Source: Oil and Gas Monitor
The oil and gas sector has been defending against fraud since the first oil well was drilled in the late 1800s. Today, the economic pressures resulting from overproduction of crude by OPEC nations (essentially fuelling a price war) and the oversupply of natural gas create trigger points for fraud: pressure, opportunity and rationalization.
How big is the risk? Global statistics indicate that fraud costs companies an average of 5 percent of revenues each year, which in the oil and gas industry can translate to tens or hundreds of millions of dollars. This means when price downturns cut into margins, oil and gas companies should be doubling down on an ounce of prevention to reap a pound of cure.
Any business involved in the oil and gas sector—including producers, partners and suppliers—is vulnerable to fraud in a variety of areas. Low prices are causing shifts in investment, revenues and billables are dropping, and big capital projects are being shut down or shifted offshore, creating an environment ripe for fraud. Stakeholders under financial pressure from losing wages, contracts, or income may be tempted to circumvent controls or regulations.
Let’s take a more detailed look at each of these within the current context of the oil and gas sector.
A strategic assessment is critical for determining where a business is most vulnerable based on its executive agenda and its business and legal entity structure. The Association of Certified Fraud Examiners outlines three major categories in its fraud tree: Corruption, Asset Misappropriation and Financial Statement Fraud. There are vulnerabilities throughout the supply chain – including upstream, mid-stream and downstream, and each business’ strategic risks will vary depending on whether it is a multi-national oil producer or a regional producer or supplier.
For multi-national oil producers, if higher-cost domestic projects are shut down in favour of emerging markets, then corruption is by far the most frequently reported occurrence of fraud in the oil and gas sector. Many emerging markets have a nationalized oil and gas sector, and third-party facilitators are used in order to secure contracts. Purchasing schemes, sales kickbacks, bid rigging, and bribery are all prevalent corruption schemes.
On the other hand, in production stages, where third-party contractors are hired for engineering, procurement, and construction, diligent oversight of assets, billing and timesheets is critical for preventing fraud. Other emerging risk areas to be considered include cybercrime, lack of governance, poor network security, intellectual property theft, and lack of a whistleblower hotline, to name just a few.
Based on strategic vulnerabilities specific to each business, map out control objectives needed to prevent or detect occurrences of fraud – at a macro- or micro-level of risk. Start by deconstructing the strategic fraud risk—say corruption or third-party oversight—into micro-level risks, and assess them using industry-standard likelihood and impact ratings. Then, map key controls in the organization to mitigate the micro-level risks.
An example of a corruption micro-risk is using a one-time vendor to facilitate an inappropriate payment. A corresponding mitigation control would be that every one-time vendor transaction over a material threshold (say $20,000) must be reviewed by the Controller. Another control might be implementation of a gift-approval hotline that seeks pre-approval prior to offering a gift or benefit to a supplier or government official, to ensure an adequate framework exists to prevent bribery or corruption.
Every strategic area of vulnerability can be re-engineered into micro-level risks that can be measured with a key control to mitigate it. Think about processes like payroll, travel & expenses, purchase card programs, purchase-to-payment processes, comparing data from your ERP system to a third-party system for reconciliation, vendor billing review… the list goes on. All of these represent material revenues or expenses to your business that may require controls.
Now that the company has conducted a strategic assessment of the environment and mapped key controls and objectives to mitigate those vulnerabilities, how do you know the controls are effective? What level of assurance do they provide? Monitoring is the answer.
Expenses are a window into the soul of a company and, if someone isn’t continuously monitoring them, the door may be left open to misconduct. Data analysis isn’t a skill or competency; it is a MUST for a robust fraud management program because it’s the only way to detect transactional needles in a big-data haystack.
Control objectives like Vendor Management or Third-Party Billing, or IT (e.g. Segregation of Duties, Logical Access, etc.) all have transactional data that can be measured and monitored. Exceptions can be detected based on thresholds established by your business owners. Records can be flagged and assigned for further review, investigation, and remediation to rule out suspicious activity or escalate if a material control or policy gap exists.
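As an added illustration (not code from the original article), the Python sketch below monitors the one-time vendor control described earlier: it flags one-time vendor payments over the $20,000 threshold that lack a Controller review, or where the reviewer also entered the payment, and queues them for follow-up. The record fields, role label, user names and assignee are assumptions, and the sample payments are constructed.

```python
from decimal import Decimal

THRESHOLD = Decimal("20000")  # material threshold used in the article's example

# Constructed sample payment records; the field names are assumptions,
# not the schema of any particular ERP system.
PAYMENTS = [
    {"id": "P-001", "one_time_vendor": True, "amount": "48250.00",
     "entered_by": "ap.clerk1", "reviewed_by": "controller1", "reviewer_role": "controller"},
    {"id": "P-002", "one_time_vendor": True, "amount": "31900.00",
     "entered_by": "ap.clerk2", "reviewed_by": None, "reviewer_role": None},
    {"id": "P-003", "one_time_vendor": True, "amount": "27400.00",
     "entered_by": "ap.clerk1", "reviewed_by": "ap.manager", "reviewer_role": "manager"},
    {"id": "P-004", "one_time_vendor": True, "amount": "22000.00",
     "entered_by": "controller1", "reviewed_by": "controller1", "reviewer_role": "controller"},
    {"id": "P-005", "one_time_vendor": True, "amount": "20000.00",
     "entered_by": "ap.clerk2", "reviewed_by": None, "reviewer_role": None},
    {"id": "P-006", "one_time_vendor": False, "amount": "95000.00",
     "entered_by": "ap.clerk1", "reviewed_by": None, "reviewer_role": None},
]

def control_exceptions(payments, threshold=THRESHOLD):
    """Return (payment id, reason) for each payment that breaks the control."""
    findings = []
    for p in payments:
        # Decimal avoids float rounding right at the threshold boundary.
        in_scope = p["one_time_vendor"] and Decimal(p["amount"]) > threshold
        if not in_scope:
            continue
        if p["reviewed_by"] is None:
            findings.append((p["id"], "no review recorded"))
        elif p["reviewer_role"] != "controller":
            findings.append((p["id"], "reviewed, but not by the Controller"))
        elif p["reviewed_by"] == p["entered_by"]:
            # Segregation of duties: the reviewer must not be the person who entered it.
            findings.append((p["id"], "reviewer also entered the payment"))
    return findings

def review_queue(findings, assignee="internal-audit"):
    """Turn findings into work items assigned for follow-up (assignee is hypothetical)."""
    return [{"payment": pid, "reason": why, "assigned_to": assignee, "status": "open"}
            for pid, why in findings]

if __name__ == "__main__":
    for item in review_queue(control_exceptions(PAYMENTS)):
        print(item)
```

The payment of exactly $20,000 is out of scope because the control applies to transactions over the threshold; lowering the threshold passed to `control_exceptions` brings it into the queue.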
Undertaking these three key steps in a fraud management program will help the company illuminate areas of strategic vulnerability, bestow confidence that the right controls are in place, and provide assurance over top-line revenues and operating expenses. This results in an environment that reduces occurrences of fraud and helps preserve margins in a time when price volatility is eroding profitability, competitiveness, and shareholder confidence.