by Maureen McAllister
Who will stand out as this year’s corporate heroes? Strong contenders are those quality assurance managers who help their companies demonstrate compliance with requirements of the Sarbanes-Oxley Act of 2002. Among its financial oversight and whistle-blowing provisions, the statute requires publicly traded companies to institute internal controls that help ensure that financial data are accurate and credible. A company’s management must attest to the appropriateness of these controls and acknowledge any material weaknesses that might affect the financial data presented. It also puts the burden on independent auditors who audit these organizations, so that incorrect or misleading information is not passed along to the public. Given the pivotal role quality assurance departments play in shepherding their firms through the ISO 9001 or ISO 14001 registration process, they are the obvious ones to help marshal existing activities in support of SOx compliance. They can help avoid unnecessary SOx “overhead” and costly duplication of effort because many ISO 9001 registration activities provide objective evidence of sound internal controls--controls related to financial data.
ISO 9001-based quality management systems provide evidence--via procedures, methods, audits, and records--that transactions and reviews are conducted according to plan. Such systems also help identify and manage various risks that can negatively affect a company’s financial position and related financial reports. The data required to maintain registration to ISO 9001 or ISO 14001 can offer valuable evidence in support of SOx compliance--but only if quality managers, chief financial officers and others in management realize the connection.
SOx compliance requires top management of publicly traded companies to develop, and report on, internal controls. Management must review and analyze accounting figures and operational data for irregularities, and assess the systems and controls that generate these figures and data. Management must state whether any material weaknesses exist in the data and systems that might compromise the organization’s financial statements.
SOx section 404 imposes specific requirements for internal controls and procedures surrounding financial reporting. An organization’s top management is responsible for assessing the effectiveness of these controls and procedures. Other requirements also apply; section 302, for example, states that compliance reporting must include information of a nonfinancial nature that would “… provide investors with a materially accurate and complete picture” of the operation. The Public Company Accounting Oversight Board has broad new powers to enforce SOx requirements, and companies that must meet these significant new responsibilities are searching for effective compliance tools.
Enforcing SOx compliance typically means implementing procedures and controls so that financial and other data have credibility--a process monitored by management. Operational audits often are used as additional verification. In contrast to financial audits, operational audits focus on day-to-day activities and ensure that planned methods and disciplines are effective. Management will have greater confidence in financial data, as well as risk and/or materiality assessments, if the activities that generate this information are done according to procedure.
For larger organizations, SOx compliance means “rolling up” through the corporate chain attestations from individual divisions and operations. Top management will seek not only attestations from divisional managers but also documented proof about the attestations and underlying controls.
ISO 9001 and ISO 14001 are natural vehicles to help achieve and sustain SOx compliance. To understand the connection between ISO standards and SOx requirements, we’ll look at the macro-level similarities and some examples. (See figure below.)
The most obvious common feature between SOx and ISO systems is the extent of management responsibility and involvement. Both require top management’s active involvement in their firms’ systems and procedures. For SOx compliance, this means ensuring accurate and complete financial data reporting; for ISO 9001 and similar standards, it means ensuring that management systems meet customer, regulatory and other requirements. In all cases, the level and intensity of management involvement provides the foundation for compliance.
There are five components for assessing internal controls as required by the statute’s section 404. These are identified in the Internal Control-Integrated Framework report developed by the Treadway Commission’s Committee of Sponsoring Organizations (see www.cpa2biz.com). The components are:
Information and communications
Compliance with ISO standards contributes, in some measure, to all five components of internal controls. For example, ISO 9001 emphasizes the importance of clearly understanding and communicating customer and regulatory requirements, and ensuring that this information is shared by everyone involved in meeting those requirements. ISO 9001 also emphasizes monitoring product, processes and environmental controls. Risk assessment is a factor for both ISO 9001 and ISO 14001 compliance. For ISO 9001, planning for the quality system and the products it produces necessarily involves risk assessment. For ISO 14001, an organization must specifically identify environmental aspects and proactively minimize potential risks. In addition, the control environment is directly affected by ISO standards. The culture that contributes to ISO compliance also lends credibility to SOx’s section 404 assessments and attestations.
The specific ISO requirements that best support SOx compliance vary. Management and accounting professionals must consider their individual business circumstances to determine if and how ISO requirements can help support SOx compliance--and, perhaps, vice versa.
ISO 9001 focuses on meeting customer requirements and the processes enabling that. It defines, monitors and ensures that these processes operate effectively. Regulatory, internal and other requirements related to the products and services offered must also be met. If the processes are effectively executed according to management’s plan, then it’s more likely they’ll meet all requirements. Management periodically reviews performance data and results to help ensure that the quality management system achieves its objectives.
ISO 14001 focuses on pollution prevention and compliance with regulatory requirements. Although it appears more narrowly focused than ISO 9001, ISO 14001 includes the broader community, shareholders and others whose interests and concerns must be considered. An organization must identify environmental impacts through a planning process that includes monitoring and controlling the most critical effects.
There are many parallel requirements in ISO 9001 and ISO 14001. These requirements focus on the procedures and controls appropriate for an ISO 9001 or ISO 14001-compliant system. Here we’ll consider some specific similarities. Because self-checkups are an inherent part of compliance with ISO standards and SOx, we also give examples of internal audit questions, the answers to which can provide evidence for ISO standards and SOx compliance.
Planning. ISO 9001 requires planning at both the business level (section 5.4) and product level (sections 7.1, 7.2 and 7.3). ISO 14001 requires planning activities that include identifying environmental impacts and related regulatory requirements, establishing improvement goals and developing plans for achieving them (section 4.3). The planning process and its results provide evidence of a controlled environment in which duties and responsibilities are defined, and results compared against plans and projections.
