The Role of Sarbanes-Oxley and ISO 9001 in Corporate Management This page intentionally left blank The Role of Sarbanes-Oxley and ISO 9001 in Corporate Management A Plan for Integration of Governance and Operations WILLIAM A. STIMSON McFarland & Company, Inc., Publishers Jefferson, North Carolina, and London LIBRARYOFCONGRESSCATALOGUING-IN-PUBLICATIONDATA Stimson, William A. The role of Sarbanes-Oxley and ISO 9001in corporate management : a plan for integration of governance and operations / William A. Stimson. p. cm. Includes bibliographical references and index. ISBN 978-0-7864-6657-3 softcover : 50# alkaline paper 1. Corporate governance—United States. 2. Production management—United States. 3. Quality control— Standards—United States. 4. Corporate governance— Law and legislation—United States. 5. ISO 9001 Standard. 6. United States. Sarbanes-Oxley Act of 2002. I. Title. HD2741.S777 2012 658.4'013—dc23 2011040289 BRITISHLIBRARYCATALOGUINGDATAAREAVAILABLE © 2012 William A. Stimson. All rights reserved No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, i ncluding photocopying or recording, or by any information storage and retrieval system, without p ermission in writing from the publisher. Cover image © 2012 Ricardo Alvarez. Front cover design by Bernadette Skok ([email protected]) Manufactured in the United States of America McFarland & Company, Inc., Publishers Box 6¡¡, Je›erson, North Carolina 28640 www.mcfarlandpub.com To the families of Leonard Moss of Aurora, Illinois, and of Antoine Fauret of Saintonge, France: If only they had known each other! This page intentionally left blank T C ABLE OF ONTENTS Preface 1 1. Goodwill 13 2. Ethics in Business 16 3. Product and Service Liability 30 4. Contracts, Specifications, and Standards 40 5. Management Systems 51 6. Strategic Operations Management 64 7. The Sarbanes-Oxley Act 75 8. Managing Risk 90 9. Sarbanes-Oxley and Governance 100 10. ISO 9001 Framework for Sarbanes-Oxley 109 11. The Materiality of Operations 118 12. ISO 9001 Matched to SOX 132 13. The Governance System 151 14. Process Liability in Operations 167 15. Conclusions and Recommendations 188 Chapter Notes 201 Bibliography 211 Index 217 vii This page intentionally left blank P REFACE In the year 2000, American industry witnessed large scale and wide- spread theft of investment money. Millions of dollars disappeared into private portfolios, much of it legally. These events contributed to a col- lapse of the stock market and a furor among American investors and workers. Thousands of persons lost everything—their investment, their retirement funds, their savings for college education—everything their families had depended on for the future. In 2008, this shameful history was repeated with an even greater magnitude of scandal and financial loss. Although these disasters seem to be discrete events, they are really the extremes of a continuity of cor- porate mismanagement across the spectrum of business activity. For example, they are connected by the Ford-Firestone fiasco in the early part of the decade that resulted in loss of life, hundreds of millions of dollars in liability lawsuits and billions more in recall costs. They are connected again by the more than 1,300 corporate fraud judgments obtained by the Corporate Fraud Task Force of the United States Depart- ment of Justice (DOJ) during the decade.1 And they continue today as evidenced by the Toyota Motor Company’s recall of more than two mil- lion vehicles with possible serious mechanical defects. All of these events are complex, but it seems clear that there is a common thread of mismanagement at the highest level. This has increased the federal government’s interest in corporate governance and has resulted in the Sarbanes-Oxley Act of 2002. This book is about corporate governance, specifically the relation- ship between the board of directors (the Board), responsible for gover- nance, and corporate operations, responsible for getting things done. The book is an outgrowth of my work over ten years as a forensic systems engineer with the U.S. Department of Justice and of my 28 years as a production auditor and consultant on production management. In this 1