Earlier this year, many Oil and Gas companies were racing to IPO in an effort to capitalize on the crude oil price rise. Companies were looking to raise cash to complete two major objectives:
- Eliminate debt caused by the downturn
- Expand assets to increase capacity for the upturn
These companies made a strong strategic move to grow and mitigate the growing debt and competition risk. However, with change come new compliance risks which must be mitigated. Public companies face a new compliance burden around Internal Controls over Financial Reporting (ICFR). Most companies have a few years to prepare for these burdensome audits, thanks mostly to SOX 404(c) and a 2007 PCAOB interpretive release; however, management is still required to self-certify the effectiveness of their internal controls. SOX 404 is something many companies put off, forcing their CFO to certify that ICFR are in place without any genuine confidence. With oil prices' recent volatility, Oil and Gas companies need to be prepared for sudden price hikes that could push their public float, assets, and/or revenue over the SOX 404(c) threshold, requiring an external ICFR audit. Companies can mitigate the SOX 404 burden by understanding their internal control risks and ensuring the new controls do not slow down efficiency.
Prior to an IPO, Oil and Gas companies must understand what SOX 404 specifically means for them. An IPO is not the time to be blindly confident in ICFR, but rather a chance to uncover and address potential weaknesses. Here’s what companies need to know to help identify and mitigate their control risks:
No more auditor safety net – O&G Companies that still lean on their auditors to uncover deficiencies could get hit with an ICFR deficiency. Per COSO 2013, public companies are now responsible for their own internal control risk assessments and proactive monitoring of control effectiveness. More simply, companies are now responsible for their own asset cycle counts, inventory counts, account reconciliations, controls, etc. How can a company take control without their auditors? Perform a COSO 2013 Risk Assessment to map out their controls matrix and identify their areas of risk.
Covering more than the activity level controls – Activity level controls are often the controls that every CFO thinks he/she has covered. From a process standpoint, this is often true. However, the key difference between private and public processes is the documentation required to show that controls are in place. Leverage the risk assessment to map out all the key controls in process flows. Each key control needs documentation that can be tested to confirm that the control happens successfully. Examples of documentation include written approvals, meeting minutes, system audit trails, and email chains. Pick what makes the most sense for your company and begin documenting.
Insufficient roles and responsibilities – Most private O&G companies run very lean on the compliance side and, therefore, have some omitted roles and responsibilities that need to be filled. Utilize the risk assessment to identify these areas early and to assign roles and responsibilities to experienced professionals. Doing so is an early step towards ensuring a strong tone at the top and governance structure.
Overlooking IT – IT is typically not a popular department for most private O&G companies, and is often overlooked in risk assessments. Focus on securing your financial systems. This means confirming a strong infrastructure is in place to prevent unauthorized data changes and documenting a segregation of duties matrix to ensure users cannot make any unauthorized transactions.
Spending time on the above tasks will go a long way to confirming a company’s transition to the public sector is smooth and less burdensome.
Implementing the COSO 2013 framework to support a proper ICFR can be a time-consuming process and can quickly get out of hand if the wrong approach is taken. Here are some best practices when rolling out ICFR for SOX 404:
- Leverage the Risk Assessment’s key risks when deciding where to design internal controls.
- Each key risk should have controls that are both prevention and detection controls. Relying too heavily on one over the other can cause greater risks.
- Define the key processes and map out each key control so that the team will better understand the whole process, ensuring efficiently designed controls.
- Ensure that all controls are designed with an expected output or evidence that can be tested.
- Quality over Quantity is the most important factor when developing a controls framework.
- Training, Tone at the Top, procedural documents, process flows, and narratives all help to certify each control has strong operational effectiveness.
- Assign Control owners and have them confirm whether they performed their control each month.
The above best practices will ensure a properly developed controls framework that will not over-complicate or hinder process efficiencies. As oil prices continue to stabilize, we should see more and more O&G companies IPO in an effort to reduce debt accumulated over the last 2-3 years. The companies that IPO need to understand the ensuing compliance risks and mitigate those risks in the most efficient way.
Trenegy is a non-traditional consulting firm experienced in designing, implementing, and testing successful controls frameworks. Learn how Implementing Internal Controls can be smooth and straight-forward. Find out more: firstname.lastname@example.org.