The story of how ENOC’s internal audit department elevated itself from a compliance focused function to become a valued business partner
Emirates National Oil Company (ENOC) is a regional integrated oil & gas group owned by the Government of Dubai. ENOC has over 7,000 employees and operates through over 30 subsidiaries covering oil & gas production, storage facilities, energy trading, gas stations and other areas. These subsidiaries operate mainly in the UAE, Saudi Arabia, Africa, Central Asia, Singapore and Korea. ENOC’s motto is ‘Behind Every Successful Journey.’ The Directorate of Internal Audit and Business Ethics (IA&BE) is one of the corporate departments within the ENOC group and is led by Aley Raza, Director Internal Audit and Chief Ethics & Compliance Officer (DIA). It reports to ENOC Board Audit Committee functionally and administratively to the Chief Executive Officer (CEO). In addition to its core assurance role, it has actively worked with ENOC management to improve governance and control processes at a corporate level and across its subsidiaries.
IA&BE’s vision is ‘To be recognised by all stakeholders as a professional business partner…’
IA&BE has significantly evolved and widened its scope of contribution over the years. IA&BE has two functions – Internal Audit (IA) and Business Ethics & Compliance (BE). IA&BE was established with a small team of three professionals and has now grown to eighteen professionals with different industry experience and advanced qualifications and certification. In addition, the department has transformed from being a business support division to a value-added internal audit function through management support, understanding stakeholder needs and taking on new initiatives.
“Our focus is not only on enhancing our performance and productivity but doing so with the highest levels of business principles. Since inception we have been led by our core values of team work, integrity, transparency, respect and customer focus. We have further strengthened this with the inception of a Business Ethics & Compliance function and a Code of Business Conduct that is applicable across every operation of ENOC and its group companies as well as its partners.” said Saeed Khoory, ENOC’s Chief Executive Officer (CEO).
“Our focus is not only on enhancing our performance and productivity but doing so with the highest levels of business principles” Saeed Khoory, ENOC’s Chief Executive Officer
A Foundation for Excellence
In 2000, EPPCO IA and ENOC IA were merged to form ENOC group IA function. Since 2000, the function was more focused on delivering value though organisation and business support studies like organisation reviews, restructuring and development of policies and procedures for the group.
After 2007, a new Board was formed and ENOC’s new CEO was appointed. The changes in management resulted in steady shift in the department’s approach from being a business support to a risk based internal audit function. The necessary shift in internal audits in the organisation arose due to the rapid alterations in market trends and their incorporation into the business control environment.
Furthermore, ENOC’s crowning achievement during this era was the formation of a non-executive Audit Committee, which has served as the driving force behind many of the department’s achievements. Now IA&BE provides assurance services to entire ENOC group, its various subsidiaries and joint ventures.
Apart from the core activity of providing assurance services to various entities and departments within the group, IA&BE has played a key role supporting ENOC management in streamlining and establishing a control framework in various group companies and enhancing corporate governance framework.
IA&BE adheres to quality measurement criteria prescribed by IIA in performing internal audits and related activities and according to a survey done by PWC, IA&BE ranked amongst top 25 per cent in the region in providing a cost effective and efficient service. IA&BE has been awarded ISO 9001:2008 Quality Certification by the Lloyds Register Quality Assurance (LRQA) in December 2010.
The department has proved to be an effective resource pool by assigning audit professionals to group entities. IA&BE contributes effectively to the group’s objective of UAE National Development and has also designed an effective training programme to equip them with auditing skills sets.
Enterprise Risk Management (ERM)
Although the department had transformed into an effective service provider, it was predominantly focused on service delivery of internal audits to the group. It was now time to focus on enterprise-wide initiatives which strengthen control environment at ENOC.
The department was already conducting risk assessments as part of the internal audit planning and execution under the guidance of ENOC Audit Risk Committee (EARC). As ENOC was undergoing organisational restructuring, the department worked on a risk assessment framework including specifying the roles and responsibilities of ERM function, its establishment and reporting structure.
