"We need people in internal audit who have a technological viewpoint because that’s the future. We also need critical thinkers and good communicators. That won’t change, because internal auditors need to gain people’s trust very quickly and establish an air of collaboration and honesty."
- Gary Daugherty, Vice President, Internal Audit
Occidental Petroleum Corporation is an international oil and gas exploration and production company with operations in the United States, the Middle East and South America. It is one of the largest U.S. oil and gas companies, based on equity market capitalization, and the biggest operator and oil producer in the Permian Basin in the southwestern United States. At the end of 2018, Occidental had more than 38,000 employees and contractors supporting its operations worldwide.
The company’s Midstream and Marketing segment is composed of several businesses that purchase, market, gather, process, transport or store hydrocarbons and other commodities. Occidental also has a wholly owned subsidiary, OxyChem, which is a major North American chemical manufacturer. Dallas-based OxyChem manufactures PVC resins, chlorine and caustic soda, which are essential to developing products such as plastics, pharmaceuticals and water treatment chemicals.
"Outsourcing that heavy workload also helps Occidental’s internal audit team and their co-source partners focus on other projects that create value for the business."
Occidental, which is organized in Delaware, was founded in California in 1920. Occidental maintained corporate headquarters in Los Angeles until about five years ago, when the company decided to move its corporate functions to Houston — the headquarters city of its oil and gas business.
Gary Daugherty, Occidental’s vice president of internal audit, oversees a lean team in Houston — two directors, one manager and one senior auditor. However, the function receives ample support for projects through its co-sourcing partners. “I would say our co-sourcing model for internal audit is unique among our peers in the oil and gas sector,” says Daugherty. “My team manages and scopes all the projects, but we co-source most of our work with others. So, rather than bringing in subject-matter specialists on a project-by-project basis, we partner with our service providers.”
Establishing ERM and Overseeing ERP Controls Design
The co-sourcing model for internal audit has been in place at Occidental since 1998; previously, the company outsourced all of its audit work. The team performs between 70 and 80 internal audits per year, including assurance and advisory projects, cybersecurity reviews, Sarbanes-Oxley (SOX) compliance, and contract compliance audits. It still relies on a third-party provider to handle contractor audits, however, which represent about 40% of the audit work in terms of volume, according to Daugherty. “Outsourcing contractor audits provides a lot of cost recoveries to the business and helps us tighten our contract terms and conditions,” he says.
Outsourcing that heavy workload also helps Occidental’s internal audit team and their co-source partners focus on other projects that create value for the business. For example, the auditors are collaborating with one of their longtime co-source partners to drive Occidental’s enterprise risk management (ERM) initiative. “We wanted risk ownership to reside within the business,” says Daugherty. “So, in the first phase of the project, we set up an ERM council, which is made up of five key executives who report directly to the CEO, and an ERM team with about 20 high-level business owners.”
The second phase of the ERM initiative, to be completed by the end of 2019, centers largely on data. “We’re developing dashboards with key risk indicators and key performance indicators for monitoring any changes in risk,” says Daugherty. “It’s been a really fun and eye-opening experience for us.”
Another major project internal audit is helping to support is the oil and gas group’s implementation of SAP S/4HANA. The enterprise resource planning (ERP) suite went live in Occidental’s South American operations at the start of 2019 and will be rolled out in the United States in 2020. “We’re doing a lot of pre-implementation work,” says Daugherty. “We’ve performed several comparative process reviews, looking at some major processes for oil and gas, like materials management, maintenance, production and measurement, and supply chain management. We’re trying to ensure that process and application controls are designed properly. In addition, we’re involved in the SAP pre-implementation controls review of IT general controls, configuration settings, and user access roles and responsibilities.”
"Embracing more sophisticated tools for data analysis and reporting was one of the team’s first steps toward becoming a next-generation internal audit function."
These projects alone would be enough to keep any internal audit function very busy — even a team that co-sources. But Occidental’s internal auditors also have a list of projects to tackle in 2019 that was shaped by their annual risk assessment in 2018. “We looked at major initiatives for Occidental, from the SAP S/4HANA implementation to cybersecurity, and married those things with the top critical enterprise risks and emerging risks we identified in the first phase of our ERM project,” Daugherty says. “That effort defined what we call our ‘mission-critical’ projects for 2019 — the projects that are locked in for the year. Other projects may be added or deferred depending on changes in our business and risk profile.”
Developing Dashboards, Automating Work and Tracking Issues
As Occidental implements new processes and systems to improve how it operates, internal audit is working to modernize, too. Daugherty says his team’s commitment to innovation and transformation is “about driving efficiency and doing more with fewer resources — better, faster and more cost-effectively.” It’s also about making sure that internal audit “doesn’t get left behind.”
