Index
Introduction
Current Status
Training
What's COSO?
The COSO Study
Implementation Plan
Integrating Sarbanes-Oxley Requirements Into A Quality Management System
The Internal Controls Auditor's Tasks
Learning the Requirements
Tone
Risk Assessment
What to Audit?
Use of Consultants
Testing
Internal Controls Audit Plan
Information Technology Computer Systems Audit Plan
Checklists
The "Internal" Internal Controls Audit
The "External" Internal Controls Audit
Internal Controls Audit Report
Corrective and/or Preventive Action
Summary

Introduction
This site is a short how-to on integrating the Sabanes-Oxley Act Internal Control Audit (a.k.a. SOX-404) into an ISO9001:2008 Quality System for those needing to meet the requirements of the Sarbanes-Oxley Act without having to go through a public offering to pay for it.. This site explains what I did to find out about the requirements, integrated the requirements into Quality Management System (QMS) and implement the internal controls auditing function. Since this is a recent requirement for Public Corporations, this many be of interest to those in similar circumstances. It should also be noted that an ISO9001 quality system has a lot of similarities to other standards such as ISO14001 and AS9101 and the integration into those systems should be the same.
Things were going fine. I had just passed my initial ISO9000:2000 (Now using the ISO9001:2008 amendment) audit after preparing everything to comply with the standard when I was asked to perform the Sarbanes-Oxley Act Internal Controls audits. Since I had set up an anonymous "whistle blower" form that went the Board of Director's Audit Committee, I thought this might be a quick and easy thing or would it? While I haven't had to work as an accountant, I have done a number of product costing activities. Besides managing some engineering, information technology and quality departments and a number of engineering programs and project, I also have a Masters of Business Administration so my boss thought I'd be a good fit. Besides, in a smaller company, no one wants to hire an extra person to work a week or two every quarter.
Back to Index
Current Status
"Why would a CEO ask his Quality Assurance manager to be the person to ensure compliance with the Security and Exchange Commission's requirements"? The information below provided by an external accounting auditors to our Controller explained what needed to be done. The following items below are relevant to understanding the current status: 1. The Sarbanes-Oxley Act, a government law, requires companies to perform internal controls audits. 2. While the government dictates that companies must perform these internal controls audits and that CEO's and CFO's must attest to their accountant's findings, the standard by which the company's are to audit their books has not yet been approved. The COSO framework appears to have the most support by the SEC. 3. Many large companies are integrating the Accounting and Financial procedures into their quality systems and auditing to the COSO framework. 4. Internal controls audits deals with reviewing the practices, transactions, procedures and processes used to control the financial transactions and protecting a company's property and assets. 5. The COSO framework has a number of similarities with the requirements of ISO9001:2008 such as the following: * The accounting procedures and processes need to be documented like the processes are for the ISO9001:2008 standard. Flow charts or process maps are recommended. The COSO framework states that the company must have objectives and know how they are performing against them as well as what they would do if they didn't meet the requirements, again, similar to the ISO9001:2008 standard. * The COSO framework requires employees to be qualified and trained, again, similar to the ISO9001:2008 standard (This is the Human Resources, Customer