The First Foundation of Finance Is...

The First Foundation of Finance Is...
Secret CFO
February 3, 2024
In this article:
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
See Ledge in action

You wouldn't leave the house without brushing your teeth, would you? Nor should you run a business without appropriate financial controls. And behind every strong control environment, is a system that makes it tick. With that, a word from this season's sponsor:

Worried that your balance sheet might not stand up to audit scrutiny?

Meet Ledge, a finance operations platform that automates transaction reconciliation, double-entry ledgering, and provides real-time cash flow visibility and reporting.

Ledge automates workflows across your ERP, banks, payment processors, and other sources – no R&D or IT required – and makes sure you can properly account for cash movements even with a high volume of transactions and complex flows.

Get ‍real-time visibility, control & accuracy over your cash movements. Check out Ledge.

Out of Control

“Hey I need your help. It’s serious.”

It was the first time I’d heard this from the CFO. He was a big round aging dude. We’ll call him Sam.

I was Corporate VP of Finance. I hadn’t been there long and was still learning the business.

“There is a big problem in one of our divisions. There’s a hole in the balance sheet. I think it’s big. At least $10m. I need you to help me work out what happened.”

I could tell Sam was panicking.

When I arrived, the Divisional CEO and CFO (whose neck was on the block) greeted me. We’ll call them Ollie and Adam. It was clear, they were panicking too.

This was going to be interesting.

Ollie and Adam had a presentation ready for me. I thanked them but said I’d rather just sit with the controller for the location where the issue had arisen. The issue was at one particular operating location that had rolled out a new ERP system (4 or 6 months before).

No time for the face-saving bull sh*t, I needed to know what had happened before I heard their spin.

It wasn’t long before I discovered a prepaid expenses account on the balance sheet with over $15m on it. All unsupported. Essentially P&L losses that the controller had believed couldn’t be true.

The new system meant he couldn’t understand them properly, he’d hoped they’d reverse next month. Tomorrow never came.

Ollie and Adam were none the wiser. I’d found in an hour, what they’d failed to find in six months.

In fact … they hadn’t even looked. They’d just assumed it was ok.

The CIO had pushed a system implementation on them that they were not ready for. And they’d neglected their duties to put any controls around the change program.

But it was Adam’s attitude that shocked me most of all.

He was adamant this wasn’t his fault, despite being the CFO responsible for the balance sheet. I promised myself when I became a CFO, I wouldn’t be like Adam.

Both Ollie and Adam were fired. And Sam had to issue a restatement of the last set of accounts.

What a f*cking mess.

Finance’s First Foundation

Imagine presenting a bunch of insights in a board meeting, only to find out later the data was wrong. Horror show.

Those pretty charts on labor productivity might look great. But what if you don’t have the right controls to properly capture labor costs to begin with? Meaningless.

Nothing in finance works without controls.

It’s like building a house without a roof.

It doesn’t matter how nice your new kitchen is or how big the 4K TV is. With no roof on your house, it’s all going to get wrecked.

Building a finance function that delivers insights and creates value is a good goal for most CFOs. But you can’t run before you can walk.

No CEO worth their salt wants to hear ‘insights’ from a finance team that takes four weeks to close the books. Or can’t invoice its customers. Or is forever restating reporting because costs weren’t properly captured.

My friend, Andrew Lynch, created this pyramid which shows the different building blocks of a finance function.

Source: Andrew Lynch on Twitter

Everyone wants to be operating at the top of the pyramid. But you have to earn your way up there. It starts at the bottom.

Specifically, it starts with transaction processing. Basic bookkeeping.

Good bookkeeping is surprisingly uncommon.

One of my favorite quotes is by Brent Beshore: “All businesses are loosely functioning disasters.”

Things in business don’t work by themselves.

Your business will fail to invoice customers on time. Inventory will go missing. Suppliers won’t get paid. The employee who left 4 months ago is still getting their salary.

Financial controls exist to stop these things from happening.

What is a financial control?

Without guardrails, you are relying on chance and goodwill. Chance and goodwill are a terrible way to run a business.

Financial controls are the processes and tools businesses use to effectively allocate financial resources. And, more importantly, monitor that the business is using them as intended.

Why is financial control important?

Without financial controls, you will lose money you shouldn’t have. And you probably won’t even know you’ve lost it.

That could be through mistakes, lack of attention, theft, fraud, or a whole host of other issues. Financial controls help make sure that expensive accidents don’t happen.

Types of financial controls

There are three types of financial controls:

  • Preventative: stop errors from happening in the first place
  • Detective: find and report errors once they have happened
  • Corrective: find and correct errors once they have happened (and prevent repeat)

Let’s bring that to life.

Let’s say we were designing controls to avoid invalid supplier payments:

  • Preventative Control = Segregation of duties (i.e. the person who makes payments, cannot also set up new suppliers. And vice versa).
  • Detective Control = Bank reconciliations ensures finance can account for all payments made.
  • Corrective Control = Bank automatically flags payments to new suppliers for review by the CFO.

Prevention is better than cure, but preventative controls come at a cost. Lock everything down too far and you will grind business to a halt.

There is a cost to implementing financial controls. Especially preventative. Not just the physical cost of running the controls themselves.

But the cost of slower execution. Most businesses underestimate the cost of slower execution. It’s intangible, but it’s very real.

I recently dealt with a business whose new supplier setup process took between 4 & 6 months on average. That is no way to conduct business.

Controls can be an accelerant to growth, or they can be a killer to growth. The devil is in the detail.

There is a sweet spot to find in your business. A balance.

Risk vs. Control

And how do you find that balance? Risk.

The more severe the risk, the more control you need.

Some of that risk is acceptable. It is a function of accessing higher return opportunities.

