How To Focus Your Audit Plan To Effectively Monitor Risk

Title: How To Focus Your Audit Plan To Effectively Monitor Risk


1
  • How To Focus Your Audit Plan To Effectively
    Monitor Risk
  • AGA/EEI 2009 Chief Audit Executives Conference
  • Patty Shell - VP and General Auditor, Dominion
  • June 24, 2009

2
Dominion Snapshot
Dominion's combination of markets, assets,
operations and regulatory environments is
concentrated in the Mid-Atlantic and Northeast
regions of the U.S.
  • 27,400 MW of electric generation
  • 1.2 trillion cubic feet equivalent of proved
    natural gas reserves
  • 6,000 miles of electric transmission
  • 14,000 miles of natural gas transmission,
    gathering and storage pipeline
  • Nearly 1 trillion cubic feet of natural gas
    storage operated
  • Cove Point LNG Facility
  • 2.4 million electric customers in VA and NC
  • 1.2 million natural gas customers in OH
  • 1.6 million nonregulated retail customers in
    12 states
Map excludes Peoples and Hope LDCs
3
Dominion Snapshot
4
Who Is Responsible for Monitoring Risk?
VP Governance?
Board of Directors?
Executive Management?
Internal Audit?
Treasurer?
ERM?
Credit Risk Group?
CFO?
Accounting Controls Group?
Chief Compliance Officer?
Corporate Risk Committee?
Chief Risk Officer?
Management Risk Oversight Committee?
Business Units?
Accounting?
Security?
General Counsel?
Audit Committee?
Insurance Risk Management Group?
5
Risk Governance at Dominion
6
Risk Governance at Dominion
  • The players
  • Board of Directors
  • Audit Committee
  • CAE and CCO provide regular reports and updates
  • Finance and Risk Oversight Committee (FROC)
  • CRO provides regular reports and updates
  • Compensation, Governance and Nominating Committee
    (CGN)
  • VP Governance provides regular reports and
    updates
  • Executive Management - tone at the top

7
Risk Governance at Dominion
  • The players
  • VP Governance/Corporate Secretary
  • Tactical and compliance focus - reports to CEO
  • Executive compensation
  • Coordination of Board level governance activities
  • Chief Compliance Officer (SVP General Counsel)
  • Tactical and compliance focus
  • Coordination and oversight of Dominion Ethics
    Program
  • Administration of compliance hot-line
    (third-party provider)
  • Annual compliance survey
  • Training/education

8
Risk Governance at Dominion
  • The players
  • Chief Risk Officer (VP)
  • Strategic, financial, operational and compliance
    focus - reports to CFO
  • Pull all owner and control groups together to
    focus on risk assessment, monitoring, and
    communication
  • Facilitates BU Risk Assessments/Improvement Plans
  • Provides a common framework for the BUs
  • Fosters cross BU and cross enterprise discussion
  • Facilitates Unusual Event Risk Assessments
  • Develops enterprise level view from underlying BU
    assessments
  • Leads enterprise level improvement efforts
  • Chief Audit Executive (VP)
  • CAE reports to audit committee - administratively
    reports to CEO
  • Independent review of other risk functions and
    processes
  • Financial, operational, compliance and strategic
    focus

9
Risk Governance at Dominion
  • The players
  • Management Risk Oversight Committee (MROC)
  • Executive management committee responsible for
    reviewing and discussing BU and Corporate risk
    assessments - chaired by Corporate CFO
  • Evaluates gap analysis on controls and assigns
    executive team responsibility to design,
    implement and report on improvements
  • CRO, CCO, CAE and VP Governance are all members
    in addition to BU CFOs and support functions
    (HR, IT, supply chain, public policy etc.)
  • Credit and Commodity Risk Group
  • Centralized controls related to credit and
    commodity risk
  • Provides reports to the MROC

10
Risk Governance at Dominion
  • The players
  • Insurance/Corp Risk Group
  • Financial focus - reports to Treasurer
  • Centralized controls related to insurable risks
  • Provides reports to the MROC
  • Business Units
  • Owners of Business Unit risk and controls
  • Strategic, operational, financial and compliance
    focus
  • Support (back office) groups
  • Accounting, finance, tax, HR, legal, IT

11
Keys to Successful Coordination of Risk
Governance Activities
  • Culture of compliance
  • Executive level risk committee (MROC)
  • Clear definition of responsibilities
  • Use of a common framework
  • Leverage (don't duplicate) results and findings
    of other functions
  • Collaborate with other functions to address
    potential issues, gaps and opportunities (don't
    work in a silo)

12
Keys to Successful Coordination of Risk
Governance Activities
  • Give and receive input on risk assessments, audit
    plans, surveys, Board and Committee
    presentations, etc.
  • Schedule education sessions with the Board
  • Risk management, not risk avoidance - risk is not
    just about potential for loss but also about
    reduced opportunity for gain
  • Communicate often with everyone! (two-way,
    cross-functional dialog)

13
Focusing the Audit Plan
  • Annual risk assessment
  • Rolling audit plan - quarterly risk reviews
  • Quarterly CEO/CFO updates
  • MROC meeting discussions
  • Mapping of CRO risk assessment to audit plan
  • Mapping of BU improvement plans to audit plan
  • Monthly Finance team meetings
  • Disclosure committee meetings
  • Entity level control testing results (Monitoring)
  • Quarterly leadership updates
  • Quarterly security updates
  • Compliance survey response review
  • Fraud risk assessment input
  • SOX steering committee
  • SOX testing and documentation review

14
Focusing the Audit Plan
  • Key Risk maps (output from the CRO facilitated
    risk assessments) and Improvement Plans
  • MROC discussions
  • Results of Fraud Risk Assessment
  • Liquidity of assets/fraud potential
  • Audit Frequency (including previous audit
    results/follow-up)
  • Financial exposure/impact
  • 10-K risk factors and future issues
  • Control environment considerations
  • Key indicators/significant events or changes
    (internal and external)
  • Management discussions
  • Operational considerations
  • Regulatory and Compliance considerations
  • Strategic importance
  • Information Technology considerations (mission
    critical systems, complex applications)
  • Resource availability