Embracing more sophisticated tools for data analysis and reporting was one of the team’s first steps toward becoming a next-generation internal audit function. “We had plenty of historical data, but we had to collect it, put it in Excel or Access, run graphics, and then make a PowerPoint presentation so that we could share it,” says Daugherty. “Now, it’s all automated.”
The internal auditors use TIBCO Spotfire Data Visualization and Analytics software to create dashboards that supplement their reporting to the audit committee. “The dashboards provide an automatic snapshot of where we are in terms of our overall plan status, project tracking, aging of open internal audit issues, open SOX compliance deficiencies and contractor audit results,” says Daugherty.
Occidental’s internal auditors attend five audit committee meetings annually, and their time to prepare for those meetings has been significantly reduced thanks to their use of data analytics. “The tool basically tracks everything for us, and it’s very interactive,” says Daugherty. “We can drill down into the data to get details on demand and answer any questions that the audit committee may have. And the issue tracker lets us gauge where we are on all outstanding issues. We’ve loaded every issue for every audit that we’ve done over the last seven years into the tracker.”
Establishing an “Opt-Out Methodology” for Data Analytics
As part of their efforts to increase their overall efficiency, the internal audit team at Occidental updated their methodology in 2018. “We incorporated automated process maps for internal audit project execution, follow-up and SOX testing,” says Daugherty. “Now, you can click on a process icon to get to our templates and report formats — it’s our entire methodology, from planning to fieldwork to reporting. It’s a good training tool for our co-sourcing partners.”
Daugherty also introduced the concept of “opt-out methodology” to the internal audit team. Daugherty explains: “We tell our auditors that we will use data analytics on every project that we initiate unless they opt out. But to opt out, they must get my approval. We’ve found that this methodology really drives the use of data analytics, whether it’s visualization of data or using data analytics within a project to test entire data sets rather than sampling. In some cases, we’ve even taken the data analytics tools that we’ve developed and turned them over to the business.”
Daugherty also says he’s eager for his team to increase collaboration with the IT organization and the business to get the full benefit of Occidental’s data power. “There are silos of data scientists, quants [quantitative analysts] and other folks in the business doing their own thing with data,” says Daugherty. “Now, it’s time for our team to either leverage what’s already been developed or work directly with the business and IT to develop something that we all can use.”
Real-time assurance tools are one example that Daugherty has in mind. “We could set up monitors to track any fluctuations or anomalies or deviations in data, starting with simple things like travel and entertainment expense reporting, delinquent payments, AR gaining, or slow-moving inventory,” he explains. “Then, we could do comparative process reviews of activities among all the business units. From there, we could drive more targeted audits, like spot audits, of those anomalies.”
"Daugherty says access to specialized skills is a key reason that Occidental relies heavily on co-sourcing for internal audit work."
Raising the Visibility of the Function — and Thinking About Bots
Daugherty says access to specialized skills is a key reason that Occidental relies heavily on co-sourcing for internal audit work. When Daugherty does need to hire staff for his core team, he says it can take time to find someone with the right mix of abilities who can help the internal audit function keep making strides with its innovation and transformation efforts. Through the co-sourcing model, the team has scalability and can bring the right resources at the right time to meet its needs.
Daugherty says, “We need people in internal audit who have a technological viewpoint because that’s the future. We also need critical thinkers and good communicators. That won’t change, because internal auditors need to gain people’s trust very quickly and establish an air of collaboration and honesty.”
The work that Daugherty and his team are doing to drive innovation and transformation in the function has not gone unnoticed at Occidental — in fact, it’s helped to raise their visibility. “What we’ve been able to achieve is coming through in our audits and deliverables, and that’s resonating throughout the organization,” says Daugherty. “We have people coming to us asking, ‘Hey, we know you have unique skills and tools — can you assist us with this project?’ or ‘Can you give us that technology?’”
"The work that Daugherty and his team are doing to drive innovation and transformation in the function has not gone unnoticed at Occidental — in fact, it’s helped to raise their visibility."
Another area that the internal audit team at Occidental is just starting to explore — which will likely grab the attention of the business — is robotic process automation (RPA). “We’re wondering what we can do with RPA,” says Daugherty. “Can we develop bots to do our SOX testing, for example? We probably spend about 35% of our time on internal controls over financial reporting and IT general controls — and that’s out of roughly 30,000 hours a year. Developing bots that can help us and our co-sourcing partners be more efficient with SOX testing is the next generation of internal audit, too.”
Click here to access the full list of profiles.