Joe Weiss asks: Does Sarbanes-Oxley apply to control systems?

July 10, 2007
Does Sarbanes-Oxley apply to Control Systems?

The Sarbanes-Oxley Act of 2002 (often shortened to SOX) is legislation enacted in response to the high-profile Enron and WorldCom financial scandals to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise. The act is administered by the Securities and Exchange Commission (SEC), which sets deadlines for compliance and publishes rules on requirements. The legislation not only affects the financial side of corporations, but also affects the IT departments ...

SOX 404 and information technology

The financial reporting processes of most organizations are driven by IT systems. Few companies manage their data manually; most rely on electronic management of data, documents, and key operational processes. Therefore, it is apparent that IT plays a vital role in internal control. ... Systems such as ERP (Enterprise Resource Planning) are deeply integrated in the initiating, authorizing, processing, and reporting of financial data. As such, they are inextricably linked to the overall financial reporting process and need to be assessed, along with other important processes, for compliance with the Sarbanes-Oxley Act.

Internal control certifications

Section 302 of the Act mandates a set of internal procedures designed to ensure accurate financial disclosure. The signing officers must certify that they are "responsible for establishing and maintaining internal controls" and "have designed such internal controls to ensure that material information relating to the company and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared." Control systems such as Distributed Control Systems (DCS), Supervisory Control and Data Acquisition Systems (SCADA), and Energy Management Systems (EMS) are IT systems and materially affect the financial health of companies utilizing these systems. Often, these systems are electronically connected to ERP systems. Failures of control systems to perform as designed can result in facility shutdowns, equipment damage with potential long-term consequences, and/or impacts to personnel safety. These systems are already judged critical to the nation's well-being by DOE, DHS, EPA, etc. There has been at least one case where a cyber event occurred with a SCADA system that led to deaths, significant environmental destruction, significant economic impact, and ultimately led to the failure of the company. Consequently, it appears to me that SOX as written (not necessarily what was intended) should apply to control systems and their cyber security.

Joe Weiss PE, CISM
Applied Control Solutions, LLC
Cupertino, CA
(408) 253-7934
(408) 253-7974 Fax
(408) 832-5396 Cell
[email protected]
