Mitigate SOX Risk With ISO 9001 and 14001
by Sandford Liebesman
The CEO and CFO of your company face risks every day. Of course, there are always the financial and competitive risks. But now, because of the Sarbanes-Oxley Act (SOX), those officers must certify their company’s financial statements and the effectiveness of the system of internal controls mandated by the act each year.
In the past, top executives could claim ignorance of their organizations’ operational failures. This no longer holds. Now lack of knowledge of problems is not an excuse, and top management is now risking civil and criminal penalties.1
In October 2003, the SOX-Q/E Team was formed to identify how ISO 9001:20002 and ISO 14001:19963 can be used to reduce the risk CEOs, CFOs and the members of boards of directors face when attempting to comply with SOX. In fact, any comprehensive quality management system (QMS) and environmental management system (EMS), such as the Malcolm Baldrige National Quality Award criteria, can be used in place of the ISO standards.
SOX mandates a system of internal controls to manage risk in an organization. A system published by the Committee of Sponsoring Organi-zations of the Treadway Commission (COSO) in 1992 provides the basis for internal controls used by many organizations.4 This system is the foundation for good governance that preceded SOX. There are five components of the COSO internal controls:
- Control environment.
- Information and communication.
- Risk management.
- Control activities.
A comparison of these components of
COSO internal controls with re-quirements of ISO 9001 and ISO 14001 is enlightening
(see Table 1, p. 92).
The control environment must set the tone of an organization and form the foundation of the guidelines that provide discipline and structure. It includes the way management assigns authority and responsibility and how it organizes and develops its people.
ISO 9001 and ISO 14001 require identification of an organization’s processes and their sequence and interaction and the definition of quality and environmental policies. Further, ISO 9001 requires the establishment of quality objectives, and ISO 14001 requires definition of environmental objectives and targets. Both standards also require control of documents and records and say personnel must be “competent based on education, training, skills and experience.”
Information and Communication
To satisfy COSO, information must be identified, captured and communicated so people can carry out their responsibilities. Effective communication also must occur in a broader sense, flowing down, across and up the organization. All personnel must receive a clear message from top management that control responsibilities must be taken seriously.
ISO 9001 and ISO 14001 are used to enhance the decision making process and manage the operations through information and communication within the organization. Both standards require communication with customers and suppliers.
Risks must be identified, analyzed and managed. Key inputs are internally consistent corporate objectives linked at different levels. Because economic, industry, regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change.
The data obtained in ISO 9001 as a result of process and product measurements can be used in risk assessment and continual improvement. ISO 9001 requires analysis of these data, turning them into information that can be used to identify risks to the organization. The standard also requires trend analysis, which is a good predictor of developing problems. These activities are all reviewed by top management in the management review process.
ISO 14001 requires identification of environmental aspects that can interact with the environment and the operations and activities associated with significant aspects. Again, we have an early warning tool that can be used to identify impending risk.
Monitoring requires assessing the quality of system performance over time. This is done through periodic assessments and continual monitoring of processes. Monitoring covers regular management and supervisory activities and includes review of other actions personnel take in performing their duties.
ISO 9001 requires monitoring and measuring processes and products. The raw data obtained may provide the first warnings of impending problems. Another monitoring activity, measurement and analysis of customer satisfaction in ISO 9001, is also a tool for early warning of organizational concerns. Implementing ISO 9001 turns these data into information. ISO 14001 requires monitoring and measurement of key characteristics of operations and activities that may result in significant environmental impacts.
Control activities are the actions taken to address risk and achieve the objectives of the corporation. Control activities occur throughout the organization, at all levels and in all functions.
In ISO 9001, the key to controlling the health of an organization is the improvement loop. As part of the loop, ISO 9001 requires documented procedures to define corrective and preventive actions. Both activities provide methodologies to manage or eliminate risks to the organization. One source of corrective actions is the requirement to implement a documented procedure for internal audits and provide follow-up activities through corrective actions.
ISO 14001 requires taking corrective and preventive actions to mitigate impacts and reduce environmental risk. In addition, ISO 14001 requires management of nonconformances by taking corrective and preventive actions to reduce impacts. For both EMSs and QMSs, the result is improved alignment of the organization with basic corporate objectives.
Top management asserts control of risk through the management review process in ISO 9001 and ISO 14001. Review meetings are used to pull together the key bits of information and actions used to set the direction of the organization and to implement risk reduction activities.
Auditing To Add Value
The main goal of internal audits is to provide top management and the board of directors with an accurate understanding of the organization’s financial and operational status. Combining QMS and EMS tools with the financial auditing functions and procedures will result in more effective audits and increase the understanding of the material nonfinancial information of the organization.5
Two of the many values of ISO 9001 and ISO 14001 are the process approach and continual improvement. Many organizations extend the process approach to a set of process audits, which is an effective means of evaluating the status of the organization and managing the risks it faces.
Prevent Instead of Correct
Three goals of corporate governance are management of risk, effective process management and continual improvement of company performance. Boards of directors should move corporate mentality from correcting problems to preventing them. QMS and EMS practitioners must make their capabilities known to top management. We suggest developing an elevator speech such as the following:
I am familiar with the Sarbanes-Oxley Act and the need to better identify and manage risk. Quality and environmental management systems are tools that can help with risk management. Our processes link directly to the system of internal controls mandated by the act. I’d like the opportunity to show you how I can help.
Be at the table when the internal financial auditors develop their reports for top management and the board of directors. You’ll be able to help your organization reduce risk, expand information for top management decisions and satisfy the requirements of SOX.
REFERENCES AND NOTES
- The penalties can be as large as $5 million and 20 years in jail.
- ISO 9001:2000: Quality Management Systems—Requirements, International Organiza-tion for Standardization, 2000.
- ISO 14001:2004: Environmental Management Systems—Requirements With Guidance for Use, International Organization for Standardization, 2004.
- Internal Control—Integrated Framework, Evaluation Tools, the Committee of Sponsoring Organizations of the Treadway Commission, September 1992.
- As defined by the Securities and Exchange Commission, disclosure controls and procedures apply to material financial and nonfinancial information required to be included in public reports: Guide to the Sarbanes-Oxley Act: Internal Control Reporting Requirements, third edition, Frequently Asked Questions Regarding Section 404, Protivity, p. 11, www.protivity.com.
SANDFORD LIEBESMAN has more than 30 years’ experience in quality at Bell Laboratories, Lucent Technologies and Bellcore (Telcordia) and is currently a quality management system consultant with the Kohl Group and an auditor with KEMA Registered Quality. He is the author of TL 9000, Release 3.0: A Guide To Measuring Excellence in Telecommunications, second edition, and Using ISO 9000 To Improve Business Processes. Liebesman is a member of ISO Technical Committee 176 and the ANSI Z-1 Committee on Quality Assurance. He is certified by RABQSA as an ISO 9000 lead auditor.