Practical Implementation of the Non-Abundant Approach
Replacing traditional oversight with precise risk understanding empowers startups to innovate freely without control redundancy.
Introduction
Traditional internal control frameworks are often implemented as if resources are abundant.
COSO 2013 and similar frameworks were designed for broad applicability. In practice, however, they are often translated into layers of approval, restricted access, formal review, and documentation. This approach may work for mature organizations with stable processes, large teams, and visible agency problems. It does not always work for startups.
Startups operate in a different environment. They have limited resources, incomplete processes, changing products, and high information velocity. In this environment, excessive oversight can create a new control problem. It can slow decisions, fragment information, and prevent employees from seeing the operational context needed to identify risk.
This creates a practical question. Could excessive administrative oversight introduce more issues than it intends to solve? To answer this, we need to reconsider the assumptions behind internal controls.
If those assumptions deserve reconsideration, materiality is the right place to begin. Startups do not operate in the same decision environment as mature companies, so the logic of control scoping should not be assumed to transfer automatically.
Materiality
Investors in startups frequently place more weight on nonfinancial indicators such as market reach, product development milestones, user engagement, retention, developer activity, protocol usage, and other signals of future scale. Financial results may matter, but they may not yet explain the company’s valuation or capital allocation story. Traditional financial reporting practices, therefore, risk misleading rather than guiding the public.
McKinsey’s “Valuation Guide” makes a similar point. For internet companies in the late 1990s, investors relied heavily on nonfinancial metrics because early financial results were not yet connected to long-term value creation. As those companies matured, financial metrics became more predictive, while nonfinancial metrics lost explanatory power.
Nonfinancial metrics are useful only when they explain economic value better than financial metrics alone. If a company cannot translate users, page views, subscribers, protocol activity, or product milestones into profits and cash flows, the nonfinancial metric becomes less useful. It may describe activity, but it does not necessarily support valuation.
For startups, this distinction has direct implications for internal controls.
If users of the company’s information are unlikely to change their capital allocation decisions based on financial metrics alone, then a traditional financial materiality threshold may not capture the real decision-useful risk. For many startups, the more significant issue is whether the company can sustain growth, validate its product, retain customers, meet technical milestones, and maintain the integrity of the operating data used to support those claims.
This does not mean financial reporting is irrelevant. Rather, it means that the control framework must reflect the actual decision environment. For startups, materiality should not be limited to financial metrics. It should be a dynamic measure that considers both financial and nonfinancial indicators that could reasonably influence users of the company’s information.
This leads to a reasonable question. Should traditional oversight models also be reconsidered? If the startup decision environment differs, the design logic of internal controls may also need to change.
Segregation of Duties
One of the clearest examples of inherited control logic is segregation of duties. We have traditionally been taught that segregation of duties is essential for avoiding fraud and errors. But is it always necessary?
Segregation of duties can be highly effective when it separates incompatible responsibilities that create a direct risk of misappropriation, unauthorized postings, or self-review. But it can also cause context loss, information bottlenecks, and additional failure points in the process.
This is the central problem. A control that looks strong in form may become weak in substance if it deprives the control owner of the information needed to understand the transaction.
In practice, startups and small businesses can often sustain a relatively strong control environment through close collaboration and direct accountability, even where formal segregation of duties is limited.
We learned that where people have a sense of belonging to a team and feel responsible for the effective use of the company’s (limited) resources, teams are likely to operate at their best even without proper segregation of duties. In other words, teams in resource-constrained environments often perform optimally through direct, shared accountability rather than rigid administrative separation.
That does not mean startups are immune from fraud or error. It means only that segregation of duties should be evaluated as a targeted response to a specific risk, not as a universal design requirement.
We also learned that segregation of duties cannot compensate for a control environment that rewards the wrong behavior. Wells Fargo [1] is the clearest example. The bank had extensive control structures, yet distorted incentives and weak upward escalation allowed misconduct to persist. The lesson is straightforward: structural separation becomes worthless once the organization rewards conduct that defeats the purpose of the controls.
Three practical failures of the broad adoption of practices relying on segregation of duties are especially important:
Context loss.
When impairment testing is treated as confidential information, executives may share only a screenshot or a summary with accounting personnel and ask them to record the entry. The accounting team may complete the task, but it cannot evaluate the assumptions, challenge the completeness of the analysis, or assess the reporting consequences. In that case, segregation of duties becomes the source of context loss.
Restricted information flow.
When read-level access is limited to the minimum information needed to perform a narrow task, employees lose the ability to see the transaction in its broader operational setting. The company may think it has improved control. In reality, it may have weakened collaboration and reduced the likelihood that someone would identify an inconsistency before it becomes a problem.
Additional process failure points.
Segregation can also add failure points to the control process itself. Consider separating journal entry preparation and review. That design works only if the company has a reliable mechanism that prevents the close until all required reviews have actually occurred. If no such mechanism exists, the review layer can become false comfort. In some cases, a stronger control is a structured preparer checklist that requires support for account selection, amount, cutoff, classification, and policy conclusion before the entry is posted.
The issue is whether traditional control design can misfire when applied in organizations that lack abundant administrative capacity, depend on fast information flow, and cannot afford context fragmentation.
Segregation of duties remains critical in environments involving the custody of third-party funds (fiat or crypto) and transactions that require significant judgment. That is especially true for banks, neobanks, custodians, and other financial institutions. In routine processes such as simple account reconciliations, the case for formal separation is often weaker.
Why Traditional Frameworks Break in Startups
Traditional frameworks are conceived from the perspective of a steady-growth organization with abundant resources and a known agency problem (namely, that management might not be incentivized to act in ways that create the most value for shareholders). Startups often have neither. As a result, the control form can overtake the control substance.
