Stop worrying about compliance - let your back office help you
Kevin E. Schmidt, Enertia Software, Midland, Tex.
Is this scenario keeping you up at night? You receive a letter from the nearest US Attorney’s office: “We are conducting routine audits of Sarbanes-Oxley (SOX) compliance within the oil and gas industry. An auditor will be arriving at your offices Monday and will be requesting information on a variety of transactions in production, accounting, and land use by your company. Please have all information available.”
Would you be prepared?
Of course, the basic year-end compliance requirements of SOX and other state and federal regulations may be enough on their own to cause an oil and gas executive to toss and turn at night. With this in mind, it’s the wise executive who decides to be proactive. It’s best to meet and exceed the regulations because they aren’t going away. If anything, they are changing again amid new standards, but they will be with us for the long term.
Sarbanes-Oxley has very specific rules, which require company executives to be fully aware of all technology assets owned by the enterprise and to personally certify all financial reports. In the oil and gas industry this covers a lot of material and sensitive information, easily more than one individual can hold in his head. The potential risks of non-compliance include fines, jail sentences, and damage to a company’s reputation that could take years to repair.
Media reports over the years since SOX became law in 2002 have indicated that legislators are going to lighten the regulatory load due to businesses lobbying against the expense of compliance.
In my business, which is providing software support products for every aspect of the vertically integrated upstream oil and gas industry, the reality is that regulators are constantly asking for more. And it’s not just government regulators. Litigation of all sorts is now requiring companies to provide data access at a level never before contemplated.
The problem many companies in our industry have is siloed data digitally stored in multiple places with poor or no synchronization, no way to be sure what’s current and what’s correct right now. And as to older data, it’s often scattered and sometimes just lost.
Mergers and acquisitions have led to paper files being thrown away before they could be scanned, and computer records that were either never provided to the acquirer, or were simply put on discs which are now buried at the bottom of some storage facility. As far as compliance with government regulations is concerned, this can be a disaster.
In July, Oil & Gas Financial Journal covered the issues of fraud that can trip up a company (http://www.ogfj.com/articles/article_display.cfm?ARTICLE_ID=297744&p=82). While outright criminal behavior can and should bring fines and censure, many a SOX compliance mishap is innocently caused by the realities of the industry: merged companies, legacy systems, and a wide variety of reporting and data managing software products that don’t talk to one another.
In this article, I’d like to examine solutions to these problems, so your company won’t have to worry about that auditor or attorney dropping by.
21st century realities
The economic issues confronting the oil and gas industry make it imperative that our processes work seamlessly. However, we’re far-flung, with offices and facilities that are sometimes continents away from each other. Even companies that are relatively small will have personnel and processes divided. The industry is also undergoing a tremendous amount of merger and acquisition action, dividing and uniting disparate groups and their data.
Well, this is all OK, even dynamic and exciting, as long as the data collection necessary is done in a clean, efficient manner and is able to integrate across departments and programs.
Let’s consider the data we’re talking about:
- Production - raw measurement, third party volumes, allocation network configurations, allocations, comparisons to forecast, financial budgets, marketing, balancing and related business performance information.
- Accounting - all the transactions that power the enterprise - AP, deposits & AR, JIB, AFE, revenue, service company inventory and invoicing, PO and receipts and the general ledger.
- Revenue - integrated with production allocation results, volume and imbalance ownership and pricing data necessary to support today’s continually changing complex business arrangements.
- Land - ownership, contractual agreement obligations, acreage analysis, seamless maps linked directly to and all your images and related master file and transaction history.
- Service companies - materials and inventory management, PO and invoicing; operations and joint interest billing; time entry with expenses and equipment utilization for billing or Trade invoices with sales tax to affiliated entities and outside parties.
- Gas control/marketing - calculations for goal and available volumes based on real-time production data, price indexes and deductions defined by gathering agreement with invoice and transaction generation to support the marketing, pricing, distribution and balancing functions.
- Historical reporting - historical data on all of the above, re-run off all the original data - not cold storage information - actually the exact same information from all processes across the enterprise supported by the actual live data.
A company with incredibly deep pockets can create an internal software package to handle all this data and make it interact, train their employees to use it and hire and maintain the necessary IT and back office personnel to police and archive siloed material; Halliburton announced this year that they have done so. Most energy companies, however, have been trying to muddle through with a variety of solutions:
- Microsoft Excel spreadsheets for every kind of item, often designed by an individual user. A common problem is that one Excel spreadsheet will not necessarily interact with another even in the same office.
