April 11, 2008

Table Comparing COSO and ISO 9001

The COSO Guidance consists of five elements: (1) Internal Control Environment, (2) Information and Communication, (3) Risk Assessment, (4) Monitoring, and (5) Control Activities. In the September 2005 issue of Quality Progress I published the following article comparing the COSO guidance with ISO 9001:2000: “Mitigate SOX Risk with ISO 9001 and 14001,” Standards Outlook, Quality Progress, September 2005, 91-93. Recently I expanded the table in the article to include specific items in each COSO element. The new table below shows a clearer link between the COSO elements and the ISO 9001:2000 requirements.

Table Comparing COSO Guidance with ISO 9001:2000 Requirements

(For each COSO element the first list gives the COSO model for SOX; the second list gives the matching ISO 9001:2000 clauses, with ISO 14001:2004 clauses noted where they apply.)

1. Internal Control Environment

COSO model for SOX:
  • Foundation for all other COSO elements.
  • Does the organization do things right?
  • Does the organization do the right things and maintain a high degree of integrity in its dealings?
  • Few complaints alleging misconduct are received from customers or others.
  • Competence of personnel maintained.
  • Effective management style or “Tone at the Top” maintained.

ISO 9001:2000 clauses:
  • 4.1 Quality management system
  • 5.3 Quality policy
  • 5.4.1 Quality objectives
  • 5.5.3 Internal communication
  • 6.1 Provision of resources
  • 6.2.2 Employee competence
  • 7.1 Planning of product realization
  • 8.1 Planning of measurement, analysis and improvement

2. Information and Communication

COSO model for SOX:
  • Information captured and communicated enabling people to carry out their responsibilities.
  • Reports used to run and control the business.
  • Information about external events, activities and conditions for making informed business decisions.
  • How is information identified, captured, and communicated? Does it flow across the organization?
  • Do employees understand their roles in the control process?
  • Are there processes in place to address employee, supplier, and customer concerns in a timely manner?

ISO 9001:2000 clauses:
  • 4.2.3 Control of documents
  • 4.2.4 Control of records
  • 5.1 Top management communication
  • 5.5.3 Internal communication
  • 7.2 Customer requirements
  • 7.2.3 Customer communication
  • 7.4 Purchasing
  • 7.4.2 Supplier communication

3. Risk Assessment

COSO model for SOX:
  • Establishment of objectives, linked at different levels and internally consistent.
  • Identification, analysis and management of risks to achieving objectives.
  • Mechanisms to deal with change and the risks relevant to change.
  • Effective risk assessment requires:
      • Definition of the objectives.
      • Determination of the compatibility of the objectives.
      • Identification of risks to achieving the objectives.
      • Determination of risks associated with change.
      • Judgment as to which risks are critical.
      • Determination of actions to mitigate risks, starting with the critical ones.

ISO 9001:2000 clauses (and ISO 14001):
  • 5.4.1 Measurable objectives
  • 5.6 Management review
  • 7.2 Contract review
  • 7.4.3 Supplier data
  • 8.2.1 Customer satisfaction data
  • 8.2.2 Internal audit
  • 8.2.3 Monitoring and measurement of processes
  • 8.2.4 Monitoring and measurement of product
  • 8.4 Data analysis to demonstrate QMS suitability and effectiveness
  • 8.5.1 Continual improvement
  • 8.5.2 Corrective action
  • 8.5.3 Preventive action
  • ISO 14001, 4.3.1 Environmental aspects and identification of significant aspects

4. Monitoring

COSO model for SOX:
  • A process that assesses the quality of the system's performance over time through separate evaluations and/or ongoing monitoring activities.
  • Key tools include internal auditing, management and supervision of operations, and the actions of personnel performing their duties.
  • Management is responsible for implementation.
  • Auditors must drill down to “root causes,” follow audit trails, and identify significant deficiencies and material weaknesses.

ISO 9001:2000 clauses:
  • 5.4.1 Measurable objectives
  • 5.6 Management review
  • 8.2.1 Customer satisfaction data
  • 8.2.3 Monitoring and measurement of processes
  • 8.2.4 Monitoring and measurement of product
  • 8.4 Analysis of data
  • 8.5.1 Continual improvement

5. Control Activities

COSO model for SOX:
  • Policies and procedures that help ensure management directives are carried out, including approvals, verifications, the security of assets, authorizations, reconciliations, and the segregation of duties.
  • Timely actions taken to address risks to the achievement of the entity's objectives, exceptions, and information that requires follow-up.
  • Control activities are based on objectives, risks, and what appears to be effective.
  • Control activities are put in place for significant plans and programs such as the management of supplier products and outsourced services.

