The SOX 404 Compliance Beast - Sfmagazine

Adapting Six Sigma to Help Tame the SOX 404 Compliance Beast

By Paul E. Juras, CMA, CPA; Dale R. Martin; and George R. Aldhizer, III, CPA

Strategic Finance, March 2007. Annual Conference Topic: Business Processes.

Public companies have been wrestling with output errors, excessive cycle times, cumbersome processes, and out-of-control costs over the past three years. Sounds like problems unique to manufacturing, doesn’t it? In two separate surveys, many public companies recently identified these same issues when trying to address Sarbanes-Oxley (SOX) Section 404 compliance requirements. The solution may be Six Sigma, a technique that grew out of manufacturing.

The challenge to address SOX began when Congress passed the Sarbanes-Oxley Act in 2002 to help restore investor confidence in public companies’ financial reporting. SOX 404 requires management of public companies to issue an annual assessment of internal control effectiveness over financial reporting. External auditors must attest to the accuracy of management’s internal control assessment in conjunction with their audit of the company’s financial statements.

Looking back, SOX 404 implementation was a nightmare for the larger public companies first required to comply with the regulation. In addition to skyrocketing external audit fees, it required a massive investment in management time and resources. In spite of these investments, the 2005 Ernst & Young study “Emerging Trends in Internal Controls” indicated that about 14% of these companies reported ineffective internal controls in the form of one or more material weaknesses during 2005. The sheer volume of recently reported internal control weaknesses and earnings restatements suggests that companies need more effective control structures to ensure more reliable financial disclosures. The problem is likely to expand as smaller public companies begin to comply with SOX 404 testing and disclosure requirements in early 2008.

Although eliminating internal control failure defects is important, you can’t ignore process efficiency. Over the last two years, much attention has been directed toward the increased cost of the external audit process, but recent surveys indicate that most companies’ internal SOX 404 costs (including outside consultant fees) have exceeded their external audit fees. These surveys also indicate that most companies won’t experience a significant decline in SOX 404 compliance costs in the near future. So even though most companies felt they gained valuable operational insights in 2004 and 2005, the majority continue to wrestle with how to implement a cost-efficient process that still fully adheres to Sarbanes-Oxley regulations.

The Six Sigma process may enable management to tame the compliance beast through enhancing the efficiency and effectiveness of business processes and related controls. Motorola created Six Sigma in 1987, and, since then, countless other organizations have employed it. Most accountants have probably heard of Six Sigma because it has often been touted as one of the most powerful tools for achieving significant quality improvement. This description leads many to think of it as a technique for manufacturing environments, but Six Sigma emphasizes process control that service environments have used effectively in recent years.
Companies have even used Six Sigma to control costs in financial reporting and many other functional areas where a company needs a continuous process and desires continuous improvement.

A sustainable approach to SOX 404 requires a transition in both form and function from a one-time project approach to a mode in which compliance is a well-controlled process that’s integrated into a company’s daily operations. This transition is crucial since top management must now certify quarterly and annual financial reports under SOX Section 302 and thus expose themselves to potential criminal penalties if material fraud is subsequently discovered within these statements. Effective internal controls over financial reporting can reduce this fraud risk. Companies must recognize and proactively address the impact of changes in their business processes, such as changes due to new system implementations. These changes may create opportunities for new control lapses that may impact their ability to sustain SOX compliance or hinder actual operations. A successful approach will require a focused, defined program designed to operate year after year as a natural part of the business.

The transition from a project to a process mode won’t occur without forethought and a structured approach to implementation. Embedding compliance firmly into ongoing operations will require an organizational structure with clear accountability, an efficient operating structure, and an effective monitoring system to measure the results. This approach will enable companies to build upon what was done in previous years to help make processes more efficient in future years. We’ll explain how you can integrate an effective SOX 404 compliance plan into normal business operations using Six Sigma.

Table 1: Seven-Step Six Sigma Process Related to SOX Compliance
(Columns: Seven-Step Process; Execution; Relating Execution to SOX Compliance)

1. Top management commitment
   Execution: Provide clear communication of why the company is using Six Sigma and what the business goals are.
   Relating to SOX compliance: The requirement to sign off on the effectiveness of controls should result in an enhanced level of commitment to develop effective processes.

