March 31, 2005
Statement for the SEC Roundtable Meeting April 13, 2005, Regarding Sarbanes-Oxley Section 404 Compliance
Cost-effective implementation of Sarbanes-Oxley demands that an organization utilize its EXISTING systems, procedures, and data to demonstrate compliance, and NOT be forced to overlay additional controls and undergo duplicative auditing unless a deficiency is found.
Today, tens of thousands of US companies are registered to international standards that require high levels of internal control over operations. Many of the same components of internal control identified by COSO are reflected in standards like ISO 9001, ISO/TS 16949, and the like. Organizations registered to these standards have existing objective evidence of internal controls that directly and indirectly impact financial data. This evidence should factor prominently into both intra-company compliance activities and public accounting firm audits.
We encourage the PCAOB to launch a systematic evaluation of how ISO 9001 and similar standards provide evidence of SOx compliance, evidence that should be accepted in lieu of costly additional activities. The components of an ISO system, including a formal corrective action process, internal auditing, third party surveillance audits, Top Management review and approval, measurement, and monitoring of progress on business metrics, lend credibility and transparency to this evidence. There is a straightforward mapping of ISO requirements and evidence versus the components of internal control and risk management as identified by COSO.
Common sense and cost concerns dictate that we utilize ISO compliance activities, to the greatest extent possible, to save time/money and avoid costly redundancies in the implementation of SOx section 404.