Based on our experience, the risk of material misstatements is higher in companies that are either (a) declining or slowing down, or (b) under significant pressure to grow. Both are features of an environment in which the inability to admit the issue lays the foundation for, and becomes the root cause of, subsequent misstatements and fraud in these organizations. This is why we highlight the importance of transparency and open access to context.
Finally, we want to highlight that the solution we propose below requires the organization to implement radical transparency protocols that will, naturally, reduce its ability to exercise its right to privacy. However, we believe our approach will benefit the public in general and businesses that adopt it.
This is why startups need a control framework built without
Startups need a control approach that does not rely on assumptions of redundancy, surplus personnel, or resource abundance. That is the purpose of the non-abundant approach.
Non-Abundant Approach
The non-abundant approach is built for startups that lack the administrative resources assumed by traditional control frameworks. It focuses on the conditions under which internal controls remain effective when resources are scarce.
In practice, the approach depends on six considerations:
1. Materiality & Priorities
Control design should begin by defining what information actually matters to users of internal and external reporting. For startups, that often includes annual recurring revenue, customer churn and retention, runway, developer activity metrics, product milestones, and other operating indicators that shape investment and management decisions.
Management should determine which financial and nonfinancial metrics are decision-relevant, why they matter, which processes affect them, and what kinds of failures could change a user’s judgment.
2. Context Access
Restricted contextual access weakens the control owner’s ability to assess risk reliably. A non-abundant approach depends on informed judgment. People responsible for executing controls need sufficient context to understand the transaction, the surrounding facts, and the reporting consequences.
The company should adopt radical transparency as a default operating principle. This allows broad access to supporting information for accounting, finance, legal, operations, and management personnel involved in executing controls. Contracts, technical accounting analyses, board materials, valuation reports, DCF models, and projections should remain available to the people responsible for evaluating reporting risk.
3. Controls
Once materiality and context are in place, the company should prioritize preventive controls at the point of potential failure. Process-level controls are stronger than broad management reviews that rely on generic control objectives.
For software capitalization, for example, developers’ work should be approved for payment only after the project phase has been assessed and documented, together with technical feasibility and the types of costs eligible for capitalization under US GAAP. The control's effectiveness derives from intervening before the risk can be inadvertently realized.
4. Escalation Protocols
A non-abundant approach relies on targeted escalation rather than long chains of formal review. Initial responsibility for escalation should rest with the person who first identifies the issue.
Escalation should be triggered by the likelihood and magnitude of material misstatement or significant waste. That allows the response to remain proportionate to the risk.
5. Transparency
This principle addresses one of the primary roots of material misstatement: the organization’s inability to admit what is happening once facts begin to contradict the preferred narrative. A sound control environment permits those facts to be reported, evaluated, and acted upon. The management team should have an established routine for identifying contradictory facts and addressing them during monthly close, business performance reviews, or other similar activities.
6. Monitoring
Management should establish regular review routines that combine issue identification, response design, and follow-up. A non-abundant approach depends on management’s ability to quickly identify emerging problems, assign responsibility, evaluate the response, and monitor whether the response resolved the issue.
Practical Implementation of the Non-Abundant Approach
Assume a SaaS startup has limited finance headcount and no formal segregation of duties between payment processing, journal entry preparation, and bank reconciliation.
A traditional design may require separate individuals to process invoices, authorize payments, disburse funds, post journal entries, review entries, prepare reconciliations, and approve reconciliations. In particular, each of the following activities might need to be performed by a separate individual under traditional views:
Processing incoming invoices by verifying the validity of the claim against actual service usage or other existing contractual obligations, confirming vendor payment details, recording the invoice in the ERP system, and initiating the payment authorization request.
Authorizing, denying, or escalating payment authorization requests upon review of requests received against authorization limits, internal policies, contracts, proof of delivery, and other support documentation received.
Disbursing funds to make a payment on all approved payment requests.
Posting a journal entry for payment (or a clearing journal entry for automated bank postings).
Approving a journal entry submitted by a preparer.
Preparing the bank account reconciliation that includes the payment transaction.
Reviewing and approving the bank account reconciliation.
As you can see, it takes 7 accountants to make a single vendor payment. For an early-stage company, that structure may be impossible to sustain.
A non-abundant approach begins with the actual risk. The most important question is whether one person can process a significant disbursement from start to finish without visibility, escalation, or meaningful review by management.
That risk can often be addressed more precisely. The company may require separate authorization for significant payments, maintain transparent access to disbursement activity, use standardized process documentation, apply clear authorization thresholds, and require escalation when payments exceed policy limits or involve unusual facts.
Under those conditions, a single accounting employee may be able to perform multiple routine steps in the process without undermining the control environment. Resources are then concentrated where judgment, concealment risk, or payment significance make a stronger structural separation necessary.
This approach preserves control substance without requiring an administrative structure that the business cannot sustain.
Note. If you want to learn about specific types of risks that often are left unaddressed by startups in the web3 space, refer to our audit readiness checklist.
Conclusion
Traditional oversight assumes that organizations have administrative resources and capacity that many startups lack. The non-abundant approach addresses this issue by organizing internal control around materiality and risk considerations. The purpose is to ensure that every control addresses only identified risks that are relevant and material, whether in quantitative or qualitative terms, alone or when aggregated with other risks. This approach creates space for innovation and growth for companies with limited resources and may become a genuine competitive advantage for companies that adopt it.
[1] See the SEC order here: https://www.sec.gov/files/litigation/admin/2020/34-88257.pdf
