Internal Audit Priorities for the Energy Sector
After polling the attendees by sector and sub-sector (perhaps through the use of voting technology), the session will drive into the four major risk areas impacting the energy and resources sector. These risk areas will be common across the five sub-sectors (oil and gas producers, power and utilities, mining, oilfield services, and midstream). Each component area will include a description of the key risks for stakeholders, guidance and rationale for internal auditors to be focused on these risks, and outlining strategies/tactics to evaluate the risk exposures. The four key areas include the following:
Cost containment – energy firms, particularly in oil/gas are challenged to keep their development and production costs. Savings can translate directly to the bottom line in most cases. Strategies described will include VFM projects, advanced analytics, vendor/project audits, and royalty/tariff assurance.
Regulatory compliance – in addition to describing evolving requlatory regimes, we also hope to describe efforts undertaken by firms for ESG (environmental, social and governance) to measure the sustainability and ethical impact of business investments. Suggested tactics include audits of various second line assurance providers (and the challenges inherent in this work).
Combined Assurance – this element will address the perception that audit fatigue may be experienced generally as a result of the proliferation of compliance groups and overlapping mandates. We will describe efforts undertaken by leading organizations to integrate the work of second line and operational audit groups to reduce costs and incrase overall assurance.
Cyber – system reliability risks are elevated in the power and utilities sub-sector because their facilities may be regarded as critical infrastructure. Cyber risks unique to SCADA systems, which dominate the energy industry, will also be described. Tactics to evaluate IT systems include, but are not limited to, system reviews, security testing, social engineering, and desktop exercises.
The session is intended to be highly interactive and we will actively seek the input of attendees into to the approaches used in their respective organizations. To expand audit coverage in the priority areas outlined, we intend to challenge current “traditional” assumptions around internal audit planning, conduct and reporting to maximize limited resources.