Mastering internal controls is key to startup success

Written By

Stuart Goldberg (Head of Strategic Finance, Mercury)

Hero image of a cog representing the need for internal controls for healthy budgeting and cash management
Copy Link
Share on Twitter
Share on LinkedIn
Share on Facebook
Graphic illustration of lotus flower with different components of Mercury's stack of financial tools | Mercury
Financial workflows, simplified.Learn More
Copy Link
Share on Twitter
Share on LinkedIn
Share on Facebook

For startups, proper financial management is essential for survival and growth. One element that often gets overlooked? Internal controls.

As head of strategic finance at Mercury, I've witnessed firsthand the role that internal controls play in a startup's trajectory. While product development and customer acquisition are often top of mind for founders, ignoring financial operations and governance can hinder the long-term success of your business.

Here are some tangible strategies to integrate internal controls into your startup, and how Mercury can help automate these processes.

What are internal controls?

Internal controls are the policies and procedures implemented within an organization to protect a company’s financial and accounting data. Internal controls are the organization’s own set of checks and balances to prevent fraud, errors, and misuse of funds while promoting operational efficiency and regulatory compliance.


Types of Internal Controls

  • Internal controls are typically broken down into three types—detective, preventive, and corrective—depending on when they're used.

  • Detective controls are monitoring activities that identify problems as they arise. This could involve processes comparing transaction data to account summaries or scheduled audits and physical inspections.

  • Preventive controls are proactive measures designed to stop issues before they occur. Examples include spending approval workflows and background checks during the hiring process, along with technological solutions that ensure only authorized individuals can access company systems.

  • Corrective controls are actions taken to restore compliance after the fact. This includes mechanisms like reporting hotlines for escalating identified issues and discipline procedures for policy violations.

Companies should employ all three of these measures, though I recommend tailoring the usage of each of them to their unique risk exposure.

Why internal controls matter

Internal controls aim to minimize the risk of harmful events, allowing you to focus on what’s most important — growing your company.

For startups, internal controls that enforce proper spending are essential for maximizing your runway. Inaccuracies in financial reporting, whether accidental or intentional, can destroy your credibility with investors, customers, and partners. Accounting controls ensure your books are audit-ready at all times.

While no founder likes to think about fraud, the reality is that startups can be targets. In a recent survey by Alloy of 450+ financial services companies, 25% of respondents lost over $1M from fraud in the last 12 months. While these companies have a unique risk of fraud given their roles in the banking & payments ecosystem, even non-financial services companies have material fraud risks. Vectors of fraud can include vendors, customers, and bad actors entirely outside of the day to day purview of their business. Weak or nonexistent oversight leaves your hard-earned capital unnecessarily exposed to both internal and external threats.

As your startup scales, so does the complexity of your financial operations. Proper internal controls allow you to maintain order amidst increasing complications, preventing chaos as you expand.

Whether you're raising your next round, getting acquired, or taking the company public, investors and regulators may scrutinize your internal controls and financial governance. Gaps or deficiencies send up red flags that can jeopardize funding and decrease your company’s credibility. It is also crucial that you set up proper controls if you want to sell your product to large enterprises; their compliance teams, as they seek to protect their own company, will often vet the management of your company!

The cost of neglecting internal controls

Every startup founder understands the importance of fiscal responsibility in theory. But when you're operating in hustle mode, spinning up formal internal controls can feel like a costly distraction from product development, sales, and other growth priorities.

I get it – implementing and enforcing internal processes requires time, effort, and investment. But avoiding internal controls comes with risk and the potential for big consequences.

Without budgetary oversight, cash burn can balloon out of control from overspending. When there's a lack of clarity around spending and financial data, it breeds a culture of mistrust between founders and employees. A misaligned team is a fractured team.

Comprehensive IT controls, such as firewalls, intrusion detection systems, and regular security audits, identify vulnerabilities and prevent unauthorized access, protecting systems from takeovers and ransomware. Safeguarding customer data is equally crucial; data encryption, secure storage, and regular backups prevent leaks that could damage reputations and cause financial losses.

Establishing strong internal controls early on is not just about ensuring current security – down the line, weak internal controls may bottleneck initiatives like commercial sales, global expansion, mergers and acquisitions, and taking the company public. You'll be forced to hit the brakes and spend precious time remediating. Proactively investing in internal controls not only mitigates current risks but also smooths the path for future growth and opportunities.

Tailoring internal controls to your growth stage

While the size or stage of a startup might impact the controls that need to be in place, it’s important to acknowledge the specific processes required as your startup matures through various stages of growth.

Smaller startups might have simple control systems due to fewer transactions, fewer employees, and less complexity. When a startup is in its earliest stages, the focus is often primarily on the spending side of the financial statements—typically on product development, marketing, or other operational costs. At this stage, internal controls tend to focus on expense approvals, vendor diligence, AP processes, and ensuring funds are being used appropriately.

As a startup grows and generates more revenue, however, the need for more sophisticated internal controls becomes evident. Startups need to manage both income and expenses, increasing the complexity of financial management and the potential for errors or fraud. This drives the need for stronger internal controls that cover the greater risks and a bigger management layer being built to run the company.

