Performing Governance Assessments Myrk Harkins CIA, CBM

2 Agenda  Who Is Myrk Harkins?  A little about the Southern Company  Risk Based Auditing  Governance Model

3 Myrk Harkins  Director of Internal Auditing West  Bachelor of Science Civil Engineering  Certified Internal Auditor & Certified Business Manager  33 Years Experience with Southern Company  Power Plant Construction  Plant Operations and Maintenance  10 Years Internal Auditing

4 The Southern Company  4.3 Million Customers  Alabama Power, Georgia Power, Mississippi Power, Gulf Power, Southern Power & Southern Link  42,000 MW of Generation (1 MW = 600 Homes)  Revenue of $14.3 Billion  Net Income of $1.6 Billion

5 Southern Company Internal Auditing We are a Risked Based Audit Organization

6 Sample Company Enterprise Risk Management Qualitative estimate of the potential risk’s impact on the specific function/entity RED …focused management attention is required GREEN …current management action is sufficient YELLOW …on-going active monitoring by management is required Risk Placement Guidelines: Place risk here if…: $$$ Materiality of Impact Scope of Control Likelihood Current Level of Residual Risk $

Sample Company Risk profile Materiality of impact RiskAccountability 1. Environmental legislation or regulation Evans/Johnson 2. Exposure to fuel prices/availability Johnson 3. Loss of constructive state regulatory environment Operating Company CEOs 4.Nuclear Brown 5. Catastrophic business interruption Management Council 6. Change in federal regulatory or legislative policy Smith/Evans 7.Execution of the financial plan Farmer 8.Workforce issues Management Council 9. Deterioration of corporate image Management Council 10Governance failure Ratcliffe/Farmer 11 Strategy selection and implementation Ratcliffe/Management Council 9 8 Loss of constructive state regulatory environment Nuclear Change in federal regulatory or legislative policy Governance failure Workforce issues Execution of the financial plan Likelihood $ $$$ Exposure to fuel price/availability Catastrophic business interruption Environmental legislation or regulation 7 Strategy selection and implementation Deterioration of corporate image

Sample Company Fraud risk profile Materiality of impact Fraud RiskAccountability 1. Inappropriate Capitalization of Expenses Evans/Taylor 2. Improper Use of Estimates and Judgments Ballard 3. False Compliance Reporting (EPA, OSHA, FERC, etc.) Operating Co CEOs 4. Political (Bribery of Public Officials, Illegal Contributions) Beasley 5. Vendor Fraud (Bid Rigging, Kickbacks, etc.) Management Council 6. Competitive Practices (Unfair Competition - Antitrust, Violation of Territorial Service Agreements, Wholesale Competition) Smith/Evans 7. Intentional Mistreatment of Affiliate Transactions Farmer 8. Inappropriate Executive Compensation Management Council 9. Employee Fraud / Misappropriation of Assets Management Council 9 8 False Compliance Reporting (EPA, OSHA, FERC, etc. Political (Bribery of Public Officials, Illegal Contributions) Competitive Practices (Unfair Competition – Antitrust, Violation of Territorial Service Agreements, Wholesale Competition) Inappropriate Executive Compensation Intentional Mistreatment of Affiliate Transactions Likelihood $ Improper Use of Estimates and Judgments Vendor Fraud (Bid Rigging, Kickbacks, etc. Inappropriate Capitalization of Expenses 7 Strategy selection and implementation Employee Fraud/Misappropriation of Assets

9 Audit Planning Process Fraud Risks Annual Residual Risk Assessment Executive Input IA Staff Input SOCO Risk Profile Annual Audit Plan Audit Engagement Risk Assessment Engagement Risk Assessment Engagement Risk Assessment

10 COSO Southern Company’s Control Framework

11 What is Governance Governance is composed of the key business processes utilized by representatives of an organizations stakeholders (e.g. Shareholders (BOD), management, etc.) to optimize value by providing reasonable assurance that an entity achieves it business objectives. SOCO ERM Program broadly defines governance as those business processes, internal controls, decision tools, oversight structures and corporate culture elements (Southern Style) that reasonably ensure achievement of the Company’s goals and objectives. (ERM at SOCO = Our Methodology for Managing the Business) Understanding Governance

12 A Simplified Approach to Governance ( Company, Functional Activity, Business Unit, etc.)  Everything Starts with Business Objectives  Identify and Evaluate Significant Risks (Anything that could prevent achievement of business objectives)  Business Processes (Internal Controls & Governance Processes) to Reasonably Ensure Achievement of Business Objectives  Assurance (Monitoring Level of Achievement and Reporting)

13 Tone at the Top Business Objectives Business Processes Assurance Information Communication Information Communication Information Communication Risk Assesment Information Communication A Simplified Approach to Governance

14  Mission,  Purpose  Strategic Direction & Business Plan  Goals Strategic Operational Reporting Compliance Objective Setting “What are you trying to accomplish”

15 Internal Environment “Tone at the Top”  Risk Appetite  Management Commitment  Ethics  Competence  Responsibilities and Accountability

16 Risk Assessment Process “What is going to keep you from your goals”  Identification  Assessment  Response

17 Business Processes  Control Activities  Company Policies  Procedures / Guidelines  Internal Controls  Information and Communication  Appropriate  Availability  Accurate / Complete  Timely

18 Assurance “Monitoring”  Ongoing Activities  Supervision  Performance Measurement & Reporting  Assessment Processes  Self  Corp. Oversight (Internal Auditing)  Independent  Reporting Deficiencies  Follow Up & Corrective Actions

19 Practical Application Any Audit or Consulting Project

Questions & Comments Myrk Harkins Phone – ( )