Establishing effective internal controls as an emerging growth company can seem burdensome, but it doesn’t have to be. Awareness of common obstacles can make preparation for 404(b) compliance less arduous. Here are a few steps we recommend taking along the way:
Before starting an internal controls project, it is important to identify decision makers and the team responsible for leading implementation activity. Many decisions must be made throughout the controls definition process. Consider the following questions:
Who will have ownership and oversight of controls? Identifying governance over controls helps eliminate duplicate efforts across departments.
Do we prefer centralized or de-centralized controls? In a centralized environment, key controls are managed at the corporate office, and supporting controls are managed at the local level. A centralized control, for example, would be corporate Accounts Receivable personnel verifying all work tickets and including signatures and support documentation before submitting an invoice to the customer.
As emerging growth companies evolve, the defined controls must grow and change accordingly. Consider how acquisitions, reduced head count, or process re-engineering can impact established controls. The nature of how organizations change over time requires frequent re-evaluation of internal controls. If the structure changes or new technologies are implemented without assessing the impact on existing controls, there is a risk of control failure. Control owners must be aware of upcoming changes so control areas can be reassessed quickly and adjusted policies and procedures are communicated to stakeholders.
One of the most difficult components of implementing new controls is ensuring new process and procedure requirements are carried out. Often, control activities are partially developed but need an extra boost to establish a fully effective control.
For example, most companies perform account reconciliations each month, but lack documentation of management review. This results in an incomplete control. The goal here is twofold—to add a new step for documentation and encourage people to accept it. To add this control step, communicate why it's necessary. If personnel understand the why, they are more likely to accept the change and contribute to the effectiveness of the control.
The risks of building a controls framework from the ground up can be overwhelming. It's important to plan which controls to implement based on immediate needs instead of the longer-term SOX 404(b) requirements. If there are issues with unauthorized systems access, missed approvals, or if auditors have pointed out control weaknesses, focus here first. In the short-term, prioritizing areas of focus can prevent “control fatigue” and re-position attention to critical areas.
In large companies, it is easy to separate processing activities across multiple resources. However, emerging growth companies have fewer resources, so it is difficult to separate duties without adding extra work and slowing down the business. If it is not feasible to fully separate processing activities, such as entering AP invoices and printing vendor checks, consider establishing monitoring controls to be reviewed on the back end. These controls include periodically reviewing user access and conducting account trend analysis to compare account balances to prior months.
For emerging growth companies seeking to reduce the risk of fraud and collusion and adhere to Sarbanes-Oxley, internal controls are a necessity. Don’t wait until obstacles arise to address the issues. Plan now and set the stage to enhance your controls environment ahead of time.
Trenegy is a non-traditional consulting firm helping businesses implement proper SOX controls. With proper SOX controls in place, business can benefit from efficiencies and improvements. Ask Trenegy how: info@trenegy.com.
