" /> Sarbanes-Oxley: January 2006 Archives


January 30, 2006

SOX 404 & ISO 9001 & ISO 14001 & ISO 27001 (BS 7799)

Sarbanes-Oxley's (SOX) toughest requirement is Section 404, “Internal Controls”. The SEC decided that COSO guidance on Internal Controls was a good yardstick for companies to use or to improve on. COSO then went on to define Enterprise Risk Management (ERM). Why? Because internal controls have a lot to do with RISKS.
ISO 9001 helps management build good products with minimal quality RISKS, and ISO 14001 includes environmental RISK management.

As the IT department normally runs both operations and financial systems, the IT risks also need to be managed. A well-managed IT department can use:

  • ISO 9001:2000 “Quality Management System - Requirements”
  • ISO 27001:2005 (BS 7799) "Information Security Management - Specification With Guidance for Use"
  • CobiT 2005 "Control Objectives for Information and related Technology"
  • SEI CMMI-SW 2002 “Capability Maturity Model Integrated – Software Engineering”

So your management system needs to have enterprise coverage for SOX and depth to include all departments related to finances, including the IT department. This management system should include risk management for all types of risks: quality, environmental, security, fraud, etc.

January 29, 2006

SOX for Small and unlisted businesses

While SOX requirements are being pushed down to the small companies listed on stock exchanges, many unlisted companies seem happy with financial "business as usual".

Now if your small and unlisted company has a quality management system with quality objectives of growth, then at some point the management will have “public” decisions to make:

  • raise public funds,
  • become listed on a stock exchange,
  • become acquired by a larger company

In these public cases, your company's financial records and controls will be scrutinized for accuracy and transparency. This is where the Sarbanes-Oxley (SOX) discipline is required.

Why not start today with accurate and transparent operational records for the finance and accounting departments to summarize for top management and the board of directors?

January 14, 2006

Smaller Public Companies Reporting on Internal Control over Financial Reporting

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has published for comment its draft of guidance for smaller public companies on using its framework to address the Sarbanes-Oxley (SOX) internal control provisions. This 207-page guidance is related to the Securities and Exchange Commission’s September decision to delay the effective date of SOX Section 404 by another year for smaller public companies. The conclusion is that there are no shortcuts for small businesses ($200 million in revenue or less) to complying with the Sarbanes-Oxley Section 404 internal control requirements. Amazingly, the committee that developed it found many attributes and sub-attributes within the five COSO components and elevated them to 26 principles and 105 attributes. As you know, ISO 9000 has only eight principles.

My negative comments include:

  • The flawed approach focuses only on one of the three COSO Integrated Framework objectives: reliability of financial reporting.  This narrow focus will result in frustrated external auditors and additional company expense for actions that are not value-added. By ignoring the important COSO objective: Effectiveness and efficiency of Operations, this document’s approach is to “do extra” and not integrate financial reporting into the operations.
  • The document is too prescriptive and verbose as it specifies too many principles, which are neither foundational, nor fundamental essences. The main document content of 122 pages is larger than the 1992 COSO Internal Control-Integrated Framework of 92 pages and this document has a much narrower scope. This confusion will result in larger company expense for external financial consultants.
  • Operations management can understand Internal Controls from the 1992 COSO document. This document feels like a teacher (PwC) teaching them how to pass the test.

Your comments are welcomed on http://www.ic.coso.org/ until 15-Jan-06.

January 13, 2006

Risk management in other Standards

The common theme between SOX and QMS/EMS is managing risks: financial, quality, and environmental. The last two blog posts covered risk management as defined by ISO 9001/9004 quality management and ISO 14001/14004 environmental management. They also referenced the 1 ½ pages in ISO 10006, guidelines for quality management in projects. This post reveals risk management in other standards. Two standards on software life cycles have one-page definitions of the Risk Management phases:

IEEE/EIA 12207.2-1997 Software Life Cycle Processes Annex L

  • Risk planning
  • Risk identification
  • Risk analysis
  • Risk mitigation
  • Risk tracking and control

And ISO/IEC 16085:2004 (Previously IEEE Std. 1540-2001) Software Life Cycle Processes—Risk Management

  • Plan and implement risk management
  • Manage the project risk profile
  • Perform risk analysis
  • Perform risk monitoring
  • Perform risk treatment
  • Evaluate the risk management process

The details are provided by the Project Management Institute, which is the steward of the Project Management Body of Knowledge (PMBOK). Its PMBOK 2004 Third Edition has 22 pages in Chapter 11, Project Risk Management, on the processes to manage project risk. The six processes are:

  • Risk Management Planning—deciding how to approach and plan the risk management activities for a project.
  • Risk Identification—determining which risks might affect the project and documenting their characteristics.
  • Qualitative Risk Analysis—performing a qualitative analysis of risks and conditions to prioritize their effects on project objectives.
  • Quantitative Risk Analysis—measuring the probability and consequences of risks and estimating their implications for project objectives.
  • Risk Response Planning—developing procedures and techniques to enhance opportunities and reduce threats to the project’s objectives.
  • Risk Monitoring and Control—monitoring residual risks, identifying new risks, executing risk reduction plans, and evaluating their effectiveness throughout the project life cycle.

These standards represent the best practices for quality / environmental managers and business process owners to work in the risk management processes to manage risks: financial, quality, and environmental.

January 03, 2006

Risk management in ISO 9004 standard

For organizations with an effective working ISO 9001 management system, ISO 9004 provides guidance on performance improvements to specific organizational needs.  There are nine clauses with guidance on managing risks:

5.1 Management Commitment: Management consideration should be given to identifying and managing risks, and exploiting performance improvement opportunities.

5.4.2 Quality management system planning: Inputs for effective and efficient planning include related risk assessment and mitigation data.

5.6.3 Management Review output: Review outputs to enhance efficiency include loss prevention and mitigation plans for identified risks.

6.3 Infrastructure: The plan for the infrastructure should consider the identification and mitigation of associated risks and should include strategies to protect the interests of interested parties.

7.1 Planning of product realization: An operating plan should be defined to manage the processes, including identification, assessment and mitigation of risk. Risk assessment should be undertaken to assess the potential for, and the effect of, possible failures or faults in processes. The results should be used to define and implement preventive actions to mitigate identified risks.

7.3.1 Design and development planning: Management has the responsibility to ensure that steps are taken to identify and mitigate potential risk to the users of the products and processes of the organization. Risk assessment should be undertaken to assess the potential for, and the effect of, possible failures or faults in products or processes. The results of the assessment should be used to define and implement preventive actions to mitigate the identified risks.

7.4.1 Purchasing process: To ensure the effective and efficient performance of the organization, management should ensure that purchasing processes consider identification and mitigation of risks associated with the purchased product.

7.5.3 Identification and traceability: The need for identification and traceability may arise from mitigation of identified risks.

8.5.3 Preventive action: Planning for loss prevention should be systematic and based on data, such as the use of risk analysis tools like fault mode and effects analysis.


This ISO 9004 guidance is aligned with ISO 10006:2003 Quality management systems — Guidelines for quality management in projects section 7.7 Risk-related processes clauses:

  • Risk identification
  • Risk assessment
  • Risk treatment
  • Risk control