Mitigating risks for oil and gas accounting fraud


Fraud, third-party supplier risk and data breaches are operational risks that can destroy a company's brand. Preparing for fraudulent activity is no easy feat: it is hard enough to run an oil and gas business in today's uncertain times, and harder still to mitigate fraud risk and prepare your company to handle a fraudulent act when it occurs.

Companies are especially vulnerable right now as they work to manage their teams, customers, partners and suppliers. In March 2020, the FBI issued warnings about increased fraud, advanced persistent threat activity and phishing attempts related to COVID-19.

Given the vast profits the biggest oil and gas companies generate, it is no surprise that fraud has plagued the industry since its beginning. Most owners and leadership teams assume it will never happen to them, and that only the largest companies are targets. That mindset leaves the door wide open for an employee or an outside bad actor to misappropriate the company's assets.

What types of fraud are we talking about?

The Association of Certified Fraud Examiners (ACFE) estimates that fraud costs more than $990 billion annually. The ACFE defines occupational fraud, the kind this article addresses, as:

“The use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the organization’s resources or assets.”

Fraud has four essential elements:

  1. The act involves a material false statement.
  2. The person making the statement knew it was false when it was made.
  3. The victim relied on the false statement.
  4. Damages resulted from the victim’s reliance on the false statement.

Deterring fraud takes dedicated vigilance from management and must be a top-level priority at all times. Our team of oil and gas accountants and experts has outlined automated and high-touch processes suitable for companies of any size.

Create and define your alerts

Automated alerts triggered by specific changes, delivered to a mobile device, are often the first line of defense because they let you respond quickly.

Defining your alerts is the first step. Bring key executives and company stakeholders together to decide which tasks are priorities and set the policy. Give each alert an identifier and a description, and specify when and how you are notified.

You also need to determine how many users must respond to each alert, and whether related alerts should be combined according to rules you set.

Task definitions to consider monitoring include:

  • ACH Bank Account
  • Sub-Account Change
  • Account Change
  • Update/ Post/ Unpost Deposit(s)
  • Standard Entries Due in X Days
  • Account Balance (i.e. Cash account(s))
  • Posting Allowed Date Change
  • Restore Company Data
  • Invalid Password
  • Land Pmt Obligations
  • Land To-do

Each task then needs its parameters defined. Examples include:

  • Account change – Specify which changes trigger an alert, or a threshold number of changes above which an alert is generated.
  • Automatically shut down after – The length of time after which the alert emailer shuts itself down. New alerts are not processed or sent until the program is launched again. Shutting down lets your system's automatic backup, or any other scheduled server process, run without interference.
  • Warn alert manager if emailer is down on Saturday or Sunday – A user can be designated as the alert manager and is notified if the emailer is not running. Those warnings are suppressed on weekends unless these options are checked.
  • Email pending approvals – If you use the AP approval process as well as the PO approval process, you can set up three (3) email times at which pending-approval alerts are sent, in addition to the software's popup notifications.
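To make the alert definitions above concrete, here is an added example (not WolfePak's code) that evaluates a small alert policy against a few constructed change-log lines: each definition has an identifier, a description, a triggering event, a threshold within a time window, the number of responders required, and a flag saying whether repeat hits are folded into the open alert rather than re-notifying. The log format, event names, user names and rule values are all assumptions for illustration.

```python
"""Rule-based alerting over an accounting change log (added example, assumptions throughout)."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample log, one event per line: timestamp|user|event|target|detail
SAMPLE_LOG = """\
2020-04-06T08:02:10|jdoe|LOGIN_FAILED|jdoe|bad password
2020-04-06T08:02:25|jdoe|LOGIN_FAILED|jdoe|bad password
2020-04-06T08:02:41|jdoe|LOGIN_FAILED|jdoe|bad password
2020-04-06T09:15:00|mlee|ACCOUNT_CHANGE|1010-CASH|description edited
2020-04-06T09:16:30|mlee|ACCOUNT_CHANGE|1020-CASH|description edited
2020-04-06T09:17:05|mlee|ACCOUNT_CHANGE|2010-AP|description edited
2020-04-06T09:17:40|mlee|ACCOUNT_CHANGE|2020-AP|description edited
2020-04-06T11:45:12|mlee|ACH_BANK_ACCOUNT_CHANGE|VENDOR-4471|routing and account number updated
2020-04-06T16:20:00|admin|POSTING_DATE_CHANGE|COMPANY|posting allowed date moved back to 2020-01-01
"""

@dataclass
class Event:
    ts: datetime
    user: str
    kind: str
    target: str
    detail: str

def parse_log(text):
    """Parse the pipe-delimited sample format into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, kind, target, detail = line.split("|", 4)
        events.append(Event(datetime.fromisoformat(ts), user, kind, target, detail))
    return events

@dataclass
class AlertDef:
    ident: str                      # identifier, e.g. "A01"
    description: str
    event_kind: str                 # which change-log event triggers it
    threshold: int = 1              # events by one user inside the window before it fires
    window: timedelta = timedelta(minutes=10)
    responders_required: int = 1    # how many users must acknowledge
    combine_by_user: bool = False   # fold further hits into the open alert instead of re-notifying

# Assumed alert policy (identifiers and thresholds are illustrative)
ALERT_DEFS = [
    AlertDef("A01", "ACH bank account changed", "ACH_BANK_ACCOUNT_CHANGE", responders_required=2),
    AlertDef("A02", "Burst of account changes by one user", "ACCOUNT_CHANGE",
             threshold=3, window=timedelta(minutes=5), combine_by_user=True),
    AlertDef("A03", "Posting allowed date changed", "POSTING_DATE_CHANGE", responders_required=2),
    AlertDef("A04", "Repeated invalid passwords", "LOGIN_FAILED", threshold=3, combine_by_user=True),
]

@dataclass
class Alert:
    ident: str
    user: str
    description: str
    responders_required: int
    events: list = field(default_factory=list)

def evaluate(events, defs):
    """Apply every definition with a per-user sliding window; return the alerts raised."""
    alerts = []
    for d in defs:
        recent = defaultdict(list)   # user -> events still inside the window
        open_alert = {}              # user -> alert already raised (for combining)
        for ev in sorted(events, key=lambda e: e.ts):
            if ev.kind != d.event_kind:
                continue
            window = recent[ev.user]
            window.append(ev)
            while ev.ts - window[0].ts > d.window:   # expire events older than the window
                window.pop(0)
            if len(window) < d.threshold:
                continue
            if d.combine_by_user and ev.user in open_alert:
                open_alert[ev.user].events.append(ev)  # merge into the open alert, no new notification
                continue
            alert = Alert(d.ident, ev.user, d.description, d.responders_required, list(window))
            alerts.append(alert)
            open_alert[ev.user] = alert
            if not d.combine_by_user:
                recent[ev.user] = []   # start counting afresh after firing
    return alerts

def digest_by_user(alerts):
    """Group raised alerts per user so one person's activity arrives as one message."""
    out = defaultdict(list)
    for a in alerts:
        out[a.user].append((a.ident, len(a.events), a.responders_required))
    return dict(out)

def run_sample():
    return evaluate(parse_log(SAMPLE_LOG), ALERT_DEFS)

if __name__ == "__main__":
    for user, items in digest_by_user(run_sample()).items():
        print(user, items)
```

On the sample log this raises four alerts: the ACH change and the posting-date change fire immediately and each needs two responders; the three failed logins by jdoe fire once; and mlee's four account edits inside five minutes fire once, with the fourth edit merged into the open alert because the definition combines repeats per user. The digest then puts both of mlee's alerts into a single notification.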

Secure Personally Identifiable Information (PII)

Personally Identifiable Information (PII) is any data that could identify an individual. PII can be sensitive or non-sensitive. Sensitive PII, such as Social Security numbers or bank account details, could harm the individual if exposed. Non-sensitive PII is information already available in public sources such as websites, public records and phone books.

No company wants sensitive PII compromised. When it happens, the data is exposed and the company's reputation can be damaged irreparably.

Secure PII through user-level security, PII-specific permissions, approval processes, company- and user-level passwords, and the alerts you defined. Examples include:

  • Strong password usage – Most company passwords are easy to break. Follow the advice of your system administrator or IT team on the approach that best suits your company. Passwords can be set to expire after a pre-defined number of days; note that current NIST guidance (SP 800-63B) recommends against forced periodic rotation unless compromise is suspected, and favors length, uniqueness and multi-factor authentication instead.
  • User level security – Restricting access, with a zero-trust mindset, is critical. The system administrator should grant each user only the access their job requires (least privilege); not everyone should have the same access.
  • User level password management – Every user must have their own credentials, never a shared login, so that entries posted by a user are date- and time-stamped with that user's ID and cannot have been made by someone else. Users must safeguard their passwords and bring any suspected compromise to management's attention immediately.
  • Change logs – Logging every change, action, addition and deletion is a best practice: it lets you determine what happened after an incident and supports audits and Sarbanes-Oxley (SOX) compliance. Write the logs somewhere the users they cover cannot edit or delete them, or the record cannot be trusted.

Education and culture are the best prevention

Industry statistics consistently point to user error as the leading way companies are hit with fraud and breaches, and more often than not the error is not malicious. A culture of transparency and compliance has to come from the executive team: if leadership practices the internal controls daily, the rest of the company follows far faster.

Ways companies can create a strong culture of transparency and compliance include:

  • Practice good hiring procedures – When hiring, consider whether the candidate shares your organization's core values and would be a good fit. Run background checks. Call references. Interview more than once if necessary.
  • Educate for red flags – Regular training helps mitigate fraud risk. Teach your team how to recognize a potential fraud and how to report it.
  • Conduct consistent and frequent audits – Audit your oil and gas accounting function on an ongoing basis to confirm your data is correct and free of misstatements. Make audits a normal course of business so employees are not surprised and do not lose productivity.
  • Separate duties – Separation of duties within the accounting function is a cornerstone of fraud prevention: no single person should be able to set up a vendor, enter an invoice, approve it and release the payment. Splitting those steps among different people makes abnormalities easier to track and recognize.
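Separation of duties is a control you can test mechanically. The following is an added example (not WolfePak's code) that runs two checks over constructed accounts-payable records: a static check that no user holds two roles that should be split, and a transactional check that no single user actually performed two incompatible steps on the same payable. The duty names, the incompatible pairs, and the user, vendor and invoice identifiers are all assumptions chosen for illustration.

```python
"""Separation-of-duties (SoD) checks over accounts-payable records (added example, assumptions throughout)."""

# Pairs of duties one person should never hold together (assumed policy)
INCOMPATIBLE = {
    frozenset({"vendor_maintenance", "invoice_approval"}),
    frozenset({"vendor_maintenance", "payment_release"}),
    frozenset({"invoice_entry", "invoice_approval"}),
    frozenset({"invoice_approval", "payment_release"}),
}
STEPS = ("vendor_maintenance", "invoice_entry", "invoice_approval", "payment_release")

# Constructed role assignments: cwang holds a conflicting pair
ROLES = {
    "asmith": {"invoice_entry"},
    "bjones": {"invoice_approval"},
    "cwang": {"payment_release", "vendor_maintenance"},
    "dpatel": {"vendor_maintenance"},
}

# Constructed AP records: which user performed each step on each payable
PAYABLES = [
    {"invoice": "INV-1001", "vendor": "V-100", "vendor_maintenance": "dpatel",
     "invoice_entry": "asmith", "invoice_approval": "bjones", "payment_release": "cwang"},
    {"invoice": "INV-1002", "vendor": "V-207", "vendor_maintenance": "cwang",
     "invoice_entry": "asmith", "invoice_approval": "bjones", "payment_release": "cwang"},
    {"invoice": "INV-1003", "vendor": "V-300", "vendor_maintenance": "dpatel",
     "invoice_entry": "bjones", "invoice_approval": "bjones", "payment_release": "cwang"},
]

def conflicts(duties):
    """Incompatible pairs fully contained in a set of duties, as sorted tuples."""
    return sorted(tuple(sorted(p)) for p in INCOMPATIBLE if p <= duties)

def static_violations(roles):
    """Users whose assigned roles alone would let them complete a conflicting pair."""
    return sorted((user, pair) for user, held in roles.items() for pair in conflicts(held))

def transactional_violations(payables):
    """Payables on which one user actually performed two incompatible steps."""
    found = []
    for rec in payables:
        performed = {}                      # user -> steps that user did on this payable
        for step in STEPS:
            performed.setdefault(rec[step], set()).add(step)
        for user, steps in performed.items():
            found.extend((rec["invoice"], user, pair) for pair in conflicts(steps))
    return sorted(found)

def needs_second_review(payables):
    """Compensating control for small teams: payables that must go to an independent reviewer."""
    return sorted({inv for inv, _, _ in transactional_violations(payables)})

if __name__ == "__main__":
    print("role conflicts:", static_violations(ROLES))
    print("transaction conflicts:", transactional_violations(PAYABLES))
    print("route to second reviewer:", needs_second_review(PAYABLES))
```

In the sample data, INV-1002 is the classic fictitious-vendor pattern (the same user set up the vendor and released the payment to it), and INV-1003 shows one user both entering and approving an invoice. The static check catches cwang's conflicting role assignment before any transaction happens, which is where a small company that cannot fully split roles should at least route every flagged payable to an independent reviewer.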

Planning for the unknown is never easy, and the fraud prevention measures you choose will depend on your company's needs and policies. The key to a strong approach is a well thought out plan that can be implemented easily, monitored, adopted by employees and updated on an ongoing basis. The more fraud prevention becomes part of your company's DNA and standard operating procedure, the better prepared you will be to deter fraud and to respond when it occurs.

WolfePak Software is committed to ensuring a secure and safe operating environment for data and financial reporting. For more information about how WolfePak can evaluate and support your fraud prevention efforts, email us at sales@wolfepak.com or call +1 (325) 677-1543.