
Expanding Quality Management System to support SOX implementation

Quality Managers working with a robust Quality Management System (QMS) can support the financial / accounting / auditing compliance organizations within their companies to meet the intent of Sarbanes-Oxley (SOX). One approach is to train and deploy all ISO 9001 processes into the financial / accounting / auditing departments, as most ISO clauses map into the SOX COSO Internal Control Components.

The expansion of the robust QMS into finance / accounting departments brings finance and operations closer together and has several benefits:

  • Reuses existing QMS rigor and methods to manage finance / accounting departments
  • Allows greater specificity and frequency for financial analysis and reporting
  • Makes available economic information for product and process improvement (e.g. Six Sigma)
  • Makes available economic information for decision making and priority setting

As financial / accounting / auditing departments learn about the COSO Internal Control – Integrated Framework, they will understand the important rationale of integrated operations, financial reporting, and regulatory compliance. The robust QMS can support the integrated internal control framework when extended into financial / accounting / auditing departments.

The ASQ SOX Workshop explains many of these implementation and alignment details. One workshop document is the two-way mapping of ISO 9001 and ISO 14001 clauses into the components of the COSO Internal Control – Integrated Framework. The coverage is remarkable.

Due to regulatory boundaries, neither the SEC nor the PCAOB provides guidance documents for internal financial auditors. So when the PCAOB published Accounting Standard 2 (AS2) for the external financial auditors (e.g. the Big Four), many financial / accounting / auditing departments went off in a mistaken direction of “duplication”. Just as many quality departments and their internal quality auditors originally strove to duplicate the activities of external Registrar quality auditors, with little value added, the internal financial auditors also duplicated the activities of external financial auditors. In fact, some companies' Board of Directors Audit Committees hired expensive financial consultants to duplicate the internal financial auditors' work. These “duplication” activities resulted in little value and much frustration, as company operations were audited three times for their first SOX reporting period.

Managers and directors of quality management systems interested in their synergy with SOX and the financial / accounting / auditing compliance organizations within their companies need not look much farther than their own primary processes to find the “connective tissue” and cost-saving opportunities in the approach above.


Comments

Even though it is quite true that there are similarities between COSO and ISO, don't expect the financial executives (including CFOs and Audit Committees) to jump up and down in welcoming Quality Professionals in helping them with the SOX tasks.

First, there frequently is little understanding from the financial executives what ISO incorporates and they may not be interested in being exposed to ISO.

Second, the prospect of using quality auditors to audit financial records and financial processes may be met with resistance. If you can overcome this resistance, then you must train the quality auditor in financial jargon and concepts.

That being said, there is significant opportunity for improvement in the SOX arena with ISO principles. I have been doing this for some time. While the concept of documenting a process is 2nd nature to a quality professional, it may not be for financial personnel.

However, it is reasonable for an organization to completely separate the SOX and ISO. They have different objectives, ISO being customer satisfaction and SOX being financial record-keeping. You certainly wouldn't want to risk findings in an ISO audit because you have an incorrect Accounting procedure and wouldn't want to risk findings in an Accounting audit because of an improper calibration!

I tend to agree with David. I have some experience with SOx here in Australia, via global companies who need to report back to USA.

In some more leading companies, they embrace the concept of "The Management System", with singular or integrated compliance to ISO 9001, 14001, or other requirements, built into the system. Also, there are often a host of legal/regulatory compliance or reporting requirements, and often these similarly need to be integrated into the management system.

ISO 9001 flags this at clause 5.1a, and ISO 14001 similarly picks it up.

So, what is surely needed is a comprehensive management system covering all risk-identified processes & functions.

Integrated into this is the compliance management system. In Australia there is a standard for this (AS 3806) which explains how to incorporate such requirements into your management system. Find it at http://www.standards.com.au.

Software can be a useful way to manage these kinds of complex requirements. We produce such a product (Advent ManageR Risk & Compliance Management Software). You can get more information at http://www.adventmanager.com.au/

David, thanks for your comments. I have related comments:

Many CEOs and CFOs are looking for help with the SOX tasks:
- High costs are driving alternatives to external financial consultants
- Many companies are staffing up their Internal Financial Audit (IFA) department or outsourcing the work
- IFA may want to share the financial control testing drudgery with others in the company.

