Internal Controls

View this page in: Français
Sal Bianco
Sal Bianco
Partner, Private Company Services
"Lack of internal controls can lead to legal and financial consequences."

Looking beyond the financial statements to reduce risk

Can enhanced internal controls reduce risk? The answer is an emphatic yes. And the benefits for private companies—during good times and bad—can be more significant.

Many private company leaders believe internal controls focus solely on financial statement integrity. But the reality is they are far more robust than an exercise in documenting approvals; they can protect the business from a wide range of operational and financial risks across the entire organization. According to Sal Bianco, partner in PwC’s Private Company Services practice and national leader for the Engineering and Construction Industry for PwC Canada, “Internal controls get to the heart of knowing how your business is being run.”

So, what are internal controls? Risk-based internal controls are designed to help a company achieve their objectives, from financial to operational:

  • Effectiveness and efficiency of operations: Clarify the roles and responsibilities of management and employees, greater controls over the management of business growth, reducing costs resulting from greater operating efficiency, and increase operating performance.
  • Reliability of financial reporting: Facilitate the availability of more accurate and timely information to better manage the business, reduce the risk of errors or irregularities, and heighten management’s credibility with stakeholders.
  • Compliance with laws and regulations: Reduce the risk of employee or customer litigation or business disruption, and create more credibility in contractual relationships with vendors, customers and regulators.

Effective risk-based internal controls also lead to other powerful benefits, such as lower borrowing and financing costs by ensuring more accurate reporting and compliance with debt agreements; an increase in interest from private equity investors and venture-backed firms who seek companies with strong and well-documented internal controls; and readiness for an initial public offering.

The end result: having strong controls in place goes straight to your company’s bottom line.

Indeed, the global economic downturn showcased a breakdown of companies caused by lack of internal controls. To conserve cash, many private companies turned to cost-cutting and downsizing efforts, but wound up as victims to a host of consequences, including financial fraud. The line between acceptable and unacceptable behaviour is often blurred in times of economic uncertainty.

Reduction in the number of staff, for example, often limits the ability to monitor business activity, leaving the business susceptible to fraud and other internal control issues. “Lack of internal controls can lead to legal and financial consequences by failing to manage organizational risks,” says Bianco.

“Private companies need to remember that it is far more time and resource consuming to deal with the consequences afterwards, than to implement sound internal controls up front.”

Key areas to consider
While the vast range of internal controls can sound daunting to many private company owners, the good news is that many effective controls are neither expensive nor time-consuming to put in place. The key, Bianco suggests, is for private companies to remain flexible: “Review the major risks facing your business, and then see what kind of controls are feasible to put in place— now and as the company grows.”

When reviewing internal controls, Bianco recommends that private companies consider the following areas:

  • Controls not in place or not functioning. In many private companies, controls are informal, manual and lack discipline. Conduct a review of the controls that are in place and ensure they are regularly evaluated for continued compliance and effectiveness.
  • Lack of preventive controls. Even companies that have controls may only have detective controls—those designed to spot problems after they already occurred, rather than preventive controls—those designed to avoid potential problems. “Detective controls are like trying to catch the horse after it’s already escaped from the barn. This would include, for example, an investigation into unaccounted for finances at month end. The goal should be to reduce the risk of occurrences by increasing preventive controls,” says Bianco.
  • Game-changing operational risks—and opportunities. Put formal processes in place to identify and assess game-changing events and the risks inherent in such events. A prime example is setting controls to monitor and understand competitors’ strategies and their potential impact— to better, and more quickly, respond to innovations in the marketplace.
  • People-related risk. “Having more stringent internal controls does not mean employing more people; it means having the right people,” explains Bianco. Consider joining outsourcing pools to save on resources, or engaging external services providers like accountants, lawyers and IT specialists on an as-needed basis instead of hiring full-time staff.
  • Information, reporting and communication risk. Risk often arises when information used for monitoring operations is flawed or inappropriate. Ensure that source data in reports is checked periodically and that important information is communicated to appropriate individuals on a timely basis.
  • Asset security and regulatory risk. Secure financial and physical assets, as well as information technology assets—both hardware and software. Protecting intellectually property, such as formulas and customer information, is equally important.
  • IT risk. Most IT risk (e.g. data breaches, malicious attacks on networks) results not from technology itself but from decision making. Take into account the full range of the potential business consequences of technology-related failures.

The bottom line: internal controls can effectively reduce financial, operational, legal and reputational risk. However, Bianco warns that internal controls can only do so much to avoid the land mines associated with risk. “Management and employees need to take responsibility as well, which starts with setting the tone from the top. If a focus on risk management is either unclear or poorly communicated, or never communicated to begin with, private companies can expect an increased risk of unethical behaviour and other consequences.”

 Comment on this article.


Let's Talk: Internal Controls (385 KB)
Download the full PDF publication.


Let's Talk is part of our PwC Private Business Exchange program — a dynamic, interactive community of private business owners and executives. To read all articles in the Let's Talk series, please follow the links below:

Making time to grow your business
Roadmap to a successful social media strategy
Plan more, Pay less: Effective tax strategies for your family business
Planning the next move: Successfully transitioning to a professionally-managed business
Succeeding through succession: Using succession planning to build value and talent
Growing mobile
Driving growth with your supply chain
Advancing the growth agenda
Making strategic planning real
Connecting With Social Media
A business case for sustainability
A Healthy Family Business
The 21-Year Rule is Taxing on Family Trusts
U.S. Estate Tax Laws: What you need to know
Embracing the Power of the Cloud
Internal Controls
Fighting Fraud
Five Steps to a Greener Business
Freezing Your Estate
Maximize Your Tax Savings
Risk Management
Dealing with Your Banker