ISO 9001:2000 clauses (and ISO 14001):
  • 5.6 Management review (and ISO 14001, 4.6 Management review)
  • 8.3 Control of nonconforming product
  • 8.5.2 Corrective action
  • 8.5.3 Preventive action
  • ISO 14001, 4.4.7 Emergency preparedness and response
  • ISO 14001, 4.5.3 Nonconformity, corrective action and preventive action

I welcome your comments on the table and any experiences you’ve had linking quality or environmental management to financial management. These experiences can be with respect to SOX or with respect to your normal business activities.

 

Sandy Liebesman, sandfordl@msn.com

September 27, 2007

Guidance on Monitoring Internal Control Systems

COSO has drafted its Discussion Document, Guidance on Monitoring Internal Control Systems. This 52-page document is available for your review and comments until 31-Oct-07. The guidance elaborates on COSO's 1992 Internal Control—Integrated Framework.

Background: The COSO Internal Control Framework consists of five interrelated and equally important components, and monitoring is one of them. Internal control (IC) systems exist to help organizations meet their goals and objectives, so organizations need a mechanism for assessing the quality of their internal control systems' performance over time. That mechanism is monitoring. Monitoring is effective when it leads to the identification and correction of control weaknesses before they materially affect the achievement of the organization's objectives. Monitoring is a cost-effective approach to providing timely information about the continued effectiveness of an internal control system; as such, effective monitoring should be a net benefit to organizations and their stakeholders.

The scope of COSO “monitoring” maps to these ISO 9001 quality management system clauses:

  • 5.6 Management Review,
  • 8.2 Monitoring and measurement, and
  • 8.4 Analysis of data.

Now is a good time for quality managers, engineers, and auditors to visit their finance / accounting organization, offer a joint review of this document, and decide how the QMS can better support SOX internal controls.

July 26, 2007

PCAOB’s new Audit Standard (AS5) for Internal Control over Financial Reporting is Approved by the SEC

AS5, An Audit of Internal Control over Financial Reporting (ICoFR) That Is Integrated with an Audit of Financial Statements, was approved by the Securities and Exchange Commission on 25-Jul-07 and replaces the PCAOB's previous internal control auditing standard, AS2. SEC-registered audit firms are required to use the new standard for all audits of internal control for clients with fiscal years ending on or after 15-Nov-07.

The SEC expects that the new auditing standard, in combination with the Commission's new management guidance, will make Section 404 audits and management evaluations more risk-based and scalable to company size and complexity.

Compared with AS2, AS5:

  • is less prescriptive
  • makes the audit scalable - so it can change to fit the size and complexity of any company
  • directs auditors to focus on what matters most - and eliminates unnecessary procedures from the audit
  • includes a principles-based approach to determining when and to what extent the auditor can use the work of others

Using the above SEC guidance, now is the time for quality managers, engineers, and auditors to offer their expertise in revising and auditing their companies' internal controls, from operations into accounting / finance and IT.

July 22, 2007

Five Years of Ensuring Corporate Integrity

The U.S. President's Corporate Fraud Task Force has put out a fact sheet, President's Corporate Fraud Task Force Marks Five Years of Ensuring Corporate Integrity, which reports 1,236 corporate fraud convictions to date, including:
  • 214 chief executive officers and presidents;
  • 53 chief financial officers;
  • 23 corporate counsels or attorneys; and
  • 129 vice presidents
More than 50 defendants have been charged under new securities-fraud provisions of Sarbanes-Oxley (SOX).
The corporate fraud charges brought over these five years have included:
  • securities fraud,
  • insider trading,
  • market manipulation,
  • obstruction of justice,
  • false statements,
  • stock option backdating,
  • conspiracy,
  • money laundering,
  • wire fraud, and
  • violations of the Foreign Corrupt Practices Act [which itself requires internal controls]
Implementing SOX 404 / 302 internal controls creates transparency between top, middle, and lower management levels and across organizational units. The SOX whistle-blower provision allows knowledgeable employees to safely challenge financial reporting misinformation within the corporation. When allegations are not addressed, these employees can alert the SEC to investigate. The SEC passes corporate fraud specifics to the Department of Justice to investigate and prosecute.

