
Sarbanes-Oxley integration with existing QMS (Quality Management System)


Govind
26th April 2004, 03:32 PM
Fellow Quality Professionals,

Has any one tried to integrate components of Sarbanes-Oxley (SOX) with your existing QMS?

Or is it exclusively handled by Finance function?
(Potential Survey Question for this forum)

We are currently looking into the possibility of integration. SOX involves requirements (regulations), testing procedures, testing of control effectiveness, mistake proofing (detection, prevention), root cause and corrective action, etc. Many similarities exist, even in terms of 7.2 Customer-related processes, and many more.

Surprisingly, I noticed that at the ISO 9000 summit in San Francisco, March 22-23, Workshop 1 also talks about this subject: "The Sarbanes-Oxley Law: QMS & EMS Can Reduce the Risk!"
***Dead Link Removed***

Any experience; lessons learned that can be shared here?

Thanks,
Govind.

Groo3
26th April 2004, 05:38 PM
From our perspective, this is primarily handled by our corporate Accounting function. We are just one of a few dozen manufacturing facilities within our company. We will be incorporating some procedures within our QMS; we will probably see the first new procedures in our system before this year is out.

Thus far, our corporate Accounting function has trained only a handful of personnel at each of our manufacturing plants. The next phase will be to publish corporate policies which will then trickle down to each of our manufacturing plants and be incorporated locally as procedures.

I think a survey would be a great idea... We are just beginning down this path and it will be interesting to see what others have done / are doing in response to these regulations.

Govind
26th April 2004, 06:48 PM
Groo3,
Even in our case the project is primarily handled by the corporate finance function.
We identified 18 processes for SOX implementation, but are only planning to integrate 8 processes into the existing QMS. The other 10 are purely financial and legal matters. What I found interesting is that the sampling quantities for checking objective evidence are very rigid under Sarbanes-Oxley (SOX).
Hope to see more replies from other forum members.
Regards,
Govind.

Wes Bucey
27th April 2004, 02:11 AM
I don't work for a public company, so my input is theoretical:
I spent time going over the act and reading some guidelines supplied by accounting companies.

Based on even such a cursory reading of the requirements, it seems to me the big bosses who ultimately have their necks on the line and have to sign off on financials ought to be spending some serious time and money putting together interdisciplinary teams (which include Quality professionals) to help them formulate, implement, audit, and evaluate policies and processes involved in all aspects of the organization to help the organization comply with this new Standard in the most efficient way possible.

Alas and alack, I think it will take some flashy headlines and "perp walks" of executives being hauled into court in handcuffs before top executives "get" the idea that this is not a program that can be foisted off to some midlevel clerk who is then starved of resources to implement the program.

Quality-1
27th April 2004, 12:16 PM
In our Company, the QA Manager has been nominated as Project Coordinator for SOX and he will be responsible for collecting, organizing and ensuring the process is done smoothly. The Leader of the Project would be the CFO.

regards,
Quality-1

Govind
28th April 2004, 02:08 PM
Quality-1,
I guess the QA Manager has a team working on the various processes? Knowing the magnitude of the effort, I will be surprised if this person is working all alone. Auditing many of these processes also requires an accounting/financial background. It is hard to find a combination of auditors with an accounting background and ASQ CQA knowledge.
We are planning to get some basics on accounting to assist in this project.

As Wes mentioned in his reply, yes, this project has very high visibility in our organization. :)

Govind.

RosieA
28th April 2004, 11:33 PM
While the financial group took the lead (at the direction of corporate) QA was asked for and provided a lot of help.

We recommended the flow charting tool, gave finance a starting place with our QMS process flow charts and documentation.

It was nice to have someone outside quality understand the value of ISO 9000.

Does anyone think SOX is going to be an effective tool to stop companies from misstating their assets? I am skeptical.

Groo3
29th April 2004, 09:58 AM
Most :yes: :yes: :yes: :yes: , but not all :nope: ... I am skeptical too.

Govind
29th April 2004, 02:05 PM
Rosie,
Yes, We are also using the Flow charting methods similar to QMS approach.
You said it is nice to have someone outside quality understand the value of ISO 9000. :agree1:
Not only that, since SOX is a regulation, implementation is not a choice, it is a requirement! Once ISO 9000 is integrated with SOX, there is an opportunity for ISO 9000 to also get Senior Management attention more often than it does now.
Hence, from every angle, integration is mutually beneficial to QMS functions and Finance.
You said "Does anyone think SOX is going to be an effective tool to stop companies from misstating their assets?" :nope:
I have my views on this:
1. Regulations like SOX will reduce the probability of occurrence, but will not bring it down to "0" incidents.
2. Even if the SOX-QMS integration is well documented, if the implementation is not well done or the feedback system is not effective, mistakes will still continue to happen.
3. The organization's culture also has to be looked at closely while implementing any new system. If the organization is culturally not ready, or reluctant to change, the implementation still will not be successful.

