In 2004, a small and relatively young technology company (7,500 employees and an annual revenue of $2 billion) implemented the Public Company Accounting Reform and Investor Protection Act of 2002, or what is usually referred to as the Sarbanes-Oxley Act (SOX). In an effort to be fully compliant the company identified and initiated more than 300 new and existing audit points.
The initial plan for controlling the audit points was to establish a group 30 or more auditors who would be responsible for checking whether “signature verifications” exist for each control point. The auditors would work with the “owner” of each control point to obtain the necessary documentation.
Since the company did not have 30 internal auditors they could use to staff the group, management decided to use a few of its own staff and then hired an external consulting firm to fill the remaining positions. Part of the plan was that the external consultants would be phased out over time. The company estimated that the internal staff on the audit group would need to spend no more than 25 to 50 percent of their time monitoring the control points. The expectation was that they would spend the remainder of their time acting as project managers for improvement projects.
A Year Later: Not Much Progress
A year later, nothing had gone according to plan. During 2005, the audit group was still under development and the company was still shelling out big dollars for external consultants. Internally, many of the owners of the control points were struggling because they had so much data and documentation to organize.
In an attempt to solve the problem, the company launched a Six Sigma DMAIC project sponsored by the director of finance to improve the SOX audit process. The team included several internal auditors, control owners and external audit support (consultants). The objective of the group was to improve the quality of the SOX compliance while reducing the cost. Estimated financial benefit could be up to $2 million (the cost of paying the external consulting firm to do the work that the company had wanted to accomplish through an internal audit group) plus what was expected to be significant time savings.
Going into the project, the team evaluated the key issues that were driving the company’s inability to support the SOX implementation as it currently existed. The team also mapped out several control points. The top issues that came from the customer feedback and mapping included:
1. Excessive number of manual controls.
2. Lack of tie in between the control points and the day to day work.
3. Redundancy of the control points.
4. Inability of control point to effectively measure targeted process.
Addressing the Problems with DMAIC Project
Figure below, for example, shows a schematic of a typical problem. The process depicted has three identified “control points,” each requiring signature verification by a manager. But in essence, Point A and Point B verification were redundant to Point C verification which essentially duplicated the verifications at Points A and B. But since all three were identified as control points, all three had to be audited.
The team developed a three-phase plan to address the key issues, a summarized in the table below.
Multi-Generation Project Plan | |||
 |
Generation 1 |
Generation 2 |
Generation 3 |
Vision | > Remove redundant controls | > Build controls into day-to-day work | > Automate controls that were open to automation |
Process Generation |
> Identify and evaluate all SOX controls currently in place > Review processes including controls for redundancy and best control point |
> Embed control points into the day-to-day work of the process > Make them standard operating procedure |
> Automate as many control points as possible to help mistake proof and relieve work load from control owner |
Platforms/ Technology |
> Identify and modify all spreadsheets, databases and other documentation for managing current process | > To be determined | > Electronic control where possible > Target 90% or greater automation |
The phasing of the plan was critical in that it addressed not only the technical aspects of control management and implementation, but also the change management aspect of teaching control owners how to own and respond to the control point. In addition, it minimized the cost and risk of over-automation or automation of unnecessary control points.
Agreement on the plan and its stages by the project team, senior management and control owners was critical because of the nature of the project and the environment of the organization. Control owners had been trying to manage the control points manually for almost two years at this point in the project. These individuals were technologically savvy and were capable of automating current control points on their own. If they did so outside of the course of the project, that would likely mean additional work for the team and additional unnecessary cost accrued by the organization. However, patience also would be required on the stakeholders’ part because of the volume of controls and processes that would need to be reviewed and evaluated. The team would not be able to address all of the processes and controls prior to the next annual SOX audit.
Only Partial Buy-in from Senior Management
Unfortunately, the team was able to achieve only partial buy-in by senior management and control owners. After much discussion between the project sponsor, Master Black Belt and director of continuous improvement, they agreed to press forward with the objective of addressing areas with the largest number of control points first to demonstrate success and hopefully build greater support. The basis of this decision was two fold:
- First was the fact that the Six Sigma initiative was very new in the organization and the director of continuous improvement felt that it could be a high profile success that had positive impact across the company. Success in this project could drive buy-in for future projects and the fact that it touched many potential sponsors was just an added benefit.
