“Carpe Diem”: Oilfield Services Companies Eye the IPO Market



By Tyler Chase, Managing Director
Energy and Utilities Industry Leader

and Steve Hobbs, Managing Director
Public Company Transformation


Despite the recent downward trend in oil prices, the oil and gas industry overall is feeling optimistic, as evidenced by increased rig counts and production levels. Both are signs that the industry is on the rebound after a downturn that has persisted for well over two years. Renewed confidence and optimism about future growth have many companies in the sector thinking about pursuing an initial public offering (IPO). Among them: fast-growing and capital-hungry oilfield services providers.

These service businesses play an important role in supporting the oil and gas industry. They provide innovative technology, manufacturing of critical equipment, and services that allow oil and gas companies to enhance their existing infrastructure and processes so they can produce more at less cost.

The recent volatility in the oil and gas market hit oilfield services providers hard. In 2015 and 2016, many were burdened with significant debt and selling their services at a discount just to survive; several companies ended up filing for bankruptcy.

Now, less than a year after that dark period, oilfield services providers are driving IPO activity in the energy sector — outpacing exploration and production companies. Many of these private equity-backed companies have been waiting for conditions in the industry and capital markets to improve so they can execute an IPO as their forward strategy. Others are looking to an IPO as a way to raise much needed capital fast, to fuel growth and innovation.

What many oilfield services providers learn in exploring the IPO idea is that they simply aren’t prepared to make the leap. One reason is that these firms lack maturity in their business processes, and have limited alignment with GAAP accounting and insufficient infrastructure and personnel to support expansion. They are, essentially, startups. And like any startup or other fast-growing private company in any other sector, oilfield services providers must achieve a certain level of “readiness” before attempting to go public.

These firms are also at risk of making a mistake common among other businesses with IPO aspirations: underestimating the amount of time and personnel required to address the demands of a public company transformation. These pre-public companies must address six primary infrastructure elements on their journey to IPO readiness, including:

  • Corporate policies: These include governance, financial reporting and company policies, such as human resource and marketing policies. Like most startups, oilfield services providers are so focused on delivering their technology and services and trying to grow their market that they don’t spend enough time on essential back-office infrastructure for the business, such as creating formal policies. Structure and documentation are needed not only for compliance purposes, but also to help the company communicate to everyone, from investors to current employees and potential hires, how it operates, what its values are, and more — a basic expectation from an IPO candidate.
  • Corporate processes: Financial reporting processes are just one example of corporate processes that many oilfield services providers will need to upgrade substantially and standardize before going public. For instance, documentation about business agreements is likely inadequate because of the informality with which these service companies often approach deals — confirming terms with perhaps little more than a handshake. So, firms preparing to go public need to start moving now to formalize their agreements with business partners and create an appropriate paper trail. Many accounting and financial planning and analysis forecasting processes will also need to be augmented and automated because manual practices are error-prone and time-consuming.
  • People and organization: Any company that wants to go public needs a well-structured and experienced leadership team. The IPO process places huge demands on senior executives — especially the CEO and CFO, who will need to spend much of their time on the road meeting with analysts and potential investors. Once the IPO ball starts rolling, these executives won’t be able to focus much on everyday business needs. There needs to be a strong team in place, especially in the accounting/finance organization, to help guide the company in their absence, address external auditor considerations, and meet SEC filing deadlines on time.
  • Systems and data: Pre-IPO companies frequently report that their IT departments are a major area of focus during their readiness effort. IT general controls that pertain to Sarbanes-Oxley Act compliance and data security and privacy strategies and policies are just two key areas within IT that oilfield services providers will need to pay special attention to as they lay the groundwork for a public offering. A critical risk within the realm of IT system compliance is addressing the organization’s lack of segregation of duties (SoD) and the need for comprehensive monitoring of access for all critical business IT systems. It’s imperative for management to be directly involved in the SoD design process to clearly shape the roles and duties of personnel within the company prior to an IPO. Data security and privacy can be particularly wide in scope, including everything from cybersecurity policies to business continuity management planning.
  • Management reports (e.g., on internal control over financial reporting) and methodologies (e.g., for the offering price, for financial controls, significant accounting estimates) round out the six primary elements. Oilfield services providers must ensure they have them covered — and implement a sustainable infrastructure and strong organizational capabilities as well — before pursuing an IPO.

