
Pre-IPO, startups, investors, and internal controls

The importance of controls for pre-IPO, start-ups and investors
What does FTX’s collapse tell us about the importance of internal controls?
Start-ups and pre-IPOs need money to operate and grow their business. Investors are willing to lend money and expect returns on their investments. Investors are expected to spend considerable time (and many do) evaluating the business before deciding whether to invest. Despite this, according to certain reports, more than 50% of startups dissolve within 10 years.
One recent example is the FTX fiasco, which made international headlines. FTX disintegrated overnight after it could not meet a run on deposits, leaving the company with an $8 billion hole in its accounts. The cryptocurrency exchange filed for bankruptcy on November 11, 2022. In FTX’s bankruptcy proceeding, the company appointed restructuring CEO John Jay Ray III, who oversaw Enron’s bankruptcy. In a hearing, Mr. Ray stated, “in my career, I have never seen such a complete failure of corporate controls and a complete absence of trustworthy financial information as occurred here. From compromised systems integrity and faulty regulatory oversight abroad to the concentration of control in the hands of a tiny group of inexperienced, unsophisticated, and potentially compromised individuals, this situation is unprecedented.”
While most investors know that FTX is part of the cryptocurrency industry, which is yet to be actively regulated, the extent of FTX’s failure raises questions about management intent, the lack of effective governance, and the poor risk management practices and ineffective controls in place at such companies. What risk- and control-related information might have helped investors exercise better control and judgment over how their money was being used? Is relying on auditors good enough anymore?
Regulating the industry and auditors’ responsibilities are topics for another day. Still, there is a view that better awareness and timely disclosure of risk management and internal control information might have given investors what they needed to prevent some of this.
One thing is clear. Investors need to be more aware of how risks are managed and how effective some controls are, irrespective of the business size, as their investment is at stake.
What can be done about this and what is required?
Investors and Business managers need better insight into identifying and managing risk. This does not mean unleashing more accountants and risk managers to add expensive solutions and costs to the business, increasing bureaucracy and slowing the business down.
At the same time, a new start-up’s governance and risk management challenges differ from those of a company preparing for its IPO. What does a pragmatic approach look like? This blog will focus on the steps start-ups and pre-IPOs can consider in establishing a fit-for-purpose and pragmatic approach to achieving effective governance and risk management to reduce the chances of business failures.
Step 1: More awareness of Risk management and internal control basics so that the investors can be equipped with the right knowledge to ask the right questions.
Step 2: Investing in the right tools that will enable Business managers to identify, manage and report on risks.
Awareness: Risk Management and Internal Controls

For businesses, Risks can be broadly categorized as per the below table:
| RISK CATEGORIES | WHO IS RESPONSIBLE FOR MANAGING RISK | DESCRIPTION |
|---|---|---|
| Enterprise Risk | Typically the board of directors. ERM team made up of CEO, CRO, COO, CIO, CFO | These deal with risks emerging from customers, suppliers, political, environmental, legal, competition, etc., that underpin a company’s strategy and its roadmap to achieving it. |
| Financial and Accounting risk | Financial Risk Manager, CFO | These risks deal with financial risks, which include liquidity & cash flow, fraud prevention, accounting risks, bad debts, etc. |
| IT, Data and Access Risks | C-Suite – ultimately the CEO | These ensure that IT systems are available and protected from cyber threats. Data is carefully managed, and access to this information on the company’s platform is regulated and restricted. |
What are the right tools and technology to help manage risk and protect your investment?
Depending on their size and nature, businesses need to invest in an appropriate risk management system that tackles the following risk categories.
1) Enterprise Risk management
2) Financial risk management
3) Access, IT & Data security Management (data security & fraud prevention)
| RISK CATEGORIES | STARTUP | PRE-IPO |
|---|---|---|
| Enterprise Risk | | SafePaaS |
| Financial and Accounting risk | | SafePaaS |
| IT, Data & Access risk | | SafePaaS |
Small start-ups and pre-IPOs have very different needs regarding the type and number of internal controls they require to operate effectively. A small start-up, for example, may only need entity-level controls and can track them manually on a spreadsheet. In addition to entity-level controls, pre-IPOs need financial and IT general controls.
SafePaaS is an ideal solution for pre-IPOs because it is incredibly flexible and scales at the pace of your business. You can detect potential control violations on any of your internal controls and detect sensitive access risks for all users and identities.
How can SafePaaS address your pre-IPO needs?
1. Entity-level controls
Proactive Enterprise Risk Management (ERM)
Establish an ERM framework and monitor enterprise risk and KRIs to reduce the frequency and severity of losses. Act in real-time to perform root-cause analysis with ad-hoc reports, reduce process inconsistencies, and make better decisions by adding context to data from multiple sources. To proactively address enterprise risk, SafePaaS can:
- Use audit analytics and compliance monitoring with interactive dashboards and reports for real-time corrective action modeling and allow business managers to explore risk exposure ad hoc.
- SafePaaS audit, risk and compliance solutions monitor risk and controls in any ERP system to improve testing effectiveness and findings across the enterprise in a single integrated solution.
