How useful is the COSO framework?


Jens Kristiansen

#1
In continuance of my thread from yesterday :D

How useful is the COSO framework (Internal Control – Integrated Framework) actually? And can we use ISO standards to support the COSO framework?

We are two research students (Msc. BPM) from the Aarhus School of Business (Denmark) who are focusing a large research project on the topic of integrating QMS such as ISO 9001, EFQM and MBNQA with SOX, specifically section 404, with the general aim of expediting compliance.

We are corresponding with a large European company stock listed on the NYSE, which has provided us with information pertaining to the implementation of SOX. Due to the support of the COSO framework by the SEC, this European company deemed it pertinent to apply, and mention the use of the COSO framework in their annual reporting requirements.

In their efforts to comply with section 404 they claim to have focused upwards of 90% of their time, effort and money on one specific section of the COSO framework, namely control activities with respect to financial reporting. According to Sanford Liebesman, the ISO 9001:2000 clauses that support or overlap with this part of the COSO framework are: Clauses 5.6.1, 5.6.2, 5.6.3, 8.5.2 and 8.5.3.

We by no means wish to insult Mr. Liebesman’s research and knowledge of this area, but when taking our “insider information” into consideration, it would seem somewhat utopian to rely on five ISO clauses to cover the information needs which apparently constitute over 90% of the costs involved in compliance with section 404.

We are supporters of Mr. Liebesman’s ideas, and the European company in question could be an isolated case. We would therefore appreciate any feedback or comments on the above-mentioned.

RoxaneB

Super Moderator
#2
For what it's worth, many of us question the "usefulness" of ISO 9001, as well. As with any standard/guideline/framework, an organization will benefit from it only if they wish to address the spirit of the document versus addressing the black ink on white paper.

If I recall, the structure of COSO can be broken down into 5 main areas:
  • Control information
  • Information and communication
  • Risk assessment
  • Monitoring
  • Control activities

These can be rearranged to align with the Plan-Do-Check-Act methodology which also aligns with ISO 9001.

For a company wishing to integrate separate systems (i.e., quality, environment, health & safety, financial, etc.) into one Business Management System, seeing this alignment will assist them in streamlining their process controls and any associated documentation.

At a glance, I see the overlaps as such (and this is my first go-thru, so please keep that in mind):

1. Control Environment - ISO 9001 4.1 / 5.1 / 5.4
2. Information and Communication - ISO 9001 4.2.3 / 4.2.4 / 5.5.3 / 7.2.3 / 7.3.1 / 7.3.2 / 7.3.3
3. Risk Assessment - ISO 9001 7.3.4 / 7.3.5 / 7.3.6 / 7.3.7 / 8.3 / 8.4 / 8.5.2 / 8.5.3
4. Monitoring - ISO 9001 8.1 / 8.2
5. Control Activities - 5.5.1 / 5.5.2 / 5.6 / 8.5.1

You'll notice that I have placed corrective and preventive action in Risk Assessment. In my opinion, the financial abnormality has occurred (or potentially might occur) and the organization will need to evaluate the level of risk to it in order to take appropriate actions.

I am curious as to why you believe that expending 90% of the costs in control activities is "utopian". Keep in mind that to keep a system under control means that you are ensuring its stability. This will cost money. Ask the company what it would cost them if the system was not stable and financial errors and abnormalities are occurring.

Jens Kristiansen

#3
I am curious as to why you believe that expending 90% of the costs in control activities is "utopian". Keep in mind that to keep a system under control, means that you are ensuring its stability. This will cost money. Ask the company what it would cost them if the system was not stable and financial errors and abnormalities are occurring
Let me try to clarify:

As we stated, it is not utopian to believe that 90% of the costs involved in compliance with section 404 can be attributed to COSO element 5 (control activities), but rather that 90% can be credited to control activities with respect to financial reporting, and that the demand for information related thereto can be satisfied by five ISO clauses.

Liebesman’s “holistic approach” with equal focus on all elements of the COSO framework is very interesting but hard to justify if 90% of the costs can be credited to only one of the relationships between COSO’s three objectives (operations, financial reporting and compliance) and five Components/Elements.

Our problem is that we, as students of business performance management, face the challenge of explaining and convincing financial auditors that quality tools can be used to satisfy their financial audit needs. In our experience financial auditors don’t necessarily understand the level of detail involved in ISO certification, nor do they understand that ISO is more than just production and product specifications.

