Quality in the mix: teaming COSO-based internal controls with quality management tools can help mitigate Sarbanes-Oxley risks
Internal Auditor, Oct, 2005 by Sandford Liebesman
THE U.S. SARBANES-OXLEY Act of 2002 requires chief executive officers (CEOs) and chief financial officers to certify the effectiveness of their company's internal controls each year, or risk civil and criminal penalties for signing off on ineffective controls. However, focusing too narrowly on financial reporting controls may be a risk in itself. Operational failures, particularly in the quality and environmental areas, can lead to material financial misstatements.
Effective internal controls and quality initiatives work closely to manage such risks, according to the Internal Control-Integrated Framework developed by The Committee of Sponsoring Organizations of the Treadway Commission (COSO). "The quest for quality is directly linked to how businesses are run, and how they are controlled," the framework states. "In fact, internal control not only is integrated with quality programs, it usually is critical to their success."
In 2003, four quality management professionals formed the SOX-Q/E Team, an independent initiative to identify how quality and environmental management systems (QMS/EMS) can be used to help reduce risk related to Sarbanes-Oxley. As models of effective QMS/EMS, the team selected two standards developed by the International Organization for Standardization (ISO): ISO 9001:2000, Quality Management Systems: Requirements, and ISO 14001:2004, Environmental Management Systems: Requirements With Guidance for Use. These standards are used by more than 100,000 organizations worldwide. Team members concluded that a good QMS/EMS can give senior management the information they need to maintain effective corporate governance and satisfy the Sarbanes-Oxley requirements. Comparing clauses of ISO 9001 and 14001 with COSO's internal control components suggests ways these quality standards can help reduce Sarbanes-Oxley risks.
CONTROL ENVIRONMENT

The control environment provides discipline and structure and is the foundation of the COSO guidelines. Both ISO 9001 and 14001 include specifications that support the control environment and can help management set the tone at the top described by COSO. Both standards require senior management to provide evidence of its commitment to the development, implementation, and continual improvement of the QMS/EMS. They mandate that senior management define quality and environmental policies and ensure that responsibilities are communicated throughout the organization.

RISK MANAGEMENT

COSO's internal control guidance states that risks must be identified, analyzed, and managed. Because economic, industry, regulatory, and operating conditions will change, mechanisms are needed to identify and deal with the special risks associated with these changes. The process and product measurements specified in ISO 9001 can be used in risk assessment and continual improvement based on established objectives and targets. ISO 9001 also directs organizations to analyze this data and perform trend analysis to help predict developing problems. To comply with ISO 14001, organizations must identify significant environmental aspects and the associated operations and activities. This can provide an early warning about impending risk that could result in financial misstatements.

CONTROL ACTIVITIES

Control activities are the actions taken to address risk and achieve corporate objectives. In the COSO internal control framework, these activities occur throughout the organization at all levels and in all functions, and are the results of implementing the management system processes and policies. ISO 9001 mandates continual improvement of the organization supported by documented, stepwise processes to identify and manage potential risks to the management system. To meet the ISO 14001 standard, organizations are expected to take corrective and preventive actions to mitigate impacts and reduce environmental risk.

INFORMATION AND COMMUNICATION

Information must be identified, captured, and communicated to allow people to perform their responsibilities, according to COSO. Effective communication also must occur in a broader sense, flowing down, across, and up the organization. Senior management should send a clear message to all personnel that control responsibilities must be taken seriously, the COSO guidance notes. Compliance with ISO 9001 and 14001 can enhance management's ability to make informed decisions by requiring communication within the organization and with customers and suppliers. The resulting material nonfinancial information can support Sarbanes-Oxley compliance and identify potential risks such as nonconforming product, inventory mismanagement, and excessive shipping costs. QMS/EMS risks may become financial risks if they are not dealt with when discovered.

MONITORING

COSO's monitoring component requires organizations to assess the quality of system performance over time. This is done through continuous observation of activities and separate evaluations, and includes regular supervision of actions personnel take in performing their duties. ISO 9001 calls for internal audits and monitoring and measurement of processes and products to provide early warning of impending problems. To comply with ISO 14001, organizations must monitor and measure key characteristics that may have significant environmental impacts.