In Brief
Examinations or audits of an organization’s quality control assurance system (QCAS) are not presently required, despite the fact that defective products or services represent a major risk for any business. Defects can have a detrimental impact on a company’s finances; for example, Takata Corporation went bankrupt as a result of its defective airbags. The authors argue that standards should require public companies to have periodic examinations or audits of their QCASs, illustrating how the Committee of Sponsoring Organizations (COSO) Internal Control 2013 framework can be used as a guideline to develop QCAS examination or audit procedures for an organization. They also discuss how COSO’s guidance on enterprise risk management can be integrated into a QCAS examination or audit.
***
Companies are not presently required to examine or audit their quality control assurance systems (QCAS) in order to reduce the chance of defective, and sometimes dangerous, products or services being sold to their customers. A QCAS, as defined by Frank J. Fabozzi, Pamela Peterson Drake, and Ralph S. Polimeni in The Complete CFO Handbook, is a system that provides constant feedback to management for decision making in order to “assure optimum product quality” (John Wiley & Sons, Inc., 2008). Product (or service) defects can, and often do, have a detrimental impact on a company’s financial position. According to AU-C section 200, “Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with Generally Accepted Auditing Standards,” the ultimate objective of the financial statement audit is to protect users of the financial statements, such as investors and creditors. Defective products resulting from ineffective or inadequate quality controls over the manufacturing process can result in a company’s financial demise. Service defects, such as in healthcare, can have devastating consequences as well.
Potential Impact of an Ineffective QCAS
According to Burke and Polimeni, “an ineffective quality control assurance system directly impacts the organization’s assets. Excessive rework costs and spoiled units lead to higher costs and inefficient use of an organization’s resources” (“What CPAs Need to Know About Quality Control Assurance Systems,” The CPA Journal, January 2012, http://bit.ly/37kiP7L). For example, hardline (e.g., toys, sporting equipment, furniture) recalls in the European Union and the United States for Q4 2018 increased by 10% and 26%, respectively, compared with Q3 2018 (SGS Group Management SA, “Product Recall Trends in Hardlines: Q4 2018,” Feb. 1, 2019, http://bit.ly/2SCJc3j). The Exhibit depicts which categories of hardline products had the highest number of recalls in Q4 2018.
Torrent Pharmaceuticals has been recalling batches of its losartan blood pressure medication for containing unacceptable levels of a probable human carcinogen [“Torrent Pharmaceuticals Limited Expands Voluntary Nationwide Recall of Losartan Potassium Tablets, USP,” Food and Drug Administration (FDA) website, Jan. 3, 2019, http://bit.ly/2SOUhib]. The Class Action Reporter indicates that the company is now facing a class action lawsuit from customers (“Torrent Pharma: Sanders Sues over Contaminated Generic Losartan,” Feb. 6, 2019, http://bit.ly/2Hdx2Zz). The FDA also reports that Tris Pharma recalled some of its baby ibuprofen because it may have higher than acceptable levels of ibuprofen (“Tris Pharma Issues Voluntary Nationwide Recall of Infants’ Ibuprofen Concentrated Oral Suspension, USP (NSAID) 50 mg per 1.25 mL, Due to Potential Higher Concentrations of Ibuprofen,” Dec. 5, 2018, http://bit.ly/38k8kTk).
In 2016, Samsung recalled 1 million of its Galaxy Note 7 phones because of a battery defect that could result in fires. Later, approximately 1.5 million of its replacement phones were found to have the same defect and were also recalled, ultimately leading to the discontinuation of the model (Paul Mozer and Su-Hyun Lee, “Samsung to Recall 2.5 Million Galaxy Note 7s over Battery Fires,” New York Times, Sept. 2, 2016, https://nyti.ms/2SFBllT). According to Risk Management, total losses were estimated to be over $5 billion (Morgan O’Rourke, “Year in Risk 2016,” Dec. 1, 2016, http://bit.ly/2Hh3slO).
