Change Management Consulting, Inc. Transforming Businesses Worldwide

How ISO 9001 and 14001 Support Sarbanes-Oxley Compliance
By Sandford Liebesman

Introduction

In September 2005, I published an article in Quality Progress entitled "Mitigate SOX Risk with ISO 9001 and 14001" [1]. This paper is an extension of that article. In October 2003 the SOX-Q/E Team was formed to identify how ISO 9001:2000 [2] and ISO 14001:1996 [3] can be used to reduce the risk that CEOs, CFOs and Boards of Directors face when complying with SOX. Note that any comprehensive quality and environmental management system, such as the Malcolm Baldrige Award criteria, can be used in place of the ISO standards.

SOX mandates a system of internal controls to manage risk in the organization. A system published by the COSO Committee [4] in 1992 [5] provides the basis for the internal controls used by many organizations. This system is the foundation for good governance and preceded SOX. There are five components of COSO internal control:

Control environment
Information and communication
Risk management
Monitoring
Control activities

Let us compare these components of COSO internal control with the requirements of ISO 9001 and ISO 14001.

Control Environment

The control environment sets the tone of an organization and forms the foundation of the guidelines that provide discipline and structure. It includes the way management assigns authority and responsibility, and organizes and develops its people. ISO 9001 and ISO 14001 require identification of an organization's processes, their sequence and interaction, and the definition of quality and environmental policies. Further, ISO 9001 requires the establishment of quality objectives, and ISO 14001 requires the definition of environmental objectives and targets. Both standards also require control of documents and records, and both state that personnel must be competent on the basis of education, training, skills and experience.

Information and Communication

To satisfy COSO, information must be identified, captured and communicated so that people can carry out their responsibilities.
Effective communication also must occur in a broader sense, flowing down, across and up the organization. All personnel must receive a clear message from top management that control responsibilities must be taken seriously.

www.cmc-changemanagement.com (877) 268-2440 Page 1
ISO 9001 and ISO 14001 are used to enhance the decision-making process and to manage operations through information and communication within the organization. Both standards require communication with customers and suppliers.

Risk Management

Risks must be identified, analyzed and managed. Key inputs are corporate objectives that are linked at different levels and internally consistent. Because economic, industry, regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change.

The data obtained under ISO 9001 from process and product measurements can be used in risk assessment and continual improvement. ISO 9001 requires analysis of this data, turning it into information that can be used to identify risks to the organization. The standard requires trend analysis, which is a good predictor of developing problems. All of these activities are reviewed by top management in the management review process.

ISO 14001 requires identification of the environmental aspects of the organization's activities, that is, the elements that can interact with the environment. In addition, the standard requires identification of significant aspects and of the operations and activities associated with them. Again, we have an early-warning tool that can be used to identify impending risk.

Monitoring

Monitoring requires assessing the quality of system performance over time. This is done through periodic assessments and continual monitoring of processes. Monitoring includes regular management and supervisory activities, and review of other actions personnel take in performing their duties.

ISO 9001 requires monitoring and measurement of processes and products. The raw data obtained may provide the first warnings of impending problems. Another monitoring activity in ISO 9001, measurement and analysis of customer satisfaction, is also an early-warning tool for organizational concerns. Implementing ISO 9001 turns this data into information.
ISO 14001 requires monitoring and measurement of the key characteristics of operations and activities that may result in significant environmental impacts.

Control Activities

Control activities are the actions taken to address risk and achieve the objectives of the corporation. They occur throughout the organization, at all levels and in all functions.

In ISO 9001, the key to controlling the health of an organization is the improvement loop. As part of the loop, ISO 9001 requires documented procedures defining corrective and preventive action. Both tools provide methodologies to manage or eliminate risks to the organization. One source of corrective actions is the requirement to implement a documented procedure for internal audits and to follow up audit findings with corrective action.

ISO 14001 requires corrective and preventive action to mitigate impacts and reduce environmental risk. In addition, ISO 14001 requires management of nonconformances, with corrective and preventive action taken to reduce impacts. For both environmental and quality management systems, the result is improved alignment of the organization with basic corporate objectives.
Top management asserts control of risk through the management review process in ISO 9001 and ISO 14001. These meetings are used to pull together the key pieces of information and the actions that set the direction of the organization and implement risk-reduction activities.

Auditing to Add Value

The main goal of internal audits is to provide top management and the Board of Directors with an accurate understanding of the organization's financial and operational status. Combining QMS/EMS tools with the financial auditing function and its procedures will result in more effective audits and increase understanding of the organization's material non-financial information [6]. Two of the many values of ISO 9001 and ISO 14001 are the process approach and continual improvement. Many organizations extend the process approach to a set of process audits, which are an effective means of evaluating the status of the organization and managing the risks it faces.

Conclusions

Three goals of corporate governance are management of risk, effective process management and continual improvement of company performance. Quality and environmental management systems such as ISO 9001:2000 and ISO 14001:2004 are excellent tools for accomplishing these objectives. The board should move the corporate mentality from correcting problems to preventing them. Accomplishing these goals will be an excellent step toward satisfying the Sarbanes-Oxley Act.

