QMSs and EMSs Support Financial Management Systems
by Sandford Liebesman
The Sarbanes-Oxley Act (SOX) was adopted in 2002 in response to scandals, such as the ones at Enron and WorldCom, and other misuse of corporate resources. In 2003, Paul Palmes and I started an effort to integrate quality and environmental management systems (QMSs and EMSs) with financial management systems.
Quality Progress published an article in which we challenged the quality community to get involved with our efforts.1 Since then, a team called the SOX_Q/E team (the SOX team) has been formed to support the integration effort.
The SOX team has presented three workshops and has three more scheduled. We have also conducted a webinar, a two-day conference in Philadelphia and a case study conference call. Interest has picked up in the quality community, and we have contacted personnel in the Institute of Internal Auditors and the American Institute of Certified Public Accountants.
In September 2005, QP published my standards column describing the relationship between ISO 9001 and ISO 14001 and the basic internal control tool, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) guidance document.2, 3 COSO is used to satisfy the key requirement in section 404 of SOX that the organization have an effective system of internal control.
Key Sections of SOX
Besides 404, there are a number of sections of SOX that can be supported by ISO 9001 and ISO 14001. The key ones are described below.
Title 1 sets up the Public Company Accounting Oversight Board (PCAOB). Section 103 of Title 1 describes the responsibilities of the PCAOB: to register public accounting firms, establish auditing standards, inspect accounting firms, conduct investigations and disciplinary proceedings and impose appropriate sanctions, and enforce compliance with the act.
Section 302 establishes corporate responsibility for certifying financial reports. This covers the quarterly (10-Q) and annual (10-K) financial reports. CEOs and CFOs must certify the accuracy of financial reports and the effectiveness of disclosure controls and procedures.
Section 404 requires management of public companies to assess the effectiveness of the internal controls. The external auditor must audit the internal controls in addition to the financial statements. This is where the majority of cost to the firm occurs, because the external auditors require extensive documentation as part of their audits.
Section 409 requires real-time disclosures to the public of events that might have a material effect on the financial condition or operations of the company. It is intended to protect investors in real time. Since these events will most likely occur in the operations of the organization, QMSs and EMSs are well positioned to support this section.
Section 802 provides criminal penalties and fines for altering documents. It also requires accountants to maintain their audit records for five years. This requirement has caused IT organizations to develop tools to protect data from unauthorized changes.
Section 806 requires protection for whistle blowers from threats, suspension, discharge, demotion and other punishments for providing information about questionable company actions.
Section 906 states the requirements for certifying periodic reports and provides criminal penalties up to $5 million and 20 years in jail for false certifications.
Case Study Questionnaire
It was clear to the SOX team that QMSs and EMSs can provide help to satisfy more than just section 404. To obtain information on this support, the team developed a questionnaire that was completed by eight case study organizations.
- Otter Tail Corp., an energy and healthcare provider and manufacturing conglomerate.
- Nordham Group, an aerospace supplier.
- Intrado Inc., a provider of 911 services.
- StonCor, a leading corrosion protection company.
- Communication Test Design Inc., a leading telecommunication equipment repair company.
- International Gaming Technology, a supplier of services and equipment to casinos.
- Linear Technologies, a manufacturer of high performance analog integrated circuits.
- NVE Corp., a manufacturer of magnetic integrated circuits.
The questionnaire consisted of five key areas in which these organizations’ QMSs can support internal financial auditors (IFAs) in complying with SOX:
- Supporting financial operations and controls.
- Training the IFAs to use quality tools.
- Supporting the risk management process.
- Supporting the auditing process.
- Developing business process measures.
Detailed results are shown in Table 1. Here are
Supporting financial operations and controls. The participants identified value adding improvements and reduction in the cost of operations. They also identified nonvalue adding activities and costs that were eliminated by the organizations.
The QMS was a source of early identification of risks and corrective and preventive actions that help the bottom line. It supported financial processes such as bids, settlements, mergers and acquisitions and revenue recognition. Processes familiar to QMS and EMS managers, such as shipping, receiving, dealing with nonconforming product, inventory control and customer focus were sources of valuable inputs to SOX compliance.
