COVID-19 has spurred organizations to undergo widespread and rapid digital transformation. About one-third of the 500 small and medium-sized Canadian businesses surveyed by KPMG have accelerated their adoption of technology since the start of the pandemic.
With this rapid pace of digital transformation — and with more people working from home — there has also been an increase in the number of cyberattacks, and those attacks are becoming much more sophisticated. Audit committees need to ensure that management is prepared for future disruption to the business and has plans in place to tackle the increased cyber risk that digital transformation brings.
Energy and natural resource (ENR) companies are accelerating their move to cloud, enterprise resource planning systems and enterprise performance management solutions. “We’re seeing more focus on planning, budgeting and forecasting tools, and more robotics and process automation,” says Narmin Vasanji, Partner, Management Consulting, with KPMG in Canada.
Cost pressures in the oil and gas sector and collectability issues in the power and utilities sector mean organizations need to digitize their basic processes, says Vasanji. And there are still manual repetitive processes in finance that can easily be automated to cut spend. “Some of the biggest changes that COVID-19 accelerated in these industries were at first very basic, such as being able to work with digital records and manage processes remotely. The second area centred around being able to better forecast information,” she says.
The challenge of forecasting in the face of uncertainty surrounding the pandemic has accelerated innovations in intelligent forecasting. Multiple sources of data are being brought together and machine learning is being used to look at past trends and correlations to forecast variables such as cash flows and product demand. From a board perspective, this provides better visibility into their options for ensuring long-term financial stability.
Capital is king
“A big differentiator of Energy from other industries is the degree to which capital is king. Organizations need to be able to understand how they’re managing their capital spend and using it to drive innovation,” says Vasanji. And the current complex regulatory and political climate around the environment, sustainability and renewable energy present an additional challenge to decisions around how to manage capital and where to spend it.
Because capital is so important in the energy sector, the board will need to ask more questions about significant digital transformation programs such as what benefits can be quantified, the return on investment and the payback period expected from investing in technology such as cloud. They need to ask how the projects are tracking, and on large or longer-term projects they may want management to report on health checks or independent quality assurance reviews.
“From a board perspective, it’s about asking management the right questions around whether the company is using disruption and technology as a strategic advantage, whether the firm is going far enough, and how it’s doing compared to the competition. It’s about looking at the business model and asking if there’s anything else the company needs to do to take more market share or push the boundaries,” says Vasanji.
Benefits of digital transformation
One of the benefits of deploying new technology is that organizations gain clarity on the source of truth for their data. This allows companies to cleanse their data and put in place governance processes to manage it: defining the primary system of record and ensuring more rigour and process around how data is created. Cleaner data gives boards a clearer, more trustworthy picture of the performance of the company and aids them in governance and decision making, which benefits both boards and audit committees.
A second benefit is more automated, preventive controls. Companies often rely on reports to tell them, after the fact, that something went wrong (a detective control). If they instead use technology to enforce the rule at the front end, they can stop issues such as unauthorized transactions before they happen. For example, the system can refuse to process a purchase order that lacks adequate approval. This type of control is also easier to audit: the auditor can test that the enforcement mechanism works rather than manually checking each transaction.
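To make the preventive-versus-detective distinction concrete, here is an added example (not from the article or from KPMG) of a purchase-order gate that refuses to post an order without an approval of sufficient authority and without a second person. The users, roles, approval limits and PO numbers are constructed for the illustration. The point of `control_self_test` is the auditability argument above: the control is tested once with deliberately bad inputs, instead of re-checking every posted transaction.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Role(IntEnum):
    REQUESTER = 1
    MANAGER = 2
    DIRECTOR = 3


# Hypothetical approval limits per role (constructed for this example).
APPROVAL_LIMIT = {Role.MANAGER: 50_000, Role.DIRECTOR: 500_000}

# Hypothetical user directory (constructed for this example).
USERS = {"alice": Role.REQUESTER, "bob": Role.MANAGER, "carol": Role.DIRECTOR}


class ControlViolation(Exception):
    """Raised whenever the preventive control blocks an action."""


@dataclass
class PurchaseOrder:
    po_id: str
    requester: str
    amount: float
    approvals: list = field(default_factory=list)  # (approver, role) pairs


def required_role(amount: float) -> Role:
    """Lowest role whose approval limit covers the amount."""
    for role in (Role.MANAGER, Role.DIRECTOR):
        if amount <= APPROVAL_LIMIT[role]:
            return role
    raise ControlViolation("amount exceeds the highest approval limit")


def approve(po: PurchaseOrder, approver: str) -> None:
    """Record an approval; enforces 'approver exists' and segregation of duties."""
    role = USERS.get(approver)
    if role is None or role < Role.MANAGER:
        raise ControlViolation(f"{approver} is not an approver")
    if approver == po.requester:
        raise ControlViolation("requester cannot approve their own purchase order")
    po.approvals.append((approver, role))


def post(po: PurchaseOrder, ledger: list) -> str:
    """Preventive control: the PO is posted only if an adequate approval exists."""
    needed = required_role(po.amount)
    if not any(role >= needed for _, role in po.approvals):
        raise ControlViolation(f"{po.po_id} needs approval by {needed.name} or higher")
    ledger.append(po.po_id)
    return "posted"


def _blocked(action) -> bool:
    """True if the action is rejected by the control."""
    try:
        action()
    except ControlViolation:
        return True
    return False


def control_self_test() -> bool:
    """Test the control itself, as an auditor would, rather than each transaction.

    Returns True only if every bad case is blocked and the proper case posts.
    """
    ledger: list = []
    results = {}

    po1 = PurchaseOrder("PO-1", "alice", 1_200)          # no approval at all
    results["unapproved"] = _blocked(lambda: post(po1, ledger))

    po2 = PurchaseOrder("PO-2", "bob", 1_200)            # manager approving own PO
    results["self_approval"] = _blocked(lambda: approve(po2, "bob"))

    po3 = PurchaseOrder("PO-3", "alice", 120_000)        # manager above their limit
    approve(po3, "bob")
    results["insufficient_authority"] = _blocked(lambda: post(po3, ledger))

    po4 = PurchaseOrder("PO-4", "alice", 120_000)        # director approves: allowed
    approve(po4, "carol")
    results["proper_approval"] = post(po4, ledger) == "posted"

    return all(results.values()) and ledger == ["PO-4"]


if __name__ == "__main__":
    print("control effective:", control_self_test())
```

Because every posting passes through `post`, the auditor's evidence is the outcome of `control_self_test` plus confirmation that no other code path writes to the ledger, rather than a sample of individual purchase orders.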
Audit committees should be thinking about how new technologies will change the control environment and the risks this brings. Similarly, with the introduction of robotic process automation, they will need to understand how management is adapting their internal controls. They also need to ask about risks related to cloud and whether the firm will be more susceptible to cyber risk.
“With the recent rapid deployment of technology for work from home and digital transformation, not all the technology may have been properly tested from a control standpoint,” says Julie Pépin, Partner, Internal Audit, Risk & Compliance Services, with KPMG in Canada.
Pépin points out that the human capital effect also needs to be considered. “We have a lot of dependency on IT personnel, but they’re busy supporting employees working from home so they may have less time to perform those IT controls that are necessary for financial reporting. Audit committees should ask management how this is being taken into account in their control environment,” she says.
Cyberattacks and operational technology
Cyberattacks were on the rise even before COVID-19, but there has been a dramatic increase with the move to remote work. “Companies in the ENR sector tend to have a lot of operational technology, and a lot of their infrastructure is run from a central operations centre. Often it’s the case that this technology hasn’t followed the same rigorous security protocols as information technology,” says Jeff Thomas, Partner, Advisory Services, with KPMG in Canada.
Until now, there has been segmentation between operational technology (OT) networks and corporate networks, which is one reason there have been relatively few attacks on OT. But that segmentation is breaking down with the increase in remote work, and the repercussions can be serious.
“If your corporate network is down for a week, you’re probably surviving, but if you’re down for a week on your upstream operations, or if power generation to the province goes out, those are huge problems,” says Thomas. From a cyber perspective, one of the most important aspects of the energy industry is the potential for human harm. If any of the OT systems aren’t behaving properly, it could result in damage that leads to harm to the surrounding community or to people getting hurt.
Often a nation-state is responsible for attacks on OT, and some of the larger state actors have a good picture of infrastructure in North America, including pipelines and refinery operations. Terrorists or criminals might also launch this type of attack but, “it almost doesn’t make sense anymore to segregate the threat actors by their intention. The criminal organizations are so specialized that the best thing for a terrorist organization, and sometimes governments, to do is hire a criminal organization to do the work for them,” says Thomas.
Another type of threat actor that is more problematic is the insider or partner. They do not have to use the same techniques an external attacker would because they already know the network; they probably already have access and know what they are after. Because IT is a cost centre for energy companies, they may not have the most sophisticated or up-to-date technology. Their networks are often flat, meaning everything is connected: once a threat actor is on the corporate network, they can reach everything.
OT environments that control pipelines or industrial processes often run on legacy operating systems that cannot be updated because the control software is not compatible with newer versions. Those systems need to be isolated so that the risk is reduced, or, where that is not possible, placed under extra monitoring. Companies need to know where the most painful risk points are so they can start to put better controls in place.
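As an added illustration of the "flat network" and "extra monitoring" points above (example code, not the article's or KPMG's), the script below checks network flow records against a simple corporate/OT segmentation policy: any flow that crosses the zone boundary and is not on an explicit allow-list is reported, and flows that reach an unpatchable legacy OT host are escalated. The zone ranges, the jump-host allow-list, the legacy host addresses and the flow lines are all constructed for this example.

```python
import ipaddress

# Hypothetical zone layout (constructed for this example).
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "ot": ipaddress.ip_network("10.200.0.0/16"),
}

# Legacy OT hosts that cannot be patched and therefore must never be reached
# directly from outside the OT zone (constructed addresses).
LEGACY_OT_HOSTS = {"10.200.1.10", "10.200.1.11"}

# The only permitted cross-zone paths: corporate users to the OT jump host.
# Entries are (source zone, destination zone, destination IP, destination port).
ALLOWED_CROSS_ZONE = {
    ("corporate", "ot", "10.200.0.5", 3389),
    ("corporate", "ot", "10.200.0.5", 22),
}

# Constructed flow records: timestamp, source, destination, dst port, protocol.
SAMPLE_FLOWS = """\
2021-03-02T10:15:01Z 10.10.5.23 10.200.1.10 502 tcp
2021-03-02T10:15:04Z 10.10.8.4 10.200.0.5 3389 tcp
2021-03-02T10:15:09Z 10.200.0.5 10.200.1.10 502 tcp
2021-03-02T10:15:12Z 10.10.5.23 10.10.9.9 445 tcp
2021-03-02T10:16:30Z 203.0.113.7 10.200.1.11 44818 tcp
2021-03-02T10:17:02Z 10.200.1.10 10.10.3.3 443 tcp
"""


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the known ranges is external."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def parse_flow(line: str) -> dict:
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def audit_flow(flow: dict):
    """Return a finding for a flow that violates the segmentation policy, else None."""
    src_zone, dst_zone = zone_of(flow["src"]), zone_of(flow["dst"])
    if src_zone == dst_zone:
        return None  # intra-zone traffic is not the segmentation control's concern
    if (src_zone, dst_zone, flow["dst"], flow["dport"]) in ALLOWED_CROSS_ZONE:
        return None  # explicitly permitted path (e.g. remote access via jump host)
    severity = "medium"
    reason = f"{src_zone} -> {dst_zone} flow outside the segmentation policy"
    if dst_zone == "ot" and flow["dst"] in LEGACY_OT_HOSTS:
        severity = "high"
        reason += " (destination is an unpatchable legacy OT host)"
    return {"severity": severity, "reason": reason, **flow}


def audit_flows(text: str) -> list:
    """Run the policy check over a block of flow records; returns the findings."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        finding = audit_flow(parse_flow(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS):
        print(f"[{f['severity']}] {f['src']} -> {f['dst']}:{f['dport']} {f['reason']}")
```

On the sample records the check reports the corporate workstation talking Modbus (port 502) directly to a legacy PLC and an external address reaching a second legacy host as high severity, and the OT host calling out to a corporate server as medium; the remote-desktop session to the jump host and the intra-zone flows are not reported. In a real environment the same logic would run over exported firewall or NetFlow data, which is the "extra monitoring" the paragraph refers to where isolation cannot be completed.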
How audit committees can approach resiliency
“In approaching cyber resiliency, audit committees need to be sure they clearly understand what their mandate is. There can be several committees under the board, and the audit committee may not be the one overseeing cyber risk,” says Thomas.
“Audit committees have a lot on their agenda,” says Pépin. “At the end of the day, the audit committee may have substantial oversight responsibility for a range of risks beyond financial reporting. They have to be proactive in ensuring they have the information they need. They should also discuss if they have the expertise and the time to oversee these areas.”
If cyber risk does fall within the scope of their responsibilities, then they need to know what risks they face, says Thomas. Management should determine the importance of each risk and put a value on it — and the audit committee needs to be aware of that value (in both dollar terms and Enterprise Risk Management impact criteria). And there must be agreement as to how much risk the firm is prepared to tolerate.
The audit committee will want to ask management what has been put in place to manage each risk and who has validated whether that is an effective method of mitigation. It is best to get a third-party opinion: someone to tell the committee that the controls are as effective as management believes them to be. Audit committees can do this by engaging third-party firms to perform a penetration test or to produce a system and organization controls (SOC) report, an independent auditor's opinion on the design and operating effectiveness of an organization's controls, including its information security controls.
Audit committees also need to look at what could potentially go wrong. For example, if an energy company's generation control system is compromised, a generator is overspun and damaged, how big an event is that? What is the impact on the organization? Are there enough other generation assets to cover it?
Similarly, if you’re a shipper and your ability to operate the pipeline shuts down, then what’s the impact to you in dollar terms? And what are the enterprise risk management impact criteria? Is it health and safety, supplier relationships or dollars? Once you’ve determined the impacts of what could go wrong, you need to determine specifically what’s being done about them and who has validated whether that’s an effective method of risk mitigation.
“It’s surprising how unprepared some companies are when they do get breached, even if they’ve lined up a firm to help them with incident response. The audit committee needs to drive the conversation with management around creating a defensible position, understanding what could go wrong in the event of a breach and agreeing on what the organization is going to do when a breach happens,” says Thomas.
They should agree in advance on who will be involved, which security incidents will be brought to the attention of the audit committee, when they’ll be notified and by whom, and how much will be spent to remedy a breach (in the case of ransomware, it should be decided if the firm will pay the ransom).
Rapid change is occurring in the ENR sector. While this challenges audit committees to be vigilant in understanding and monitoring these changes, it also offers an opportunity for them to drive positive change in improving processes and data and protecting their systems and infrastructure from cyberattacks.
Jeff W.G. Thomas
Partner and Business Unit Leader, Advisory Services
KPMG in Canada
Prairies Management Consulting Geographic Leader
KPMG in Canada