Takata Corporation was subject to between $10 billion and $50 billion of liabilities from the recalls and lawsuits resulting from manufacturing defective airbags that could explode upon impact, dispersing fatal metal shrapnel into the bodies of passengers (Naomi Tajitsu, “What Next for Airbag Maker Takata after Bankruptcy Filing?” Reuters Business News, June 26, 2017, https://reut.rs/2OLrDx3). These dangerous explosions were the result of a chemical used to cause the airbags to explode during a car accident. Consumer Reports explained that the chemical was used without a drying agent, which results in the dispersion of hot shrapnel if exposed to certain environmental conditions such as high humidity (“Takata Airbag Recall: Everything You Need to Know,” Mar. 29, 2019, http://bit.ly/31Immvw). This product defect has already resulted in the deaths of at least 24 people worldwide and more than 300 injuries, as reported by the National Highway Traffic Safety Administration (NHTSA). Consumer Reports (2019) further indicates that defective airbag recalls are expected to total 38 million vehicles in the United States, making it the largest automobile recall in the United States. In June 2017, Takata Corporation filed for bankruptcy in the United States and Japan (Jie Ma, Emi Nobuhiro, and Masatsuga Horie, “How a Billionaire Family Fell from Grace after the Takata Airbag Scandal,” Bloomberg, June 28, 2017, https://bloom.bg/2HhhbsR).
Finally, Kobe Steel, one of Japan’s largest aluminum and steel producers and a major supplier to automobile manufacturers, admitted in October 2017 that it falsified quality control records for shipments of significant amounts of metal (Sean McLaine, “Kobe Steel Finds More Products Shipped with Quality Issues,” Wall Street Journal, Oct. 20, 2017, https://on.wsj.com/37ks5c1). The documents were tampered with to make it look as if the products conformed to customer specifications when they did not. In addition, the company admitted that it did not perform all of the required quality testing of its products from November 2015 to September 2017, and that employees and management attempted to conceal evidence of falsified quality data during an investigation.
Clearly, based on the above examples, problems with QCASs (or lack thereof) are pervasive and affect many industries. Aside from the immediate financial costs related to defective units, a company’s reputation can be quickly and easily damaged as a result of inferior quality. As indicated by Sridhar Ramamoorti, Dorsey L. Baskin, Barry Epstein, and James Wanserski, reputational damage can occur quickly as a result of “social media and the 24-hour news cycle” (“Managing Risk at the Speed of Change,” The CPA Journal, June 2017, http://bit.ly/2OGj2f5).
As noted by Joel Lanz (“Enterprise Technology Risk in a New COSO ERM World,” The CPA Journal, June 2018, http://bit.ly/3bwyNz2), companies “accept that to achieve business objectives and strategies, they must have an online presence and leverage technology to drive efficient and competitive service delivery strategies. These same technologies, however, can also cause significant damage to an entity’s reputation and lead to lawsuits.”
The lack of an effective QCAS can damage a company’s reputation, affect its bottom line, and result in material financial consequences to investors and creditors as well as personal injury to consumers.
Responsibility for Examination or Audits of QCASs
The International Standards for the Professional Practice of Internal Auditing, issued by the Institute of Internal Auditors (IIA), state that the internal audit activity must evaluate the effectiveness of, and contribute to the improvement of, risk management; however, there are no specific standards that relate to the company’s quality control, only to the quality control of the internal audit function itself. Internal auditors are mainly employed by companies to evaluate policies and procedures, and that work may not include a QCAS examination. External auditors are presently not required to review a QCAS as part of their regular audit.
The authors argue that standards should be established for public companies to require periodic examinations or audits of their QCAS. Ideally, external auditors should issue an opinion in conjunction with work performed by the internal auditors or corporate compliance officer (CCO). This can be accomplished as part of the independent financial statement audit, or as part of an “agreed-upon procedures engagement” whereby the external auditor can tailor a work program of procedures examining the QCAS in accordance with the AICPA’s AT section 201, “Agreed-Upon Procedures Engagements” (http://bit.ly/2OL8Ule). The agreed-upon procedures should be directed at the quality control assurances in place. Voluntarily engaging a CPA to audit the company’s financial statements conveys a message to its customers that it values quality products or services and is socially responsible.
