Share this article:

Deloitte’s three-part series explores the potential benefits your company can derive from risk assessment, effective internal control design, and regular monitoring.
 
Public and private companies are subject to different regulatory requirements relating to their financial and operational disclosures, including to whom the disclosures are provided and the level of detail they should contain. Nevertheless, any business can benefit from having transparent financial and operational information available for decision-making and reporting to stakeholders.
 
As the owner, executive, or investor of a private company, what can you do to increase your certainty about the information coming to you from across the enterprise?
 
Whether your company is venture-backed, funded by private equity investors, or a family business, internal controls are an important part of the answer as you grow. They can be an integral part of operations that can help mitigate risks and add business value. 
 
The following point of view series explores:
  • What internal controls are, the value they can provide, the role of a risk assessment, and how to apply the results of the assessment
  •  
  • Internal control design and implementation
  •  

  • How to sustain, monitor, and rationalize controls over time
  •       
    Performing risk assessments 
    It’s important to note that effective internal controls don’t need to be complicated. They can be preventive or detective in nature; that is, designed to prevent something from going wrong or to detect if something did go wrong. They should be designed to address the particular risks your company may face, and the specific information needs of management. Their performance should be consistent and repeatable. When they are a natural part of the process, they are likely to operate more effectively if they have been designed with the related risk in mind.
     
    A thoughtful risk assessment can help you identify which critical processes might be susceptible to errors and create quantitatively and qualitatively significant risks for your company. It can help you determine what impacts the company might sustain if such errors occurred and help you focus on the ones that matter most to your business strategy and operations. Essentially, a risk assessment helps you critically think about and answer questions such as: 

         

      Get the latest OC business and Coronavirus updates

    • Who are my stakeholders?
    • What are our key business risks?
    • What information can help us manage identified risks?
    • How susceptible to error is the information we currently have, and how can that affect strategic decisions and governance obligations?
    • What resources do we need to address these risks?
    •        
      Other factors might also come into play. For example, what activities across the enterprise do you currently monitor? What questions do you regularly hear from your board of directors and other stakeholders? If your business has debt, what are the debt covenants based on? Bottom line: If the results matter to you or your stakeholders, they should be assessed.
       
      Once you’ve identified and prioritized potential risks, it’s important to understand the nature and extent of your company’s exposure. That means analyzing related processes and identifying gaps or weaknesses that can lead to potential problems. From there, you may want to refine the processes and implement controls where required.
       
      Deploying internal controls 
      Designing and implementing internal controls is a multistep process. After performing a risk assessment and identifying specific areas of risk, you should try to gain a clear picture of “what could go wrong” in each areaa prerequisite to understanding your company’s risks and designing effective internal controls.
       
      Once risks or risk areas have been identified, categorized, and prioritized, it’s important to consider what type of internal controls could best mitigate those risksi.e., preventive or detective, manual or automated. This can vary according to the assessed level of risk and other factors.
       
      As you implement the controls, don’t underestimate the importance of clear and detailed documentation. It’s your record of how the process should work and how the related controls should operate. This will help as you evaluate how the controls perform in the future to make sure they are operating as designed and continue to mitigate the risks you have identified. Plus, control ownersthose people responsible for performing the control activitieswill only be effective if they have a clear understanding of the process related to the control and the internal control design itself.
       
      With documented controls in place, it’s time to close the loop on the controls environment by developing an effective monitoring program that can help you sustain, monitor, and rationalize the controls over time.
       
      Extending value over time 
      An important aspect of a system of internal controls is determining how to sustain their effectiveness and, optimally, improve them over time. A well-designed internal control framework, informed by periodic risk assessments, can make your system of internal controls nimble and scalable   
       
      It may be tempting to jump right in and start reviewing controls. However, it’s important first to consider the following questions:
      • Who will be on the monitoring team?
      • What is expected of team members?
      • How will control deficiencies be defined and identified?
               
        Your monitoring program should clearly define expectations for when and how deficiencies are identified, as well as an escalation process that enables the monitoring team to address them effectively and in a timely manner.
         
        As your company grows, its business and operating models may change, mergers or acquisitions may be undertaken, market conditions may shift, and new product opportunities may arise. It’s important to step back periodically and assess whether you’ve identified all material applicable risks to your company, analyzed your controls to so they are effective and mitigate the risks they were designed to address, and evaluated your monitoring program to incorporate any updates.
         
        This is how a thoughtful and nimble internal control framework, focused on key risks, can provide a mechanism to support the strategic direction of your company. It can help generate sustainable value by providing business insights and validate the data used to develop financial reports. It can even help make your company more competitive and attractive to suitors in the future, depending on your strategic objectives.
         
        For more information, contact: 
         
         
        Greg Palme
        Audit & Assurance Partner
        Deloitte & Touche LLP
        gpalme@deloitte.com
        714-436-7225