Govind.

venkat
12th May 2004, 05:43 AM
This can be handled by Quality as well, but Finance is the best fit for this. They may have confidential documents for their department and, as per BS 7799, CIA needs to be taken into account here.

If MR is a powerful person then QA can take up SOX as well

sbickley
20th May 2004, 01:49 PM
Our organization has assigned "assessors" and "reviewers" from all pertinent departments to conduct their own samples and audits of processes covered under the SOX requirements. The samples and results are then entered into a database so that people like me, who are reviewers, can go in and "verify" that the sample was sufficient and the results match SOX, QMS and internal procedural requirements.

There are specifically 4 areas that overlap with my Internal Audit duties. They are:

1. Vendor Evaluation/Set-up
2. Monitoring of Vendors
3. Vendor Corrective Action
4. Purchases of Direct Materials

EXAMPLE OF #4 - Review purchase requisition and order approval/authorization procedures for direct materials through performing the following:

1. Inquire of appropriate personnel or examine recorded minutes to verify that SOP Meetings are conducted monthly and the Master Production Schedule is developed and approved as a result of the meeting. Examine 2 monthly Master Production Schedules created during the review quarter and validate that MRP adjustments within SAP were as a result of the Schedule. Ensure only appropriate employees have the authorization within SAP to upload the Master Production Schedule into MRP and it can only be modified by the appropriate individuals for approved changes.

2. Select a sample of 15 invoices greater than $20,000 for direct materials during the review quarter (AP may have to obtain from the system depending upon SAP transaction authorizations) and trace back to the PO filed in the Purchasing area. Ensure that the PO was signed-off/approved by the Purchasing Manager and/or higher-level sign-off/approval exists depending on established authorization limits.

There are other activities that were specifically identified under the 1994 version of the ISO 9001 standard, but now the purchasing section has been significantly streamlined. I plan on eliminating my internal audit and auditing the database results for my objective evidence, along with interviewing the process assessor.


Does that help?

Govind
11th August 2004, 01:53 PM
Any one else working on QMS, Sarbanes Oxley (SOX) integration? any new updates from the previous contributors? How is your integration process so far? Have you included SOX requirements into ISO 9001 audit checklists?
Thanks,

Govind.

sbickley
16th August 2004, 11:58 AM
The SOX integration is actually going quite smoothly. I feel that we can use the SOX RCTS database system to meet our needs for internal auditing of the purchasing function in toto! As a reviewer, I can review the activities taken by all SOX trained assessors and evaluate the effectiveness and challenge if it does not meet minimum standards. Overall, it should be helpful. E-mail me at Scott.Bickley@igt.com or call at 775-448-1065 to discuss in more detail.

Govind
16th August 2004, 04:36 PM
Scott,
Thanks for your support. I will contact you to exchange ideas. Try not to mention personal information like email address, phone # on the posting. This posting may come up in the Google search and you will start to get SPAM messages, calls from internet/tele marketing people.
We can use the PM, email services offered by the forum to continue any offline discussion.
Regards,
Govind.

misbadu
17th September 2004, 12:13 PM
I have started to incorporate our Accounting and Administrative functions into our Quality System, because of the new SOX requirements.

We are a small medical device company so we are still identifying the risks, but I am working on a draft of an audit checklist, and we have started to create flow diagrams to help us identify the risks.

I have found some interesting helpful information on the net. Check out:
http://www.erm.coso.org/Coso/coserm.nsf/frmWebCOSOExecSum?OpenForm
http://www.flowhelp.com/sox-404/

I am not sure if I can post links or not...but these sites both have some good info on them.

I would love to have a group to talk with as we move forward in this process. So far it's been lonely; I have called around to various businesses locally and very few have ever heard of incorporating SOX and Quality. Most seem to keep QA and Accounting completely separate. For us it seems so logical. We are simply bringing Accounting into our control environment.

Wes Bucey
17th September 2004, 01:17 PM
I have always advocated using Quality tools to monitor ALL the operations of an organization with a view toward improvement.

My only concern is maintaining adequate controls over what is private information to the organization and what is open to 2nd and 3rd party auditors other than public accounting firms.

Whereas a CPA firm routinely has access to payroll records, leases, purchase orders, and the like, normally we do not grant such access to 2nd and 3rd party auditors from customers and Registrars. It is simple to maintain the barriers when the Systems are separate. Perhaps not so simple when the Systems are combined.

In the same manner as organizations dealing in top secret work for governments shield the secrets from the 3rd party auditors (even government auditors without secret clearance), each organization needs to examine the parts of its system which would be too sensitive to allow open access and limit access to certain categories of outsiders.

