Introduction

What keeps your CEO up at night? Risk! What are some of these risks? Of course there are always the financial and competitive risks. But now, because of the Sarbanes-Oxley Act (SOX), the CEOs and CFOs of public companies must certify their company’s financial statements. Also, each year they must certify the effectiveness of the system of internal controls mandated by the Act. In the past, top management could claim ignorance of their organizations’ operational failures. This no longer holds. Lack of knowledge of problems is not an excuse, and top management now risks civil and criminal penalties.

In October 2003, Paul Palmes[1] and I wrote an article for Quality Progress[2] describing how quality and environmental management systems (QMS/EMS) can help top management maintain effective corporate governance and satisfy the requirements of SOX.[3] Since then, the SOX-Q/E Team has been formed to identify how ISO 9001:2000[4] and ISO 14001:1996[5] can be used to reduce the risk that CEOs, CFOs and the Board of Directors face when complying with SOX. Note that any comprehensive quality and environmental management system, such as the Malcolm Baldrige Award criteria, can be used in place of the ISO standards.

Our review of SOX identified that top management needs better information about the effectiveness of their organizations. The Act mandates a system of internal controls to manage risk in the organization. A system developed by the COSO Committee in 1985[6] provides the basis for the internal controls used by many organizations.[7] This system, which preceded SOX, is the foundation of good governance.

There are five components to the COSO set of internal controls:

  • Control environment: Sets the tone of an organization and is the foundation of the other components.
  • Information and Communication: Provides the information needed for people to carry out their responsibilities.
  • Risk management: Provides methods of identifying and managing the organization’s risks.
  • Monitoring: Provides assessment of the organization’s internal control performance over time.
  • Control Activities: Consists of the processes needed to carry out the management’s directives.

Let us compare these components of COSO internal controls[8] with clauses of ISO 9001 and ISO 14001.

Control Environment

For COSO, the control environment is the foundation of the guidelines which provide discipline and structure. It includes the way management assigns authority and responsibility, and organizes and develops its people.

For QMS/EMS, ISO 9001 and ISO 14001 require identification of an organization’s processes, their sequence and interaction and the definition of quality and environmental policies. Further, ISO 9001 requires the establishment of quality objectives and ISO 14001 requires definition of environmental objectives and targets. Both standards require control of documents and records. Both standards require that personnel be "competent based on education, training, skills and experience."

Information and Communication

To satisfy COSO, information must be identified, captured and communicated so that people can carry out their responsibilities. Effective communication also must occur in a broader sense, flowing down, across and up the organization. All personnel must receive a clear message from top management that control responsibilities must be taken seriously.

The QMS/EMS standards ISO 9001 and ISO 14001 are used to enhance the decision-making process through information and communication within the organization. Both standards require communication with customers and suppliers.

Risk Management

For COSO, risks must be identified, analyzed and managed. Key inputs are corporate objectives linked at different levels and internally consistent. Because economic, industry, regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change.

The data obtained under ISO 9001 from process and product measurements can be used in risk assessment and continual improvement. ISO 9001 requires analysis of this data, turning it into information that can be used to identify risks to the organization. The standard requires trend analysis, which is a good predictor of developing problems. All of these activities are reviewed by top management in the management review process.

ISO 14001 requires identification of environmental aspects which can interact with the environment and in addition the standard requires identification of significant aspects and the operations and activities associated with these aspects. Again, we have an early warning tool that can be used to identify impending risk.

Monitoring

In the COSO guidelines, monitoring requires assessing the quality of system performance over time. This is done through continuous monitoring of processes and periodic assessments. It includes regular management and supervisory activities, and other actions personnel take in performing their duties.

ISO 9001 requires monitoring and measurement of processes and products. The raw data obtained here may provide the first warnings of impending problems. Another ISO 9001 monitoring activity, the measurement and analysis of customer satisfaction, is also an early-warning tool for organizational concerns. Implementing ISO 9001 turns this data into information. ISO 14001 requires monitoring and measurement of the key characteristics of operations and activities that may result in significant environmental impacts.

Control Activities

The COSO control activities are the actions taken to address risk and achieve the objectives of the corporation. Control activities occur throughout the organization, at all levels and in all functions.

In ISO 9001, the key to controlling the health of an organization is the "improvement loop." As part of the loop, ISO 9001 requires documented procedures to define corrective and preventive actions. Both tools provide methodologies to manage or eliminate risks to the organization. One source of corrective actions is the requirement to implement a documented procedure for internal audits and to provide follow-up through corrective action.

ISO 14001 requires taking corrective and preventive actions to mitigate impacts and reduce environmental risk. In addition, ISO 14001 requires management of non-conformances, taking actions to reduce impacts using corrective and preventive actions. For both environmental and quality management systems, the result is improved alignment of the organization with basic corporate objectives.

Top management asserts control of risk through the management review process in ISO 9001 and ISO 14001. These meetings are used to pull together the key bits of information and actions that are used to set the direction of the organization and to implement risk reduction activities.

Auditing to Add Value

The main goal of internal audits is to provide top management and the Board of Directors with an accurate understanding of the organization’s financial and operational status. Combining QMS/EMS "tools" with the financial auditing function and procedures will result in more effective audits and increase the understanding of the material non-financial information of the organization.[9]

Two of the many values of ISO 9001 and ISO 14001 are the process approach and continual improvement. Many organizations extend the process approach to a set of process audits which result in an effective means of evaluating the status of the organization and managing the risks that they face.

The Audit Team Tasks

First of all, the controller should determine the risks to the organization based on five characteristics:

  • The size of the major accounts,
  • The number of transactions,
  • Risk as a percentage of revenue,
  • The value of assets and
  • The likelihood of occurrence.

The results can then be used to determine the internal controls audit plan and checklists. If the organization is process based, the audit will consist of a set of individual process audits that cover the key functions used in its operations. Some specific audit activities that the team should consider are as follows:

  • Confirming that the accounting and operations systems are based on the risk analysis,
  • The "tone" of the company, determined by interviews of top management and a cross section of the organization,
  • A review of the financial statements and
  • Auditing the information in the computer system.

The audit team should go through each process and procedure to determine:

  • What can go wrong,
  • The risks involved,
  • That responsibilities are correctly identified and
  • That duties are adequately separated, so that the person who validates payment of invoices isn’t the one who writes the check.

Finally, the audit team should test a sample of the processes and procedures. The testing process consists of randomly picking transactions from different days to see if they were done correctly. Look for triggers and the processes followed when they occur. An alternate method of testing is to use a practice database or "sandbox" to print forms and reports that verify that transactions are done correctly. The sandbox can also be used to assure that data is stored correctly.
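The sampling and separation-of-duties test described above, written out as an added illustration that is not part of the original article: a constructed invoice-payment ledger (not real data) is sampled at random across days, and each sampled payment is checked for the control the text names, that the person who validated the invoice is not the one who wrote the check. The field names and the `Payment` record are assumptions for the example.

```python
import random
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Payment:
    txn_id: str
    day: date
    amount: float
    validated_by: str  # who approved the invoice for payment
    check_writer: str  # who issued the check


# Constructed sample ledger: a few days of invoice payments.
LEDGER = [
    Payment("T001", date(2004, 3, 1), 1200.00, "alice", "bob"),
    Payment("T002", date(2004, 3, 1), 480.50, "carol", "bob"),
    Payment("T003", date(2004, 3, 2), 9800.00, "dave", "dave"),  # one person on both sides
    Payment("T004", date(2004, 3, 2), 75.00, "alice", "carol"),
    Payment("T005", date(2004, 3, 3), 15000.00, "bob", "bob"),  # one person on both sides
    Payment("T006", date(2004, 3, 3), 310.00, "carol", "alice"),
    Payment("T007", date(2004, 3, 4), 2500.00, "alice", "bob"),
]


def sample_by_day(ledger, per_day, seed):
    """Randomly pick up to `per_day` transactions from each distinct day.

    A fixed seed keeps the audit sample reproducible for the working papers.
    """
    rng = random.Random(seed)
    by_day = {}
    for p in ledger:
        by_day.setdefault(p.day, []).append(p)
    sample = []
    for day in sorted(by_day):
        txns = by_day[day]
        sample.extend(rng.sample(txns, min(per_day, len(txns))))
    return sample


def segregation_violations(txns):
    """Return the transactions where the validator also wrote the check."""
    return [p for p in txns if p.validated_by == p.check_writer]


def exposure(txns):
    """Dollar value of the transactions that failed the separation check."""
    return round(sum(p.amount for p in segregation_violations(txns)), 2)


if __name__ == "__main__":
    picked = sample_by_day(LEDGER, per_day=1, seed=7)
    for p in segregation_violations(picked):
        print(f"{p.txn_id} {p.day}: {p.validated_by} validated and wrote check ({p.amount:.2f})")
    print("exposure in full ledger:", exposure(LEDGER))
```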

Conclusions

Three goals of corporate governance are management of risk, effective process management and continual improvement of company performance. Quality and environmental management systems such as ISO 9001:2000 and ISO 14001:1996 are excellent tools for accomplishing these objectives. The board should move the corporate mentality from correcting problems to preventing them. Accomplishing these goals will provide an excellent step toward satisfying the Sarbanes-Oxley Act.

Quality and environmental system practitioners must make their capabilities known to top management. We suggest developing an elevator speech such as the following:

"Sir, I am familiar with the Sarbanes-Oxley Act and the need to better identify and manage risk. Quality and Environmental Management Systems are tools that can help with risk management. Our processes link directly to the system of internal controls mandated by the Act. I’d like the opportunity to show you how we can help."

I’ve made the case for quality and environmental people "to be at the table" when the internal financial auditors develop their reports to top management and the Board of Directors. The goals are risk reduction, expanded information for top management decisions and help in satisfying the requirements of the Sarbanes-Oxley Act.

Attachment 1

COSO Components of Internal Control

ISO 9001/14001 Management System Requirements

Control Environment - The core of any business is its people - their individual attributes, including integrity, ethical values and competence - and the environment in which they operate. They are the engine that drives the entity and the foundation on which everything rests.

ISO 9001

4.1 QMS General Requirements
5.3 Quality Policy
5.4.1 Quality Objectives
5.4.2 Quality Management System Planning
5.5.3 Internal Communication
6.1 Provision of Resources
7.1 Planning Product Realization
8.1 Planning Measurement, Analysis & Improvement

ISO 14001

4.1 EMS General Requirements
4.2 Environmental Policy
4.3.3 Environmental objectives, targets & Programs
4.4.3 Communication
4.4.1 Resources, Roles, Responsibilities & Authority
4.4.6 Operational Control

Information and Communication - Surrounding these activities are information and communication systems. These enable the entity's people to capture and exchange the information needed to conduct, manage and control its operations.

ISO 9001

4.2.1 Document Requirements (General)
4.2.2 Quality Manual
4.2.3 Control of Documents
4.2.4 Control of Records
5.1 Management Commitment
5.5.3 Internal Communication
7.2.3 Customer Communication
7.4.2 Purchasing Information

ISO 14001

4.2 Environmental Policy
4.4.1 Resources, Roles, Responsibilities and Authority
4.4.3 Communication
4.4.4 Documentation
4.4.5 Control of Documents
4.4.6 Operational Control
4.5.4 Control of Records

Risk Assessment - The entity must be aware of and deal with the risks it faces. It must set objectives, integrated with the sales, production, marketing, financial and other activities so that the organization is operating in concert. It also must establish mechanisms to identify, analyze and manage related risks.

ISO 9001

7.2.2 Review of Requirements Related to the Product
8.2.3 Monitoring & Measurement of Processes
8.2.4 Monitoring & Measurement of Product
8.4 Analysis of data

ISO 14001

4.3.1 Environmental Aspects
4.4.6 Operational Control (Significant aspects)
4.5.1 Monitoring & Measurement
4.5.2 Evaluation of Compliance

Monitoring - The entire process must be monitored and modifications made as necessary. In this way, the system can react dynamically, changing as conditions warrant.

ISO 9001

8.2.2 Internal Audit
8.2.1 Customer Satisfaction
8.2.3 Monitoring & Measurement of Processes
8.2.4 Monitoring & Measurement of Product
8.4 Analysis of data
8.5.1 Continual Improvement
5.6 Management Review
5.6.1 General
5.6.2 Review Input
5.6.3 Review Output

ISO 14001

4.2 Environmental Policy (for Continual Improvement)
4.3.3 Objectives, Targets and Programs (for Continual Improvement)
4.5.5 Internal Audit
4.5.2 Evaluation of Compliance
4.5.1 Monitoring & Measurement
4.6 Management Review

Control Activities - Control policies and procedures must be established and executed to help ensure that the actions identified by management as necessary to address risks to achievement of the entity's objectives are effectively carried out.

ISO 9001

8.5.2 Corrective Action
8.5.3 Preventive Action
5.6 Management Review
5.6.1 Management Review (General)
5.6.2 Review Input
5.6.3 Review Output
8.3 Control of Nonconforming Product

ISO 14001

4.4.7 Emergency Preparedness Response
4.5.3 Nonconformance and Corrective and Preventive Action
4.6 Management Review

Attachment 2

References and Web Sites

References

  • HR 3763, the Sarbanes-Oxley Act of 2002, July 24, 2002.
  • Sandford Liebesman, "Effective Corporate Governance Using Quality and Environmental Management Systems," presented at the American Society for Quality Annual Quality Congress, Toronto, Canada, May 24, 2004.
  • Sandford Liebesman, "The Sarbanes-Oxley Law: Reducing the Risk," presented at the North Jersey ASQ Spring Quality Conference 2004, April 15, 2004.
  • Sandford Liebesman, Paul Palmes & John Walz, "The Impact of SOX and QMS/EMS on Corporate Governance," The Informed Outlook, May 2004.
  • Sandford Liebesman, Paul Palmes & John Walz, "Use Management Tools to Mitigate Risk from SOX," The Informed Outlook, January 2004, 2, 13-22.
  • Sandford Liebesman, "Using Quality & Environmental Tools to Mitigate the Risk from the Sarbanes-Oxley Law," presented at the Philadelphia Chapter of ASQ, November 19, 2003.
  • Sandford Liebesman & Paul Palmes, "Quality’s Path to the Boardroom," Quality Progress, October 2003, 41-43.
  • "IT Control Objectives for Sarbanes-Oxley," Information Systems Audit and Control Association, www.isaca.org.
  • Greg Hutchins, Value Added Auditing, Quality Plus Engineering, Portland, OR.
  • Enterprise Risk Management – Integrated Framework; Executive Summary Framework, The Committee of Sponsoring Organizations of the Treadway Commission, 2004.
  • Enterprise Risk Management – Integrated Framework; Application Techniques, The Committee of Sponsoring Organizations of the Treadway Commission, 2004.
  • Scott Green, Manager’s Guide to the Sarbanes-Oxley Act, John Wiley & Sons, Inc., 2004.
  • Guy P. Lander, What is Sarbanes-Oxley?, McGraw-Hill, 2004.
  • Frequently Asked Questions Regarding Section 404, Protiviti, July 2003.
  • Guide to Sarbanes-Oxley: IT Risks and Controls, Protiviti, December 2003.
  • Thomas Industries Inc., "Evaluation of Internal Controls at the Entity Level for the Year Ending 12/31/04."
  • "Buyer Beware: More companies than ever have experience with outsourcing. So why are deals still failing?", CFO on Line Magazine, CFO.com, December 2004.
  • James W. DeLoach, "Building Enterprise Risk Management on the Foundation Laid by Sarbanes-Oxley," Protiviti, Inc., 2003.
  • "COSO ERM Integrated Framework," slide presentation downloaded from www.COSO.com.
  • "About SAS 70," downloaded from www.sas70.com (SAS 70 is used to audit outsourcing service organizations).
  • George R. Aldhizer III and James D. Cashell, "Customer Relationship Management: Risks and Controls," Internal Auditor, December 2004, 52-58.

Web Sites

COSO Homepage
http://www.coso.org

COSO Integrated Framework
http://www.coso.org/publications/executive_summary_integrated_framework.htm

Revenue Recognition
http://www.revenuerecognition.com/article.cfm/3468589

CFO.COM On line magazine
http://www.CFO.COM

Corporate Governance
http://www.corpgov.net/index.htm

The Corporate Library
http://www.thecorporatelibrary.com/

The Institute of Internal Auditors
http://www.theiia.org/iia/index.cfm

Protiviti (Consulting and good printed material on SOX)
http://www.protiviti.com/

Open Compliance and Ethics Group
http://www.oceg.org/

Jefferson Wells (Consulting on SOX)
http://www.jeffersonwells.com/Inet/

Dexter Hansen Home page (Good reference Material)
http://home.att.net/~dexter.a.hansen/index.HTML

Federal Reserve Board of Governors
http://www.federalreserve.gov/

The American Institute of Certified Public Accountants
http://www.aicpa.org/sarbanes/index.asp

Information Systems Audit and Control Association (Information Technology:CobIT)
www.isaca.org

Chief Information Officers
www.cio.com

The American Society for Quality
www.asq.org

The International Organization for Standardization
www.iso.org

Enhanced Business Reporting Consortium
www.ebrconsortium.org

Iron Mountain: Records management and storage
www.ironmountain.com

CSRWire: Corporate Social Responsibility
www.cswire.com

SAS 70: Auditing Standard (SAS) No. 70, Service Organizations
www.sas70.com

Footnotes

1. I’d like to acknowledge the valuable inputs provided for this paper by Paul Palmes, the Northern Pipe subsidiary of the OtterTail Corporation and Donna Spencer, the Nordam Group.

2. "Quality’s Path to the Boardroom," with Paul Palmes, Quality Progress, October 2003, 41-43.

3. The U.S. House of Representatives, Sarbanes-Oxley Act of 2002, July 24, 2002 (9:07 PM).

4. The International Organization for Standardization, ISO 9001:2000: Quality Management Systems – Requirements, Geneva, Switzerland, 2000.

5. The International Organization for Standardization, ISO 14001:2004: Environmental Management Systems – Requirements with Guidance for Use, Geneva, Switzerland, 2004.

6. COSO: The Committee of Sponsoring Organizations of the Treadway Commission.

7. Guide to the Sarbanes-Oxley Act: Internal Control Reporting Requirements, Frequently Asked Questions Regarding Section 404, Protiviti, www.protivity.com.

8. Internal Control – Integrated Framework Executive Summary, Product 99009, http://www.aicpa.org. The material on COSO internal control is abstracted from this on-line document.

9. The SEC stated that senior officers must certify that material non-financial information is included in the quarterly and annual reports.