Corporate corruption and investor fraud in recent years have put the spotlight on how public companies report their financial results. The Sarbanes-Oxley (SOx) Act of 2002 now requires publicly traded companies to review and report on their internal controls over financial data in the hope that added attention will help prevent and detect weaknesses. These additional reviews are time-consuming and expensive. Some larger companies already have been through this internal controls assessment and auditing process (referred to as Section 404 compliance) and have complained bitterly about the added burden. Smaller companies are required to comply by 2007 and may feel an even greater expense pinch, given their lower revenues. Clearly, senior management everywhere is looking for ways to fulfill this responsibility in a cost-effective manner. That’s where your quality management system (QMS) can be a real asset.
A QMS such as ISO 9001 can provide objective evidence that an organization is operating with the proper controls, policies, procedures and practices. ISO 9001 gives attention to the operational controls--such as booking customer orders, purchasing raw materials, fulfilling orders, and handling customer returns and complaints--that help ensure customer requirements are met. Those same operational controls are the foundation for much of the organization’s financial data (e.g., inventory, revenue, customer credits and/or allowances). Even ISO 9001’s requirements related to job duties, responsibilities and communications throughout the company contribute to the “control environment” that’s so important for the credibility of financial information.
The article “Leveraging Your ISO 9001 System for Sarbanes-Oxley Compliance” (Quality Digest, February 2005) introduced some of the linkages between ISO 9001 controls and the related operational controls that directly affect financial data. The five key aspects of internal control identified by the accounting community--control environment, risk assessment, control activities, information and communications, and monitoring--align with various operational controls in an ISO 9001 system.
This alignment is a good jumping-off place for using your QMS in support of SOx compliance.
Since its implementation, Section 404 of SOx has received a lot of publicity, not all of it good. In brief, Section 404 requires that management and the public accounting firm that audits the financial statements of a public company perform reviews of internal controls. Both assessments are meant to ensure the reliability of published financial statements by carefully scrutinizing the controls under which those figures were generated. If the controls are properly designed to prevent and detect inaccuracies (including fraud) and are operating effectively, the resulting financial data should be sound.
Although this review seems straightforward, it has resulted in thousands of additional hours of work and millions of extra dollars in cost for many companies. The Securities and Exchange Commission, responsible for implementing SOx, has heard the outcry. In particular, smaller companies have sought relief from the SEC. These companies (which make up 80 percent of all publicly traded companies but only 6 percent of market capitalization in the United States) complained loudly that Section 404 compliance would be too heavy a burden. The SEC is responding with a report due out this month that should help small businesses cope with Section 404 requirements.
The December 2005 preliminary report, issued by one of the SEC’s subcommittees, offers relief to microcap companies (i.e., very small companies with annual revenues of less than $125 million) and small public companies (i.e., those with less than $250 million in annual revenue). One recommendation exempts microcap companies from Section 404 compliance if the company meets certain corporate governance standards. Another recommendation requires small public companies to comply with the management assessment of internal controls under Section 404 but allows them to forego (or curtail) the costly public accounting-firm audit of internal controls. Other disclosure and governance requirements still apply. (See www.sec.gov for specifics and additional conditions.)
Whether or not the SEC accepts the above recommendations, using ISO 9001 requirements might be a cost-effective and value-added way to meet the Section 404 requirement for management assessment of internal controls. It’s also possible to document ISO 9001 evidence of internal controls in such a way that public accounting auditors would be more willing to accept that evidence, rather than perform the same auditing and testing themselves, which is another potential cost savings. Certainly, ISO 9001 documentation could take on additional importance if there’s no separate accounting firm audit of internal controls--one more great reason to use your QMS in this way.
ISO 9001 internal auditing is a good way for a company to connect its QMS with SOx Section 404 activities. There are many other places where these two sets of requirements overlap, but we’ll focus on internal auditing.
