I welcome your comments on the table and any experiences you’ve had linking quality or environmental management to financial management. These experiences can be with respect to SOX or with respect to your normal business activities.

Sandy Liebesman, sandfordl@msn.com

Background: The Internal Control Framework consists of five interrelated and equally important components. Monitoring is one of the five IC components. Internal control systems (IC) exist to help organizations meet their goals and objectives. Organizations need a mechanism for assessing the quality of their internal control systems’ performance over time. That mechanism is monitoring. Monitoring is effective when it leads to the identification and correction of control weaknesses before they materially affect the achievement of the organization’s objectives.  Monitoring is a cost-effective approach to providing timely information about the continued effectiveness of an internal control system. As such, effective monitoring should be a net benefit to organizations and their stakeholders.

The scope of COSO “monitoring” maps to ISO 9001 Quality Management System Clauses

• 5.6 Management Review,
• 8.2 Monitoring and measurement, and
• 8.4 Analysis of data.

Now is a good time for the quality managers, engineers, and auditors to visit your finance / accounting organization to offer a jointly review of this document and to decide how your QMS can better support SOX Internal Controls.

SEC expects the new auditing standard, in combination with the Commission's new management guidance will make Section 404 audits and management evaluations more risk-based and scalable to company size and complexity.

AS5 improvements include:

• is less prescriptive
• makes the audit scalable - so it can change to fit the size and complexity of any company
• directs auditors to focus on what matters most - and eliminates unnecessary procedures from the audit
• includes a principles-based approach to determining when and to what extent the auditor can use the work of others

Using the above SEC guidance, now is the time for quality managers, engineers, and auditors, to offer their expertise in revising and auditing their companies internal controls from operations into accounting / finance and IT. 

• 214 chief executive officers and presidents;
  
• 53 chief financial officers;
  
• 23 corporate counsels or attorneys; and
  
• 129 vice presidents
  

• securities fraud,
  
• insider trading,
  
• market manipulation,
  
• obstruction of justice,
  
• false statements,
  
• stock option backdating,
  
• conspiracy,
  
• money laundering,
  
• wire fraud, and
  
• violations of the Foreign Corrupt Practices Act [which required Internal Controls]
  

• Interpretive Guidance: Commission Guidance Regarding Management's Report on Internal Control Over Financial Reporting Under Section 13(a) or 15(d) of the Securities Exchange Act of 1934.
  
• Final rule: Amendments to Rules Regarding Management’s Report on Internal Control over Financial Reporting. 
  
• Proposed Rule-Request for Additional Comment: Definition of Significant Deficiency." 
  
• SEC Requests Additional Comments on PCAOB Auditing Standard No. 5: The SEC recently requested additional comments about specific areas of PCAOB Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting That is Integrated With an Audit of Financial Statements. The comment period ends July 12. 

The new 98 page external auditing standard AS5 is principles-based, more risk-based and scalable, and designed to increase the likelihood that material weaknesses in internal control will be found before they result in material misstatement of a company's financial statements, and, at the same time, eliminate procedures that are unnecessary, and use the “work of others”.

PCAOB dropped the proposed AS6 on using the work of others and is retaining the existing 8 page AU sec. 322, "The Auditor's Consideration of the Internal Audit Function in an Audit of Financial Statements" 

The quality auditing professionals will appreciate AS5 as it allows the external auditor to use the work of others to obtain evidence about the design and operating effectiveness of controls and eliminates the principal evidence provision. AS5 mentions 30x “work of others” 30 times, "operations" 16 times, and "IT 22 times; thus AS5 brings Operations, Quality, and IT into focus that can allow companies to rely more on existing resources, while reducing external expenses.

The SEC Commissioners provided direction to SEC and PCAOB staff was to

• improve Sarbanes-Oxley implementation,
• ease Smaller Company burdens,
• focus effort on 'What Truly Matters', the integrity of the financial statements

Specific direction was given to PCAOB on the replacement auditing standard to following a principles-based approach to determining when and to what extent the auditor can use the work of others.  The ASQ comments also stressed the capability of quality managers, engineers, and auditors to produce accurate and unbiased company records that can be used by both internally the top management and its board of directors and the externally by the financial auditors. When the auditors use the work of others the result is both time and money are saved for public companies. The challenge to companies is whether to hire consultants or to train their staff to created useful records.

Regarding SEC’s Proposed Rule: Management's Report on Internal Control Over Financial Reporting, ASQ comments are on http://www.sec.gov/comments/s7-24-06/s72406.shtml

Regarding PCAOB’s Proposed Auditing Standard – An Audit of Internal Control Over Financial Reporting that is Integrated with an Audit of Financial Statements, ASQ comments are on http://www.pcaob.org/Rules/Docket_021/Comments/all.pdf

Background on these proposed rules and standards can be on previous blog entries.

• Two auditing standards replace AS2 - proposal by PCAOB
• SEC proposed guidance to Management on their report on Internal Controls over Financial Reporting
• AS2 proposed changes by PCAOB
  

• SOX and related reforms have produced much more reliable corporate financial statements, which investors rely on when deciding whether to buy or sell shares
• Testing internal financial controls could drive gains in corporate productivity and profits, according to Duncan W. Richardson, chief equity investment officer at Eaton Vance Management
• Executives appear to have a firmer grasp of costs when they talk about operating margins.  Even not-so-good management teams have good controls now, and that leads to an ability to cut costs, according to Richardson
• Annual reports for 2006 will now contain reconciliations to any nonstandard or "pro forma" numbers that companies use to try to spin their results, according to Donald J. Peters, a portfolio manager at T. Rowe Price Group
• Beefed-up disclosure requirements result in companies now deliver numbers with fewer adjustments for unusual charges and write-offs, which in the past have been used to make earnings look better, according to Thomson Financial's Earnings Purity Index

Quality and Environmental Managers can leverage improved information quality and controls into their operations to have an impact on the corporate entity.