External auditors can work in tandem with the internal auditors and CCOs, and—after applying appropriate due diligence—use the work of these individuals to complete the examination of a QCAS. External auditors are permitted to use the work of internal auditors in an annual external audit, and often do so. The requirements for their use are straightforward: internal auditors are not to be assigned any work that requires judgment or decisions commonly reserved for the external auditors responsible for the audit, and the external auditors must agree to take responsibility for their work. Therefore, precedent already exists for internal and external auditors to work together.
An alternate scenario would be for companies to simply require their internal auditors to examine QCASs without requiring an external audit (assuming, of course, that they employ internal auditors). An external audit takes it one step further, however, by providing assurance to the public that the company is managing the quality of its products or services. Furthermore, internal auditors can collaborate with CCOs to assess the risk of inferior products or services and make recommendations to the audit committee or management on how to address any issues. For example, CCOs may initially establish policies necessary to adhere to governmental safety standards (e.g., for an amusement park ride or disposal of medical waste), and internal auditors can examine the procedures and adherence to those standards to provide assurance that the standards are being followed.
Costs of Quality Control Assurance Systems
Companies must also manage the quality of their products and services to be competitive in the consumer marketplace. Global supply chains also necessitate a reliance on product quality. To enhance and ensure quality, companies should have an appropriate, cost-effective QCAS. The costs incurred to make sure products or services are in conformance with specifications are referred to as quality costs. Fabozzi et al. (2008) explain that these costs are often classified in one of four categories:
- Prevention costs: costs associated with averting defects, such as worker training and quality incentives.
- Appraisal costs: costs of assessing or testing products or services to make sure they conform with the quality standards before they are delivered to customers.
- Internal failure costs: costs that result when the company detects a failure before the product is sold to customers. Examples include costs to repair and rework defective products.
- External failure costs: costs that result when the defect or lack of quality is discovered after the product is sold to the customer. Examples include the cost of repairing products or correcting a provided service, public relations activities to protect the company’s image, and the costs of litigation.
ISO Certification
The International Organization for Standardization (ISO) is the world’s leading creator of international quality standards. Many manufacturers obtain ISO 9001 certification to provide customers with assurance that their products and services are of high quality. ISO 9001:2015 establishes certification requirements for a quality management system. It was developed based on seven quality management principles, such as having a customer focus and continuous improvement process, and “helps ensure that customers get consistent, good quality products and services, which in turn brings many business benefits” (“ISO 9000 Family—Quality Management,” ISO website, http://bit.ly/2Hf8yPF). An independent body must audit the company seeking certification; however, certification does not require that the audit include a review of the QCAS. In addition, ISO does not get involved with certifying companies; if a company wants to be certified, it needs to hire an outside certification body, although that body does not need to be accredited (“Certification,” ISO website, http://bit.ly/2ShL5n3). Also, once certified, the ISO recommends, but does not require, that the company’s QCAS be audited (“ISO 9000 Family—Quality Management”). It is therefore not surprising that many companies still have numerous product or service defects, even though they are ISO certified.
Design of a QCAS
One approach to designing the audit or work program for a QCAS would be to follow the Committee of Sponsoring Organizations’ (COSO) 2013 framework, which established the requirements for an effective internal control system. COSO’s Internal Control—Integrated Framework is widely recognized by the accounting profession as a key framework “for designing, implementing, and conducting internal controls and assessing their effectiveness. The majority of publicly traded companies in the United States rely on the framework” (Jill D’Aquila, “COSO’s Internal Control—Integrated Framework,” The CPA Journal, October 2013, http://bit.ly/2SjKstt). According to the Internal Control Framework, there are five internal control principles (formerly referred to as components) that “provide clarity for the user in designing and implementing systems of internal control and understanding requirements for effective internal control” (Executive Summary, 2013, http://bit.ly/2uG5NUG). The principles are as follows:
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring
Below is an overview of these principles and examples of how they can be applied to designing an examination or audit program for a QCAS.
