What in the World is Sarbanes-Oxley?

When the U.S. Occupational Safety and Health Act (OSHA) became law in the 1970s, a line heard often was "OSHA is not a small town in Wisconsin." Similarly, those faced with implementing the Sarbanes-Oxley Act in their plants today might hear: "What in the world is Sarbanes-Oxley?" The answer is not a simple one.

By Jeanine Katzel June 1, 2005

AT A GLANCE

Beyond finance, accounting

Law affects data gathering

Need for accurate reports

System interoperability

Risk management potential

Sidebars: What is Sarbanes-Oxley? Resources related to Sarbanes-Oxley compliance

When the U.S. Occupational Safety and Health Act (OSHA) became law in the 1970s, a line heard often was “OSHA is not a small town in Wisconsin.” Similarly, those faced with implementing the Sarbanes-Oxley Act in their plants today might hear: “What in the world is Sarbanes-Oxley?”

The answer is not a simple one. The Public Company Accounting Reform and Investor Protection Act of 2002, more commonly known as Sarbanes-Oxley, is one of those laws that many have heard of, but few know much about—or want to. As with OSHA, few manufacturers want to address its mandates or incur the costs of compliance. But given time, the words Sarbanes-Oxley will become as commonplace as OSHA. SOX, as it is commonly called, is the law of the land, and it will not go away.

While SOX will not significantly change the daily routine of most automation and controls engineers, it will impact their businesses. And despite thoughts to the contrary, a familiarity with this legislation and what it means to the economic and operational well-being of a company just plain makes sense. A rapid and definitive response to the Enron and WorldCom scandals, the law puts in place a series of checks and balances to restore investor confidence. It made companies accountable for information they publish and gave executives no excuse for not knowing what their companies were doing.

SOX addresses audits, financial reporting and disclosure, conflicts of interest, and corporate governance. The Act also establishes supervisory mechanisms, such as the Public Company Accounting Oversight Board (PCAOB), to oversee accountants and accounting firms that are conducting external audits of public companies. (For background on the legislation, see accompanying section, “What is Sarbanes-Oxley?”)

How, then, does this affect plant automation and controls? Simply put, auditors are looking at more than numbers now. They are auditing the processes and controls associated with obtaining those numbers. They are validating how companies got to those numbers. And among those numbers are the process and production data that only controls and automation engineers can provide.

No more excuses

“The best advice I can give is to be prepared,” says Dennis Brandl, president of BR&L Consulting. “SOX may not affect automation and controls engineers directly, but it will affect them indirectly in the information they collect and manage on the factory floor. They will be required to report on any failure that may significantly impact the financial soundness of the company. They may have to record and track data they didn’t previously have to track. If a production failure may lead to a major change in the economic well-being or value of the company, then it is information stockholders need to know.”

No longer can a CEO or CFO say, “We didn’t know about this.” The purpose of the law is to make sure no one has any excuses. “Saying I didn’t know that was happening is no longer acceptable,” says Randy Kondor, OPC managing director at Matrikon. “SOX requires the CEO and CFO to be aware of what’s happening in their companies. They must establish measures or they will be liable. It is their responsibility to make sure everything is audited and that the data are available to show solvency. Auditors must be able to determine what’s going on.”

John Hagerty, vice president of research at AMR Research, says it’s about making sure that the numbers published to the outside world are defendable and controlled. “This is really a market enforcement activity,” he points out. “All along companies have had to state in their annual reports that they had control over what was going on. But people weren’t overly concerned about accuracy. SOX requires auditors to verify, separately and independently from the financial numbers, whether or not management’s statements are accurate.”

Unlike OSHA, SOX does not establish a bureaucracy to conduct investigations and impose penalties, though certainly some executives may be at risk of fines, even jail terms, over their actions. As in the past, auditors under SOX remain part of the private sector, impartial and independent. What SOX did do is establish the PCAOB, under the auspices of the Securities and Exchange Commission (SEC), to audit the auditors. “Before SOX,” says Hagerty, “there was only industry-driven oversight. Now the auditors have a watchdog.”

It’s not just about numbers

SOX is more about reliability, accuracy, accountability, and security than numbers. All manufacturing—discrete and process, batch and hybrid—will be affected by SOX. Financial information disclosure must be supported by data that can be substantiated, identified, and made available. This translates to complete access to plant-floor information. As a result, control engineers need to be aware that they may be called upon to provide information about processes or operations, especially if that information is associated with shutdowns or upsets. Questions they may be asked include: When did you know about this problem? When did management find out?

Further, SOX compliance efforts are stimulating moves toward integrating automation systems with higher-level business systems. Most companies are selecting IT solutions for SOX compliance. Production departments can expect to be approached by IT or management and asked to provide information. Many will be charged with maintaining the information required for SOX compliance. IT and production will need to work together to ensure the correct data are being compiled and are accessible. When auditors ask where those numbers came from, the answers had better be there, immediately.

