September 2003
Corporate Accountability Reforms Require Energy Firms to Improve Transaction Controls
Described by George W. Bush as "the most far-reaching reforms of American business practices since the time of Franklin D. Roosevelt", Sarbanes-Oxley reached its first birthday recently. But while the jury is still out on its effects, there is no doubt that it has reduced the scope for corporate malfeasance. Here, MATTHEW FRYE of OpenLink discusses the impact and effects of the Act for Energy companies.
One of the results of last year's Sarbanes-Oxley Act is that energy companies - especially those still relying on patchwork solutions of disparate, antiquated (or orphaned) systems which require significant manual workarounds for their transaction management needs - have a lot of compliance work cut out for them. Signed into law on July 30th, 2002, Sarbanes-Oxley is believed to be the most crucial US legislation affecting corporate governance, financial disclosure, and public accounting since the landmark securities laws passed after the country's 1929 stock market crash.
Rules for a Post-Enron New World Order
The act - named after its chief authors, Sen. Paul Sarbanes (D-Maryland) and Rep. Mike Oxley (R-Ohio) - was passed in response to scandals involving Enron Corp., Arthur Andersen, and others. Among other things, it requires companies to retain electronic documents, prescribes tougher criminal penalties for altering or destroying records, and creates a powerful Public Company Accounting Oversight Board.
Since its signing, the Securities and Exchange Commission (SEC) has been working on regulations to implement various provisions of the law. On May 27th, 2003, the SEC voted to adopt rules requiring company executives to report annually on the internal safeguards that are built into their financial reporting procedures, as required by Section 404 of the law. Under the final rules, an organization's internal control report would have to contain:
- A statement of responsibility for establishing and maintaining adequate internal control over financial reporting for the company
- A statement identifying the framework used to evaluate the effectiveness of this internal control
- An assessment of the effectiveness of this internal control as of the end of the company's most recent fiscal year
- A statement that its independent auditor attested to the assessment
This internal evaluation must be conducted using a recognized control framework and, according to the guidelines, the company must retain records "that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the registrant."
The SEC goes on to state that firms must "provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and receipts and expenditures of the registrant are being made only in accordance with authorizations of management." And finally, companies must provide a reasonable assurance that their systems will prevent or detect, on a timely basis, unauthorized acquisition, use, or disposition of assets that could have a material effect on their financial statements.
The theory behind all of this is that enhanced operating control requirements will better protect companies and their stockholders against 'rogue traders' whose unauthorized actions can - and have in the past - bankrupted their employers.
A Reality Check
The compliance date of June 15th, 2004 has left many energy companies scrambling to assess the business impact and their vulnerabilities. Some have hired consultants, some have left compliance in the hands of the CFO and their staff, and others, slower in their reaction, are doing little. Since the act is relatively new and untested, companies are not clear about what steps must be taken to ensure compliance.
A good place to start is to review how transactions are managed within each company. If the firm has a well-established audit department or committee that actually reviews and approves internal control procedures and protocols, it is ahead of the game. Unfortunately, most energy trading activities and their conventional practices often are at odds with control and compliance procedures. For example, traders are often not required to enter their own trades into a firm's trading and risk management systems. Or traders are allowed to use their own or company-sanctioned Excel spreadsheets for pricing and position management purposes because they claim other tools, especially those from trading and risk management systems, are of no value. Yet, one bad cell formula can be very costly and is the very kind of operational risk that the Sarbanes-Oxley Act targets.
Since most energy firms rely on patchwork solutions on a daily basis, they also have to deal with constant integration-related problems. In addition, the company's official book of records is likely maintained or spread across multiple systems, including spreadsheets. For instance, physical positions are maintained in the scheduling system and/or Excel spreadsheets, while financial trades are kept within the risk system. Implementing sound, rigorous control over these typical patchwork scenarios will be a major challenge for any firm.
An Unexpected Silver Lining
The good news is that energy firms that have recently implemented new systems are in a much better position to tackle this compliance issue. Some have replaced multiple systems with a new Straight-Through-Processing solution (STP), while others have installed new risk or scheduling systems. If you have replaced multiple systems with an STP solution, then you are much closer to the compliance goal post, assuming that the new system has all the modern facilities such as full audit capabilities, detailed user security privileges, multi-step validation, and secured database control, to mention a few. You can now focus on developing proper control protocols and procedures (around the new system) as well as implementing effective tools for managing and measuring operational risk factors, completing the support for the first three requirements and objectives of Sarbanes-Oxley.
If you have a new basic deal-capture, risk, or logistics system, you are still ahead compared to a typical patchwork scenario. Your strategy should be to leverage the new-found capabilities of the system, regardless of its primary focus, and ask: "Can this new system manage the firm's book of records?" If not, you must look to see how to supplement it so that it can, at least, be the anchoring system within a larger solution. And, if budgets are tight - as many are - you'll need to balance working with what you have with developing more elaborate control and compliance procedures to specifically support this 'anchoring' approach. Finally, implementing robust (more than just effective) operational risk tools may just push you over the hump. The key word here is 'robust', meaning that these tools must have proactive facilities to track and monitor losses due to operational risks (e.g., failed manual workarounds, dropped interfaces, human errors, etc.), and measurement capabilities to prevent such losses in the future. Examples of robust risk measurement capabilities are: Key Risk Indicator Analysis, Anomalies Detection, and Stress Testing on Plausible Operational Failures.
For the Rest
If you are already struggling with the daily problems of aging patchwork solutions, your compliance problem could be even larger, and your organization's senior management has to consider one simple question: "Even if you can develop the most elaborate control and compliance procedures around your failing patchwork environment, will your auditor sign off on it?" If the answer is no, you'll have no choice but to upgrade your environment. If a wholesale upgrade project seems too costly and risky, you must at least eliminate your weakest link and leverage its replacement as the new anchoring system.
The best way to do this is to identify system solutions that can replace your weakest point today, while offering additional capabilities that can be substituted for other aging functionality in the future, allowing you to gradually upgrade your environment based on available budgets. The key to this approach is identifying an anchor solution with flexible and comprehensive capabilities, which, once implemented, allows you to map out the remainder of your upgrade and compliance work.
Although most companies may view the additional requirements under Sarbanes-Oxley as onerous, for those still relying on spreadsheets with limited security features, the impact could be far worse. While the act introduces new penalties of up to US$25 million and imprisonment for up to 20 years for a person who "knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record" - including electronic - with the intent of impeding a government investigation, the liability of the company that facilitates this action by not taking adequate precautions could be far worse. With these penalties as a guideline, is it really worth the risk?
Matthew Frye is Managing Director of OpenLink's Houston, Texas, division. With over 20 years of experience in energy markets, including trading, risk management, and operations software, Frye leads a team of business analysts and software engineers focused on dynamic, integrated solutions for energy trading firms.
As seen in Commodities Now magazine - September 2003
Copyright © 2003 Isherwood Production Ltd. All rights reserved.

