KEY MANAGEMENT ELEMENTS FOR ENERGY UTILITIES TO SUCCEED IN THE SARBANES-OXLEY ACT
4.20.05   Vadim Vronsky, Power Energy Analyst

Most utilities have had financial reporting controls in operation for years. But the question they face now is whether their original controls meet the new standards under the Act, and to what extent they will need to solve non-compliance by implementing new systems.

 

The electricity wholesale market is a complex and risky environment. Even though utilities have typically kept to a non-speculative strategy, they still face risks, and thereby control problems, rivaling those of large financial institutions. Risk in the wholesale market involves complex and volatile elements such as:

 

1. Market price fluctuations.
2. Financially unstable counter-parties.
3. Doubtful regulatory cost recovery and detrimental rulemaking.

 

Magnifying the effects of these risks are some aspects of day-to-day operations. Common events and decisions may now have much wider consequences. A plant outage has proven, in many cases, to have a massive financial impact on an organization. Other purely operational decisions can have the same effect. Take, for example, a hydro utility’s decision to hold additional water in a reservoir over a holiday weekend. This decision inadvertently pushed the bulk power operations into a short position, causing an unexpected loss of million dollars.

 

Under Sarbanes-Oxley, all material event disclosure must be exceptionally rapid, thorough and accurate. The structure of the Act causes all information passing through the threshold of disclosure to become wholly and permanently bound to the disclosing officers. As such, the Act is expressly constructed to place responsibility, and liability, squarely on the shoulders of corporate executives. It achieves this by eliminating what was previously an officer’s most effective defense: the reasonable reliance defense. (Note: The Exchange Act of 1934 allows that an officer can only be held civilly liable if he/she had the mental state to deceive.) The control framework contemplated by Sarbanes-Oxley is so comprehensive that it makes the possibility of an unintentionally false disclosure almost impossible.

 

Sarbanes-Oxley seeks to regulate three issues:

 

a) disclosure management,
b) internal management, and
c) deadlines.

 

a) Disclosure Management

The disclosure management requirement (§302) requires utilities to implement systems “which summarize valid data, and ensure accurate and informed disclosure”. This section is meant to ensure that information from across the enterprise is sufficiently analyzed and distilled to enable informed decision making at the executive level.

 

§302 was the first provision under the Act and is best known for requiring officers to attest to the validity of financial disclosures. It is highly likely that utilities have been able to accomplish the first round of compliance with this section through manual processes and validation. However, Section 302 outlines much more than an attestation requirement. It also outlines what might be called a “disclosure staging” framework, in which information and the results of analytics are passed to executives for decision making. It also requires thorough documentation of the basis upon which decisions are being made.

 

A great deal of care should be taken when implementing compliance with this provision as the record indicates that the SEC feels this section implicitly demands continually improving disclosure staging. So, even though utilities may have passed the first round of §302 compliance, the very same framework may not be acceptable in the following year. The importance of maintaining a robust disclosure staging framework is paramount, because it does serve as the control of last resort. That is, under the reasonable reliance defense, it is almost impossible to sustain an argument that an officer did not know what they were disclosing. Even if such an argument were put forth it would be tantamount to admitting failure to comply with this requirement. Utilities should expect disclosure staging under §302 to be a primary target for SEC enquiry. This is a knock-on effect of the fraud perpetrated by Enron. Therefore, in relation to this section it is essential to understand that compliance demands more than the establishment of disclosure committees and manual processes. It demands close attention to how data is assembled, used in analytics, and documented for executive decision making.

 

Take, for example, a statement by a utility that “commodity price movements either -8% or 8%, would cause a maximum gain or loss of 1.6 million dollars.” This statement may be true, but when taken in context against the overall stated strategy of the company, the utility is implicitly making statements that could be viewed as highly misleading. In the case of this particular utility, these statements were disclosed while the company was experiencing an unexpected and prolonged forced outage at one of its facilities. This outage has cost the utility over 180 million dollars. When viewing this event against the statement that its market risk is limited to 1.6 million dollars it is apparent that information is being made available to executives in a way that would prevent what appears to be a very misleading statement.

 

b) Internal Management

Internal management and control for financial reports, governed by the rules under §404 for “internal controls over financial reporting”, is the broadest requirement and also operates at a high level of detail. The section envisages control over all the systems that feed into financial reports. However, as discussed below, this includes much more than “how one came up with the numbers.” This provision also includes requirements around the controls and analytics necessary to support overall corporate objectives. Rules under §404 require:

 

1. A statement of management’s responsibility for establishing and maintaining adequate internal controls over financial reporting for the company;

Note (on the -8% or 8% price movement statement quoted above): Equal movement upward and downward implicitly discloses that the utility experiences a perfect correlation between positions and price changes in the underlying commodity. While possible, it should be noted that implicit disclosures as described here should be documented by an evaluation of the linearity or non-linearity of those positions relative to market price changes. The presence of non-linear products such as options may make these statements highly misleading.

