Contemplating Six Sigma and Internal Control

For my first blog at iSixSigma, I would like to contemplate disciplines that are slow to embrace Six Sigma but need it most: internal control and enterprise risk management. Passage of the Sarbanes Oxley Act of 2002 thrust these domains into the limelight. The Committee of Sponsoring Organizations (COSO) defines enterprise risk management as follows:

“Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

COSO’s definition and several internal control concepts evoke quality: risk management is quality management; risk appetite sounds like fault tolerance; reasonable assurance regarding achievement of objectives depends on satisfying expectations of customers and regulators.

Language is a barrier to Six Sigma penetrating internal control disciplines. Ask a focus group of CPAs to explain the link between defects per unit and risk of misstatement, and many will scratch their heads. Risk of misstatement — inherent or residual risk of events giving rise to a significant or material misstatement of financial results — becomes heady as soon as discussion turns to assertions, materiality, control objectives, fraud considerations and methods of reaching conclusions (e.g., probability, belief-function theory, fuzzy logic). Translated into practice, Six Sigma can be a powerful tool for internal control practices: business process management and DMAIC are a systematic way to baseline and improve internal controls over financial reporting, compliance and operations. Co-evolution of these disciplines needs to occur, as managers strive for systematic thinking, discipline and cost savings in their Sarbanes Oxley programs.


Integration of Six Sigma, internal control and enterprise risk management disciplines will progress over time. Six Sigma deployment in finance, accounting and compliance functions is young relative to manufacturing and operations. Internal control disciplines are just passing through the first two years of Sarbanes Oxley compliance. Using voice of the customer to drive compliance monitoring, measurement of control effects and testing of key controls will become mainstream. Your thoughts, experiences and knowledge sharing are encouraged.

Comments 4

  1. Nishanth Nottath

    Can't agree more with Charles. Being a Chartered Accountant with Black belt certification, I can fully vouch for the thought direction proposed by Charles. Controls sector in finance is an extremely grey area, especially as risks are like extremely fluid goalposts – they keep shifting even before you yet get to touch the ball. Unlike a rigid measure in manufacturing or process oriented services, quantification and characterisation of risk hardly has any universal common denominator – it is highly subjective and dependent on individual organisations and personnel. In my opinion, pushing thoughts and actions towards standardisation of risk evaluation and measurement are probably the key to widespread use and appreciation of Six Sigma in this field. Maybe BASEL 2 is a good start.

  2. Ian Hord

    As a risk manager and ex-consultant, we have always struggled to measure the effectiveness of risk management. Often I am only able to measure a good loss prevention programme when nothing happens! i.e. no insurance claims or lost time injuries. We then get the question, are we spending too much on risk management?

    Financial risk management is easy. There are loads of numbers to play with. On the more subjective issues such as strategic risk, property protection and liability, things get muddy. Issues like culture and perception get in the way.

    One of the best standards that could be applied to 6 sigma would be the Australian Standard 4360. It is a simple process with a review loop, a little like 6 sigma.

  3. Charles

    Ian and Nishanth – thank you for the comments! I read Australian Standard 4360; you’re right, it’s simple and has a similar logic. The reference is appreciated.

  4. McInnis

    As a CPA in the US learning about Lean Six Sigma (black belt), I would have to disagree and say that Lean Six Sigma training is totally lacking in describing the financial importance of internal control policies and procedures and the consequences for lack of compliance financially and with respect to financial controls, regulatory agencies, shareholders, creditors, etc. There are also controls designed to reduce the likelihood of certain risks, especially those with potential for litigation and accusations of negligence and gross negligence. In Six Sigma, these types of controls are not mentioned when evaluating processes. Organizations weave internal control procedures into regular procedures that most of the time “owners of the process” are not necessarily aware of or can fully grasp their purpose or importance. If you ask a “process owner” what steps they believe do not “add value” to the customer, those would be the first to go. Although Six Sigma deals with major business processes, it does not list financial / accounting / risk management units as potential major stakeholders when developing project charters to revamp processes. There is also a Six Sigma “word usage” barrier, because it utilizes old manufacturing terms to describe everything, it uses statistical instead of business terminology and uses awkward descriptions based on Japanese language translations instead of utilizing normal business terminology that would foster better communication. As to the “link of the defects per unit to the risk of misstatement on the financial statement” question – that would be a loaded question to a CPA. First, in Six Sigma, the term “defect” is used to describe any non-conformance, error, variation, etc. and that is not correct financially. If I viewed the question from a financial perspective (not Six Sigma speak), a defect per unit would imply that the business is producing defective products.

    Defective products would mean financial losses (wasted and unsold products, refunds, recalls, lost customers, etc.). They would also represent potential lawsuits with serious financial consequences due to litigation, not to mention the financial consequences due to loss of goodwill and reputation, which can financially take down an organization depending on the product, the defect, whether it is the result of negligence or gross negligence, or the defect and type of injury, etc. The other issue is that it would represent a serious internal control violation, as it would mean that no controls were in place to prevent the production of defective units, or that those in place are very weak, or that certain employees have overridden the controls – all of which are serious internal control violations. Serious internal control violations impact the validity of all financial information on the financial statements, as the financial statements are only as financially reliable as the strength of the organization’s internal control system.

Leave a Reply