Sarbanes Oxley Act (SOX) linkage to a documented QMS - Detailed Procedures Required?
tyker 10th October 2005, 09:29 AM The financial bean counters in my organization have started worrying about the Sarbanes Oxley Act (SOX) and are causing me some grief in the Quality System.
Basically, they believe SOX requires very detailed procedures covering all parts of the business that has anything to do with money, or the possibility of mislaying it. Consequently, my simple flow charts describing, for example, Goods In have been rejected and I'm expected to add detail to a ridiculous extent including every computer screen used and what data is entered.
Does any other Cover have experience of implementing SOX and linking its requirements to the documented quality system? Are our people over-reacting?
Any information would be gratefully received.
Al Rosen 10th October 2005, 10:18 AM You don't need to link to the quality system, nor do you need detailed procedures. Your flow charts are sufficient as long as when you perform your internal SOX audits you can show compliance to the requirements. I'm sure that there are those who think SOX and the QMS should be integrated, but I do not.
Randy 10th October 2005, 11:23 AM Question...
If you're in the UK how does SOX effect you?
I may be missing something.
Wes Bucey 10th October 2005, 11:30 AM SOX applies to publicly traded companies which fall under the US Securities and Exchange rules. Some foreign corporations are traded on US markets and certainly some American corporations have operations in other countries.
tyker 10th October 2005, 11:38 AM You're quite right, Wes. My employer is a multinational with shares listed in New York.
Wes Bucey 10th October 2005, 11:45 AM ASQ has a public forum devoted to SOX (http://www.asq.org/discussionBoards/forum.jspa?forumID=54) moderated by John Walz, a fellow ASQ member of mine from a sister Section to the west (Fox Valley) who introduced me to the world of TL9000.
There is also an association of internal auditors, http://www.theiia.org/, which my CPA daughter belongs to and which may have some resources to help you clarify what other organizations do to comply with SOX.
Randy 10th October 2005, 01:09 PM Gotcha, thanks.............
KimLoree 10th October 2005, 01:59 PM We have two entirely separate document groups for the QMS and SOX. I have not looked closely enough at the SOX documentation to know how much detail they went into....but I made sure that the Finance people did not reference the QMS documentation and that the QMS documentation does not reference the SOX.
In my opinion, linking the two might lead to confusion during audits. The auditor (SOX or QMS, either one) may be tempted to cross over into territory that he should not be concerned with, depending on whatever the scope of his audit is. I think that the only thing you need to be concerned about is making sure that there are no contradictions between the two, in the areas where they come close to addressing the same process (as in your example).
RCBeyette 11th October 2005, 02:12 PM For those of us who have and wish to continue to have a Business Management System, SOX does not pose a problem. The requirements are addressed and/or will be addressed at the suitable level, be it at the BMS manual or at lower-level documentation. If we end up with SOX-specific documentation, it will fall under the control of our Document Control process. The identification, maintenance, disposal, etc. of records will fall under Record Control and so on.
Should there be some specific and/or unique requirement for SOX that does fit in with an existing component of our BMS, we address it in a suitable manner. Should there be a requirement that flies in the face of our BMS, and we wish to follow the SOX requirement, a NOTE will be made in the process documentation indicating the process that SOX items follow.
Doesn't strike me as that much of an issue.
Al Rosen 11th October 2005, 02:16 PM (quoting RCBeyette) For those of us who have and wish to continue to have a Business Management System, SOX does not pose a problem. The requirements are addressed and/or will be addressed at the suitable level, be it at the BMS manual or at lower-level documentation. If we end up with SOX-specific documentation, it will fall under the control of our Document Control process. The identification, maintenance, disposal, etc. of records will fall under Record Control and so on.
Should there be some specific and/or unique requirement for SOX that does fit in with an existing component of our BMS, we address it in a suitable manner. Should there be a requirement that flies in the face of our BMS, and we wish to follow the SOX requirement, a NOTE will be made in the process documentation indicating the process that SOX items follow.
Doesn't strike me as that much of an issue.
Roxane, if your company is not traded on a US exchange, you are not affected.
RCBeyette 11th October 2005, 03:40 PM (quoting Al Rosen) Roxane, if your company is not traded on a US exchange, you are not affected.
We are. The reason for my grammatical tenses was that our Financial Department has not yet put things into the doc control system (but they do have plans to do so). Naturally, how they wish to do this, when they wish to do so and what they wish to update has not yet been communicated to me.
Al Rosen 11th October 2005, 04:05 PM (quoting RCBeyette) We are. The reason for my grammatical tenses was that our Financial Department has not yet put things into the doc control system (but they do have plans to do so). Naturally, how they wish to do this, when they wish to do so and what they wish to update has not yet been communicated to me.
You're gonna love it!
Raffy 5th November 2005, 11:47 PM Hi,
Basically, from my previous company I've heard of this Sarbanes Oxley. We are a TS16949 certified company. I just would like to know how this SOX would affect us. Is this a requirement for our finance dept? Please enlighten me.
Best regards,
Raffy
Wes Bucey 6th November 2005, 04:40 AM The short answer is that SOX is a financial reporting requirement ONLY for publicly traded companies which have the shares of their company traded in the United States and are thus subject to the United States Securities and Exchange Commission.
