Internal controls, compliance and risk culture are often the last things senior management and boards of start-ups and small to medium companies want to discuss during their strategy and operational meetings. Alternative views on these factors are seen as counterproductive to the organisation's strategic objectives. Indeed, many start-ups spend an inordinate amount of time focusing on the challenges of meeting the expectations of the market and of stakeholders such as investors, customers, financiers and regulators. In the process, they take on new, and sometimes unknown, risks, yet are reluctant to address them proactively.
There are reasons, regardless of an organisation’s size and geographic reach, that discussions about integrated internal controls, compliance and risk culture need to happen up front rather than as a final step. From our experience working with start-ups in Singapore, we believe that there are three important questions boards and management in start-up organisations should ask themselves:
1. Do our internal processes provide adequate protection if things go wrong?
Many start-ups face intense pressure to grow revenue and market share, and they compete fiercely for investor and financier funds. Some of these factors contribute to an inclination for management to increase risk appetite and acceptance of risks when making business decisions, especially when it comes to expansion of products and geographies and the possibilities of increased revenues and profitability.
Besides the known risks of such expansion, has executive management considered the impact of non-controllable external forces in a volatile market environment? A robust enterprise risk management framework that challenges the status quo gives executives a structure for asking the right questions and ensures that the proper discussions take place. Senior management and boards should play a key role in these discussions. Is senior management providing sufficient tone-from-the-top leadership in your enterprise risk management programme? Does your organisation's board have the right balance and mix of relevant business and corporate governance experience to advise adequately?
2. Do we have the right systems, processes and technologies in place to control our growing pains?
Whilst enterprise software, applications and database solutions have improved and become more sophisticated, start-ups face a particular challenge: adopting a solution suited to start-up mode and then transforming it as they scale up. Their enterprise resource planning (ERP) solutions struggle to keep pace with operational and organisational changes, as well as with the increased complexity of rapid business growth. For instance, ERP solutions are not designed to cater for new or enhanced business models, or, for some start-ups, system-based controls are not fully implemented, leaving them to rely too heavily on manual controls that can be easily circumvented.
Consider also that some start-ups rush to get their systems into production, making configuration choices (or omissions) that are irreversible and that matter later in their growth. In addition, after changes in the roles and responsibilities of key departments or people, including corporate restructuring, users may continue to have access to data and systems – and, more critically, the authority to approve transactions – that fall outside the purview of their new roles and responsibilities. In such cases, the risk of fraud and of overriding internal controls increases significantly.
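One practical control for the stale-access problem described above is a periodic access review that reconciles the entitlements a user actually holds in the ERP against what their current role justifies, flagging retained approval authority and segregation-of-duties conflicts. The script below is an added example, not code from the article or from Protiviti; the role model, entitlement names and sample users are constructed for illustration.

```python
# Added example (not the article's own code): reconcile ERP entitlements
# against each user's current role after a reorganisation. Role names,
# entitlements and the sample users below are constructed for illustration.
from dataclasses import dataclass

# Entitlements each current role is permitted to hold (constructed role model).
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"create_vendor", "enter_invoice"},
    "ap_manager": {"enter_invoice", "approve_payment"},
    "sales_ops": {"view_customer", "create_sales_order"},
}
# Entitlements granting transaction approval authority: stale copies of these
# are the high-severity case the article warns about.
APPROVAL_ENTITLEMENTS = {"approve_payment", "approve_journal"}
# Combinations no single user should hold (segregation of duties).
SOD_CONFLICTS = [({"create_vendor", "approve_payment"}, "create vendor + approve payment")]

@dataclass
class Finding:
    user: str
    severity: str
    detail: str

def review_access(users):
    """users: iterable of (user_id, current_role, entitlements held in the ERP).
    Returns findings for entitlements the current role does not justify and
    for segregation-of-duties conflicts, highest severity first."""
    findings = []
    for user, role, held in users:
        allowed = ROLE_ENTITLEMENTS.get(role, set())
        for ent in sorted(held - allowed):
            sev = "high" if ent in APPROVAL_ENTITLEMENTS else "medium"
            findings.append(Finding(user, sev, f"'{ent}' not justified by role '{role}'"))
        for pair, label in SOD_CONFLICTS:
            if pair <= held:
                findings.append(Finding(user, "high", f"SoD conflict: {label}"))
    rank = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: (rank[f.severity], f.user))

# Constructed sample: alice moved from AP manager to sales but kept payment
# approval; bob accumulated clerk and manager rights; carol is clean.
SAMPLE_USERS = [
    ("alice", "sales_ops", {"view_customer", "create_sales_order", "approve_payment"}),
    ("bob", "ap_clerk", {"create_vendor", "enter_invoice", "approve_payment"}),
    ("carol", "ap_manager", {"enter_invoice", "approve_payment"}),
]

if __name__ == "__main__":
    for f in review_access(SAMPLE_USERS):
        print(f"[{f.severity}] {f.user}: {f.detail}")
```

In practice the user list would be exported from the ERP's user administration module and the role model kept under change control, so that each review is repeatable after every restructuring.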
Other factors may affect the level of control start-ups have as they continue to grow at a rapid pace. These include a lack of dedicated resources and of specialised in-house knowledge of enterprise software, applications and databases, as well as poor blueprinting of future processes and a lack of accountability during implementation.
3. Is there a storm brewing with our cloud computing solution?
Businesses turn to cloud computing solutions for different reasons: to reduce capital expenditure, to optimise internal IT resources, to improve business continuity and redundancy, and to enable a more rapid deployment of new business services with greater flexibility and scalability, to name a few. Start-ups increasingly adopt cloud computing solutions so they can focus on their core business and not have to concern themselves about keeping up with technology changes.
Selecting a cloud service provider that proactively manages or addresses the data privacy and security concerns prevalent in cloud computing services is crucial. Important considerations must be addressed, such as the need for the service provider to conform to your organisation's policies on the handling and encryption of sensitive and confidential data in payment methods, gateways and platforms.
It’s important to obtain answers to a number of significant questions about cloud service providers. How do they use customer data for their own activities, and what are the implications to data security and confidentiality? Does the service provider share customer data with third-party service providers? Does the service provider have oversight controls in place to ensure that the confidentiality of customer data is maintained? Does the service provider have adequate incident response procedures to handle exigencies effectively?
Cloud service providers can invest in far more advanced security technologies than most organisations are able to for their own on-premises data centres. A security breach can be costly in both financial and reputational terms. Companies should perform due diligence and risk assessments prior to engaging a cloud service provider and regularly throughout the contract period.
- Mary Ann De Leon, Associate Director, IT Consulting, Protiviti -
- Lai Kee Yin, Senior Manager, Internal Audit and Financial Advisory, Protiviti -