Proof of concept. Product market fit. Growth hacking. For venture-capital-backed companies, these terms cause more excitement than some of the other business concepts that have recently dominated newspaper headlines, namely risk management, internal controls, and compliance.
As news related to culture and controls at high-profile startups is netting media attention, we received more requests from boards on what they need to do to ensure that the same troubles don’t befall the companies they serve. If a startup fails, it ought to be for business reasons and not on regulatory issues or internal control weaknesses. What can a company do to avoid these pitfalls?
At the board level, the audit committee is a logical starting place to house facets of risk management oversight and internal controls, even if the committee’s charter doesn’t specifically enumerate these duties. The latest edition of KPMG’s Audit Committee Guide is a primer on the general expectations of audit committees at companies of all sizes, public and private. To understand how putting a spotlight on controls may affect how the audit committee approaches controls, we reached out to investors and independent directors of venture-capital-backed enterprises.
One experienced director told us that early-stage, start-up boards would be smart to prioritize audit committee-like reviews of financial reporting processes and internal controls. “Bring in an independent director as early as possible. It’s just good governance hygiene,” he said. In addition to oversight of financial reporting risk and managing the relationship with the external auditor and internal audit, audit committees can also play a critical role in the understanding and oversight of the non-financial risks that the company faces in relation to legal, regulatory, and compliance responsibilities tied to the company’s core business. “Regulated industries face additional levels of control concerns that may not reveal themselves in a financial review,” one director remarked.
Information technology (IT) is another such risk. “Unless you have a Service Organization Controls report or an audit of payment card industry compliance for companies that process credit cards, there will be gaps in the board’s understanding of IT risk,” said one audit committee chair. “It always comes down to capital and resources, including the board’s time. IT risk is one place where the audit committee can come in and ensure that there are resources for an independent review.”
Company expansion activities—from hiring to mergers and acquisitions—are also prime areas for the audit committee’s oversight. “Some of the controls that you had in place may no longer be effective,” one director opined. “How does integration impact controls, particularly in functional areas like cash management or permissions? The more people you hire, the more types of controls you need.”
Every member of the audit committee has oversight of risk and controls on their radar screens. But when there are so many things to get done—driving revenue, building out the business—oversight of “back-office issues” can be an afterthought. “As an audit committee member, you have to push these issues to the forefront. You have to have thick skin and make your concerns a priority for the company,” one director said. “Unlike a public company setting, mistakes can be corrected and the board and investors may have some tolerance as the control functions are developed, but let’s get it addressed.”
But, even a little room for error at first can eventually turn into big headlines.