Corporate governance and compliance in startups.
A set of recommendations & guidelines

The recent press reports of increased misstatements, frauds and compliance / audit issues in startups have brought into sharp focus the need for a set of guidelines and standard operating processes. For some of us who have been in the industry, these seem to be the same issues that led to the creation of SOX (Sarbanes-Oxley) templates after the Enron debacle over 2 decades ago.
History certainly repeats itself.

Remember that no set of processes can eliminate the risk of corporate misstatements and fraud, but by implementing these guidelines, startups can significantly reduce the likelihood of such occurrences and foster a culture of integrity and compliance within the organization.

In fact, as we started this discussion internally between the partners of July, the one word that kept coming up was SOX (Sarbanes-Oxley). This is the compliance and reporting regime for corporates. You will find references to this “relic” at the bottom of this post.
While misstated revenue, allegations of diversion of funds and abuse of related-party transaction processes have been ongoing issues across the industry, there seems to be a “witch-hunt” of startup founders. Another punching bag is the VCs. Public reports almost seem to allude that the VCs funding these startups have a systematic problem of aggressive push. Be that as it may, I am sure no VC wants their investment to be devalued and, in this market, that is a real risk. Please note that most of them have anti-dilution clauses, and the brunt of any devaluation is eventually borne by the founders.
I am not sure if there is any empirical data to demonstrate that these issues are either more frequent in or endemic to startups. My own suspicion is that there is a bit of “sadism” or “jealousy” involved on the part of some commentators, given that the individuals / organizations involved are high-profile. Not for a moment am I saying that these should not be investigated, laws enforced, and appropriate actions taken, but there should be restraint in presenting the case with the bias of “presumed guilty”.
Painting the whole industry with “tar” in a broad-brushed manner is only going to discourage a still fledgling ecosystem. Already many experienced and well-reputed folks are wary of becoming directors on the boards of startups.

Instead of blaming the individuals (founders / investors), post-fact, there needs to be a framework that will act like an early warning system and flag appropriate risks.
Here is a set of guidelines that I would recommend for adoption.
Implement an internal code of conduct charter: Develop and enforce a comprehensive code of conduct that outlines ethical standards, expected behavior, and responsibilities for all employees, including the founders.

This would need to span functions: HR, Finance, Sales & Marketing etc. While it may not be necessary to produce the equivalent of a “handbook” for each function, the code of conduct should identify the areas that are classified as “zero-tolerance”, the equivalent of a LAKSHMAN REKHA in the corporate world.

Ensure that the code is communicated, understood, and signed by every employee, including top management.
Clear Internal Controls: Establish robust internal controls, including checks and balances, segregation of duties, and proper authorization procedures. Implement systems and processes that promote transparency, accountability, and accurate financial reporting.

The current digitization of systems, e.g. GST reconciliation, AI / ML-led behavioral assessments etc., also allows these controls to be reviewed automatically and at scale.
Whistleblower Policy: Create a clear and confidential mechanism for employees to report suspected fraud, misconduct, or unethical behavior. Protect whistleblowers from retaliation and ensure that appropriate action is taken on reported incidents. Also, establish a LAKSHMAN REKHA that any profiling (intentional) and coercion (akin to soft blackmail) is an absolute NO and will be dealt with immediately and decisively.

Regular Training and Education: Provide regular training sessions to employees on ethical practices, fraud prevention, and reporting procedures. Raise awareness about the potential consequences of fraudulent activities and the importance of maintaining integrity in the organization.
This should be conducted for the non-line teams that include finance, compliance etc. A good idea would be to include partners and service providers.
As it may not be practical for each company (especially a startup) to conduct these individually, there is merit in having industry / ecosystem players like TiE provide them as shared sessions.

Independent Audits: Conduct regular internal and external audits to assess the effectiveness of internal controls, financial systems, and compliance with regulations. Independent audits provide an unbiased evaluation of the company’s financial statements and help identify potential areas of risk or fraud.

Transparent Financial Reporting: Emphasize accurate and transparent financial reporting. Disclose all relevant financial information, transactions, and risks to stakeholders, investors, and regulatory bodies in a timely manner.
As a lot of these services are provided by external agencies / partners, it will be good to ensure there is a template for reporting EXCEPTIONS. In a lot of instances, the founders would have neither the time nor the ability to go through reams of data / reports and identify actionable points.

Segregation of Duties: Clearly define roles and responsibilities within the organization, ensuring that no single individual has complete control over any critical process. Separate duties such as authorization, recording, and custody of assets to minimize the risk of fraudulent activities.
All companies (including startups) seem to have this established only for processes like bank operations / payment authorization etc. There is a need to extend this across support functions like HR and Finance.

Background Checks and Vetting: Conduct thorough background checks on employees, especially those in positions of trust and responsibility. Verify educational qualifications, past employment history, and references to ensure the integrity and competence of the individuals being hired. Maybe even have some of these individuals take the courses recommended for other functions; e.g., independent directors need to take certain courses / learning credits.

Independent Board Oversight: Establish an independent and competent board of directors with diverse expertise. The board should actively monitor and oversee the organization’s activities, including financial reporting, risk management, and compliance.

Strong Ethical Tone from Leadership: Leadership should set a strong ethical tone from the top down. Encourage a culture of integrity, transparency, and accountability throughout the organization. Leaders should lead by example and adhere to the highest ethical standards.

Regular Risk Assessments: Conduct periodic risk assessments to identify potential vulnerabilities and fraud risks within the organization. Implement appropriate controls and mitigation strategies to address identified risks effectively.

Encourage Reporting and Investigations: Encourage employees to report suspicious activities or concerns and ensure that appropriate investigations are conducted promptly and thoroughly. Establish a clear process for reporting and resolving allegations of fraud or misconduct.
Disclosure: When in doubt, Disclose!
There seems to be a deep-rooted wariness to convey any news that has a high-risk profile. In a lot of these instances, the cover-up seems to stem from the fact that either the board, or the investors and the other stakeholders, were caught by surprise. There should be a structure to DISCLOSE as soon as the matter is known internally. The tendency to “manage” news needs to be dealt with firmly.
As noted at the outset, for some of us who have been in the industry these seem to be the same issues that led to the creation of SOX (Sarbanes-Oxley) templates after the Enron debacle over 2 decades ago. History certainly repeats itself. I would recommend that readers of this post read the article on Enterprise Risk Management. Rick Navarre, the person credited with the precursor notes on SOX, was certainly prescient in his thoughts (link below).

https://www.cfo.com/risk-compliance/2003/06/fear-factor-3602/