As the company acquires more customers, they also inherit the responsibility of protecting customer data, adding another layer to their internal control system. While the company scales and more management layers are introduced, the founding team will find themselves with less time to review expenses or invoices in detail, underlining the importance of having strong, automated internal controls in place.

As startups grow and become more successful, they face increased scrutiny from various stakeholders. Investors, auditors, and regulatory bodies will expect robust financial management and governance, including solid internal controls across the org, from accounting to IT to HR. They will also expect that companies have operated with these controls in place for a period of time and have built a culture of compliance around them. If a company has grown internationally, it must navigate and comply with unique sets of regulations across different regions.

Therefore, startups should aim to put the right tools, systems, and processes in place early on rather than waiting as they grow. Doing so will help instill a culture of sound financial management and control, preparing the company for future growth and scrutiny. This approach can make the company's financials more resilient, ultimately contributing to its long-term success.

Building your internal control framework

For internal controls to be effective, they need to be designed and implemented with care. Here are a few best practices:

Conduct a comprehensive risk assessment

Before designing any internal controls, you need to understand where your specific vulnerabilities lie. Assess and identify potential risks or areas of concern within your organization. This could involve financial risks, operational risks, or risks related to fraud. Also think about what the company will look like if (when!) you hit your goals in the next 12-24 months; what will be your risks at that point? Will you be adding new geographies, materially growing your tech infrastructure, scaling your customer base, etc? If so, you should start planning now for how you will support that larger risk footprint.

Document policies and communicate

Policies and procedures should be clearly communicated to all employees in a dedicated manual or internal wiki, including all preventive and detective control activities and protocols. But documentation alone isn't enough — you should evangelize these policies through thorough training and continuous communication. And you, as a leader at the company, need to practice what you preach and be a role model for effective compliance.

Adopt the right financial automation tools

Technology can play a significant role in implementing effective internal controls. For instance, vendor management automation can streamline processes, reducing the chance of human error. At Mercury, we offer a feature in which the company avoids sending payments to fraudulent vendors – it requires legitimate vendors to be added to an approved list before payments can be made, adding an extra layer of security.

Improve constantly

Internal controls should be dynamic and evolve with changes in the business environment and company size. The executive team and the board should also review internal controls regularly to ensure they are still effective and relevant. This includes testing controls for any loopholes that might lead to financial misstatement.

Foster a culture of integrity

Ultimately, the effectiveness of internal controls depends on the company's culture. Encouraging a culture of financial integrity and accountability can go a long way in ensuring the effectiveness of internal controls, especially as the company matures. This starts at the top and flows through to the finance and accounting teams that are ultimately responsible for financial oversight.

How Mercury can help

Of course, implementing internal controls is easier said than done – particularly for companies just starting out. That's where Mercury comes in – we offer a suite of tools for streamlining and automating your core internal control activities. Through accounting and accounts payable automations built right into your bank account

Mercury is a fintech company, not an FDIC-insured bank. Banking services provided by Choice Financial Group and Evolve Bank & Trust ®️; Members FDIC. Deposit insurance covers the failure of an insured bank.
1, you can speed up month-end close and enhance financial precision. This includes:

Automated approval flows

Budgetary overruns are a common pitfall for many startups. With our multi-layered approval flows, you gain control over your expenses, providing an added layer of security that could save your startup from unnecessary expenditures and potential financial pitfalls. You can even approve bills effortlessly right inside Slack or Mercury’s mobile app.

Accounting automations

Mercury's accounting automations speed up month-end close by syncing all your bills, cards, and bank transactions from your Mercury account. Using your real-time financial data, categorize your bills and expenses within Mercury and sync to QuickBooks, NetSuite, or Xero, helping maintain accuracy and transparency in your financial data. Create custom rules to map merchants to your GL codes and apply them automatically — saving your employees the effort and potential for error. With up-to-date and accurate reports, confidently present your financial reports to investors, stakeholders, and regulatory bodies.

Bill management

As soon as a bill arrives in your bill inbox, its details will automatically populate – allowing you to easily cross-check info and eliminate manual errors. Mercury then automatically detects duplicate bills, giving you an extra set of eyes and preventing you from overpaying. By paying bills more accurately with software built into your bank account, your hard-earned money flows where it's supposed to.


At Mercury, we know that startups must adopt sound financial discipline and accountability to position themselves for long-term, sustainable success.

That’s why we’re always innovating our product with an eye toward enhancing financial oversight and governance.

The startups that prioritize internal controls and leverage the right technology to facilitate them will be the ones that avoid financial pitfalls – and reach their full potential.

Notes
Written by

Stuart Goldberg is the Head of Strategic Finance at Mercury. Previously, he worked in Strategic Finance at Block and at SoFi, helping those companies navigate their scaling journeys, including cross border M&A activities, public offerings, and bank charter applications.

Share
Copy Link
Share on Twitter
Share on LinkedIn
Share on Facebook