CSA Sentinel - The Institute Of Internal Auditors  


PUBLISHED BY THE INSTITUTE OF INTERNAL AUDITORS
Third Quarter 2006 • Vol. 10 • No. 3

Become a Superhero by Identifying Sarbanes-Oxley Compliance Waste in Your Organization's Program

Not able to jump buildings in a single bound? Can't outrun a speeding train? Suspect you're not immortal? That's okay. These aren't requirements to become a waste-identifying superhero for your organization's Sarbanes-Oxley compliance program.

SUSAN SMITH
PRESIDENT AND CEO
LEAN SOX INC.
TORONTO, CANADA

A clever and proactive protagonist joins an internal audit team to identify and prioritize the removal of waste, creating a leaner internal control compliance program. Using a structured control self-assessment (CSA) approach combined with the valuable techniques provided below, CSA practitioners or internal auditors and the operating staff will collaborate like never before to rid an organization of compliance program waste.

An auditing superhero's mandate is to recommend and deliver quantifiable improvement initiatives. This article provides those interested in becoming a superhero the means to identify the five vilest villains of waste by using a "Most Wanted" list. And, because every superhero needs a super power (i.e., the power of hindsight), you'll also learn about a secret weapon that will provide efficiency metrics to baseline what life was like before your arrival. The following steps have been laid out to guide you on your way to being heralded as the organization's "enforcer of efficiency" who identifies and battles the villains of waste.

STEP 1: CALCULATE A BASELINE USING THE EFFICIENCY CALCULATOR — A MUST-HAVE SECRET WEAPON

Efficiency is found when an organization achieves its objectives in the shortest amount of time, with the least amount of investment, and without compromising its quality or compliance efforts. The efficiency calculator establishes a baseline metric necessary to calculate the waste oozing from a U.S. Sarbanes-Oxley Act of 2002 compliance program. Because every superhero needs a super power, the calculator is a significant source of influence in the eradication of waste and a success metric to validate that improvement initiatives have been achieved. The efficiency calculator complements the CSA practitioner's and internal auditor's objectives to assess controls, while still providing reasonable assurance that all business objectives will be met and promoting a significantly leaner compliance program.

To create a baseline metric, two values must be obtained. The first is the quantity of Sarbanes-Oxley-related risks identified in an organization's financial reporting process. Even the most experienced CSA practitioner or internal auditor can have difficulty finding this number, as organizations often lose track of risks while focusing on controls. Perseverance by the superhero should prevail, although creating the baseline metric may require a manual count of documented risks.

The second value required is the quantity of internal controls. This number is more easily calculated because internal controls are over-documented in narratives, spreadsheets, and process maps most of the time. For example, an accurate count of controls can be achieved by understanding that one control could be considered a key and a lock, whereas a key and lock combined with a security guard would be two controls. Multiple controls strung together with sequential steps are often mistaken as one control, when in fact, several controls exist. To ensure precision in creating this secret weapon, every control must be counted separately.

With the risk and control quantities now counted and calculated, the efficiency calculator can be constructed to create a risk-to-control ratio. To create this ratio, divide the number of risks by the number of controls (e.g., risk ÷ control = X). For example, a company with 100 risks and 400 controls would create a ratio of 1:4. This means that for every one risk, there are approximately four controls.

What does this mean to CSA practitioners or internal auditors with a passion for waste elimination? This superhero knows that the efficiency ratio should be as close to 1:1 as possible. Anything over 1:2 means waste is flourishing in an organization's program, and improvement is imperative.

STEP 2: RIGHT THE WRONGS

The evidence of waste can include high audit costs, costly remediation projects, high resource costs, and loss of opportunity. Each of these pain points requires recommendations for improvements and a compliance delivery that is leaner, faster, and cheaper.

To right the wrongs, the "guardian of good" needs to identify these painful areas by searching for where waste hides. According to a 2004 survey conducted by Financial Executives International, an association for chief financial officers and other senior finance executives, Sarbanes-Oxley compliance waste is partially responsible for the cost of compliance being 62 percent more than originally expected. So, where is the waste hiding? The following "Most Wanted" list can help the superhero locate these villains by describing five areas of waste that organizations must battle:

  1. Controls (e.g., an excessive number of controls or more than required; controls written in a complex manner; controls not described relative to specific financial reporting risks).
  2. Risks (e.g., risks not assessed for both the severity and probability of occurrence).
  3. Documentation (e.g., lengthy and complex documentation).
  4. Test plans (e.g., recreating or revising tests that fail to produce evidence).
  5. Evidence management (e.g., evidence that is not easily retrieved).