Addressing all the above is a complex and resource-intensive endeavor, and likely will require expert assistance on many fronts. This fact is not to dissuade oilfield services companies from seizing opportunities in the current oil and gas market.  But seizing the opportunity is one thing; managing the newly public company in the weeks and months following the IPO in a manner that is consistent with the expectations of regulators and shareholders and the company’s own executives’ vision is quite another. At issue here is sustaining confidence with regulators and shareholders. According to our experience across a wide variety of sectors, covering the six elements of infrastructure above in a thoughtful, proactive manner is a vital process in moving to the next stage successfully.

Can Your SOX Compliance Process Benefit From Some Fine-Tuning? Find Out With Our Latest Benchmarking Survey

By Brian Christensen, Managing Director
Executive Vice President, Global Internal Audit




The results of Protiviti’s latest SOX compliance survey are in, and one takeaway in particular – cost of SOX compliance – may be music to the ears of some companies. For many organizations, those costs were reported to be lower this year than last, even as the number of controls, as well as hours dedicated to compliance, increased.

We don’t know the specific reasons why the costs at some companies decreased but we have some reasonable guesses: The fact that many companies have now completed their adoption of the new COSO Internal Control – Integrated Framework most certainly is a factor. The cost of the COSO implementation work was estimated to be between $50,000 and $100,000 on average.

Another potential factor regarding costs is who, exactly, is doing the work. As we illustrate in our infographic, a majority of organizations either outsource or co-source SOX compliance activities. This, in effect, may be masking some SOX compliance costs, as the expense for these external resources may not be captured under direct SOX costs the organization is tracking.

One other important point: The downward cost trend is not across the board – in fact, the overall number of companies spending over $2 million annually rose this year compared to last.

In addition, we wanted to get some further insight into why some companies report increasing controls, as well as increased hours and costs, so we introduced a new parameter in our survey this year – number of unique locations per company. Not surprisingly, the results revealed that the more locations a company has, the higher the number of controls it has and the higher its SOX costs are. This trend is quite clear, and it should help companies plan for their SOX costs next year, based on their plans to expand, reduce, or keep the same their number of unique locations.

Another trend driving hours and costs up is the dynamic nature of the SOX controls environment. With regulatory changes and developments constantly in play – PCAOB, new revenue recognition standard, cybersecurity, SOC 1, etc. – the learning curve seems to always be up, dragging hours up as well.

I’ve just highlighted the top trends here. The survey report provides much more granular insights, by type and size of company, type of control environment and more. Interest in benchmarking and peer performance with regard to SOX compliance is strong, and we are confident that the survey report provides a useful benchmark with detailed numbers and explanations. Download the survey report here and watch our highlights video below.

Sourcing SOX Compliance Costs: Fewer Controls, More Scrutiny

Nichole MiniceBy Nichole Minice, Managing Director
Internal Audit and Financial Advisory



In a recent post recapping our webinar on rising SOX compliance costs, we cited increased external auditor scrutiny of “information produced by entity” (IPE), or electronic audit evidence, as contributing significantly to the increase in costs, with the testing and validation of IPE requiring almost twice the eight-hour average time required to test other internal controls.

External auditors of public companies have come under increasing pressure from the Public Company Accounting Oversight Board (PCAOB). One area of particular emphasis has been the reliance of external auditors on IPE, and the need for increased rigor to ensure that the information is accurate and reliable.

IPE is the raw material from which external audits are crafted. It is, therefore, critical for organizations to be able to “show their work” in a way that can easily be verified and validated. This applies both to the integrity of the data itself and the processes underlying the generation of reports that control owners rely upon when executing an internal control. Under PCAOB standards, an external auditor should rely on an entity-produced report or spreadsheet only if there is sufficient evidence to prove that the information within the IPE document is both accurate and complete.

In my own field experience, it’s not unusual to encounter anywhere from 100 to 150 process-level controls. Because of the precision required by external auditors to meet the PCAOB standards, each of these controls might require 12 to 14 hours to test.

Overall, one in five public companies tests IPE every time a control is tested. Again, while respondents to our survey reported a decrease in the number of controls tested, the amount of effort being spent on the controls they do test has increased, and IPE certainly is one of the big contributors to that.

