Public and private companies are subject to different regulatory requirements regarding their financial and operational information, including to whom the information is provided and the level of detail it should contain. Nonetheless, any business can benefit from transparent financial and operational information available for decision making and reporting to stakeholders.
As a private business owner, executive, or investor, what can you do to increase your certainty about the information coming to you from across the business?
Whether your business is backed by venture capital, funded by private investors, or a family business, internal controls are an important part of the answer as you grow. They can be an integral part of operations that can help mitigate risk and add business value.
The following set of viewpoints explores:
- What are internal controls, the value they can provide, the role of a risk assessment and how to apply the results of the assessment
- Design and implementation of internal control
- How to maintain, monitor and streamline controls over time
Performing risk assessments
It is important to note that effective internal control does not have to be complicated. They should be designed to address the particular risks your business may face and the specific information needs of management. Their performance must be consistent and reproducible. When they are a natural part of the process, they are likely to work more efficiently if they have been designed with the associated risk in mind.
A thoughtful risk assessment can help you identify critical processes that are likely to be error-prone and create quantitatively and qualitatively significant risks to your business. It can help you determine the impacts the business might experience if such mistakes occur and help you focus on the ones that matter most to your strategy and business operations. Essentially, a risk assessment helps you think critically and answer questions such as:
- Who are my stakeholders?
- What are our main business risks?
- What information can help us manage the identified risks?
- How error-prone is the information we have and how can this affect strategic decisions and governance obligations?
- What resources do we need to deal with these risks?
Once you’ve identified and prioritized the potential risks, it’s important to understand the nature and extent of your business’s exposure. It means analyzing related processes and identifying gaps or weaknesses that can lead to potential problems. From there, you might want to fine-tune the processes and implement controls as needed.
Deployment of internal controls
The design and implementation of internal controls is a multi-step process. After performing a risk assessment and identifying specific risk areas, you should try to get a clear picture of “what could go wrong” in each area, a prerequisite for understanding your business risks and making it easier to understand. design of effective internal controls.
Once the risks or risk areas have been identified, categorized and prioritized, it is important to determine what type of internal control could best mitigate those risks: preventive or detection, manual or automated. This may vary depending on the level of risk assessed and other factors.
When implementing controls, don’t underestimate the importance of clear and detailed documentation. Control owners, i.e. those responsible for carrying out control activities, will only be effective if they have a clear understanding of the process related to control and the design of internal control itself. .
With documented controls in place, it’s time to close the loop on the control environment by developing an effective monitoring program that can help you maintain, monitor, and streamline controls over time.
Increase value over time
An important aspect of a system of internal controls is determining how to maintain their effectiveness and, optimally, improve them over time. A well-designed internal control framework, informed by periodic risk assessments, can make your system of internal controls flexible and scalable.
It can be tempting to go out there and start reviewing the controls. However, it is important to consider these questions first:
- Who will be part of the surveillance team?
- What do we expect from team members?
- How will control deficiencies be defined and identified?
Your monitoring program should clearly define expectations about when and how deficiencies are identified. The program should also include an escalation process that allows the surveillance team to remedy deficiencies quickly and effectively.
As your business grows, its business and operating models may change, mergers or acquisitions may be undertaken, market conditions may change, and new product opportunities may arise. It is important to take a step back periodically and assess the situation: have you assessed all the material risks applicable to your business? Have you analyzed your controls for their effectiveness in mitigating the risks for which they were designed? Have you checked your monitoring program for updates?
This is how a thoughtful and flexible internal control framework focused on key risks can provide a mechanism to support the strategic direction of your business. It can help generate lasting value by providing business insights and validating data used to develop financial reports.
It can even help make your business more competitive and attractive to suitors.
For more information, contact:
Lisa D’Angelo, audit and certification partner,
Deloitte & Touche LLP
[email protected], 212-436-4520
Khalid Shah, Audit & Assurance Partner,
Deloitte & Touche LLP
[email protected], 202-220-2109