Joe Weiss asks: Does Sarbanes-Oxley apply to control systems?

The Sarbanes-Oxley Act of 2002 (often shortened to SOX) is legislation enacted in response to the high-profile Enron and WorldCom financial scandals to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise. The act is administered by the Securities and Exchange Commission (SEC), which sets deadlines for compliance and publishes rules on requirements. The legislation not only affects the financial side of corporations, but also affects the IT departments ...

SOX 404 and information technology

The financial reporting processes of most organizations are driven by IT systems. Few companies manage their data manually and most companies rely on electronic management of data, documents, and key operational processes. Therefore, it is apparent that IT plays a vital role in internal control. ... Systems such as ERP (Enterprise Resource Planning) are deeply integrated in the initiating, authorizing, processing, and reporting of financial data. As such, they are inextricably linked to the overall financial reporting process and need to be assessed, along with other important processes, for compliance with the Sarbanes-Oxley Act.


Internal control certifications

Section 302 of the Act mandates a set of internal procedures designed to ensure accurate financial disclosure. The signing officers must certify that they are "responsible for establishing and maintaining internal controls" and "have designed such internal controls to ensure that material information relating to the company and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared."

Control systems such as Distributed Control Systems (DCS), Supervisory Control and Data Acquisition Systems (SCADA), and Energy Management Systems (EMS) are IT systems and materially affect the financial health of companies utilizing these systems. Often, these systems are electronically connected to ERP systems. Failures of control systems to perform as designed can result in facility shutdowns, equipment damage with potential long-term consequences, and/or impacts to personnel safety. These systems are already judged critical to the nation's well-being by DOE, DHS, EPA, etc. There has been at least one case where a cyber event occurred with a SCADA system that led to deaths, significant environmental destruction, significant economic impact, and ultimately led to the failure of the company. Consequently, it appears to me that SOX as written (not necessarily what was intended) should apply to control systems and their cyber security.

Joe Weiss PE, CISM
Applied Control Solutions, LLC
Cupertino, CA
(408) 253-7934
(408) 253-7974 Fax
(408) 832-5396


  • Joe, That's thought provoking around the idea of the intersection of Sarbanes-Oxley and cyber security. I need to bounce that off some folks around here to get their thoughts.

    S-O definitely applies to control systems where custody transfer is part of the scope, such as Oil and Gas production to Pipeline distribution. I wrote about this in an Emerson Process Experts blog post.

    Take it easy,

    Jim


  • So it wasn't bad enough that we already had an alphabet soup of agencies and organizations making policy at every turn. Now we add SOX to the mix?

    SOX was designed for ERP and financial reporting integrity. Extending those policies to Industrial Control Systems could lead to disaster. I would hope that with all the confusion currently flowing around Control Systems Security, that Professional Engineers could be forgiven if they render a learned opinion or two in the presence of these often contradictory goals and policies.

    Meanwhile, these Industrial Control Systems Standards are engineering standards, not IT standards. Yes, there are IT people in the mix, because they eventually have to receive the data in some form and their assistance will be needed at some level.

    We also have state regulations in many places which assign all responsibility for reporting to a plant superintendent. Clearly, SOX will have to suck up and deal with situations like that. I don't envision any court of law thinking that financial accounting should dictate environmental reporting standards.

    I think we can safely leave SOX with the IT crowd, and push the corporate ERP mess as far off as we can. Few can afford to upgrade or secure control systems the way SOX would have us act. We must inject a note of realism here, take control of what is properly an engineering discipline, and kick the wannabes out.

    Jake Brodsky


  • Jake, I don't think you get that choice. Fact is, lawyers run things, and lawyers will use SOX the first time something bad happens at a utility or at a large refinery or chemical plant. Think they won't? I wouldn't hold my breath.

    Walt

