Sarah Pumfrett discusses internal audit’s role when it comes to carbon sustainability.
‘The green economy’ and ‘renewable energy’ have become household topics of conversation around Europe over the past decade. The ‘throwaway society’ that has replaced the ‘make do and mend’ mentality of just a couple of generations ago contributes significantly to the rate of natural capital depletion, leaving accountants wondering what is meant by ‘sustainability reporting’ and auditors wondering how to provide assurance that risks to business objectives are effectively managed.
Planning the audit
When planning the audit, ask yourself ‘what assurance does the audit committee want from this report?’
Choosing which risks to assure will depend on the entity involved. Auditors for central government may be focused on policy decisions driving energy security, stability and sustainability (including low carbon consumerism over time); those involved in manufacturing may be concerned with a reduction in:
- natural capital depletion (recycled rather than virgin components)
- product energy consumption (controlled shutdown where excessive time on standby, cycling of electricity according to automated control as is the case with a fridge in steady state operation).
Auditors also need to be aware of subtleties in terminology, which may obscure the fundamental points that underpin the objectives. A good example of such a subtlety is the difference between ‘sustainable’ and ‘renewable’ energy:
- sustainable energy: must permanently, and effectively, replace its legacy equivalent, while reducing the associated environmental harm (calculated using lifecycle accounting for both technologies). Hydro power is sustainable
- renewable energy: is generated from an inexhaustible source (regeneration is at least equivalent to usage, or the source is not ‘used up’ during generation). Wind provides renewable energy.
Lifecycle accounting takes cognisance of the full cost of the activity including: mining for components, transportation, processing and manufacture to final product; transportation and installation of product, operational maintenance, and full site decommissioning (to original state prior to installation) through to recycling or final disposal. It also encompasses all relevant components that form part of the activity (not only considering the generating plant, but also transportation of component parts to the plant – eg gas pipelines from the refinery to a gas generation unit – and pylons/underground cabling and sub-station infrastructure between the generation unit and consumer).
Consideration of objectives and risks
Whether differentiating between sustainable and renewable matters depends on assurance required. For example, if the objective is to generate all power through renewable energy, then moving exclusively to wind power could be the answer. Therefore, it would be possible for an auditor to confirm that moving exclusively to wind power would achieve the objective. However, this would ignore the facts that:
- power blackouts would be inevitable when the wind was too high or low for the operational design range of the turbines
- grid-balancing issues could result in surges, potentially blowing end user equipment and excessive wear and tear through power fluctuations
- environmental harm from rare earth mining, transmitted turbulence (eg soil compaction), ecological damage (barotraumas to bats and birds), and human health concerns (wind turbine syndrome) may outweigh the benefits of renewable energy generation.
It becomes critical to understand the subtleties of terminology at the audit preparation stage, when asking the questions:
- why should we generate energy from renewable sources?
- is this the true objective?
In discussion with management, you may establish the real objective is not ‘to generate power from renewable sources’ but ‘to reduce carbon dioxide emissions, in a bid to halt global warming’. Another objective may be ‘to diversify from reliance on oligarch enterprises in politically unstable locations, thus eradicating oil price related fluctuations’. By understanding the true drivers, you are better prepared to provide the right assurance by looking at the correct risks.
I have highlighted in bold the ‘real’ objectives although they are couched with ‘misleading’ secondary objectives (in italics), which may nonetheless be relevant where multiple strands are to be audited. For example, ‘halting global warming’ could involve: reducing the ruminant population (methane production); banning climate control (central heating, air conditioning etc) or geo-engineering (eg deployment of ‘space blankets’ or ‘asteroid dust clouds’).
In relation to decarbonising energy generation, risks would include: in utilising a technology that cannot operate in ‘base load’ mode (a fluctuating power generator that cannot be controlled, such as wind):
- back-up power generators would increase emissions due to operating on a compensating/ fluctuating, rather than steady-state, schedule
- the manufacture, commissioning and decommissioning of additional infrastructure results in an increase in emissions above traditional generation
- significantly greater maintenance required due to operating outside intended design, increasing secondary emissions through increased production, transportation and decommissioning of consumable components.
In relation to reducing exposure to price-fluctuations from market oligopoly, consider:
- the Chinese monopoly of rare earth mining, and potential for price fluctuations and material restrictions, for construction and lifecycle maintenance
- whether the costs of duplicated infrastructure (to provide energy when wind generation fails) and subsidies (renewable obligation certificates and feed in tariffs) outweigh benefits.
In independently considering risks, you may generate ‘different’ risks than the risk register. This is useful to facilitate discussion with management and get a better understanding of the identification, quantification, and appreciation of the risks, and ensure that the audit team understands the risk appetite (and perhaps blind spots) on the subject.
It is valid to challenge management to demonstrate identification and assessment of your risks with quantification in terms of velocity and impact. Note that ‘likelihood’ is not relevant for gross risk determination but is relevant in considering the control framework cost benefit analysis. If a low likelihood, high impact, high velocity risk exists, it should be recorded with the evidence of when it was last reviewed and accepted and this should be assessed with the knowledge that the risk environment changes over time. Review of the risk register seldom identifies ‘emerging risks’ (obsolescent technology in a rapid dynamic and innovative environment, perception changes of end users etc) therefore discussing ‘the elephant in the room’ adds value.
