In recent years, the startup ecosystem has witnessed numerous high-profile frauds, underlining the critical need for robust business controls. Contrary to popular belief, business controls do not necessarily impede growth. When designed and implemented thoughtfully, they can enhance a company’s agility while managing risks effectively. The collapse of FTX, among other failures, demonstrates the catastrophic consequences of neglecting corporate controls.
The Downfall of FTX Future Exchange: A Case Study
The failure of FTX, once a leading cryptocurrency exchange, serves as a stark reminder of the importance of business controls. When John Ray III, known for his work in the Enron scandal, took over FTX following the arrest of CEO Sam Bankman-Fried, he described FTX’s corporate controls as a “complete failure.” Key issues included poor governance, irresponsible cash management, and excessive concentration of authority among a small, inexperienced group of decision-makers.
The problems at FTX highlighted several fundamental failures:
- Inadequate Governance: There was a lack of oversight from an independent board of directors, leading to unchecked power among executives.
- Irresponsible Cash Management: The company had no discernible accounting department, and there were instances where corporate funds were used for personal expenses without any formal process or documentation.
- Concentration of Authority: A small group of decision-makers held too much power, with no internal checks and balances to counterbalance their decisions.
The Prevalence of Lax Controls
Despite the evident risks, many startups and small businesses still operate with lax controls, especially under the pressure to scale rapidly. As a KPMG-qualified auditor with extensive experience in both large enterprises and fast-growing startups, I have observed that inadequate controls are alarmingly common in early-stage companies. This oversight not only increases the risk of fraud and mismanagement but also affects the company’s ability to attract investment.
Opportunity Costs of Poor Controls
The cost of capital has risen significantly due to record interest rate increases, making fundraising more challenging. Investors now perform more rigorous due diligence, which includes a thorough examination of a company’s control systems. During a recent Series A funding round, an investor’s scrutiny of payment release strategies and approval levels within the payment processing solution highlighted the growing importance of robust controls even at early stages.
The increased scrutiny from investors means that startups can no longer afford to neglect their internal controls. The cost of implementing these controls is far outweighed by the potential loss of investment opportunities and the higher cost of capital resulting from perceived higher risks.
The Case for Business Controls
Business controls are essential for safeguarding assets, ensuring accurate financial reporting, and promoting operational efficiency. Key components include segregation of duties, authorization procedures, and regular monitoring. These controls become increasingly important as a company grows and the complexity of its operations increases, particularly with the shift towards remote work post-COVID-19.
Business controls, or internal controls, are the backbone of a company’s governance framework. They include:
- Segregation of Duties: Ensuring that no single individual has control over all aspects of a financial transaction. This prevents fraud and errors.
- Authorization Procedures: Formal processes for approving transactions and activities within the organization.
- Regular Monitoring: Ongoing review and auditing of processes and controls to ensure they are effective and up-to-date.
The importance of these controls grows proportionally with the size of the company. As the number of employees increases, so does the risk of errors and fraud. This risk is further exacerbated by the trend toward remote work, which makes traditional controls, such as physical signatures, obsolete.
Designing a Progressive Control Framework
To support a company’s growth while managing risks, it is crucial to develop a progressive internal control framework. This framework should be adaptable, aligning with the company’s complexity, technological sophistication, materiality thresholds, and risk tolerance. The following steps can help in designing such a framework:
- Document Specific Risk and Control Factors:
  - Operating Complexity: Assess headcount, staffing models, operating locations, business models, and customer bases.
  - Technological Sophistication: Leverage technology to deploy automated controls efficiently.
  - Materiality: Define thresholds for tolerable financial discrepancies and nonfinancial impacts.
  - Risk Tolerance: Establish subjective judgments on risk tolerance, adjusting over time as the company grows.
  - Fundraising Stage: Implement secure control frameworks to meet investor expectations during fundraising rounds (PRS Legislative Research) (PK Revenue).
Documenting these factors ensures that there is a consensus and a common understanding of the key risk areas within the organization. This common understanding is crucial for building efficient workflows that manage risks appropriately.
- Calibrate the Three Levers of Control:
  - Value Limit or Tolerance: Adjust the amount that triggers a control.
  - Cadence: Set the frequency of control reviews.
  - Objective: Decide whether controls should prevent or detect unauthorized actions (PK Revenue).
These levers allow for flexibility in the control framework, ensuring that it can be adjusted to fit the company’s specific needs and risk appetite. For example:
- Value Limit or Tolerance: This lever adjusts the amount or value that triggers a control. For instance, a department store may require a line manager to get approval before granting a refund, with the control limit set lower for high-risk items like electronics and higher for low-risk items like clothes.
- Cadence: This lever adjusts how often a control is performed. For example, a restaurant might count high-demand inventory like alcohol multiple times per day, while counting vegetables and frozen foods daily or every other day.
- Objective: This lever defines whether the control is designed to prevent or detect unauthorized actions. For example, system authorization limits might prevent inappropriate credit notes from being issued by requiring preapproval, or detect inappropriate issuances through monthly reports reviewed by management.
By calibrating these levers, companies can design controls that are both effective and efficient, minimizing the risk of fraud and errors without creating unnecessary administrative burdens.
Delegating Authority
Effective delegation of authority is crucial for managing controls as a company scales. A “delegation of authority” matrix, developed by the CFO and approved by the board, clarifies decision-making authority across the organization. This matrix helps prevent bottlenecks and ensures that the founder or CEO can focus on high-value work rather than administrative tasks.
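Business Area | Sub-area | Topic | Approval Limits | Approval Required |
---|---|---|---|---|
OpEx/CapEx | Operating Expenses | Nonrecurring Expenditures | Under $5,000 | Line Manager |
OpEx/CapEx | Operating Expenses | Nonrecurring Expenditures | Between $5,000 and $20,000 | Senior Manager |
OpEx/CapEx | Operating Expenses | Nonrecurring Expenditures | Above $20,000 | C-suite |
OpEx/CapEx | Operating Expenses | Vendor Contracts | Annualized value under $5,000 | Senior Manager |
OpEx/CapEx | Operating Expenses | Vendor Contracts | Annualized value between $5,000 and $20,000 | C-suite |
OpEx/CapEx | Operating Expenses | Vendor Contracts | Annualized value above $20,000 | C-suite and CEO |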
In this example, the delegation of authority to a line manager to incur an operating expense on behalf of the company is limited to $5,000, and any expense greater than this will require prior approval from the next most senior person noted.
A growing business faces increased complexity across the organization over time as it employs a larger workforce, processes larger transaction volumes, and handles larger sums or quantities of transactions. As complexity grows, so does risk.
While many companies and executives are aware of the delegation of authority matrix and have a working understanding of its purpose, in my experience, few understand how documenting risk factors and implementing the levers I’ve described can achieve an optimal balance between risk reduction and operating efficiency. Following the approach outlined here will also help to get buy-in from the wider management team and result in greater adherence to any implemented business controls. It can also help to rein in finance teams that may default to a standard control framework that doesn’t take into account the complexity or risk tolerance of their particular company.
Implementation and Review
Regular review and adjustment of the control framework are essential to match the company’s evolving size and complexity. As decision-making authority extends beyond the founding team, the delegation of authority matrix becomes increasingly critical. Implementing this framework early, ideally by the time the company hires middle and line managers, ensures seamless scalability and robust risk management.
A good control framework should be dynamic and evolve with the company. This involves:
- Regular Audits and Reviews: Regularly auditing the controls to ensure they are still effective and relevant.
- Training and Awareness: Ensuring that all employees understand the controls and their importance.
- Feedback and Improvement: Continuously seeking feedback from employees and improving the control framework based on this feedback.
A well-designed control framework is not a barrier to growth but a facilitator of sustainable success. By managing risks effectively and ensuring operational efficiency, business controls protect companies from internal and external threats. Investors feel more secure, and the company is better positioned to thrive. As demonstrated by the failures of FTX, Theranos, and Enron, growth without adequate controls can expose a company to significant risks. Embracing a progressive control framework ensures that growth is not only achievable but also sustainable.
Implementing robust business controls is essential for navigating the complexities of growth and investment, safeguarding the company’s future, and maintaining investor confidence. As we have learned from past failures, growth without guardrails can leave a company wide open to risk—both from within and without. Therefore, integrating thoughtful, progressive controls into the fabric of a growing company is not just a necessity but a strategic advantage.