Tag Archives: SOX compliance

“Carpe Diem”: Oilfield Services Companies Eye the IPO Market

Posted on by

 

 

By Tyler Chase, Managing Director
Energy and Utilities Industry Leader

and Steve Hobbs, Managing Director
Public Company Transformation

 

Despite the recent downward trend in oil prices, the oil and gas industry overall is feeling optimistic, as evidenced by increased rig counts and production levels. Both are signs that the industry is on the rebound after a downturn that has persisted for well over two years. Renewed confidence and optimism about future growth have many companies in the sector thinking about pursuing an initial public offering (IPO). Among them: fast-growing and capital-hungry oilfield services providers.

These service businesses play an important role in supporting the oil and gas industry. They provide innovative technology, manufacturing of critical equipment, and services that allow oil and gas companies to enhance their existing infrastructure and processes so they can produce more at less cost.

The recent volatility in the oil and gas market hit oilfield services providers hard. In 2015 and 2016, many were burdened with significant debt and selling their services at a discount just to survive; several companies ended up filing for bankruptcy.

Now, less than a year after that dark period, oilfield services providers are driving IPO activity in the energy sector — outpacing exploration and production companies. Many of these private equity-backed companies have been waiting for conditions in the industry and capital markets to improve so they can execute an IPO as their forward strategy. Others are looking to an IPO as a way to raise much needed capital fast, to fuel growth and innovation.

What many oilfield services providers learn in exploring the IPO idea is that they simply aren’t prepared to make the leap. One reason is that these firms lack maturity in their business processes, and have limited alignment with GAAP accounting and insufficient infrastructure and personnel to support expansion. They are, essentially, startups. And like any startup or other fast-growing private company in any other sector, oilfield services providers must achieve a certain level of “readiness” before attempting to go public.

These firms are also at risk of making a mistake common among other businesses with IPO aspirations: underestimating the amount of time and personnel required to address the demands of a public company transformation. These pre-public companies must address six primary infrastructure elements on their journey to IPO readiness, including:

  • Corporate policies: These include governance, financial reporting and company policies, such as human resource and marketing policies. Like most startups, oilfield services providers are so focused on delivering their technology and services and trying to grow their market that they don’t spend enough time on essential back-office infrastructure for the business, such as creating formal policies. Structure and documentation are needed not only for compliance purposes, but also to help the company communicate to everyone, from investors to current employees and potential hires, how it operates, what its values are, and more — a basic expectation from an IPO candidate.
  • Corporate processes: Financial reporting processes are just one example of corporate processes that many oilfield services providers will need to upgrade substantially and standardize before going public. For instance, documentation about business agreements is likely inadequate because of the informality with which these service companies often approach deals — confirming terms with perhaps little more than a handshake. So, firms preparing to go public need to start moving now to formalize their agreements with business partners and create an appropriate paper trail. Many accounting and financial planning and analysis forecasting processes will also need to be augmented and automated because manual practices are error-prone and time-consuming.
  • People and organization: Any company that wants to go public needs a well-structured and experienced leadership team. The IPO process places huge demands on senior executives — especially the CEO and CFO, who will need to spend much of their time on the road meeting with analysts and potential investors. Once the IPO ball starts rolling, these executives won’t be able to focus much on everyday business needs. There needs to be a strong team in place, especially in the accounting/finance organization, to help guide the company in their absence, address external auditor considerations, and meet SEC filing deadlines on time.
  • Systems and data: Pre-IPO companies frequently report that their IT departments are a major area of focus during their readiness effort. IT general controls that pertain to Sarbanes-Oxley Act compliance and data security and privacy strategies and policies are just two key areas within IT that oilfield services providers will need to pay special attention to as they lay the groundwork for a public offering. A critical risk within the realm of IT system compliance is addressing the organization’s lack of segregation of duties (SoD) and the need for comprehensive monitoring of access for all critical business IT systems. It’s imperative for management to be directly involved in the SoD design process to clearly shape the roles and duties of personnel within the company prior to an IPO. Data security and privacy can be particularly wide in scope, including everything from cybersecurity policies to business continuity management planning.
  • Management reports (e.g., on internal control over financial reporting) and methodologies (e.g., for the offering price, for financial controls, significant accounting estimates) round out the six primary elements. Oilfield services providers must ensure they have them covered — and implement a sustainable infrastructure and strong organizational capabilities as well — before pursuing an IPO.

Addressing all the above is a complex and resource-intensive endeavor, and likely will require expert assistance on many fronts. This fact is not to dissuade oilfield services companies from seizing opportunities in the current oil and gas market.  But seizing the opportunity is one thing; managing the newly public company in the weeks and months following the IPO in a manner that is consistent with the expectations of regulators and shareholders and the company’s own executives’ vision is quite another. At issue here is sustaining confidence with regulators and shareholders. According to our experience across a wide variety of sectors, covering the six elements of infrastructure above in a thoughtful, proactive manner is a vital process in moving to the next stage successfully.

Can Your SOX Compliance Process Benefit From Some Fine-Tuning? Find Out With Our Latest Benchmarking Survey

Posted on by

By Brian Christensen, Managing Director
Executive Vice President, Global Internal Audit

 

 

 

The results of Protiviti’s latest SOX compliance survey are in, and one takeaway in particular – cost of SOX compliance – may be music to the ears of some companies. For many organizations, those costs were reported to be lower this year than last, even as the number of controls, as well as hours dedicated to compliance, increased.