Monitoring and measuring. ISO 9001 section 8.2.3 requires monitoring and/or measuring key business processes (e.g., quoting customer requirements, purchasing and supplier management, and manufacturing). ISO 14001 section 4.5.1 requires monitoring and measuring the controls related to significant environmental impacts. Because of the attention and visibility of performance measures in an ISO 9001 or ISO 14001-compliant system, costs and other related data accumulated under it are more likely to be accurate and complete.
Business transactions. ISO 9001 compliance demands that essential business transactions (e.g., customer order reviews, purchasing, receipts and disbursements of inventory) are controlled. These transactional controls are basic in a SOx-compliant environment. ISO 9001 section 7.4 requires a review of purchasing data before it is issued to the supplier. Typically, this means that sign-offs or other approval methods help ensure that the proper items, correctly priced, are ordered from qualified suppliers. ISO 14001 section 4.4.6-c requires that purchased goods and services be controlled from an environmental-compliance perspective.
Document control. Document control requirements can help provide evidence of an adequate control environment throughout the business. ISO 9001 section 4.2.3 requires that an organization define how standard operating procedures and control instructions are properly authorized, issued and revised. Current documents must also be maintained at the appropriate points of use and accessible to those performing work and accumulating data. ISO 14001 section 4.4.5 has similar requirements.
Record keeping. Records (i.e., evidence that required activities are being performed and their results) must be kept. Specific controls are documented in a procedure that defines methods of record identification, storage, protection, retrieval, retention and disposition. This procedure should include safeguards (e.g., passwords, backup and other security routines) for electronic records. (See ISO 9001 section 4.2.4 and ISO 14001 section 4.5.3.) Record control requirements make it more likely that resulting data are retained, safeguarded against unauthorized changes and available when needed.
Policy and objectives. A company registered to ISO 9001 or ISO 14001 must define its policy and objectives relative to quality (ISO 9001) and/or the environment (ISO 14001). In addition, management is responsible for communicating these objectives throughout the organization so that individual employees are aware of how their duties affect the objectives and the metrics within their control. (See ISO 9001 sections 5.3, 5.4.1 and 5.5.3, and ISO 14001 sections 4.3.3 and 4.4.3.) Creating a culture of communication and information-sharing supports the notion of control. Employees who are aware of their responsibilities relative to business and environmental objectives can more appropriately report data and concerns to top management.
Management review. Top management is also responsible for periodically assessing the system’s effectiveness. This review is a fact-based assessment that includes the results of operating control systems, such as process performance monitoring, corrective action and internal audits. This activity could be expanded to include financial control issues. Even without these, internal audit results might indicate if transactional weaknesses exist. (See ISO 9001 section 5.6.1 and ISO 14001 section 4.6.)
Effect of changes. Companies registered to ISO 9001 or ISO 14001 must consciously consider and evaluate the effect of changes on their quality and/or environmental systems. (See ISO 9001 section 5.4.2 and ISO 14001 sections 4.3.4 and 4.6.) This is specifically a top management responsibility. Items such as pending environmental litigation or key personnel changes would be logical topics for management review and disclosure, if material.
Corrective action. ISO 9001 or ISO 14001-compliant companies are required to maintain formal corrective and preventive action systems, i.e., structured problem-solving methods that emphasize root cause analysis and preventing problem occurrence or recurrence. (See ISO 9001 sections 8.5.2 and 8.5.3, and ISO 14001 section 4.5.2.) Any deficiencies discovered (e.g., an internal audit nonconformance or customer complaint) are addressed using these systems and include management oversight through review.
Internal auditing. Internal auditing is an important part of compliance under both ISO 9001 and ISO 14001. This is not financial auditing, nor is it concerned with internal controls over financial data. Internal auditing focuses on how effective processes are in achieving planned results, consistent with all requirements. It involves reviewing transactions and processes, including how customer orders are reviewed and processed, and measures such as the cost of poor quality (e.g., costs associated with goods returned from customers, scrap and rework) that can and should tie to financial data. ISO standards audits address such performance metrics, issues related to the control environment (i.e., the extent to which procedures are being followed and records kept) and communication and information. This information can be used to assess the overall control environment.
Internal auditors can’t audit their own activities, but they usually bring a different perspective when auditing outside their own areas of responsibility. This contributes to impartiality and can provide support for third-party audit results.
This list of ISO standards requirements isn’t exhaustive. There are others (e.g., controlling nonconforming product such as scrap and rework) that may be important in a given organization. These types of controls can affect data that end up on income statements as expenses, or on balance sheets as inventory valuation.
Registration to an ISO standard doesn’t make a firm SOx-compliant. ISO 9001 and ISO 14001 are not financially focused. However, their systems, procedures and practices offer a ready-made platform to help demonstrate SOx compliance. ISO standards provide a vehicle for ongoing risk assessment and management. Their internal auditing requirements back up these procedures and assessments with cross checks that ensure proper practices are actually being followed. These standards can put some real teeth into SOx-required attestations about internal controls.
Maureen McAllister is a CPA and consulting engineer with McAllister Consulting LLC, located in suburban Chicago. Her consulting practice focuses on compliance as well as aligning and integrating compliance activities with other business priorities (e.g., lean manufacturing, supply chain management, etc.). She gratefully acknowledges the assistance of Christopher Knowles, Gary LaPorta and John Straebel in preparing this article. Contact McAllister at www.mcallister-consulting.com, www.ISOx.org or (630) 377-7300. ISOx is a registered service mark of McAllister Consulting LLC.