I imagine that "summaries" and "reports" might be made available to outside auditors, rather than original records. This way, the concept of control of records is conveyed without revealing the information contained within the records.

Before everyone jumps in with remarks on the integrity of Registrars, please remember the bulk of field auditors are contract employees, not full-time employees, and current recruiting of those auditors focuses on technical competence, not on security clearance.

Since SOX is so new, most publicly traded organizations are still feeling their way through the maze.

misbadu
17th September 2004, 01:52 PM
Wes, I agree. This is something that our CFO is very concerned about. We are working on ways around those fears.

Just as you said. We are using lists and summaries that he signs. Behind those lists and summaries we have the data, but it's kept protected from outside auditors etc.

They know they do not have rights to see that data specifically. If they ask for it to provide proof of control in a specific area, I will just give them a summary signed by our CFO. That is our plan anyway. That is how I have handled privileged information that the FDA has asked for in the past and I have not had a problem yet.

Govind
17th September 2004, 04:56 PM
Well, at last some activity in this thread :)
I found some SOX deadline details from this webpage. Can someone validate?
http://www.computerweekly.com/articles/article.asp?liArticleID=132965


I also thought this SOX survey Webpage link will be useful for Covers:
http://www.gain2.org/sox4jwsum.htm

Quality Progress Publication (For members only)
Quality's Path To the Boardroom
http://www.asq.org/data/subscriptions/qp/2003/1003/qp1003liebesman.pdf

Regards,
Govind.

misbadu
20th September 2004, 10:48 AM
Not sure about the deadline. I have heard the same thing from our accounting group. However, we are a small business and have a little more time than the larger firms. Our implementation plan has us compliant by next summer's financial audit.

Here is some other good info I thought I would share:

http://www.pcaobus.org/rules/release-20040308-1.pdf

Caster
20th September 2004, 12:13 PM
I just returned from a Users Conference for our QMS Software.

One of the ideas was to expand the use of the QMS software to include more than just "quality".

Here is how they suggested a QMS system could be used to help with SOX.

There are several quality software suites on the market with these capabilities or modules.

Other ideas demonstrated were:


TREAD Act
OH&S
ISO 14001 Environmental
Sales Management
The QMS suite was shown to be able to cover these issues.

I think this shows that ISO/QS/TS is actually a Business Management System, of which Quality is a subset (or possibly just an Output).

I like this idea...Quality is the result of doing things that make business sense.

Hope this helps

Caster

Govind
25th September 2004, 11:35 PM
Thanks to all for sharing that information.

ASQ Press new publication in the same subject:
What is Sarbanes-Oxley?
http://qualitypress.asq.org/perl/catalog.cgi?item=P1140
Manager's Guide to the Sarbanes-Oxley Act : Improving Internal Controls to Prevent Fraud
http://qualitypress.asq.org/perl/catalog.cgi?item=P1141
Regards,
Govind.

sbickley
27th September 2004, 12:07 PM
Hello Govind,

Just an update here, we are using the RCTS tool from D & T. The upfront work has been a comprehensive flowchart and controls documentation that is now in the signature approval process so that it will be made a controlled document within our QMS - HOORAY! We have completed the first assessment and review testing cycle and it went pretty smooth.

If any gaps are identified within the RCTS system, they MUST be addressed and resolved - closed loop and simple. The Corporate Audit dept. owns this process, however, we have provided input to the point that we are able to allow this process to meet our Clause 7.4 requirements (80%) for ISO purposes. We (the Quality Dept.) are also reviewers within the system so we take an active part and have access to the audit data.

Another change is that the Corp. Auditors are now the assessors, not the department personnel. We have a surveillance audit in January 2005, so I'll let you know what our registrar thinks of the system as well. In my opinion, the registrar should only be auditing the purchasing aspect of the system, not the purely financial pieces such as A/P, A/R, etc. even though technically they have customer impact. While I agree this should be included in the QMS, traditional thinking in most companies does not so for now they are separate. Hope this helps!

sbickley
27th September 2004, 12:11 PM
Just one more thought - this program is best left to the Accounting gurus with regard to the content and controls function. As has been mentioned in this string, the CEO/CFO are held accountable at the end of the day, and unless you are a qualified accounting professional - be careful! Quality's role, in my opinion, is that of a contributor and reviewer and also to integrate this into the QMS, but not to drive/shape what this program contains in terms of technical subject matter.

Sidney Vianna
14th November 2005, 11:22 PM
Attached is a presentation by Huntsman Polyurethanes about using ISO 9001 and 14001 to support SOX compliance.

This workshop was presented at the Institute of Risk Management 2005 Forum. It does contain some mention of the company I work for (full disclosure ;) ).

Marc
29th November 2005, 10:17 AM
Thanks for the presentation, Sidney! It's appreciated!