It doesn’t seem like that long ago. The massive financial collapse of Enron Corp. took place back in 2001, finally culminating with the company’s declaration of bankruptcy on Dec. 2 of that year. Enron shareholders lost a total of $74 billion. Enron employees lost billions’ worth of 401(k) plan benefits.

At the time, it was the largest corporate bankruptcy ever.

Enron’s virtual disintegration exposed unprecedented accounting and corporate fraud. When the U.S. Securities and Exchange Commission (SEC) launched a probe into Enron’s finances in October 2001, many pipeline executives were afraid that the industry would face a complete loss of credibility in the financial community.

No pipe problem
But Enron’s pipeline business wasn’t the problem. During the dot-com era in the 1990s, Enron reinvented itself. It was no longer just a pipeline company; it launched initiatives in energy supply and the Internet. It built power plants and started an online trading business. Enron also entered the broadband communications market and even launched a water company.

Enron was flying high. The company had undergone a spectacular transformation that made it a darling of Wall Street and winner of numerous innovation awards. However, Enron severely overvalued its new assets and implemented a series of financial schemes to cover up big losses in those new businesses.

When the dot-com bubble burst in 2000, Enron found itself overexposed in the market, and the collapse began.

Ultimately, it was the dot-com industry, not the pipeline industry, which rocked the investing world. By the end of 2000, the dot-coms had lost well over $1.7 trillion in market value.

The federal government had to step in. Not only were the dot-coms crashing, the country was in a recession, and Enron-like accounting scandals were coming to light in other industries at companies such as Adelphia, Peregrine Systems, Tyco International and WorldCom. WorldCom’s bankruptcy in June 2002 eclipsed Enron’s. The scandals shook public confidence in U.S. securities markets. With midterm elections coming up in November of that year, action on the part of the government proceeded quickly.

‘Remarkable consensus’
The House and Senate undertook hearings that focused on the scandals. According to then-Sen. Paul Sarbanes, D- Md., “[The Senate] hearings produced remarkable consensus on the nature of the problems: inadequate oversight of accountants, lack of auditor independence, weak corporate governance procedures, stock analysts’ conflict of interests, inadequate disclosure provisions, and grossly inadequate funding of the Securities and Exchange Commission.”

Congressman Mike Oxley, R-Ohio, introduced the “Corporate and Auditing Accountability, Responsibility, and Transparency Act of 2002,” which passed the House in April that year. Meanwhile, Sen. Sarbanes was working on his own legislation and introduced the “Public Company Accounting Reform and Investor Protection Act of 2002,” which passed in the Senate that July. A reconciled version of the two acts, formally named the “Sarbanes-Oxley Act of 2002,” took only a day to pass overwhelmingly in the House and Senate. President George W. Bush signed the act into law on July 30, 2002.

Soon, people were using the abbreviation “SOX” for the new law.

SOX was intended to ensure the reliability of publicly reported financial information and restore investor confidence in U.S. capital markets. It revised numerous laws dating back to the Franklin D. Roosevelt administration during the Great Depression, including the Securities Act of 1933 and the Securities Exchange Act of 1934. SOX significantly expanded responsibilities for corporate boards, directors, executives, auditors, attorneys and securities analysts. It also subjected this group of people to serious penalties for non-compliance.

Today, SOX continues to loom large across all industries. Its reach extends from the C-suite and board of directors, deep into company routines such as day-to-day operations in oil and gas measurement departments. Because SOX required companies to implement processes that ensure the accuracy of reported results, the integrity of the measurement process was brought into finer focus.

SOX is organized into 11 titles or sections, most of which address the measurement process in one way or another. The two most important are Sections 404 and 409.

Section 404 has been the most controversial provision in SOX. It states that it is management’s responsibility to maintain a sound internal-control structure for financial reporting and to assess its own effectiveness. It is the responsibility of the auditors to attest to the soundness of management’s assessment and report on the state of the overall financial control system.

Section 409 covers real-time disclosures. In terms that are easy to understand, companies are required to disclose to the public, on an urgent basis, information about material changes in their financial condition or operations.

Dynamic nature
For those who are not involved with compliance on a day-to-day basis, the dynamic nature of SOX could seem surprising. Since 2002, there have been few legal challenges or revisions to the law. Given that it was produced so hastily, that is surprising.

The Jumpstart Our Business Startups (JOBS) Act of 2012, signed by President Barack Obama, did exempt emerging growth companies from certain SOX requirements, such as those in Section 404.

The Financial CHOICE Act that passed the House of Representatives last year relieves some of the SOX auditing requirements for internal controls at smaller institutions; however, CHOICE has run into a roadblock in the Senate. Meanwhile, the Senate has passed the Economic Growth, Regulatory Relief and Consumer Protection Act, other legislation that has similar intentions to CHOICE but includes nothing related to SOX.

In either case, SOX is a relatively minor issue. The main intentions of the CHOICE Act and the Economic Growth, Regulatory Relief and Consumer Protection Act are to overturn significant portions of the Dodd-Frank Act, which was signed into law in 2010. We will have to see if a reconciled version of the two includes any SOX-related provisions.

Many industry groups do have their sights set on SOX Section 404, and we shouldn’t be surprised to see more legislation to that effect. For instance, the Community Bank Access to Capital Act of 2017 would relax Section 404 compliance for banks with less than $1 billion in assets.

Still, the bottom line is that SOX has endured the past 16 years largely intact and unscathed. Why, then, is there so much new compliance activity?

