ISO 9001 Internal Audit and SOX Management Testing Integration



  • Hi,
    Does anyone have experience with integrating SOX Management Testing with their ISO 9001 Internal Audit program? There is a lot of synergy between the two disciplines and it doesn’t make sense to manage the testing/audits as separate processes. I would like to hear if anyone combined the two and how it worked out for them.
    Thank you in advance,
    Nick A.



  • I haven’t combined the two because SOX often requires a little more focus on the financial reporting side of things.
    I would agree, however, that there are similarities…



  • I haven’t combined the two because SOX often requires a little more focus on the financial reporting side of things.
    I would agree, however, that there are similarities…
    Yes, you’re right, but it shouldn’t matter (as far as ISO is concerned) where the focus is. If a SOX key control is mapped to an ISO process, and it’s time to do an ISO process audit, the questions or checklist should include the questions for that key control that were asked during the management testing of that key control. Not everything in that process will be a key control, but those that are have to be identified so the proper sample size is collected based on the frequency of activity for that key control. I’m just having a hard time coordinating the ISO internal audit schedule so that it satisfies SOX management testing. If anyone is interested and wants to take this offline to discuss further, I’d be happy to set something up. Then we can post what we come up with in this forum so that others in the same environment can take advantage of it if they wish.



  • I agree.
    I think that with some planning and thought to documentation you should be able to combine both activities into one project. Of course you will have things that you do for SOX and not for ISO and vice versa, and you may have different rigour for different purposes (in which case use the most rigorous), but if you have visibility in the documentation on why you are executing a specific task, then this should not cause a problem.



  • Well said, Denis. ‘…in which case use the most rigorous…’ is a good way of putting it. I’m going to use that phrase next time I need to. (BTW, great quote you have.)



  • What is SOX Management Testing? An alternative method to ISO 9001?
    Do you know the advantages and disadvantages of them?
    What should we use?