In such an environment, it’s easy to see how automated controls might significantly reduce the time and effort required for verification, particularly in comparison with a traditional spreadsheet in which every formula is a potential point of failure.

A more robust information technology environment provides a more reliable control environment, so we expect to see automated controls lead to a lot more efficiencies and eliminate human errors associated with manual entries into spreadsheets.

Not surprisingly, we’ve noticed that large accelerated and accelerated filers — entities that have adopted automated controls and reporting out of necessity and therefore tend to be more mature in their control environment — are doing the best job of managing the increasingly granular and transparent reporting requirements.

But companies of all sizes are making progress in this area, and we expect to see that continue. Well over half of the organizations surveyed reported that they have at least moderate plans to continue to automate their controls in 2016. We certainly see this trend at our clients and anticipate seeing more as organizations evolve from newly-public into more established entities.

Bottom line: In the current audit environment, organizations are placing an increasing emphasis on quality over quantity of controls. We’re seeing controls getting stronger, and the rigor from external audit related to PCAOB pressure certainly has an impact on that. I also think that companies are reaping the benefits of these strong controls that they can rely on internally and are looking to reduce the amount of controls that they ultimately have to focus on. It is important in all this that companies have a solid rationale behind their testing approach and communicate with their external auditors early and often.

Is Your Company Private? The SEC Still Has Advice for You.

Steve HobbsBy Steve Hobbs
Managing Director, Public Company Transformation




At Protiviti, we routinely counsel private companies that a good governance and control structure is a sound business strategy for any company, and particularly for fast-growth companies with outside investors. If you don’t believe us, just ask the Securities and Exchange Commission (SEC).

Recently, SEC chair Mary Jo White gave a speech at Stanford University, directly addressing private companies. “Being a private company comes with serious obligations to investors and the markets,” White said. “For the new and evolving markets to be successful, all investors need confidence that they are being treated fairly and that the full range of risks are transparently disclosed.”

She went on to say, “Some of the principles that characterize public companies – transparency with investors, controls on financial reporting, strong corporate governance – have applicability and relevance to private companies, especially those pre-IPO companies that aspire to go public, and should not be overlooked or avoided, whether or not mandated by federal law or a SEC regulation.”

So, what are those pre-IPO “musts” that private companies should do now to create good governance and control structure? It comes down to two key pieces of advice:

  • Start early. Understanding the timeline of events and transformation in an IPO process is key. We recommend certain tasks be done prior to an IPO. Such tasks include evaluating the internal control and governance environments and identifying areas of risk as well as areas for improvement.
  • Know the potential issues before they arise. There are a number of issues that companies typically face during the first year of being public. If you plan properly, you can address most of these issues prior to the IPO, and then identify and address the rest as they evolve. Examples include lack of internal buy-in or understanding of the importance of proper controls, minimally documented policies and procedures, and internal control gaps.

Finally, I blogged not long ago about our latest Guide to Public Company Transformation. It contains a wealth of information, in a helpful Q&A format. It’s a good way to take care of the second point I make here – knowing the issues. The early start, that’s up to you.

Revenue Recognition Webinar Series: Industry Considerations and Cross-Functional Implications

Chris WrightChris Wright, Managing Director
Leader of Protiviti’s Finance Remediation and Reporting Compliance practice



By now, regular readers of this blog should be well-aware that new Financial Accounting Standards Board (FASB) revenue recognition rules will apply to reporting periods beginning after December 15, 2018 — and will be allowed a year earlier for those who are ready. Now is the time for companies to be considering the potential effects of this change and running diagnostic exercises to determine how much work will be required to adapt their policies, procedures and controls to the new rules in time to be ready for their chosen or mandated due date.

Protiviti launched the Revenue Recognition webinar series in November of last year, working through the six elements of infrastructure, delineating the probable impacts of the transition process in each. The final installment — Industry Considerations and Cross-Functional Implications —  was held on July 23.

Chris Wright, Managing Director and leader of our Finance Remediation and Reporting Compliance practice, wraps up our post-blog Q&A series by answering some of the top questions posed during the live session.

Q: How will the new revenue recognition standards affect internal controls and how will that affect Sarbanes-Oxley (SOX) audits?