Changing compliance
It turns out that even if the law doesn’t change, compliance rules do.

SOX required the SEC to implement the initial rulings that put the law into practice. One of the SEC’s actions, dictated by SOX Title I, was the creation of the Public Company Accounting Oversight Board (PCAOB) to provide independent oversight of public accounting firms providing audit services.

Since then, the PCAOB has been actively issuing new auditing standards, for example, to govern audits of internal controls. In 2016, the PCAOB issued a proposal to further refine the potential reporting requirements around critical audit matters (CAMs). As a result, external auditors have faced increasing inspection report requirements from the PCAOB and are placing more focus on evaluating deficiencies. While the past two years have been very busy for external auditors, the CAMs effects, including the measurement function, extend throughout companies.

SOX also required management at public companies to select an internal control framework and annually assess and report on the design and operating effectiveness of their internal controls. Once SOX was passed into law, most companies adopted the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) 1992 framework. COSO’s release of an updated version in 2013 caused an uptick in activity that has only recently returned to normal.

The Financial Accounting Standards Board (FASB) has also issued standards that affect SOX compliance. Companies are now updating controls documentation to comply with the FASB’s new revenue recognition standards. The FASB update on Revenue from Contracts with Customers is effective for fiscal years beginning after Dec. 15, 2017.

A more recent FASB update overhauls lease accounting and is effective for fiscal years beginning after Dec. 15, 2018.

Many of the dynamics come from companies themselves. Since 2002, mergers and acquisitions have continued to be rampant, but business processes have also drastically changed; companies are undergoing digital transformations and finding that regulations or enforcement actions by other federal agencies such as the Federal Energy Regulatory Commission, Department of Transportation/Pipeline and Hazardous Materials Safety Administration and Bureau of Land Management all have SOX implications.

Meanwhile, energy industry companies seek to optimize SOX compliance, streamline their audits and minimize costs.

The measurement function
While SOX immediately impacted measurement operations following passage in 2002, more recent actions on the part of COSO, FASB, PCAOB and government regulatory agencies have continued to make SOX compliance a moving target.

Compliance is now more than maintaining measurement integrity and keeping close tabs on monthly closeouts and reporting how lost and unaccounted-for quantities are handled. Controls have to be in place, processes must be thoroughly documented, compliance with those processes must be proven, failures that result in material errors must be reported and cybersecurity incidents must be disclosed.

It is now more important than ever to document everything that a SOX audit might require—including the entire measurement process. The entire team must understand the information contained in all measurement records and documentation. The PCAOB further requires clear proof that the manager who approved the process actually reviewed it in detail.

Documenting the entire measurement process can be daunting, but we know many cases in which this work has been completed. A measurement automation application really helps organize it. All office and field processes must be included. In addition to routine processes such as monthly closeout, processes for prior period adjustments, system balancing, data validations, anomaly management and handling of lost and unaccounted-for quantities must be documented.

Processes inevitably change, too, making revision tracking extremely important. A revision report must document not only what changed but also how and why. The result of the change must be tracked as well, and all personnel involved must be identified and their contributions specified.

Many of the PCAOB’s updated audit requirements affect measurement audits, which are now more critical than ever. A measurement audit will evaluate how effective a company’s measurement process is, identify potential financial exposures and specify areas for improvement.

Measurement audits
Typically, the measurement audit thoroughly evaluates the measurement process, how well it is documented, how the company complies with it and how the company documents that compliance. It also assesses corrective actions and how they are recorded. The audit could assess selected process equipment such as meters and tanks. Inspections and maintenance of all process equipment must be included in the company’s measurement process.

The process must also include all policies, procedures, controls and training. New PCAOB requirements mean that not only does the measurement process require a description of a particular provision, such as training, it also requires the company to document how it complies with that description and to record the occurrence of all training sessions.

Many of the new requirements related to SOX are information technology (IT) -focused, particularly regarding security.

With IT and operating technology merging, some measurement departments have found themselves responsible for the measurement computing infrastructure. That brings an entirely new list of implementation measures and reporting requirements into play.

Companies are required to disclose cybersecurity incidents. This brings scrutiny to a reporting company’s cybersecurity implementation. Management must document and enforce access controls, user identification and authentication, review and monitoring of user accounts, and security of online information.

All cybersecurity measures taken, including hardware and software in use, must be reported. Security product reports must include version management and update history.

Disclosures must include malicious-software detection, correction and prevention; unauthorized software; and violation of security protocols, including activity reports.

Risk assessments must be included, and management must report on plans to address any potential problems it uncovers.

Compliance dynamics
Although SOX has endured the past 16 years largely unchanged, new rules and requirements on the part of various entities such as COSO, the FASB and PCAOB have injected dynamics into SOX compliance. Due to the vast reach of SOX reporting requirements, even seemingly unrelated actions on the part of regulatory agencies and corporations can affect SOX compliance.

Most of these activities have direct consequences for oil and gas company measurement departments. It’s now a lot more than maintaining measurement integrity. Processes must be thoroughly documented and compliance with those processes proven. Management review must also be proven. In addition, failures that result in material errors must be reported, and cybersecurity incidents must be disclosed.

With talk of new potential challenges to SOX, and with anticipation that activity on the parts of COSO, FASB, PCAOB and others will go on, SOX compliance will continue to be a dynamic process.

Mike Squyres is president of Flow-Cal Inc.