Control Environment
The tone at the top has a “pervasive impact on the overall system of internal control” (COSO 2013) and is therefore critical to the effectiveness of a QCAS. A company that has good internal controls has the following attributes:
- The control environment demonstrates a commitment to integrity and ethical values.
- The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
- Management establishes—with board oversight—structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
- The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with its objectives.
- The organization holds individuals accountable for their internal control responsibilities in the pursuit of its objectives.
Quality policy may be dictated either by management or by the government; in either case, tone at the top is important to examine when evaluating the QCAS, because unethical or indifferent attitudes at the top could lead to ineffective implementation of a QCAS. For example, one step could be to ascertain that management fully supports the organization’s quality control objectives and monitors the correct implementation of the QCAS. This step can be accomplished by interviewing employees who are directly involved in the QCAS.
Risk Assessment
COSO principles in this category state that the organization—
- specifies objectives with sufficient clarity to enable the identification and assessment of risks related to them,
- identifies risks across the entity and analyzes them as a basis for determining how the risks should be managed,
- considers the potential for fraud in assessing risks, and
- identifies and assesses changes that could significantly affect the system of internal control.
In addition to incorporating the above risk principles into the design of a QCAS, companies should also consider integrating COSO’s 2017 Enterprise Risk Management—Integrated Framework, developed to help companies manage risk. The ERM Framework does not replace the Internal Control Framework, which is “viable and suitable for designing, implementing, conducting, and assessing internal control, and for consequent reporting” (COSO, Enterprise Risk Management—Integrating with Strategy and Performance, Volumes I and II, June 2017). The ERM Framework emphasizes the “importance of considering risk in both the strategy-setting process and in driving performance.”
COSO’s ERM Framework defines “risk” as “the possibility that events will occur and affect the achievement of strategy and business objectives.” It defines “risk appetite” as “the types and amount of risk, on a broad level, an organization is willing to accept in pursuit of value.” The framework document sets out principles that can be followed to integrate enterprise risk management throughout an organization. The five principles laid out in the ERM Framework are as follows:
- Governance and culture. Governance sets the tone at the top, and thus can emphasize the value of enterprise risk management (ERM). Culture impacts decision making.
- Strategy and objective setting. ERM should be integrated throughout an organization’s strategic plan, including its business objectives. The entity “sets its risk appetite in conjunction with strategy setting. The business objectives allow strategy to be put into practice and shape the entity’s day-to-day operations and priorities.”
- Performance. Risks are identified and their severity is assessed. Risks are prioritized according to their severity and, considering the entity’s risk appetite, risk responses are implemented and a portfolio view of these risks is created.
- Review and revision. The entity’s performance is evaluated, and the ERM plan is reviewed and revised as necessary.
- Information, communication, and reporting. With the use of technology, management gathers information relevant to its ERM system; communicates that information throughout the organization, including to the board of directors; and then “reports on risk, culture, and performance” to stakeholders.
Application of Risk Assessment to Auditing a QCAS
An examination of a QCAS should include a review of the objectives and the financial risks associated with not achieving those objectives. The design of the QCAS should be at a level appropriate to the financial risk associated with producing defective products or services.
COSO’s Enterprise Risk Management: Integrating with Strategy and Performance Compendium of Examples (2018) provides hypothetical examples of various companies, each from a different industry, on how they managed risk. One example relates to a consumer products company that had an “enterprise objective” (i.e., mission) of developing “innovative products to meet customer needs” and set up a system to “better identify and manage company-wide risks.” From this enterprise objective, a specific “business objective and target” (i.e., goal) was established to “develop a plant-based juice product that represents 20% of overall product line.” The compendium illustrates how the company established responsibility to the various departments by creating specific objectives for each department and then identifying the risk for each objective.
