October 18, 2004

Aquila’s auditing triad: SOX, ERM and entity-level internal controls

By Nancy Hala, KnowledgeLeader Contributing Writer

In the wake of the Enron debacle, companies like Aquila – oil and natural gas utilities significantly involved in the merchant business – quickly decided to reposition their strategic focus and operations, and return to the business of being a core utility. Today, Aquila, based in Kansas City, Missouri, operates electricity and natural gas distribution utilities serving customers in seven U.S. states: Kansas, Minnesota, Missouri, Nebraska, Iowa, Michigan and Colorado. Aquila also owns and operates power generation assets. Previously UtiliCorp United, the company changed its name and stock symbol in 2002 and had total assets of $2.9 billion as of June 30, 2004.

In part as a result of its decision to exit from its merchant business and wind down international operations, Aquila is undergoing a significant financial restructuring. This, in conjunction with Sarbanes-Oxley attestation requirements, has set the stage for much of the internal audit work now underway at the company.

Lynn Fountain is the vice president of risk assessment and audit services at Aquila. An audit manager for the company for seven years, she was promoted in February 2004 to her current position. Fountain and her team of 8 professional auditors are widely recognized in the audit industry as a group dedicated to innovation and progress.

Recently the subject of an article in Internal Auditor magazine on her approach to COSO, and a participant in a Webcast sponsored by the Institute of Internal Auditors, Fountain is well known for using facilitated sessions with leadership to identify and manage entity-level controls across the enterprise. The Aquila audit team has been successful in linking efforts related to enterprise risk management (ERM) with initiatives related to Sarbanes-Oxley, and she is spreading the word to her colleagues. “Just being out there in the corporate world and talking with other companies about what you are doing can be a learning experience,” Fountain says. “With Sarbanes-Oxley, it’s very helpful to find out what other companies are doing.”

According to Fountain, the audit group at Aquila is focusing on the company’s core processes in order to meet Sarbanes-Oxley reporting and attestation requirements next year. However, the audit team also must be prepared to continually monitor and analyze those processes. Fountain explains: “We are experiencing not just financial repositioning but also process improvement, and that means change. With Sarbanes-Oxley, there are many elements beyond financial reporting we have to examine. We base our audit work on COSO, so we continually evaluate our control environment.” In addition to overseeing the strategies, goals and project management related to Sarbanes-Oxley for the past 18 months, Fountain and her team have been involved in helping Aquila return to an ERM approach. “One of the ways we are doing that is that we are using an ERM-facilitated approach to reestablish the risk universe for Aquila, and assist in moving the company forward for further ERM analysis. We will be doing this in a facilitated meeting in September that will include members of the leadership team,” says Fountain. They have found that using facilitated sessions with management to measure entity-level controls enables the audit function to improve risk management, implement ERM and move the company forward on Sarbanes-Oxley compliance. The ERM approach will also be used to help establish the audit plan for 2005.

Integrating ERM in a facilitated entity-level evaluation
The COSO model states that evaluating internal controls requires both entity-level and activity-level examination. COSO has three objectives: effectiveness and efficiency of controls, reliability of financial reporting and compliance with laws and regulations. It also includes five distinct components: control environment, risk assessment, control activities, information/communication and monitoring.

As Aquila’s internal control experts, the audit team can explore the control environment from a risk-based audit perspective and use those risk methodologies to achieve goals related to Sarbanes-Oxley. “We decided to use our risk-based approach to identify what financial reporting elements must be examined,” Fountain says. “So we stepped back, viewed the organization as a whole, identified key processes and targeted where the risks resided within those processes. We then determined whether those processes and risks were elements of compliance, operation or financial reporting – the three COSO drivers. With regard to Sarbanes-Oxley, the primary driver is financial reporting, but there is overlap from the first two.”

Much of this approach stemmed from concepts and methodologies related to ERM. “We use Protiviti software for Sarbanes-Oxley; that helps us tie in our risks and risk methodologies,” she says.

To explore and understand the five attributes of COSO and how they are applied across the organization requires more than testing; it requires observation and feedback. Fountain and her team chose not to use questionnaires to obtain this feedback. “I don’t like questionnaires,” she says. “People are filling them out based on their own personal understanding or lack of it. On a scale of one through five, what does a three really mean? Does it mean the same thing for everyone?”

To achieve a more value-oriented methodology for Aquila, the audit team began by identifying the risk capabilities that Fountain and her group wanted to measure and then built a grid that defined the attributes of those capabilities within five stages.