Training the IFAs to use quality tools. The quality and HR organizations provided training in process structure, mapping business processes to the system of internal controls and measuring and auditing these processes.
Part of the training effort consisted of identifying the steps in the product or service realization process. This helped expand the financial auditors’ view of the organizations’ operations. Some of the training was given via the organizations’ intranets, which were especially valuable to top management with time constraints.
Supporting the risk management process. Quality personnel helped plan the risk management process. This included early identification of risks and identification of operational nonconformities and their corrections.
Regular internal audits provided valuable information in early risk identification. The management review was extended to include risk management.
Supporting the auditing process. The quality management department or function led a focus on process audits and the use of risk management indicators. Key elements of the auditing process are identification of nonconformities, determining root causes, corrective actions (CA) and documentation of CA verifications.
The audit results supported testing of internal controls and validation of product and process performance measures. Results strengthened alignment of marketing and sales.
Some organizations consolidated their audit reports to their boards of directors.
Developing business process measures. A key requirement of ISO 9001, measurable objectives, was instituted and used in process and product (or service) improvement. Objectives are an important part of the ISO 9001 improvement process, which also includes the quality policy, audit results, corrective and preventive action and management review. An effective improvement process can provide evidence of what the financial auditors call “tone at the top.”
As part of the questionnaire, we asked the participants for general comments. These were very insightful and added another dimension to understanding the support provided by QMS and EMS personnel.
Creation and testing of the financial processes was part of an improvement process. By eliminating redundant items in the financial processes, significant time was freed up, allowing more time for performing value adding activities. This resulted in streamlining financial reporting and review activities.
One organization spent a lot of time analyzing the shipping process. Data from shipping was a direct input into accounts receivables and revenue recognition. Another organization confirmed that outputs from the customer service and order processes are adequate and effective for the needs of the finance department.
There were a number of inputs related to risk management. Risk management is driven through the product realization process and is product focused. Contract review is important because it focuses on financial risk. Nonconformance issues are documented and placed in the CA system. This is an aid to early identification of risk.
Every step in the product realization process creates a transaction. The advice from one participant was to make sure to identify critical points in each process. This will result in the creation of additional internal controls.
Some advice on auditing came from one organization that formerly had audited each division’s financial controls separately. In the past, the same errors were made in each division. Now the organization audits by process, following the processes from division to division.
Other suggestions on auditing were to cross train quality and financial auditors. IFAs learned operational controls, which resulted in opportunities to improve the bottom line. They also met a major goal: ISO 9001 and SOX tests in one audit.
A final piece of advice was to get a fixed price from the external auditor. A fixed price discourages the auditor from expanding the scope of the audit, reduces the time demanded of the auditee organization and caps the cost of the audit.
Our initial challenge still holds. The quality community needs to get involved in the SOX effort. It’s clear a QMS such as ISO 9001 can be integrated with the financial management system to provide compliance to SOX, improve the organization’s processes, support risk management and create a more effective and efficient internal auditing process.
This is an opportunity for quality professionals to provide value directly to top management and their organizations’ board. The opportunity should not be missed.
1. Sandford Liebesman and Paul Palmes, “Quality’s Path to the Boardroom,” Quality Progress, October 2003, p. 41.
2. Sandford Liebesman, “Mitigate SOX Risk With ISO 9001 and 14001,” Quality Progress, September 2005, p. 91.
3. “Internal Control—Integrated Framework, Evaluation Tools,” Committee of Sponsoring Organizations of the Treadway Commission, September 1993.
SANDFORD LIEBESMAN has more than 30 years’ experience in quality at Bell Laboratories, Lucent Technologies and Bellcore (Telcordia) and is currently a quality management system consultant with the Kohl Group and an auditor with KEMA Registered Quality. He is the author of TL 9000, Release 3.0: A Guide To Measuring Excellence in Telecommunications, second edition, and Using ISO 9000 To Improve Business Processes. Liebesman is a member of ISO Technical Committee 176 and the ANSI Z-1 Committee on Quality Assurance. He is certified by RABQSA as an ISO 9000 lead auditor.