 

2. Management’s assessment of the effectiveness of the company’s internal controls over financial reporting as at the end of the company’s most recent fiscal year;

 

3. A statement identifying the framework used by management to evaluate the effectiveness of the company’s internal controls over financial reporting; and

 

4. A statement that the registered public accounting firm that audited the company’s financial statements has issued an attestation report on management’s assessment of the company’s internal controls over financial reporting.

 

It is important to understand which elements in the organization must be covered. The controls in question are those that:

 

1. Pertain to the maintenance of records which “accurately and fairly reflect the transactions and dispositions of the assets of the registrant at a reasonable level of detail”;

 

2. Provide reasonable assurance that the transactions are recorded so as to permit preparation of financial statements in accordance with GAAP; and that receipts and expenditures are being made in accordance with the authorization of management and directors;

 

3. Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the registrant’s assets that could have a material effect on the financial statements.

 

Utilities face three challenges in complying with Section 404:

 

The first challenge is that the process of implementing “financial controls” requires a detailed mapping and integration of “how one came up with the numbers”. Many utilities that have gone, or are going, through the process of identifying all the relevant systems that “touch” the general ledger have identified anywhere from 60 to over 300 different internal systems that materially contribute to financials. This makes compliance very difficult for utilities. Different systems have different architectures, naming conventions, problematic interfaces and other difficult technical issues. It is a certainty that utilities will have to rationalize systems in order to meet fundamental compliance requirements.

 

The second challenge is that “financial controls” as defined by the SEC is far larger than just “how one came up with the numbers.” The system established must also include a variety of controls and analytics that evaluate data quality. For example, it is an express requirement that all material transactions be accounted for in the control framework. However, this can be very difficult for utilities where many common transactions are highly complex. For example, a power plant is an operationally complex asset. This asset produces physical energy positions that have very important financial and accounting implications. The ability of the control framework to capture the unique elements of this plant is, therefore, a primary consideration. Going beyond what’s in the numbers also includes the provision regarding the control of assets. Utilities must implement systems that prevent unauthorized transactions. This, again, may require utilities to rationalize older legacy systems that are not designed to facilitate this type of control framework. Every utility must participate in the wholesale market.

 

The third and most important consideration is that system implementations do not equal compliance. Compliance flows directly from the expressly identified strategy of the company. Once that strategy is identified, utilities must identify the key risks to it. For example, if the overall strategy is the non-speculative operation of assets, elements such as the concise definition of a speculative trade, how transactions are executed and a series of risk limits become critical components of compliance. If a utility has adopted a non-speculative wholesale trading strategy it must set relevant trading controls (audit trail, trader limits, risk evaluation, etc.). A deficiency in these controls may enable traders to speculate without the knowledge of the enterprise, expressly violating the requirement that utilities control the unauthorized use of assets. Our experience is that there is often weak definition and process for categorizing deals as ‘hedge’ or ‘speculative’. It is not uncommon for ‘speculative’ trading to be termed ‘information trading’, ‘margin trading’, or even ‘dynamic hedging’ since the ‘A’ word is often deemed politically unacceptable.

 

c) Deadlines

 

The final requirement is deadlines (“timeliness”, §409). This provision requires that material events are reported in “real time”. Current discussion and commentary indicate that “real time” means within 48 hours. Section 409 is the most difficult section under the Act. The time-sensitive nature of this section is placing exceptional pressure on a utility’s data infrastructure. The average utility has hundreds of different systems that may or may not be integrated, to varying levels. Each interface between systems is potentially a point of failure contributing to non-compliance. Note: The timetable demanded by the SEC (Securities and Exchange Commission) does not allow for a utility to wait for regular general ledger information; the Act requires much more frequent G/L updates. Often applications managing operational data are incapable of producing even if the level of detail is available the data will have to be fed into other systems capable of delivering dynamic real time analytics.

 

There are critical areas that play an important role in Sarbanes-Oxley compliance, and which cannot be resolved without a technology-based solution. They are: (i) data (transaction, management system); (ii) data reconciliation; (iii) market management; (iv) risk management (credit risk and risk analysis).

 

(i) Data: Utilities typically consist of tens of divisions, each of which is a potential point of non-compliance. Even when narrowing the divisions down to those principally participating in the wholesale market, there are fundamental data issues that make compliance difficult. In the average utility one will find a wide and inconsistent variety of systems, data hierarchies, field naming conventions and detail behind data elements. At a minimum the Act requires transaction details, but the overall complexity can make the seemingly simple task of supplying those details very difficult. Very often the information is kept in disparate systems and/or spreadsheets. This makes basic aggregation at the executive level impossible and non-compliance inevitable. In practice, poor data often forces utilities to “fudge” the transaction details to create congruence with the results generated from the general ledger. Poor data structures also make implementation of controls very difficult.

