Public and private companies are subject to different regulatory requirements relating to their financial and operational disclosures, including to whom the disclosures are provided and the level of detail they should contain. Nevertheless, any business can benefit from having transparent financial and operational information available for decision-making and reporting to stakeholders.
As the owner, executive, or investor of a private company, what can you do to increase your certainty about the information coming to you from across the enterprise?
Whether your company is venture-backed, funded by private equity investors, or a family business, internal controls are an important part of the answer as you grow. They can be an integral part of operations that can help mitigate risks and add business value.
It’s important to note that effective internal controls don’t need to be complicated. They should be designed to address the particular risks your company may face, and the specific information needs of management. Their performance should be consistent and repeatable. When they are a natural part of the process, they are likely to operate more effectively if they have been designed with the related risk in mind.
A thoughtful risk assessment can help you identify which critical processes might be susceptible to errors and create quantitatively and qualitatively significant risks for your company. Essentially, a risk assessment helps you critically think about and answer questions such as:
- Who are my stakeholders?
- What are our key business risks?
- What information can help us manage identified risks?
- How susceptible to error is the information we currently have, and how can that affect strategic decisions and governance obligations?
- What resources do we need to address these risks?
Once you’ve identified and prioritized potential risks, it’s important to understand the nature and extent of your company’s exposure. That means analyzing related processes and identifying gaps or weaknesses that can lead to potential problems.
Designing and implementing internal controls is a multistep process. After performing a risk assessment and identifying specific areas of risk, you should try to gain a clear picture of “what could go wrong” in each area—a prerequisite to understanding your company’s risks and designing effective internal controls. Once risks or risk areas have been identified, categorized, and prioritized, it’s important to consider what type of internal controls could best mitigate those risks—i.e., preventive or detective, manual or automated.
As you implement the controls, don’t underestimate the importance of clear and detailed documentation. Control owners—those people responsible for performing the control activities—will only be effective if they have a clear understanding of the process related to the control and the internal control design itself.
With documented controls in place, it’s time to close the loop on the controls environment by developing an effective monitoring program that can help you sustain, monitor, and rationalize the controls over time.
An important aspect of a system of internal controls is determining how to sustain their effectiveness and, optimally, improve them over time.
It may be tempting to jump right in and start reviewing controls. However, it’s important first to consider the following questions:
- Who will be on the monitoring team?
- What is expected of team members?
- How will control deficiencies be defined and identified?
Your monitoring program should clearly define expectations for when and how deficiencies are identified, as well as an escalation process that enables the monitoring team to address them effectively and in a timely manner.
As your company grows, its business and operating models may change, mergers or acquisitions may be undertaken, market conditions may shift, and new product opportunities may arise. It’s important to step back periodically and assess whether you’ve identified all material applicable risks to your company, analyzed your controls so they are effective and mitigate the risks they were designed to address, and evaluated your monitoring program to incorporate any updates.
This is how a thoughtful and nimble internal control framework, focused on key risks, can provide a mechanism to support the strategic direction of your company. It can help generate sustainable value by providing business insights and validate the data used to develop financial reports. It can even help make your company more competitive and attractive to suitors in the future, depending on your strategic objectives.