- The solution allows pre-IPO companies to establish a unified platform to efficiently manage enterprise-wide Audit, Risk, and Compliance processes. Executives, Business Process Owners, Internal Control Managers, and Auditors can improve their productivity by collaborating on key audit, risk and compliance tasks such as risk assessment, control activities, independent audit, remediation, and management certification. SafePaaS provides a role-based dashboard to ensure that management can make timely and accurate decisions based on complete insight to mitigate risk proactively.
- Implement risk assessment processes to meet your pre-IPO objectives while building your Risk library with processes, risks, and controls.
- Manage enterprise risk ratings like impact and likelihood that best describe your approach to risk evaluation.
- Manage Control Design based on the contextual framework to measure risk factors before controls (inherent), after controls (residual), or both.
Compliance management
Transform compliance “silos” with a single enterprise platform that delivers reduced testing time, standardized self-assessment, and management certification templates. To help ensure regulatory compliance, SafePaaS can:
- Integrate with ERP controls to streamline compliance with continuous monitoring. Management can easily update documentation and certify internal controls to comply with the most complex regulations, such as Sarbanes-Oxley (SOX).
- The solution can be configured to support various industry and regulatory frameworks such as AML, Basel II, COSO, COBIT, GDPR, FCPA, FISMA, FERC, HIPAA, NCR, OMB-123, OSHA, PCI DSS, and Solvency II.
Audit analytics & planning
The run-up to your first audit can be stressful, making preparation and testing of controls essential in the IPO process. To plan and prepare for your first audit, SafePaaS can:
- Transform audit management to a data-driven service by shifting repetitive tasks to intelligent audit bots that can free up time and eliminate errors.
- Replace time-consuming audit scripts with business objects based on metadata representing complex data structures of enterprise applications to prevent losses such as “duplicate payments” within minutes.
- Detect hidden risks in data such as “similar suppliers” using fuzzy rules where such errors slip through discrete logic.
- Substitute ineffective sampling methodology with non-linear pattern recognition in large data sets in real-time and at scale to identify complex risk events such as manual journal entries created and approved by the same user in the current fiscal year.
- Reduce risk exposure window by enabling closed-loop issue/remediation workflow with event-driven escalation hierarchy.
- Audit Planning enables you to schedule projects and resources, so there is a clear view of work assignments and tracking of audit testing in an annual plan.
- Web-based audit planning tool for small or large groups, allowing multiple plans to support enterprise audit objectives.
Segregation of duties (SoD) policy management
The complexity of enterprise applications has increased the risk of SoD control violations. All major audit firms are testing SoD controls and holding executives accountable for successful risk remediation. To mitigate SoD risk, SafePaaS can:
- Analyze SoD conflicts with a risk-based SoD analysis, including hundreds of SoD rules based on thousands of application functions in our rules repository.
- Rapidly reduce SoD risks and conflicts with a workflow-enabled process that includes process owners, application managers, IS security, and auditors.
2. Financial controls
Automated financial control monitoring
SafePaaS continuously monitors business activities within your enterprise applications with instant access to the most extensive catalog of automated application monitors covering major processes such as Procure-to-Pay, Order-to-Cash, Hire-to-Retire, Design-to-Ship, and Financial Record-to-Report. To ensure smooth business processes, SafePaaS can:
- Monitor ERP Configuration Controls to mitigate financial and operational risks by ensuring the accuracy and consistency of application configurations required for processing business transactions within your ERP system.
- Monitor transactions to improve your visibility into financial, operational, fraud, and risk management controls by automating Transaction-level Compliance to stop cash leakage and financial losses. It empowers business users to prevent control failures across all key processes.
- Monitor master data to mitigate financial and operational risks by ensuring the accuracy, consistency, and timeliness of the data that ERP systems require to execute effective business processes. You can ensure the consistency of master data by identifying duplicate records, which often occur in ERP systems simply because the user is not aware of the existing record or works around the system controls by using a modifier on a record key to update key attributes such as supplier payment terms or payment currencies.
3. IT General controls
Self-service identity-based access provisioning
Organizations must regulate user access permissions on IT assets to avoid internal security risks and comply with regulatory requirements.
SafePaaS automates and streamlines user account creation and controls privileges, making it easier for IT administrators to manage the organization’s identity and access management program. To ensure seamless and secure provisioning of user access, SafePaaS can:
- Safeguard your most important business information against cybersecurity risks with policy-based centralized user identity management and access control orchestration.
- Improve productivity and reduce costs by enforcing access policies, such as segregation of duty (SoD) rules, before violations get introduced into the ERP environment, controlling the exposure of sensitive business information to potential threats and vulnerabilities.
User access certification
Access certification is mandatory for compliance and risk management. With access certification, organizations can validate users within systems and ensure their access privileges are appropriate based on their role in the business. To provide zero-trust user access, SafePaaS can:
- Automate periodic user access reviews to comply with access policies and maintain an audit trail to support IT General Controls.
- Enable managers to detect dormant users and unauthorized system access.
Having a solution like SafePaaS in place to prepare for SOX compliance removes the pain and pressure of pulling together your supporting audit documentation and evidence. SafePaaS provides the data and security needed for pre-IPO SOX compliance by securing risk across all your business applications, automating manual tasks, and enforcing internal controls.
*** This is a Security Bloggers Network syndicated blog from SafePaaS authored by Emma Kelly. Read the original post at: https://www.safepaas.com/uncategorized/pre-ipo-startups-investors-and-internal-controls/