The importance of controls for pre-IPO, start-ups and investors
Thought leadership by Deepak Iyer, Risk & Internal Controls Expert and SafePaaS
Start-ups and pre-IPOs need money to operate and grow their business. Investors are expected to spend considerable time (and many do) evaluating the business before deciding whether to invest.
Despite this, a significant percentage of startups dissolve within 10 years. The number of companies that consider getting listed and then back out is also relatively high. Heightened governance and regulatory requirements are one reason why companies choose not to get listed. This, in effect, also exposes the investor's money to risk.
The FTX fiasco highlights another reason. FTX disintegrated overnight after it could not meet a run on deposits, leaving the company with an $8 billion hole in its accounts. The cryptocurrency exchange filed for bankruptcy on November 11, 2022. In FTX's bankruptcy proceeding, the company appointed restructuring CEO John Jay Ray III, who oversaw Enron's bankruptcy. In a court filing, Mr. Ray stated, "in my career, I have never seen such a complete failure of corporate controls and a complete absence of trustworthy financial information as occurred here. From compromised systems integrity and faulty regulatory oversight abroad to the concentration of control in the hands of a tiny group of inexperienced, unsophisticated, and potentially compromised individuals, this situation is unprecedented."
This highlights the risks in companies where regulation is yet to catch up. While most investors know that FTX was part of the cryptocurrency industry, which is yet to be actively regulated, the extent of the failure at FTX raises questions about management intent, the lack of effective governance, poor risk management practices and the ineffective controls in place at such companies.
What risk and control information would have helped investors exercise better judgment and control over how their money was used? Is relying on auditors good enough anymore?
One thing is clear. Investors need to be more aware of how risks are managed and how effective some controls are, irrespective of the business size, as their investment is at stake.
What can be done about this and what is required?
Investors and Business managers need better insight and awareness of risk management. This does not mean unleashing more accountants and risk managers to add expensive solutions and costs to the business, increasing bureaucracy and slowing the business down.
A startup's governance and risk management challenges differ from that of a company preparing for its IPO. Therefore, what does a pragmatic approach look like? This blog focuses on the steps startups and pre-IPOs can consider in establishing a fit-for-purpose and pragmatic approach to achieving effective governance and risk management to reduce the chances of business failures.
"Organizations should take a fresh approach to risk management programs by proactively assessing their risk exposure and risk processes and by viewing effective risk management as an opportunity to increase competitive advantage instead of a barrier to growth and agility." Deepak Iyer
What is required?
Step 1: More awareness of Risk Management and Internal Control basics so that the investors can be equipped with the right knowledge to ask the right questions.
Step 2: Investing in the right tools that will enable Business Managers to identify, manage and report on risks.
Awareness: Risk Management and Internal Controls
Let us understand Risk and Internal Controls with the help of a globally understood topic:
What is a risk?
A risk is the possibility of something bad happening.
For example – The risk of catching COVID.
What is an Internal Control?
Internal controls are measures that can be taken to mitigate and/or effectively manage a risk and bring it down to an acceptable level. For the COVID example, there are many steps an individual can take to reduce the chance of catching it and to limit its impact.
While risks are the same across the entire population, the internal controls chosen could be different for different people due to their circumstances, how it impacts them and their risk appetite. It is key to remember that the same applies for companies too. Different companies will choose different levels of internal controls to manage their risk.
How can investors look at risks?
Risks can be categorized in many ways. For ease of understanding and to keep it simple, we have categorized them broadly below, together with who is typically responsible for managing each category.
Strategic risk
Who is responsible for managing the risk: typically, the board of directors.
What it covers: strategic risk refers to the internal and external events that may make it difficult, or even impossible, for an organization to achieve its objectives and strategic goals. These risks can have severe consequences that impact organizations in the long term.
Financial and accounting risk
Who is responsible for managing the risk: Financial Risk Manager, CFO.
What it covers: financial risks, which include liquidity and cash flow, fraud prevention, accounting risks, bad debts, etc.
IT, data and access risks
Who is responsible for managing the risk: CIO, CTO (with the support of the Data Protection Officer).
What it covers: ensuring that IT systems are available and protected from cyber threats, that data is carefully managed, and that access to this information on the company's platform is regulated and restricted.
Regulatory and compliance risks
Who is responsible for managing the risk: General Counsel including
What it covers: ensuring that the company is operating within legal and regulatory
It is key for investors to understand the various risks and the steps taken by the management to mitigate them.
What are the right tools and technology to help manage risk and protect your investment?
Depending on its size and nature, an organization needs to invest in an appropriate risk management system that tackles the following risk categories.
1) Enterprise Risk management
2) Financial risk management
3) Access, IT & Data security Management (data security & fraud prevention)
4) Regulatory & Compliance risks
If you are a small startup, you may only need a spreadsheet to identify risks and manage them. Getting a qualified and experienced risk consultant to develop one that you can use to hold management accountable is recommended.
However, if you are a slightly larger company considering an IPO at some point, read the next section.
How can SafePaaS address your pre-IPO needs?
1. Entity-level controls
Proactive Enterprise Risk Management (ERM)
Establish an ERM framework and monitor enterprise risk and KRIs to reduce the frequency and severity of losses. Act in real-time to perform root-cause analysis with ad-hoc reports, reduce process inconsistencies, and make better decisions by adding context to data from multiple sources. To proactively address enterprise risk, SafePaaS can:
- Use audit analytics and compliance monitoring with interactive dashboards and reports for real-time corrective action modeling and allow business managers to explore risk exposure ad hoc.
- SafePaaS audit, risk and compliance solutions monitor risk and controls in any ERP system to improve testing effectiveness and findings across the enterprise in a single integrated solution.
- The solution allows pre-IPO companies to establish a unified platform to efficiently manage enterprise-wide Audit, Risk, and Compliance processes. Executives, Business Process Owners, Internal Control Managers, and Auditors can improve their productivity by collaborating on key audit, risk and compliance tasks such as risk assessment, control activities, independent audit, remediation, and management certification. SafePaaS provides a role-based dashboard to ensure that management can make timely and accurate decisions based on complete insight to mitigate risk proactively.
- Implement risk assessment processes to meet your pre-IPO objectives while building your Risk library with processes, risks, and controls.
- Manage enterprise risk ratings like impact and likelihood that best describe your approach to risk evaluation.
- Manage Control Design based on the contextual framework to measure risk factors before controls (inherent), after controls (residual), or both.
Transform compliance "silos" with a single enterprise platform that delivers reduced testing time, standardized self-assessment, and management certification templates. To help ensure regulatory compliance, SafePaaS can:
- Integrate with ERP controls to streamline compliance with continuous monitoring. Management can easily update documentation and certify internal controls to comply with the most complex regulations, such as Sarbanes-Oxley (SOX).
- The solution can be configured to support various industry and regulatory frameworks such as AML, Basel II, COSO, COBIT, GDPR, FCPA, FISMA, FERC, HIPAA, NCR, OMB-123, OSHA, PCI DSS, and Solvency II.
Audit analytics & planning
The run-up to your first audit can be stressful, making preparation and testing of controls essential in the IPO process. To plan and prepare for your first audit, SafePaaS can:
- Transform audit management to a data-driven service by shifting repetitive tasks to intelligent audit bots that can free up time and eliminate errors.
- Replace time-consuming audit scripts with business objects based on metadata representing complex data structures of enterprise applications to prevent losses such as "duplicate payments" within minutes.
- Detect hidden risks in data such as "similar suppliers" using fuzzy rules where such errors slip through discrete logic.
- Substitute ineffective sampling methodology with non-linear pattern recognition in large data sets in real-time and at scale to identify complex risk events such as manual journal entries created and approved by the same user in the current fiscal year.
- Reduce risk exposure window by enabling closed-loop issue/remediation workflow with event-driven escalation hierarchy.
- Audit Planning enables you to schedule projects and resources, so there is a clear view of work assignments and tracking of audit testing in an annual plan.
- Web-based audit planning tool for small or large groups, allowing multiple plans to support enterprise audit objectives.
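The three detections named in the list above (duplicate payments keyed slightly differently, "similar suppliers" that discrete matching misses, and manual journal entries created and approved by the same user in the current fiscal year) are straightforward to express over ERP extracts. The block below is an added example written for this page, not SafePaaS code; the supplier, payment and journal records in it are constructed, and the similarity threshold and the list of legal-form suffixes are illustrative choices.

```python
"""Audit analytics over constructed ERP extracts (added example, not SafePaaS code).

Runs three detections over small constructed datasets:
  1. duplicate payments: same supplier, same normalised invoice number, same amount
  2. similar suppliers: fuzzy match on normalised names, or a shared bank account
  3. manual journal entries created and approved by the same user in a fiscal year
"""
from collections import defaultdict
from difflib import SequenceMatcher
import re

# Constructed supplier master records: two spellings of one vendor share a bank account
SUPPLIERS = [
    {"id": "S001", "name": "ACME Industrial Ltd.", "bank": "GB29NWBK60161331926819"},
    {"id": "S002", "name": "Acme Industrial Limited", "bank": "GB29NWBK60161331926819"},
    {"id": "S003", "name": "Northwind Traders", "bank": "DE89370400440532013000"},
]

# Constructed AP payments; P2 is P1 re-keyed with a differently typed invoice number
PAYMENTS = [
    {"id": "P1", "supplier": "S001", "invoice": "INV-1001", "amount": 1250.00},
    {"id": "P2", "supplier": "S001", "invoice": "inv 1001", "amount": 1250.00},
    {"id": "P3", "supplier": "S003", "invoice": "77-A", "amount": 300.00},
    {"id": "P4", "supplier": "S003", "invoice": "77-A", "amount": 310.00},  # amount differs: not a duplicate
]

# Constructed manual journal entries; JE-2 is self-approved in FY2023, JE-3 in a prior year
JOURNALS = [
    {"id": "JE-1", "created_by": "alice", "approved_by": "bob", "fy": 2023},
    {"id": "JE-2", "created_by": "carol", "approved_by": "carol", "fy": 2023},
    {"id": "JE-3", "created_by": "dave", "approved_by": "dave", "fy": 2022},
]

LEGAL_SUFFIXES = {"ltd", "limited", "llc", "inc", "plc", "gmbh", "co"}  # illustrative list


def normalise_invoice(inv: str) -> str:
    """Drop case, whitespace and punctuation so 'INV-1001' and 'inv 1001' compare equal."""
    return re.sub(r"[^a-z0-9]", "", inv.lower())


def duplicate_payments(payments):
    """Group by (supplier, normalised invoice, amount) and return every group with more than one payment."""
    groups = defaultdict(list)
    for p in payments:
        key = (p["supplier"], normalise_invoice(p["invoice"]), round(p["amount"], 2))
        groups[key].append(p["id"])
    return [ids for ids in groups.values() if len(ids) > 1]


def normalise_name(name: str) -> str:
    """Lower-case, strip punctuation and remove legal-form suffixes before comparing names."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in LEGAL_SUFFIXES)


def similar_suppliers(suppliers, threshold=0.85):
    """Pairwise fuzzy comparison; a shared bank account is flagged regardless of the name score."""
    hits = []
    for i in range(len(suppliers)):
        for j in range(i + 1, len(suppliers)):
            a, b = suppliers[i], suppliers[j]
            ratio = SequenceMatcher(None, normalise_name(a["name"]), normalise_name(b["name"])).ratio()
            same_bank = a["bank"] == b["bank"]
            if ratio >= threshold or same_bank:
                hits.append((a["id"], b["id"], round(ratio, 2), same_bank))
    return hits


def self_approved_journals(journals, fiscal_year):
    """Entries where the creator approved their own work in the given fiscal year."""
    return [j["id"] for j in journals if j["fy"] == fiscal_year and j["created_by"] == j["approved_by"]]


if __name__ == "__main__":
    print("duplicate payments:", duplicate_payments(PAYMENTS))
    print("similar suppliers:", similar_suppliers(SUPPLIERS))
    print("self-approved journals FY2023:", self_approved_journals(JOURNALS, 2023))
```

The duplicate check deliberately keys on a normalised invoice number rather than the raw string, because the re-keyed second payment is exactly the case an exact-match query misses; the supplier check flags on either the name score or a shared bank account, since a fraudster who creates a second vendor record usually changes the name but not where the money goes.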
Segregation of duties (SoD) policy management
The complexity of enterprise applications has increased the risk of SoD control violations. All major audit firms are testing SoD controls and holding executives accountable for successful risk remediation. To mitigate SoD risk, SafePaaS can:
- Analyze SoD conflicts with a risk-based SoD analysis, including hundreds of SoD rules based on thousands of application functions in our rules repository.
- Rapidly reduce SoD risks and conflicts with a workflow-enabled process that includes process owners, application managers, IS security, and auditors.
- Eliminate false positives with filters to improve risk analysis and response.
2. Financial controls
Automated financial control monitoring
SafePaaS continuously monitors business activities within your enterprise applications with instant access to the most extensive catalog of automated application monitors covering major processes such as Procure-to-Pay, Order-to-Cash, Hire-to-Retire, Design-to-Ship, and Financial Record-to-Report. To ensure smooth business processes, SafePaaS can:
- Monitor ERP Configuration Controls to mitigate financial and operational risks by ensuring the accuracy and consistency of application configurations required for processing business transactions within your ERP system.
- Monitor transactions to improve your visibility into financial, operational, fraud, and risk management controls by automating Transaction-level Compliance to stop cash leakage and financial losses. Empower business users to prevent control failures across all key processes.
- Monitor master data to mitigate financial and operational risks by ensuring the accuracy, consistency, and timeliness of the data that ERP systems require to execute effective business processes. You can ensure the consistency of master data by identifying duplicate records, which often occur in ERP systems simply because a user is unaware of an existing record or works around the system controls by adding a modifier to a record key in order to change key attributes such as supplier payment terms or payment currencies.
3. IT General controls
Self-service identity-based access provisioning
Organizations must regulate user access permissions on IT assets to avoid internal security risks and comply with regulatory requirements. SafePaaS automates and streamlines user account creation and controls privileges, making it easier for IT administrators to manage the organization's identity and access management program. To ensure seamless and secure provisioning of user access, SafePaaS can:
- Safeguard your most important business information against cybersecurity risks with policy-based centralized user identity management and access control orchestration.
- Improve productivity and reduce costs by enforcing access policies, such as segregation of duty (SoD) rules, before violations are introduced into the ERP environment, limiting the exposure of sensitive business information to potential threats and vulnerabilities.
User access certification
Access certification is mandatory for compliance and risk management. With access certification, organizations can validate users within systems and ensure their access privileges are appropriate based on their role in the business. To provide zero-trust user access, SafePaaS can:
- Automate periodic user access reviews to comply with access policies and maintain an audit trail to support IT General Controls.
- Enable managers to detect dormant users and unauthorized system access.
- Orchestrate access across the entire enterprise with seamless integrations.
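Both the SoD policy management section above and the access certification section describe analysis over the same data: which roles each user holds, which application functions those roles grant, and when the account was last used. The block below is an added example for this page, not SafePaaS code; the role-to-function map, the SoD rule repository, the expected roles per job function and the user records are all constructed for illustration, and the 90-day dormancy window is an assumed policy value. It shows the detective check (conflicts across a user's combined roles), the preventive check the text recommends (simulating a grant before provisioning it), and the per-manager certification items with dormant accounts and roles outside the user's job function flagged.

```python
"""SoD conflict analysis and access-review flags over constructed IAM data.
Added example, not SafePaaS code; rules, roles, users and thresholds are invented."""
from datetime import date

# Constructed role -> application functions (what an ERP role lets the holder do)
ROLE_FUNCTIONS = {
    "AP_CLERK":      {"create_supplier", "enter_invoice"},
    "AP_MANAGER":    {"approve_invoice", "release_payment"},
    "GL_ACCOUNTANT": {"create_journal"},
    "GL_CONTROLLER": {"post_journal"},
    "READ_ONLY":     {"view_ledger"},
}

# Constructed SoD rule repository: function pairs one person must not hold together
SOD_RULES = {
    "SOD-01": ("create_supplier", "release_payment"),  # fictitious-vendor payment
    "SOD-02": ("enter_invoice", "approve_invoice"),
    "SOD-03": ("create_journal", "post_journal"),
}

# Constructed job function -> roles expected for it; anything else needs a reviewer decision
EXPECTED_ROLES = {
    "AP": {"AP_CLERK", "AP_MANAGER"},
    "GL": {"GL_ACCOUNTANT", "GL_CONTROLLER"},
    "HR": {"READ_ONLY"},
}

# Constructed user records: roles held, job function, manager, last login
USERS = [
    {"user": "alice", "roles": {"AP_CLERK", "AP_MANAGER"}, "job": "AP", "manager": "erin", "last_login": date(2024, 5, 1)},
    {"user": "bob",   "roles": {"AP_CLERK"},               "job": "AP", "manager": "erin", "last_login": date(2024, 1, 2)},
    {"user": "carol", "roles": {"GL_ACCOUNTANT"},          "job": "GL", "manager": "frank", "last_login": date(2024, 5, 3)},
    {"user": "dave",  "roles": {"READ_ONLY", "GL_ACCOUNTANT"}, "job": "HR", "manager": "gina", "last_login": date(2024, 5, 3)},
]

REVIEW_DATE = date(2024, 5, 10)  # constructed "today" for the dormancy calculation
DORMANT_DAYS = 90                # assumed policy: no login in 90 days means dormant


def effective_functions(roles):
    """Union of functions across all roles; conflicts often arise only from the combination."""
    funcs = set()
    for r in roles:
        funcs |= ROLE_FUNCTIONS.get(r, set())
    return funcs


def sod_conflicts(user):
    """Detective check: rule ids violated by the user's combined roles."""
    funcs = effective_functions(user["roles"])
    return sorted(rid for rid, (f1, f2) in SOD_RULES.items() if f1 in funcs and f2 in funcs)


def would_violate(user, new_role):
    """Preventive check: rule ids that granting new_role would newly introduce."""
    trial = dict(user, roles=user["roles"] | {new_role})
    return sorted(set(sod_conflicts(trial)) - set(sod_conflicts(user)))


def access_review(users, today=REVIEW_DATE, dormant_days=DORMANT_DAYS):
    """Certification items grouped by manager, each user carrying the flags a reviewer must decide on."""
    items = {}
    for u in users:
        flags = []
        conflicts = sod_conflicts(u)
        if conflicts:
            flags.append("sod:" + ",".join(conflicts))
        if (today - u["last_login"]).days > dormant_days:
            flags.append("dormant")
        extra = u["roles"] - EXPECTED_ROLES.get(u["job"], set())
        if extra:
            flags.append("unexpected_roles:" + ",".join(sorted(extra)))
        items.setdefault(u["manager"], []).append((u["user"], flags))
    return items


if __name__ == "__main__":
    for manager, entries in access_review(USERS).items():
        print(manager, entries)
    print("grant GL_CONTROLLER to carol would violate:", would_violate(USERS[2], "GL_CONTROLLER"))
```

Evaluating conflicts over the union of functions is the point: neither AP_CLERK nor AP_MANAGER violates a rule on its own, and a role-by-role review would certify alice as clean. The preventive check reuses the same rule evaluation on a trial copy of the user, which is how an approval workflow can reject a request before the grant reaches the ERP.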
Having a solution like SafePaaS in place to prepare for SOX compliance removes the pain and pressure of pulling together your supporting audit documentation and evidence. SafePaaS provides the data and security needed for pre-IPO SOX compliance by managing risk across all your business applications, automating manual tasks, and enforcing internal controls.
Financial reporting accuracy and timeliness heavily depend on a well-controlled IT environment. In this guide, we hope to equip you with the information you need to prepare successfully.
Governance in the Digital Age
Digital transformation should include a corporate governance transformation to minimize risks; by implementing the right technology solutions, relevant policies and procedures that can be rapidly embedded and continuously monitored, allowing organizations to identify and address any corporate governance deficiencies quickly.
4 Tips to build an effective internal control testing program
Having effective and targeted internal controls can protect your company's assets and intellectual property to prevent costly errors, reduce the risk of fraud, and decrease the chance of non-compliance. However, implementing internal controls is not enough. Internal controls should be continuously evaluated and tested to identify weaknesses and opportunities for improvement.