I’m a committee member for two very different standards—ISO 9001 and the COSO internal control guidance document used to comply with the requirements of the Sarbanes-Oxley Act (SOX).[1] While these documents cover different activities in an organization, both are currently being revised.
COSO is a management system that was originally developed in the 1980s in response to the savings and loan scandal. It is used for internal control over operations and for compliance with external financial reporting requirements. COSO consists of five elements used to manage systems of internal control:
- Control environment. The set of standards, processes and structures that provide the basis for carrying out internal control across the organization.
- Risk assessment. Risk is defined as the possibility that an event will occur and adversely affect the achievement of objectives.
- Control activities. The actions established through policies and procedures that help ensure management’s directives are used to mitigate risks to the organization’s objectives.
- Information and communication. Information is necessary for the entity to carry out internal control responsibilities in support of the achievement of its objectives.
- Monitoring activities. Ongoing evaluations, separate evaluations or some combination of the two are used to ascertain whether the five components of internal control are present and functioning.
The COSO Internal Control—Integrated Framework remains structurally intact while updating the 1992 framework in the areas of technology, globalization, governance, and the integration of controls with risk. The revised framework also specifies principles and attributes that enable a more effective system of internal control.
The revision of ISO 9001 contains a more extensive set of structural changes than COSO. The number of major clauses is increased from eight to ten to be consistent with the structure of similar ISO standards.
COSO Framework Enhancement
The COSO framework has been enhanced by expanding the financial reporting category of objectives to include other important forms of reporting, such as non-financial and internal reporting.[2] Other updates help the user address changes in business and operating environments, including:
- Expectations for governance oversight.
- Globalization of markets and operations.
- Changes and greater complexity in the industry.
- Demands and complexities in laws, rules, regulations and standards.
- Expectations for competencies and accountabilities.
- Use and reliance on evolving technologies.
- Expectations related to preventing and detecting fraud.
The revision also adds 17 principles that represent the fundamental concepts associated with a system of internal control. For example, the principles associated with risk assessment are:
- The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to the objectives.
- The organization identifies risks to the achievement of its objectives across the entity and analyzes them as a basis for determining how the risks should be managed.
- The organization considers the potential for fraud in assessing risks to the achievement of objectives.
- The organization identifies and assesses changes that could significantly impact the system of internal control.
Jeff Thomson, president and CEO of the Institute of Management Accountants (IMA), asked me to serve on the COSO team as the quality management representative. The following are some of the inputs I provided:
- Objectives must be measurable.
- Measurable objectives are preconditions to risk assessment.
- Definitions of risk appetite and risk tolerance should be included.
- Internal control reports should include production quality.
- Communication with customers and suppliers is extremely important.
- Internal reports should include marketing, sales, quality and employee satisfaction.[3]
The exposure draft of the proposed framework is available for public viewing at www.coso.org and www.ic.coso.org until the final framework is issued during the first quarter of 2013. A second document designed to help organizations employ the new COSO documents and tools is the “Internal Control over External Financial Reporting Approaches and Examples.”
ISO 9001’s Makeover
The revision of ISO 9001:2008 was considered by the U.S. Technical Advisory Group (TAG) at a meeting in August 2012. ISO Technical Committee (TC) 176 requires the revision to follow the basic structure defined in Guide 83.
The first three sections are the same as in ISO 9001:2008: scope, normative references, and terms and definitions.[4] But clauses 4 through 10 are decidedly different:
Clause 4: “Context of the organization” requires determination of the external and internal issues of the organization including:
- Understanding the needs and expectations of interested parties,
- Determining the scope of the quality management system (QMS), and
- Establishing, implementing, maintaining and continually improving the QMS.
Clause 5: “Leadership” requires that top management ensure that:
- Policies and objectives are established and integrated into the business processes,
- Required resources are available,
- Continual improvement is promoted,
- Quality objectives are set, and
- Roles and responsibilities are set.
Clause 6: “Planning” covers risk management, opportunities, objectives and plans. The QMS must
- Achieve its intended outcomes,
- Prevent or reduce undesired effects,
- Achieve continual improvement, and
- Ensure the quality objectives are (1) consistent with the quality policy, (2) measurable and (3) communicated, monitored and updated.
Clause 7: “Support” includes resources, competence, awareness, communication and documented information. The organization must
- Provide the infrastructure, including buildings, workspaces, utilities, equipment and supporting services,
- Ensure competence of individuals based on education, training or experience,
- Ensure awareness of the quality policy, benefits of improved quality performance and implications of not conforming to management system requirements, and
- Create, update and control documented information.
