Using the Sarbanes-Oxley Act

Who would have predicted that significant help in managing operational risks
would come from such an unlikely source: Section 404 of the Sarbanes-Oxley Act?
But by voluntarily extending the Sarbanes-Oxley model, stretching management’s
study and evaluation of controls beyond financial reporting and control to operational
reporting and control, forward-thinking utilities may more effectively uncover
and manage regulatory and business risks, resulting in increased investor confidence.

So the scramble is on: Many public companies have staffed up internally and
hired outside resources to comply with Section 404 of the Sarbanes-Oxley Act.
These companies are consuming much in the way of time, manpower and money to
document, test and evaluate their internal control structures and procedures
for financial reporting. For example, an Ernst & Young survey of 100 major businesses
found that 70 percent of companies anticipate investing at least 10,000 hours
to comply with Section 404. Moreover, a survey by Financial Executives International
found that responding companies expect to pay an average of $732,100 for external
consulting, software and other assistance to comply. (Section 404 requires that
companies document and test controls three months before the end of the fiscal

For most of these companies, the end product of these significant investments
may result in an internal control report from management that accomplishes two
key objectives. First, it will help confirm management’s responsibility for
establishing and maintaining an adequate internal control structure and procedures
for financial reporting. Second, it will help assess how well the structure
and procedures work. The company’s external auditors must attest to, and report
on, management’s assessment as well as the effectiveness of internal controls
over financial reporting as of the assessment date.

When it’s all said and done, management at most companies will likely breathe
a sigh of relief, be glad it’s over, put Section 404 activities on the shelf
for a while and move on to more invigorating activities.

It becomes clear, however, that forward-looking companies should consider taking
the logical next step of extending the Section 404 framework from the financial
side of the house to the operational side.

Yes, that’s right, voluntarily extend the Section 404 mindset to operations,
proactively immersing the entire organization in the identification, documentation
and testing of operational controls.

Changing a Mindset

Many companies view elements of Sarbanes-Oxley as time-consuming and expensive.
However, beyond the direct improvements resulting in financial reporting, such
efforts have additional potential upside as well. The most important upside
is: taking the expertise developed in documenting, measuring and testing financial
controls and applying it to operations.

In many ways, it is no more than the logical next step. Those who translate
everything they’ve learned on the financial side of the house to the operations
side will emerge from the 404 process the strongest.

The need for better operational controls and reporting has never been greater
for utilities. Over the past decade, new players, new regulations and new market
forces have shaken up the once-stable utility industry. The landscape is littered
with ill-fated attempts at deregulation, high-profile business failures and
scandals at energy trading organizations. Consumers are angry and confused,
investors are wary and state and federal legislators and regulators are determined
to return order to an industry that they believe is in desperate need of it.
All of these factors – plus the capital-intensive nature of the business – point
to increased need for vigorous risk management practices, policies and procedures.

The dawning of Section 404 financial reporting presents a golden opportunity
for management teams to put processes in place that manage risk from its origin
– operations. Without thorough operational control, true financial control may
be difficult to attain.

Focus on Financial

In all but the most sophisticated companies, operational controls traditionally
have been underdeveloped compared with the financial side. The group most often
charged with operational controls – the internal audit function – is usually
focused on compliance, instead of the operational issues that ultimately affect
financials. This focus on financial controls will only grow as compliance with
Section 404 is institutionalized.

In many companies, oversight of operational processes and controls is scattered
throughout the organization. More often than not, the job of mandatory operational
reporting – to various state and federal energy, health and safety, and environmental
regulatory agencies – falls on different functions within the organization,
such as human resources. By default, these departments within a company become
the keepers of various data and information, reporting them to regulatory agencies
on a habitual basis. Because it lacks systemic control, standardized processes
and oversight, this ad hoc reporting style can create significant risks.

As a result, internally driven challenges to what organizations are doing operationally
are often nonexistent. A lot of upward reporting occurs, but not a lot of peer
review or systematic checks and balances. And it’s only through those approaches
that gaps can be uncovered and addressed before they create problems.

Sarbanes-Oxley is forcing companies to be more forthcoming and expose their
financial control risks. To truly control financial risks, however, companies
should think about looking even deeper and identify the operational risks from
which their financial risks emanate. The principles of Section 404 can give
them the tools to do so.

The Payoff: Fewer Surprises

Having stringent operational controls and reporting processes in place can
alert management to potential trouble spots long before their effects show up
in financial statements. This is because there is a very clear and close link
between operational and financial reporting. Financial reports are simply a
reflection of what has happened in operations. Unfortunately, management’s first
look at what happened operationally frequently occurs when the financial statements
are produced. When the results aren’t what they’d expected or hoped for, they
then try to fix the problem, but by then it’s too late. In essence, management
works backward from the financial statements.

Having operational controls and processes in place, documented and monitored
could serve as an early warning system and allow a company to address what is
happening operationally on a more real-time basis. Long before financial statements
are produced, management would recognize that things aren’t going as anticipated
and take corrective action. Many of the recent headline-grabbing corporate scandals
and failures might have been prevented or mitigated with better operational
controls and oversight. With better operational controls, management at these
companies could have known early on that they had a fundamental business problem
brewing and could have acted on it, avoiding all of the tragedy that followed.
Unfortunately, they didn’t understand what was happening in their companies
operationally, and by the time they discovered it, they didn’t have enough time
to manage it.

What to Do

Companies that determine to extend assessment of controls beyond those dealing
with financial reporting will immediately be faced with a daunting task: deciding
where to start.

