From the Trenches
Changes coming for two widely used standards
by Sandford Liebesman
I’m a committee member for two very different standards—ISO 9001 and the COSO internal control guidance document used by financial organizations that must comply with the requirements of the Sarbanes-Oxley Act (SOX).1 While these documents don’t have a lot in common, one thing they share is the need to update the current version.
COSO is a management system that was originally developed for internal control over operations and compliance with external financial reporting requirements. COSO consists of five elements used to manage systems of internal control:
- Control environment. The set of standards, processes and structures that provide the basis for carrying out internal control across the organization.
- Risk assessment. Risk is defined as the possibility that an event will occur and adversely affect the achievement of objectives.
- Control activities. The actions established through policies and procedures that help ensure management’s directives are used to mitigate risks to the organization’s objectives.
- Information and communication. Information is necessary for the entity to carry out internal control responsibilities in support of the achievement of its objectives.
- Monitoring activities. Ongoing evaluations, separate evaluations or some combination of the two are used to ascertain whether the five components of internal control are present and functioning.
The COSO Internal Control—Integrated Framework revision updates the 1992 framework in the areas of technology, globalization, governance, and the integration of controls with risk and other areas. In addition, the revised framework articulates specific principles and attributes in the original five components to enable a more effective system of internal control.
This is in contrast to the more extensive set of changes proposed for the revision of ISO 9001. COSO’s five framework components from 1992 remain structurally intact, reflecting the timeless nature of the document’s internal control framework.
Something to report
The framework has been enhanced by expanding the financial reporting category of objectives to include other important forms of reporting, such as non-financial and internal reporting.2 Other updates and enhancements to the framework help the user address changes in business and operating environments, including:
- Expectations for governance oversight.
- Globalization of markets and operations.
- Changes and greater complexity in the industry.
- Demands and complexities in laws, rules, regulations and standards.
- Expectations for competencies and accountabilities.
- Use and reliance on evolving technologies.
- Expectations related to preventing and detecting fraud.
The main addition is the inclusion of principles for each of the elements. They represent the fundamental concepts associated with each. A total of 17 principles were added, with each individual element having between two and four principles. For example, the principles associated with risk assessment are:
- The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
- The organization identifies risks to the achievement of its objectives across the entity and analyzes them as a basis for determining how the risks should be managed.
- The organization considers the potential for fraud in assessing risks to the achievement of objectives.
- The organization identifies and assesses changes that could significantly impact the system of internal control.
Jeff Thomson, president and CEO of the Institute of Management Accountants (IMA), asked me to serve on the COSO team as the quality management representative. The following are some of the inputs I provided:
- Objectives must be measurable.
- Measurable objectives are preconditions to risk assessment.
- Definitions of risk appetite and risk tolerance should be included.
- Internal control reports should include production quality.
- Communication with customers and suppliers is extremely important.
- Internal reports should include marketing, sales, quality and employee satisfaction.3
The exposure draft of the proposed framework is available for public viewing at www.coso.org and www.ic.coso.org until the final framework is issued during the first quarter of 2013. A second document under development is "Internal Control over External Financial Reporting Approaches and Examples." This document, as well as related ones, should help organizations employ the new COSO documents and tools.
ISO 9001’s makeover
A revision of ISO 9001:2008 was considered by the U.S. Technical Advisory Group (TAG) at a meeting in August 2012. ISO Technical Committee (TC) 176 requires the revision to follow the basic structure defined in Guide 83.
The first three sections are the same as ISO 9001:2008: scope, normative references, and terms and definitions.4 But clauses four through 10 are decidedly different:
- Context of the organization—scope and expectations for the management system.
  - Determine external and internal issues of the organization.
  - Understand the needs and expectations of interested parties.
  - Determine the scope of the quality management system (QMS).
  - Implement, maintain and continually improve the QMS.
- Leadership—management commitment, policy, roles, responsibilities and authorities.
  - Top management to demonstrate leadership and commitment by:
    - Ensuring policies and objectives are established.
    - Ensuring the QMS requirements are integrated into the business processes.
    - Ensuring resources are available.
    - Promoting continual improvement.
  - Establish quality policy that provides a framework for setting quality objectives.
  - Top management shall ensure assignment of roles and responsibilities.
