Table Comparing COSO and ISO 9001
The COSO Guidance consists of five elements: (1) Internal Control Environment, (2) Information and communication, (3) Risk Assessment, (4) Monitoring, and (5) Control Activities. I published in the September 2005 Quality Progress, the following article comparing the COSO guidance with ISO 9001:2000: “Mitigate SOX Risk with ISO 9001 and 14001,” Standards Outlook, Quality Progress, September 2005, 91-93. Recently I expanded the table in the article to include specific items in each COSO element. The new table below shows a clearer link between the COSO elements and ISO 9001:2000 requirements.
Table Comparing COSO Guidance with ISO 9001:2000 Requirements
COSO model for SOX | ISO 9000 | Clause |
| 1. Internal Control Environment | 4.1 | Quality management system |
| *Foundation for all other COSO elements. *Does the organization do things right? *Does the organization do the right things and maintain a high degree of integrity in its dealings? *Few complaints alleging misconduct are received from customers or others. *Competence of personnel maintained. *Effective management style or “Tone at the Top” maintained. | 5.3 | Quality policy |
| 5.4.1 | Quality objectives | |
| 5.5.3 | Internal communication | |
| 6.1 | Provision of Resources | |
| 6.2.2 | Employee competence | |
| 7.1 | Planning Product Realization | |
| 8.1 | Planning Measurement, Analysis and Improvement | |
| 2. Information and communication | 4.2.3 | Control of Documents |
| *Information captured and communicated enabling people to carry out their responsibilities. *Reports used to run and control the business. *Information about external events, activities and conditions for making informed business decisions. * How is information identified, captured, and communicated? Does it flow across the organization? * Do employees understand their roles in the control process? * Are there processes in place to address employee, supplier, and customer concerns in a timely manner? | 4.2.4 | Control of Records |
| 5.1 | Top management communication | |
| 5.5.3 | Internal Communication | |
| 7.2 | Customer Requirements | |
| 7.2.3 | Customer communication | |
| 7.4 | Purchasing | |
| 7.4.2 | Supplier communication | |
| 3. Risk Assessment | 5.4.1 | Measurable Objectives |
| * Establishment of objectives, linked at different levels and internally consistent. * Identification, analysis and management of risks to achieving objectives. * Mechanisms to deal with change and the risks relevant to change. * Effective Risk Assessment requires:
| 5.6 | Management Review |
| 7.2 | Contract Review | |
| 7.4.3 | Supplier Data | |
| 8.2.1 | Customer Satisfaction Data | |
| 8.2.2 | Internal audit | |
| 8.2.3 | Monitoring and measurement of processes | |
| 8.2.4 | Monitoring and measurement of products | |
| 8.4 | Data Analysis to demonstrate QMS suitability & effectiveness | |
| 8.5.1 | Continual Improvement | |
| 8.5.2 | Corrective Action | |
| 8.5.3 | Preventive Action | |
| 14001,4.3.1 | Environmental Aspects and Identification of Significant Aspects. | |
| 4. Monitoring | 5.4..1 | Measurable Objectives |
| * A process that assesses the quality of the system's performance over time through separate evaluations and/or ongoing monitoring activities * Key tools include internal auditing, management and supervision of operations and actions of personnel performing their duties. * Management is responsible for implementation. * Auditors must drill down to “root causes,” follow audit trails and identify significant deficiencies and material weaknesses. | 5.6 | Management Review |
| 8.2.1 | Customer Satisfaction Data | |
| 8.2.3 | Monitoring and measurement of processes | |
| 8.2.4 | Monitoring and measurement of products | |
| 8.4 | Analysis of data | |
| 8.5.1 | Continual improvement | |
| 5. Control Activities | 5.6 and 14001,4.6 | Management Review |
| * Policies and procedures that help ensure management directives are carried out, including approvals, verifications, the security of assets, authorizations, reconciliations, and the segregation of duties. * Timely actions taken to address risks to the achievement of the entity's objectives, exceptions and information that requires follow-up. * Control activities are based on objectives, risks and what appears to be effective. * Control activities are put in place for significant plans and programs such as the management of supplier products and outsourced services. | 8.3 | Control of Nonconforming Product |
| 8.5.2 | Corrective Action | |
| 8.5.3 | Preventive Action | |
| 14001,4.4.7 | Emergency Preparedness & Response | |
| !4001,4.5.3 | Nonconformity, Corrective Action and Preventive Action |
I welcome your comments on the table and any experiences you’ve had linking quality or environmental management to financial management. These experiences can be with respect to SOX or with respect to your normal business activities.
Sandy Liebesman, sandfordl@msn.com
Comments
In a process-based management system any set of new requirements is seen as a set of new processes or controls to add to existing processes. Policies may also be affected but the complexity is the integration of the new processes and controls with the management system. ISO 9001 is designed to put us beyond comparing standards with regulations, rather to integrate any set of new or changed requirements from customers, other system standards or regulators as I have described above. It would be better to break-down SOX into a list of new processes and controls for integration into management systems that truly conform to the process-based management systems specification ISO 9001.
Posted by: John Broomfield | April 11, 2008 07:52 PM
I look for training course regarding internal control
Posted by: Yahia El Sadig Sulieman | June 21, 2008 04:22 AM