What FTX's collapse can teach start-ups and pre-IPOs about the importance of internal controls
Start-ups and pre-IPOs today are operating across a patchwork of solutions. To proactively address risk and bring their companies to the market in the current environment, start-ups and pre-IPOs must manage risks across their business processes. To protect transactions and sensitive data, start-ups and pre-IPOs need to implement an in-depth controls program that utilizes clearly defined functional roles and automated controls.
In light of the recent FTX revelations and the record-breaking years IPOs have had, revisiting the importance of strong internal controls is particularly relevant. FTX is a reminder of the importance of governance and internal control systems to ensure transparency and accountability. This blog will focus on the steps start-ups and pre-IPOs can take to establish governance, risk management, and internal control systems to prevent similar events.
What happened at FTX?
FTX disintegrated overnight after it could not meet a run on deposits, leaving the company with an $8 billion hole in its accounts. The cryptocurrency exchange filed for bankruptcy on November 11, 2022.
In FTX's bankruptcy proceeding, the company appointed restructuring CEO John Jay Ray III, who oversaw Enron's bankruptcy. In a hearing, Mr. Ray stated, "in my career, I have never seen such a complete failure of corporate controls and such a complete absence of trustworthy financial information as occurred here. From compromised systems integrity and faulty regulatory oversight abroad to the concentration of control in the hands of a tiny group of inexperienced, unsophisticated, and potentially compromised individuals, this situation is unprecedented."
Risk Management and Internal Controls
Risk management and internal controls are closely related but not the same. Risk management focuses on identifying, assessing, and prioritizing risks that could affect the organization. Risk management aims to minimize the likelihood and impact of risks on the organization.
The requirements and needs of start-ups will differ from those of a pre-IPO company. Initially, start-ups should acknowledge risks and have an active process of reducing or eliminating those risks. Awareness of risks helps the company prevent and prepare for possible incidents. Pre-IPOs, on the other hand, should begin implementing internal controls and exploring governance, risk, and compliance solutions to improve their risk management posture.
On the other hand, internal control systems are designed to ensure that an organization's activities are carried out reliably and efficiently and that its financial reporting is accurate and reliable.
Internal controls are the rules and processes put in place to mitigate a range of risks that can arise within an organization. Controls are typically designed with the guidance of the organization's board of directors or senior management. Internal controls also help to ensure compliance with regulations or standards established by external governing bodies, such as SOX or GDPR.
Internal controls fall into four main categories (manual controls, IT-dependent manual controls, application controls, and IT general controls) and are unique to each organization—one size does not fit all. Internal controls should be effective and efficient for each organization. For example, the internal controls for a large multinational would not be appropriate for start-ups or pre-IPOs. It is essential for an organization's leadership team to carefully design internal controls that manage risks to the business without overburdening it with unnecessary costs and effort. For example, you shouldn't spend a thousand dollars to implement a control that protects $100 of petty cash. Control implementation should take a risk-based approach.
Internal control frameworks
There are several control frameworks that start-ups and pre-IPOs can select. Various non-profit industry groups have developed frameworks to help companies strengthen their internal controls and prepare for SOX compliance.
- COSO - created the "Internal Control Framework" to guide the development of your company's controls.
- COBIT - ISACA, an industry group focused on IT governance, developed COBIT. COBIT will help bring your IT processes into compliance.
- ITGI - recommendations draw on COSO and COBIT but focus more on the security-related aspects of internal controls.
Why are internal controls essential in start-ups and pre-IPO companies?
Many start-ups and pre-IPOs don't understand the necessity of internal controls and can feel like internal controls will slow them down. Internal controls are like the brakes in a Formula One car. They aren't there to reduce the car's speed; they safeguard the driver.
Controls enable you to run your business and manage your growth. While it's true that regulators don't require start-ups and pre-IPOs to have internal controls, you still have to demonstrate accountability and transparency to your employees and stakeholders.
Typically, internal controls in start-ups and pre-IPOs are informal. To move to the next level of internal control maturity, start-ups and pre-IPOs should seek guidance on risk management, risk assessment, linking controls to risk, and setting up their control framework.
A critical part of any internal controls program is the control environment. The control environment is defined by how people in the company behave, specifically the tone at the top and leadership support of internal controls. Even following processes as mundane as turning in expense reports can signal a leadership's attitude towards the internal controls program.
How internal controls help start-ups and pre-IPOs manage compliance and security
One of the most significant changes for start-ups and pre-IPOs is ensuring accurate financial reporting in compliance with US Securities and Exchange Commission (SEC) regulations and laws that govern public filers. To prevent embarrassing disclosures, fraud, and breaches, a company planning to go public must comply with standards by maintaining strict internal controls. By having solid internal controls in place, start-ups and pre-IPOs can benefit by being ahead of the game when preparing for SOX compliance.