June 29, 2007

Guidance regarding Management's Report on Internal Control over Financial Reporting - SEC

The SEC has released its final interpretive guidance for management and related rule amendments, as well as a proposed rule seeking comment on the definition of “significant deficiency” with respect to the internal control reporting rules:

  • Interpretive Guidance: Commission Guidance Regarding Management's Report on Internal Control Over Financial Reporting Under Section 13(a) or 15(d) of the Securities Exchange Act of 1934.
  • Final rule: Amendments to Rules Regarding Management’s Report on Internal Control over Financial Reporting
  • Proposed Rule-Request for Additional Comment: Definition of Significant Deficiency.
  • SEC Requests Additional Comments on PCAOB Auditing Standard No. 5: The SEC recently requested additional comments about specific areas of PCAOB Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting That is Integrated With an Audit of Financial Statements. The comment period ends July 12. 
The first document, on Management's Report on Internal Control Over Financial Reporting, is the most important to quality managers, engineers, and auditors, as it shows where they can help management and the finance department in the design, management, and auditing of internal controls. This promises large cost savings from reducing both external consultants and external auditing days.

May 27, 2007

PCAOB approves new auditing standard AS5

On 24-May-07, the Public Company Accounting Oversight Board (PCAOB) voted to adopt Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements (AS5), to replace the infamous, expensive, and much longer 161-page Auditing Standard No. 2.

The new 98-page external auditing standard AS5 is principles-based, more risk-based and scalable, and designed to increase the likelihood that material weaknesses in internal control will be found before they result in material misstatement of a company's financial statements, while at the same time eliminating unnecessary procedures and allowing use of the “work of others”.

PCAOB dropped the proposed AS6 on using the work of others and is retaining the existing 8-page AU sec. 322, "The Auditor's Consideration of the Internal Audit Function in an Audit of Financial Statements".

Quality auditing professionals will appreciate AS5, as it allows the external auditor to use the work of others to obtain evidence about the design and operating effectiveness of controls and eliminates the principal evidence provision. AS5 mentions “work of others” 30 times, “operations” 16 times, and “IT” 22 times; thus AS5 brings Operations, Quality, and IT into focus, which can allow companies to rely more on existing resources while reducing external expenses.

April 05, 2007

SEC responds to public comments on proposed changes to Sarbanes-Oxley rules and standards

On 4-Apr-07, the SEC Commissioners held an open meeting on the many public comments on the proposed changes to Sarbanes-Oxley (SOX) rules and auditing standards. ASQ President Ronald D. Atkinson had sent to both the U.S. SEC and the PCAOB the consolidated comments from ASQ Sarbanes-Oxley (SOX) experts.

The direction the SEC Commissioners gave to SEC and PCAOB staff was to

  • improve Sarbanes-Oxley implementation,
  • ease Smaller Company burdens,
  • focus effort on 'What Truly Matters', the integrity of the financial statements

Specific direction was given to the PCAOB that the replacement auditing standard should follow a principles-based approach to determining when and to what extent the auditor can use the work of others. The ASQ comments also stressed the capability of quality managers, engineers, and auditors to produce accurate and unbiased company records that can be used both internally, by top management and the board of directors, and externally, by the financial auditors. When the auditors use the work of others, public companies save both time and money. The challenge to companies is whether to hire consultants or to train their own staff to create useful records.

February 24, 2007

ASQ provides direction on proposed changes to Sarbanes-Oxley rules and standards

ASQ President Ronald D. Atkinson sent to both the U.S. SEC and the PCAOB the consolidated comments from ASQ Sarbanes-Oxley (SOX) experts on 23-Feb-07. Mr. Atkinson noted that ASQ recognizes the importance of the Sarbanes-Oxley Act (SOX) to the global economy and the role it plays for investors by providing transparency in organizational finances. To this end, in 2004 ASQ instituted a new organization, the Sarbanes-Oxley (SOX) Community. The goal of this community is to foster dialogue on the role quality and environmental management systems can play in supporting organizations' compliance with the Act. A major part of the SOX Team effort has been to look for ways of “building quality” into the development of financial reports.

Regarding SEC’s Proposed Rule: Management's Report on Internal Control Over Financial Reporting, ASQ comments are on http://www.sec.gov/comments/s7-24-06/s72406.shtml

Regarding PCAOB’s Proposed Auditing Standard – An Audit of Internal Control Over Financial Reporting that is Integrated with an Audit of Financial Statements, ASQ comments are on http://www.pcaob.org/Rules/Docket_021/Comments/all.pdf

Background on these proposed rules and standards can be found in previous blog entries.