2. Identify appropriate processes
   Execution: Start with the desired output to satisfy the customer (internal or external), and work backward to identify the steps and processes involved.
   Relating to SOX compliance: Use tools such as a fraud map to identify critical business processes with the highest risk of fraud.

3. Establish teams
   Execution: Establish teams with a cross-functional set of employees who have significant connections with the identified process.
   Relating to SOX compliance: Include process owners who are held accountable for control effectiveness within their business units.

4. Provide appropriate training
   Execution: Provide the right tools and measures for the organization’s cultural environment, and teach team members how to use them.
   Relating to SOX compliance: Provide training on SOX requirements, key business process controls, and the analytical tools that can be used to manage the process.

5. Develop action plan with clear goals
   Execution: Define the project’s scope, purpose, and expected benefit, including any project milestones; then map the process to clearly define outputs, inputs, and needed process resources.
   Relating to SOX compliance: The team should develop action plans and goals that are consistent with the objectives established by the CICO to ensure compliance with SOX 404.

6. Measure and communicate results
   Execution: Teams apply the appropriate analytical tools to identify the root causes of the problems and then suggest new processes or changes to existing processes to eliminate the root causes.
   Relating to SOX compliance: The CICO should be aware of all process changes, should be the central location for reporting all control testing exceptions, and should provide consistent guidelines to evaluate their relative magnitude.

7. Implement change, and continuously monitor the process
   Execution: Select and implement process changes to reduce the variability of resource demands; then implement measures to help ensure that eliminated problems don’t return.
   Relating to SOX compliance: The CICO should develop standards for approving all process changes, and the CICO and the process owners should also determine efficient remediation approaches to reduce the likelihood of similar control weaknesses in the future.

RELATING SIX SIGMA TO SOX 404 COMPLIANCE

SOX 404 requires companies to identify errors in data generation or weaknesses in internal control processes. When problems or defects are found, remediation is necessary. Usually the defects are associated with variations in prescribed business processes. One Six Sigma goal is to standardize processes, thereby reducing defects that a process generates. In effect, this means companies should rarely, if ever, incur a defect. As a result, you should see a substantial reduction in remediation costs and an increase in confidence in those attesting to the effectiveness of the company’s internal controls.

A 2005 KPMG tax department survey of its clients indicated that the tremendous increase in compliance work was making it more difficult for clients to meet reporting deadlines. This suggests that companies must streamline underlying business processes to decrease their cycle time. A process improvement methodology, Six Sigma focuses on reducing the variation within business processes and providing a framework for improving the process by empowering employees to redesign workflows for optimal outcomes, efficiencies, and savings. It uses a team approach to introduce and incorporate various analytical tools into the organization to improve performance through better control of resource utilization (costs) and increased customer satisfaction.

There’s no economic rationale for performing processes that aren’t related to increased customer satisfaction. In a SOX 404 environment, the customers are not only the regulators, reporting agencies, and investors, but they are also external auditors who must attest to the accuracy of management’s internal control assessment. Six Sigma uses the voice of the customer and objective data, rather than anecdotal opinions, to improve business processes and eliminate steps or entire processes that don’t support this objective.

ADAPTING SIX SIGMA

While the Six Sigma process has a widely accepted framework, adaptations are necessary to apply it to a service environment. We offer a seven-step approach to maximize Six Sigma’s implementation, which includes:

1. Obtain top management commitment,
2. Identify appropriate processes,
3. Establish teams,
4. Provide appropriate training,
5. Develop an action plan with clear goals,
6. Measure and communicate results, and
7. Implement changes and monitor to ensure improvements continue.

Now let’s discuss how you can embed the Six Sigma seven-step approach into normal business operations. A brief description of the seven steps and their relationship to SOX compliance appears in Table 1.

Top Management Commitment. Top management was shocked at the multibillion-dollar cost of initial compliance with SOX 404.
But these compliance costs aren’t likely to decline unless you identify creative solutions. Admittedly, a successful Six Sigma adoption will require additional resources and a sustained long-term commitment to training the various project team members in Six Sigma methodology. In the long run, however, it should cost less to prevent compliance defects than to correct the defects through appropriate remediation.

