Whittington Newsletter
QMS, EMS, Information Security, and Six Sigma
February 2007
In this Issue
  1. Guide to SOX 404 Assessments
  2. Responsibilities of a Process Owner
  3. Benefits of an ISO 9001-based System
  4. Audits of Process Effectiveness
  5. Top 5 Information Technologies in 2007
  6. Class Schedule

Greetings!

Welcome to the Whittington & Associates e-Newsletter! Visit and bookmark our web site.

Our newsletters provide guidance on ISO 9001, AS9100, ISO 13485, ISO/TS 16949, TL 9000, ISO 14001, ISO 27001, ISO 20000, and related ISO standards, as well as Six Sigma.

If you have any questions about the articles appearing in this issue, or you want to suggest topics for future issues, please let us know.


Guide to SOX 404 Assessments

The Institute of Internal Auditors has published “Sarbanes-Oxley Section 404: A Guide for Management by Internal Control Practitioners”.

The Guide incorporates guidance from the U.S. Securities and Exchange Commission, the Public Company Accounting Oversight Board, The Institute of Internal Auditors, and the real-world experience and insight of practicing internal auditors.

The Guide focuses on how costs can be minimized without impairing the effectiveness of your internal controls. It also discusses the interplay between the requirements of Section 404 and those of Section 302, which requires annual and quarterly certifications by the chief executive officer and chief financial officer that include assessments of the internal controls.

Internal control is broadly defined as a process designed to provide reasonable assurance regarding the achievement of objectives. The Guide notes that an internal control system, no matter how well conceived and operated, can provide only reasonable, not absolute, assurance to management and the board regarding achievement of an entity’s objectives.

Management has a great deal of latitude in describing the condition of its internal controls. The only formal requirement is that they don't assess the controls as effective when there is a material weakness. The assessment should clearly describe management’s opinion.

What is the true condition of the system of internal control at the end of the year? Is it sufficiently robust to provide reasonable assurance that material errors will either be prevented or detected? The investor should be able to read the assessment and understand whether the company has adequate controls to run the business and report the results.

To download a free copy of the Guide, go to this IIA Web Page.

Responsibilities of a Process Owner

The processes of a quality management system need to be established, implemented, controlled, and improved for an organization to consistently deliver products and services that satisfy its customers. To ensure this happens, each process should have an owner named.

To understand the term "process owner", let's begin with the definition of a process. A Process is a set of interrelated or interacting activities which transforms inputs into outputs. The inputs of a process are the outputs from other processes. And processes are planned and carried out under controlled conditions to add value.

A Process Owner is a person who is given the responsibility and authority for managing a particular process. Most organizations find it useful to appoint individual process owners and define their responsibilities as ensuring the implementation, maintenance, and improvement of their specific process and its interactions with other processes.

It should be noted, however, that ISO 9001:2000 does not specifically require the appointment of "process owners" (see FAQ 027, April 2004).

Process owners take an organization-wide view of their processes. They may not truly "own" the process in that some of the people who are involved in carrying out the process may not report to them. Instead, the owner is responsible for the design of the process, in other words, how it is carried out, how it interacts with other processes, and how it is measured. And, this responsibility is an ongoing task.

Process owners have responsibility for their specific process, end-to-end. However, as stated earlier, this does not mean that all the staff involved in a process actually report to the process owner. Process owners usually have responsibility for most steps in the process and are able to influence other key areas outside their direct organizational control.

Process owners should ensure the following activities are completed:

  • Define a process that can be easily subjected to audit
  • Describe its links and interactions with other processes
  • Identify its documentation and training requirements
  • Issue and maintain any procedures and instructions
  • Implement processes consistent with the quality policy
  • Make available necessary resources and information
  • Operate and control an effective and efficient process
  • Resolve any problems and prevent their recurrence
  • Communicate process changes to the process users
  • Define and manage interfaces with other processes
  • Communicate input requirements to internal suppliers
  • Meet the output requirements of internal customers
  • Analyze performance data and set quality objectives
  • Track progress against process performance targets
  • Communicate with process users to identify issues
  • Identify risks and opportunities with current process
  • Investigate and propose process improvements

Process owners can use the Plan-Do-Check-Act methodology to improve their processes: 1) planning what to do and how to do it, 2) doing what was planned, 3) checking the results to see if things happened according to plan, and 4) acting to improve the process the next cycle.