A: Internal and SOX audits, which test controls, will be impacted in a downstream manner through changes in accounting policy, which is likely to be affected by the new rules, and more so in some industries than others. Industries that rely on long-term and percentage-of-completion contracts — construction and aerospace, for example, and anyone who is manufacturing for the defense industry — are particularly likely to see substantial changes. If the company has to recognize revenue sooner, or based on different indicators, that will have to be baked into a new accounting policy. If that policy changes, then what people do at their desktops — in the accounting organization, the operations and logistics areas, in treasury and tax, and in HR, where they compute the commissions, etc. — may also change. And of course, whenever you change processes, you have to assess whether the controls you had in place before address any additional risks that come from that change. This is where the flow-through effect of the new rules could move all the way into the domains of internal and SOX audits.

Q: Does this new standard do away with percentage-of-completion accounting for long-term contracts?

A: As an academic matter, yes. As a practical matter, however, its effects may not go away completely. All generally accepted accounting principles regarding revenue recognition are replaced by the new standard. The rules on percentage-of-completion accounting have been around for 35 years. Companies have gotten used to them. What’s really going to be a challenge is to separate and account for multiple margins and deliverables – the delivery of one plane, one tank, or one building — within a single contract. One contract might have separate streams with different margins from quarter to quarter, or year to year.

Down the road, it’s not inconceivable that companies may not only change accounting policies as a result of the new standard, but also change their pricing and their approach to accounting. That’s why we recommend a cross-functional view of the new rules. If the initial diagnostic has determined a need for substantial change, it is important to assemble a team with a full view of all upstream and downstream impacts. Without assessing the gap between the new rules and the current rules, there is a potential to overestimate the simplicity or complexity of the changes — we need to get past guessing. The diagnostic assessment needs to start at the treetops and get to a granular level, and happen sooner rather than later.

Q: What are the biggest issues facing manufacturers whose standard “free-on-board” (FOB) terms are FOB shipping point, but do have some FOB destination customers?

A: As a practical matter, the new rules shouldn’t affect a company’s policy regarding the point at which ownership of goods transfers to the recipient. What needs to be clear is the terms, and that there are no further performance obligations — policies, procedures and controls. From a cross-functional perspective, it is important to test this process all the way through, and the sales force needs to be educated to make sure that what they are telling customers matches the terms in the company’s contract — terms which are the basis for the company’s new accounting policy.

Q: What should internal audit do to prepare for the changes?

A: Chief audit executives (CAE) are in a unique position as liaisons between the audit committee and management. The audit committee will likely want to weigh in on things like prospective versus retroactive reporting and early adoption. CAEs need to make sure that these items are on the audit committee agenda and that they are being addressed. On the management side, internal audit needs to at least attend diagnostic and subsequent project management meetings, and ideally should be represented as a fully participating voice in the project management organization. Although internal auditors should not be writing accounting policy, they play a big role in making sure revenue recognition issues, particularly the cross-functional implications — both upstream and downstream — are considered and addressed. We’re seeing that plans for testing the consistent application of the new rules may require a different skill set than some companies have committed to, and that they need to move from junior internal auditors with checklists to more senior personnel with more developed critical thinking capabilities. Otherwise, how can the CAE expect the internal audit function to be effective in challenging senior accounting officers as they apply a very different accounting approach to such a critical area as revenue recognition?

The new revenue recognition standard is an important and complex issue that could have process, policy and control implications throughout your organization. To help you and your organization navigate this change, we have established the microsite protiviti.com/revenuerecognition, with links to all five of our recorded webinars, and additional thought leadership on this topic.

COSO 2013 Implementation Webinar: Your Questions Answered

Keith Kawashima

Keith Kawashima, Managing Director
Internal Audit and Financial Advisory practice



Wrapping up our Internal Audit Awareness Month webinar Q&A series, Keith Kawashima, managing director in our Silicon Valley office, answers some of the questions we weren’t able to get to in our April 29th webinar, Top 10 Lessons Learned From Implementing COSO 2013.

In 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued a comprehensive update to its original 1992 Internal Control — Integrated Framework. This COSO framework is the de facto framework used by more than 99 percent of the organizations required to comply with Section 404 — Internal Controls over Financial Reporting (ICFR) requirement of the Sarbanes-Oxley Public Company Accounting Reform and Investor Protection Act (SOX). Based on financial filings reviewed through the end of May, 2015, approximately 83 percent of companies subject to the external auditor attestation requirement have transitioned from the 1992 version of COSO to the revised 2013 version.

