Follow the leader

Jeffrey L. Able

January 1, 2007



If a private company aspires to an IPO, to register public debt or to be acquired by a public company, the need to demonstrate a sound internal control environment is clear. A recent PricewaterhouseCoopers Trendsetter Barometer survey of nearly 350 fast-growth CEOs found that one in four of the fastest-growing, privately held businesses in the country have voluntarily adopted some of the Sarbanes-Oxley “best practices” that have emerged from their public sector counterparts.

Why would they do this? These fast-growth companies are adopting certain compliance practices to help create better companies – ones that are attractive to public and private investors, merger and acquisition (M&A) prospects, customers and other stakeholders. Nowadays, investors, credit grantors and business people in general are all keenly aware that the lack of strong internal controls increases investment and operational risks.

Effective controls afford a broad array of benefits for private companies, such as:

Internal controls of private companies today

In many private companies, internal controls remain informal. Consequently, controls may not be known or adhered to, or may simply fail to accomplish their objectives. Although management may believe controls are in place, there are many factors that can cause them to function improperly, be poorly implemented or simply ignored.

Even when controls exist, they’re often ‘detective’ rather than preventative; in other words, they are designed to uncover problems after they occur rather than prevent them from occurring in the first place. Such inadequate control systems leave companies vulnerable to a broad spectrum of risks, many of which they presumed to be mitigated.

An internal controls framework

While implementation requirements were only mandated in 2002, internal controls have been codified for over two decades. The Committee of Sponsoring Organizations (COSO) of the Treadway Commission established the initial framework in 1992. COSO, a blue-ribbon body chartered by leading accounting organizations to articulate the purpose and elements of internal controls, identified five essential elements of effective controls:

  1. The control environment

  2. Risk assessment

  3. Control activities

  4. Information and communication

  5. Monitoring

While each of these five mechanisms is indispensable for an effective system, a company must have a strong control environment for the system to function properly. The critical “tone at the top” includes a clear mission statement and a written, reinforced, broadly communicated code of conduct.

Private companies are at risk

Absent or malfunctioning controls leave companies vulnerable to a myriad of financial risks, including inappropriate revenue recording; unauthorized transactions and wire transfers; excess inventory purchases or purchases of products and services at higher-than-expected costs; unapproved payroll changes; inappropriate investment of excess funds; unnecessary fixed-asset purchases and possible theft.

One of the greatest risks for private companies is an improperly functioning control environment. If the critical “tone at the top” is unclear, poorly communicated or never enunciated to begin with, there may be no real focus on promoting ethical behavior.

Compliance with a company's ethics code should be periodically confirmed. Companies also may want to establish an “ethics hotline” as a reprisal-free medium for reporting ethical breaches. Investigation and enforcement must be a visible reality, fostered and strengthened by the ethical behavior of senior management and the owners. Additionally, an independent advisory board and organization-wide training programs will further ensure compliance with policies, codes and control activities.

Careful monitoring of budget, forecasts, prior periods and competitors is essential for combating fraud. Responsibility for these reviews should fall to different staff members to guard against error or misconduct. These checks should include regulation of equipment, inventories, cash and other assets, which should be regularly compared with control records.

In addition, companies must ensure that their code of conduct and business ethics are regularly communicated to their employees. In some cases, employees do not understand the reasons they are performing certain procedures or what procedures should be performed to ensure their compliance with the internal controls process. Staff turnover – a significant issue in today's business environment – exacerbates this problem, as does failure to document policies and procedures. Documentation is critical to ensure that controls assumed to be in place and operating as planned are actually continuing as a new employee takes on that responsibility.

To ensure that the ethics code becomes a fluid, integrated part of a company, management should encourage department heads to solicit and consider suggestions from their staff as two-way communication between senior management and operational personnel. This type of dual communication will allow for clear working channels to make recommendations for improvement.

Additionally, inadequate security is a serious control risk. Financial and physical assets need to be secured, as does access to information technology assets, including both hardware and software. Securing intellectual property, such as formulas and customer information, is equally important.

To create secure control mechanisms, regular reviews of control processes and procedures are essential as the information used to monitor operations may be flawed or inappropriate. The only way to evaluate whether controls are working as intended is to ensure that appropriate monitoring, by a level above the person performing the control, is taking place. Enhancement recommendations by the external auditors should be fully considered and promptly addressed.

Finally, regulatory noncompliance is a significant control risk that demands the focused attention of private companies. At the federal level alone, agencies such as the IRS, FTC, Food and Drug Administration (FDA) and the Environmental Protection Agency (EPA) issue and enforce regulations that apply to both private and public companies. If employees do not follow the relevant company policies and procedures, or do not know what they are, problems are likely to ensue.

The time to act is now

Private companies are being held to a higher level of accountability for their actions and it is important that they create internal metrics and mechanisms to monitor and reinforce their operational, financial and reporting activities.

Sarbanes-Oxley control provisions may become the “gold standard” for controls in all companies, both public and private, thereby defining the level of excellence that leading businesses will strive to reach.


 