For example, the government may have concerns over legislative compliance; particularly in relation to the United Nations Economic Commission for Europe (UNECE) findings (ACCC/C/2008/23, ACCC/C/2008/27, ACCC/C/2008/33 and ACCC/C/2012/68) on non-compliance with the Aarhus Convention. According to Pat Swords, the chemical engineer and chartered environmentalist who brought the 2012 case and whose career spans designing industrial plants to implementing EU environmental legislation and training industry/regulators across central and eastern Europe, ‘the ruling says the ... EU Environmental Legislation was not complied with. This has never happened before, that the implementation of an EU Directive, in this case Directive 2009/28/EC on renewable energy, has been declared to be unlawful. To put it mildly, from a legal perspective this opens up a flood gate of further legal challenges.'
Local authorities, tasked with ensuring permitted developments are appropriate and justified, will need to consider the risks of inappropriate decisions based on inadequate environmental impact assessments, failure to apply the precautionary principle in relation to medical and scientific evidence, and the ability to process the volume of applications in accordance with prescribed timelines, without sacrificing quality etc. The consequence of wrong decisions may include blighting long-term residential amenity and property values (resulting in a lowering of council tax income), reducing income from tourism or other investment in the local economy, increasing medical, educational and social care costs, and increasing demands on environmental services staff (eg noise complaints to environmental health officers).
Developers’ risks may include:
- claims for damages for property devaluation, recent evidence indicates a detrimental impact of up to 40% on homes (and the Aarhus Convention ruling, which opens the door for legal challenges including injunctions and damages claims) resulting in profit reduction and reputational damage that could include bankruptcy in worst case scenario
- HMRC investigations and tax avoidance penalties, where separate legal entities are used to segment liability and ensure the VAT registration threshold is not breached
- retrospective subsidy reductions if/when government policy changes, undermining project economics
- where insolvencies strike developers, landowners may face an abandoned, dangerous, and toxic structure over which they have no ownership, but which, for safety reasons, they may be forced to decommission in an environmentally responsible manner.
Auditors should also ensure management has explored upside gains - eg government-related carbon dioxide reduction initiatives could include:
- consumption reduction (lowering cost of living) perhaps by mandating ‘energy ratings’ record the full supply chain, lifecycle impact, to inform consumer purchasing
- promoting long-term investment in sustainability over short-term investment in renewable (potentially relating to inappropriately derived and meaningless targets to generate enduring benefits rather than sunk costs).
Fieldwork and test planning
The test programme should cover both the design and the operational effectiveness of the controls that relate to the key risks for that entity. The control framework should manage the gross risks (those the entity carries with no controls in place), to the net risks (management’s risk appetite or the amount by which things ‘can go wrong’ while still achieving the entity’s objectives). It is critical to focus on the key risks rather than auditing compliance to management’s processes which tells you nothing about whether the processes are fit for purpose, only whether they are followed.
Every test programme should be specific to the entity because even similar organisations may have very different risk appetites and objectives, therefore template programmes do not form the basis of an effective internal audit function. Without generating a test plan, some well-documented risks that have manifested include:
- Denmark sells power to Sweden and Norway (who generate through hydro power) at below cost price while paying market rates to import when wind power is unavailable.
- reputational exposure followed the ‘leaking’ to the internet of one Danish manufacturer’s lobbying of their government to suppress health related concerns and the associated protective legislation that was in process amid suggestions that GDP profits/exports must be prioritised over residents' health and safety
- challenges to the Scottish government on the stated employment figures for the sector resulted in the embarrassing disclosure that the figures stated by the government had been provided by the industry promoter but had not been independently verified; and the quality as well as the quantity of jobs was questioned by campaigners
- excepting hydro and nuclear, emission issues result from ramping up and down output from backup base load generators designed for steady production. No credible evidence has been provided to demonstrate that wind power positively contributes a sustainable reduction to environmental harm, with some evidence that it increases rather than decreases ‘greenhouse gas’ emissions when lifecycle rather than operational carbon accounting is applied (eg rare earth mining; concrete production; manufacture and installation of turbines; decommissioning and disposal/recycling of turbines, including removal of concrete bases and reinstatement of land)
- the government has mandated that all power companies must diversify their generation thereby removing any option for consumers to ‘shop around’. Consumers are paying not only for the wind power, but also to replace base load generators such as Combined Cycle Gas Turbines (CCGT), nuclear plants etc. In other words, consumers are paying for double the capacity needed to ensure there is power. This inefficiency is likely to increase ‘fuel poverty’ where consumers cannot afford to use the power. Residents’ only alternative if they do not wish to fund this folly is to disconnect from the mains supply.
Closing the audit and reporting
In concluding the audit, consider the effectiveness of the control framework in managing the gross risks down to the net risks. It is also not too late to consider whether the net risk is appropriate as, by the end of the audit, the audit team will have a far greater understanding of the risks and rewards involved. If management is taking risks that do not appear to be aligned with the organisation’s normal risk appetite, or if the risks taken do not align with the communicated risk profile, then do not be afraid to make that clear in the executive summary of the report.
Sarah Pumfrett commenced her internal audit career with a local authority in 1998 before switching to the oil and gas industry in 2002.
The author is writing in a personal capacity and the views expressed above do not necessarily reflect those held by ACCA or her employer.