficiency and reduce cost. Third party relationships are prevalent and important in the value chain, but have frequently escaped validation and verification, and often third parties (outsourcers, suppliers, joint venture partners, distributors and licensees) self-report their performance. We are seeing organisations increasingly wanting to verify, as well as trust, their business partners.
Why is it an issue?
- Third parties bring risks to E&R organisations that impact on brand reputation, customer safety and experience, financial revenues and costs.
- From capital projects to distribution contracts and licensee relationships, each third party has a specific set of risks that need to be managed and governed.
- Assessing and managing contract and third party risks not only provides positive assurance but if conducted properly can be revenue generative.
- Developing an internal governance framework and assessing existing process and controls is proven to yield cost savings in the long run.
Our Contract Risk & Compliance (CRC) professionals have experience of multiple third party reviews across the sector:
- In respect of outsourcing, supply arrangements and joint ventures, we can establish whether third parties are compliant and delivering expected benefits, whilst also helping organisations understand if they are managing their own obligations effectively.
- In the distribution channel, rebates, special pricing, discounts and other complexities can lead to error and value leakage. Routine monitoring of business partners can result in improved visibility and value for both parties.
- In licensing and royalty bearing arrangements, certainty over the accuracy of reporting is crucial as brands are developed, markets explored and products are distributed. Across the spectrum of third party relationships we have the tools, experience and knowledge to deliver value.
Major capital investment projects typically require significant investment of time, money and human resources over a number of years. During the recession and credit crunch, organisations dramatically reduced their investment programmes to conserve cash; however, government organisations are now progressing significantly with infrastructure projects (for example Crossrail or the London Underground upgrade in the UK). Investors are also encouraging private companies to invest in projects to generate returns (particularly in Oil & Gas and Mining), where hundreds of billions of dollars have been committed to resource extraction projects in the last 12 months.
Why is it an issue?
Given the scale of the expenditure, complexity and duration of major capital investment projects, how can stakeholders and boards be reassured that:
- Capital is being invested wisely and that investment cases are robust
- Projects will be safely delivered to time, budget and to the required quality
Deloitte takes a holistic view of the end-to-end capital investment lifecycle to:
- Identify the key risks within the process in a structured way using our proprietary risk management tools such as the Risk Intelligence Map™ and vulnerability methodology
- Assess the effectiveness of controls and mitigating actions to address key risks
- Test the design and operational effectiveness of key controls as part of a structured approach
The strength of our service is enhanced through the use of multi-disciplinary teams with expertise in each area of the capital investment lifecycle:
- Our data analytics teams can assess sub-contractor compliance with contracts and regularly identify overpayments which can be recovered by organisations
- Our internal audit and controls specialists can reassure organisations over the design and effectiveness of operational and financial controls and can make focused recommendations for improvement, drawing on the skills of our other specialists as required.
The evolution of Continuous Controls Monitoring is the implementation of a technical solution, informed by business knowledge, that strengthens detective and monitoring controls across key processes in efficient and effective ways.
Analytic techniques allow organisations to focus on reducing costs, increasing revenue, enhancing compliance and releasing working capital by enabling interrogation of 100% of transactional data sets. Specialist tools can be used to automate elements of balance sheet reconciliations, reducing manual effort and focusing it on resolving specific exceptions and key judgement areas.
Why is it an issue?
- Information required to support full monitoring of processes and controls can sit across multiple systems with no integrated reporting available
- Development of new reports and drill-down into detail is often expensive and/or time consuming
- Typical monitoring controls, including third line of defence (i.e. Internal Audit), are limited to sampling small volumes at random from very large transactional volumes
- Manual compliance monitoring in high-risk areas is both labour and cost intensive
- The sheer volume of regular reconciliations across a global enterprise can involve a significant level of staff time and hence cost
- With high volumes of electronic flows and programmed or automated controls, a traditional manual approach may not be feasible.
We offer scalable (at global level) and flexible (multi system) solutions. Key activities include:
- Providing real time data analysis, forensic scrutiny, exceptions management and reporting capability, including detective system Segregation of Duties (SoD) information as well as system optimisation insights and detective system application controls
- Supporting multi-dimensional analysis e.g. transactions, master data, configuration, SoD and application security controls
- Implementing a ‘building block’ approach so organisational control over direction of delivery is maintained
- Flexibility in delivery allows for change of direction as business needs change
- Advisory support in the selection of appropriate tools and the subsequent implementation and configuration.
Enterprise Resource Planning (ERP) projects represent some of the largest investments that organisations make, both in terms of direct financial spend and ongoing resource commitments. Successful SAP or Oracle implementations can significantly reduce costs through efficiencies and represent an opportunity to streamline and standardise processes globally.
Measuring return on investment is a complex process. Developing sustainable mechanisms to continually assess risk, compliance and system usage, and to drive improved performance, is the key to increasing return on investment and user satisfaction.
Why is it an issue?
- Limited visibility of the risks associated with ERP applications for key business processes and limited oversight relating to the compliance of the ERP
- Due to the complexity of the system, the volume of transactions and the material nature of account balances, there is a high risk that a material misstatement of the account balances could occur
- Management and internal/external Auditors review and place reliance on appropriateness of controls embedded within the ERP. If irregularities are found, reliance on the control environment for the integrity of financial accounts is reduced, which may result in additional costs to manually substantiate the business financial accounts and low confidence in the control environment.
Our solutions cover all components of ERP including:
- Process and control design - creating efficient processes, robust control frameworks and designing strong controls, by effectively utilising system configuration and reporting controls
- Security and role design – remediating and redesigning security and roles to minimise segregation of duties (SoD), sensitive access and privileged access issues.
- Optimisation – monitoring deviation from the original business case and business needs to ensure efficient use of the ERP allowing clients to maximise the functionality of their ERP landscape
- Business change and system embedding – performing risk assessments, creating business governance, designing processes, controls and business training to ensure ERP projects are embedded and realised
- Implementation healthcheck – providing a complete picture of system upgrades and implementations throughout the project lifecycle by performing an independent, rigorous ‘top down’ and ‘bottom up’ review across the programme
- Use of third party tools (e.g. GRC/ArcSight/ACL) – identifying and quantifying audit and compliance risks and enabling clients to effectively monitor and react to business and ERP risks.