Sarbanes-Oxley: November 2005 Archives

November 17, 2005

Expanding Quality Management System to support SOX implementation

Quality Managers working with a robust Quality Management System (QMS) can support the financial / accounting / auditing compliance organizations within their companies to meet the intent of Sarbanes-Oxley (SOX). One approach is to train and deploy all ISO 9001 processes into the financial / accounting / auditing departments, as most ISO clauses map into the SOX COSO Internal Control Components.

The expansion of the robust QMS into finance / accounting departments brings finance and operations closer together and has several benefits:

  • Reuses existing QMS rigor and methods to manage  finance / accounting departments
  • Allows greater specificity and frequency for financial analysis and reporting 
  • Makes available economic information for product and process improvement (e.g. Six Sigma)
  • Makes available economic information for decision making and priority setting

As financial / accounting / auditing departments learn about the COSO Internal Control – Integrated Framework, they will understand the important rationale of integrated operations, financial reporting, and regulation compliance. The robust QMS can support the integrated internal control framework when extended into financial / accounting / auditing departments.

The ASQ SOX Workshop explains many of these implementation and alignment details.  One workshop document is the two-way mapping of ISO 9001 and ISO 14001 clauses into the components of the COSO Internal Control – Integrated Framework.  The coverage is remarkable.

Due to regulatory boundaries, neither the SEC nor the PCAOB provides guidance documents for the internal financial auditors. So when the PCAOB published the Accounting Standard 2 (AS2) for the external financial auditors (e.g. the big four), many financial / accounting / auditing departments went off in a mistaken direction of “duplication”. Just as many quality departments and their internal quality auditors originally strived to duplicate the activities of external Registrar quality auditors, with little value added, the internal financial auditors also duplicate the activities of external financial auditors. In fact, some companies' Board of Directors Audit Committees hired expensive financial consultants to duplicate the internal financial auditors' work. These “duplication” activities resulted in little value and much frustration, as company operations were audited three times for their first SOX reporting period.

Managers and directors of quality management systems interested in their synergy with SOX and the financial / accounting / auditing compliance organizations within their companies need not look much farther than their own primary processes to find “connective tissue” and cost savings opportunities in the approach above.

November 09, 2005

How to reuse the basic ISO 9001 elements to support SOX implementation

Quality Managers working with a robust Quality Management System (QMS) can support the financial / accounting / auditing compliance organizations within their companies to meet the intent of Sarbanes-Oxley (SOX) by training the financial / accounting / auditing departments to share or reuse the basic ISO 9001 elements.

The six required-as-documented ISO 9001:2000 Quality Management elements are the groundwork for much of the Internal Control – Integrated Framework (1992) by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

 

4.2.2    Documentation

The financial / accounting processes and controls must be documented for compliance with SOX audits.

Most of the financial processes and controls occur in the key business processes, which are already documented by the Quality Management System.

4.2.4    Records

Records must be retained for compliance with SOX audits.

Quality records contain much of the non-financial information that is a significant input to SOX compliance.

8.2.2    Internal Audit

Internal financial audits must be planned, conducted, and recorded for compliance with SOX audits, as the internal financial audits provide top executives and the Board of Directors Audit Committee with the status of the internal control structure.

While the financial system and its controls can be complex, most of the auditing activities are compliance testing, which does not require CPA certification. With minimal instruction and oversight, compliance testing could be performed by a trained internal quality auditor.

8.3       Control of Non-Conforming Product

The main output of the financial / accounting process is accurate financial results. Errors need to be identified and controlled as “Non-Conforming Product” to prevent their unintended use or delivery. Errors are symptoms of weak internal controls. The results of internal financial audits, most notably hard findings expressed as Material Weaknesses, should be managed with this element and the following clause 8.5.2:

8.5.2    Corrective Action

From both errors and audit findings, actions are required to eliminate the cause of nonconformities in order to prevent recurrence. These actions of identification, root cause identification, corrective action planning and monitoring, and verification of effectiveness would demonstrate a highly controlled and transparent methodology of corporate governance.

8.5.3    Preventive Action

Risks should be considered, and controls designed and introduced, to eliminate the causes of potential nonconformities in order to prevent their occurrence. This clause and the following 5.6 are the basis for risk assessment and management, which correlates to the COSO component “Risk Assessment”.

5.6       Management Review

Compliance with SOX section 404 requires a series of management reviews and assessment of the effectiveness of the internal control structure for financial reporting.

Compliance with SOX section 302 requires management disclosure to the external financial auditor and the Audit Committee of all significant deficiencies and any material weaknesses in internal controls.

Conclusion: 

Most companies, in the rush to SOX compliance, have bypassed the Quality and Environmental Management System infrastructure and tools.  These 6 basic elements represent a helping hand to the financial / accounting / auditing groups in their organization.