Sarbanes-Oxley audits: coming soon

The U.S. Sarbanes-Oxley Act of 2002 (SOX) requires companies to establish and maintain internal controls to ensure the accuracy of reported data. Soon you will be ushered into a conference room and told that you have to prove that flow measurements in your plant or refinery are accurate. Knowing SOX requirements beforehand will help you prepare for compliance.

By Robert Fallwell July 1, 2006

Flowmeter = accounting

Flow measurements are very important for many process industry companies because they are literally the company’s ‘cash register.’ All revenue, and most cost data, reported by a process company is generated from or related to a flowmeter and associated equipment. It will be your responsibility, as an engineer or manager in a plant, to set up controls to ensure accuracy of those measurements.

Some of these flow measurements include incoming raw materials, outgoing products, and all critical measurements involved in moving materials through the plant.

When the SOX auditors arrive, they ask for proof that flow measurements are accurate, that you have procedures to ensure measurement accuracy, and that the plant’s operators, engineers, and production accountants have been trained in the correct procedures for the measurement control process.

The overall purpose of a measurement control system is to provide company executives with ‘reasonable assurance’ that a material flow error will be prevented or detected and corrected. You do not have to prove the accuracy of every flow measurement in a plant or refinery.

Unless auditors suspect wrongdoing, they probably won’t examine flow data, every flowmeter, flow history, meter balance report, or calibration procedure in great detail. Auditors want evidence that you have established proper procedures, employee training, and audit paths to ensure accurate data. To do this, they may interview plant managers, engineers, operators, and technicians. They will be auditing your process, not the data.

How to get ready

Top company executives are responsible for setting a ‘tone from the top’ environment that establishes guidelines for such a measurement control system. Engineers and managers will be responsible for determining what needs to be controlled and how to do it.

Some executive guidelines may include:

Establish key measurements needed in a ‘risk assessment analysis;’

Document policies and procedures spelling out who does what and how;

Set up training programs for operators, engineers and company accountants on how to perform calibration or auditing procedures;

Establish the audit-ability of each key flow measurement system;

Report and track measurement deficiencies; and

Provide management support—and adequate funding—to develop the program.

Define controls

Risk analysis determines the most important plant flow measurements. These most likely will be the measurements encompassing custody transfer into and out of the plant, inventory systems, such as tank farms, and any other flow measurement that is used for financial purposes. This must be done by someone who understands the relationship between financial accounting requirements and flow measurement systems. Mistakes at this step can cascade through the entire control process. To help in risk analysis, some companies retain outside consultants experienced with SOX, who know auditors’ interests.

Be prepared for all possibilities. One good place to start would be all the flow and tank level measurements that are forwarded to your enterprise system. Enterprise-level data may not satisfy the auditors, because most companies have not installed systems that can track changes to financial data as it moves internally.

Although you have no control over enterprise-level data after it is uploaded, it is your responsibility to verify that the data is accurate when it enters the system. This may require regular calibration of field instruments with sign-off procedures, meter balances, and data validation. Some software tools, including some asset management systems, allow the remote capture and archiving of flow measurement-related information, such as transmitter calibration data.

Ensuring that each measurement system is auditable requires setting up an audit path, or trail, following known industry standards. No such standards have been established by SOX auditors. However, if you follow commonly accepted industry standards (such as American Petroleum Institute Manual of Petroleum Measurement standards—API MPMS), it is highly likely that the auditors will accept them.

Finally, you need to train everyone involved in the internal measurement controls process. All must understand their roles, duties, and SOX-related paperwork and audit procedures that must be followed.

Enter the auditors

When SOX auditors arrive, they will ask:

Are controls satisfactory;

Are documented procedures being followed;

Is employee training sufficient;

If a system goes out of tolerance, is follow-up done to determine the action required;

Are measurement deficiencies resolved; and

Is management support adequate?

You must provide the necessary controls and procedures so company management and auditors have ‘reasonable assurance’ that plant flow measurements are accurate and accountable, and any errors that might cause major financial impacts will be prevented and/or detected and corrected.

Related articles

For related reading from Control Engineering, see:

“What in the World is Sarbanes-Oxley?”

“Bioterrorism Act: Burden or Benefit?”

Sarbanes-Oxley: Measuring up compliance

These are the basic elements of a production measurement process needed to comply with Sarbanes-Oxley.

Quality Assurance

Document

Who is responsible for doing what?

Corrective/Preventative Actions

Internal Audits

Quality Control

Measurement Manual

Regulations and Standards

Gas and Liquid Measurement

Electronic Flow Measurement

Well Testing

Production Operations

Volume Calculations

Company Specific Measurement Policies

Company Measurement Policies

Facility Meter Block Diagrams

Examples of data documentation

Author Information

Robert Fallwell is regional manager—Americas, Metco Services Ltd., Emerson Process Management, Calgary, Alberta, Canada

Sarbanes-Oxley Act of 2002

There are three key sections in SOX.

• Section 302: Defines corporate responsibility. The legislation requires the CEO and CFO to certify—in each annual or quarterly report—that they have reviewed the report, it does not contain any untrue statements, and they are responsible for establishing and maintaining internal controls to ensure the accuracy of reported data.

• Section 404: Contains details relating to the effectiveness of internal controls. It requires management to establish and maintain controls, assert effectiveness of controls over financial reporting, disclose any material weaknesses, and identify the internal control framework. An external auditor attestation contains an assessment of the internal control structure and procedures.

• Section 906: Lists penalties. Whoever certifies any statement made in a submitted report knowing that the periodic report accompanying the statement does not comport with all the requirements set forth in the Act shall be fined not more than $1,000,000 or imprisoned not more than 10 years, or both.

Similar legislation exists in Canada.

How to comply with SOX

1. Develop a question/answer document to fit your organization, which should include:

• Corporate measurement policies;

• Meter design and installation criteria;

• Data flow management;

• Product allocation; and

• Area measurement policies

2. Update all metering schematics.

3. Identify and tag all sample points.

4. Conduct measurement reviews of selected facilities to determine a report card on your operations. This would include identifying non-compliance with requirements and non-compliance with good measurement practices identified in the QA/QC manual.

5. Develop an orientation program for the people involved in the PMP.

6. Identify a production measurement coordinator (PMC) and field measurement coordinators (FMC), defining their roles and responsibilities.

7. Provide training for the FMCs.

8. Develop action plans to address measurement deficiencies identified during the measurement reviews.

9. Conduct annual measurement reviews.