Deloitte’s three-part series explores the potential benefits your company can derive from risk assessment, effective internal control design, and regular monitoring.

Public and private companies are subject to different regulatory requirements relating to their financial and operational disclosures, including to whom the disclosures are provided and the level of detail they should contain. Nevertheless, any business can benefit from having transparent financial and operational information available for decision-making and reporting to stakeholders.

As the owner, executive, or investor of a private company, what can you do to increase your certainty about the information coming to you from across the enterprise?
Whether your company is venture-backed, funded by private equity investors, or a family business, internal controls are an important part of the answer as you grow. They can be an integral part of operations that can help mitigate risks and add business value. 

Performing risk assessments 
A system of internal controls should be informed by an appropriately detailed and periodically performed risk assessment that identifies which critical processes might be susceptible to errors, thereby potentially creating quantitatively and qualitatively significant risks for your company. A risk assessment can help you determine what impacts your company might sustain if such errors occurred, and help you focus on the ones that matter most to your business strategy and operations. 

A risk assessment helps you critically think about and answer questions such as: 
<ul>

Once that’s done, it’s time to design and implement the internal controls.

Deploying internal controls 
Designing and implementing internal controls is a multistep process. After performing a risk assessment and identifying specific areas of risk, you should try to gain a clear picture of “what could go wrong” in each area—a prerequisite to understanding your company’s risks and designing effective internal controls. 

Once risks or risk areas have been identified, categorized, and prioritized, it's important to consider what type of internal controls could best mitigate those risks—i.e., preventive or detective, manual or automated. This can vary according to the assessed level of risk and other factors.  

As you implement the controls, don't underestimate the importance of clear and detailed documentation. Control owners—those people responsible for performing the control activities—will only be effective if they have a clear understanding of the process related to the control and the internal control design itself.

With documented controls in place, it’s time to close the loop on the controls environment by developing an effective monitoring program that can help you sustain, monitor, and rationalize the controls over time. 

Extending value over time 
An important aspect of a system of internal controls is determining how to sustain their effectiveness and, optimally, improve them over time. A well-designed internal control framework, informed by periodic risk assessments, can make your system of internal controls nimble and scalable. As your company evolves, new risks may be identified, and previously identified risks may no longer be relevant.
 
A thoughtful and nimble internal control framework, focused on key risks, can provide a mechanism to support the strategic direction of your company. It can help generate sustainable value by providing business insights and validate the data used to develop financial reports. It can even help make your company more competitive and attractive to suitors in the future, depending on your strategic objectives. 

For more information, contact:
Ashok Parmar, Partner
Deloitte & Touche LLP
[email protected]
805-405-0174