We don’t know the specific reasons why the costs at some companies decreased but we have some reasonable guesses: The fact that many companies have now completed their adoption of the new COSO Internal Control – Integrated Framework most certainly is a factor. The cost of the COSO implementation work was estimated to be between $50,000 and $100,000 on average.

Another potential factor regarding costs is who, exactly, is doing the work. As we illustrate in our infographic, a majority of organizations either outsource or co-source SOX compliance activities. This, in effect, may be masking some SOX compliance costs, as the expense for these external resources may not be captured under direct SOX costs the organization is tracking.

One other important point: The downward cost trend is not across the board – in fact, the overall number of companies spending over $2 million annually rose this year compared to last.

In addition, we wanted to get some further insight into why some companies report increasing controls, as well as increased hours and costs, so we introduced a new parameter in our survey this year – number of unique locations per company. Not surprisingly, the results revealed that the more locations a company has, the higher the number of controls it has and the higher its SOX costs are. This trend is quite clear, and it should help companies plan for their SOX costs next year, based on their plans to expand, reduce, or keep the same their number of unique locations.

Another trend driving hours and costs up is the dynamic nature of the SOX controls environment. With regulatory changes and developments constantly in play – PCAOB, new revenue recognition standard, cybersecurity, SOC 1, etc. – the learning curve seems to always be up, dragging hours up as well.

I’ve just highlighted the top trends here. The survey report provides much more granular insights, by type and size of company, type of control environment and more. Interest in benchmarking and peer performance with regard to SOX compliance is strong, and we are confident that the survey report provides a useful benchmark with detailed numbers and explanations. Download the survey report here and watch our highlights video below.

Sourcing SOX Compliance Costs: Fewer Controls, More Scrutiny

Posted on by

Nichole MiniceBy Nichole Minice, Managing Director
Internal Audit and Financial Advisory

 

 

In a recent post recapping our webinar on rising SOX compliance costs, we cited increased external auditor scrutiny of “information produced by entity” (IPE), or electronic audit evidence, as contributing significantly to the increase in costs, with the testing and validation of IPE requiring almost twice the eight-hour average time required to test other internal controls.

External auditors of public companies have come under increasing pressure from the Public Company Accounting Oversight Board (PCAOB). One area of particular emphasis has been the reliance of external auditors on IPE, and the need for increased rigor to ensure that the information is accurate and reliable.

IPE is the raw material from which external audits are crafted. It is, therefore, critical for organizations to be able to “show their work” in a way that can easily be verified and validated. This applies both to the integrity of the data itself and the processes underlying the generation of reports that control owners rely upon when executing an internal control. Under PCAOB standards, an external auditor should rely on an entity-produced report or spreadsheet only if there is sufficient evidence to prove that the information within the IPE document is both accurate and complete.

In my own field experience, it’s not unusual to encounter anywhere from 100 to 150 process-level controls. Because of the precision required by external auditors to meet the PCAOB standards, each of these controls might require 12 to 14 hours to test.

Overall, one in five public companies tests IPE every time a control is tested. Again, while respondents to our survey reported a decrease in the number of controls tested, the amount of effort being spent on the controls they do test has increased, and IPE certainly is one of the big contributors to that.

In such an environment, it’s easy to see how automated controls might significantly reduce the time and effort required for verification, particularly in comparison with a traditional spreadsheet in which every formula is a potential point of failure.

A more robust information technology environment provides a more reliable control environment, so we expect to see automated controls lead to a lot more efficiencies and eliminate human errors associated with manual entries into spreadsheets.

Not surprisingly, we’ve noticed that large accelerated and accelerated filers — entities that have adopted automated controls and reporting out of necessity and therefore tend to be more mature in their control environment — are doing the best job of managing the increasingly granular and transparent reporting requirements.

But companies of all sizes are making progress in this area, and we expect to see that continue. Well over half of the organizations surveyed reported that they have at least moderate plans to continue to automate their controls in 2016. We certainly see this trend at our clients and anticipate seeing more as organizations evolve from newly-public into more established entities.

Bottom line: In the current audit environment, organizations are placing an increasing emphasis on quality over quantity of controls. We’re seeing controls getting stronger, and the rigor from external audit related to PCAOB pressure certainly has an impact on that. I also think that companies are reaping the benefits of these strong controls that they can rely on internally and are looking to reduce the amount of controls that they ultimately have to focus on. It is important in all this that companies have a solid rationale behind their testing approach and communicate with their external auditors early and often.

Keeping Pace with SOX Compliance – COSO, Costs and the PCAOB

Posted on by

Every year, one of Protiviti’s most highly anticipated studies is our Sarbanes-Oxley Compliance Survey, in which we assess the current state and maturity of SOX compliance in public companies, along with factors influencing their efforts and costs. In our 2014 survey, the results of which we released today, there are a number of notable takeaways suggesting that, as a result of the new COSO framework and PCAOB inspection reports, among other factors, new hurdles are emerging in the SOX compliance process.

Infographic-2014-SOX-Compliance-Survey-Protiviti

Our key findings:

  • Companies are getting started, albeit slowly, with implementing the new COSO framework.
  • There is measurable fallout from the PCAOB’s inspection reports.
  • Compliance costs are going up but are still manageable for many.
  • Organizations continue to automate more processes and controls.

For more information and detailed survey results, I invite you to visit www.protiviti.com/SOXsurvey. Also, you can check out our infographic and video here.

Jim

https://www.youtube.com/watch?v=VnTnYi2NzAs