by Sandford Liebesman, Ph.D.
The Sarbanes-Oxley Act (SOX) was passed in 2002 in response to financial scandals at Enron, WorldCom, and other organizations. On December 2, 2001, Enron filed for bankruptcy with $62.8 billion in assets. This was followed by WorldCom with $107 billion, the largest bankruptcy in history. Thousands of investors lost billions of dollars and an incalculable amount of confidence. Executives for these corporations and other companies have been found guilty of defrauding the public and are now serving long jail terms.
The preamble to SOX explains the reason for its creation: "To protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws…." SOX has fundamentally changed the business and regulatory environment, and business leaders can't afford to underestimate the scope of the changes.
In 2003 Paul Palmes, John Walz, and I started the SOX community within the American Society for Quality. Our goal was to show that quality and environmental management standards, such as ISO 9001 and ISO 14001, can support financial management systems and help with compliance to SOX. That goal now includes linking the various management systems so that duplication of effort will be eliminated or reduced, and the overall management of organizations will be more cost-effective.
This article takes a look at the relationships between SOX and quality management systems (QMS) based on ISO 9001 and ISO 14001, keeping in mind the links between each. That's followed by an eight-point program for accomplishing the links and an explanation of the bottom-line values that will result.
SOX consists of 11 major sections, each with a number of subsections. Several key subsections are of major concern to organizations. Subsection 101--"Establishment; Administrative Provisions," created the Public Company Accounting Oversight Board, which registers and monitors public accounting firms and develops the auditing standards used by them. Subsection 302--"Corporate Responsibility for Financial Reports," defines corporate responsibility for financial reports and requires companies' CEOs and CFOs to state, under penalty of law, that they have reviewed the reports and confirm that they contain no omissions or misstatements of material facts.
Other subsections require whistleblower protection; real-time reporting of material events; and criminal penalties for defrauding stockholders, altering documents, tampering with records, or hindering investigations. Top managers are very concerned with these subsections because of the criminal penalties that they're subject to if they fail to comply.
The final subsection of major concern is 404--"Management Assessment of Internal Controls," which requires creating a system of internal control that top management must assess for effectiveness. This subsection has caused organizations the greatest concern because of the high cost to create and assess the internal control system. In addition, external auditors are charged with auditing the system and reporting that it's effective, with no material misstatements.
Subsection 404 requires a system of internal control. Most organizations use the Committee of Sponsoring Organizations of the Treadway Commission (COSO) guidance to satisfy this requirement. The COSO was created during the 1980s in response to the insider trading scandals of that period. Five leading professional accounting societies are members of COSO, which continues to provide guidance on financial management.
COSO published the Integrated Framework and Evaluation Tools in 1992. The framework consists of three objectives and five elements. A compliant system of internal control will ensure that organizations achieve the three COSO objectives:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with laws and regulations
The controls must be preventive and corrective, and provide a mechanism for managing risk.
There are five elements of COSO:
• Control environment
• Information and communication
• Risk assessment
• Monitoring
• Control activities
ISO 9001, itself an internal control system, is well-suited to address the COSO elements. In fact, your existing ISO 9001 QMS can easily be expanded to provide the type of documentation and oversight required by COSO, or provide a stable platform of processes and procedures outlining how COSO elements should be addressed. Keep in mind that SOX does not have a particular document structure in mind to use as proof of compliance. COSO is simply a recommended structure that works, and its elements are easily covered by your existing QMS. However, there are some key parts of the COSO guidance that are not covered by an ISO 9001 system. Examples are fraud detection and prevention, management of financial control and reporting processes, controls to prevent material misstatements in the company's financial reports, and processes to ensure segregation of duties. In a sense, linking COSO and an ISO 9001 QMS goes a long way to solving the issue of structuring the COSO internal control system, but there are specific COSO activities that must be added.
The COSO control environment element is the foundation for all other COSO elements and provides discipline and structure in the organization. Likewise, ISO 9001 contains requirements for the process approach, multiple planning activities, developing a quality policy, measurable objectives, internal communication, and employee competence. The ISO 9001 requirements provide a basic structure of a management system that can serve as a foundation for the COSO guidance.
The COSO information and communication element requires that pertinent information be identified, captured, and communicated in a form and time frame that enables people to carry out their responsibilities.
ISO 9001 supports the information and communication clauses by controlling documents and records. These clauses stabilize the procedures for handling information that will be used in the COSO internal control system. ISO 9001 also defines communication requirements for all three stakeholders: the organization, its customers, and its suppliers.
The COSO risk-assessment element requires the identification and analysis of relevant risks to achieving objectives, and the basis for determining how the risks should be managed.
ISO 9001 supports risk assessment by developing measurable objectives. Next, there's the review of customer requirements, which often identifies high-risk elements that can affect an organization's ability to serve its customers. ISO 9001 also requires the organization to monitor and measure its products and processes and provide these data for analysis. Other inputs are customer satisfaction and supplier data. A key part of the analysis is identifying trends used to specify opportunities for corrective and preventive action, and that serve as inputs to management review. Applied to COSO, your ISO 9001-based systems can be used to document financial objectives as they relate to stakeholders.
The COSO monitoring element requires a process that assesses the quality of the system's performance over time. A key tool used by organizations to do this is internal auditing.