I have made the case for quality and environmental people to be at the table when the internal financial auditors develop their reports to top management and the Board of Directors. The goals are risk reduction, expanded information for top management decisions and help in satisfying the requirements of the Sarbanes-Oxley Act.

Table 1 contains a description of the COSO guidance and the corresponding ISO 9001 clauses (ISO 14001 clauses are given where they apply).

Table 1. COSO model for SOX and the corresponding ISO 9001 clauses

1. Internal Control Environment
COSO guidance:
* Foundation for all other COSO elements.
* Does the organization do things right?
* Does the organization do the right things and maintain a high degree of integrity in its dealings?
* Few complaints alleging misconduct are received from customers or others.
* Competence of personnel maintained.
* Effective management style, or "Tone at the Top", maintained.
ISO 9001 clauses:
4.1 Quality management system
5.3 Quality policy
5.4.1 Quality objectives
5.5.3 Internal communication
6.1 Provision of resources
6.2.2 Employee competence
7.1 Planning of product realization
8.1 Planning of measurement, analysis and improvement

2. Information and Communication
COSO guidance:
* Information captured and communicated, enabling people to carry out their responsibilities.
* Reports used to run and control the business.
* Information about external events, activities and conditions for making informed business decisions.
* How is information identified, captured and communicated? Does it flow across the organization?
* Do employees understand their roles in the control process?
* Are there processes in place to address employee, supplier and customer concerns in a timely manner?
ISO 9001 clauses:
4.2.3 Control of documents
4.2.4 Control of records
5.1 Top management communication
5.5.3 Internal communication
7.2 Customer requirements
7.2.3 Customer communication
7.4 Purchasing
7.4.2 Supplier communication

3. Risk Assessment
COSO guidance:
* Establishment of objectives, linked at different levels and internally consistent.
* Identification, analysis and management of risks to achieving objectives.
* Mechanisms to deal with change and the risks relevant to change.
* Effective risk assessment requires: definition of the objectives; determination of the compatibility of the objectives; identification of risks to achieving the objectives; determination of risks associated with change; judgment as to which risks are critical; and determination of actions to mitigate risks, starting with the critical ones.
ISO 9001 clauses:
5.4.1 Measurable objectives
5.6 Management review
7.2 Contract review
7.4.3 Supplier data
8.2.1 Customer satisfaction data
8.2.2 Internal audit
8.2.3 Monitoring and measurement of processes
8.2.4 Monitoring and measurement of products
8.4 Analysis of data to demonstrate QMS suitability and effectiveness
8.5.1 Continual improvement
8.5.2 Corrective action
8.5.3 Preventive action
ISO 14001 4.3.1 Environmental aspects and identification of significant aspects

4. Monitoring
COSO guidance:
* A process that assesses the quality of the system's performance over time through separate evaluations and/or ongoing monitoring activities.
* Key tools include internal auditing, management and supervision of operations, and the actions of personnel performing their duties.
* Management is responsible for implementation.
* Auditors must drill down to root causes, follow audit trails and identify significant deficiencies and material weaknesses.
ISO 9001 clauses:
5.4.1 Measurable objectives
5.6 Management review
8.2.1 Customer satisfaction data
8.2.3 Monitoring and measurement of processes
8.2.4 Monitoring and measurement of products
8.4 Analysis of data
8.5.1 Continual improvement

5. Control Activities
COSO guidance:
* Policies and procedures that help ensure management directives are carried out, including approvals, verifications, the security of assets, authorizations, reconciliations and the segregation of duties.
* Timely actions taken to address risks to the achievement of the entity's objectives, exceptions and information that requires follow-up.
* Control activities are based on objectives, risks and what appears to be effective.
* Control activities are put in place for significant plans and programs, such as the management of supplier products and outsourced services.
ISO 9001 clauses:
5.6 Management review (and ISO 14001 4.6 Management review)
8.3 Control of nonconforming product
8.5.2 Corrective action
8.5.3 Preventive action
ISO 14001 4.4.7 Emergency preparedness and response
ISO 14001 4.5.3 Nonconformity, corrective action and preventive action

About the Author

Sandford Liebesman, Ph.D., is a senior professional recognized as a leading expert on international quality standards, ISO 9001 and TL 9000 assessments, business excellence models, risk mitigation based on quality management systems, and the Sarbanes-Oxley Act. He is an ASQ Fellow and Chairman of the ASQ Electronics and Communications Division. Dr. Liebesman is also a senior consultant for Change Management Consulting, Inc. He may be reached at sliebesman@cmc-changemanagement.com.

Notes

[1] Sandford Liebesman, "QMS and EMS Support Financial Management Systems," Quality Progress, September 2005, pp. 83-85.
[2] International Organization for Standardization, ISO 9001:2000, Quality Management Systems: Requirements, Geneva, Switzerland, 2000.
[3] International Organization for Standardization, ISO 14001:2004, Environmental Management Systems: Requirements with Guidance for Use, Geneva, Switzerland, 2004.
[4] COSO: the Committee of Sponsoring Organizations of the Treadway Commission.
[5] Internal Control: Integrated Framework, Evaluation Tools, Committee of Sponsoring Organizations of the Treadway Commission, September 1992.
[6] The SEC has stated that senior officers must certify that material non-financial information is also included in the quarterly and annual reports.