That being said, we do, to some degree, understand the financial auditors’ concern. Once ISO has assisted in clarifying what a process is and how to conduct internal controls, its usefulness tapers off somewhat. Financial auditors have a need for financial details that cannot necessarily be found in ISO 9001:2000. Or can they!?

You mention that you have placed 8.5.2 and 8.5.3 in risk assessment, but by placing 8.5.1 under control activities they are represented there as well. (8.5.1 includes both corrective and preventive actions.) Moreover, 8.5.1 includes clause 5.6.

The advantage of ISO 9001:2000 is its anal approach to documentation, which at the same time is one of its most fundamental links to section 404. What we are searching for are ISO clauses that are detailed enough to satisfy the financial reporting demands.

We believe we have found some clauses but are interested in hearing what others think with regards to this subject. On a different subject... any thoughts on linking ISO to SOX by using Juran’s Cost of Quality approach (another of Liebesman’s suggestions, if we remember correctly)?

Thank you for your input.

Bulksupplier

#4
If you are building a system to meet both SOx and ISO 9001 then the COSO Framework is useful - it is recognised by SOx auditors from the 'Big 4', whereas ISO 9001 doesn't cut much ice with them.

We have integrated SOx requirements into our quality system by adding the SOx Narratives alongside the Quality Manual, and adding specific SOx evidence (records) to the procedures. This has proven useful in support of 'alternate controls' used to avoid recruiting an army of people for 'segregation of duties' and process-numbing bureaucracy for 'management controls'.

We recently got our SOx 'sign-off', so our approach looks to have been successful.
RoxaneB

Super Moderator
#5
The traditional approach to Cost of Quality has two main categories for costs, each with their own two sub-categories:
  • Costs of Control
    • Prevention Costs
    • Appraisal Costs
  • Costs of Failure of Control
    • Internal Failure Costs
    • External Failure Costs

Typically, your Prevention and Appraisal Costs equate to quality planning, setting of objectives, data analysis and reporting, improvement programs, inspections, testing and audits. All functions which, if I understand Mr. Liebesman's approach, would fall under COSO's Control Activities.

Total quality costs will obviously vary from company to company and industry to industry.
  • Internal Failures = 25% - 40%
  • External Failures = 20% - 40%
  • Appraisal = 10% - 50%
  • Prevention = 0.5% - 5%

However, in theory, as the Costs of Control go up, the Costs of Failure of Control should go down.

Why do you believe that the financial auditors do not understand the alignment of the ISO 9001 requirements to COSO? I recommend removing the use of the word ISO from your explanation. I further recommend that wherever "quality" appears, replace it with financial, and replace "customer" with "stakeholder" or "shareholder". Oftentimes, you must speak the 'language' of the audience.

Financial auditors are number-crunchers (and balancers). The concept of (product) quality often eludes them. Speak in terms of $$$ and they may warm up to your explanations.

You will not find financial details in ISO 9001. The scope of that document is on product quality and meeting customer requirements. The problem is defining your product and who your customer is. A product can be a service, including accounting and financial services. The customer could be the shareholders, suppliers, community, employees or the actual recipient/user of the product.

Because people read ISO 9001 so darn literally, they often fail to recognize that ISO 9001 can be applied to processes off of the shop-floor. My organization has removed the word "quality" and replaced it with "business". We have a business management system which addresses the needs of all our Stakeholders in the areas of safety, environment, quality, financial, cost, delivery and morale. Our controls also address these areas. Back in 1998, we used ISO 9001 as the foundation for this approach. Now we use Plan-Do-Check-Act as that is the common thread between all of the requirements in documents like ISO 9001, ISO 14001, OHSAS 18001, ISRS, SOX, etc.

I can appreciate your statement that 8.5.2 and 8.5.3 are captured under 8.5.1...and to some degree, I agree with you. However, we look at 8.5.2 and 8.5.3 as more "here and now" situations...issues which must be resolved as immediately as possible. Continual improvement tends to focus on the overall processes and we associate forecasted cost savings/reductions with these projects.

The ISO 9001 clauses, as far as I am concerned, meet the needs of SOX, if only people open their minds to the wording. Taken too literally, no, it will not meet the needs. If you consider finance/accounting as a process, you have a wonderful document which will greatly assist an organization in meeting the needs of Sarbanes-Oxley.