Sarbanes-Oxley audits: coming soon

U.S. Sarbanes-Oxley Act of 2002 (SOX) requires companies to establish and maintain internal controls to ensure the accuracy of reported data. Soon you will be ushered into a conference room and told that you have to prove that flow measurements in your plant or refinery are accurate. Knowing SOX requirements beforehand will help you prepare for compliance.


U.S. Sarbanes-Oxley Act of 2002 (SOX) requires companies to establish and maintain internal controls to ensure the accuracy of reported data. Soon you will be ushered into a conference room and told that you have to prove that flow measurements in your plant or refinery are accurate. Knowing SOX requirements beforehand will help you prepare for compliance.

Flowmeter = accounting

Flow measurements are very important for many process industry companies because they are literally the company's 'cash register.' All revenue, and most cost data, reported by a process company is generated from or related to a flowmeter and associated equipment. It will be your responsibility, as an engineer or manager in a plant, to set up controls to ensure accuracy of those measurements.

Some of these flow measurements include incoming raw materials, outgoing products, and all critical measurements involved in moving materials through the plant.

When the SOX auditors arrive, they ask for proof that flow measurements are accurate, that you have procedures to ensure measurement accuracy, and that the plant's operators, engineers, and production accountants have been trained in the correct procedures for the measurement control process.

Overall purpose of a measurement control system is to provide company executives with 'reasonable assurance' that a material flow error will be prevented or detected and corrected. You do not have to prove the accuracy of every flow measurement in a plant or refinery.

Unless auditors suspect wrongdoing, they probably won't examine flow data, every flowmeter, flow history, meter balance report, or calibration procedure in great detail. Auditors want evidence that you have established proper procedures, employee training, and audit paths to ensure accurate data. To do this, they may interview plant managers, engineers, operators, and technicians. They will be auditing your process, not the data.

How to get ready

Top company executives are responsible for setting a 'tone from the top' environment that establishes guidelines for such a measurement control system. Engineers and managers will be responsible for determining what needs to be controlled and how to do it.

Some executive guidelines may include:

  • Establish key measurements needed in a 'risk assessment analysis;'

  • Document policies and procedures spelling out who does what and how;

  • Set up training programs for operators, engineers and company accountants on how to perform calibration or auditing procedures;

  • Establish the audit-ability of each key flow measurement system;

  • Report and track measurement deficiencies; and

  • Provide management support—and adequate funding—to develop the program.

Define controls

Risk analysis determines the most important plant flow measurements. These most likely will be the measurements encompassing custody transfer into and out of the plant, inventory systems, such as tank farms, and any other flow measurement that is used for financial purposes. This must be done by someone who understands the relationship between financial accounting requirements and flow measurement systems. Mistakes at this step can cascade through the entire control process. To help in risk analysis, some companies retain outside consultants experienced with SOX, who know auditors' interests.

Be prepared for all possibilities. One good place to start would be all the flow and tank level measurements that are forwarded to your enterprise system. Enterprise-level data may not satisfy the auditors, because most companies have not installed systems that can track changes to financial data as it moves internally.

Although you have no control over enterprise-level data after it is uploaded, it is your responsibility to verify that the data is accurate when it enters the system. This may require regular calibration of field instruments with sign-off procedures, meter balances, and data validation. Some software tools, including some asset management systems, allow the remote capture and archiving of flow measurement-related information, such as transmitter calibration data.

Ensuring that each measurement system is auditable requires setting up an audit path, or trail, following known industry standards. No such standards have been established by SOX auditors. However, if you follow commonly accepted industry standards (such as American Petroleum Institute Manual of Petroleum Measurement standards—API MPMS), it is highly likely that the auditors will accept them.

Finally, you need to train everyone involved in the internal measurement controls process. All must understand their roles, duties, and SOX-related paperwork and audit procedures that must be followed.

Enter the auditors

When SOX auditors arrive, they will ask:

  • Are controls satisfactory;

  • Are documented procedures being followed;

  • Is employee training sufficient;

  • If a system goes out of tolerance, is follow-up done to determine the action required;

  • Are measurement deficiencies resolved; and

  • Is management support adequate?

