Startups need to focus on the Unsexy – It can make or break them

Cash is King! People say. That’s the more true in the startup world than anywhere else. Having cash in your bank account ensures that you can survive and maybe become a Unicorn.
Most founders focus on the problem of getting more cash but if they also focus on how they are spending the money they can ensure that they are not overly dependent on external funds.
One key tool to monitor your cash is doing bank reconciliations on a regular basis. This is a very boring,time consuming and completely unsexy job which requires hours of sitting and comparing transactions in your back account with your books of accounts. However its an essential control which can be implemented without any technology and ensures that you as a founder know where is your money going and all the money that is due to you has actually hit your bank account.
“Show me the money” said Tom Cruise in Jerry Maguire and I feel a lot of startups just get happy with seeing the money by way or orders, transactions etc. However, until the money actually hits your bank its an illusion.
If founders only focus on the illusion then they are setting themselves up to die as a venture cannot survive without cash. Its like walking towards a mirage in a in a desert.
Bank reconciliations also ensure you know if you are over paying/double paying or if someone is cheating you. I have seen large companies loosing millions on due to over payments to vendors. They can take that hit but a startup already starving for cash cannot. 
So make sure you ask your accounting team to give you a status of bank reconciliations every week and if they are not doing it get to start. It maybe the one thing that helps you keep above water till your next round of funding.

Did the Internal Audit department of VW warn the management?

A recent internal audit at VW in response to the scandal revealed that that Bosch (the company that supplies electronics to the auto industry) warned VW only to use the cheat mode internally back in 2007, and that a whistleblower tried to raise the alarm internally in 2011.

You can read more about this at

False Revenue in the books is an ongoing risk

Recently shares of chipmaker Marvell plummeted on Friday after the company said it was unable to file its quarterly earnings results on time, but that it expected to post a whopping $382.4m net loss.

As per Marvell’s SEC filing Audit Committee of the Company’s Board of Directors is conducting an independent investigation to review certain revenue recognition issues in the second quarter of fiscal 2016 and any associated issues with whether senior management’s operating style during the period resulted in an open flow of information and communication to set an appropriate tone for an effective control environment. More specifically, the investigation has focused on the approximately 7 to 8 percent of revenue recognized in the second quarter of fiscal 2016 that, based upon the original customer request date, would have been received and earned in the third quarter of fiscal 2016 and is now no longer available for receipt in that quarter.

As internal auditors this is one area which of perpetual risk given the pressure management at all levels has to meet revenue targets.

Source :

Risk from Mobile Applications

As communication channels are opening up and smart phones are gaining popularity, hackers are taking advantage of people forwarding messages without validating the details.
In one such instance information about a mobile app from RBI started to make the rounds only to discover that it was a fake app.
Please read RBI’s press release below:-
“It has come to the notice of the Reserve Bank of India that an app (application) is doing rounds on What’s App purportedly to facilitate checking of balance in customers’ bank accounts. The application has an RBI logo with the title ‘All Bank Balance Enquiry No’ and has listed several banks with either a mobile number or call centre number.
The Reserve Bank wishes to clarify that it has not developed any such application. Members of public are, therefore, advised to use the application, if at all, at their own risk.
Alpana Killawala
Principal Chief General Manager”
Press Release : 2014-2015/2148

Learning to see the Big Picture

I saw an interesting video on TED today on How art can help you analyze – Amy E. Herman. In the video Amy talks about how learning to analyse art can help doctors, nurses, police officers learn real world skills. Studying art like René Magritte’s Time Transfixed can enhance communication and analytical skills, with an emphasis on both the seen and unseen.

You can watch the video here

This method could also be used as a tool to help internal auditors be better at their jobs and help them see the whole picture or the bigger picture.

A big challenge while training internal auditors is how does one teach the softer analytic and investigative skills that are required to make a good auditor. Case studies can only take one so far, since they only teach how one should reach in situations similar to the case study.

In the past while working with new staff who has joined the audit function from the business you are always faced with a problem of how to teach them to ask the right questions and tailor their approach for the situation they are in. When we cannot teach this skill effectively, the amount of rework and review points go up. Along with this the frustration levels also go up.

As a young auditor you learn to anticipate the type of questions your manager always asks and ensure you have those aspects covered. This ensures that the audit review is smooth and there isn’t too much back and forth between the auditor and the auditee.

However, this approach limits the effectiveness of the audit to the approach of the person managing the audit and may leave the organisation vulnerable to risks on the ground which the auditor didnt pickup during fieldwork due to lack of skills.

