Enterprise risk management at Southern Company

Performing Governance Assessments
Myrk Harkins CIA, CBM
Agenda
• Who Is Myrk Harkins?
• A little about the Southern Company
• Risk Based Auditing
• Governance Model
Myrk Harkins
• Director of Internal Auditing West
• Bachelor of Science, Civil Engineering
• Certified Internal Auditor & Certified Business Manager
• 33 Years Experience with Southern Company
  • Power Plant Construction
  • Plant Operations and Maintenance
  • 10 Years Internal Auditing
The Southern Company
• 4.3 Million Customers
• Alabama Power, Georgia Power, Mississippi Power, Gulf Power, Southern Power & Southern Link
• 42,000 MW of Generation (1 MW = 600 Homes)
• Revenue of $14.3 Billion
• Net Income of $1.6 Billion
Southern Company Internal Auditing
We are a Risk Based Audit Organization
Sample Company Enterprise Risk Management
Risk Placement Guidelines
Axes: Materiality of Impact (vertical, $ to $$$: a qualitative estimate of the potential risk's impact on the specific function/entity) against Likelihood (horizontal); Scope of Control.
Place risk here if...:
• RED: focused management attention is required
• YELLOW: on-going active monitoring by management is required
• GREEN: current management action is sufficient
2007 Sample Company Risk Profile
[Plot: the eleven risks below, numbered 1 to 11, placed by Materiality of Impact ($ to $$$) against Likelihood.]

#  | Risk                                             | Accountability
1  | Environmental legislation or regulation          | Evans/Johnson
2  | Exposure to fuel prices/availability             | Johnson
3  | Loss of constructive state regulatory environment | Operating Company CEOs
4  | Nuclear                                          | Brown
5  | Catastrophic business interruption               | Management Council
6  | Change in federal regulatory or legislative policy | Smith/Evans
7  | Execution of the financial plan                  | Farmer
8  | Workforce issues                                 | Management Council
9  | Deterioration of corporate image                 | Management Council
10 | Governance failure                               | Ratcliffe/Farmer
11 | Strategy selection and implementation            | Ratcliffe/Management Council
2007 Sample Company Fraud Risk Profile
[Plot: the nine fraud risks below, numbered 1 to 9, placed by Materiality of Impact ($ to $$$) against Likelihood.]

# | Fraud Risk                                                                                                          | Accountability
1 | Inappropriate Capitalization of Expenses                                                                            | Evans/Taylor
2 | Improper Use of Estimates and Judgments                                                                             | Ballard
3 | False Compliance Reporting (EPA, OSHA, FERC, etc.)                                                                  |
4 | Political (Bribery of Public Officials, Illegal Contributions)                                                      | Beasley
5 | Vendor Fraud (Bid Rigging, Kickbacks, etc.)                                                                         |
6 | Competitive Practices (Unfair Competition - Antitrust, Violation of Territorial Service Agreements, Wholesale Competition) |
7 | Intentional Mistreatment of Affiliate Transactions                                                                  |
8 | Inappropriate Executive Compensation                                                                                |
9 | Employee Fraud / Misappropriation of Assets                                                                         |

Other accountable parties named on the slide for the remaining fraud risks: Operating Co CEOs, Management Council, Smith/Evans, Farmer.
Audit Planning Process
[Flow diagram]
Inputs: SOCO Risk Profile, Fraud Risks, Executive Input, IA Staff Input
→ Annual Residual Risk Assessment
→ Annual Audit Plan
→ Audit Engagement Risk Assessment (performed for each audit engagement)
COSO: Southern Company's Control Framework
Understanding Governance
What is Governance?
Governance is composed of the key business processes utilized by representatives of an organization's stakeholders (e.g. shareholders (BOD), management, etc.) to optimize value by providing reasonable assurance that an entity achieves its business objectives.
The SOCO ERM Program broadly defines governance as those business processes, internal controls, decision tools, oversight structures and corporate culture elements (Southern Style) that reasonably ensure achievement of the Company's goals and objectives.
(ERM at SOCO = Our Methodology for Managing the Business)
A Simplified Approach to Governance
(Company, Functional Activity, Business Unit, etc.)
• Everything Starts with Business Objectives
• Identify and Evaluate Significant Risks (Anything that could prevent achievement of business objectives)
• Business Processes (Internal Controls & Governance Processes) to Reasonably Ensure Achievement of Business Objectives
• Assurance (Monitoring Level of Achievement and Reporting)
A Simplified Approach to Governance
[Diagram of the model with these elements: Business Objectives, Tone at the Top, Risk Assessment, Business Processes, Assurance, and Information and Communication linking them.]
Objective Setting
"What are you trying to accomplish"
Objective categories:
• Strategic
• Operational
• Reporting
• Compliance
Hierarchy: Mission, Purpose → Strategic Direction & Business Plan → Goals
Internal Environment
"Tone at the Top"
• Risk Appetite
• Management Commitment
• Ethics
• Competence
• Responsibilities and Accountability
Risk Assessment Process
"What is going to keep you from your goals"
• Identification
• Assessment
• Response
Business Processes
Control Activities
• Company Policies
• Procedures / Guidelines
• Internal Controls
Information and Communication
• Appropriate
• Availability
• Accurate / Complete
• Timely
Assurance
"Monitoring"
• Ongoing Activities
  • Supervision
  • Performance Measurement & Reporting
• Assessment Processes
  • Self
  • Corp. Oversight (Internal Auditing)
  • Independent
• Reporting Deficiencies
  • Follow Up & Corrective Actions
Practical Application
• Any Audit or Consulting Project
Questions & Comments
Myrk Harkins (rmharkin@southernco.com)
Phone – (205-257-2135)