“Carpe Diem”: Oilfield Services Companies Eye the IPO Market



By Tyler Chase, Managing Director
Energy and Utilities Industry Leader

and Steve Hobbs, Managing Director
Public Company Transformation


Despite the recent downward trend in oil prices, the oil and gas industry overall is feeling optimistic, as evidenced by increased rig counts and production levels. Both are signs that the industry is on the rebound after a downturn that has persisted for well over two years. Renewed confidence and optimism about future growth have many companies in the sector thinking about pursuing an initial public offering (IPO). Among them: fast-growing and capital-hungry oilfield services providers.

These service businesses play an important role in supporting the oil and gas industry. They provide innovative technology, manufacturing of critical equipment, and services that allow oil and gas companies to enhance their existing infrastructure and processes so they can produce more at less cost.

The recent volatility in the oil and gas market hit oilfield services providers hard. In 2015 and 2016, many were burdened with significant debt and selling their services at a discount just to survive; several companies ended up filing for bankruptcy.

Now, less than a year after that dark period, oilfield services providers are driving IPO activity in the energy sector — outpacing exploration and production companies. Many of these private equity-backed companies have been waiting for conditions in the industry and capital markets to improve so they can execute an IPO as their forward strategy. Others are looking to an IPO as a way to raise much needed capital fast, to fuel growth and innovation.

What many oilfield services providers learn in exploring the IPO idea is that they simply aren’t prepared to make the leap. One reason is that these firms lack maturity in their business processes, and have limited alignment with GAAP accounting and insufficient infrastructure and personnel to support expansion. They are, essentially, startups. And like any startup or other fast-growing private company in any other sector, oilfield services providers must achieve a certain level of “readiness” before attempting to go public.

These firms are also at risk of making a mistake common among other businesses with IPO aspirations: underestimating the amount of time and personnel required to address the demands of a public company transformation. These pre-public companies must address six primary infrastructure elements on their journey to IPO readiness, including:

  • Corporate policies: These include governance, financial reporting and company policies, such as human resource and marketing policies. Like most startups, oilfield services providers are so focused on delivering their technology and services and trying to grow their market that they don’t spend enough time on essential back-office infrastructure for the business, such as creating formal policies. Structure and documentation are needed not only for compliance purposes, but also to help the company communicate to everyone, from investors to current employees and potential hires, how it operates, what its values are, and more — a basic expectation from an IPO candidate.
  • Corporate processes: Financial reporting processes are just one example of corporate processes that many oilfield services providers will need to upgrade substantially and standardize before going public. For instance, documentation about business agreements is likely inadequate because of the informality with which these service companies often approach deals — confirming terms with perhaps little more than a handshake. So, firms preparing to go public need to start moving now to formalize their agreements with business partners and create an appropriate paper trail. Many accounting and financial planning and analysis forecasting processes will also need to be augmented and automated because manual practices are error-prone and time-consuming.
  • People and organization: Any company that wants to go public needs a well-structured and experienced leadership team. The IPO process places huge demands on senior executives — especially the CEO and CFO, who will need to spend much of their time on the road meeting with analysts and potential investors. Once the IPO ball starts rolling, these executives won’t be able to focus much on everyday business needs. There needs to be a strong team in place, especially in the accounting/finance organization, to help guide the company in their absence, address external auditor considerations, and meet SEC filing deadlines on time.
  • Systems and data: Pre-IPO companies frequently report that their IT departments are a major area of focus during their readiness effort. IT general controls that pertain to Sarbanes-Oxley Act compliance and data security and privacy strategies and policies are just two key areas within IT that oilfield services providers will need to pay special attention to as they lay the groundwork for a public offering. A critical risk within the realm of IT system compliance is addressing the organization’s lack of segregation of duties (SoD) and the need for comprehensive monitoring of access for all critical business IT systems. It’s imperative for management to be directly involved in the SoD design process to clearly shape the roles and duties of personnel within the company prior to an IPO. Data security and privacy can be particularly wide in scope, including everything from cybersecurity policies to business continuity management planning.
  • Management reports (e.g., on internal control over financial reporting) and methodologies (e.g., for the offering price, for financial controls, significant accounting estimates) round out the six primary elements. Oilfield services providers must ensure they have them covered — and implement a sustainable infrastructure and strong organizational capabilities as well — before pursuing an IPO.

Addressing all the above is a complex and resource-intensive endeavor, and likely will require expert assistance on many fronts. This fact is not to dissuade oilfield services companies from seizing opportunities in the current oil and gas market.  But seizing the opportunity is one thing; managing the newly public company in the weeks and months following the IPO in a manner that is consistent with the expectations of regulators and shareholders and the company’s own executives’ vision is quite another. At issue here is sustaining confidence with regulators and shareholders. According to our experience across a wide variety of sectors, covering the six elements of infrastructure above in a thoughtful, proactive manner is a vital process in moving to the next stage successfully.

