The Missing Link
The case for connecting quality, finance departments
by Sandford Liebesman
In most organizations, quality and finance behave like independent silos, resulting in excessive costs and unhappy customers and investors.[1] But quality managers must understand finance and how quality can affect the bottom line, and financial managers must know how quality can improve results.
While writing my new book,[2] it became clear that organizations that link quality and finance are better positioned to improve their bottom lines, and ISO 9001:2008 is the best tool for communicating the capabilities of effective quality management systems (QMS).
First things first
One chapter of the book includes two questionnaires that were issued to organizations that linked their management systems to finance and were used to gather information about their strategies. The first questionnaire (see Online Table 1) focused on interaction between quality management and internal financial auditors (IFAs) in support of five key areas:
1. Supporting business process operations. The participants identified value-adding improvements and reductions in operational costs, as well as nonvalue-adding activities and costs that were subsequently eliminated.
The activities supported financial processes, such as bids, settlements, mergers, acquisitions and revenue recognition. Processes familiar to QMS and environmental management system managers—such as shipping, receiving, nonconforming product, inventory control and customer focus—were sources of valuable inputs to Sarbanes-Oxley Act (SOX) compliance.
2. Training IFAs to use quality tools. The quality and HR organizations provided training to financial personnel in process structure, mapping business processes to the system of internal controls, and measuring and auditing these processes. Part of the training effort consisted of identifying the steps in the product or service realization process.
3. Supporting the risk management process. Quality personnel helped plan the risk management process. This included early identification of risks and operational nonconformities, plus their corrections. The QMS was a means of identifying risk, and corrective and preventive actions (CAPAs) that helped the bottom line. Regular internal audits provided valuable information in early risk identification. Management review was extended to include risk management.
4. Supporting the auditing process. Quality management led a focus on process audits and the use of risk management indicators. Key elements of the auditing process were identification of nonconformities, determination of root causes, identification of corrective actions (CA) and documentation of CA verifications.
The audit results were used to support testing of internal controls and validation of product and process performance measures. Results strengthened alignment of marketing and sales. Some organizations consolidated the audit reports sent to their boards of directors.
5. Developing business process measures. A key requirement of ISO 9001—measurable objectives—was instituted and used in process and product or service improvement. Objectives are an important part of the ISO 9001 improvement process, which also includes the quality policy, audit results, analysis of data, CAPA and management review. An effective improvement process can provide evidence of what the financial auditors call "tone at the top."
On second thought
The second questionnaire (see Online Table 2) gathered information on direct links between management systems through key shared quality procedures. This was used to gather feedback from six organizations that linked their management systems.
In one organization, creating and testing financial processes were part of an improvement process. By eliminating redundant items in the financial and quality processes, the organizations freed up time for performing value-adding activities. This resulted in streamlined financial reporting and review activities.
Another organization spent a lot of time analyzing its shipping process. Data from shipping were a direct input into accounts receivable and revenue recognition. Another organization confirmed that outputs from the customer service and order processes were adequate and effective for the needs of the finance department.
There were several inputs related to risk management. In one organization, risk management was driven through the product realization process and was product focused. Contract review was important because it focused on financial risk. Nonconformance issues were documented and placed in the CA system, aiding early risk identification.
Every step in the product realization process creates a transaction. One participant’s advice was to identify and create controls for each critical point in each process.
Some advice on auditing came from one organization that formerly had audited each division’s financial controls separately. In the past, the same errors had been made in each division. Now, the organization audits by process, following processes from division to division.
Other auditing suggestions were to cross-train quality and financial auditors. Internal financial auditors learned operational controls, which resulted in opportunities to improve the bottom line. They also met a major goal: ISO 9001 and SOX tests of controls were verified in one audit.
ISO 9001 clauses were paired with guidance from the Committee of Sponsoring Organizations of the Treadway Commission (COSO), and financial checklists were developed to audit COSO guidance. Training was provided for measuring and auditing internal controls. This included how to link findings to internal control, thus ensuring compliance to requirements and data security. Both sets of auditors were trained in process audits. This enabled the effective auditing of processes across divisions.
Linking quality and financial management systems and their associated audits is an opportunity for quality professionals to provide value to top management and boards of directors. It’s also an opportunity for quality and financial professionals to learn about the other’s activities and language, and the benefits of working together.
The survey of the six organizations revealed six areas worth examining:
1. ISO 9001 processes. All six organizations are registered to ISO 9001:2008. Five use the ISO 9001 document control procedure, and four use the ISO 9001 records control procedures for all management systems. The largest organization has separate document control and records control procedures for each division. The smallest organization has a separate record control system for finance.
Five organizations use the ISO 9001:2008 preventive action, CA and internal audit procedures for all management systems. The largest organization has separate procedures for each division. Four use a combined management review process, but the smallest and largest have separate management reviews for quality and finance.
2. Risk management. All of the organizations have a risk management process. The largest organization is the only one that does not use risk tolerance definitions, while the smallest one sets risk limits and goals as its definition of risk tolerance.
The risk management tools most often cited were the risk level matrix, risk control matrix, failure mode and effects analysis, and management review. Three organizations either use or are implementing enterprise risk management procedures.
3. Key controls. The number of key controls varies from 19 for the smallest organization to 186 for the largest. Examples of these controls are accounts receivable, accounts payable, payroll, inventory, internal auditing, CAPA and IT controls. The organizations track inventory variances of raw materials and finished goods.
4. IT controls. All six organizations have formal systems of IT controls, including access control, records, transactions, journal entries, document control and internal IT audits. Two organizations use control objectives for information and related technology as a basis for their IT controls.
5. SOX compliance. Four organizations are SOX compliant, but the other two, as private companies, are not required to comply with SOX and have no plans to do so. The SOX compliance effort in two organizations is led by the director of corporate compliance and the quality corporate auditor, while the CFO is the leader in the other two organizations. The SOX audit team varies in makeup and is generally led by quality personnel.
6. Cost reduction. The cost of SOX compliance was reduced year after year, with the two smallest organizations cutting their costs by 50% after the third year. The cost of compliance in the third year for the two smallest organizations was $22,000 and $60,000, respectively. The other organizations declined to provide cost information.
Key changes made during years two and three contributed to improvements in the four public companies:
- Better control of computer access.
- Tighter controls and more audit activity.
- Increased effectiveness due to learning and improved process definitions.
- Improved internal auditor understanding of the requirements.
- Combining of accounts receivable and revenue recognition into one process.
- Better-defined processes.
- Improved understanding of competence, awareness and training.
A little understanding
Linking financial and quality management gives financial managers a better understanding of operations and provides a measure of the status and effectiveness of an organization. QMS support helps control business risk, provides added resources for internal auditing, helps reduce the cost of compliance and improves corporate governance. Linking gives quality managers a better understanding of finance and how quality can affect the bottom line.
The result is a culture change from management by fear to management by cooperation and mutual respect.
1. Sandford Liebesman, "Down With Silos," Quality Progress, September 2008, pp. 64-67.
2. Sandford Liebesman, Competitive Advantage: Linked Management Systems, Paton Press LLC, 2011.
Sandford Liebesman is president of Sandford Quality Consulting in Morristown, NJ, following more than 30 years of experience in quality at Bell Laboratories, Lucent Technologies and Bellcore (Telcordia). He is a fellow of ASQ and past chair of the Electronics and Communications Division, and is a member of ISO technical committee 176 and the ANSI Z-1 committee on quality assurance.