If you look at some of the ads surrounding this thread, you will see opportunities to download much more information on this subject IF your company is publicly traded in the United States - otherwise, there is no reason to concern yourself except as idle curiosity.
isoreader 6th November 2005, 11:00 PM Wes, hope you don't mind, I used your info and entered it in the Cove's Wiki.
Marc 28th January 2006, 04:26 PM Also see Sarbanes Oxley Act - SOX in the wiki (http://elsmar.com/wiki/index.php/Sarbanes_Oxley_Act) (in progress).
johnwalz 29th January 2006, 12:58 PM (quoting Wes Bucey) The short answer is that SOX is a financial reporting requirement ONLY for publicly traded companies which have the shares of their company traded in the United States and are thus subject to the United States Securities and Exchange Commission.
On the other hand, if your small and unlisted company has a quality management system with quality objectives of growth, then at some point the management will have "public" decisions to make:
- raise public funds,
- become listed on a stock exchange,
- become acquired by a larger company.
In these public cases, your company's financial records and controls will be scrutinized for accuracy and transparency. This is where the Sarbanes-Oxley (SOX) discipline is required.
Why not start today with accurate and transparent operational records for the finance and accounting departments to summarize for top management and the board of directors?
neocorsten 25th October 2007, 08:24 PM I am about to try to integrate the 2 in the QMS for my company. I do agree with a lot of what has been said in the pros of merging the stds and in the cons of doing so.
To summarize a bit:
CONS
Merging both can:
- increase confusion during audit
- REALLY frighten the Finance and Quality guys and will require some education
- lead to a bad SOX implementation and also bad QMS design (and that is where I am looking forward to seeing a more flexible QMS, but the coming revision should deal with it... somewhere between 2008 and 2010...)
PROS
Merging both will:
- make a lot of sense in the systemic process approach
- considerably improve the updating process
- save a lot of time
- help the six sigma initiatives
- improve the leadership because of the roles and responsibilities that have to be defined AND applied with DISCIPLINE.
Forget about the QMS, forget about SOX. What does make sense? Having a clear process structure, well defined with appropriate controls and measurements. In Six Sigma, you need to have the current process, you need to have sound measurements, and you should be able to control.
Do we make a distinction between Finance and the shop floor? No (otherwise you've understood nothing about six sigma). They are processes with inputs and outputs, they have risks, and you should have controls to cover them. SOX risks are not only in the Finance department. They are in almost all the functions, on many different processes.
Now if you want to describe twice how you define the processes in your company, how you control and measure them, that is your choice, but it makes sense to have one document that just says this is our process design framework with:
- the process itself (flowchart + narrative with RACI / description step by step / controls / KPI / ...)
- SOX RCM linked to the process (flowchart and narrative)
- QMS Control plan (the classic control plan)
- Audits for both RCM and QMS Control plan
- Measurements (strategic planning that flows down to procedure level. Six Sigma Y=f(X) basic tool)
And I don't see what in the QMS will be an issue in doing that. And if you struggle, feel free to add a section. After all, you won't suffer from being better than the simple QMS requirements.
Camit0212 26th February 2009, 10:50 PM Hi,
I am just new on this forum...
I tried to search regarding SOX compliance and how it could be integrated into a QMS and found this thread. Although my question may not be directly related to the topic being discussed in this thread... my initial question so far is this: if we are certified to ISO 9001:2000 and implementing SOX at the same time, do we need to mention that our company is also implementing controls for SOX compliance in our Quality Manual? Because, as I could classify it, SOX may be under the regulatory compliance that our company should be compliant with (since our mother company is publicly listed on the New York Stock Exchange). Thus, does it make sense that we mention it in our Quality Manual?
Please advise... Thanks!!!
neocorsten 27th February 2009, 06:24 PM It depends, if you have to be registered in ISO9001 (because this is not mandatory, not all companies are) then SOX controls come under the QMS in theory. In reality, ISO9001 auditors are not supposed to validate that the company is in compliance with all the regulatory norms and laws. You can't ask an ISO9001 auditor to be a SOX expert or have expertise in any other specific domain.
If you are running a QMS, the knowledge management part of it (document control) can be used to link business processes with the SOX requirements by providing a standard framework.
I would probably not mention SOX in the Quality Manual (or Business Policy Manual) and it is not a requirement of the standard. If you want to mention it you can. I would rather create a procedure or a guideline document which would set a framework to maintain the SOX compliance on your site. Hope it helps.
JaneB 28th February 2009, 03:38 AM (quoting Camit0212) Thus, does it make sense that we mention it in our Quality Manual?
If it makes sense, and marries with your integration aims, I'd do it. It helps people understand the 'whole system'. If, for example, one of the objectives of your system is to comply with all relevant legislation etc., then it would include SOX where relevant. See RC Beyette's excellent post earlier in this thread.
PS: Yes, SOX affects some companies in Australia - has to do with that 'if listed on the NY Stock Exchange'. I believe all of the large banks here (for example) had to; some companies here have head offices in the US, etc.
Camit0212 1st March 2009, 11:13 PM Thanks neocorsten and JaneB - it is indeed very helpful to know the opinions of others...
I would probably end up recommending it to my boss to include it in our Quality Manual.