An Audit Report on Well-plugging within the Railroad Commission’s Oil and Gas Regulation and Cleanup Program
July 2013
Report Number 13-040
Overall Conclusion
The Railroad Commission (Commission) follows a process for prioritizing and recommending oil and gas wells for plugging that incorporates risk-based factors and complies with requirements in the Texas Natural Resources Code. As part of its Oil and Gas Regulation and Cleanup Program, the Commission creates annual plugging goals for its Oil and Gas Division's district offices. The district offices follow the Commission's policies and procedures to prioritize wells eligible for plugging and recommend the specific wells that should be plugged.
The Commission also has effective processes and related controls to establish, maintain, and collect the financial assurances from oil and gas well operators that are required by Texas Natural Resources Code, Chapter 91. The financial assurances are cash, bonds, or letters of credit that operators provide and that fund the Commission's plugging of wells. However, the Commission should strengthen certain controls related to its financial assurance processes to help ensure that it can collect on those financial assurances before they expire. In 63 (98 percent) of the 64 cases that auditors tested, the Commission appropriately sent demands to collect on operators' financial assurances. However, in one instance the Commission did not collect on an operator's $25,000 letter of credit. In that instance, the letter of credit expired before the Commission determined that it should have collected on that letter of credit.
The Commission has adequate information technology security policies, user access policies, use of generic user ID accounts, change management policies, password controls for applications, and physical security controls for its mainframe. However, the Commission should strengthen certain controls for its mainframe and Oilfield Cleanup (OFCU) application in the areas of review of user access, segregation of programmer duties, password controls for servers, and physical controls over the Commission's data center.
Auditors communicated less significant issues to Commission management separately in writing.