 

Some transaction management systems implemented in the early stages of deregulation were based on code and data structures from the financial sector. These older systems are unlikely to provide the detail needed for compliance. This is because of the difficulty of reconciling the complexity of an energy transaction to that of a financial transaction. Energy contracts and physical positions flow dynamically, and often according to complex volume definitions. Systems must therefore be able to accommodate non-standard transactions. It is not uncommon for traders to have to make subjective decisions of how to best represent complex deals in legacy systems, clearly a non-compliant process. The provisions of §404 expressly require the ability to capture and consolidate complex and irregular transactions. The security of older transaction management systems should also be examined closely. The danger of using old technology is that the systems may be vulnerable to hacking and data. The ability to maintain a detailed audit trail of transaction information, both standard and non-standard, is a minimal requirement under the Act. The provisions of §404 expressly require systems designed to prevent the unauthorized use of company assets. Furthermore the criminal liability sections under the Act (§802) revolve primarily around the retention and prohibition against destruction of documents. While most utilities do have audit trail processes in place there are widespread and notable deficiencies. Utilities often have two transaction management systems in place. The first is a “term” oriented system that manages positions one month away from delivery and greater. The second is a “real time” system that manages positions one week to an hour ahead of delivery. While most term systems have audit trails in place, many real time systems do not.

 

(ii) Data reconciliation: In the energy sector difficulties arise out of the incongruence of dates and time. Transactions may not be accounted for on similar time intervals. For example, because term transactions and real time transactions are not managed on the same system there may be incongruence between a block term position and how that position is viewed when going through delivery. This is an area of “fudge factoring” in which the volume is pulled via a manual or is integrated process and causes a cascade of inaccuracy including mark to market error and difficulty in assessing quickly the impact of a major event on the real time desk. The typical trading floor comprises a handful of traders and a floor full of settlement personnel. This is because much of the wholesale gas and power market operates on old and slow technology. Companies can no longer wait 90 or 120 days to determine the financial results of daily operations. Utilities should closely examine their processes around automated settlement with counter-parties. Utilities should also implement a robust predictive or “shadow” settlement process that alerts executives to significant settlement and cash events.

 

(iii) Market management: Utilities should subject market management to a high level of scrutiny. Market manipulation was fundamental in allowing Enron to inflate earnings inappropriately. The way in which utilities manage market price information has become one of the most important aspects of reporting on wholesale operations. Good market management supports accurate reporting information and consequently becomes an express requirement under the Act (§404 in particular). Price information underpins a tremendous amount of disclosure decisions. Often price information is aggregated in several different places across the enterprise. For financial reporting it is imperative that data curves be managed across the enterprise using a consistent and documented approach by following reasons:

 

(iv) Risk management: In the shadow of Enron, credit risk and counter-party management have become of paramount importance. While certainly a financial exposure exercise, credit risk is also directly related to controlling the unauthorized use of assets as directed by §404. Some utilities have a high risk of unauthorized transactions because of the location and structure of credit operations. The credit department often operates remotely from mainstream wholesale market operations. In some cases, credit risk and control is little more than an accounts-receivable statement issued to the trading desk at a semi-regular interval. The Act requires utilities to: (1) manage counter-party relationships at a high level of detail. Often counter-party relationships are complex with a series of parent, child, limits that in the absence of systems may be difficult to analyze in a reasonable period of time; (2) have access to detailed contract information, real time position and mark to market updates; if possible some form of forward-looking risk evaluation; (3) have the ability to quickly disable trading with any counter-party; and (4) have the ability to regularly draw external updates, such as credit scores, from third parties. Many utilities have implemented risk metrics across the enterprise to determine potential exposures. This is fundamental to meeting the internal controls requirement. In order to comply with the Act an enterprise must be able to evaluate risk events ahead of time and in real time. Risk analytics are a key function at the disclosure staging level, providing executives with the information necessary to decide not only whether something is material in the first place, but also to calculate the probable future effect on the enterprise. Risk analytics are expressly demanded under the Act, as such metrics form the basis for “disclosure related assertions” under §404. Risk metrics are the fundamentals behind each 10K’s “Qualitative Statements on Risk.”

 

In conclusion, the key elements for successful compliance with the Sarbanes-Oxley Act are careful consideration of the operational strategy and risks, thorough identification of all systems impacting the general ledger, a comprehensive IT solution, and the creation of a compliance-oriented culture to meet the subjective aspects of the Act.

 

To join in on the conversation or to subscribe or visit this site go to:  http://www.energypulse.net

Copyright 2005 CyberTech, Inc.