Sarbanes-Oxley audits: coming soon

U.S. Sarbanes-Oxley Act of 2002 (SOX) requires companies to establish and maintain internal controls to ensure the accuracy of reported data. Soon you will be ushered into a conference room and told that you have to prove that flow measurements in your plant or refinery are accurate. Knowing SOX requirements beforehand will help you prepare for compliance.


U.S. Sarbanes-Oxley Act of 2002 (SOX) requires companies to establish and maintain internal controls to ensure the accuracy of reported data. Soon you will be ushered into a conference room and told that you have to prove that flow measurements in your plant or refinery are accurate. Knowing SOX requirements beforehand will help you prepare for compliance.

Flowmeter = accounting

Flow measurements are very important for many process industry companies because they are literally the company's 'cash register.' All revenue, and most cost data, reported by a process company is generated from or related to a flowmeter and associated equipment. It will be your responsibility, as an engineer or manager in a plant, to set up controls to ensure accuracy of those measurements.

Some of these flow measurements include incoming raw materials, outgoing products, and all critical measurements involved in moving materials through the plant.

When the SOX auditors arrive, they ask for proof that flow measurements are accurate, that you have procedures to ensure measurement accuracy, and that the plant's operators, engineers, and production accountants have been trained in the correct procedures for the measurement control process.

Overall purpose of a measurement control system is to provide company executives with 'reasonable assurance' that a material flow error will be prevented or detected and corrected. You do not have to prove the accuracy of every flow measurement in a plant or refinery.

Unless auditors suspect wrongdoing, they probably won't examine flow data, every flowmeter, flow history, meter balance report, or calibration procedure in great detail. Auditors want evidence that you have established proper procedures, employee training, and audit paths to ensure accurate data. To do this, they may interview plant managers, engineers, operators, and technicians. They will be auditing your process, not the data.

How to get ready

Top company executives are responsible for setting a 'tone from the top' environment that establishes guidelines for such a measurement control system. Engineers and managers will be responsible for determining what needs to be controlled and how to do it.

Some executive guidelines may include:

  • Establish key measurements needed in a 'risk assessment analysis;'

  • Document policies and procedures spelling out who does what and how;

  • Set up training programs for operators, engineers and company accountants on how to perform calibration or auditing procedures;

  • Establish the audit-ability of each key flow measurement system;

  • Report and track measurement deficiencies; and

  • Provide management support—and adequate funding—to develop the program.

Define controls

Risk analysis determines the most important plant flow measurements. These most likely will be the measurements encompassing custody transfer into and out of the plant, inventory systems, such as tank farms, and any other flow measurement that is used for financial purposes. This must be done by someone who understands the relationship between financial accounting requirements and flow measurement systems. Mistakes at this step can cascade through the entire control process. To help in risk analysis, some companies retain outside consultants experienced with SOX, who know auditors' interests.

Be prepared for all possibilities. One good place to start would be all the flow and tank level measurements that are forwarded to your enterprise system. Enterprise-level data may not satisfy the auditors, because most companies have not installed systems that can track changes to financial data as it moves internally.

Although you have no control over enterprise-level data after it is uploaded, it is your responsibility to verify that the data is accurate when it enters the system. This may require regular calibration of field instruments with sign-off procedures, meter balances, and data validation. Some software tools, including some asset management systems, allow the remote capture and archiving of flow measurement-related information, such as transmitter calibration data.

Ensuring that each measurement system is auditable requires setting up an audit path, or trail, following known industry standards. No such standards have been established by SOX auditors. However, if you follow commonly accepted industry standards (such as American Petroleum Institute Manual of Petroleum Measurement standards—API MPMS), it is highly likely that the auditors will accept them.

Finally, you need to train everyone involved in the internal measurement controls process. All must understand their roles, duties, and SOX-related paperwork and audit procedures that must be followed.

Enter the auditors

When SOX auditors arrive, they will ask:

  • Are controls satisfactory;

  • Are documented procedures being followed;

  • Is employee training sufficient;

  • If a system goes out of tolerance, is follow-up done to determine the action required;

  • Are measurement deficiencies resolved; and

  • Is management support adequate?

You must provide the necessary controls and procedures so company management and auditors have 'reasonable assurance' that plant flow measurements are accurate and accountable, and any errors that might cause major financial impacts will be prevented and/or detected and corrected.

Sarbanes-Oxley: Measuring up compliance
These are the basic elements of a production measurement process needed to comply with Sarbanes-Oxley.

Related articles
For related reading from Control Engineering , see:

Sarbanes-Oxley: Measuring up compliance
These are the basic elements of a production measurement process needed to comply with Sarbanes-Oxley.

