How ISO 9001 and 14001 Support Sarbanes-Oxley Compliance. By Sandford Liebesman


Change Management Consulting, Inc. Transforming Businesses Worldwide

Introduction

In September 2005, I published an article in Quality Progress entitled "Mitigate SOX Risk with ISO 9001 and 14001" [1]. This paper is an extension of that article. In October 2003 the SOX-Q/E Team was formed to identify how ISO 9001:2000 [2] and ISO 14001:1996 [3] can be used to reduce the risk that CEOs, CFOs and the Board of Directors face when complying with SOX. Note that any comprehensive quality and environmental management system, such as the Malcolm Baldrige Award criteria, can be used in place of the ISO standards.

SOX mandates a system of internal controls to manage risk in the organization. A system published by the COSO Committee [4] in 1992 [5] provides the basis for internal controls used by many organizations. This system is the foundation for good governance which preceded SOX. There are five components of the COSO internal controls:

Control environment
Information and communication
Risk management
Monitoring
Control activities

Let us compare these components of COSO internal controls with requirements of ISO 9001 and ISO 14001.

Control Environment

The control environment must set the tone of an organization and form the foundation of the guidelines which provide discipline and structure. It includes the way management assigns authority and responsibility, and organizes and develops its people.

ISO 9001 and ISO 14001 require identification of an organization's processes, their sequence and interaction, and the definition of quality and environmental policies. Further, ISO 9001 requires the establishment of quality objectives and ISO 14001 requires definition of environmental objectives and targets. They also require control of documents and records. Both standards state that personnel must be competent based on education, training, skills and experience.

Information and Communication

To satisfy COSO, information must be identified, captured and communicated so that people can carry out their responsibilities. Effective communication also must occur in a broader sense, flowing down, across and up the organization. All personnel must receive a clear message from top management that control responsibilities must be taken seriously.

www.cmc-changemanagement.com (877) 268-2440 Page 1

ISO 9001 and ISO 14001 are used to enhance the decision making process and manage the operations through information and communication within the organization. Both standards require communication with customers and suppliers.

Risk Management

Risks must be identified, analyzed and managed. Key inputs are corporate objectives linked at different levels and internally consistent. Because economic, industry, regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change.

The data obtained in ISO 9001 as a result of process and product measurements can be used in risk assessment and continual improvement. ISO 9001 requires analysis of this data, turning it into information that can be used to identify risks to the organization. The standard requires trend analysis, which is a good predictor of developing problems. These activities are all reviewed by top management in the management review process.

ISO 14001 requires identification of environmental aspects which can interact with the environment. In addition, the standard requires identification of significant aspects and the operations and activities associated with these aspects. Again, we have an early warning tool that can be used to identify impending risk.

Monitoring

Monitoring requires assessing the quality of system performance over time. This is done through periodic assessments and continual monitoring of processes. Monitoring includes regular management and supervisory activities, and review of other actions personnel take in performing their duties.

ISO 9001 requires monitoring and measurement of processes and products. The raw data obtained may provide the first warnings of impending problems. Another monitoring activity, measurement and analysis of customer satisfaction in ISO 9001, is also a tool for early warning of organizational concerns. Implementing ISO 9001 turns this data into information. ISO 14001 requires monitoring and measurement of key characteristics of operations and activities that may result in significant environmental impacts.

Control Activities

Control activities are the actions taken to address risk and achieve the objectives of the corporation. Control activities occur throughout the organization, at all levels and in all functions.

In ISO 9001, the key to controlling the health of an organization is the improvement loop. As part of the loop, ISO 9001 requires documented procedures to define corrective and preventive actions. Both tools provide methodologies to manage or eliminate risks to the organization. One source of corrective actions is the requirement to implement a documented procedure for internal audits and to provide follow-up activities through corrective actions.

ISO 14001 requires taking corrective and preventive actions to mitigate impacts and reduce environmental risk. In addition, ISO 14001 requires management of non-conformances, taking actions to reduce impacts using corrective and preventive actions. For both environmental and quality management systems, the result is improved alignment of the organization with basic corporate objectives.

Top management asserts control of risk through the management review process in ISO 9001 and ISO 14001. These meetings are used to pull together the key bits of information and actions that are used to set the direction of the organization and to implement risk reduction activities.

Auditing to Add Value

The main goal of internal audits is to provide top management and the Board of Directors with an accurate understanding of the organization's financial and operational status. Combining QMS/EMS tools with the financial auditing function and procedures will result in more effective audits and increase the understanding of the material non-financial information of the organization [6].

Two of the many values of ISO 9001 and ISO 14001 are the process approach and continual improvement. Many organizations extend the process approach to a set of process audits, which result in an effective means of evaluating the status of the organization and managing the risks that they face.

Conclusions

Three goals of corporate governance are management of risk, effective process management and continual improvement of company performance. Quality and environmental management systems such as ISO 9001:2000 and ISO 14001:2004 are excellent tools for accomplishing these objectives. The board should move the corporate mentality from correcting problems to preventing them. Accomplishing these goals will provide an excellent step toward satisfying the Sarbanes-Oxley Act.

