In industry downturn, energy producers combat increased risk with stronger internal controls

The U.S. Energy Opportunity

Oil prices are up over 20% from their mid-March lows, providing some stability and optimism to the upstream sector. But producers still face business conditions radically different from the buoyant markets of a year ago. At that time, nearly half of the industry participants in the 2014 Grant Thornton LLP survey of U.S. energy companies conducted in partnership with Hart Energy thought their biggest operational infrastructure challenge was finding and retaining the right people. A more likely response today would be learning to manage increased operational risk — including fraud — in the face of shrunken staff and reduced IT spending.

Companies now face the challenge of how quickly they can change their focus from expanding production to operational efficiency. “In some cases, management was spending money so quickly to complete wells that watching costs and safeguarding assets weren’t important concerns,” says Bruce Orr, Grant Thornton director, Advisory Services. “Now they are, but the shift in priorities doesn’t happen overnight. Many companies don’t have the controls in place to mitigate the risks they face.”

Reduced resources can hamstring efforts at improving control systems and processes. “As capital budgets get slashed and people are let go, more inefficiencies are created,” says Nick Vellani, Grant Thornton principal, Advisory Services. “Rather than solving a problem, companies will put a Band-Aid on it. That often means they are using more manual controls instead of automated controls, creating more opportunity for mistakes.”

How producers successfully deal with the industry’s changed fortunes will be decided by their financial condition and management strength. Some companies that overpaid for properties and allowed costs to get out of hand are in or near bankruptcy, and there’s little they can do at this point to change course. But well-managed producers that remain liquid are using the slump to fix the operational and systems integration issues they let slide during the boom. With the single-minded drive to expand put on hold, in-house staff now may have the time to do these projects.

The forces for enhanced operational effectiveness and efficiency are bolstered by the introduction of COSO 2013. The new framework’s strengthened requirements for risk assessment and its enhanced definitions of internal controls — including those in the fraud and IT areas — afford companies an excellent opportunity to improve their systems and processes.

The upshot is that well-managed companies with operational stability can use this hiatus in industry growth to strengthen their internal control function and position themselves for the next upturn in energy prices.

Stronger prevention measures to fight increased fraud risk, improve well cost control
Producers are now particularly vulnerable to increased fraud risk. Out in the field, the upstream sector is supported by a host of third-party providers — trucking companies, drillers, waste haulers, roustabouts and so on. Many of the third parties that producers typically engage are local, smaller companies that in an industry downturn face heightened competition and experience their own financial difficulties.

Most of these firms are honest, but with cash short, some will be tempted to overcharge — especially if they see that a customer doesn’t have strong controls at the field level. Other times, the mistakes in billing will be unintentional. But regardless of cause, producers need to deal with the exposure. “The best place to stop fraud is at the field ticket level,” says Orr. “It’s more difficult to discover in the back office — at that point, recovery becomes more difficult.”

Staff shortages
Indeed, back-office control functions are being challenged by tighter budgets that result in reduced staff doing more work, especially where shortsighted management sees accounting and control functions as good places to cut jobs. And even where headcount remains the same, staff morale suffers as expectations for bigger salaries and promotions dim. Thus, employees are doing additional work under greater pressure, with less incentive for performance. Meanwhile, less cash flow requires postponement of IT projects that could offset decreased HR.

Diminished staff also increases fraud risk because of the likelihood that a single employee will be performing tasks that should be done by two or more people with appropriate qualifications. “Segregation of duties doesn’t simply mean having different people perform different tasks in a control function,” says Orr. “It’s having the person with the right training, with the right position, in the organization doing the control.”

The fraud triangle
The overall result is that the company faces a fraud triangle that is more acute at each point from greater exposures, both internal and external:
  1. The motivation to commit fraud because of financial need increases
  2. Potential fraudsters can more easily rationalize their actions
  3. The opportunity to commit fraud in an atmosphere of weaker internal control increases

What producers can do
Companies can take these simple steps to mitigate fraud risk, reduce unintentional overcharges and improve control of well costs in the field:
  1. Strengthen field ticket control — Improve training of staff in the field to heighten their awareness of exposures, inducing closer inspection of field tickets.
  2. Promote awareness of vendor contract terms — Those responsible for approving field tickets and vendor invoices should have a general awareness of vendor contract terms so that proper review can be performed and billing issues can be caught early.
  3. Adopt regular audits of vendors — This effort includes:
    • Auditing invoices for compliance with pricing agreements (companies usually have two to three years’ audit rights), proper quantities billed, off-contract spend and any wasteful/abusive charges.
    • Reviewing payment histories to determine whether further investigation of potential irregularities is required.
  4. Review contracts more closely — An examination of contract terms can often reveal nuances that generate cost savings. In the current environment, energy companies may have more leverage to obtain better contract terms.
  5. Have an approved vendor list — Some producers don’t have one, and even those that do can let them become stale and out-of-date.

