Internal Controls Critical for Non-Regulated Businesses Too
By Mike Raia Posted March 15, 2016
The recent unpleasantness surrounding the very successful HR benefits software company, Zenefits, was an example of the importance of internal controls in an organization. While in the case of highly-regulated, compliance-conscious industries like pharma, insurance, finance, etc. mistakes can be catastrophic, internal controls and compliance are critical in any business.
To recap, Zenefits' issues centered around inadequate internal processes around state licensing requirements and skirting regulatory requirements through other means (the investigation is ongoing). According to the new CEO, David Sacks, "internal processes" around compliance have been "inadequate" but the issue seemed to be more than just about processes. He said, "Our culture and tone have been inappropriate for a highly-regulated company." More information is available here, and here, and here.
More on the "culture and tone" issue later, but while the repercussions of inadequate internal processes for highly-regulated companies are great, there is a great deal of risk for any company when compliance is taken for granted. Some examples:
Whether or not you're organization is in the business of finance, placing strong internal compliance controls on finance activities should be a "sooner rather than later" proposition. Especially for high-growth companies, putting processes in place for things like capital/operational expenditure requests, ledger entries, travel expenses, wire transfers, etc. may be seen as "slowing down." The reality is that this is a good example of "slowing down to speed up."
The problem with neglecting these compliance initiatives is that at some point the company will grind to a halt as it tries to clean up the messes caused by years of uncontrolled spending and unapproved decisions. So if your options are a short period of "slow" or a long period of "stop?" Which would you choose?
We work with a large telecommunications company that takes its brand very seriously. Our software runs under the umbrella of their Brand Center, which is a portal for employees, partners, and vendors to get guidance and submit requests related to maintaining brand integrity. This Brand Center is taken very seriously not just by the Marketing team, but by everyone who uses it as well as the C-Suite. When a brand is valuable to a business, there are no compromises. The damage that can be inflicted by one unapproved tweet is immediate. The damage from a poorly-managed brand image can be slower but even more dangerous.
- Imagine a partner putting your logo on a new product without your approval. The product turns out to have serious flaws.
- Imagine a salesperson showing up at the biggest tradeshow of the year with some sales collateral and business cards they printed at home.
- Imagine a local affiliate running a commercial that misspells your tagline.
These things, on their own, are bad, but when they become systemic, your brand and your organization can become considered "amateurish" and confidence in your organization erodes. That means fewer sales, more customer defections and loss of market share.
I've worked at companies where the hiring process was solely the responsibility of the hiring manager. Often the methods for finding, reviewing and onboarding new employees varied drastically from manager to manager with HR and Finance often being the last to know someone was starting. The results were predictably unpredictable, usually on the bad side of "unpredictable." Here's where a lack of internal controls can negatively impact bringing on new co-workers:
- Approval: Before the hiring process even begins. What steps are taken to ensure a new or replacement position is valid and has been approved by executive oversight? A flurry of emails in all directions is sometimes employed but there's a good chance a key stakeholder will be left out of the loop or fail to reply in due time. Besides, as an approval tool, email is horribly inefficient.
- Requirements: On their own, how well does a hiring manager determine things like salary, benefits, qualifications, culture fit, etc.? Some may get most of it right. Others may get none of it right. How well do they craft a job description? Is the messaging on point? Without a process in place that ensures interaction with hiring professionals, this is all left to the skill/experience of each manager.
- Recruiting: Instead of using existing company resources, including knowledgeable and trained recruiting staff, hiring managers simply freelance and search amid small networks or past employers, friends and family. While great hires can be found through these channels, the assumption is that there is no one else in the world who could be better for the position. The odds are obviously patently against that notion. In addition, they may ignore internal candidates that HR is currently developing.
- Screening: What kind of background, skills grading, personality testing, etc. are done without internal controls? In most cases none.
- Hiring: Are official offer letters sent? Are the proper contracts drawn up? Are offers in keeping with company policy? Is any of it reviewed by the proper executives in legal, finance and HR?
- Onboarding: I could go on and on about proper onboarding (in fact, I did!) and how implementing a standardized onboarding system is crucial to employee development, but I think you get the importance of internal controls in HR by now.
As you can see, while many folks think of highly-regulated organizations as those most in need of internal controls like workflow management, the truth is that almost any organization can benefit from a focus on standardization and consistency in their operations.