To make and sustain an impact, our superhero-in-training should validate how many of these villains are hiding in the organization, thereby identifying where streamlining opportunities exist. The cost of resources, time, and effort to eradicate each villain must be compared to the same costs associated with allowing the villain to remain, and the superhero should assign a higher priority to those villains who would show the greatest return.

A Closer Look

Of the five villains, the most frequent offenders are found in controls. Why? The reason is misguidance given to management earlier in the process when interpreting Sarbanes-Oxley requirements. At that time, the perception of quantity, rather than quality, was considered a greater source of confidence in internal control over risks in financial reporting.

The second most frequent offenders are found in risks. Many organizations subjectively evaluate the severity of risks. This subjective evaluation is weakened further by the use of ambiguous terms, such as high, medium, and low. In addition, the probability of occurrence sometimes is overlooked during the evaluation process. Often, risks ranked with a high severity were managed by newly implemented, costly internal controls. In actuality, their probability of occurrence was very low to rare, which did not justify the control investment. By establishing qualitative definitions and rankings for each level of severity and occurrence, the "guardian of goodness" can make an actionable risk ranking that is understood by all.

With both control and risk waste now identified in an organization, the auditing superhero must prioritize these opportunities to achieve efficiency. To do this effectively, the cost of waste needs to be calculated to estimate the biggest return on investment. There are numerous costing-model tools that provide a quantifiable dollar savings. For example, to calculate control waste, evaluate the approximate costs of maintaining a control year-over-year. This cost-of-waste exercise provides a quantifiable estimated savings that can be used to prioritize waste reduction opportunities. Although there are many costs associated with waste, conservative estimates are best to remain a credible "enforcer of efficiency."

The superhero-in-training will revel in the downstream impact found in eliminating waste in risk and control. Further savings are easily seen in the final three waste-generators — documentation, test plans, and evidence — which cannot hide behind the obesity of a wasteful Sarbanes-Oxley compliance program once the two largest generators are streamlined. In a direct correlation with reducing waste and lowering the quantity of risks and controls, documentation revised to support this smaller population provides the benefit of being more economical. In a similar fashion, test plans and evidence gathering are reduced in resources, effort, and time.

STEP 3: ERADICATE WASTE THROUGH IMPROVEMENT INITIATIVES

With management reports providing quarterly updates on the reduction of operating costs, the perfect solution to eradicating waste is to carve out 12-week waste-reduction goals to fit within that schedule. The "dependable champion" must first set a goal that improves on a baseline ratio, established in Step 1, by an achievable target. Many organizations should strive to achieve a one-control to one-risk ratio. However, this may be too much to accomplish in a 12-week period. By creating a manageable target goal, improvement initiatives can be accomplished easily. Furthermore, by reviewing progress each quarter and redefining goals, our superhero can work continuously to achieve the ideal ratio.

Superheroes who understand the value of gaining management's buy-in recognize that it's easier to achieve when exciting initiatives are accompanied by quantifiable cost savings. CSA practitioners and internal auditors can start by validating the estimate outlined in Step 2. When cost savings and waste costs are reported together, the initiative becomes even more powerful.

Knowing that the biggest offender of waste is control, the superhero can focus on achieving his or her first targeted ratio by:

  1. Associating controls to risks (e.g., what use is a control — like the relationship between a key and a lock — if it is not associated with the risk of unauthorized access?)
  2. Identifying areas of overcompensation (e.g., are 10 controls really necessary to manage a single associated risk?)
  3. Weeding out weaker controls, leaving the strongest to neutralize or minimize the risk.

The combat of evil waste should not compromise the integrity of an organization's compliance program. Metrics justifying a leaner Sarbanes-Oxley compliance program may be required to provide assurance to auditors that it does not reflect increasing risks to financial reporting. Measuring the strength of the control in a similar manner to the risk assessment methods mentioned in Step 2 will help create a qualitative metric to justify a dramatic reduction in controls.

SUPERHERO'S STREAMLINING EFFORTS SAVE THE DAY

The need for superhero-style CSA practitioners and internal auditors has never been stronger. There is a common desire to "make it better" within organizations struggling with the high costs and distraction to comply with Sarbanes-Oxley. Armed with a CSA certification and the delivery of insightful recommendations, a CSA practitioner or internal auditor can make substantial improvements to the current standards. Even the most demure individual will seem larger than life when seen shrinking mammoth-sized Sarbanes-Oxley compliance programs. CSA practitioners and internal auditors may look like everyone else, but inside each Clark Kent-persona lurks a creative champion who will strive to provide clarity where chaos exists.


Susan Smith is a leader in applying Lean/Six Sigma techniques to internal control compliance programs and the founder of Lean SOX Inc., a global provider of LITEC® tools and methods. Smith specializes in creating qualitative arguments for organizations seeking to justify their audits for a dramatically leaner Sarbanes-Oxley compliance program.