You must provide the necessary controls and procedures so company management and auditors have 'reasonable assurance' that plant flow measurements are accurate and accountable, and any errors that might cause major financial impacts will be prevented and/or detected and corrected.

Sarbanes-Oxley: Measuring up compliance
These are the basic elements of a production measurement process needed to comply with Sarbanes-Oxley.

Related articles
For related reading from Control Engineering , see:

Sarbanes-Oxley: Measuring up compliance
These are the basic elements of a production measurement process needed to comply with Sarbanes-Oxley.

Quality Assurance


  • Who is responsible for doing what?

  • Corrective/Preventative Actions

  • Internal Audits

Quality Control
Measurement Manual


  • Regulations and Standards

  • Gas and Liquid Measurement

  • Electronic Flow Measurement

  • Well Testing

  • Production Operations

  • Volumne Calculations

Company Specific Measurement Policies


  • Company Measurement Policies

  • Facility Meter Block Diagrams

  • Examples of data documentation

Author Information

Robert Fallwell is regional manager—Americas, Metco Services Ltd., Emerson Process Management, Calgary, Alberta, Canada

Sarbanes-Oxley Act of 2002

There are three key sections in SOX.

• Section 302: Defines corporate responsibility. The legislation requires the CEO and CFO to certify—in each annual or quarterly report—that they have reviewed the report, it does not contain any untrue statements, and they are responsible for establishing and maintaining internal controls to ensure the accuracy of reported data.

• Section 404: Contains details relating to the effectiveness of internal controls. It requires management to establish and maintain controls, assert effectiveness of controls over financial reporting, disclose any material weaknesses, and identify the internal control framework. An external auditor attestation contains an assessment of the internal control structure and procedures.

• Section 906: Lists penalties. Whoever certifies any statement made in a submitted report knowing that the periodic report accompanying the statement does not comport with all the requirements set forth in the Act shall be fined not more than $1,000,000 or imprisoned not more than 10 years, or both.

Similar legislation exists in Canada.

How to comply with SOX

1. Develop a question/answer document to fit your organization, which should include:

• Corporate measurement policies;

• Meter design and installation criteria;

• Data flow management;

• Product allocation; and

• Area measurement policies

2. Update all metering schematics.

3. Identify and tag all sample points.

4. Conduct measurement reviews of selected facilities to determine a report card on your operations. This would include identifying non-compliance to requirements and non-compliance to good measurement practices identified in the QA/QC manual.

5. Develop an orientation program for the people involved in the PMP.

6. Identify a production measurement coordinator (PMC) and field measurement coordinators (FMC), defining their roles and responsibilities.

7. Provide training for the FMCs.

8. Develop action plans to address measurement deficiencies identified during the measurement reviews.

9. Conduct annual measurement reviews.

No comments
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by...
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
The Engineering Leaders Under 40 program identifies and gives recognition to young engineers who...
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
Choosing controllers: PLCs, PACs, IPCs, DCS? What's best for your application?; Wireless trends; Design, integration; Manufacturing Day; Product Exclusive
Variable speed drives: Smooth, efficient, electrically quite motion control; Process control upgrades; Mobile intelligence; Product finalists: Vote now; Product Exclusives
Machine design tips: Pneumatic or electric; Software upgrades; Ethernet advantages; Additive manufacturing; Engineering Leaders; Product exclusives: PLC, HMI, IO
This article collection contains the 5 most referenced articles on improving the use of PID.
Learn how Industry 4.0 adds supply chain efficiency, optimizes pricing, improves quality, and more.

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

Cyber security cost-efficient for industrial control systems; Extracting full value from operational data; Managing cyber security risks
Drilling for Big Data: Managing the flow of information; Big data drilldown series: Challenge and opportunity; OT to IT: Creating a circle of improvement; Industry loses best workers, again
Pipeline vulnerabilities? Securing hydrocarbon transit; Predictive analytics hit the mainstream; Dirty pipelines decrease flow, production—pig your line; Ensuring pipeline physical and cyber security