Sarbanes-Oxley: October 2005 Archives


October 31, 2005

How Quality Managers can support SOX implementation

Quality Managers working with a robust Quality Management System (QMS) can support the financial / accounting / auditing compliance organizations within their companies in meeting the intent of Sarbanes-Oxley (SOX).

There are several approaches:

  1. Train the financial / accounting / auditing departments to reuse the basic ISO 9001 processes
  2. Train and deploy all ISO 9001 processes into the financial / accounting / auditing departments, since most ISO clauses map onto the COSO components that SOX relies on
  3. Extend the management system to cover all the business and financial risks and controls, covering both the financial / accounting / auditing departments and the key business processes up to the enterprise level
  4. Extend the management system to cover all the business and financial risks and controls, covering the financial / accounting / auditing / Information Technology (IT) departments and the key business processes up to the enterprise level
  5. Redesign the management system as an Integrated Management System (IMS)
  6. Redesign the management system to include Enterprise Risk Management (ERM) systems

Managers and directors of quality management systems interested in their synergy with SOX and with the financial / accounting / auditing compliance organizations within their companies need not look much farther than their own primary processes to find “connective tissue” and cost-savings opportunities in approach #1 above: reuse the basic ISO 9001 processes.  The six ISO 9001:2000 elements that must be maintained as documented procedures lay the groundwork for many of the COSO internal controls grouped under the general heading of the “Control Environment.”  Those six, together with 5.6 Management Review, are the helping hand quality can offer the financial / accounting / auditing groups in their organization: 4.2.3 Control of Documents, 4.2.4 Control of Records, 8.2.2 Internal Audit, 8.3 Control of Nonconforming Product, 8.5.2 Corrective Action, 8.5.3 Preventive Action, and 5.6 Management Review.

John Walz

October 28, 2005

Who in Quality can support SOX implementation?

For the last three years, corporate America has invested over $30 billion in understanding and implementing the Securities and Exchange Commission (SEC) rules that implement the Sarbanes-Oxley Act of 2002 (SOX).  Most of the effort has gone into two sections, 302 and 404, which cover the company’s “internal controls”.  For its definition of internal control the SEC refers to the 1992 COSO guidance report “Internal Control – Integrated Framework”.

In an October 2003 article in Quality Progress magazine, two ASQ members and contributors to the ISO standard, Sandy Liebesman and Paul Palmes, proposed that ISO 9000 or ISO 14000 auditors are well equipped to lead a SOX compliance investigation. This assertion has been followed up with

This blog will continue the dialog with quality practitioners, and hopefully with their company executives, on how quality practitioners can work with their finance and accounting peers to implement and assess SOX compliance.

I believe these quality practitioners come from three parts of the ASQ membership:

  • Quality Managers,
  • Quality Engineers, and
  • Quality Auditors

Future blog entries will strive to serve these groups.

John Walz