The Board decided to establish the ERM function under Group Finance Department. However, the department provided resource for the function and continues to provide guidance for development of ERM policies in line with the COSO and ISO31000 as well as part of Enterprise Risk Management Committee (ERMC) chaired by CEO. The introduction of the ERM process has allowed internal audit to focus on providing assurance on establishment of controls and mitigating risks.
Business Ethics & Compliance
The second major enterprise-wide initiative driven by the department was launch of ENOC’s Code of Business Conduct (the Code). Building on the Core Values of ENOC, the Code reflects ENOC commitment to uphold the highest ethical values in ‘The Way We Lead.’
The Code was developed in-house by ENOC in collaboration with corporate departments and business units, while being spearheaded by the IA&BE, and fully supported by the Board of Directors’ Audit Committee. Human resources, procurement and other policies, were linked to the Code to ensure its integration in key business activities. Subsequently, a programme was designed to sustain the principles of the Code and reinforce a culture of ethical behaviour. Business Ethics & Compliance (BE&C) function was established under the IA&BE with the DIA assuming the additional role of the Chief Ethics & Compliance Officer (CECO).
Reporting to CECO and managing BE&C function is Hend Al Rumaithi, a UAE national.
Having BE&C with IA gives the function necessary independence to carry out its mandate effectively. A Business Ethics Committee has been formed and chaired by the CEO to make key decisions in relation to handling reported cases, conflict of interest disclosure and other compliance matters.
The introduction of the Ethics Hotline was a major achievement. ENOC’s Ethics Hotline is a confidential multilingual independent platform managed by an external independent service provider and available through a phone and online reporting system. The purpose of the hotline is to report any conduct that may be in violation with the Code and cultivate a positive work environment. Updates on the reported cases are also provided to ENOC Board Audit Committee.
ENOC Code of Business Conduct, supported by a programme and a function, fosters a positive ethical working environment and is embedded in the day-to-day business activities in The Way We Lead.
“As the business moves we adapt and evolve internal audit accordingly” Aley Raza, ENOC’s Director of Internal Audit
IA&BE has been part of various successful initiatives at ENOC group which have enhanced governance and also assisted in strengthen tone at the top at the group. ENOC strongly believes that good governance has contributed substantially to the success of the company and is essential for good business prospects in the long-term. To further enhance Corporate Governance (CG) practices at ENOC, Saeed Khoory initiated a Corporate Governance Programme in 2012.
A Steering Committee comprising members of ENOC Group Finance, Legal and the Directorate of Internal Audit and Business Ethics has been set up to promote and roll-out the corporate governance framework.
The ENOC CG programme provides a governing framework, structure and system by which ENOC and its’ companies are directed and controlled to set their objectives, define means to attain these objectives, and establish their monitoring mechanisms.
The Corporate Governance Progression Level Matrix adopted by ENOC has six key attributes and four levels starting with ‘compliance with laws and basic corporate governance formalities’ to ‘corporate governance leadership.’
The programme is well-founded as it has been benchmarked with various regional and international CG Codes and inputs have been sought from institutions like the Organisation for Economic Cooperation and Development’s Guidelines (OECD), Hawkmah and GCC BDI. IA&BE staff are also part of the taskforce working to revise the OECD guidelines for State-Owned Enterprises.
Aley Raza said: “The CG programme is designed to support ENOC in its new investment strategy. A strong CG framework will successfully support all stages of the investment process and hence, the Company’s overall prospects to build a strong growing enterprise.”
The IA&BE department has come a long a way since its establishment. Though the number of people has remained the same, the roles they play have changed significantly. The commitment and dedication of the IA&BE team, as well as the support of the senior management, the CEO and the Audit Committee, have all been instrumental to the department’s climb to the top. But has the department achieved its vision of becoming a ‘professional business partner’? It might be so, however, Raza believes that there is still room for growth. “Our vision is to continue our journey, rather than come to complete stop.”
From the incredible journey shown in the IA&BE department, we can take away one very important lesson from ENOC, and that is that Internal Audit should continuously evolve to meet the needs of the business.