Emerging Business: Small Business, Big Risk

By Mark Sheffield, CPA, Principal
ASL Emerging Business Group 

When the Sarbanes-Oxley Act was passed in 2002, large public companies were forced to implement and document formal internal controls. Large companies had to think more about risk and how to strengthen business oversight. Small companies have risk too. Perhaps relatively more risk, because they don’t have the controls the larger companies now have in place. What can small business learn from large business to reduce risk? Here are five processes big companies have that small businesses should also implement.

  1. Implement an Audit Committee: Audit committees in large companies have stepped-up to insure internal processes and systems are working right. Small businesses should have an audit committee too. It can be a sub-committee of board members along with other qualified financial advisors. There should be a written charter of audit committee functions, authority, and responsibilities. The audit committee can help with #2, monitoring accounting results.
  2. Monitor Accounting Results: Large companies have an internal audit function. Internal audits are the next most effective way to detect fraud (after the tip hotline, see #4). Small businesses may not be able to afford an internal audit department. However, they can still monitor or audit their own accounting results by using cross-trained employees, comparing actual to budgeted results, and having the owners review the numbers.
  3. Create a Code of Ethics: Small companies should also have a code of conduct (or code of ethics). Many employees embezzle from their employer because management doesn’t seem to care. The code of ethics also dictates how the company wants its employees to deal with customers and vendors.
  4. Establish a Tip Hotline: The whistle-blower provision is considered the most effective way for a business (including a small business) to detect fraud. Installation is inexpensive, which makes it very reasonable for small businesses to have one.
  5. Do a Risk Assessment: There are several parts to a proper risk assessment:
    • Fraud Risk Assessment- This is the most efficient and cost-effective way to prevent fraud. So it’s a no-brainer for small businesses.
    • Cybersecurity Risk Assessment- This is a hot topic now because of the constant barrage of cyberattacks. Small business is not immune.
    • Regulatory Risk- All business must pay attention to external laws and regulations including vulnerability to foreign tax reporting, foreign corrupt practices laws, and environmental issues.
    • Reputational Risk- Small businesses must protect their reputation. Enterprise risk management principles help mitigate negative social media and ill-advised strategies.