Internal controls in a business are like a 'bridle', the headgear worn by a horse. It guides the horse in the intended direction at a pace the rider feels is safe. Internal controls guarantee that the startup or business moves forward to achieve its goals in compliance with the stipulated laws and regulations.
The primary focus when framing internal controls is the high-risk areas of the business, so they play a vital role in mitigating risks. Another positive outcome is that they help create a collaborative and professional workplace. This implies that internal controls are necessary to improve the overall efficiency of any business.
Since each startup has its own DNA, its internal controls will also be unique. The next obvious question is: how does one frame internal controls for a startup or business? The COSO framework is the answer. It helps to design and implement internal controls in any organization.
The Committee for Sponsoring Organisation or COSO, led by James Treadway Jr and other members like the American Accounting Association, American Institute of Certified Public Accountants, etc., created this framework in 1992. It underwent revision in 2013, considering the changes in the business environment and industry standards. The organizations that follow this framework give the minimum assurance that they are transparent and ethical.
The COSO framework has five components:
Control environment: The industry standards and business practices comprise the control environment. It becomes the basis for framing the internal controls of a business.
Risk assessment: Risks are inevitable in business. The identification, evaluation, and management of risks, or Enterprise Risk Management (ERM), play a vital role in the success of a business.
Control activities: These are the internal controls made after considering the control environment and risks of the business.
Information and communication: Information is sensitive in business. So, internal and external communications must adhere to industry standards, ethical codes, and legalities.
Monitoring: Constant monitoring helps in evaluating and finding deficiencies in the internal controls. Every business has periodic internal audits for this reason.
The objectives of the COSO framework are to improve the efficiency of operations, financial reporting, and compliance. The internal controls of any startup or business must have these objectives in mind.
As mentioned earlier, internal controls are unique to each business. Some of the standard internal controls are:
The organizational structure reveals the chain of command, 'span of control', departments, division of labor or work specialization, etc. It provides clarity regarding the duties and responsibilities of every job role. A good organizational structure helps improve the operational efficiency of the business.
Finance is the backbone of any business. Every penny in and out of any business contributes to its success. There must be an approved process for financial transactions to improve the efficiency of financial management and decrease the possibility of fraud. Every entry must have multiple checks and authorizations by different people. The turnaround time (TAT) for reconciliation and reporting must be adhered to for smooth functioning.
Not every employee requires all information. Sensitive information is accessible only to certain levels or groups of employees. Access logs provide the details of the people who access the information. This helps reduce the risk of the information leaking.
Financial records are proof of bills paid or amounts received. A standardized way of recording documents such as bills, invoices, tax receipts, etc., helps in reconciliation and auditing. Maintaining orderly documentation helps in reducing risks and improves the overall efficiency of a business.
The Institute of Internal Auditors (IIA) describes internal audit as a value-adding activity to improve the operational efficiency of any business. Internal audit reports help the top management change processes to improve efficiency. They also help in finding any possible wrongdoing.
Data and information are vital to any organization, especially startups. Startups handle an enormous amount of data in their research to find the most viable product (MVP). Patents, copyrights, and trademarks protect the data and information of startups. There are rules and regulations to protect against data leakage and associated risks within any organization. The Sarbanes-Oxley Act is a law that protects investors by ensuring the company provides accurate and reliable financial disclosures. It helps in better management of financial data.
An organization has different departments and employees with varied skill sets, all working towards a common organizational goal. The scalability of an organization depends on upskilling its employees. Training gives employees the confidence to work more efficiently. Staff retention is another advantage of training. The international risk management standard AS/NZS ISO 31000 recognizes training as an internal control because it helps in minimizing risks.
A racing car also has brakes. It needs that control to stay ahead in the race. Internal controls play the same role in a business or startup as the brakes do in the car. They help a startup know the legal requirements, standard practices, ethical issues, etc., that make up the control environment. When all these come into the picture, the MVP or prototype will have better quality. Internal controls improve the processes, mitigate the risks and, above all, ensure compliance with laws and regulations.
A startup has multiple hurdles to face to turn into a sustainable and scalable business. The COSO cube, which is the revised COSO framework, emphasizes Enterprise Risk Management (ERM). This requires expert hand-holding. The team at Tickmarks has significant experience working alongside startups to understand and implement ERM most effectively.