Implementing and operating a comprehensive QCAS can be expensive; therefore, a cost-benefit analysis should be made comparing the costs of operating the QCAS to the potential financial risks related to its failure. For example, failure of the QCAS of a paper clip manufacturing company could result in packages containing defective paper clips. While this failure might annoy some customers, it should not pose a significant financial risk to the company. Therefore, the extent and frequency of an examination or audit of the QCAS should be based on consumers’ quality expectations for the product or service, as well as the risk of significant problems if there is a failure in quality control.
Areas related to product safety (e.g., airplane engines, pharmaceuticals) should require more frequent and extensive audits. Also, as previously mentioned, the reputational risk to the company of producing defective products or services should be considered. This is especially important in the modern business environment, where information can spread rapidly through social media. If many options are available in a very competitive marketplace, consumers might switch brands or services due to quality concerns. Quality is especially important for new companies, when consumers are forming their initial opinion of the product or service. For example, if a customer’s first experience at a new restaurant is negative, the chance of their returning for a second meal is slim.
Control Activities
Principles incorporated into this component of COSO’s Internal Control Framework state that an organization should—
- select and develop control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels,
- select and develop general control activities over technology to support the achievement of objectives, and
- deploy control activities through policies that establish what is expected and procedures that put policies into action.
For example, the examination or audit should include a review of the required random inspection of the quality control processes designed to ensure that the product or service conforms with design requirements. The segregation of duties should also be reviewed; one step might be to make sure that the inspector does not actually participate in manufacturing the products or providing the service. Another step might be to make sure that only appropriate personnel have access to the quality control records, to prevent tampering. Establishing a requirement and a process for examination will highlight the importance of quality control and encourage the entity to develop the procedures necessary for an effective QCAS. For an online retail company, a check should be made to see whether a system is in place and operating effectively to make certain that customers’ privacy is protected, such as a random check to ascertain that if a customer opts out of sharing personal information with third parties, this request is actually implemented.
Information and Communication
Principles incorporated into this component of COSO’s Internal Control Framework indicate that an organization should—
- obtain or generate and use relevant, quality information to support the functioning of internal control;
- internally communicate information, including objectives and responsibilities necessary to support the functioning of internal controls; and
- communicate with external parties regarding matters affecting the functioning of internal control.
CPAs should, for example, ascertain whether 1) the QCAS policies and processes are documented and properly communicated to appropriate personnel and 2) any changes in quality control goals and objectives are communicated to all appropriate personnel and incorporated into the quality control manual. In addition, it should be determined whether procedures are in place whereby a problem with quality would be properly communicated to the appropriate individuals.
Monitoring Activities
Principles incorporated into this component of COSO’s Internal Control Framework state that an organization should—
- select, develop, and perform ongoing or separate evaluations to ascertain whether the components of internal control are present and functioning; and
- evaluate and communicate internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
For example, a check should be made that upper management has an ongoing review process (which might include the internal audit process) implemented and documented to assess the effectiveness of its QCAS. The examination should check that deficiencies are corrected in a timely manner. For example, consider a quality control inspector of a manufacturing plant who occasionally helps the assembly operators manufacture the products. This can be viewed as a violation of segregation of duties and should be communicated to senior management so corrective actions can be taken to address the situation.
As an example relating to services, an internal quality control food inspector for a national restaurant chain should submit his or her reports to the parties responsible for corrective action, where appropriate. The reviewer should check that these processes are in place and being followed, and can also incorporate objectives and processes associated with prevention, design, internal failure, and external failure. For example, are reasonable goals being established in the prevention area, or are they unrealistic, such as requiring zero defects when the company quality policy does not mandate zero defects? If an external auditor performs the examination of the QCAS, an opinion regarding the QCAS should be issued, along with an opinion on the financial statements and internal controls.
Quality Matters
A QCAS should be in place and effectively functioning to ensure that products are manufactured or services are provided according to company specifications. Publicly traded companies should be required to have a periodic examination of their QCASs by either the external auditors, as part of the annual audit of financial statements, or as a separate agreed-upon procedures engagement in conjunction with internal auditors or corporate compliance officers. In the meantime, companies should require their internal auditors or CCOs to perform a risk assessment and engage in periodic examinations of their QCASs.