I've made the case for quality and environmental people to be at the table when the internal financial auditors develop their reports to top management and the Board of Directors. The goals are risk reduction, expanded information for top management decisions and help in satisfying the requirements of the Sarbanes-Oxley Act.

Table 1 contains a description of the COSO guidance and the corresponding ISO 9001 clauses.

Table 1. COSO model for SOX and corresponding ISO 9001 clauses (clauses of ISO 14001 are marked "14001")

1. Internal Control Environment

COSO guidance:
* Foundation for all other COSO elements.
* Does the organization do things right?
* Does the organization do the right things and maintain a high degree of integrity in its dealings?
* Few complaints alleging misconduct are received from customers or others.
* Competence of personnel maintained.
* Effective management style or "Tone at the Top" maintained.

ISO 9001 clauses:
4.1 Quality management system
5.3 Quality policy
5.4.1 Quality objectives
5.5.3 Internal communication
6.1 Provision of resources
6.2.2 Employee competence
7.1 Planning product realization
8.1 Planning measurement, analysis and improvement

2. Information and Communication

COSO guidance:
* Information captured and communicated enabling people to carry out their responsibilities.
* Reports used to run and control the business.
* Information about external events, activities and conditions for making informed business decisions.
* How is information identified, captured, and communicated? Does it flow across the organization?
* Do employees understand their roles in the control process?
* Are there processes in place to address employee, supplier, and customer concerns in a timely manner?

ISO 9001 clauses:
4.2.3 Control of documents
4.2.4 Control of records
5.1 Top management communication
5.5.3 Internal communication
7.2 Customer requirements
7.2.3 Customer communication
7.4 Purchasing
7.4.2 Supplier communication

3. Risk Assessment

COSO guidance:
* Establishment of objectives, linked at different levels and internally consistent.
* Identification, analysis and management of risks to achieving objectives.
* Mechanisms to deal with change and the risks relevant to change.
* Effective risk assessment requires: definition of the objectives; determination of the compatibility of the objectives; identification of risks to achieving the objectives; determination of risks associated with change; judgment as to which risks are critical; determination of actions to mitigate risks, starting with the critical ones.

ISO 9001 clauses:
5.4.1 Measurable objectives
5.6 Management review
7.2 Contract review
7.4.3 Supplier data
8.2.1 Customer satisfaction data
8.2.2 Internal audit
8.2.3 Monitoring and measurement of processes
8.2.4 Monitoring and measurement of products
8.4 Data analysis to demonstrate QMS suitability and effectiveness
8.5.1 Continual improvement
8.5.2 Corrective action
8.5.3 Preventive action
14001, 4.3.1 Environmental aspects and identification of significant aspects

4. Monitoring

COSO guidance:
* A process that assesses the quality of the system's performance over time through separate evaluations and/or ongoing monitoring activities.
* Key tools include internal auditing, management and supervision of operations and actions of personnel performing their duties.
* Management is responsible for implementation.
* Auditors must drill down to root causes, follow audit trails and identify significant deficiencies and material weaknesses.

ISO 9001 clauses:
5.4.1 Measurable objectives
5.6 Management review
8.2.1 Customer satisfaction data
8.2.3 Monitoring and measurement of processes
8.2.4 Monitoring and measurement of products
8.4 Analysis of data
8.5.1 Continual improvement

5. Control Activities

COSO guidance:
* Policies and procedures that help ensure management directives are carried out, including approvals, verifications, the security of assets, authorizations, reconciliations, and the segregation of duties.
* Timely actions taken to address risks to the achievement of the entity's objectives, exceptions and information that requires follow-up.
* Control activities are based on objectives, risks and what appears to be effective.
* Control activities are put in place for significant plans and programs such as the management of supplier products and outsourced services.

ISO 9001 clauses:
5.6 Management review
8.3 Control of nonconforming product
8.5.2 Corrective action
8.5.3 Preventive action
14001, 4.4.7 Emergency preparedness and response
14001, 4.5.3 Nonconformity, corrective action and preventive action
14001, 4.6 Management review

About the Author

Sandford Liebesman, Ph.D., is a senior professional recognized as a leading expert on international quality standards, ISO 9001 and TL 9000 assessments, business excellence models, risk mitigation based on quality management systems and the Sarbanes-Oxley Act. He is an ASQ Fellow and Chairman of the ASQ Electronics and Communications Division. Dr. Liebesman is also a senior consultant for Change Management Consulting, Inc. He may be reached at sliebesman@cmc-changemanagement.com.

References

[1] Sandford Liebesman, "QMS and EMS Support Financial Management Systems," Quality Progress, September 2005, 83-85.
[2] The International Organization for Standardization, ISO 9001:2000: Quality Management Systems - Requirements, Geneva, Switzerland, 2000.
[3] The International Organization for Standardization, ISO 14001:2004: Environmental Management Systems - Requirements with Guidance for Use, Geneva, Switzerland, 2004.
[4] COSO: The Committee of Sponsoring Organizations of the Treadway Commission.
[5] Internal Control - Integrated Framework, Evaluation Tools, the Committee of Sponsoring Organizations of the Treadway Commission, September 1992.
[6] The SEC stated that senior officers must certify that material non-financial information is also included in the quarterly and annual reports.