Unless your company’s CEO and CFO are committed to Six Sigma, it won’t succeed. Top management must serve as a change agent by eliminating whatever obstacles to change arise. Change often brings uncertainty, which may lead to resistance, and resistance to change is one major obstacle to Six Sigma success. Top management also needs to stir things up and communicate a sense of urgency. Companies that have successfully implemented a Six Sigma program have done so because they have made it a significant priority. An effective way to demonstrate that Six Sigma is a priority is to designate a chief internal control officer (CICO) who will own SOX 404 compliance processes and champion using Six Sigma to better control these required compliance costs.

Top management can delegate to someone the responsibility to oversee and execute individual projects but can’t delegate away ultimate responsibility for Six Sigma. Consequently, they must broadly publicize the Six Sigma initiative and also tie it to a vision. Management, perhaps through the CICO, must look into the future and visualize what they want the results of their compliance-focused business processes to be. The vision and related expectations should be realistic, and management must be prepared to follow through on this vision, which may include some organizational changes.

Identify Appropriate Processes. Identifying high-risk processes that need to be controlled is critical to maximizing Six Sigma’s benefits.
Because of a lack of previous testing, many companies in 2004 and early 2005 attempted to document and test as many processes and locations as possible and used the limited time near year-end to remediate any control weaknesses. Unfortunately, management didn’t use a top-down, risk-based approach to identify appropriate processes for detail testing.

In future years, companies should employ a top-down approach that initially focuses on strong entity-level controls to reduce the amount of required business process testing, partly because it may reduce the risk of management override of the controls. Examples of entity-level controls include an effective control environment and corporate antifraud program.

A risk-based approach to identifying high-risk business processes that are ripe for fraud may reduce the overall scope of testing required to comply with SOX 404. Workshops for all levels of management, internal audit, and corporate security can help these groups brainstorm about the business processes with the highest and lowest fraud risk. A fraud map, like the one in Figure 1, is an example of an attention-directing tool for identifying processes related to SOX compliance. Within a single display, the fraud map plots not only the fraud risks within business processes but also the extent of mitigating controls over these risks. Business processes with critical fraud risks plotted in the first and second quarters should receive more attention than business processes with manageable fraud risks plotted in the third and fourth quarters of the graph.

The fraud map also highlights manageable risks that are overcontrolled (third quarter) and critical risks that are undercontrolled (second quarter). A more productive use of scarce resources would involve eliminating unnecessary control procedures within manageable risks and redirecting these resources to critical risk areas.

Figure 1: Fraud Map
[Figure: a two-by-two grid. Vertical axis: level of fraud risk within processes (manageable to critical). Horizontal axis: extent of internal controls (few to extensive).
1st quarter (upper right): critical risks, extensive controls.
2nd quarter (upper left): critical risks, few controls.
3rd quarter (lower right): manageable risks, extensive controls.
4th quarter (lower left): manageable risks, few controls.]

Establish Teams. A critical aspect of ensuring Six Sigma success is providing compliance team members with sufficient authority to streamline identified processes and eliminate control deviations instead of feeling like a bystander. Yet in the first year of SOX 404 compliance, the internal audit department and outside consultants conducted documentation and detailed testing of internal controls almost exclusively. Unfortunately, outside consultants are extremely expensive, and the extensive use of scarce internal audit resources doesn’t allow them to conduct value-added operational audits.

Compliance teams should include process owners who are accountable for the ongoing effectiveness of internal controls within their business unit.
Specifically, they should own supporting process documentation and detailed control testing as well as identify process changes that may result in modifications to process documentation and detailed control testing.

Teams shouldn’t be composed of members from a single functional specialty. All processes require inputs and provide outputs, so you should consider suppliers and customers (internal and external) when you establish a team. You can train control specialists, a select group of process-level employees, to extensively support the business process owners with updating documentation, executing test plans, and evaluating test results. All employees, particularly operational and financial, should obtain updated job descriptions that include detailed SOX 404 compliance responsibilities.

Provide Appropriate Training. Each organization should develop in-house process and control expertise. Achieving this goal will significantly reduce the need for costly consultants and should free up internal audit resources to refocus on performing other value-added activities. To help develop this expertise and create an environment of business process and control ownership, team members should obtain training in selecting and using CICO-approved tools necessary for their project.

You should gear the training toward the teams’ needs so you don’t overburden members and to minimize training time and costs. The CICO should develop and provide guidance related to the level of detail to be included within business process flowcharts, narratives, etc. This approach will allow ongoing training that uses standardized process documentation tools and techniques.

