Unlocking enterprise value
There is significant value that accrues to an enterprise that streamlines its organizational structure, produces reliable financial information, establishes strong controls and has a corporate culture that drives employees to do the right thing. This value, however, is often overlooked.
In a company’s early years, management’s focus is primarily on product creation, customer development, distribution logistics and fundraising. During this early stage, development of business processes, controls and corporate culture is often set aside; and, in many cases, is not attended to until the company is preparing to go public or when there is a costly breakdown in systems or information. But much of the enterprise value is locked up in how reliably it operates, not just what it sells. This value can be realized by building control maturity.
Over the last six years, we have led efforts at over fifty companies to improve control maturity. Our experience in leading these engagements has enabled us to reduce what can be a complex and expensive process to a simple set of straightforward and relatively inexpensive steps. Our process is based on the framework developed by the Committee of Sponsoring Organizations (COSO). This framework is used by public companies to comply with the Sarbanes-Oxley Act, but don’t let that frighten you off. If implemented judiciously, this framework can be a powerful and effective tool for any company. In the paragraphs that follow, I will share key steps to a judicious implementation along with tips to assist in making good decisions along the way.
Assessment 1 –
Financial Reporting Risks
Conducting an assessment of financial reporting risks is a logical place to start. Begin by mapping out each business process (like purchasing) and subprocess (like requisitions, receiving and disbursements) and then evaluate the relative risk by asking: how material are the transactions which flow through this process; what is the transaction volume; how complex are the transactions; is judgment or estimation involved; how susceptible is the process to errors or fraud? Most businesses have two to four critical business processes that represent the greatest risk of something going wrong. By focusing on these critical risks, control maturity can significantly improve… and that can have enormous value.
Tip – Taking time up front to carefully evaluate and document risks focuses the project and creates a roadmap for where effort should be expended.
Assessment 2 –
Now that you have assessed where the risk lies, turn your attention to defining objectives, evaluating risks and developing controls over these critical business processes. Ask what the objective of this business process is and what could go wrong? Then design a control structure that is responsive to the risks, without going overboard. One thing we have learned over the years is to economize on the number of controls and make them really count. In most critical business processes there are somewhere between six and ten key controls. If these key controls are carefully designed, they can be very effective. Ironically, stripping away redundant or ineffective controls can oftentimes improve the control structure while reducing processing costs. A couple of tips:
Tip – The best controls are built-in rather than bolted on. Controls work best when they are part of operational oversight. For example, analytical processes like comparison of business results with meaningful benchmarks can be part of effective operational oversight. If done at the right level of precision, these analytical procedures can also be effective controls.
Tip – By automating controls a company can improve control reliability and reduce processing costs. Generally, this is achieved by designing around existing software functionality.
Assessment 3 –
Most people think of controls as activities that occur along a business processing stream. They are right. However, cross-company policies that set norms for how employees are expected to behave and work together have a significant impact on the effectiveness and reliability of the control structure. In fact, the impact of corporate culture can be even more significant than the design of processing controls, and it is often overlooked as a place to devote significant attention. Examples of cultural controls include communication of core values, hiring practices, internal communication, employee development and incentives. A significant resource for understanding and evaluating cultural controls is COSO’s supplemental guidance for smaller enterprises (Internal Control over Financial Reporting – Guidance for Smaller Public Companies, found at coso.org/publications). Evaluating and improving these controls can have a pervasive impact on the control maturity of a company.
We generally look at about 85 different key attributes of a company’s internal environment that can be benchmarked against attributes found in companies as they move up the spectrum of control maturity. We then assess logical steps a company can take to improve control maturity, some of which can be implemented now and some which can be rolled out as the company continues to mature.
Assessment 4 –
IT General Controls
Depending on a company’s level of dependence on technology systems, the need for IT controls can vary greatly. However, in every company, there are two IT controls that should be evaluated: change controls and user access controls.
Simply stated, change controls help ensure changes in a production system have been properly approved, developed, tested and validated. User access controls isolate information access and enable a company to properly segregate incompatible employee duties. An often-used guide for evaluating these controls is published by ISACA (isaca.org) titled IT Control Objectives for Sarbanes-Oxley 2nd Edition.
We generally evaluate a company’s control structure against these and other established benchmarks and develop steps to remediate control deficiencies.
Unlock Enterprise Value
Optimizing business processes, controls and corporate culture can unlock enterprise value. The four key assessments outlined above can help a company to realize this value. With proper planning and focus these assessments can be done in a cost effective manner, and the benefits can be enormous.
Originally published in the North Bay Business Journal, Executive Legal & Accounting Guide July 27, 2009