- Legacy software that is based on a data design that was originated 20-30 years ago and upgraded through “customization,” often leaving holes; or so altered over the years that it cannot be integrated with other programs, even ones with the same original software code version.
- Relatively expensive, whiz-bang looking Dashboards that do bring a lot of spreadsheet databases together but often cannot specify the age of the data or when it was last altered. Many of these run on, yet again, siloed data warehouses.
None of these siloed programs are ideal in the Sarbanes-Oxley age we now live in. SOX and other regulations and the lawyers who work in their own bubbles generally expect even the small companies to manage their data as well as an expensive Halliburton-like Enterprise KM solution. Companies are looking for a way to meet this demand while still gaining ROI on their software purchase.
The good news is, this is actually possible. The key is to not try to retrofit an old or inappropriate package on top of what companies already have. Instead of trying to “customize” back office software to fit your company, look at exactly what you have, what you need, and find the solution that will integrate into your pre-existing intranet and yet fold all the functionality you need into a fresh application.
In my company’s experience, one size fits nothing. Every company is a little different. ROI for trying to fold your data needs into a cookie-cutter and then paying for all the bugs and changes that engenders is usually depressing. So don’t even go there. I also recommend you decide what works best for your enterprise - large, medium or small - and don’t just follow what the guy down the block does. Look hard to find what best fits your needs. There are lots of experts out there now, so buyer beware.
Security
One of the biggest issues for many companies when considering bringing all their data into SOX compliance is the risk of security breaches. With all the data being auditable, doesn’t that mean it will also be “hackable?” Not necessarily. Again, it depends on the quality of the product you use. Excel spreadsheets, even in a “read only” environment, are eminently hackable. In fact they are vulnerable to all kinds of sabotage, mistaken alterations, faulty entries, and confused formulas.
Older programming languages are vulnerable to poor maintenance processes and more mistakes because they are not what current education and commercial developers use anymore. It isn’t necessarily malicious. “I’ll just make a quick adjustment to this code,” says a helpful 20-something in a new job or offshore facility. This does happen, and we can expect more of it as a generation who grew up as comfortable with code as our dads were with internal combustion engines comes into the office. Of course, the problem is that “little adjustment” might have repercussions that result in lost business opportunity and potentially a fine somewhere down the road.
Dashboards that pull from a variety of data sources are usually limited to certain “eyes only” but this can be problematic when it comes to pulling auditing reports and noting who had authority to do what, spend what and approve what, when.
Siloed data may seem more secure because it’s hard to get to, but a lawsuit or government audit might turn into an expensive nightmare if some crucial piece of data can’t be found or certified by company executives in a timely manner. Because adequate digital security does exist, the auditor is not going to cut your small energy company any slack.
In fact, just a cursory study of the cost-effectiveness of managing siloed data vs. the ROI in appropriate integrated back office software makes it clear that the time has long since come for everyone to be in the digital data world. Why pay for the personnel and facilities to maintain reams of paper data that can be misfiled and can’t be cross-referenced?
Here’s another thing about security: SOX requires digital security anyway. Auditors will check to see who has access to data, who doesn’t, and proof that such rules are enforced. Security can be programmed in to control who can see and who can alter data; which data this or that group can see but not alter, and which data is unavailable except at the highest levels.
It’s best to find a solution to this requirement that offers outside auditors a clear report on all programmed security without actually giving them access to your code. Surprisingly, few back office software products offer this amenity. I recommend you insist upon it. A simple electronic file listing all the security protocols, along with any and all patches and new program release changes (automatically populated), will fulfill that SOX requirement without opening your digital drawers to outside view.
Knowledge management
More and more oil and gas executives are unwilling to accept printed, pretty data from their direct reports; they have the sophistication in computer usage to want to find the information themselves. Of course this is why so many companies have turned to Executive Dashboards - they allow the illusion of data control by providing fast snapshots of what’s going on in back office processes.
While we agree that the Dashboard plays a vital role, we believe the next step up from an executive dashboard is a software product that serves as a more sophisticated dashboard that is available throughout the enterprise and across departments. By being data-driven across every aspect of the business, auditors, approved user groups, and specified individuals can drill down, across, and through any and all transactions throughout the company, past and present. Who approved that expense? Who authorized that person and when? Who altered that invoice, when and by what authority? How did that purchase affect the budget of a department across the country?
