With all the challenges startups face just to get off the ground, is it any wonder if thoughts of compliance requirements are not top-of-mind? Nevertheless, as the board and CFO know all too well, IT controls must become a top priority as the company matures and considers an IPO. Without proper IT controls, you run the risk of hurting both the top line and the filing deadlines.
Traditional internal controls, however, can run counter to the company’s culture and competitive mindset. To satisfy control and compliance requirements without disrupting the company’s culture of independence and innovation, we suggest that startups create their own IT general controls (ITGC). Our point-of-view paper, Agile Technology Controls for Startups – a Contradiction in Terms or a Real Opportunity?, discusses these matters at length.
- Analyze the system environment. It’s important to focus on the necessities. Understand which systems and processes are in scope for the purpose of the compliance audit and determine if some systems can be excluded. Identify owners of each process, and eliminate unnecessary redundancies by aggregating processes under common owners when possible.
- Identify and support key corporate data activities. Utilize existing development operations (DevOps) and agile process activities to eliminate unnecessary, unaligned and ineffective control activities. DevOps and agile process activities should be the basis for identifying and defining key ITGCs, such as test case coverage or automation of regression testing. Add additional control activities as necessary and consider alternative approaches to mitigating risk.
- Define a future-state vision. Create a road map to envision easily how all the processes fit together. Rather than adding new manual activities, you may find that there are automated controls that can be leveraged for ITGCs to increase efficiency. Don’t forget to keep an eye on a “backlog” of improvement opportunities and initiatives that you should consider as you move toward the future.