In summary, a Process Owner is the person immediately accountable for creating, sustaining, and improving a particular process, as well as being responsible for the outcomes of the process.

A process owner is usually someone in management, not a team or committee. You need a single point of contact that is accountable for the overall process. Of course, the process owner may establish a process leader and team to help set up, operate, and support the process.

Benefits of an ISO 9001-based System

What are the benefits of having an ISO 9001-based quality management system? Let's begin by looking at the benefits to your employees and the organization:

Employee Benefits

To successfully implement and maintain a quality management system, employees need to understand its value to them. The better they understand what’s in it for them personally, and how the organization also benefits, the more receptive they will be to the changes and work involved to make it happen.

Employees benefit from the improved internal communication and top management support. Conformity with ISO 9001 means suitable and well maintained equipment, along with the training needed to perform their jobs.

Procedures and instructions, where necessary, will be available to guide them in their activities. Employees will have a better understanding of their role in the system and their contributions to meeting objectives. This sense of order and control will carry over into clean and well-organized work areas.

Since the organization will want to continually improve the system, employees will be encouraged to report problems and suggest improvements. As a result, they will be more satisfied and committed to the business.

Organization Benefits

The result of a conforming quality management system will be better planned and coordinated activities. Any problems affecting product quality are identified and effective solutions are implemented.

Using the plan-do-check-act approach will lead to more efficient and effective processes and more productive employees. Higher quality products are delivered to more satisfied customers.

As a result of your ISO 9001-based system and its well-defined policies, procedures, and information, the organization will be better managed for success.

And the story only gets better, because your organization and its quality management system will be continually improved.

Perceived Disadvantages

Although we have been discussing the very real benefits of an ISO 9001-based system, you should be prepared to deal with its perceived disadvantages.

1. Difficult to implement; need a consultant

ISO 9001 is just a collection of good, common-sense business rules. The difficulty factor depends on the state of your current management system.

2. Organization will resist the changes

If introduced properly, with clear explanations of how it will directly benefit them, your employees should become big supporters of the new system.

3. Expensive to implement and maintain

You can reduce costs by comprehensive planning and avoiding the urge to put more into the system than is required for certification. Improve from that base.

4. Significant disruption to your business

Make sure it is supported by top management as a high priority project and integral to the business; not a separate effort by the quality department.

5. Yields unwieldy, ineffective documents

Only write the essential documents. You can rely on trained, experienced employees to perform any undocumented processes.

6. Cumbersome controls and bureaucracy

Keep it simple. Only implement what the business really needs. It may actually make the organization a better place to work.

Certification Benefits

In addition to the previously covered benefits, having the actual certificate in hand provides additional benefits.

ISO 9001 is the international language of quality. Certification may help your organization gain expanded access to world markets.

Prospective customers may require certification as a prerequisite to bid on contracts. With the certificate in place, your organization will be ready.

The ISO 9001 certificate may differentiate your organization from others in the marketplace and provide a competitive advantage.

The certification mark recognizes a quality accomplishment that you continue to earn through successful surveillance audits. Display it with pride.

And, don’t underestimate the value of independent system assessments by well qualified professional auditors.

Due to its prevention focus, disciplined approach, and better controls, your organization may see an extra benefit of improved housekeeping and fewer accidents. As a result, you may qualify for lower insurance premiums.

Maintaining Benefits

Your organization will see some initial gains through the improved organizational focus and internal communications.

These improvements, and other benefits, will be solidified by an active internal audit program and strengthened through the management review process.

But, an organization can’t rest on its accomplishments. A quality management system will either improve or become less effective. The system will not stay in a steady state. You must listen to customers, meet objectives, stay conforming, and continually improve.

Audits of Process Effectiveness

Unfortunately, most audits focus on the conformity of a process, not its true performance. This emphasis on meeting requirements is important, but evaluating how well a process is achieving its planned results is critical.

ISO 9001:2000 requires internal audits to determine not only if the quality management system conforms to planned arrangements, but also if it has been “effectively” implemented. ISO 9000:2005 defines effectiveness as the “extent to which planned activities are realized and planned results achieved”.