ISO 9001's support of monitoring is closely related to its support of COSO's risk-assessment element. It includes defining measurable objectives, monitoring and measuring products, data analysis, and internal auditing. Just as it can include processes and procedures for monitoring a manufacturing process, an ISO 9001 QMS can include the necessary information for monitoring a company's financial processes. This information can in turn be used to support COSO requirements.
The COSO control activities element consists of policies and procedures that help ensure that management directives are carried out. Control activities help ensure that necessary actions are taken to address risks to the organization's objectives.
ISO 9001's support of COSO's control activities centers on the management review process. There are requirements for documented procedures to control nonconforming product as well as corrective and preventive action processes. Expanding the role of ISO 9001 management review will greatly strengthen the ability to carry out management directives related to company financial information.
After studying ISO 9001 support of SOX, the ASQ SOX team observed opportunities for linking all management systems within an organization. The feedback we received from organizations was that independent management systems often result in duplicated effort, unnecessary complexity, and higher cost of operations. This is due to the silo effect from management systems not communicating with each other. The SOX team proceeded to define a series of eight actions for linking the management systems.
1. Reduce duplication of effort. Connect the ISO 9001 (or ISO 14001) and SOX management systems by using common processes to reduce duplication of effort. ISO 9001 provides a basic structure for connecting the management systems. The standard requires six documented procedures that can be used by the other management systems. These are document control, control of records, corrective action, preventive action, internal audit, and control of nonconforming product. In addition, ISO 9001 requires continual improvement, competence, awareness and training, and management review. Creating a common management review process is especially important for eliminating duplication of effort and increasing communication across the organization.
2. Implement a process approach. Implement the ISO 9001 process approach in all management systems. The process approach consists of the following activities:
• Identify financial, quality, and environmental processes.
• Determine the sequence and interaction of the processes.
• Ensure the effectiveness of each process.
• Ensure the availability of resources for each process.
• Monitor, measure, analyze, and continually improve each process.
• Identify an owner, inputs, outputs, resources, and constraints for each process.
• Identify financial controls for each process.
• Identify process activities based on plan-do-check-act.
3. Implement continual improvement. Implement continual improvement activities as defined in ISO 9001. Applying a continual improvement program to SOX and other management systems will lead to better bottom-line results.
The following will result in continual improvement of the COSO guidance:
• Use measurable objectives as improvement goals.
• Use internal audits to identify significant deficiencies in the internal controls.
• Analyze data to evaluate where continual improvement will be effective.
• Identify trends in data used for early risk identification.
• Use preventive and corrective actions to reduce risk.
• Conduct management reviews to determine status of the objectives and to set new goals.
4. Conduct joint audits. Joint audits will reduce the duplication of audit questions and provide an early assessment of operational risk. Note that financial auditors will gain a better understanding of operations, and quality auditors will get a better understanding of financials. A single report to the audit committee will give the members a better understanding of the organization's operations and an appreciation of the ISO 9001 management system.
5. Complete a SOX risk-assessment process. ISO 9001 contains requirements that support the SOX risk-assessment guidance. Start with the objectives, then identify and analyze the risks to achieving them. Identify key dependencies and significant controls, and establish clear responsibility and accountability. Next, determine how to manage the risks using corrective and preventive action. As part of these activities, the organization should develop a mechanism for dealing with change.
6. Improve corporate governance. There must be a separation of roles and responsibilities. The board of directors should oversee operations and ensure effective corporate governance. The CEO manages the operation of the business while management supports the CEO and manages the employees. Employees carry out the functions of the organization. Three goals of corporate governance are managing risk, managing processes effectively, and continually improving company performance. Quality and environmental management systems such as ISO 9001 and ISO 14001 are excellent tools for accomplishing these objectives. The board should move the corporate mentality from correcting problems to preventing them.
7. Clarify IT's role. Information technology plays a pivotal role in implementing all management systems. The IT department must manage and protect data as required by SOX subsections 802 and 1102. IT plays a major role in controlling documents and records, managing inventory, communicating in a multilocation organization, and communicating with customers and suppliers. These are all functions of a QMS such as ISO 9001 that also support compliance to SOX. In addition, the organization can ensure information security by implementing ISO/IEC 27001.
8. Link operations to SOX compliance. ISO 9001 and ISO 14001 provide added compliance resources that can reduce the amount of auditing time, eliminate duplication of effort, provide early identification of real-time disclosures, and support specific financial processes such as revenue recognition, purchasing, shipping, and inventory management. ISO 9001 provides a strong basis for managing these operations in an organization.
The quality and environmental management systems tools, procedures, reports, and audits are ready-made for use in SOX compliance. What's lacking is the ability to communicate with members of the financial organization. Few within the quality- or environmental-management communities understand financial statements, can communicate in financial languages, or know the requirements of SOX. Also, there's a need to understand how to audit for compliance to generally accepted accounting practices. These gaps need to be filled to effectively link quality and environmental management systems with the financial management system.
Sandford Liebesman, Ph.D., has more than 35 years of experience in quality at Bell Laboratories, Lucent Technologies, Bellcore, and KEMA Registered Quality. He is an ISO 9000 expert and is the lead author of the books TL 9000, Release 3.0: A Guide to Measuring Excellence in Telecommunications (Quality Press, 2002) and Using ISO 9000 to Improve Business Processes (AT&T Customer Information Center, 1994). He is president of Sandford Quality Consulting LLC and is leading the ASQ SOX team in support of compliance to SOX.