Benefits of Internal controls
Internal controls deliver numerous benefits to organizations of all sizes and provide leadership and management greater confidence in attaining business goals and objectives. Other benefits of internal controls include:
- Safeguarding of assets
- Mitigation of identified risks
- Reliable financial reports that help leaders make the right decisions about business development, pricing, hiring, etc.
- Minimize the effects of risk incidents
- Consistent transaction processing, communication, and reliable financial records
- Operational and business process efficiency
- Enable leadership to accurately communicate performance against goals and objectives to stakeholders
Despite the advantages offered by internal controls, not all businesses apply controls. Start-ups such as FTX that ignore the importance of internal controls for fear of slowing growth or cost lack a proper understanding of how a solid system of internal controls can benefit them.
Best practices and solutions
Develop strong entity-level controls
Corporate culture and values are developed and supported through entity-level controls. Entity-level controls influence how staff perform their duties and responsibilities.
Entity-level controls help set the tone at the top of the organization and provide a concrete basis for lower-level controls. All five components of internal controls (control environment, risk assessment, control activities, communication and information, and monitoring) are effectively implemented if the entity-level controls are robust and properly implemented. Examples of entity-level controls include:
- Code of Conduct
- Policies and procedures manual
- Controls related to the control environment
- The company's risk assessment process
- Controls that monitor lower-level internal controls
- Controls over the period-end financial reporting process
- Internal audit
- Whistle-blower policy
- IT environment and organizations
Set the tone at the top
The tone at the top refers to leadership embodying and demonstrating a commitment to compliance and ethics. It communicates that those at the organization's top are honest, act with integrity, and enforce an ethical corporate culture. Leadership that demonstrates poor tone creates an organization more likely to engage in unethical behavior and fraudulent activity and not support internal controls.
Leadership can ensure a solid tone by communicating, rewarding, and displaying ethics and values. This is done by having a formal code of conduct, frequently engaging with staff, and promoting the organization’s ethics and values. Staff should also be encouraged to report misconduct without fear of facing repercussions.
Take a proactive approach to risk management
No organization can predict specific risks, but they can prepare for them. Maintaining business operations in an increasingly perilous and complex environment requires proactive risk management and integrated solutions encompassing internal controls, data, and infrastructure. Start-ups and pre-IPOs should establish well-defined directions from leadership to clarify how to respond to challenges that arise. Risk management is vital for start-ups and pre-IPOs to demonstrate to investors that they have the necessary policy frameworks to report accurate numbers and that their capital is invested safely.
In our recent webinar, "ERP Controls, what are they and why they matter," Risk and Controls expert Deepak Iyer shared his view that as organizations continue to reckon with novel risks, leaders in start-ups and pre-IPOs should take a fresh approach to risk management programs by proactively assessing their risk exposure and risk processes and by viewing effective risk management as an opportunity to increase competitive advantage instead of a barrier to growth and agility.
Assess risk across the organization to ensure proper risk awareness
A comprehensive, continuous risk assessment is essential because it creates an understanding of the risks that could impact your organization’s ability to meet its objectives. Understanding your risks helps focus risk management efforts and benefits you by creating a roadmap and approaches for developing internal controls to mitigate risks to an acceptable level.
It's best to think of controls in terms of categories. For example, operational controls prevent risk in processes like the procure-to-pay process or order-to-cash process. In the case of IT general controls, you'll need to assess and implement controls at the network and database levels. For example, look at ways to prevent user access risks like segregation of duties and superuser accounts.
Once you have identified your risks and implemented the controls, you must assign responsibility for those processes and controls. Assigning control ownership can be tricky. In some cases, you may need outside advice from control experts to guide you on where to place the responsibility and accountability for your specific controls.
Solutions like SafePaaS can reduce the mystery and confusion of control alignment by equipping you with a governance platform that manages the business's risk and chaos stemming from misalignment. Policy-based governance solutions allow you to design a policy and assess the risk against the policy to ensure the control is deployed to prevent risk through automated control. For example, if your business moves to a hybrid workforce model, your organization can remain agile because your policies and controls are consistently enforced to safeguard your organization. A good governance solution will catch any deviation, whether your controls are turned off or on. For example, if you turn on three-way match control in your ERP system, your purchase orders, invoices, and receipts must match up. Still, there's the possibility that someone can turn off the control, and you may not catch it if you are using a manual control, but if you have a governance solution monitoring your processes, nothing slips through the cracks.
Deciding to go public is exciting. However, the preparation can be daunting. Preparing for an IPO requires many decisions about your internal control structure and framework. While public companies must comply with SOX, compliance requirements are often overlooked or underestimated by start-ups and pre-IPOs. Implementing a solid internal controls program can catapult your business to the market and prevent disasters like FTX from occurring.