For example, the company’s ethics policy is an important risk management capability for Aquila. The stages of that capability break down like this:

  • Stage A – a formal code of ethics policy does not exist in the company.
  • Stage B – an informal ethics policy exists, but communication of the policy is weak and inconsistent.
  • Stage C – a formal ethics policy exists, and communication is adequate, but not all aspects of the policy are well understood throughout the organization, and the policy is updated infrequently.
  • Stage D – a formal, well-communicated ethics policy exists. It is understood throughout the organization and updated regularly. However, the policy should be more thoroughly monitored.
  • Stage E – a formal ethics policy exists and is considered best practice.

In Aquila’s risk assessment and audit services approach, a group of management-level individuals is gathered in a facilitated session. Keypads are distributed for electronic voting. As participants read through their choices on the defined grid, they vote on the stage they feel Aquila is in with regard to that particular capability or process. The votes are displayed on a screen.

“As a facilitator you look for a consensus,” Fountain says. “However, if you have real outliers, you stop immediately and discuss so that you can understand why people voted the way they voted. This helps to bring the real issues to the surface. You will be able to illustrate the various insights of the participants and begin to understand, for example, how our ethics policy is perceived, both at the line level and the corporate level.”

For each process, there are myriad attributes to examine. In the example of an ethics policy, the audit team helps participants explore the policy itself, reporting procedures, values and monitoring, to name a few. All the attributes are voted on during the session, which typically takes one full day. At the end of the session, Fountain is able to convey to the participants what stage, overall, the company is in for each key process. For Aquila, given the recent surge of change and restructuring, Stage D is an adequate level of control for the time being.

“We look for votes below a stage C, and this helps us identify the COSO elements that we need to focus on as a company as we move forward with Sarbanes-Oxley,” she says.

Training, communication and partnership
To further enhance internal controls and work related to Sarbanes-Oxley, Fountain helped Aquila’s software vendor – Red Hawk Communications, the widely recognized vendor with experience in online training for employees – write an online training module about internal controls. “The concept is, ‘What are internal controls and how do they impact my job?’” Fountain says. “This applies to everyone in the organization, from an accounts payable clerk to the vice president of an operating unit.” The training module helps support both the overall control environment at Aquila and Sarbanes-Oxley-related initiatives. Red Hawk Communications also assisted Aquila with its ethics and its safety training modules.

As a member of the Edison Electric Institute (EEI), a group of directors and vice presidents of utilities companies, Fountain will be speaking at a September conference of utilities on COSO. “We have taken COSO elements and integrated them with ERM. Our audits also integrate Sarbanes-Oxley issues, such as fraud. In essence, we are using our Sarbanes-Oxley lessons learned and incorporating them into our audit process,” she says.

The Aquila audit team works hard to communicate with process owners and include their viewpoint in all of the audit team’s initiatives. The focus is also on communicating effectively with the rest of the company. “We receive many requests from all over the organization, from major project evaluation to work we can do at the back end,” Fountain says. “We have to evaluate those requests and determine whether there is a risk-based need for our group to juggle other audits. It is a balancing act, but that is why it’s part of our commitment to communicate, to all parts of the organization, exactly what we are doing for Sarbanes-Oxley. Often, the special requests are already incorporated in the Sarbanes-Oxley process. All of the auditors work hard to establish solid relationships. All of our managers and lead seniors have assigned business areas and they work closely with process owners. This helps establish good relationships because people know who to call.”

A strong partnership exists between the audit group and Aquila’s leadership team. Fountain focused on that while she was an audit manager, and she maintains that focus now. “I’m making trips to all of our seven states, talking to leadership about Sarbanes-Oxley, ERM, what we are doing and how it impacts them. Also, this year we are piloting a new state assessment process designed to evaluate risk and controls on a state-by-state level,” she says.

The Aquila audit team always faces the challenge of balancing process improvement initiatives with internal audit work. Aquila is making great strides with its restructuring effort, as well as its process efficiency projects, so progress has been solid. “Process improvement means change, and if change affects a control related to Sarbanes-Oxley, we have to know what it is and be prepared to test and re-test it, so that we are on time for attestation,” Fountain says. “As a company, we are getting back on track and continuing to look hard at what we can improve.”

As Aquila moves forward, the audit team will help implement continuous monitoring tools, analysis tools, other audit improvement techniques and management testing. Fountain also will continue to spearhead efforts related to integrating ERM. “Since the audit function has most of the experience in this area, we can be the facilitators, helping to make sure that ERM pervades the company.”

Interview with Lynn Fountain, Vice President of Risk Assessment and Audit Services, conducted August 2004.