
Podcast: SOX and Control Systems

There has been discussion in the community on whether control systems are within Sarbanes-Oxley (SOX) scope.
We have never been comfortable with the level of detail or expertise in that discussion, and the last thing the community needs is more uncertainty about security-related regulations. So we found an expert with a background in control systems AND significant SOX experience across a variety of companies.

In this podcast I talk with Bob Broda of Visage Solutions.

 

My takeaway from this podcast is that SOX scope includes financial reporting systems and applications, not all systems and applications that have a financial impact. So a control system may have a huge financial impact and still not be in SOX scope if it does not write to the general ledger or other accounting systems. Bob explains it a lot better, so listen to the podcast.

Bob also wrote up a brief document on SOX scope for control systems.

Comments

Comment from Marc Tritschler
Time: February 12, 2008, 5:27 am

This is clearly a difficult concept to explain i.e., what functionality does your control system need to have in order to be within SOX scope? The metering example and the other example didn’t answer the question clearly (for me anyway). My interpretation of what was said is that any system which provides data which is then used in a calculation of revenue or cost is within scope, meaning that any system measuring and reporting quantities which is then used to calculate revenue or cost based on those quantities is within scope. So electricity metering (which provides data to billing) is clearly within scope, and measurement of delivery of volume, for example, is within scope where revenue or cost calculations are based on the volume supplied/delivered.

Please correct me if I am wrong!

Thanks,

Marc

Comment from Dale Peterson
Time: February 12, 2008, 7:50 am

Marc - It is difficult. Obviously the point we wanted to hammer home was that just because your control system has a big financial impact, it does not necessarily fall into SOX scope. Financial reporting is the key.

Once a few questions come in on the blog I’ll ask Bob to respond so stay tuned.

My impression from talking with Bob was the revenue side was the key, not the cost side. He gave a specific example in the podcast where a manufacturing DCS was out of scope because it only impacted the amount of cost not reporting of cost. I also believe the auto manufacturer example I quoted is instructive.

To me the reachback question is the most difficult. If a system is in SOX scope, what about a system that feeds information to that system?

I would argue that an AMI/AMR system would be in scope, but electric distribution, transmission and generation would not be in scope. I think one of the key points is to be prepared with a coherent argument in SOX terms (impact on financial reporting) prior to meeting with the auditors.

Comment from Marc Tritschler
Time: February 12, 2008, 8:08 am

Dale,
I still think that quantity measurement, where that quantity is used in revenue or cost calculations, is in scope. If I am correct, then metering of generation, transmission and distribution could all be within scope as the metered values have a direct impact on revenue/cost calculations, and subsequent settlement.
Marc

Comment from Dale Peterson
Time: February 12, 2008, 10:04 am

Marc - then wouldn’t every manufacturing DCS have to be in scope? And clearly internal and external auditors have viewed that many are not. I think it is the difference between production and delivery. I know electric utilities that have made the decision, ratified by auditors, that the metering system is the only application/system in the controls environment in SOX scope.

Also, the concepts of transactions and interaction with the financial system seem to be key.

The complexity and impact of a wrong conclusion (either way) make this an important issue.

Comment from Ralph Langner
Time: February 12, 2008, 11:58 am

Without having listened to the podcast, this sounds to me like, as soon as you have an MES, the SCADA/DCS that interfaces with the MES is likely to be within SOX scope.

Comment from CallBEFOREYouDig
Time: February 12, 2008, 1:58 pm

It isn’t clear that there is an effective argument to limit reachback, unless you can argue that the economic quantities at some level of granularity are not material. For example, if you use programmable RTUs to calculate revenue-related quantities, then what is the argument that would prevent SOX from reaching all the way back through the SCADA system to the RTU? Would it make a difference if you have 10 RTUs making revenue-related measurements vs. 10,000?