So, how do we audit the effectiveness of a process?

Start with the definition of a process. It is a set of interrelated or interacting activities which transform inputs into outputs. So, the purpose of a process, its reason for existing, is to use inputs provided by the prior process (its supplier) to produce the deliverables needed by the next process (its internal customer).

ISO 9001:2000 promotes the use of the “process approach” to systematically identify and manage the processes of a quality management system, particularly their interactions. As auditors, we need to do the same and view the system as a set of integrated processes.

To assess process results (effectiveness), we need to:

  • Adopt the process approach for our audits
  • Understand process interfaces and interactions
  • Add value by looking at more than conformity
  • Evaluate linked processes for “effectiveness”
  • Verify the controls and identify process risks
  • Compare performance to quality objectives
  • Determine any opportunities for improvement
  • Promote process view through audit methods

To assess the effectiveness of a process, we can’t rely solely on an audit of that process. We need to go downstream to see what the next process (internal customer) has to say about how well the process under audit is meeting their needs.

To enroll in an auditing course, go to one of the Internal Auditor or Lead Auditor course descriptions below:

ISO 9001 Internal Auditor
ISO 13485 Internal Auditor
ISO 14001 Internal Auditor
ISO/TS 16949 Internal Auditor
AS9100 Internal Auditor
ISO 27001 Internal Auditor

ISO 9001 Lead Auditor
ISO 9001 Lead Auditor (with emphasis on ISO 13485)
ISO 9001 Lead Auditor (with emphasis on ISO/TS 16949)
ISO 14001 Lead Auditor
AS9100 Lead Auditor
ISO 27001 Lead Auditor

Top 5 Information Technologies in 2007

There are five new technologies that appear to be the ones to watch this year according to Computerworld’s Vital Signs survey of 252 IT executives.

To start, 1) Server Virtualization has caught the eye of organizations that want to transition from multiple operating systems to a smaller number of strategic platforms. Such virtualization masks server resources and creates partitions known as environments. The end result is that new automated servers begin to manage themselves.

In the world of publishing, 2) Enterprise Content Management (ECM) systems are beginning to catch on, lowering the cost of printing and delivering paper materials. ECM works by allowing companies to manage the workflow of articles as they are reviewed, edited, published, and output in various formats.

3) Content Security programs, which come formatted to a company’s specific needs, are having an impact for employers who need to both protect sensitive information on their servers and make sure no one is leaking information.

4) Asset Management and 5) Business Process Management programs rounded out the list, with the former keeping track of a company’s hardware and other equipment, and the latter allowing offices to share access to records that would formerly have been tracked in hardcopy files.

To read more, go to the Computerworld article.

Class Schedule

ISO 9001:2000
Understanding ISO 9001:2000
Implementing ISO 9001:2000
Quality System Documentation
ISO 9001:2000 Internal Auditor
ISO 9001:2000 Lead Auditor

ISO 14001:2004
Understanding ISO 14001:2004
Implementing an EMS
ISO 14001:2004 Internal Auditor
ISO 14001:2004 Lead Auditor

ISO/TS 16949:2002
ISO/TS 16949:2002 Internal Auditor
ISO/TS 16949:2002 Lead Auditor
Understanding and Implementing ISO/TS 16949:2002

AS9100B:2004
AS9100 Internal Auditor
Implementing AS9100
AS9100 Lead Auditor

ISO 17799 / ISO 27001
ISO 17799 - Understanding an ISMS
ISO 17799 - ISMS Implementation
ISO 27001 - ISMS Internal Auditor
ISO 27001 - ISMS Lead Auditor

ISO 13485:2003
Understanding ISO 13485:2003
ISO 13485:2003 Internal Auditor
Implementing ISO 13485:2003
ISO 9001 Lead Auditor - ISO 13485 Emphasis

Six Sigma
Introduction to Statistics
Green Belt Certification
Black Belt Certification

Discounts
Enroll and pay for an Atlanta class 30 days in advance and receive a 10% discount. Students at previous Atlanta classes receive a 20% discount on future Atlanta classes.

Books
See our list of ISO 9001, Auditing, and Six Sigma books. Includes book descriptions and links to Amazon.

© 2000-2007 Whittington & Associates, LLC