- The second driver for the decision was that the finance director did have the manpower to drive this scale of analysis on his own and the CEO, CFO and many other directors were pushing for some kind of solution. Supporting the analysis as a Lean Six Sigma project provided the finance director with manpower and deniability should something politically contentious occur.
The Master Black Belt was not in full support of continuing the project at this time due to lack of support from stakeholders. Prior experience had indicated that buy-in by key stakeholders was critical to success and when it was missing it increased the risk of failure by greater than 50 percent.
Small Successes, but Project Ends in Failure
The project team did achieve success in a number of areas, primarily supply chain and order management focused processes. Through process maps, it identified the SOX control points and demonstrated the redundancy of audit work (like the three control points in the figure above). The team was then able to go in and either prove the value of a control point or redesign it to create value for the process owner. This encouraged team members to monitor the key control point (Point C versus Points A and B) because taking that action benefited the process owner and the process on a day-to-day basis.
However, the project did not have a successful ending. Speed was a continuing issue and both the control point owners and senior management continued to push for immediate automation…which is what happened in the end. Management decided that it was more important to automate the control points to reduce the work load of the control owners than go through the complete analysis.
Since only about only about half of the existing audit points could be automated – and only a fraction of control points were eliminated during the project – the time savings for the control point owners was minimal. In addition, when the auditors came around to do the control point check, the control owner now had to spend more time working with them because the auditor did not have access to many of the newly automated systems that the control point data resided in.
By 2006, the organization still had more than 250 SOX control points, the internal audit group had been disbanded, and the company was still paying more than $2 million annually to the external consulting firm for audit duties. In addition, the cost of automating the control points exceeded $500,000.
Key Learnings from a Project Failure
There are several ways in the failure outlined could have been avoided by the organization.
Lean Six Sigma is a methodology that is focused on understanding, improving and controlling processes. If the organization had taken the time at the front end of SOX implementation to look strategically at its key processes, understand them and identify what points needed to be controlled (all part of the Lean Six Sigma tool set) the company could have more effectively implemented SOX controls from the beginning. The DMAIC road map is designed to analyze and control processes and Kaizen events could have been conducted for each key process during which time the process would be mapped, control points identified and implemented without the redundancy experienced in this SOX implementation. In addition, the feasibility of automating the control point could have been evaluated at that time and actions taken to automate the control immediately if it was cost effective to do so. This would have avoided several years worth of frustration by managers and approximately $2 million annually in on-going cost. This is the best case scenario.
Alternately, moving forward from the point that the project team was involved, the team could have achieved success through support from top management. Had the finance director (project Sponsor) supported the team and gained advocacy from the CEO and CFO to enforce the need to delay automation until there was a true understanding of where controls needed to be located, the team would have had the time and backing to achieve the stated goals. Sponsorship is a critical aspect in any Lean Six Sigma project and does not end when a project is handed off to a Belt or team. Project Sponsors are responsible for breaking down barriers (or in this case putting them up) so that a team has the chance to be successful. The success of the team should be important to the project Sponsor because they have to live with the results, or lack there of, for projects that they sponsor. This is the second best scenario.
Canceling for Lack of Buy-in Best Course
Finally, lacking timing for the first scenario and the ability to gain buy in for the second the director of continuous improvement should have supported the recommendation of his Master Black Belt to cancel the project. Political issues aside, it is worse to work a project that is destined to fail than to cancel it before a lot of time and effort is put into it. That is especially true at the start of a deployment. In addition, the time and resources spent on the SOX project could have been better applied to other high profile issues achieving the targeted buy-in. Canceling a project because of lack of support, after all avenues to achieve support have been addressed, is not a failure – it is a success. It demonstrates that the team understands the critical nature of stakeholder buy-in for achieving organizational goals and that the organization understands that Lean Six Sigma resources are too valuable to waste on something that the company does not consider important enough to finish.