Clause 8: “Operation” covers planning and control. This includes:
- Planning of product realization,
- Requirements related to product,
- Customer communication,
- Design and development processes,
- Purchasing,
- Control and validation of production and service provision,
- Identification and traceability,
- Care of customer property, and
- Preservation of product.
Clause 9: “Performance evaluation” includes monitoring, measurement, analysis, evaluation, internal audits and management review. The organization must
- Measure customer satisfaction,
- Monitor and measure the processes and products, and
- Control the monitoring and measurement equipment.
Clause 10: “Improvement” covers nonconformities, corrective action, continual improvement and analysis of the following data:
- Conformity to requirements,
- Customer satisfaction,
- Characteristics and trends,
- Opportunities for preventive action, and
- Supplier data.
Moving Things Around
So, what does this mean? The changes include many elements that are in the current standard, but in different places. There are more than 1 million organizations worldwide registered to ISO 9001 and another million estimated users. They will need lots of help moving to the new structure. In the next few years, ASQ will develop tools to support the changes.
The ISO 9001 revision is in its early stages, and several suggestions should be considered. First, the process model should include the following requirements for each process:
- Identify a process owner.
- Identify all inputs and outputs, customers and suppliers (external and internal), constraints on the process and resources used.
In addition, outsourcing should be included under supply chain management, the level of control should depend on the risk management process in use, and the definition of product should also cover service.
There also are several future concepts that should be considered. The U.S. TAG to TC 176 was asked to consider this list of 20 concepts. The six I think are most important are shown in bold:
- The organization’s financial resources,
- Communication,
- Time, speed, agility and related aspects,
- Quality management principles and leadership,
- Alignment with business management practices,
- Inclusion of risk-based thinking approach,
- Life cycle management,
- Plan, source, make and deliver,
- Focus on product conformance,
- Process results and effectiveness,
- Clarification and differentiation of the multiple customers of an organization,
- Process innovation,
- Maintenance of infrastructure,
- Process management,
- Knowledge management,
- Competence,
- Quality tools,
- Structure of QMS and relationship with other management system standards,
- Impact of technology and changes in information management, and
- People involvement.[5]
Comparing the Standards
The revision process for COSO is scheduled for completion two years ahead of the ISO 9001 revision. This is because COSO has not changed its basic structure but has expanded the supporting material while adding 17 important principles.
ISO 9001 is being revised based on the requirements of the ISO Technical Management Board Joint Technical Coordination Group. This has resulted in major changes to the structure of ISO 9001, ISO 14001 and other ISO standards.
Both standards focus on risk management. One of the five COSO elements is risk assessment, and in ISO 9001 the planning clause includes risk management. Also, four of the 17 COSO principles have to do with risk.
The ISO 9001 changes will take a lot longer to accomplish. Both revisions are necessary, and their applications need not occur at the same time. I will remain a member of both teams and will report on status from time to time in CERM Risk Insights.
Notes
1. COSO stands for the Committee of Supporting Organizations. The document was published in 1992 in response to the savings and loan crisis of the 1980s and 1990s. The Securities and Exchange Commission recommends the COSO guidance for compliance with the requirements of SOX.
2. This material is from the COSO Internal Control—Integrated Framework Executive Summary, September 2012.
3. For more details, see my Standards Column, “Revised Thinking,” Quality Progress, April 2012, pp. 61-63.
4. This structure is also being applied to the 2015 revision of ISO 14001. For more detailed coverage of the new structure, see Susan L.K. Briggs’ article, “(Re)visionary Thinking,” Quality Progress, September 2012, pp. 24-29.
5. For a detailed description of the five bolded future concepts, see my column, “Revisionist History,” Quality Progress, March 2011, pp. 64-66.
BIO. Dr. Sandford Liebesman is president of Sandford Quality Consulting in Morristown, NJ, and has more than 30 years of experience in quality at Bell Laboratories, Lucent Technologies and Bellcore (Telcordia). He is an ASQ fellow and past chair of the Electronics and Communications Division. Dr. Liebesman is a member of ISO Technical Committee 176, the ANSI Z-1 committee on quality assurance and the Institute of Management Accountants Integrated Framework Refresh Panel (COSO Panel). His recent book, Competitive Advantage: Linked Management Systems, is aimed at breaking down the silos between quality, finance, IT and environmental management systems.