Keep vendor fraud risk low with these key COSO guidelines

Internal Control — Integrated Framework: Framework and Appendices — commonly known as COSO 2013 — provides an excellent opportunity for organizations to tackle the fraud challenges they now face.

While the earlier COSO 1992 framework considered fraud, COSO 2013 expands the discussion substantially and dedicates one of its 17 principles to fraud. Principle 8 states:

“The organization considers the potential for fraud in assessing risks to the achievement of objectives.”

The first point of focus for this principle summarizes the various components of fraud: “fraudulent reporting, possible loss of assets, and corruption resulting from the various ways that fraud and misconduct can occur.” The remaining three points of focus largely reflect the three elements of the fraud triangle, namely, the (1) incentives and pressures, (2) opportunity, and (3) attitudes and rationalization for committing fraud.

The impact of COSO 2013 is that where previously fraud had been considered primarily in terms of satisfying SOX requirements, it is now viewed as part of the overall risk assessment, which addresses fraud at the entity level, not merely at the transaction level.

Many energy producers have not thought a great deal about fraud — at least not in the systematic way that COSO 2013 now requires. Although most companies have had some written policies to address fraud, few have documented their fraud practices sufficiently to evaluate the adequacy of their fraud management processes.[1] Against a backdrop of an increased fraud threat, risk management champions within the organization can look to COSO 2013 to support their case for a stronger risk assessment and prevention program.

Doing more with less: Robust IT controls in the face of reduced capital outlays
The impact from the downturn on IT investment has been substantial. When oil prices were buoyant, there was a strong push toward automation, including projects in the field that could report back to the home office on production and revenue. In many cases, producers have now put those projects on hold. In some cases, the cutbacks have led to a worst-case scenario: Not only has the company not decreased its risk profile as it had expected, but it now faces increased exposures because it has mixed IT environments — some wells have automated IT, others do not — running multiple processes. And as in other administrative areas, there may be fewer IT staff, creating segregation of duties issues.

Third-party providers
The heavy reliance on third-party providers for all parts of the company’s operations defines and complicates the internal control challenge. Producers typically have several IT-based third-party providers that play a key role in the company’s operational infrastructure.

SaaS for functions like general ledger maintenance is a good example. When engaging SaaS firms, producers need to ask: What are the controls that separate multiple computing environments? Is it the producer’s responsibility to ask those questions, or is it automatically done on its behalf?

Cloud providers for data storage represent another important service. In this area, a particularly pressing issue is “Who owns the data?” Cloud providers have been known to include clauses in their contracts that, in effect, say, “Any data you put on our servers — your technologies, your engineering plans, etc. — becomes our intellectual property.” Producers need to pay particular attention to such language — it’s their data, not the cloud provider’s, and they need to own it.

SOC reports
As in the production side of the business, third-party IT providers are experiencing more competition in the marketplace. Some will be motivated to take shortcuts and provide fewer services than originally contracted. SOC reports are useful for ensuring that controls are truly in place — but simply getting a SOC report isn’t sufficient.

What producers can do

In attempting to mitigate risk with outsourced service providers, producers need to:
  1. Have specific right-to-audit clauses
  2. Determine that the controls are in place and how frequently those controls get tested, correcting problems as appropriate
  3. Ensure that the remedy — e.g., the cash payback — to the producer is sufficient if there’s a failure at the provider’s end

Vellani articulates the broad risk challenge companies face and how to meet it: “Not all companies are thinking through risk from well to financial statement,” he says. “With so many functions being performed by third parties, there are a lot of touch points along the way where the concept of risk gets lost. There’s no full ownership of where cybersecurity lies. What companies need to do is ascertain who owns the risk, and then ensure the proper controls are in place.”

Efficient operations, savvy producers’ hidden strength
Only a Pollyanna would see low energy prices as the ideal business environment for the upstream sector. But the reality is that expanding company operations and exploiting drilling opportunities is highly preferred to downsizing and retreat.

At the same time, booming oil markets drew a lot of actors that didn’t have the knowledge or experience to succeed in a less buoyant price environment. Left standing in the industry shakeout are those well-managed companies who have always recognized the importance of operational stability in succeeding during both good times and bad. These producers are now increasing their organizational strength through better internal controls, improving their risk profile and positioning them well for the next upsurge in energy prices.

[1] See Grant Thornton CorporateGovernor, “COSO 2013 framework boosts fraud risk assessment and prevention,”