A practical way to begin is with your existing ISO 9001 internal audit program. Using the similarities and parallels between ISO 9001 and SOx requirements, expand existing ISO 9001 audits to include more auditing of operational controls and their related financial activities. Undoubtedly you’ll need the assistance of your accounting manager, financial internal auditor and others who’ve been involved with financial-based audits. They’ll know the significant financial accounts, related assertions and control objectives that should be audited and tested.
This expanded ISO 9001 or integrated-audit approach to Section 404 compliance can be as expansive or as limited as management’s comfort level dictates. Typically, it involves an ISO 9001 audit of a particular process (e.g., the materials management process) involving related ISO 9001 requirements (e.g., ISO 9001, “Section 7.4--Purchasing”). The accounting profession often uses the “walk-through” approach, which is similar to when an ISO 9001 auditor starts with a customer event (e.g., a quotation), and follows that flow of activity all the way through to product shipping. During an integrated audit, the auditing would continue forward into invoicing and the application of cash received to the open receivable; then backward, examining the controls over customer master setup, commercial terms, credit limits and other, more financially oriented controls. Even if your QMS audits aren’t presently structured in this way, you might want to try this approach. The financial people may also want you to incorporate formal sample-size testing of certain transactions (e.g., samples of customer orders booked, inventory transactions, etc.).
As an example, suppose you’re auditing ISO 9001, “Section 7.4--Purchasing” in one or several of your defined processes. A typical walk-through sequence:
• Purchase requirements definition
• Request for quotes from potential suppliers
• Controls over supplier selection
• Vendor master setup and controls
• Item master setup and controls
• Purchase order approval and placement
• Acknowledgement activity
• Revision and/or update of purchase orders
• Purchased materials receipt
• Supplier performance evaluation
• Approvals to pay
• Payment--application of cash and relieving the payable
As you audit the process, you’ll audit both internal controls and Section 7.4 requirements, along with other ISO 9001 requirements that apply (e.g., “Section 4.2.3--Document control,” “Section 4.2.4--Records control” and “Section 6.2--Employee competency”).
The financial people might ask you to look at these related transactions for adherence to applicable policies and procedures. Most companies had accounting processes and procedures in place long before they had ISO 9001 systems.
Keep in mind that the control objectives related to financial accounts and assertions parallel the ISO 9001 “shalls.” Your financial people should identify these control objectives. For example, if the raw materials inventory account is to be accurately valued, then items received must be booked at the correct quantity and value. The financial manager might ask you to verify the receiving activities as usual, but perhaps with increased auditing of the actual data entry from the receiving tickets or weigh tags, as well as the training and competency of those generating, reviewing and entering this information.
One way to help your ISO 9001 internal auditors execute an integrated audit is to provide some sample audit questions. This gives them a better sense of how to carry their normal QMS auditing farther to reach the financial transactions related to the ISO 9001 operational controls. These audit questions should also help auditors stay focused on the five aspects of internal control as they relate to the topics and/or the process being audited.
The sample audit questions below are identified with specific sections of ISO 9001.
Sections 7.1, 7.3, 5.4.2--Planning
• At the product planning level, do the planning data (e.g., feasibility reviews, project milestones, failure mode and effects analysis) show that risks are being assessed as new products and production processes are being planned? Are risks with direct financial implications (e.g., regulatory safety issues, effect on cost of goods sold) being carried over into business planning and budgeting activities?
• At the business level, does management identify anticipated changes in products, processes and key personnel in a way that minimizes the risk associated with a major change (e.g., a change in CAD/CAM software that could affect research and development expenses and, ultimately, production costs)?
Section 7.4--Purchasing
• Look at a sampling (specify sample size for each category) of purchase orders for raw materials, subcontracted services and capital equipment. Look for evidence that those purchase orders were issued to approved and/or qualified suppliers. Ensure the vendor master information was entered with the proper approvals and purchase amount limits. Look for evidence of an adequacy review of purchase information, including information of a commercial nature such as terms and freight on board (FOB). Look for approval or signatures by authorized parties and trace back the authorization to a policy, electronic control, etc.