Quality Assurance


  • Who is responsible for doing what?

  • Corrective/Preventative Actions

  • Internal Audits

Quality Control
Measurement Manual


  • Regulations and Standards

  • Gas and Liquid Measurement

  • Electronic Flow Measurement

  • Well Testing

  • Production Operations

  • Volumne Calculations

Company Specific Measurement Policies


  • Company Measurement Policies

  • Facility Meter Block Diagrams

  • Examples of data documentation

Author Information

Robert Fallwell is regional manager—Americas, Metco Services Ltd., Emerson Process Management, Calgary, Alberta, Canada

Sarbanes-Oxley Act of 2002

There are three key sections in SOX.

• Section 302: Defines corporate responsibility. The legislation requires the CEO and CFO to certify—in each annual or quarterly report—that they have reviewed the report, it does not contain any untrue statements, and they are responsible for establishing and maintaining internal controls to ensure the accuracy of reported data.

• Section 404: Contains details relating to the effectiveness of internal controls. It requires management to establish and maintain controls, assert effectiveness of controls over financial reporting, disclose any material weaknesses, and identify the internal control framework. An external auditor attestation contains an assessment of the internal control structure and procedures.

• Section 906: Lists penalties. Whoever certifies any statement made in a submitted report knowing that the periodic report accompanying the statement does not comport with all the requirements set forth in the Act shall be fined not more than $1,000,000 or imprisoned not more than 10 years, or both.

Similar legislation exists in Canada.

How to comply with SOX

1. Develop a question/answer document to fit your organization, which should include:

• Corporate measurement policies;

• Meter design and installation criteria;

• Data flow management;

• Product allocation; and

• Area measurement policies

2. Update all metering schematics.

3. Identify and tag all sample points.

4. Conduct measurement reviews of selected facilities to determine a report card on your operations. This would include identifying non-compliance to requirements and non-compliance to good measurement practices identified in the QA/QC manual.

5. Develop an orientation program for the people involved in the PMP.

6. Identify a production measurement coordinator (PMC) and field measurement coordinators (FMC), defining their roles and responsibilities.

7. Provide training for the FMCs.

8. Develop action plans to address measurement deficiencies identified during the measurement reviews.

9. Conduct annual measurement reviews.

No comments
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by...
Each year, a panel of Control Engineering editors and industry expert judges select the System Integrator of the Year Award winners.
Control Engineering Leaders Under 40 identifies and gives recognition to young engineers who...
Learn more about methods used to ensure that the integration between the safety system and the process control...
Adding industrial toughness and reliability to Ethernet eGuide
Technological advances like multiple-in-multiple-out (MIMO) transmitting and receiving
Virtualization advice: 4 ways splitting servers can help manufacturing; Efficient motion controls; Fill the brain drain; Learn from the HART Plant of the Year
Two sides to process safety: Combining human and technical factors in your program; Preparing HMI graphics for migrations; Mechatronics and safety; Engineers' Choice Awards
Detecting security breaches: Forensic invenstigations depend on knowing your networks inside and out; Wireless workers; Opening robotic control; Product exclusive: Robust encoders
The Ask Control Engineering blog covers all aspects of automation, including motors, drives, sensors, motion control, machine control, and embedded systems.
Join this ongoing discussion of machine guarding topics, including solutions assessments, regulatory compliance, gap analysis...
News and comments from Control Engineering process industries editor, Peter Welander.
IMS Research, recently acquired by IHS Inc., is a leading independent supplier of market research and consultancy to the global electronics industry.
This is a blog from the trenches – written by engineers who are implementing and upgrading control systems every day across every industry.
Anthony Baker is a fictitious aggregation of experts from Callisto Integration, providing manufacturing consulting and systems integration.
Integrator Guide

Integrator Guide

Search the online Automation Integrator Guide

Create New Listing

Visit the System Integrators page to view past winners of Control Engineering's System Integrator of the Year Award and learn how to enter the competition. You will also find more information on system integrators and Control System Integrators Association.

Case Study Database

Case Study Database

Get more exposure for your case study by uploading it to the Control Engineering case study database, where end-users can identify relevant solutions and explore what the experts are doing to effectively implement a variety of technology and productivity related projects.

These case studies provide examples of how knowledgeable solution providers have used technology, processes and people to create effective and successful implementations in real-world situations. Case studies can be completed by filling out a simple online form where you can outline the project title, abstract, and full story in 1500 words or less; upload photos, videos and a logo.

Click here to visit the Case Study Database and upload your case study.