Develop Action Plan with Clear Goals. Remember, a process exists to provide an output. If project teams focus too much attention on how the process operates, they may lose sight of its real end goal.
This focus may result in resources being directed away from the primary objective. Thus, while you should empower teams to take action, top management must oversee project goals. This oversight role can help reduce power struggles that may develop between project teams and also help ensure that action plans are consistent with the clearly defined SOX 404 compliance objectives the CICO establishes. For example, the CICO may set an objective to replace manual controls with more efficient and effective automated controls embedded within enterprise resource planning (ERP) systems. In other circumstances, the CICO may encourage team members to determine ways to streamline existing manual processes and controls.

If the goals and priorities aren’t clear, people may misunderstand the project’s purpose. Clear goals will help you define ways to eliminate defects and establish cost reduction targets.

Measure and Communicate Results. Management must remember that a process may be executed efficiently but still result in internal control deviations. It’s also possible to have a process that generates no control violations but is executed inefficiently. Such a process would still be out of control. The goal is to measure the inputs, tasks, and outputs to identify inefficiencies and deviations.

It’s also important that you measure the right critical elements. Erroneous measures that don’t capture the key items of interest will waste time and money. For example, hours of training may be an appropriate measure of commitment to training and education, but it isn’t an objective, quantitative measure of quality or quality improvement.

Once you collect the measures, the CICO should be the central location for reporting all control process defects (e.g., control exceptions and process inefficiencies) to ensure that consistent guidelines are applied in evaluating the relative magnitude of each defect. As process owners gain more experience and comfort with Six Sigma concepts, you can identify best practices, and the CICO can call regular meetings to share this information across all process owners.

Implement Change, and Continuously Monitor the Process. Minimizing variations within a business process can help decrease inefficiencies and the occurrence of control violations. Because process inefficiencies may occur at the point of interaction between two or more departments, corrective action may require changes within a single department’s boundaries or across multiple department boundaries. Be warned, however, that any change to a process can present the opportunity for new inefficiencies and control lapses.
The CICO, therefore, should develop standards for the ongoing development and approval of both minor and major process changes and be informed of any significant changes to business processes.

The CICO also should work closely with process owners to determine the most efficient remediation approach to reduce the likelihood of regressing to the way it has always been done. He or she should follow this agreed-upon remediation approach with progress reports and the status of control retesting by process owners. The most effective means for implementing changes will be through employees’ annual performance evaluations. Specifically, all employees, especially process owners, should be held accountable for the efficient execution of processes while complying with all related controls within their business units or departments. The higher the number and magnitude of control remediations per period, the lower the evaluated performance should be for a given metric.

COST-EFFECTIVE COMPLIANCE

The SOX 404 compliance process has expanded public companies’ reporting responsibilities and increased the workloads of management and staff. Companies recognize the need to monitor and control changing business processes and their related internal controls as a part of sustaining SOX 404 compliance. Now they know it isn’t a one-time project and cost but a required business process they must sustain. That’s why companies must find ways to become more effective and efficient, and Six Sigma should help.

This systematic methodology can help get and keep processes under control so management can comply with SOX 404 reporting requirements more cost effectively. Yet management should keep in mind that Six Sigma is a tool, and, like any tool, it’s most effective when you use it properly. The long-term improvements in process efficiencies and employee buy-in should significantly reduce the cost of SOX 404 compliance and should result in far fewer publicly reported internal control material weaknesses.
The money spent on reducing the root causes of operational inefficiencies should benefit the company for many years.

Paul E. Juras, Ph.D., CMA, CPA, is an associate professor of accountancy in the Calloway School of Business at Wake Forest University. You can reach him at (336) 758-4836 and Juras@wfu.edu.

Dale R. Martin, DBA, is the Wayne Calloway Professor of Accountancy at Wake Forest University. You can reach Dale at (336) 758-5784 and Martin@wfu.edu.

George R. Aldhizer, III, Ph.D., CIA, CPA, CFE, is an associate professor of accountancy and the PricewaterhouseCoopers Professor for Academic Excellence at Wake Forest University. You can contact him at (336) 758-5778 and Aldhizgr@wfu.edu.

SOX, Six Sigma, and business processes are topics at IMA’s Annual Conference June 16-20. For details, visit www.imaconference.org.
