
Earlier this year, many oil and gas companies were racing to IPO in an effort to capitalize on the crude oil price rise. Companies were looking to raise cash to complete two major objectives:

  1. Eliminate debt caused by the downturn
  2. Expand assets to increase capacity for the upturn

These companies made a strong strategic move to grow and mitigate the growing debt and competition risk. However, with change come new compliance risks that must be mitigated. Public companies take on a new compliance burden around Internal Controls over Financial Reporting (ICFR). Most companies have a few years to prepare for these burdensome audits, thanks mostly to SOX 404(c) and a PCAOB interpretive release in 2007. However, management is still required to self-certify the effectiveness of their internal controls. SOX 404 is something many companies put off, forcing their CFO to certify ICFR is in place without any genuine confidence. With oil prices’ recent volatility, oil and gas companies must be prepared for sudden price hikes that could push their public float, assets, and/or revenue over the SOX 404(c) threshold, requiring an ICFR external audit. Companies can mitigate the SOX 404 burden by understanding their internal control risks and ensuring the new controls do not slow down efficiency.

Prior to an IPO, oil and gas companies must understand what SOX 404 specifically means for them. An IPO is not the time to be blindly confident in ICFR, but rather a chance to uncover and address potential weaknesses. Here’s what companies need to know to help identify and mitigate their control risks:

You can’t rely on an auditor safety net. Oil and gas companies that still lean on their auditors to uncover deficiencies could get hit with an ICFR deficiency. Per COSO 2013, public companies are now responsible for their own internal control risk assessments and proactive monitoring of control effectiveness. More simply, companies are now responsible for their own asset cycle counts, inventory counts, account reconciliations, controls, etc. How can a company take control without auditors? Perform a COSO 2013 Risk Assessment to map out the controls matrix and identify areas of risk.

You must cover more than the activity level controls. Activity level controls are often the controls that every CFO thinks they have covered. From a process standpoint, this is often true. However, the key difference between private and public processes is the required documentation needed to ensure controls are in place. Leverage the risk assessment to map out all the key controls in process flows. Each key control needs documentation to test and to confirm that it happens successfully. Examples of documentation include written approval, meeting minutes, system audit trails, and email chains. Pick what makes the most sense for your company and begin documenting.

Identify insufficient roles and responsibilities. Most private oil and gas companies run lean on the compliance side and, therefore, have some omitted roles and responsibilities that need to be filled. Utilize the risk assessment to identify these areas early and to assign roles and responsibilities to experienced professionals. Make early steps toward ensuring a strong tone at the top and governance structure.

Don’t overlook IT. IT is typically an unpopular department for most private oil and gas companies, and is often overlooked in risk assessments. Focus on securing your financial systems. This means 1) confirming a strong infrastructure is in place to prevent unauthorized data changes, and 2) documenting a segregation of duties matrix to ensure users cannot make any unauthorized transactions.

Spending time on these tasks will go a long way in confirming a company’s transition to the public sector is smooth and less burdensome.

Implementing the COSO 2013 framework to support a proper ICFR can be a time-consuming process and can quickly get out of hand if the wrong approach is taken. Here are some best practices when rolling out ICFR for SOX 404:

Control Design

  1. Leverage the Risk Assessment’s key risks when deciding where to design internal controls.
  2. Each key risk should have both prevention and detection controls. Relying too heavily on one over the other can cause greater risks.
  3. Define the key processes and map out each key control, ensuring efficiently designed controls, so the team will better understand the whole process.
  4. Ensure all controls are designed with an expected output or evidence that can be tested.
  5. Quality over quantity is the most important factor when developing a controls framework.

Control Operation

  1. Training, tone at the top, procedural documents, process flows, and narratives all help to certify each control has strong operational effectiveness.
  2. Assign control owners and have them confirm whether they performed their control each month.

These best practices will ensure a properly developed controls framework that will not over-complicate or hinder process efficiencies. As oil prices continue to stabilize, we should see more and more oil and gas companies IPO in an effort to reduce debt accumulated over the last 2-3 years. The companies that IPO need to understand the ensuing compliance risks and mitigate those risks in the most efficient way.

Trenegy is a non-traditional consulting firm experienced in designing, implementing, and testing successful controls frameworks. Implementing internal controls can be smooth and straightforward. Contact us at to learn more.
