How to reuse the basic ISO 9001 elements to support SOX implementation
Quality Managers who run a robust Quality Management System (QMS) can support the financial / accounting / auditing compliance organizations within their companies in meeting the intent of Sarbanes-Oxley (SOX) by training those departments to share or reuse the basic ISO 9001 elements.
The six ISO 9001:2000 quality management elements that must be documented as procedures lay the groundwork for many of the components of the Internal Control - Integrated Framework (1992) published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
4.2.2 Documentation
The financial / accounting processes and controls must be documented for compliance with SOX audits. Most of the financial processes and controls occur in the key business processes, which are already documented by the Quality Management System.
4.2.4 Records
Records must be retained for compliance with SOX audits.
Quality records contain much of the non-financial information that is a significant input to SOX compliance.
8.2.2 Internal Audit
Internal financial audits must be planned, conducted, and recorded for compliance with SOX audits, because the internal financial audits give top executives and the Board of Directors' Audit Committee the status of the internal control structure.
While the financial system and its controls can be complex, most of the auditing activity is compliance testing, which does not require CPA certification. With minimal instruction and oversight, compliance testing could be performed by trained internal quality auditors.
8.3 Control of Non-Conforming Product
The main output of the financial / accounting process is accurate financial results. Errors need to be identified and controlled as "Non-Conforming Product" to prevent their unintended use or delivery. Errors are symptoms of weak internal controls. The results of internal financial audits, most notably hard findings expressed as Material Weaknesses, should be managed with this element and the following clause 8.5.2:
8.5.2 Corrective Action
From both errors and audit findings, actions are required to eliminate the cause of nonconformities in order to prevent recurrence. These actions of identification, root cause analysis, corrective action planning and monitoring, and verification of effectiveness demonstrate a highly controlled and transparent methodology of corporate governance.
8.5.3 Preventive Action
Risks should be considered, and controls designed and introduced, to eliminate the causes of potential nonconformities in order to prevent their occurrence. This clause and the following clause 5.6 are the basis for risk assessment and management, which corresponds to the COSO component "Risk Assessment".
5.6 Management Review
Compliance with SOX section 404 requires a series of management reviews and an assessment of the effectiveness of the internal control structure for financial reporting.
Compliance with SOX section 302 requires management to disclose to the external financial auditor and the Audit Committee all significant deficiencies and any material weaknesses in internal controls.
Conclusion:
Most companies, in the rush to SOX compliance, have bypassed the Quality and Environmental Management System infrastructure and tools. These six basic elements represent a helping hand to the financial / accounting / auditing groups in their organization.
Comments
You've hit the nail on the head, John! And to be clear, if we in the quality community do not bring our tools to the financial community, they will impose theirs on us in the name of financial risk management. Ours (especially if the audit function embraces the process approach) monitor system excellence, while theirs are designed to monitor compliance.
The time to bring these basic tools to the attention of your CFO is right now, not "some day." The opportunities are huge.
Posted by: Paul Palmes | November 15, 2005 09:20 AM
Are all 7 of the 6 elements necessary?
Posted by: a counter | June 3, 2008 12:23 AM