The private company guide to effective internal controls

Overview: Private company internal controls series

Public and private companies are subject to different regulatory requirements relating to their financial and operational disclosures, including whom the disclosures are provided to and the level of detail they should contain. Nevertheless, certain lessons learned by public companies can benefit private companies across a broad spectrum, whether they are venture-backed, funded by private equity investors, or family businesses. One of these lessons is the value that effective internal controls can provide from both operational and financial perspectives.

The following point of view series explores:

• What internal controls are, the value they can provide, the role of a risk assessment, and how to apply the results of the assessment
• Internal control design and implementation
• How to sustain, monitor, and rationalize controls over time

Internal controls and risk assessments: What every private company should know

Information from across your company is vital for your strategic business decisions. What can you do to increase your comfort that the information coming to you is timely, accurate, and reliable? Internal controls may be an important part of the answer. They can be an integral part of operations that can help mitigate risks and add business value.

A system of internal controls should be informed by an appropriately detailed and periodically performed risk assessment that identifies which critical processes might be susceptible to errors, thereby potentially creating quantitatively and qualitatively significant risks for your company. A risk assessment can help you determine what impacts your company might sustain if such errors occurred and help you focus on the ones that matter most to your business strategy and operations. Once that’s done, it’s time to design and implement the internal controls.

Deploying internal controls: What private companies can learn from public entities

Designing and implementing internal controls is a multistep process. After performing a risk assessment and identifying specific areas of risk (subjects of the first point of view in our series), you should try to gain a clear picture of “what could go wrong” in each area—a prerequisite to understanding your company’s risks and designing effective internal controls.

Once risks or risk areas have been identified, categorized, and prioritized, it’s important to consider what type of internal controls could best mitigate those risks—i.e., preventive or detective, manual or automated. This can vary according to the assessed level of risk and other factors.

As you implement the controls, don’t underestimate the importance of clear and detailed documentation. Control owners—those people responsible for performing the control activities—will only be effective if they have a clear understanding of the process related to the control and the internal control design itself. With documented controls in place, it’s time to close the loop on the controls environment by developing an effective monitoring program that can help you sustain, monitor, and rationalize the controls over time.

Private company internal controls: Extending value over time

An important aspect of a system of internal controls is determining how to sustain their effectiveness and, optimally, improve them over time. A well-designed internal control framework, informed by periodic risk assessments, can make your system of internal controls nimble and scalable. It can also help you assure that the controls are operating effectively and remain relevant as your business grows and evolves.

The following considerations should guide the development of your monitoring program:

• Who will be on the monitoring team?
• What is expected of team members?
• How will control deficiencies be defined and identified?

To provide value, your internal control framework should also be scalable and flexible. As your company evolves over time, new risks may be identified, and previously identified risks may no longer be relevant. Such changes provide an opportunity to rationalize your internal controls.