
ASQ Discussion Boards » Public » Sarbanes-Oxley

Topic: SOX and Quality Audit
Replies: 3   Pages: 1   Last Post: Dec 15, 2005 7:08 AM by: Mark Kempf


Mark Kempf

Posts: 92
SOX and Quality Audit
Posted: Nov 5, 2005 5:53 AM

Hello All,
My name is Mark Kempf. I'm Chair of the ASQ Quality Audit Division. FYI, the QAD has petitioned the ASQ Board of Directors for a name change. We're awaiting approval, which I think is forthcoming, to change our name to the ASQ Audit Division.

The name change will be much more reflective of the disciplines associated with our membership, and I'm in hopes that it will draw interest from the SOX Community as well. We have invited Mr. John Walz to attend/present at our next annual conference, scheduled for October, 2006 in Reno, NV. Feel free to visit our discussion board, post messages, and submit questions. Thanks everyone.

Mark Kempf
Chair, ASQ Quality Audit Division


John Walz

Posts: 12
Re: SOX and Quality Audit
Posted: Nov 6, 2005 6:52 PM

Mark,

I congratulate you on your proposed division rename to Audit Division.
Since ISO 19011, Guidelines for quality and/or environmental management systems auditing came out in 2002, quality auditors have been involved in environmental audits.
Similarly, quality auditors have been helpful in the new ANSI/AIHA Z10-2005 Occupational Health and Safety Management Systems audits.
Another area where quality auditors have been involved is in IT security for both:
ISO/IEC 17799:2005, Information technology – Security techniques – Code of practice for information security management and
ISO/IEC 27001:2005, Information technology – Security techniques – Information security management systems (ISMS).
In our case studies for quality practitioners supporting the Sarbanes-Oxley Act of 2002 (SOX), we have found internal quality auditors assisting internal financial auditors to assess compliance to SOX.
So your audit division can help your quality auditor reach into environmental, OS&H, IT security, and SOX.

Thanks for the invitation to speak at your annual audit division conference, scheduled for October, 2006 in Reno, NV.

John Walz, www.asq.org/blog/sox


David Griffiths
Re: SOX and Quality Audit
Posted: Nov 16, 2005 5:42 AM

Mark,
I am a retired internal auditor, who retains an interest in the subject through my website and as a trustee of a UK charity.

Your proposed change of name raises several questions as it implies ASQ is venturing into much wider areas than I would understand by 'quality'. This is no bad thing, since internal auditing itself needs to question where its responsibilities start and finish. This is particularly true in the UK, where the reporting requirements require boards to consider the effectiveness of internal controls covering all risks, not just financial.

This leads me to my questions:
Is the ASQ definition of audit, in the 'Glossary', sufficient? It refers to ‘ensure compliance to requirements’, whereas modern auditing would check that the requirements themselves were sufficient. An alternative definition might be ‘provides an opinion as to whether risks are being managed to within the defined risk appetite’.

Which brings me to my second question: where does risk fit in? There is no definition in the glossary, although there is an ISO definition (http://www.theirm.org/publications/documents/Risk_Management_Standard_030820.pdf). I believe auditing and risk are inseparable and if the ‘ASQ Quality Audit Division’ is to widen its remit to become the ‘ASQ Audit Division’ it will need to put risk management at the forefront of its strategy. I may have missed them, but searches of the ASQ site don’t reveal any articles linking audit and risk management.

If you agree with me and want to read more, there is the COSO risk document. However, this is long. A more succinct document is available from the UK Treasury, known as the orange book (http://www.hm-treasury.gov.uk./media/FE6/60/FE66035B-BCDC-D4B3-11057A7707D2521F.pdf); it gives an introduction to risk management.

Am I being too controversial here?

David Griffiths
www.internalaudit.biz


Mark Kempf

Posts: 92
Re: SOX and Quality Audit
Posted: Dec 15, 2005 7:08 AM

Hello David, Mark Kempf here. I'm sorry this response has taken so long. My travel schedule is, in a word, onerous. Regarding your question(s), please understand that I can only answer them from an audit division point of view. I'd feel a bit uncomfortable answering on behalf of the Society.

We decided to change the division name, removing the word "quality" because there are several other disciplines practiced by our membership. For example (but not all inclusive), we have many members engaged in environmental auditing. The word quality seemed to be semantically limiting.

Incumbent upon the skilled auditor would be the use of methods geared to ensuring that the requirements themselves would be sufficient, and verify whether risks are appropriately managed. For example, when I am auditing purchasing processes, I tend to review the methods used to qualify/re-qualify suppliers. Often I'll encounter approved supplier lists bearing more than one sole-source vendor. Quite the risk, I know you'll agree. However, depending on the industry/sector, this situation can be widespread. My follow-up questions, regarding managing that very real risk, are intended to get the auditing thinking about the consequences of problems with sole-source vendors. A disaster at the vendor's location could translate into a "hole" in the supply chain. I think it's clear that you and I agree risk management is a key element associated with effective auditing, whatever the discipline.

I'm also in hopes that the Audit Division Membership stay on top of the Sarbanes-Oxley requirements. Certainly I am trying to keep this in mind. My business partner and I often conduct contracted internal audits for enterprises that prefer to outsource that process. At least one of our Clients added SOX auditing to the internal quality audit (in this case TL 9000) purchase order authorizing our services. The Client sees real value (an oft overused phrase) in combining the two audits.

I'm going to read the Orange Book, and I thank you for the links.

Again David, thanks! Let's keep in touch. Feel free to post to the Audit Division Discussion Board. Here's the link:

http://www.asq.org/audit/discuss/index.html

Best Regards,
Mark Kempf
Chair, ASQ Audit Division