Financial control deals with the components of risk that are avoidable. Specifically, controls focus on reducing the risk of fraud and error.

Quantifying Risk

You can categorize each risk by its likelihood (scored 1-5) and impact (scored 1-5). Multiplying the scores together places the risk on a heat map:

Source: Tech Target

The closer to the top right, the more severe the risk.

But a better way to think about risk scores is in terms of ‘gross risk’ and ‘net risk’.

Gross risk score is the severity of the risk before accounting for the benefit of mitigation through controls (i.e. how bad is the risk if no controls exist).

Net risk score accounts for the mitigation through controls (i.e. how bad is the risk, given the controls that currently exist).

Good controls will reduce both the severity of the risk and the likelihood.

It’s important to look at your business through the lens of net risk. This represents the residual possibility of losing money (after controls)

Once you can quantify a net risk, you can do 3 things with it:

  1. Mitigate the risk (through further controls - remembering there is a trade-off with cost)
  2. Transfer the risk to someone else (through insurance)
  3. Accept the risk (the risk is sufficiently small, and the organization can accept it as a cost of doing business)

The choice will come down to the nature of the risk itself and the company's appetite, its stage of maturity, and its ownership structure.

An early-stage start-up will be prepared to accept a lot of risk vs. a F500.

You can also use a net risk score to determine your overall approach to that risk.

Source: E-Spin

Control failings

There is nothing wrong with accepting risk (and choosing not to control or insure), as long as it is a conscious choice.

Most major control failings occur when a business accepts risk by default i.e. without realizing it. Unintentional risk.

There are two reasons a control could fail:

  1. Design. The design of the control has flaws.
  2. Implementation. The design of the control is fine, but it isn’t working as intended.

Let’s say that there was an error in the balance sheet because no one was reviewing the reconciliations prepared by a junior accountant. That could be because:

  1. There is no company procedure which requires a ‘four eyes’ review
  2. There is a procedure, but the reviewer didn’t do their job

Whilst the result is the same, the correction and culpability could be very different.

So, properly diagnosing the cause of a control failure is critical to ensuring you or the team can correct it properly.

Control design issues tend to signal a lack of intention, or thoughtfulness in controls. Probably a lack of capability in management.

Control implementation issues usually occur in cultures and environments where compliance is poor. That’s more an underlying cultural issue.

There are lots of ways to get fired as CFO, but failing to address risk with controls is one of the most prolific.

If you deliver poor insights to the board you will probably get fired… eventually.

But if you end up with a hole in your balance sheet or a restatement, you will get fired tomorrow.

Just as Adam did in the earlier anecdote. He’d been highly thought of in the business until the issue. Some even said at the time he could be the future Group CFO.

I looked him up when writing this piece. His career never recovered.

The Role of Audit

External auditors will report on any control failures they find.

But, from my experience, external auditors are not good at this. Particularly on issues of control design.

They don’t understand your business well. Nor do they really understand how a business works - most auditors have never worked the ‘other side of the desk.’

Their diagnosis of your control issues will lack precision and nuance.

So if you find your business relying on your auditors to identify control problems, and taking their recommendations at face value... you are probably managing risk and control badly.

Financial control is your job as CFO, not that of your auditors.

Internal audit has a huge role here. We’ll talk about it next week.

Getting Buy In

Financial controls do not exist on an island. They need to integrate into the broader operation of a business.

You can have great control of a new supplier setup. But they will fail if your head of procurement circumvents them. Inventory controls are of no use unless the warehouse team is deploying them.

You need buy-in from the business to make a success of financial control.

And this isn’t easy. Let’s face it. Control is not the most exciting topic.

Control is not opposed to growth. But there are enough people who see it that way.

It starts at the top. You need C Suite buy-in.

And that can be hard. “Don’t you trust me?”

You need to win hearts and minds. To do this, you can use the ‘carrot and stick’ approach.

The carrot: sell the benefits of the control. How can it help them improve their KPIs. Not your KPIs, their KPIs. Show them how it makes their life easier.

The stick: explain what happens if the risk materializes. Specifically how it would be bad for them.

Hopefully, their desire to do the right thing for the company will help them do the right thing. And if not, appealing to the human instincts of greed and fear should help.

Here’s an example:

Let’s say you have decided the business needs to improve inventory controls.

You tell the head of operations you need to move from monthly inventory counts to a perpetual counting system.

“Our current methods work fine. Don’t you trust us?”

Here’s how you could respond:

“It’s not a question of trust. The complexity of our inventory is growing, and our business is growing fast. The risk of errors in our inventory management is growing. We will help you put new perpetual inventory controls in place. This will help you improve your pick accuracy, service delivery times, and improve inventory turnover. Inventory write-offs have been growing, and if we can’t isolate the errors, that is going to lead to some uncomfortable questions for you and the team. This approach helps us get in front of that.”

Response to a ‘control reluctant’ Head of Operations

This shows how you’d address it if you have one sticky individual.

But often reluctance to embrace controls can be more widespread.

That’s culture.

And evolving culture to the right control environment is one of the most difficult tasks of the CFO.

More to come on that …

Next week we will dive into how controls should evolve as businesses grow.

And in the third and final week, we will go deep on what to do when controls fail.

The Bottom Line

  1. Financial Control is the CFO’s first foundation. Focus on nothing else until they are at least adequate.
  2. Too much control is no good, either. Businesses need oxygen to grow.
  3. What is adequate today, may not be tomorrow. The more decision-making becomes distributed into the business, the more formality you need in financial controls.

This post originally appeared on


We're on a mission to automate and simplify finance operations for teams working at scale.

New York

325 Hudson St, 4th Floor, New York, United States 10013

Tel Aviv

8 Shaul HaMelech St. Tel Aviv, Israel 6416202