Create IT Internal Controls as Unique as Your Startup

Steve Hobbsby Steve Hobbs
Protiviti Public Company Transformation Solution Leader and Managing Director



With all the challenges startups face just to get off the ground, is it any wonder if thoughts of compliance requirements are not top-of-mind? Nevertheless, as the board and CFO know all too well, IT controls must become a top priority as the company matures and considers an IPO. Without proper IT controls, you run the risk of hurting both the top line and the filing deadlines.

Traditional internal controls, however, can run counter to the company’s culture and competitive mindset. To satisfy control and compliance requirements without disrupting the company’s culture of independence and innovation, we suggest that startups create their own IT general controls (ITGC). Our point-of-view paper, Agile Technology Controls for Startups – a Contradiction in Terms or a Real Opportunity?, discusses these matters at length.

While setting up your unique ITGC framework, here are key items to address:IT controls graphic

  • Analyze the system environment. It’s important to focus on the necessities. Understand which systems and processes are in scope for the purpose of the compliance audit and determine if some systems can be excluded. Identify owners of each process, and eliminate unnecessary redundancies by aggregating processes under common owners when possible.
  • Identify and support key corporate data activities. Utilize existing development operations (DevOps) and agile process activities to eliminate unnecessary, unaligned and ineffective control activities. DevOps and agile process activities should be the basis for identifying and defining key ITGCs, such as test case coverage or automation of regression testing. Add additional control activities as necessary and consider alternative approaches to mitigating risk.
  • Define a future-state vision. Create a road map to envision easily how all the processes fit together. Rather than adding new manual activities, you may find that there are automated controls that can be leveraged for ITGCs to increase efficiency. Don’t forget to keep an eye on a “backlog” of improvement opportunities and initiatives that you should consider as you move toward the future.

Cybersecurity Capabilities: Jordan Reed Answers Questions from our Internal Audit Capabilities and Needs Survey Webinar in March

Jordan ReedJordan Reed, Managing Director
Internal Audit and Financial Advisory practice



More than 800 chief audit executives and audit professionals from around the world participated in Protiviti’s 2015 Internal Audit Capabilities and Needs Survey. Our subject-matter experts discussed the results in depth in a March 24th webinar, From Cybersecurity to Collaboration: Assessing the Top Priorities for Internal Audit Functions.

We received so many questions from webinar attendees that we were unable to address them all within the allotted time. A number of those questions centered on cybersecurity. Jordan Reed, a managing director in Protiviti’s Houston office, answers those questions here:

Q: Do you typically see cybersecurity risks discussed with audit committees, or would that be better situated at the board risk committee?

A: I see both, although more frequently at the board level. Some companies have risk committees that focus specifically on areas like technology and other emerging risks, and cybersecurity certainly fits within that scope. Others provide education, current events and hot topics for the full board, and cybersecurity almost always finds its way onto that agenda. If the board delegates its risk oversight responsibility to the audit committee, then that committee may oversee the management of cyber threats. To the extent cybersecurity has been included in an internal audit risk assessment or internal audit, the topic and results would obviously be discussed with the audit committee versus the entire board. Additionally, any security breach that required a public disclosure would certainly be discussed with the audit committee. So you can see, there is no one-size-fits-all approach.

Q: Can you provide more information about The IIA’s GAIT framework?

A: The best answer to this would come from The Institute of Internal Auditors’ website:

“The IIA’s General Assessment of IT Risk (GAIT) series describes the relationships among business risk, key controls within business processes, automated controls and other critical IT functionality, and key controls within IT general controls. Each practice guide in the series addresses a specific aspect of IT risk and control assessments.

The IIA classifies GAIT as recommended guidance under its international professional practices framework (IPPF). GAIT practice guides include:

  • The GAIT methodology: A risk-based approach to assessing the scope of IT general controls as part of management’s assessment of internal control required by Section 404 of the Sarbanes-Oxley Act.
  • GAIT for IT general control deficiency assessment: An approach for evaluating whether any ITGC deficiencies identified during Section 404 assessments represent material weaknesses or significant deficiencies.
  • GAIT for business and IT risk: Guidance for helping identify the IT controls that are critical to achieving business goals and objectives.”

Q: Does increasing board engagement with cybersecurity require a more technically astute appointee, similar to members with finance backgrounds, so the severity of threats can be better understood?

A: We are seeing a lot of organizations starting to move in that direction. As you might expect, this has been especially true for organizations with a greater concentration of “crown jewels,” such as personally identifiable information — financial services, retail and healthcare companies, for example.

Q: Should cybersecurity be addressed within the organization’s audit charter?

A: Yes, it is already covered in most of the charters I see, in the “Responsibility” section of the Internal Audit Activity Charter. I typically do not see cybersecurity specified at that granular of a level, but it is covered within the overall responsibilities of the internal audit function.

Please see Protiviti’s 2015 Internal Audit Capabilities and Needs Survey Report for additional insights on cybersecurity and other topics.