CFOs normally have little understanding of what ISO incorporates:
- The burden is on the Quality Manager / Director to communicate their robust management system to their top executives, including CFO & CIO. If they have a minimal ISO 9001 registration then it is probably a NO-GO.

Financial & IFA department resistance to help from quality:
- To overcome resistance, first, keep the IFA in charge of their audit team with IQA members
- Next, train the quality auditor in financial jargon and concepts
- Next, redefine the 'financial processes' into the key business processes, which are scattered with financial controls; these key business processes should be shared by both IFA & IQA

Don't separate the SOX and ISO:
- Top executives have to manage all risks: financial, quality, environmental, security, occupational health & safety, etc. They and the Board Audit Committee need a balanced picture of what the company's risks are and their future potential.
- Many companies have learned how to integrate QMS (customers) & EMS (local Gov't); the next step is to integrate the financials (SEC). The benefits are better risk management and directed Quality Improvement projects based on financial impact.

ISO audit findings - Registration risks:
- All audit findings, whether financial or quality, need to be addressed. Robust management systems know how to correct audit issues. Today, unaddressed financial issues have a much larger impact than quality issues on company reputation. External ISO 9001 auditors will focus mostly on operations, while external financial audits will follow SEC Audit Standards on financial reporting.

Jeff Ryall,
I agree with you that we need to help companies having robust QMS / EMS systems move to "The Management System", with singular or integrated compliance to ISO 9001, 14001, or other requirements built into the system. Also include the host of legal / regulatory compliance or reporting requirements, as often these similarly need to be integrated into the management system.

In the name of complexity and exactness we've done great harm to common sense and sound business practices. In one of John's replies above he simply states that SOX and ISO be combined as both are risk management (RM) tools - the added implication being that more effective RM is favorable to top management. The classic dividing points between the Finance and Quality disciplines amounts to little more than the claims each side makes to maintain any trade barrier. Each side has yet to realize the operational and financial gain that integration will yield. Until then, we'll argue about the arcane, mostly to maintain our separate disciplines.

Of course, and in time, those who pay our salaries will one day impose the obvious on both factions in the name of efficiency and ROI. Now, if I were a betting man, I'd not put my money on today's QA professional. The call for integrated RM will come from the boardroom, and as things stand today, the CFO's will be first to respond, not the CQM's.

How many more years will pass until we actually are "training the quality auditor - and quality professionals in general - in financial jargon and concepts?" What's preventing us from doing this? Isn't ASQ's current celebrity cause entitled the "Economic Case for Quality?" (ECQ)

Just for a minute, let's assume that all the CEOs in the country actually embrace this premise and seek greater input and relevance from the average quality practitioner over the next two years. Will our peers be prepared for the level of discourse and financial awareness that the average CEO finds in other board members and members of his finance committee?

Let me be blunt: Without financial training, the current ECQ might well prove to be a huge burden on the rank and file, exposed as neophytes and found wanting by their leadership.

David C., respectfully, I couldn't disagree more when you claim not to want to see finance and quality intermingled as described... Either the accounting procedure or the calibration problem could well be an organization's undoing. I could care less who finds it or in whose report it finds the light of day; unacceptable risk is still unacceptable risk.

Would not reporting all of a company's internal supplier returns be a violation of Sarbanes-Oxley? Example: A company returns 10000 pieces back to a sister plant for bad quality (unusable), but only reports 1000 on internal metrics.

Mark,
SOX law affects the company at the enterprise level. Companies using Six Sigma and Lean methods to aggressively track and reduce their cost of quality (COQ) may have a COQ line item in their financial reporting. If internal divisions accurately report COQ separately, then the enterprise roll-up can result in an accurate financial report. If a division hides part of their COQ in another expense line item, then the enterprise financial report may be misleading to the financial analysts.

A running theme in the posting and the comments appears to be education -- people have to be trained on the appropriate mechanisms and practices for compliance in their quality systems. One opportunity to improve the knowledge level is through the conference at Quality Expo Detroit in June (www.qualitydetroit.com), which will include several ASQ-sponsored sessions. For anyone who wants to benefit from the practical expertise of those who have "been there and done it", this might be a conference event worth checking out.
