IT Controls for Tech Startups? Yes, It’s Possible.

Steve Hobbsby Steve Hobbs, Managing Director
Leader of Protiviti’s Public Company Readiness Practice




For cutting-edge tech companies focused on not just staying ahead of but shaping the technological curve, compliance issues are hardly a top priority. In fact, it is common for these companies to treat the subject with disdain, and view it as running counter to a tech startup’s innovative, entrepreneurial and fast-paced culture.

Placing compliance on the back burner, however, can be costly, especially as a company grows its customer base or considers an initial public offering (IPO). A lack of IT controls not only could disrupt filing deadlines and cause headaches at audit time, it can also turn away cloud providers’ customers who themselves have to prove the presence of controls to their auditors.

Consider this:

  • Public companies are required to establish effective IT general control (ITGC) frameworks to comply with the Sarbanes-Oxley Act. This includes areas such as change management, data quality/governance and disaster recovery.
  • Cloud and other service providers increasingly are being asked to provide Statement on Controls (SOC) reports for the IT general control frameworks associated with their customer-facing systems environments.
  • The Public Company Accounting Oversight Board (PCAOB) and the new COSO framework have introduced requirements for financial controls assessment and increased scrutiny of ITGC frameworks and IT risk management.

In the face of these demands, what is a tech startup to do? Many find themselves halting development activities and backtracking to provide adequate evidence of approvals and other controls to audit teams. This is a time-consuming and disruptive process that can cause frustration and, in the end, may still fail to satisfy external auditors and customers.

A better approach is to move away from traditional control checklists and templates to a more flexible ITGC framework compatible with innovative software development practices. By matching the controls environment to their non-traditional business practices instead of vice versa, tech companies can strengthen controls and achieve compliance objectives without compromising flexibility, speed, drive and ingenuity.

Two strategies towards building this new framework are process rationalization and agile activity alignment.

  • Process rationalization: Companies can reduce process redundancy (rationalize processes) by aggregating similar but unconnected processes used by different teams under common control activities, which leads to more centralized controls and reduced time in applying them. This is especially true in areas such as software development and access management.
  • Agile activity alignment: In agile software development, approvals could be shifted to the end of each development iteration rather than at every sequential development phase. This ensures control while cutting down on administrative effort that doesn’t contribute to the production of quality software.

Is your company feeling the pressure to put better ITGC controls in place? Asking the following questions should help you get started:

  • What systems and processes are in scope for the purpose of your compliance audits (SOX or SOC)?
  • What areas are in need of additional controls?
  • What existing activities can be used to mitigate key risks?
  • What alternative approaches can be used to mitigate key risks?
  • What is the future-state vision for your controls framework (generating a backlog of improvements, leveraging automated activities, etc.)?

Customers demand speed, agility and assurance, and regulators demand formalized controls. Emerging tech firms can meet these demands without hampering their speed and innovation using out-of-the-box thinking and the approach we outlined here.

What control challenges does your tech company face? Let us know in the comments.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s