• Direct the auditor to the most important controls and emphasize the importance of risk assessment;
  
• Revise the definitions of significant deficiency and material weakness, as well as the "strong indicators" of a material weakness;
  
• Clarify the role of materiality, including interim materiality, in the audit;
  
• Remove the requirement to evaluate management's process;
  
• Permit consideration of knowledge obtained during previous audits;
  
• Direct the auditor to tailor the audit to reflect the attributes of smaller and less complex companies;
  
• Refocus the multi-location testing requirements on risk rather than coverage; and
  
• Recalibrate the walkthrough requirement.

Proposed Auditing Standard - Considering and Using the Work of Others. Whose intent is:

• Allow the auditor to use the work of others, and not just internal audit, for both the internal control audit and the financial statement audit, eliminating a barrier to integration of the two audits;
  
• Encourage greater use of the work of others by requiring auditors to evaluate whether and how to use the work of others to reduce their testing;
  
• Require the auditor to understand the relevant activities of others and determine how the results of that work may affect the audit;
  
• Provide a single framework for using the work of others based on the auditor's evaluation of the combined competence and objectivity of others and the subject matter being tested; and
  
• Eliminate the principal evidence provision previously included in AS No. 2.

The second standard is 20 pages long and will help guide the internal financial, quality, and environmental auditors to provide audit evidence useful to the external auditor who is using the first standard, and thus reduce the overall cost of the SOX 404 audit.

A. The Evaluation Process

1. Identifying Financial Reporting Risks and Controls
2. Evaluating Evidence of the Operating Effectiveness of ICoFR
3. Multiple Location Considerations

B. Reporting Considerations

1. Evaluation of Control Deficiencies
2. Expression of Assessment of Effectiveness of ICoFR by Management and the Registered Public Accounting Firm
3. Disclosures about Material Weaknesses
4. Impact of a Restatement of Previously Issued Financial Statements on Management’s Report on ICoFR
5. Inability to Assess Certain Aspects of ICoFR

The proposed SEC Rule states that, although there are many different ways to conduct an evaluation of the effectiveness of ICoFR to meet the SOX rule, an evaluation conducted in accordance with the  (above) SEC interpretive guidance would satisfy the annual management evaluation required by those rules.

SEC requests and encourages any interested parties to submit comments on the proposed interpretive guidance by 26-Feb-07. I expect ASQ will contribute comments on behalf of its members.  As the proposed guidance and rule will make it easier for quality and environmental managers, engineering, and auditors to assist their management in assessing ICoFR.

1. Focus the Internal Control Audit on the Most Important Matters
2. Eliminate Procedures that Are Unnecessary to Achieve the Intended Benefits
3. Incorporate Guidance on Efficiency
4. Provide Explicit and Practical Guidance on Scaling the Audit to Fit the Size and Complexity of the Company
5. A Simplified Standard

These same goals are also relevant and reasonable for quality and environmental auditors using ISO 19011.

Another Sen. Dodd comment: “Sarbanes-Oxley had gone far to promote better corporate governance and transparency. I’ve always felt that the most important thing you have to worry about is investor confidence. I have no obligation whatsoever to guarantee that you’re going to make sure that you are going to make money on your investment. But I feel a very strong obligation that you didn’t lose it because the system broke down. That to me is going to be very important when I listen to these arguments.”

This author is in agreement with the Senator comments as I believe both SEC & PCAOB can revise their Rules and Guidance to influence companies and auditors behavior change towards the spirit of the SOX law.  From a company’s Operations point of view, who would not want better transparency and stability and the competence in the system.

·         Expanding notions of Quality Assurance into Quality Management

·         Alignment of ISO 9001 to Internal Control by COSO

Jeff pointed out that while SEC has been focused on the external audit community (including the Big Four), with the result that their interpretation and rules, including AS2, are the problem for business. The SEC is missing the boat by not including experts from Risk Management, Quality Management, and IT. SEC has just announced a meeting on Dec 13^th to review industry comments on Management Reports on ICoFR.

IMA is trying to influence the SEC to move attention to company management who are in the best position to build good and reliable business processes with appropriate business and financial controls. The SEC objective should be to build in quality, rather than test in quality. The IMA focus includes a Residual Risk (RR) approach which is more operational than strictly financial.  RR requires data analysis and quality improvement tools for management review and actions. RR tools include self-assessments which are needed to balance the formal auditing techniques.

Jeff & Sal will have other discussions on joint activities such as marketing, conferences, webinars, and certification.

The forty plus attendees had the advantage of picking and choosing their preferred combination of 1, 2, or all 3 tracks.  The web enabled service allowed the twelve speakers to broadcast and answer attendee’s questions both in real-time and at the end with live discussions.  The benefit to the speakers is their presentations can be replayed to other audiences. Of course the real benefit was the attendee’s reduce conference fees and lack of travel expenses.

This new type of educational interaction is important for newly formed networks and forums that lack a dedicated set of experienced volunteers who normally manage face-to-face ASQ conferences.