I think we could look at techniques used to analyse art as another way to train audit staff. Some of the techniques are

Audit IT without IT audit staff

In the early 1990s auditors (internal or external) never really looked inside the IT infrastructure of a company and it was treated like a black box. During an audit transactions were audited as if the IT applications did not exist.
Then came the wave of specialised IT audits who could open the black box and identify numerous new risks associated with the complex workings inside the servers, computers and applications used. The financial/operational auditor could never really understand these risks and full reliance was placed the IT auditor.
However, in this day and age when the business processes are completely embedded into the IT applications, can we still have two specialists auditing within the company? One being the IT auditor who typically has ownership of risks arising from the IT infrastructure (i.e. your networks, applications, operating systems etc.) and the operational auditor who typically looks at risks in the business process and people managing the business process.
I don’t think so, its time we had non-IT auditors get into the IT infrastructure to audit it from a business risk point of view. This will ensure all risks associated with transactions as they weaves in and out of the IT infrastructure is well understood and audited holistically.
One would argue that there are some purely IT risks, where the operational auditor has no skill to audit and I agree there are some areas like that e.g. IT general controls, network security, database security etc. where specialised skills are required. However, in all the other aspects the operational auditors need to get deeper into the IT infrastructure, taking a simple example how do two applications interface and transfer data, can someone change the logic this stage or is the business management aware about points of failure in the interface and do they validate the transactions when a break occurs in the interface.
Further, even in highly technical areas working with operational auditors will help identify areas of high risk from a business perspective and may even identify risks which the IT team was not aware of. For example in one company while looking at the sales process we noticed a sales channel using a technology which the IT Audit team was not aware of being used in the company and in another audit we found out that the business was looking to implement a new software without even involving the IT team.
Also, there is the case of shadow IT, i.e. extensive use to excel and MS Access. However this is now being addressed atleast in financial services.
A business auditor having a basic understanding of IT concepts can help identify risks in the IT infrastructure which the IT may not focus on as those risks are not IT vulnerabilities but weakness in how a business process has been configured to run in the IT environment. This will help prevent risks related to company insiders taking advantage of weaknesses in the IT configuration.
To put it differently, a lot of IT audits right now focus on the external treats of hackers etc. but as its common knowledge companies suffer more because of insiders than outsiders. And increasing the level of involvement operational audits have in IT audits may help reduce that.

Think Business Continuity in a Start-up

Events like 9/11 and tsunami hitting Japan after the Tohoku Earthquake in April 2011 have emphasised the importance of planning for business continuity and each new event has forced companies to think about new aspects when planning for business continuity. For example 9/11 made companies sit up and think about offsite storage of key documents and stopping of manufacturing of specialised chips in Japan after the tsunami made companies relook at their supply chains and critical vendors.

Ensuring that you can run your business and service customers after a business disruption is critical. The business disruptions don’t have to as big as a magnitude 9 earthquake however its impact on the business can be similar, especially in a Start-up enterprise.

In the initial phases when you are developing your product and working with limited customers it is important to ensure you have thought about things that can go wrong and disrupt your business. Examples of these could be:-

– disagreements between co-founders or some co-founders leaving (case of )
– leaving of a critical employee
– unable to hire the right skill sets when it is time to scale up
– crashing of computer/harddisk with key piece of code/website
– unexpected competition from new or established players
– A key vendor backing out

The founders should spend time to review their business practices, infrastructure and business relationships to ensure they are aware of any critical points of failure (which in a start-up maybe all!!!!) and look at possible backup plans they can formulate before hand to ensure they don’t too many crisis to manage. They could even have someone from the outside do a quick review to ensure they are covered all angles.

Back Ground Verification – Important in everyday life also

I along with Bangalore are shocked to follow the recent events involving the rape of a six year old girl in a Bangalore school. Yesterday the Bangalore police arrested a skating instructor on suspicion of being involved and as I read about the arrest (Bangalore school rape case: Skating instructor arrested) and saw the news stories, the panic level started to increase.

Especially, when we realised today that the person who was arrested had taught my daughter to skate a couple of months back! Imagine how close she came to an incident like this!

The articles have talked about how there have been complaints about the person in the past and because of this he was let go from another school. This made me sit up and think, don’t schools do background checks of their employees much like a lot of companies do? (A background verification will confirm a person’s identify, education qualification and past employment history).

Looks like this may not be a common practice outside the Financial services domain where it is regulated by foreign regulators and Indian companies are forced to comply.

I think its time we as parents start to force schools to adopt these practices, as India starts to replicate western culture more and number of instances like these rise. 

From a school’s point of view, having this process makes a lot of sense as the success of a school is based solely on its reputation and once such instance can close you down. I believe ICSE board may consider to do that as per this article – Vibgyor School Rape case; ICSE Board to derecognize the school?. I am sure spending a few thousand rupees per person is better than risking such an incident.

