Change is inevitable, and we know this now more than ever. The technological disruptions that were hastened by the exigencies of the pandemic have now become widely accepted and mainstream, with such changes continuing to grow more rapidly each day.
The pace of change in organizations has also accelerated. As a response to risk events such as cybersecurity breaches and fraud, especially during the pandemic, organizations had to quickly reinforce controls to protect their assets and manage compliance, reputational and legal risks. Regulatory activities have increased over the last several years in response to these events, and recently, as a result of corporate failures from previous decades, have become a race to adopt a compliance-focused mindset.
With the pandemic slowing down, some companies are now re-aligning risk management with changes in business models and emerging risks in the face of disruption and technological advancements. This is challenging for private companies, especially for small- and medium-sized enterprises (SMEs), which are recovering lost growth and managing transitions to more resilient business and operating models while simultaneously meeting new demands from internal and external stakeholders.
Private companies have an opportunity to clarify or reinforce the roles and responsibilities within their internal control environment, stressing that management is responsible for internal controls. Enhancing internal controls by formalizing ad hoc practices, creating units or departments that will complement the monitoring functions of existing business units (such as the compliance department or risk management unit) or strengthening internal audit are some ways to respond to the emerging risks. Controls need to respond to the challenges of ever-changing business and regulatory landscapes. Private companies cannot just focus on growth today; they need to level up to ensure they protect their future.
CREATING A WELL-DEFINED GOVERNANCE STRUCTURE
Clear reporting lines and a strong governance structure play important roles in any organization’s internal control environment. A well-defined governance structure provides an end-to-end view of stakeholder involvement by clearly assigning process ownership and accountabilities, identifying the roles and those responsible for responding to risks, and ensuring that controls are working. It also describes how performance ratings of the control owners are linked to the effectiveness of the controls for which they are responsible.
Since maintaining a strong internal control environment normally involves people who work in various functions within the organization, the governance structure of a private company should be designed such that it enables effective coordination and communication across various business units. Having a well-defined governance structure in place also facilitates the timely reporting and analysis of any observations and findings on the effectiveness of controls. This in turn helps ensure that any weaknesses and deficiencies are identified, appropriate risk and impact assessments are performed, and remedial action is taken and implemented.
PERIODIC REASSESSMENT
When governance structures and internal controls are not regularly reassessed, private companies may struggle to keep up with the pace of disruption and change. With today’s dynamic operating environments, controls that worked in the past may no longer be as effective today.
As complexity and disruption continue to rise in business, performing periodic reassessments enables private companies to evaluate whether the owners and management still have the appropriate level of oversight over business processes. It also helps private companies assess whether their current structure still fosters a culture of risk awareness and whether internal controls still work as effectively as intended. By periodically reassessing internal controls and their governance framework, private companies can also identify opportunities for improvement and optimization. This includes automating certain processes and controls as well as updating the controls mix in response to changes in the business.
AGILE RESPONSE
Private companies should stay on top of the changes in business, regulatory, tax and financial reporting requirements, and weigh any possible resulting risks to the organization. It is important that private companies have a process to identify these changes early and communicate them to those responsible for related processes and controls.
By being proactive, private companies can timely assess the impact of changing regulatory requirements on various functions across the organization, such as governance, technology, people, policy, processes and controls. This also helps facilitate an appropriate interpretation of the changes and their application to the business, enabling management to evaluate whether the current internal control environment remains adequately equipped to respond to the changes.
Private companies can stay abreast of these changes by regularly monitoring updates from organizations such as the Philippine Financial and Sustainability Reporting Standards Council (FSRSC) for accounting standard updates, the Securities and Exchange Commission (SEC), the Bureau of Internal Revenue (BIR) and other regulators for new developments and updated regulations. Private companies need to empower their C-suites, such as chief financial officers, chief risk officers or chief legal officers, to proactively discuss changes with the board and craft related action plans. When evaluating the impact that the changes have on the organization, private companies should also closely coordinate and work with their external advisors, experts and even external auditors to ensure that a holistic view of the impact is being considered.
TALENT RETENTION AND UPSKILLING
The success of sustaining an effective control environment also depends on the resources involved. Given the pace of change, private companies may need a workforce with a broad range of skills and competence. It is therefore important for private companies to consider whether current skillsets in the organization are sufficient in addressing its changing requirements. Given their growth strategies and the anticipated changes in their business, private companies should also consider whether these are the same skillsets they will need in the future to maintain an effective control environment.
Any gaps in skills should be evaluated for their impact on the organization. Similarly, the organization should identify solutions that can address gaps, such as expanding the sources of talent and upskilling the current workforce through partnerships with training and learning providers.
For private companies that are implementing new processes or migrating manual processes to technology-enabled solutions, it is important that, as part of the transition, the organization also evaluates whether the resources selected to monitor the scope and mix of internal controls continue to possess the necessary skills and competence.
BUILDING CONFIDENCE IN INTERNAL CONTROLS
The ability to respond to the challenges of today and the future by identifying and managing risks early is a vital enabler of success for any business regardless of its stage of growth. Since businesses with strong and effective internal control environments are in a better position to timely identify and mitigate risk, it is increasingly important for private companies to build confidence in their internal control environment if they are to succeed in navigating business and industry disruptions. Having effective internal controls, especially on financial reporting, builds confidence in the information that management uses. Suffice it to say, timely and reliable financial information are crucial in making impactful business decisions.
Investing now to manage the risks of the present and beyond is as crucial as spending to grow a business. In the long run, a strong and effective governance and internal control framework that is responsive to the changing business and regulatory environments will enable private companies to continually build and strengthen the right foundation to support their growth ambitions, comply with regulations, sustain long-term profitability and protect company value.
This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinion expressed above are those of the authors and do not necessarily represent the views of SGV & Co.
Kristopher S. Catalan is an assurance partner and the EY private leader of SGV & Co., and Dwayne G. Ignacio is a manager from the Financial Accounting Advisory Services (FAAS) of SGV & Co.