This need is prompting companies to respond with data monitoring and collection systems that are comprehensive, secure, integrated, and interoperable. BR&L Consulting’s Brandl recommends working with a real-time data historian or data analysis system. “Manufacturing may not need to put specific solutions in place,” he says, “but it does need to continue to apply the good practices it already has in place. For those who have not yet put in data historians, SOX adds impetus for doing so.”

Gregg Le Blanc, technical strategist at OSISoft, concurs. “As with most regulations, it’s all about getting to the data. What’s taking place on the plant floor? Who has access to data? Who may have changed that data? Operations need to have a database that shows who did what when.”

Higher level, clearer view

Better visibility is the way Kevin Bernier, director of Proficy software for GE Fanuc, puts it. “SOX is all about better reporting, better visibility, better all-around knowing what’s going on with your company. This means knowing what’s happening in all aspects of the operation and having the ability to report on it accurately. That information must be available in case anything goes awry.”

To validate the revenue recognized by the company, says Bernier, business systems will need to have access to production operations to prove the products were produced and shipped. “Therefore, systems need to be in place that interface what is happening on the plant floor to and with what is happening on the business level. The roles of enterprise resource planning systems, such as SAP or Oracle, are becoming more important.”

Data integration raises concerns not only about costs, but about security as well. IT departments have established identity security for business networks, explains Matrikon’s Kondor, but secure systems may limit interoperability and necessary communications between systems. On the other hand, open and interoperable systems may compromise security. Balancing these issues becomes a challenge under SOX legislation, which says that if a problem occurs, there must be no question as to whether data has been altered or removed.

AMR’s Hagerty admits compliance costs are high. “We’ve estimated there will be $6.1 billion spent on SOX in 2005. That’s money above and beyond what would ordinarily be spent on auditing procedures.” But these costly requirements can be turned to advantage by using the software, procedures, and methods put in place for compliance to see more deeply into operations. Indeed, some companies are doing just that, looking at possible risk management benefits that improved data management and system interoperability and communication can bring to the operational as well as the financial side of business. Ideally, data collection and management systems should extend to the plant floor, where the process begins and business transactions get started. In some cases SOX has fostered a clearer view of processes and controls across the whole business.

SOX is not just about making sure finances are in good shape, explains AMR’s Hagerty. “It’s about knowing where and when you might have risks to the business. This risk management approach to the world can actually start changing fundamentally how companies look at things. How do I deal with a plant that has been damaged? Are there ways to keep a line from going down, to minimize damage? This is moving to a higher level. Some of these operational benefits may come as outgrowths of the Sarbanes-Oxley Act, if not directly attributed to it.”

Connect the dots

Don’t think that the plant floor isn’t part of SOX. Warns AMR’s Hagerty: “If you contribute to the overall financial condition of your firm, if you make or sell something, then by definition you are part of the process. You may not be under the thumb of compliance right now, but you contribute because you are part of the ongoing operation of the business.

“Listen with open ears. Everything is connected. If management comes to you for help in understanding process and production data, don’t resist. Try to understand how your dot connects to other dots in the business. You may not be that far away from where revenue gets generated. Think about what you do in terms of what it means to the profitability of the firm.”

From an automation and controls perspective, SOX translates to accountability to the financial and accounting departments within the company more than compliance to the act itself. What happens, says GE Fanuc’s Bernier, will be “more of an internal pressure. You’ll have finance putting pressure on IT to give them the right information. IT, in turn, will turn to the plant-floor operations to make sure the right data are being transferred back and forth.”

It has been a year since SOX took effect. The SEC is reassessing the legislation. But nothing indicates the law will be repealed. Guidelines for what a company can and cannot do, and who can do it, will probably be firmed up, but don’t expect SOX to go away. It’s the law. And it’s not a one-time activity; it’s a process. It’s about maintaining controls over time—in the boardroom and on the plant floor.

What is Sarbanes-Oxley?

Do you remember WorldCom? Enron? The Sarbanes-Oxley Act of 2002 is a direct reaction to the high-profile scandals surrounding the fall of these and other firms. Put in place to restore investor confidence and also to help shore up a staggering economy following the events of 2001, the bi-partisan effort went from conception to law in less than two months. Primary architects were Sen. Paul S. Sarbanes, D-MD and ranking member of the Senate Banking Committee; and Rep. Michael G. Oxley, R-OH, chair of the House Committee on Financial Services.

The intent is “to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws.” Signed into law on July 30, 2002, it requires all public companies to meet certain financial reporting requirements for end-of-year financial statements and quarterly reports.

Compliance with the 66-page document includes the establishment of an accounting framework that generates financial reports with verifiable data. Any and all revisions must be documented. Fines and prison terms can result from non-compliance or the submission of inaccurate information, even if it is mistakenly given.

Resources related to Sarbanes-Oxley compliance

Many Internet sites contain information about the Sarbanes-Oxley Act and its impact on business. Here are a few Web sites that provide background on SOX:

For additional reading on Sarbanes-Oxley from Control Engineering:

Sarbanes-Oxley and manufacturing IT, February 2005

Engineers and Sarbanes-Oxley, January 2005