Background verification plays an important role in other areas also, like when you hire someone to work at your house, sending your child to a class etc. And we ensure we do it to an extent in most cases either informally by talking to people we know or a more formal police check.

So if we do it for the help we hire at home should we not ensure that the school does it for the teachers who interact and take care of our child for most of the day?

I am already asking about this at the school my daughter goes to.

Hiring for Internal Audit – Everyday Challenge

I recently read an interesting post by Norman Marks on risk management where he posed a question to a Big 4 consultant and didnt get a answer. The question was about managing risk when hiring someone. You can read the full post here (

This got me thinking about hiring for Internal Audit. Given the importance of the function and the absolute need to have skilled staff, how do audit functions ensure they get the right people.

Having hired for a number of years now in India, I can tell you its a challenge to get right people. One needs to assess if the person understands risk and controls, can the person write up and issue can he/she negotiate the issue with senior management, will the person be a self starter who can really dig into a process to find issues or will he just do the minimum to complete the documentation, is she a quick learner?

So how do you ensure you get the super star auditor every time? Well you rely on the resume, ask questions maybe get a case study completed, check reference. All good practices.

But do we have controls in place to take care of the human factor? Which forces us to make compromises when there are multiple forces pulling the hiring manager. I am sure a lot of you reading this will be thinking that in your company you have the right controls, and it maybe so.

However, that is not the case everywhere. A lot of times junior auditors are hired based on call taken by only one person in the team or a the candidates for the head of audit position is interviewed by peers and CEO for shortlisting.

So do we need more independence in the hiring process and how should it be brought in?

A few options are to either train HR to interview internal auditor on functional aspects so that they question the audit team if a good candidate is not selected or you take outside help.

Do you agree?

Risk Management in a Start-up

So you thought of a great idea and have decided to start a new venture. There are almost a million articles on the internet about how to start up, launch your product, acquire customer, raise money etc. I know, because I have been thinking about doing something on my own for about 6 months or more and have read enough of these articles.

Being an auditor, I was interested to learn about things that can go wrong and found this one articles (5 Common Startup Mistakes That WIll Sink You Later) on mistakes that start-ups make. Except for the last point about building the right processes and controls all other topics are have been covered to death by most other articles that I read.

Ensuring you have the right processes and controls is key and should be tackled as soon as the start-up moves ahead with the idea and starts to invest money into the venture. I know its not something everyone has time to focus on. Especially when, you have to focus on developing the product, building the website, marketing the product, looking for customers and investors, hiring people and million others things that need to be done for your venture to succeed. 

Also, why should you think about boring things like processes and controls? Especially when starting something on your own was about breaking free and not worrying about them in the first case! Well, having controls and good processes are as important as having a good foundation for your house. If the foundation is not right you would have problems in future which will be very expensive to fix or may take the whole house down. 

When I was thinking of writing on this topic I wanted to find out the reasons start-ups fail, but didn’t get too much information about that other than they had something which the market did not want. Exploring this more, in most established companies there are lots of controls around launching new products to ensure the company does not lose money on a new product. If some of the start-ups had similar controls maybe the success rates could have been higher.

Another factor to consider is management of money, not everyone is good at managing it. Well ask Madoff if you don’t believe me.

So as a start-up when you have limited funds, management of money becomes even more important, you may not have funds to hire a CFO (and you don’t need to), but you need to have good processes and controls to know where money is being spent and who can spend the money.
Similarly there are others areas where good processes and controls can help to ensure the foundation for the business is solid are :-

  • There is no revenue leakage i.e. you are making sure all the work/product/services done for the customer is getting converted into rupees or seen as a value add by the customer. This is one of the most important control in even the most mature organisations who struggle to ensure customers are being billed for everything. For a start-up this is even more important as in the initial phases we are struggling for every rupee.
  • Structuring the company, looking at regulatory requirements, taxes etc. For example there is recent news that Flipkart maybe in breach of Rs. 1400 on FEMA (Refer Something like this if upheld can cause real problems when you want to sell your stake or go in for an IPO.
  • Controlling the vendors 
  • Ensuring compliance’s are met on an ongoing basis
  • Controls on information and customer data
  • Working Capital Management
  • etc. etc.

I hope I have been able to give some insight about why it is important to ensure you have the right foundation for your venture by putting in a good structure and control principals as soon as possible. These can then be expanded/evolved as the company grows.

The best option is to think about these and try and implement it yourself. You feel you need help you could work with any number of consulting firms to help you with these if you are well funded and able to spend big dollars or you could with freelance consultants like me to help you navigate these risks.