Posted: 19 Aug. 2024

Fast-growing companies need internal controls too. Consider starting with these four steps.

By Andrew Warren, Audit & Assurance Managing Director, Deloitte & Touche LLP

Talking points
  • Fast-growing companies can mitigate process errors and compliance gaps by making it a priority to improve their internal controls.
  • Internal controls can allow companies to create a culture with an underlying focus on risk as well as foster synergy across the tiers of an organization.
  • This blog explores four areas of establishing proactive internal controls that reduce risk and enhance sustainable growth.

With half of 2024 behind us, we’re now in the back half of the year—a time when many fast-growing companies take stock of what it will take to finish the year strong. The to-do list may include objectives like securing additional funding, exploring adjacent markets, and filling key positions. But one priority high-growth companies often leave off the list is improving their internal controls, which takes time and money. Doing so can empower businesses to move more quickly and confidently into the future.

Here are four steps to get started on a proactive system of internal controls.

Identify risk

Controls mean establishing risk protocols and clear lines of vertical communication between the different tiers within a fast-growing company. This process extends from the top of the organization (where entity-level controls are instituted) down to the various operational levels of the company (where more day-to-day and process-level controls are implemented). 

A risk assessment provides the necessary support for implementing controls over identified risks. An appropriate risk assessment can reveal processes that are susceptible to errors. It can also help you gauge what could happen if the errors occurred and prioritize the processes that are important to your business strategy. This effort creates a foundation upon which a business can confidently scale and expand. 

Educate employees at every level

By confirming that the company operates within the established control structure framework, controls can mitigate risk and provide a systematic way for employees to identify and escalate issues. Paired with clear guidance from governance and risk committees, a controls framework can also get everyone on the same page and make controls a fundamental pillar of company culture. 

For these reasons, everyone in the company should understand the importance of internal controls. The sooner a company educates employees on risk, risk mitigation, and the importance of daily adherence to control structures, the better positioned it is to create a more effective and efficient operating environment. 

Include IT infrastructure and oversight for users with elevated access

When it comes to cybersecurity, data privacy, and other digital risks, information technology (IT) controls are where things typically go off the rails. Controls can be important to a sound IT infrastructure and risk mitigation across all levels of a company. 

An effective IT controls framework meticulously considers processes, access, and cybersecurity protocols, favoring the organization’s protection over individual access. It answers tough questions like who has access, why they have access, and whether the company is educating people on cybersecurity at all levels. A robust, active internal audit department also plays a key role by identifying and helping to remediate any business cycle and IT control process issues.

Enlist governance and risk committees to integrate internal controls into the company’s culture

When governance and risk committees are actively engaged in the processes of identifying risk, integrating internal controls, and finding resolutions to problems, it can foster a more positive environment throughout the company. A regular meeting cadence and transparency into those processes encourage the involvement of all employees. These practices also emphasize the daily importance of internal controls at every level of an organization. A culture that thinks differently about controls and Sarbanes-Oxley compliance can help the organization navigate more effectively whenever challenges arise.

What role can Deloitte play?

Many fast-growing companies might view compliance and internal controls as processes that can impede their ability to move quickly. But regardless of your size (or status as a public or private company), it’s essential to think about internal controls as early as possible. 

Effective internal controls go beyond meeting the minimum of what regulation requires. Establishing a proactive system of internal controls involves assessing risk, implementing controls that address those risks, and educating personnel on the importance of those controls. This approach can embed a controls framework into your company culture—a culture in which doing the right thing every single day becomes second nature.

Remember, you don’t have to go it alone. Deloitte can advise you on how to create an effective internal controls framework. Don’t hesitate to reach out with any questions you may have.

This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.

Andrew Warren

Audit & Assurance Managing Director | Deloitte & Touche LLP

Andrew is an Audit & Assurance managing director with Deloitte & Touche, LLP, based in Nashville, TN. With more than 15 years of experience at Deloitte, Andrew currently focuses his efforts on leading audit engagements as well as cross-functional advisory and implementation projects for clients across Tennessee. Andrew completed a two-year rotation in Deloitte’s National Office Accounting Services group with a specific focus on revenue recognition (ASC 606) and business combinations (ASC 805), among other accounting topics. During his time in National Office, he has consulted with engagement teams around the U.S. related to complex accounting topics. As the leader of Nashville’s Accounting and Reporting Advisory Services practice, Andrew has extensive experience in internal control optimizations, finance transformation, implementation of new accounting standards, and advising clients on technical accounting issues. Andrew received his Bachelor of Science in Accounting from the University of Kentucky. He is licensed as a Certified Public Accountant (CPA) in Tennessee and Kentucky, and is a member of the American Institute of Certified Public Accountants.