Quality Digest Magazine
Printed November 6, 2016

Leveraging Your ISO 9001 System for Sarbanes-Oxley Compliance


by Maureen McAllister

Who will stand out as this year's corporate heroes? Strong contenders are those quality assurance managers who help their companies demonstrate compliance with requirements of the Sarbanes-Oxley Act of 2002. Among its financial oversight and whistleblowing provisions, the statute requires publicly traded companies to institute internal controls that help ensure that financial data are accurate and credible. A company's management must attest to the appropriateness of these controls and acknowledge any material weaknesses that might affect the financial data presented. It also puts the burden on independent auditors who audit these organizations, so that incorrect or misleading information is not passed along to the public. Given the pivotal role quality assurance departments play in shepherding their firms through the ISO 9001 or ISO 14001 registration process, they are the obvious ones to help marshal existing activities in support of SOx compliance. They can help avoid unnecessary SOx overhead and costly duplication of effort because many ISO 9001 registration activities provide objective evidence of sound internal controls, including controls related to financial data.

ISO 9001-based quality management systems provide evidence via procedures, methods, audits, and records that transactions and reviews are conducted according to plan. Such systems also help identify and manage various risks that can negatively affect a company's financial position and related financial reports. The data required to maintain registration to ISO 9001 or ISO 14001 can offer valuable evidence in support of SOx compliance, but only if quality managers, chief financial officers and others in management realize the connection.

SOx requirements

SOx compliance requires top management of publicly traded companies to develop, and report on, internal controls. Management must review and analyze accounting figures and operational data for irregularities, and assess the systems and controls that generate these figures and data. Management must state whether any material weaknesses exist in the data and systems that might compromise the organization's financial statements.

SOx section 404 imposes specific requirements for internal controls and procedures surrounding financial reporting. An organization's top management is responsible for assessing the effectiveness of these controls and procedures. Other requirements also apply; section 302, for example, states that compliance reporting must include information of a nonfinancial nature that would provide investors with a materially accurate and complete picture of the operation. The Public Company Accounting Oversight Board has broad new powers to enforce SOx requirements, and companies that must meet these significant new responsibilities are searching for effective compliance tools.

Enforcing SOx compliance typically means implementing procedures and controls so that financial and other data have credibility, a process monitored by management. Operational audits often are used as additional verification. In contrast to financial audits, operational audits focus on day-to-day activities and ensure that planned methods and disciplines are effective. Management will have greater confidence in financial data, as well as risk and/or materiality assessments, if the activities that generate this information are done according to procedure.

For larger organizations, SOx compliance means rolling up attestations from individual divisions and operations through the corporate chain. Top management will seek not only attestations from divisional managers but also documented proof about the attestations and underlying controls.

ISO 9001 and ISO 14001 are natural vehicles to help achieve and sustain SOx compliance. To understand the connection between ISO standards and SOx requirements, we'll look at the macro-level similarities and some examples. (See figure below.)

Article URL: http://www.qualitydigest.com/feb05/articles/03_article.shtml


Management involvement

The most obvious common feature between SOx and ISO systems is the extent of management responsibility and involvement. Both require top management's active involvement in their firms' systems and procedures. For SOx compliance, this means ensuring accurate and complete financial data reporting; for ISO 9001 and similar standards, it means ensuring that management systems meet customer, regulatory and other requirements. In all cases, the level and intensity of management involvement provides the foundation for compliance.
There are five components for assessing internal controls as required by the statute's section 404. These are identified in the Internal Control-Integrated Framework report developed by the Treadway Commission's Committee of Sponsoring Organizations (COSO; see www.cpa2biz.com). The components are:
Control environment
Risk assessment
Control activities
Information and communication
Monitoring

Compliance to ISO standards contributes, in some measure, to all five components of internal controls. For example, ISO 9001 emphasizes the importance of clearly understanding and communicating customer and regulatory requirements, and ensuring that this information is shared by everyone involved in meeting those requirements. ISO 9001 also emphasizes monitoring product, processes and environmental controls. Risk assessment is a factor for both ISO 9001 and ISO 14001 compliance. For ISO 9001, planning for the quality system and the products it produces necessarily involves risk assessment. For ISO 14001, an organization must specifically identify environmental aspects and proactively minimize potential risks. In addition, the control environment is directly affected by ISO standards. The culture that contributes to ISO compliance also lends credibility to SOx's section 404 assessments and attestations.

The specific ISO requirements that best support SOx compliance vary. Management and accounting professionals must consider their individual business circumstances to determine if and how ISO requirements can help support SOx compliance and, perhaps, vice versa.

ISO 9001 focuses on meeting customer requirements and the processes enabling that. It defines, monitors and ensures that these processes operate effectively. Regulatory, internal and other requirements related to the products and services offered must also be met. If the processes are effectively executed according to management's plan, then it's more likely they'll meet all requirements. Management periodically reviews performance data and results to help ensure that the quality management system achieves its objectives.

ISO 14001 focuses on pollution prevention and compliance with regulatory requirements. Although it appears more narrowly focused than ISO 9001, ISO 14001 includes the broader community, shareholders and others whose interests and concerns must be considered. An organization must identify environmental impacts through a planning process that includes monitoring and controlling the most critical effects.

SOx compliance

There are many parallel requirements in ISO 9001 and ISO 14001. These requirements focus on the procedures and controls appropriate for an ISO 9001- or ISO 14001-compliant system. Here we'll consider some specific similarities. Because self-checkups are an inherent part of compliance with ISO standards and SOx, we also give examples of internal audit questions, the answers to which can provide evidence for ISO standards and SOx compliance.

Planning. ISO 9001 requires planning at both the business level (section 5.4) and product level (sections 7.1, 7.2 and 7.3). ISO 14001 requires planning activities that include identifying environmental impacts and related regulatory requirements, establishing improvement goals and developing plans for achieving them (section 4.3). The planning process and its results provide evidence of a controlled environment in which duties and responsibilities are defined, and results compared against plans and projections.

Monitoring and measuring. ISO 9001 section 8.2.3 requires monitoring and/or measuring key business processes (e.g., quoting customer requirements, purchasing and supplier management, and manufacturing). ISO 14001 section 4.5.1 requires monitoring and measuring the controls related to significant environmental impacts.
Because of the attention and visibility of performance measures in an ISO 9001- or ISO 14001-compliant system, costs and other related data accumulated under it are more likely to be accurate and complete.

Business transactions. ISO 9001 compliance demands that essential business transactions (e.g., customer order reviews, purchasing, receipts and disbursements of inventory) are controlled. These transactional controls are basic in a SOx-compliant environment. ISO 9001 section 7.4 requires a review of purchasing data prior to supplier issuance. Typically, this means that sign-offs or other approval methods help ensure that the proper items, correctly priced, are ordered from qualified suppliers. ISO 14001 section 4.4.6c requires that purchased goods and services be controlled from an environmental compliance perspective.

Document control. Document control requirements can help provide evidence of an adequate control environment throughout the business. ISO 9001 section 4.2.3 requires that an organization define how standard operating procedures and control instructions are properly authorized, issued and revised. Current documents must also be maintained at the appropriate points of use and accessible to those performing work and accumulating data. ISO 14001 section 4.4.5 has similar requirements.

Record keeping. Records (i.e., evidence that required activities are being performed and their results) must be kept. Specific controls are documented in a procedure that defines methods of record identification, storage, protection, retrieval, retention and disposition. This procedure should include safeguards (e.g., passwords, backup and other security routines) for electronic records. (See ISO 9001 section 4.2.4 and ISO 14001 section 4.5.3.) Record control requirements make it more likely that resulting data are retained, safeguarded against unauthorized changes and available when needed.
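The article asks that electronic records be "safeguarded against unauthorized changes" but leaves the mechanism to the organization's procedure. The following is an added example, not code from the article or from McAllister Consulting, of one such safeguard: a tamper-evident record log in which each entry is chained to the hash of its predecessor and sealed with an HMAC under a key held by the record custodian. The purchasing-review records, the custodian key and the helper names are all constructed for the example; a real deployment would keep the key outside the record store.

```python
"""Tamper-evident record log: hash chain plus per-entry HMAC.

Added example (not part of the Quality Digest article). Editing, deleting
or reordering a record breaks verification at the first affected entry.
"""
import copy
import hashlib
import hmac
import json

# Assumption: in production the custodian's key lives in an HSM or secrets
# manager; it is hard-coded here only so the example runs offline.
CUSTODIAN_KEY = b"example-key-not-for-production"

GENESIS = "0" * 64  # "previous hash" of the first record


def _canonical(record: dict) -> bytes:
    # Sorted keys and fixed separators make serialization deterministic,
    # so the same record always hashes to the same value.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_record(log: list, payload: dict, key: bytes = CUSTODIAN_KEY) -> dict:
    """Append payload as a new entry chained to the previous entry's hash."""
    prev = log[-1]["entry_hash"] if log else GENESIS
    body = {"seq": len(log), "prev": prev, "payload": payload}
    entry_hash = hashlib.sha256(_canonical(body)).hexdigest()
    tag = hmac.new(key, entry_hash.encode(), hashlib.sha256).hexdigest()
    entry = {**body, "entry_hash": entry_hash, "mac": tag}
    log.append(entry)
    return entry


def verify_log(log: list, key: bytes = CUSTODIAN_KEY):
    """Return (ok, first_bad_seq); first_bad_seq is None when the log is intact.

    Checks, in order for each entry: sequence number, link to predecessor,
    recomputed hash, and the HMAC (compared in constant time).
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {"seq": entry["seq"], "prev": entry["prev"], "payload": entry["payload"]}
        expected_hash = hashlib.sha256(_canonical(body)).hexdigest()
        expected_mac = hmac.new(key, expected_hash.encode(), hashlib.sha256).hexdigest()
        if (entry["seq"] != i or entry["prev"] != prev
                or entry["entry_hash"] != expected_hash
                or not hmac.compare_digest(entry["mac"], expected_mac)):
            return False, i
        prev = entry["entry_hash"]
    return True, None


def build_sample_log() -> list:
    """Constructed sample: three purchasing-review records (not real data)."""
    log = []
    append_record(log, {"po": "PO-1001", "supplier": "ACME", "amount": 1250.00, "approved_by": "jdoe"})
    append_record(log, {"po": "PO-1002", "supplier": "Globex", "amount": 980.50, "approved_by": "asmith"})
    append_record(log, {"po": "PO-1003", "supplier": "ACME", "amount": 4100.00, "approved_by": "jdoe"})
    return log


def tamper_amount(log: list, seq: int, new_amount: float) -> list:
    """Simulate an unauthorized edit of one record's amount (returns a copy)."""
    altered = copy.deepcopy(log)
    altered[seq]["payload"]["amount"] = new_amount
    return altered


def drop_record(log: list, seq: int) -> list:
    """Simulate deletion of one record from the middle of the log (returns a copy)."""
    altered = copy.deepcopy(log)
    del altered[seq]
    return altered


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:        ", verify_log(log))
    print("amount edited: ", verify_log(tamper_amount(log, 1, 98.50)))
    print("record deleted:", verify_log(drop_record(log, 1)))
    print("wrong key:     ", verify_log(log, b"some-other-key"))
```

Two caveats a practitioner should note. The chain detects edits, insertions and deletions inside the log, but not truncation of the most recent entries, because a shortened log is still internally consistent; anchoring the latest entry hash and record count somewhere the custodian cannot silently change (a periodic signed digest, a write-once store) closes that gap. And an insider who holds the custodian key can re-seal whatever they alter, so the key must be held by someone other than the people who write the records, which is the same separation-of-duties principle the article applies to approvals and internal audits.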
Policy and objectives. A company registered to ISO 9001 or ISO 14001 must define its policy and objectives relative to quality (ISO 9001) and/or the environment (ISO 14001). In addition, management is responsible for communicating these objectives throughout the organization so that individual employees are aware of how their duties affect the objectives and the metrics within their control. (See ISO 9001 sections 5.3, 5.4.1 and 5.5.3, and ISO 14001 sections 4.3.3 and 4.4.3.) Creating a culture of communication and information sharing supports the notion of control. Employees who are aware of their responsibilities relative to business and environmental objectives can more appropriately report data and concerns to top management.

Management review. Top management is also responsible for periodically assessing the system's effectiveness. This review is a fact-based assessment that includes the results of operating control systems, such as process performance monitoring, corrective action and internal audits. This activity could be expanded to include financial control issues. Even without these, internal audit results might indicate if transactional weaknesses exist. (See ISO 9001 section 5.6.1 and ISO 14001 section 4.6.)

Effect of changes. Companies registered to ISO 9001 or ISO 14001 must consciously consider and evaluate the effect of changes on their quality and/or environmental systems. (See ISO 9001 section 5.4.2 and ISO 14001 sections 4.3.4 and 4.6.) This is specifically a top management responsibility. Items such as pending environmental litigation or key personnel changes would be logical topics for management review and disclosure, if material.

Corrective action. ISO 9001- or ISO 14001-compliant companies are required to maintain formal corrective and preventive action systems, i.e., structured problem-solving methods that emphasize root cause analysis and preventing problem occurrence or recurrence. (See ISO 9001 sections 8.5.2 and 8.5.3, and ISO 14001 section 4.5.2.) Any deficiencies discovered (e.g., an internal audit nonconformance or customer complaint) are addressed using these systems and include management oversight through review.

Internal auditing. Internal auditing is an important part of compliance under both ISO 9001 and ISO 14001. This is not financial auditing, nor is it concerned with internal controls over financial data. Internal auditing focuses on how effective processes are in achieving planned results, consistent with all requirements. It involves reviewing transactions and processes, including how customer orders are reviewed and processed, and measures such as the cost of poor quality (e.g., costs associated with goods returned from customers, scrap and rework) that can and should tie to financial data. ISO standards audits address such performance metrics, issues related to the control environment (i.e., the extent to which procedures are being followed and records kept) and communication and information. This information can be used to assess the overall control environment. Internal auditors can't audit their own activities, but they usually bring a different perspective when auditing outside their own areas of responsibility. This contributes to impartiality and can provide support for third-party audit results.

This list of ISO standards requirements isn't exhaustive. There are others (e.g., controlling nonconforming product such as scrap and rework) that may be important in a given organization. These types of controls can affect data that end up on income statements as expenses, or on balance sheets as inventory valuation.

Conclusion

Registration to an ISO standard doesn't make a firm SOx-compliant. ISO 9001 and ISO 14001 are not financially focused. However, their systems, procedures and practices offer a ready-made platform to help demonstrate SOx compliance. ISO standards provide a vehicle for ongoing risk assessment and management. Their internal auditing requirements back up these procedures and assessments with cross-checks that ensure proper practices are actually being followed. These standards can put some real teeth into SOx-required attestations about internal controls.

About the author

Maureen McAllister is a CPA and consulting engineer with McAllister Consulting LLC, located in suburban Chicago. Her consulting practice focuses on compliance as well as aligning and integrating compliance activities with other business priorities (e.g., lean manufacturing, supply chain management, etc.). She gratefully acknowledges the assistance of Christopher Knowles, Gary LaPorta and John Straebel in preparing this article. Contact McAllister at www.mcallisterconsulting.com, www.ISOx.org or (630) 377-7300. ISOx is a registered service mark of McAllister Consulting LLC.

Copyright 2006 QCI International. All rights reserved.