Integrating Sarbanes-Oxley Act Internal Controls Auditing into an ISO9001:2008 Quality Management System

by Dexter Hansen

There are a number of professions that use flowcharting.  The list below includes various books on flowcharting as well as some on internal auditing.

Flowcharting Help Page List of Recommended QMS-SOX, Auditing & Flowcharting Books
Competitive Advantage: Linked Management Systems by Sandford Liebesman, Ph.D., ASQ Fellow Paperback

Designing and Writing Message-Based Audit Reports (IIA Handbook Series) by Sally F Cutler Paperback

Sarbanes-Oxley and the New Internal Auditing Rules [DOWNLOAD: ADOBE READER] by Robert R. Moeller  PDF download e-book

Manager's Guide to the Sarbanes-Oxley Act: Improving Internal Controls to Prevent Fraud by Scott Green Hardcover or e-book download (Adobe Reader)

How to Comply with Sarbanes-Oxley Section 404 : Assessing the Effectiveness of Internal Control by Michael Ramos Hardcover

The Internal Auditing Pocket Guide by J. P. Russell; Published 2002; Spiral-bound

Flow Chart Symbols and Their Use in Micrographics Paperback / Published 1987

Mapping Work Processes by Dianne Galloway  Paperback Spiral edition (July 1994) Amer Society for Quality

Essentials of Flowcharting - Michel H. Boillot; Paperback

Business Process Improvement Workbook : Documentation, Analysis, Design, and Management of Business Process Improvement; H. James Harrington, et al

Process Mastering: How to Establish and Document the Best Known Way to Do a Job; Ray W. Wilson(Preface), Paul Harsin

Automatic flowcharters

Patient Flow Chart Manual, 1980  Patient Ca / Published 1980

Systematic Electronic Troubleshooting : A Flowchart Approach - James Perozzo; Paperback

The Basics of Process Mapping -- Robert Damelio; Paperback

Process Mapping : How to Reengineer Your Business Processes -- V. Daniel Hunt; Hardcover

Software Engineering : A Practitioner's Approach - Roger S. Pressman; Hardcover

From Flowchart to Program Richard G. Todd / Published 1985

Microprocessor Logic Design : The Flowchart Method Nick Tredennick / Published 1987

Patient Care Flowchart Manual Steven Alexander / Published 1988

Patient Care Flowchart Manual : Emergency Medicine Published 1984

Patient Care Flowchart Manual : Pediatrics Published 1984

Structured Cobol : Flowchart Gary B. Shelly, et al / Published 1988

Learn Visio 5.0 : For Users of Visio Technical and Visio Professional Ralph Grabowski / Paperback / Published 1998

Visio 4 for Everyone : Including Visio 4 Technical  Ralph Grabowski / Paperback / Published 1996

Learn Visio 5.0 for the Advanced User Ralph Grabowski / Paperback / Published 1998

Visio 4 : Drawing Has Never Been Easier! Barrie Sosinsky / Paperback / Published 1995

The Visio Idea Book/Book and Disk Debbie Walkowski / Published 1994

Flowcharting Help Page List of Recommended Quality System Implementation Books

ISO 9000 Documentation, Quality Manual and 32 Operational Procedures (AQA ISO 9000 Series) by Jack Kanholm. Paperback

ISO 9000 In Our Company, Self-Study Course for Personnel (AQA ISO 9000 Series) by Jack Kanholm. Mass Market Paperback

ISO 9000 Requirements, 72 Requirements Checklist and Compliance Guide (AQA ISO 9000 Series) by Jack Kanholm. Hardcover

Iso 9000 Quality System : Department by Department Implementation for the Certification Audit -- Jack Kanholm; Hardcover. 

ISO 9000: 2000 (DIS) New Requirements, 28 Requirements Checklist and Compliance Guide -- Jack Kanholm; Paperback. 

The ISO 9000 Implementation Tool Kit : Forms, Checklists, Project Planning Tools, Transparency Masters; Vincent Zottola. This is a little more costly than the Jack Kanholm book; however, you don't have to create training materials.

Flowcharting Help Page List of Other Recommended Quality Books

Quality Is Free : The Art of Making Quality Certain;Philip B. Crosby; Mass Market Paperback;

Quality Is Still Free : Making Quality Certain in Uncertain Times; Philip B. Crosby; Hardcover;

Quality Is Free : The Art of Making Quality Certain; Philip B Crosby;Hardcover; (Special Order)

A History of Managing for Quality : The Evolution, Trends, and Future Directions of Managing for Quality; J.M. Juran (Editor); Hardcover;

Juran on Leadership for Quality : An Executive Handbook; Joseph M. Juran; Hardcover;

Juran on Quality by Design : The New Steps for Planning Quality into Goods and Services; Joseph M. Juran; Hardcover;

Juran's Quality Control Handbook; Frank M. Gryna (Editor), J. M. Juran; Hardcover;

Quality Planning and Analysis : From Product Development Through Use (Industrial Engineering and Management Science); J.M. Juran, Frank M. Gryna; Hardcover;



Current Status


What's COSO?

The COSO Study

Implementation Plan

Integrating Sarbanes-Oxley Requirements Into A Quality Management System

The Internal Controls Auditor's Tasks

Learning the Requirements


Risk Assessment

What to Audit?

Use of Consultants


Internal Controls Audit Plan

Information Technology Computer Systems Audit Plan


The "Internal" Internal Controls Audit

The "External" Internal Controls Audit

Internal Controls Audit Report

Corrective and/or Preventive Action



This site is a short how-to on integrating the Sarbanes-Oxley Act Internal Control Audit (a.k.a. SOX-404) into an ISO9001:2008 Quality System for those needing to meet the requirements of the Sarbanes-Oxley Act without having to go through a public offering to pay for it. This site explains what I did to find out about the requirements, integrate them into the Quality Management System (QMS) and implement the internal controls auditing function. Since this is a recent requirement for public corporations, this may be of interest to those in similar circumstances. It should also be noted that an ISO9001 quality system has a lot of similarities to other standards such as ISO14001 and AS9101, and the integration into those systems should be the same.

Things were going fine. I had just passed my initial ISO9000:2000 (now using the ISO9001:2008 amendment) audit after preparing everything to comply with the standard when I was asked to perform the Sarbanes-Oxley Act Internal Controls audits. Since I had set up an anonymous "whistle blower" form that went to the Board of Directors' Audit Committee, I thought this might be a quick and easy thing, or would it? While I haven't had to work as an accountant, I have done a number of product costing activities. Besides managing some engineering, information technology and quality departments and a number of engineering programs and projects, I also have a Master of Business Administration, so my boss thought I'd be a good fit. Besides, in a smaller company, no one wants to hire an extra person to work a week or two every quarter.

Back to Index

Current Status

"Why would a CEO ask his Quality Assurance manager to be the person to ensure compliance with the Securities and Exchange Commission's requirements?" The information below, provided by the external accounting auditors to our Controller, explained what needed to be done. The following items are relevant to understanding the current status:

  1. The Sarbanes-Oxley Act, a government law, requires companies to perform internal controls audits.
  2. While the government dictates that companies must perform these internal controls audits and that CEOs and CFOs must attest to their accountants' findings, the standard by which companies are to audit their books has not yet been approved. The COSO framework appears to have the most support from the SEC.
  3. Many large companies are integrating the Accounting and Financial procedures into their quality systems and auditing to the COSO framework.
  4. Internal controls audits deal with reviewing the practices, transactions, procedures and processes used to control the financial transactions and to protect a company's property and assets.
  5. The COSO framework has a number of similarities with the requirements of ISO9001:2008, such as the following:
    • The accounting procedures and processes need to be documented like the processes are for the ISO9001:2008 standard. Flow charts or process maps are recommended. The COSO framework states that the company must have objectives and know how they are performing against them, as well as what they would do if they didn't meet the requirements; again, similar to the ISO9001:2008 standard.
    • The COSO framework requires employees to be qualified and trained; again, similar to the ISO9001:2008 standard (this is the Human Resources, Customer Satisfaction and Training aspects).
  6. As with any type of auditing, there must also be auditor independence. It's a little hard to find an internal accounting auditor outside of the accounting department.
  7. Some external accounting auditor firms' preparation materials recommended that those responsible for writing the procedures get the help of the Quality Assurance department, since they were already familiar with "The Process Model" audit and with how to write and flowchart procedures.
  8. The current COSO framework is not approved as the standard by the SEC; however, it seems to be the framework most companies are using to comply with the legal requirements and is currently available, by industry, at
  9. Section 404 of Sarbanes-Oxley requires public companies to verify that their financial-reporting systems have the proper controls, such as ensuring that revenue is recognized correctly. Senior executives must attest that these controls are in place for fiscal-reporting periods that conclude after Nov. 15, 2004. For companies with revenue of less than $75 million, the deadline is July 15, 2005.

    One caveat is that if the company's market capitalization is greater than $75 million, your external accounting auditing firm can require that your company comply by the November 15th deadline as well.

Back to Index


Since the SEC had not approved the audit framework, the companies that provide this type of training didn't know which framework to provide guidance on, much less train for. Training will be something I will have to do at a later date, as does our company's Controller. Sometimes, you just have to figure it out on your own and hope it's close enough. To that end, I found as much relevant information as I could, both from the external auditor and from places on the Internet. The Institute of Internal Auditors has a great deal of information on the topic and is planning training.

Training is key to any implementation; however, this is a system and the big picture is not always readily apparent to those responsible for the implementation. While I was asked to help with the implementation, there were no invitations to any meetings with the external auditor, since it was thought that too much time would be taken up asking questions and taking up some very expensive external auditor's time, not to mention that my time is also considered expensive. Only after the external consultants wanted to know about the IT systems was I involved.

This means that questions such as how extensive the training for employees has to be go unanswered. Under the ISO9001 standard, the training means everyone. I assumed under SOA the same applies; however, management at most companies don't want to do it unless their external auditor tells them they have to do it. Again, this is related to cost.

The SOA implementation and auditing are divided into two different skill sets. The first is being able to understand the accounting side of the auditing (a.k.a. the COSO requirements) and the second is the Information Technology (IT) systems side (a.k.a. the COBIT® requirements). Needing two different skill sets could be a problem for smaller companies, though technically the information is in the COSO and COBIT® frameworks and can be pulled out of them, as well as from other information on auditing, if you have an understanding of standards.

Back to Index

What's COSO?

Due to accounting problems, the National Commission on Fraudulent Financial Reporting was created in 1985. This is also known as the Treadway Commission. It made a number of recommendations that directly addressed internal controls. A task force, under the auspices of the Committee of Sponsoring Organizations (COSO) of the Treadway Commission, conducted a review of internal control literature. The results recommended that COSO undertake a project to provide practical, broadly accepted criteria for establishing internal controls and evaluating their effectiveness.

Back to Index

The COSO Study

The COSO study concluded that internal controls consist of five interrelated components (''Internal Control - Integrated Framework", Committee of Sponsoring Organizations of the Treadway Commission, September 1992). These components are:

  1. Control Environment - The control environment sets the tone of an organization and influences the control consciousness of its members. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values, and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility and organizes and develops its people.

  2. Risk Assessment - Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is the establishment of operating objectives. Risk assessment is the identification and analysis of risks relevant to the achievement of objectives. This forms a basis for determining how the risks should be managed. Because of ongoing changes in economic, regulatory, and operating conditions, mechanisms are needed to identify and deal with the special risks associated with change.

  3. Control Activities - Control activities are the policies and procedures that help ensure that management directives are carried out and that necessary actions are taken to address risks to achieving the entity's objectives. Control activities operate throughout the organization, at all levels, and in all functions. They include a range of activities as diverse as authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.

  4. Information and Communication - Pertinent information must be identified, captured, and communicated in both a form and a timeframe that enable people to carry out their responsibilities. Information systems produce reports, containing operations, financial, and compliance-related information, that make it possible to run and control an operation. Such systems deal with both internally generated data and information about external events, activities, and conditions.
    • Effective communication must flow down, across, and up the organization. All personnel must receive a clear message from top management that control responsibilities must be taken seriously. They must have a means of communicating significant information upstream. (There also needs to be effective communication with external parties, such as taxpayers, other agencies, suppliers, and government regulators.)

  5. Monitoring - Internal control systems need to be monitored. This is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two. Ongoing monitoring includes regular management and supervisory activities, and other actions personnel take in performing their duties. The scope and frequency of separate evaluations depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported to the upper operational hierarchy.

The current COSO draft framework has been available for public review and is downloadable as a PDF file and explains the above in more detail.

Back to Index

Implementation Plan

What has to happen next? Since I don't work in the Finance or Accounting departments, I didn't have to write the Accounting Processes and Internal Controls Procedures, though I did do a document review on the initial draft to assist the accounting department. The task of documenting the specific accounting procedures fell on the Controller, as his task was to determine where the risks were based on the size of the accounts, the number of transactions, risks as a percent of revenue, and the value of the assets.

It's better to have the people that actually perform the functions create the procedures. The procedures and policies need to be carefully tailored for the company. The use of screen shots within the procedures is now common for most quality system procedures.

One thing the external auditors will want to do is go through the process, though the focus will be primarily on the controls, the transactions, and what happens if something goes wrong. In other words, the auditors are looking at the controls within the company and not necessarily whether the numbers add up correctly, since that aspect is what the regular audit does.

It is also recommended to create flowcharts for the processes. Identifying the process owners, the documents created and the internal controls for the system on the flowchart is also recommended. This makes it easier for the internal controls auditor to follow the process and makes it easier for the external auditors to follow. It may also save you from having the external auditor create a flowchart (which you pay for).

My job was to integrate the COSO framework requirements into the quality system documentation and to audit. Since a number of procedures were common, as were the records being created, there was a good start. Only the accounting and finance procedures needed to be integrated into the Quality Management System, and they were already partially there.

Back to Index

Integrating Sarbanes-Oxley Requirements Into A Quality Management System

In reviewing the COSO requirements I noticed that COSO had a number of similarities to an ISO9001:2000 quality system. The easiest item any Quality Auditor can relate to is probably auditing; however, the financial areas have not had to be integrated into any process approach structure until now, so you will need to highlight the similarities so they will see where the quality system can be used to leverage the Sarbanes-Oxley (SOX) implementation.

Using the five key COSO elements (Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring), I modified my quality system procedures so that they could be used for both the quality system and the financial system.

  1. Control Environment

    The Control Environment is the foundation of the guidelines. This element is supposed to provide discipline and structure. It also includes the way management assigns authority and responsibility, and organizes and develops its people. This also includes a communications requirement.

    Since the ISO9001 standard also has a communications requirement, this was one of the easiest requirements to meet. We had already included the financial policies and procedures in the things that are communicated, so now the SOX items are part of the agenda.

    ISO9001 requires identification of an organization's processes, their sequence and interaction, and the definition of quality policies and objectives. ISO9001 also requires control of documents and records, as well as requiring that personnel be competent based on education, training, skills and experience.

    For this aspect, I modified the scope of my quality records and document control procedures to include the financial procedures and records. I also modified the quality system training procedure to include training given to meet SOX requirements. Since our system already had a performance appraisal procedure and we maintain resumes on everyone in HR, we covered a good part of this element.

    Since most of the procedures were already documented, we added some of the accounting procedure aspects to some of the quality system procedures to highlight the financial transactions and/or controls, and wrote a standalone accounting / financial procedure to cover the rest of the needed items.

    Since standard training is given as part of the quality system, now when training employees, they are informed that it is an ISO9001 and SOX requirement.

  2. Risk Assessment

    For COSO, identified risks are analyzed in order to form a basis for determining how they should be managed. Risks are associated with related objectives that may be affected and are assessed on both an inherent and a residual basis. Assessment considers both risk likelihood and impact. A range of possible results may be associated with a potential event, and management needs to consider them together. The areas that relate to risk within the ISO9001 quality system are internal audit and management review. For these aspects, I modified the procedures' scopes and wrote caveats into the internal auditing and reporting procedures that made the procedures dual purpose.

  3. Control Activities

    COSO's control activities are the policies and procedures that help ensure that management directives are carried out and that necessary actions are taken to address risks to achieving the entity's objectives. ISO9001 requires corrective and preventive actions: determining the causes or potential causes of nonconformities (a.k.a. risks), evaluating the need for action, determining and implementing the actions needed, reviewing the actions taken, and recording the actions taken. For this aspect I modified the scope of my corrective and preventive action procedure to allow my system to be used to report, log and monitor my SOX significant and/or material deficiencies. I also added some definitions and caveats on handling financial items requiring corrective action.

    Since the ISO9001 quality system procedures have controls in place, the purchasing, receiving inspection, shipping & receiving and material control procedures were modified, as these controls were already documented within them. Another item of note is that if a company uses Enterprise Resource Planning (ERP) software, a number of controls are already embedded in the software, and their use is integrated into the procedures. It should be noted that if Information Technology (IT) controls are used, your IT procedures need to be well documented and tested (see the Information Technology Computer Systems Audit Plan section below on COBIT®).

    Another benefit could be an improved alignment of functions and tasks with the organization’s objectives.  Improvement in the effectiveness & predictive nature of the controls could also occur.

  4. Information and Communications

    With COSO, pertinent information must be identified, captured, and communicated in both a form and a timeframe that enable people to carry out their responsibilities. In comparison, ISO 9001 is structured to enhance the relevance and reliability of information and includes the Quality Manual and the documented quality policy & objectives. An ISO quality system has specific documented procedures and records, and the documents needed to ensure the effective planning, operation, and control of its processes.

    The quality system documentation forms the basis for creating the objective evidence required during an audit. The tasks and evidence for the quality system are also usable for the SOX financial controls system. Specifically, the ISO requirements provide for internal communication, customer communication, supplier communication and top management communication, and cover statutory and regulatory requirements, which correspond to the COSO information and communication requirement.

  5. Monitoring

    COSO states that internal control systems need to be monitored, through ongoing monitoring activities, separate evaluations, or both. The ISO9001 quality system provides for verification of purchased products, monitoring and measurement of processes, monitoring and measurement of products, and monitoring & measurement of customer satisfaction. ISO9001 also provides for analysis of customer satisfaction, product, process and supplier data.

    Not a lot of changes to the quality system procedures were actually needed; however, it should be pointed out that the continuous improvement aspect of ISO9001 (improving the effectiveness of the quality management system through the use of the quality policy, quality objectives, audit results, analysis of data, corrective and preventive actions and management review) provides the basis to accomplish the monitoring and is already in place in a company that has a quality system. Another point to note is that the ISO9001 aspects can provide an early warning system for financial controls.

    It was pointed out to me that everyone needs to talk the same language at management reviews.  The metrics used within the quality system may need to be changed to some market value metric based on income or operating expenses (e.g. Cost of Quality) to keep everyone using the same metrics for management reviews.

The Internal Controls Auditor's Tasks

To find out the requirements, execute the audit and write the report, I had to do the following:

  1. Learn and determine the requirements.
  2. Determine the "Tone" of the company.
  3. Determine whether the "Risk" Assessment appeared to reflect reality.
  4. Determine what to audit.
  5. Determine how to test the procedures, processes and data.
  6. Determine how to audit the information in the computer system.
  7. Create an Internal Controls Audit Plan.
  8. Create Audit Checklists for the Internal Controls for the Accounting and Financial Procedures and Information Systems.
  9. Audit to the plan and checklists. Note: Use your judgment concerning the COSO framework and try to avoid a "one size fits all" mentality.
  10. Review your checklists / notes and write the Internal Controls Audit Report.

Back to Index

Learning the Requirements

I reviewed the available data from the external public accountant on the internal controls. In my case, it was Ernst & Young. The following are the links to the materials provided by the external auditor:

There was an Internal Controls Guide for Management's Assessment PDF available from Ernst & Young; however, they have recently pulled it from their web site. This document was provided to their customers and may still be available to them. A more abbreviated guide is available as a PDF from Virginia Tech at Internal Control Guide for Managers.

Back to Index


One of the first things was to determine the "tone" of the company. Tone refers to the climate for the executives and employees of the company. This can be determined by interviews to find out the answers or by having a survey filled out. There are two prevalent surveys that I ran across: 1.) the El Paso Survey and 2.) the ALLTEL Control and Risk Self-Assessment Process. I chose the ALLTEL Survey because it helped me understand whether the risk assessment by the Controller was accurate, as well as helping determine the "tone" of the company. The ALLTEL survey was also shorter than the El Paso Survey and, I thought, more understandable for employees of a small company.

I decided to create a form using the ALLTEL Survey and dumped the data to a flat file so I could manipulate it. I then had the employees take the on-line survey on the intranet.

Back to Index

Risk Assessment

The ALLTEL Survey was used to see if there were any issues related to the "Tone" or with the activities being performed within the company relative to controls and risks. I also followed up by trying to determine the frequency of the transactions and whether there were enough high dollar activities to determine if any were actually material.

Besides the "Tone" assessment, the Controller typically also creates a risk assessment for the external auditors to review.  This should also be reviewed as part of the internal audit to ensure that the areas being audited are material.

Back to Index

What to Audit?

Since I was using this audit as a baseline, I chose to audit all the aspects of the accounting system rather than just focusing on the high risk items. This included reviewing the financial statements and going through each process and procedure to find out what could go wrong, whether the responsibilities were identified correctly, and whether the duties were adequately segregated (e.g. so the same person who validates payment of invoices isn't the same person who writes the check). To ensure that our company was on track, the CEO decided to hire some consultants. One of the first things the consultants said was that the SOA internal controls auditor from the external accounting firm would not be looking at whether the numbers all added up. That was the regular external auditor's job. The Internal Controls Auditor is looking at and testing controls.

Back to Index

Use of Consultants

Consultants can be an expense that your company may not want to pick up. If this is the case, hopefully you've made an investment in some good training. Why would your company want to use consultants? At this point, there is still a lot of gray area concerning the SOA implementation, and consultants, while not always the lowest cost solution, can clear up the fog.

Another factor is that Controllers and/or CEOs do not want to have problems or findings from their external accounting auditors. A bad audit report could send the price of a company's stock down and open Senior Management up to lawsuits from investors. This is a real concern and is causing companies to go with third party consultants to assist in the SOA compliance effort. These consultants can be very expensive and, at this time, have a seller's market because, unlike ISO9001 audits, there is somewhat of a lack of standardization on pre-assessments: there isn't a one size fits all approach, nor are there necessarily standardized approaches for large, medium and/or small companies.

After meeting the consultants for our implementation, I've observed the following:

  • Consultants tend to want to start from square one (i.e. they want to treat every client as someone who has no knowledge of what the requirements are and want to set everything up as a new implementation).

  • Consultants can sometimes give statements that conflict with the external accounting auditors, which may create problems down the road until they've discussed the requirements with your External Accounting Auditor.

    An example was flow charts for all accounting processes. The external auditors didn't really want to look at them and stated that they didn't really need them. This conflicts with the external accounting auditors' SOA expert, who stated we should have flow charts or process maps for the processes. Mixed signals like this may create problems down the road due to selective hearing on the part of some SOA implementation team members.

  • Of the consultants and external auditors I have met, not that many appear to be really well versed in both the COSO and COBIT® requirements. This causes both the consultants and external auditors to need at least two auditors. Even fewer accounting auditors and consultants are aware of the ISO9001 or ISO14000 standards.

  • Pre-assessments are not standardized for the different types of companies. Consultants are being used as go-betweens.

    Consultants work with the third party auditors (as go-betweens) to try to determine the expectations, and then they are able to do the pre-assessment. This makes compliance more expensive for companies. Having been through pre-assessments with two different ISO Quality Management System Registrars, ISO9001 pre-assessments appear to be more standardized from my observations.

  • The external accounting auditors do not have a good understanding of what the requirements actually are or what a "Process Audit" is. While accounting auditors originally helped quality auditors set up QMS auditing, the QMS auditing process has changed since the ISO9001:1987 standard as it was originally implemented.

  • At this point, I have also heard that a number of larger external accounting firms are dropping smaller companies so they can focus on SOA compliance for their larger customers.

    Smaller companies are still required to comply, which leaves them no alternative but to try to obtain help from consultants or potentially have problems with their implementation. Since smaller companies have a later compliance date, they are not being audited at this time, or are audited on a catch-as-catch-can basis.

At the time of implementation, the consultants' opinion was that we had no material findings and that we had done an excellent job in implementing the requirements for the financial and information technology aspects and in preparing for the audit. I believe that integrating the SOX requirements into the Quality System has saved our company money and proved to be the right combination of resources to meet the compliance objective. There may be tangible benefits from going through the process; however, because we have an existing Quality System, it is difficult to identify and quantify what these benefits are. One improvement that could have been made to our implementation is in the collection and organization of the working papers and "evidence" of compliance. The method the consultants used to organize the working papers was very meticulous and made it easier for the external auditor to follow than my original approach.

Back to Index

Testing

Testing refers to either running or reviewing transactions to see if they were done correctly. I randomly picked transactions from different days and followed the process through to see if the transactions were done correctly, looked for items that would trigger the control, and, if there were any, looked for evidence that the procedure was actually followed when those triggering items occurred. Another method is to generate correct and wrong entries using a "sandbox" (a.k.a. a practice database) and printing out the forms and reports to verify the transactions and data.

The testing needs to be documented in a test plan. It was recommended to put the test plan into a matrix and identify the controls, what can go wrong, the tests done on the controls, the sample size, the justification for the sample size and the results.

The testing, as well as the audit, is to look for significant or material findings relating to the controls.

Back to Index

Internal Controls Audit Plan

As most Quality Assurance auditors are aware, creating a plan with a schedule is a requirement for any successful audit. My plan was to run the Internal Controls audit concurrently with my quarterly internal ISO9001:2000 audit, since there are a number of areas that have procedures and records that coincide with the COSO framework. I covered the areas of the COSO Framework, audited the overall general accounting practices and the internal controls, and did a detailed process audit on the individual accounting processes and procedures. The plan included my audit objectives, scope and activities for the audit. I also made the information technology computer systems an area to audit.

Back to Index

Information Technology Computer Systems Audit Area

Since computer systems are now the essence of most companies' processes, it becomes important whether the computer system software has been verified and validated prior to implementation. One key item is to ensure that the software is verified for its intended use. Once the verification criteria are determined, the idea is to verify that the software is functioning as stated and that the integrity of the data imported into the system is correct.

A key point is to ensure that you have documented that the system is verified and validated. Since management is to control the implementation of financial software and subsequent changes (i.e. show change control), use of a software change control system (or a document change control system) to show that management is controlling the changes adds validity to the system, and is a key item to look for on the internal controls audit.

A good source of information on what the internal controls auditor should look at for the information technology aspect is the IT Governance Institute web site and that of its affiliate, the Information Systems Audit and Control Association (ISACA).

While the SEC has not specified a particular standard to use, the COBIT® (Control Objectives for Information and related Technology) framework is a good starting point. See the downloads on that site for a complimentary copy of the COBIT® framework. One of the areas that needed additional effort to comply with the Sarbanes-Oxley and COBIT® framework for my company was the information technology area. The security aspect for the computer systems needed to be documented, training provided and evidence of training retained.

Back to Index

Audit Checklists

To perform the audit, I found some general and internal controls checklists at a college web site, which I modified, and then created my own detailed checklists pertaining to the procedures. Ultimately, few checklists are going to be able to reflect the complicated decision process that a company must consider, and they are really poor at reflecting what happens a day or so after the list was filled out.

Things the COSO framework and ISO9001 have in common include requirements for document control/documentation of processes, auditing to the "process model" management objectives, shipping and handling of product & finished goods, purchasing procedures, records requirements, monitoring, and human resources requirements for communications, competence (can be Performance Evaluations) and training.

I also found an information technology checklist that was from a major IT company. Information technology requirements for the COSO framework are similar to both the document control and infrastructure requirements of the ISO9001:2000 standard. I tailored the IT checklist using the COBIT® framework to fit our much smaller company and used it to audit the computer systems. The general headings and items to be covered applied; however, with an IT staff of one, there are some things that will not apply to your business. To ensure completeness, in my opinion, it is easier to take a more extensive checklist and tailor it to the procedures being audited. Another element in doing this correctly is selecting the appropriate sample sizes (e.g. a daily activity would use a 25 transaction sample, a monthly one would use 10).
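The test-plan matrix described under Testing (control, what can go wrong, test, sample size, justification, results) and the sample sizes mentioned in the previous paragraph are easy to get wrong in a spreadsheet: the sample is picked by hand, the seed of the selection is not recorded, and the external auditor cannot re-perform it. The following script is an added example of that matrix and sampling done reproducibly; it is not the author's own tooling. The daily (25) and monthly (10) sizes come from this page, the weekly, quarterly and annual sizes are assumptions, and the ledger of journal entries and the "entries over $5,000 need Controller approval" control are constructed for the example.

```python
import random
from dataclasses import dataclass, field

# Sample sizes by control frequency. The daily (25) and monthly (10) figures
# are the ones the article gives; the weekly, quarterly and annual values are
# assumptions added for this example and must be replaced by sizes you can
# justify to your external auditor.
SAMPLE_SIZES = {"daily": 25, "weekly": 15, "monthly": 10, "quarterly": 3, "annual": 1}


@dataclass
class Control:
    control_id: str
    description: str
    frequency: str          # key into SAMPLE_SIZES
    what_can_go_wrong: str
    test: str               # the test step performed on every sampled item


@dataclass
class TestPlanRow:
    """One row of the test-plan matrix: control, risk, test, sample and results."""
    control_id: str
    what_can_go_wrong: str
    test: str
    sample_size: int
    justification: str
    sample: list
    results: dict = field(default_factory=dict)     # transaction id -> passed?
    exceptions: list = field(default_factory=list)  # sampled items that failed


def sample_size(frequency):
    return SAMPLE_SIZES[frequency]


def select_sample(population, n, seed):
    """Pick n transaction ids at random. Sorting the population and fixing the
    seed makes the draw reproducible, so the recorded seed is evidence of how
    the sample was chosen and the external auditor can re-perform it. A
    population smaller than n is tested in full."""
    population = sorted(population)
    return random.Random(seed).sample(population, min(n, len(population)))


def build_test_plan_row(control, population, seed):
    n = sample_size(control.frequency)
    justification = (f"{control.frequency} control: {n} items per the sample-size "
                     f"table; drawn with seed {seed} from {len(population)} transactions")
    return TestPlanRow(control.control_id, control.what_can_go_wrong, control.test,
                       n, justification, select_sample(population, n, seed))


def execute_test(row, check):
    """Apply check(transaction_id) -> bool to every sampled item, record the
    outcome per item and collect the exceptions for the audit report."""
    row.results = {}
    row.exceptions = []
    for tx in row.sample:
        passed = bool(check(tx))
        row.results[tx] = passed
        if not passed:
            row.exceptions.append(tx)
    return row


# Constructed ledger for the example (not real data): 40 journal entries,
# every seventh one posted without an approver.
LEDGER = {
    f"JE-{i:04d}": {"amount": 1000 * i, "approver": None if i % 7 == 0 else "controller"}
    for i in range(1, 41)
}

# Hypothetical control used to drive the example.
JE_APPROVAL = Control(
    control_id="FIN-03",
    description="Journal entries over $5,000 require Controller approval before posting",
    frequency="daily",
    what_can_go_wrong="An unapproved or fictitious entry is posted to the general ledger",
    test="Inspect the approval on each sampled entry above the threshold",
)


def je_is_approved(tx_id, threshold=5000):
    entry = LEDGER[tx_id]
    return entry["amount"] <= threshold or entry["approver"] is not None


if __name__ == "__main__":
    row = execute_test(build_test_plan_row(JE_APPROVAL, LEDGER, seed=20240430), je_is_approved)
    print(row.justification)
    print(f"{len(row.sample)} tested, {len(row.exceptions)} exceptions: {row.exceptions}")
```

The seed recorded in the justification column is what makes the working papers defensible: anyone with the same transaction list and seed gets the same sample, and the per-item results dictionary is the evidence that each sampled item was actually inspected.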

Back to Index

The  "Internal" Internal Controls Audit

Perform the audit checking the following:

  • Tone, integrity and ethics of top management as well as the employees.
  • Accounting and financial data, processes, procedures, document control & records. I performed this concurrently with my ISO9001 audit, since a number of the required procedures, such as inventory/material control, shipping and handling of product & finished goods, purchasing procedures and human resources (communications, competence and training), are common to both standards.
  • Information systems / network computer security and how well the assets of the company are secured.

Back to Index

The "External" Internal Controls Audit

Our external auditor laid out what would happen during the audit. The approach is similar to an ISO9001:2000 process audit; however, the documents reviewed relate to the internal controls: what can go wrong, how the risks are mitigated, what testing was done on the system (including sample sizes and results), and the evidence that shows you are meeting the requirements.

The following is a generic outline of the Management Documents:

  1. Narrative of Process
  2. Flowchart(s)
  3. Risk Control Matrix
  4. Gap logs
  5. Test Plan with justification of sample sizes, etc.

    The narrative should include information on the IT system: new users, super users, terminated users, transferred users and unauthorized users, along with evidence of periodic reviews of users and a discussion of administrative users. It was also noted that Excel spreadsheets can be audited, though this is somewhat dependent upon their complexity and impact on financial reporting.

    The IT portion of the audit covers network security, physical security and logical security, including firewalls. Change management and the approval process will also be covered, along with data backup/recovery, third-party services, incident management and any job scheduling done on the IT systems.
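The user categories the narrative has to cover (new, terminated, transferred, unauthorized and administrative users, plus evidence of periodic review) are exactly what a user access review produces when the financial system's account list is reconciled against the HR roster. The script below is an added example of that reconciliation and of the review record retained as evidence; it is not the author's procedure or any vendor's tool. The HR roster, the account export, the role-to-department table, the set of administrative roles and the 90-day dormancy threshold are all constructed or assumed for the example.

```python
from datetime import date, timedelta

# Which roles are acceptable for which HR department, and which roles count as
# administrative ("super user") access. Both tables are assumptions for this
# example; derive yours from the financial system's role documentation.
ROLE_DEPARTMENTS = {
    "ap_clerk": {"accounting"},
    "gl_post": {"accounting"},
    "sysadmin": {"it"},
}
ADMIN_ROLES = {"sysadmin"}
DORMANT_AFTER = timedelta(days=90)      # assumed inactivity threshold

# Constructed HR roster (not real data): the authoritative list of people.
HR_ROSTER = {
    "E100": {"name": "A. Lee",   "status": "active",     "department": "accounting"},
    "E101": {"name": "B. Ortiz", "status": "terminated", "department": "accounting"},
    "E102": {"name": "C. Singh", "status": "active",     "department": "shipping"},   # transferred out of accounting
    "E103": {"name": "D. Park",  "status": "active",     "department": "it"},
    "E104": {"name": "E. Hall",  "status": "active",     "department": "accounting"}, # hired this quarter
    "E105": {"name": "F. Kim",   "status": "active",     "department": "accounting"},
}

# Constructed export of accounts from the financial system (not real data).
SYSTEM_USERS = [
    {"username": "alee",       "employee_id": "E100", "roles": ["ap_clerk"], "created": date(2023, 1, 10), "approval_ticket": "CHG-0410", "last_login": date(2024, 4, 1)},
    {"username": "bortiz",     "employee_id": "E101", "roles": ["ap_clerk"], "created": date(2022, 9, 1),  "approval_ticket": "CHG-0233", "last_login": date(2024, 3, 14)},
    {"username": "csingh",     "employee_id": "E102", "roles": ["gl_post"],  "created": date(2022, 6, 1),  "approval_ticket": "CHG-0120", "last_login": date(2024, 4, 20)},
    {"username": "dpark",      "employee_id": "E103", "roles": ["sysadmin"], "created": date(2021, 2, 3),  "approval_ticket": "CHG-0007", "last_login": date(2024, 4, 29)},
    {"username": "ehall",      "employee_id": "E104", "roles": ["ap_clerk"], "created": date(2024, 3, 5),  "approval_ticket": None,       "last_login": date(2024, 4, 25)},
    {"username": "tempvendor", "employee_id": None,   "roles": ["ap_clerk"], "created": date(2024, 3, 20), "approval_ticket": None,       "last_login": date(2024, 4, 2)},
    {"username": "fkim",       "employee_id": "E105", "roles": ["ap_clerk"], "created": date(2023, 5, 8),  "approval_ticket": "CHG-0512", "last_login": date(2023, 12, 1)},
]

LAST_REVIEW = date(2024, 1, 31)
REVIEW_DATE = date(2024, 4, 30)


def review_user_access(roster, users, review_date, last_review):
    """Reconcile the system's accounts against HR and return the findings the
    narrative has to address: terminated users still enabled, accounts with no
    owner, new accounts created since the last review without a documented
    approval, roles that no longer fit the user's department (transfers),
    dormant accounts, and the administrative (super user) population."""
    findings = {
        "terminated_still_active": [],
        "unauthorized": [],
        "new_without_approval": [],
        "role_department_mismatch": [],
        "dormant": [],
        "admin_users": [],
    }
    for user in users:
        name = user["username"]
        employee = roster.get(user["employee_id"]) if user["employee_id"] else None
        if employee is None:
            findings["unauthorized"].append(name)       # no HR record owns this account
            continue
        if employee["status"] == "terminated":
            findings["terminated_still_active"].append(name)
        if user["created"] > last_review and not user["approval_ticket"]:
            findings["new_without_approval"].append(name)
        for role in user["roles"]:
            if employee["department"] not in ROLE_DEPARTMENTS.get(role, set()):
                findings["role_department_mismatch"].append((name, role))
            if role in ADMIN_ROLES:
                findings["admin_users"].append(name)
        if user["last_login"] is None or review_date - user["last_login"] > DORMANT_AFTER:
            findings["dormant"].append(name)
    return findings


def review_evidence(findings, reviewer, review_date):
    """The record retained as evidence that the periodic review was performed.
    The admin list is information, not an exception, so it does not by itself
    require action."""
    counts = {category: len(items) for category, items in findings.items()}
    actionable = sum(n for category, n in counts.items() if category != "admin_users")
    return {"review_date": review_date.isoformat(), "reviewer": reviewer,
            "counts": counts, "action_required": actionable > 0}


if __name__ == "__main__":
    found = review_user_access(HR_ROSTER, SYSTEM_USERS, REVIEW_DATE, LAST_REVIEW)
    for category, items in found.items():
        print(f"{category}: {items}")
    print(review_evidence(found, "internal controls auditor", REVIEW_DATE))
```

Each finding category maps to one of the user types the narrative must discuss, and the record returned by `review_evidence` (dated, signed by the reviewer, with counts) is the artifact to file with the working papers as proof that the periodic review took place.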

Back to Index

Internal Controls Audit Report

The final task is to write the audit report. Items I included in the report were as follows:

  • Background / Introduction
  • Audit Objectives and Scope
  • Overall Risk Exposure Rating
  • Audit Conclusion Regarding System Of Internal Control
  • Audit Comments
  • Major Areas of Opportunity
  • Reporting Activities

The report is typically distributed to the President, CFO, Controller and the Board of Directors' Audit Committee.

Back to Index

Corrective and/or Preventive Action

The COSO framework and ISO9001:2008 have a number of aspects in common, including ensuring that human resources are competent, which means even the internal controls auditor needs a job description. Fortunately, my ISO system already has them, so it wasn't too hard to write another. Another similarity is the customer satisfaction element, and COSO looks for some form of corrective action system as well. Since an ISO9001:2008 system already has a corrective and preventive action system, there is no need to reinvent the wheel: just put the noncompliances and preventive actions for the accounting and finance issues into it as well. In the case of the SOA audits, findings are termed significant or material.

Back to Index

Summary

While having an additional responsibility put upon a quality auditor may not seem to make a lot of sense to the uninitiated, after becoming familiar with the COSO framework it is possible to plan and do the audit. The initial emphasis would be to get the procedures and processes documented. They can be integrated into your existing Quality and Document Control systems without a lot of difficulty if you have a good Quality Management System (QMS) to work with.

For those needing help with other areas relating to aspects needed to implement the Internal Controls Audit function, visit other related web sites by the author as follows:

Flowcharting Help Page at  

Job Descriptions Help Page at

Performance Appraisal Tips Help Page at

Program Management Tips at

Total Quality Management (TQM) Tutorial/Help Page at

Procedure / Process Writing Tips at

American Society for Quality

The American Society for Quality (ASQ) also has a SOX forum and discussion board with additional information and contacts:

ASQ SOX Forum Community is at

ASQ SOX Discussion Board at

ASQ SOX Blog at

Recommended Reading:

Competitive Advantage: Linked Management Systems by Sandford Liebesman, Ph.D., ASQ Fellow Paperback

For those interested in integrating the requirements of Sarbanes-Oxley into their company, I recommend the latest book by Sandford Liebesman.

Sandford is someone who I've known and had regular contact with for several years. He is a highly recognized author with expertise on quality and management systems. His book goes into detail on the information on this web site and covers integrating other management systems into a quality system.  A summary as a PDF is linked "here".  What others are saying about this book are in a PDF flyer and is linked "here".

COBIT® is a registered trademark of the Information Systems Audit and Control Association.

 Back to Index

For those who would like other information published by Dexter Hansen without ads in downloadable MSWord, MS PowerPoint or Adobe PDF files, click here to go to the WebStore.

Dexter Hansen


If you have questions or comments relating to this information, please click here to email the author.

Copyright ©   Dexter A. Hansen