Risk is a subject prone to irrationality. We worry about mere possibilities. We ignore probabilities. We focus on perception. We ignore reality. Twenty percent of adults still smoke. Twenty percent of drivers still don’t wear seat belts. Two-thirds of the population is overweight/obese.
Risk is everywhere: market risks, operational risks, business risks, strategic risks, financial risks, environmental risks, etc. It’s too easy to think, “It’ll never happen to me” and ignore risks. Designing a solid risk management model requires attention to all risk areas.
You might think that the Sarbanes-Oxley Act (SOX) only affects the executive level of an organization, but it is very much a factor right down to the quality management offices on the production floor.
The Sarbanes-Oxley Act (SOX) was passed in 2002 after many high-profile corporate scandals, such as Enron. The law's main goal was to improve the quality of financial reporting and increase investor confidence. Several aspects of SOX resemble quality compliance under FDA regulations, such as QSR and GMP. Boiled down to its basic elements, SOX shares a goal similar to that of quality management: continuous improvement of an organization.
SOX includes several articles concerning management responsibilities, and in particular internal control. Implementing SOX involves (1) declaring management's responsibility for establishing internal controls that guarantee accurate financial information is generated and communicated to executive management; (2) evaluating the effectiveness of those internal controls and reporting conclusions about their efficacy within 90 days of issuance of financial reports; and (3) disclosing to the company's auditors and to the audit committee of the board of directors all significant deficiencies in the design or operation of internal controls, and any fraud, whether or not material, that involves employees with a significant role in the internal controls.
Even though SOX is not required of private companies, it represents the "best practice" for avoiding fraud. Manufacturing companies are used to dealing with extensive regulatory requirements as part of daily operations. However, accounting departments have traditionally been under less scrutiny, especially with regard to FDA regulations. Recent experience with Part 11 provides a good base of understanding for SOX compliance issues. Rather than introducing a regulatory corporate culture from scratch, companies can build on existing regulatory structures. The many companies already seeking to centralize all compliance issues (FDA, HIPAA, OSHA) within a single interface should incorporate SOX into this framework.
For many regulated companies, keeping finance and operations under control while meeting SOX internal control requirements in a rapidly growing, competitive environment can prove to be a challenge. SOX compliance increases administrative time and costs. The cost of IT support rises, both in capital equipment and in resources. Plus, with the auditor reviews of the effectiveness of internal control required by Section 404, the company may incur additional auditing fees.
Is there a way to alleviate these issues and implement SOX as well as manage regulations and quality compliance? If you consider automating the SOX processes to address internal controls using the same quality compliance system, the answer is yes.
To be successful, the focus must be on the process — NOT the project — and procedures: creating, documenting, controlling/tracking, training others, communicating. The role of internal control over financial reporting is to support the integrity and reliability of the company’s external financial reporting processes.
The ISO 9001:2000 Quality System has many similarities to SOX requirements. Many companies consider this to be a "Quality Initiative" impacting the "Financial Organization". The COSO Framework, the framework most companies adopt to tackle SOX requirements, is based on ISO 9001:2000. The steps are similar to setting up a quality plan:
- Identify staffing (internal/outsource/3rd party)
- Identify framework/methodology for evaluation such as COSO (i.e., guidelines like QSR, GMP)
- Define objectives/risks (goals)
- Record process narratives (requirements)
- Perform risk assessment (severity/probability)
- Identify controls (functional areas/systems)
- Document, Approve, Train
The real opportunity for quality managers lies in showing how the quality management system can help meet the key objective of SOX, which is to improve corporate management and governance so that financial statements represent the true state of the corporation. Aligning quality management with SOX requirements not only eases the burden of compliance, but also provides an organization with a model for continuous improvement.