- Planning—risks and opportunities, objectives and
  - Ensure the QMS can achieve intended outcomes, prevent or reduce undesired effects, and achieve continual improvement.
  - Quality objectives are consistent with quality policy, measurable, communicated, monitored and updated.
- Support—resources, competence, awareness, communication and documented information.
  - The organization shall provide the infrastructure, including buildings, workspaces, utilities, process equipment and supporting services.
  - Ensure competence of individuals based on education, training or experience.
  - Ensure awareness of quality policy, benefits of improved quality performance and implications of not conforming to management system requirements.
  - Updating and controlling documented information.
- Operation—operational planning and control.
  - Planning of product realization.
  - Requirements related to product.
  - Customer communication.
  - Design and development processes.
  - Control and validation of production and service provision.
  - Identification and traceability.
  - Care of customer property.
  - Preservation of
- Performance evaluation—monitoring, measurement, analysis, evaluation, internal audits and management review.
  - Measure customer satisfaction.
  - Monitoring and measurement of processes and product.
  - of monitoring and measurement equipment.
- Improvement—nonconformities, corrective action and continual improvement.
  - Information relating to conformity to requirements and customer satisfaction.
  - Characteristics and trends.
  - Opportunities for preventive action.
  - Information concerning
  - Analysis of data.
Moving things around
So, what does this mean? The changes include many elements that are in the current standard, but in different places. There are more than 1 million organizations worldwide registered to ISO 9001 and another million estimated users. They will need help—in most cases, lots of help—moving to the new structure. In the next few years, ASQ will help develop tools to support the changes.
The ISO 9001 revision is in its early stages, and several suggestions should be considered. First, the process model should include the following requirements for each process:
- Identify a process owner.
- Identify all inputs and outputs, customers and suppliers (external and internal), constraints on the process and resources used.
In addition, outsourcing should be included under supply chain management, the level of control should depend on the risk management process in use, and the definition of product also should cover service.
There also are several future concepts that should be considered. The U.S. TAG to TC 176 was asked to consider this list of 20 concepts, the most important of which are in bold:
- Financial resources of the organization.
- Time, speed, agility and related aspects.
- Quality management principles and leadership.
- Alignment with business management practices.
- Inclusion of risk-based thinking approach.
- Life cycle management.
- Plan, source, make and deliver.
- Focus on product conformance.
- Process results and effectiveness.
- Clarification and differentiation of the multiple customers of an organization.
- Process innovation.
- Maintenance of infrastructure.
- Process management.
- Knowledge management.
- Quality tools.
- Structure of QMS and relationship with management system standards work.
- Impact of technology and changes in information management.
- People involvement.5
Comparing the standards
The revision process for COSO is scheduled for completion two years ahead of the ISO 9001 revision. This is because COSO has not changed its basic structure but has expanded the supporting material while adding the definition of 17 important principles.
ISO 9001 is being revised based on the requirements of the ISO Technical Management Board Joint Technical Coordination Group. This has resulted in a major change to the structure of ISO 9001, ISO 14001 and other ISO standards.
The ISO 9001 change will take a lot longer to accomplish than the COSO revision. But both revisions are necessary, and their applications need not occur at the same time.
Notes
1. COSO stands for the Committee of Supporting Organizations. The document was published in 1992. The Securities and Exchange Commission recommends the COSO guidance for compliance with the requirements of SOX.
2. This material is from the COSO Internal Control—Integrated Framework Executive Summary from September 2012.
3. For more details, see my previous column, "Revised Thinking," Quality Progress, April 2012, pp. 61-63.
4. This structure also is being applied to the 2015 revision of ISO 14001. For more detailed coverage of the new structure, see Susan L.K. Briggs’ article, "(Re)visionary Thinking," Quality Progress, September 2012, pp. 24-29.
5. For a detailed description of the five bolded future concepts, see my column, "Revisionist History," Quality Progress, March 2011, pp. 64-66.
Sandford Liebesman is president of Sandford Quality Consulting in Morristown, NJ, following more than 30 years of experience in quality at Bell Laboratories, Lucent Technologies and Bellcore (Telcordia). He is an ASQ fellow and past chair of the Electronics and Communications Division. Liebesman also is a member of ISO Technical Committee 176 and the ANSI Z-1 committee on quality assurance.