The U.S. Congress enacted SOX, in 2002, in the wake of several high-profile public company financial frauds, to provide additional comfort to investors that public company financials were built on reasonable standards. Among other things, this legislation created the Public Company Accounting Oversight Board (PCAOB) and charged it with establishing auditing and related professional practice standards for registered public accounting firms to follow in the preparation and issuance of audit reports.

Below, Keith addresses some SOX-specific questions regarding the application of COSO 2013.

Q: Given the increased regulatory focus on internal control deficiencies, how does COSO connect the dots between deficiencies and the scope of potential misstatements they could create?

A: The PCAOB is telling external auditors that they need to further scrutinize both the design and operating effectiveness of a company’s internal controls over financial reporting, as well as to better support the conclusions they come to in their evaluation of ICFR. Both the old COSO framework and the revised framework have five components by which internal controls were evaluated. The new framework further expands and defines each of those five components through its 17 mandatory principles. These principles are broken down even further through the points of focus.

For a control environment to be deemed to be effective, the company needs to be able to demonstrate that all principles are present and functioning, as well as operating together. The application of the new framework has and will continue to help both the external auditors and management to identify control gaps and evaluate the potential exposure that these gaps create. This allows them to understand the potential for misstatement that exists and helps to size the gaps as deficiencies, significant deficiencies or material weaknesses.

Q: If there is a discrepancy between the COSO 2013 internal control framework and SOX, which takes precedence? And what part of SOX compliance, specifically, does COSO address?

A: The COSO internal controls framework was released 10 years before the Sarbanes – Oxley act was passed. As one can imagine, both the 1992 and 2013 version were designed for broader application than those required by the internal controls over financial reporting (ICFR) evaluation required to comply with SOX section 404. While the focus of SOX is limited to the controls in place to ensure material accuracy of the company’s outwardly facing financial reports, the COSO framework is intended to apply more broadly to the company’s overall internal control environment. This has led some companies to either intentionally or un-intentionally expand their control evaluation efforts beyond what is required for SOX purposes. As it pertains specifically to SOX, however, COSO has clearly communicated that it has provided a thorough and useful framework for evaluating internal controls, and continues to reiterate that it is not a legislative body. The SOX 404 requirement continues to focus on a top-down risk-based scoping approach. It also has defined the evaluation criteria and reporting requirements for control gaps or deficiencies. COSO has stated that in the instance where additional criteria is required, the framework is flexible enough to accommodate it. So for SOX, the focus will be on ICFR, and the evaluation and reporting requirements remain aligned to the SOX criteria of deficiency, significant deficiency and material weakness.

Q: The PCAOB, which was created by SOX, has said that not enough work is being done by external auditors to verify the presence and functioning of internal controls over outsourced processes and third-party vendors within the scope of ICFR. How can COSO 2013 be applied to address this concern?

A: I think it’s important to recognize that while a company can outsource a process, it can never outsource the responsibility for maintaining an appropriate control environment over that process, particularly when the outputs from that process have an impact on public financial statements.

External auditors and management both need to conclude that the overall control environment is adequate and that all 17 of the COSO principles are present and functioning, regardless of whether a process or a series of processes is performed by the company or by third-party providers. The additional granularity of the revised version – including additional emphasis for areas such as use and reliance on technology and an enhanced focus on fraud risks and other areas – helps us to understand the broad control environment, including areas where outsourcing in deployed.

For a more in-depth examination of COSO 2013 internal control framework and how to implement it, you might be interested in Protiviti’s Frequently Asked Questions (FAQ) COSO publication, as well as our 5-part webinar series covering COSO 2013. Follow the links below to register for one, or all, of the free archived sessions:

COSO 2013: What is New, What Has Changed, Why Does it Matter, and Other Frequently Asked Questions (May 28, 2014)
COSO 2013: Managing the Project for Success and IPO Readiness (June 4, 2014)
COSO 2013: Mapping Controls to Principles (June 11, 2014)
COSO 2013: The Implications to IT Controls (June 18, 2014)
COSO 2013: Assessing Fraud Risks in ICEFR and Implementation Insights Panel (June 25, 2014)

Protiviti is offering these webinar Q&As in May as part of Internal Audit Awareness Month. For additional information about the month-long initiative, spearheaded by the Institute of Internal Auditors, please visit The IIA’s website.