Incident tracking and management is part of SOX and it’s part of good management. Within your data management software, you should be able to input and monitor a wide variety of projects. We work in a dynamic industry that requires us to be nimble, so as changes are implemented, your reports should be automatically and instantly updated, while old reports are still maintained actively for auditable reference because the data support that, not because you copied all the data to cold storage.
Your back office software should track all changes and updates to data within your specified parameters, and every time a change is inputted the appropriate people are notified via automatically generated email, so everything is referenced. Of course not everything needs to be tracked at microscopic levels. But financial issues in particular require careful monitoring now, and specific “incidents” can be programmed for flags to do this for you.
Process reports need to be available forever and the data for the processes should support prior period adjustments for corrections caused by measurement errors, human errors or whatever else affects these transactions. In fact, pretty much nothing should ever be deleted and it should be maintained with full transparency in your integrated solution. Our company is maintaining some clients with hundreds of concurrent users each who require 200 gigs of server memory and that is just continuing to grow. This is another element of SOX. Until the government tells you, don’t delete. Everything should be accessible and researchable.
There is no simple way to “plug and play” this kind of software, true. However, once the basic set up is complete your company executives can manually run reports at any time or they can set up such reports for themselves using a scheduler to run at specific intervals. Different incident types can be set up to run on different schedules and for different, specialized groups of company management.
Company executives can choose to monitor and create incident reports for highly sensitive information more often than for less sensitive data. There are as many ways now for an executive to parse data so that it will be useful to that day’s requirements as there are companies in the energy field. The generation now stepping into the oil and gas industry C-suites is making its management determinations based on its own research.
Integration
Especially in companies which have come together through mergers, data redundancy can become a confusing problem for auditors and managers alike. Your back office solution should automatically filter redundancies out so reports are clear.
Once a transaction is in the system, it should not be repeated anywhere, although every subsequent action taken in relation to that transaction should be recorded and tracked. Also, when an auditor, whether internal or external, requests a file, if it is linked to another file or image for whatever reason, it should be available so the related, or “dependent” data is obvious to the user and identified at the outset. This not only avoids confusing double-entries, it allows a truly transparent look at business processes and data so management can correct problems faster, more efficiently, and with confidence.
Another element for many of our clients in the oil and gas industry is the need to account for a variety of other assets. Many privately held energy companies are also involved in related, but certainly different, industries. Many companies run separate applications for their vertical labor and service sector activities; for these vertically integrated companies this is no longer necessary. All this data can be integrated.
Integration of data so that compliance problems enterprise-wide can be avoided is crucial. However, while SOX may be the reason for an initial investment in an application software to monitor financial and production realities, once companies experience a truly integrated, solid software solution for their back office processes, they discover that the ROI is phenomenal. When inventory, purchasing, orders, sales tax - all are fully and vertically integrated, it can be a beautiful thing.
Client case study
Mack Energy, in New Mexico, is an example of a company that decided it needed this kind of capability. During a divestiture of one of its subsidiaries earlier this year, the company went through data related to more than 600 wells over 22 years, under scrutiny of auditors, both internal and external.
“The beauty of it was that we could slice and dice the data any way we needed to, and we could go through every transaction and get to any piece of data or document that we needed to find in a painless way,” said Brad Bartek, CFO of Mack Energy, which used Enertia Software to accomplish this task. Prior to moving to a complete back office solution, Mack Energy used four or five different systems across its companies and services, which include oil and gas development, oilfield supplies, drilling, a service company and even a commercial pecan farm. Now, a single software product can handle all of it and allow integrated oversight.
Nightmare or no problem?
So, back to that nightmare scenario. The auditor arrives, and as often happens, she cherry-picks a list of transactions she would like to go through.
No problem, you say. Here’s a system interface we all use that includes all the images, all the linked documents and everything that’s been done to every item related to those transactions from start to finish; who had access, who altered anything, who saw anything. Want a copy?
Bad day solved.
About the author
Kevin E. Schmidt is president, CEO, and chairman of the board of Enertia Software, a software development and technical services company offering a fully integrated enterprise-level system specifically tailored to the oil and gas industry, along with development, implementation, and business consulting services. Schmidt worked as a land man before he entered the computer software field.