Risk Management

Who’s Controlling the Controller?

While debate goes on over internal control requirements for public companies of all sizes, private companies face control risks that range from ove...
Helen ShawAugust 28, 2006

One of the greatest sources of controversy in the business world in recent months has been whether small public companies are capable of maintaining the level of internal controls prescribed by section 404 of the Sarbanes-Oxley Act.

But even as that debate rages on, say experts, private companies — which are not subject to Sarbanes-Oxley — face serious threats as a result of poor internal controls. And the smaller their staffs, and the fewer their resources, the greater the risks.

For instance, during one audit of a small company, Ken Goldmann, a partner in J.H. Cohn’s SEC practice, realized that a controller had decided — independently — that the company would not pay its payroll taxes. “The company was short some cash and he felt it was more important to pay accounts payable when they were due than to pay the IRS,” recalls Goldmann. Such a situation poses not only the threat of a regulatory backlash, but also personal liability for the firm’s owner.

“If employees believe the tone at the top is missing or senior executives are playing fast and loose, they will be more likely to think they can engage [in unethical behavior] and will be more reluctant to come forward if they see abuse,” adds John Carney, a partner at law firm Baker Hostetler.

Indeed, a recent paper by PricewaterhouseCooopers says that a poor control environment is the greatest risk a private company can face. Without a clear “tone at the top,” demonstrated by management’s integrity and concern for the business, the report notes, such companies are likely to lack efforts to promote ethical behavior, a written code of conduct, an ethics hot line, or an advisory board in an oversight role.

Of course, for very small companies, the lack of an ethics hotline might seem like an acceptable risk to take. But other risks, such as the dangers inherent in the near ubiquitous use of Excel spreadsheets, are more threatening. Controls over spreadsheets are extremely weak in small companies, says Goldmann. Most companies rely upon such programs, and studies have noted that the more complex the spreadsheet, the more likely it is to contain errors.

In one case, a management review of financial reports before it filed its tax returns and finalized its financial statements spared the company from a spreadsheet error of about $500,000, said Goldmann. The error stemmed from the spreadsheet that priced inventory per piece rather than per 100 pieces. If management had not caught the error, the company would have overstated inventory and income to its banks and investors, overpaid its taxes, and management would have been convinced the company was more profitable than it was.

And while that example is more suggestive of a mistake than a control failure, a lack of controls over transactions can result in inappropriate recording of revenue, theft of inventory and cash, and excess inventory purchases, among other hazards. For instance, companies with inventory that is immediately marketable or consumable, such as electronic products, are likely to experience employee theft problems if the internal control environment isn’t sufficient, says Goldmann.

Effective internal controls in a private company, regardless of whether it intends to go public someday, also can reduce borrowing costs and improve the chances that a prospective business partner will pay a premium for the company. They also help firms comply with the highly regulated business environment, said Carney. A recent increase in the complexity of laws concerning taxes, money laundering, bribery and other areas could expose a company to criminal prosecution and a loss of reputation, Carney notes.

Fortunately, there is some help for small, private companies, and it comes from their publicly traded counterparts. The concerns voiced by small public-companies over the cost of compliance with the Sarbanes-Oxley Act, particularly the provision that requires executive certification of internal control effectiveness, prompted the Committee of Sponsoring Organizations of the Treadway Commission (COSO) to release new guidance for smaller companies. The guidance aims to provide a cost-effective approach to assessing controls over financial reporting in response to a small-company outcry against the cost of compliance with the Sarbanes-Oxley Act.

The new COSO guidance, Goldmann says, “is meant for smaller public companies, but it is certainly applicable to the small, private company as well.” All companies, including the one with the wayward controller, may want to take note.