
Embedding risk management into audit regimes to achieve better compliance is an easy three-step process

By Sue Paul, PA energy market expert

Most energy markets have some form of audit regime in place to assure stakeholders that the market is being operated compliantly. 

But energy markets have hundreds of participants and thousands of obligations, with a range of business processes and systems to support those obligations. It is not cost-effective to examine every aspect of the market. As Independent System and Market Operators (ISMOs) and energy regulators around the world rein in their budgets, achieving the right balance between cost and assurance will be key. For example, flattening demand in Australia means a lower operating budget for the Australian Energy Market Operator, which recovers fees based on energy usage, while in New Zealand and the Philippines political pressure means regulators are conservative when approving market fees and budgets.

Energy regulators and ISMOs can ensure their audits provide a robust level of assurance while remaining cost-effective by adopting a simple three-step risk-based approach to audit management.

1. Adopt a structured approach to identifying and analysing compliance risks

A structured approach to risk assessment will enable you to create an inventory that quantifies the nature of the compliance risks in your market. This will allow you to capture your compliance risks and provide a sound basis for specifying audit scope and focus based on the significance of each risk. 

For example, Elexon, the ISMO in the UK, applies the ISO 31000:2009 risk management framework to compile a comprehensive register of settlement risks categorised by severity. Likewise, we have leveraged our insights through years of auditing ISMOs to compile a list of hundreds of compliance risks relating to market/systems operations, settlement and clearing. We use this risk register to determine which business areas to dedicate effort and focus to, as described below.

2. Specify audit parameters based on compliance risk

With compliance risks analysed, you will be in a position to map them against owners and obligations, and to plan an appropriate audit regime. This will involve:

  • Audit scope related to compliance risk. Audit scope can span three key areas: process compliance, market software and Information and Communications Technology (ICT) systems. In our experience, ISMO audits should include all three components, as ISMOs’ market and ICT systems implement critical obligations relating to dispatch and settlement. For other entities (e.g. meter data providers) a narrower scope, involving operational compliance and light-touch testing of market software only, is sufficient.
  • Audit focus areas. Mapping risks against obligations and business process areas will enable you to determine where to focus audit effort. For example, PA’s audits of dispatch processes focus most heavily on dispatch calculations, exercise of ISMO discretion in dispatching out of merit and issuance of dispatch advisories to participants, as these are the areas where breaches can have the most adverse outcomes.
  • Rotating audit scope to include lower risk areas. From time to time, it’s important to scrutinise lower risk areas in more detail to ensure non-compliance in these areas does not go undetected (e.g. recurring breaches caused by staff ignoring process controls).

3. Embed risk management into your audit regime by continually monitoring compliance risk so that audits are dynamic and risk-reflective

Risks evolve, so audit regimes need to evolve too. You can keep your audits dynamic and risk-reflective by regularly updating the risk register to reflect new and changing risks (e.g. as previous high-risk areas become less severe due to the introduction of process automation/documentation; or as lower risk areas become severe due to recurring incidents and process/staffing changes).

Our insight

The costs associated with auditing complex energy markets can be out of proportion to the value the audit delivers in terms of meeting regulatory and strategic obligations – and can actually work against the ISMO or regulator’s intention, which is to protect value for stakeholders. Embedding risk management in the audit regime helps ensure resources and effort are targeted to deliver a more cost-efficient and effective audit, without compromising compliance.