• Walk these transactions through to accounts payable, vouching, payment, relief of accounts payable and handling of any associated debits (e.g., for product returned to a supplier).
Section 8.3--Nonconforming product
• Start with the documented ISO 9001 procedure for controlling defective or suspect goods. Ensure the procedure reflects controls in the corresponding accounting and/or financial standard operating procedure as it relates to generating debits, authorizations for scrapping, recovering money from recycling or scrap sales, controls over rework expense and writing off disposals.
• Track the flow of nonconforming product (NCP) produced in-house. Walk through the process from the moment the NCP was recognized as defective (or suspect) through the steps of review, disposition, and communications to others (e.g., accounting, purchasing, etc.) and actual disposition. Track both the physical steps and the related data entry. Do the data (e.g., discrepant material report, return material authorization, scrapping ticket and debit to supplier) show proper authorizations? Does the paper trail correspond to physical disposition? Are there appropriate adjustments out of inventory?
Sections 5.3, 5.4.1, 5.5.1, 5.5.3--Communications throughout the organization
Ask a variety of employees about the company policies and procedures, including their own job descriptions. Does each understand how his or her job relates to achieving policy and objectives? Is each aware of the procedures in his or her area? Are there communications avenues (e.g., a formal corrective action system) where departures from procedure or other discrepancies can be reported? Can these employees describe what they’re supposed to do if there is some problem that prevents them from properly completing their assigned tasks? In summary, does there seem to be a “control environment” where tasks are performed with the proper discipline?
Section 8.5.2--Corrective action
Review the written procedure on corrective action. Does the corrective action system span the breadth of the company and include all who should know of it (especially those outside of quality assurance)? Do appropriate events that trigger financial transactions (e.g., a credit to a customer for an overshipment) also trigger a review for possible internal corrective action (e.g., Why the overshipment? What happened in order entry, inventory or on the shipping dock to allow an overshipment?)?
Sections 4.1, 8.2.3--Monitoring and measurement of processes
Take each business process as described in your process sequence and interaction. Where appropriate, link each business process or measure to applicable financial monitoring and/or measurement. For example, if order fulfillment (i.e., the production and shipment of product to customers) is a process, look for ways the process is monitored to ensure that:
• Shipments leave on time (per customer request).
• Shipments trigger timely invoicing.
• Invoicing occurs only for items and/or quantities actually shipped.
• Methods for handling returned merchandise and/or rejected goods are followed, including proper authorizations, credits to customers, and debits to carriers for transit damage.
• Existing monitoring and measurement tools deliver accurate signals to management about the performance of this process, including activities with financial implications.
The audit findings feed into ISO 9001 management review. SOx Section 404 findings might go to the chief financial officer (CFO) first because the implications of deficiencies and weaknesses are different than with ISO 9001. The CFO will also address the various nonoperational controls and/or activities that are part of a SOx Section 404 review. The specifics of how integrated audit findings are handled will vary from one organization to the next.
The integrated audit approach can be the next step your company takes toward SOx Section 404 compliance. Most small businesses have until the first fiscal year ending after July 15, 2007, to show compliance with Section 404. However, that means the controls probably need to be in place in 2006, so now is the time to start maximizing the return on your ISO 9001 investment.
Maureen McAllister is a CPA and a consulting engineer with McAllister Consulting LLC, located in suburban Chicago. The firm’s clients range from major manufacturers to advertising, logistics and other service-sector firms. Typical consulting engagements include ISOx--their integrated ISO-SOx Section 404 audit program--ISO 9001, ISO/TS 16949, ISO 14001, ISO 18001, ISO 27001 and AS9001 preparation assistance; cost reduction; offshore sourcing; and lean manufacturing programs. Visit the company’s Web sites at www.ISOx.org or www.mcallister-consulting.com. ISOx is a registered service mark of McAllister Consulting LLC.