Most utilities face no shortage of operational risks, and there are essentially
four ways to address them:

  • Insuring them;
  • Hedging them;
  • Learning to live with them because they don’t pose a threat for significant
    loss; and
  • Mitigating them through improved operational and financial controls.

Because it’s impossible, and probably unnecessary, to address every risk, we
suggest employing two criteria for identifying those to tackle immediately.
First, try to zero in on the critical “handfuls” that pose the most significant
potential for loss. Second, consider addressing those that lend themselves to
mitigation by improved internal controls. This would include defining and mapping
the process as it currently exists, defining what it ideally should look like,
and implementing a plan to fill in the gaps.

Internal audit functions are the likely candidates to make suggestions to management
for implementing 404-like practices in operations. But to do so, they will need
to create a new model for developing, implementing and monitoring operational
controls – a revamp that is long overdue in most companies. In the future, the
internal audit groups that deliver the most value to their organizations will
be those that offer innovative solutions to operational control problems.

Though each company faces a unique set of challenges, there are a handful of
likely candidates for Section 404-like documentation, review and testing at
most utilities.

Near the top of the list are energy procurement and commodity trading activities.
In the mid- to late-1990s, most utility companies took advantage of price-risk
protection offered by the use of derivatives by creating their own trading groups
to interact and transact with major trading houses. These groups quickly gained
tremendous market power – constrained only in limited fashion by their regulatory
authorities – and developed significant expertise and sophistication in negotiating
transactions using complicated derivatives.

But as these trading groups grew in sophistication, their operational controls
did not keep up. As a result, they present significant risk from lack of, or
inappropriate, controls over the segregation of duties, as well as the authorization,
validation and confirmation of transactions. Even after numerous high-profile
collapses within the industry, many utilities today still have to increase the
level of scrutiny over controls within their trading departments. While 404
has caused them to focus on controls regarding segregation of duties between
the front-, middle- and back-office functions, the initiation of transactions
and the ensuing confirmation, there are still major operational control issues
that utilities should address, including:

  • Determination of the appropriate authority limits, including spending limits,
    contract length limits, capital at risk or other parameters in line with the
    corporate governance objectives of the organization and the expectation of
  • Credit policies, including collateral requirements and credit limits for
  • Document retention and price reporting policies to provide safe harbor relative
    to regulatory requirements;
  • Segregation of transactions between regulated and unregulated entities under
    the same corporate umbrella;
  • Realignment of compensation models vis-à-vis the trading strategies of the
    organization; and
  • Reassessment of the controls surrounding the physical movement of the commodity,
    including scheduling to minimize imbalances.

Another likely candidate for operational control overhaul in many utilities
is the process surrounding approval, initiation and management of capital construction
projects. Long-term, tangible assets remain the backbone of utilities, and their
integrity must be maintained through frequent upgrades, expansion, repair and

Often, utilities lack appropriate controls over project approval and initiation.
Because field personnel and operations crews are tasked with completing capital
projects within tight deadlines, projects can be established and executed with
minimal scrutiny from an operational standpoint.

A utility’s ability to navigate the new regulatory landscape is another operational
aspect worthy of close examination. During the 1990s and early 2000s, many utilities
dramatically altered their strategic growth plans to focus on nonregulated energy
entities that held the allure of higher, market-based returns. Stable, cash-generating
regulated activities, while still at the core of the utility business, were
often labeled as “slow growth” or “no growth” enterprises. As a result, the
in-house regulatory affairs capabilities of many utilities, once large and well-staffed,
changed focus and shrank dramatically.

Fast forward to 2005. Because of recent spectacular deregulation failures,
many nonregulated energy service offerings have declined or disappeared over
the last few years. Many utilities have gone back to the basics – safely maintaining
their assets, reliably delivering energy and collecting revenue in a timely
manner – with regulated activities once again accounting for the lion’s share
of utilities’ growth prospects.

During the period of infatuation with nonregulated businesses, there was little
major utility rate case activity. Now with the focus shifting back to regulated
activities, many utilities are likely to no longer have the in-house capabilities,
skill sets or resources to mount any significant rate case work.

As energy utilities embark on their strategy development beyond the first year
of 404, they must discover resources capable of reviving their own industry
expertise, market intelligence and regulatory insight. As these resources are
added, implementing a framework where operational controls are present provides
the best opportunity to manage risk and prevent many of the mistakes of the

Who Will Lead?

Because recent business failures and scandals have created an environment that
puts internal operational controls under the microscope, it’s logical to think
that many companies will embrace this idea. But that’s not likely to happen.

Managements are so focused on 404 implementation that many may fail to recognize,
due to time and resource constraints, that assessing financial reporting controls
is only half the battle. To date, the investment community has not placed a
great deal of emphasis on strong operational controls. But it reacts negatively
to financial reporting control failures, often not realizing that these failures
usually result from the lack of operational controls. Investors and other constituents
of these companies will come to that realization when another scandal occurs
despite Section 404 compliance.

If Section 404-weary management does not lead the charge to extend this concept
to operational controls and reporting, the call for stronger operational controls
will likely come from regulators, boards of directors, audit committees, investors,
rating agencies and other stakeholders, as they realize that Section 404 compliance
does not address all ills a company faces. When this happens, investors and
other constituents will then place a premium on organizations that are well-managed
and have best-in-class operational controls.

The irony is that, for companies consumed with the Section 404 compliance flurry,
a promising solution for addressing their operational risks could be right in
front of them.