Internal auditors, compliance specialists and risk managers using ODD and other available tools are in the best position to advise investment managers and deal teams on avoiding a fiasco like FTX …

The FTX failure should not have come as a surprise to any seasoned assurance provider working in the asset management industry. Too often, investment managers and deal teams relying on their own expertise and their own investment due diligence processes are reluctant to involve internal audit, compliance specialists or risk managers as advisors with their views on operational due diligence (ODD), particularly when that view may be contrary, or may paint a less complimentary picture of the investment that could overshadow the potential ROI.

These privately held companies typically operate outside the purview of regulators and the broad market of investors. But there are red flags to watch for in these portfolio investments, such as a security breach that goes unreported and comes out only inadvertently in a casual conversation with portfolio company managers, a report of minor theft, or rumors of inappropriate behavior by portfolio company executives. These events may seem inconsequential, but they are risk indicators of a darker side to the governance, ethics, communication and state of internal and financial controls in these companies that could lead to a major investment loss (see Ontario Teachers' Statement on FTX), significant control deficiencies and reputational damage by attracting the attention of regulators and the ire of clients. Good governance over these companies requires a risk assessment in the deal identification and rationalization process to avoid bias and ‘rolling the dice’ on such investments simply because they are part of a growth venture fund.

Assurance providers like internal audit have the tools and capability to inform and advise investment managers early in the due diligence process. They are objective and can act with speed and agility so as not to delay an investment decision or the investment approval process and can participate in a comprehensive investment review and operational risk assessments of portfolio companies.

COSO’s Internal Control–Integrated Framework provides a comprehensive set of components and principles for quickly evaluating a portfolio company’s Control Environment (governance), Risk Assessment, Control Activities, Information and Communication, and Monitoring Activities. Auditors can use COSO’s components and principles to conduct control environment discussions and interviews with control and risk owners, gather related documents, apply specific procedures and evaluate the results, in order to adequately assess the state of governance, ethics and internal controls and to understand the degree of risk taken on, as a means for further inquiry and recommendations for improvement to portfolio managers.

These portfolio companies are not typically required to undergo controls evaluations (SOX 302/404, NI 52-109, etc.), even though those requirements were legislated for the very reasons that FTX failed. The COSO framework, however, has been broadly adopted for applying control evaluations and is useful in these circumstances.

One of the biggest internal control lessons to learn from investing in and monitoring portfolio investments like FTX is the communication of good-quality information on events, incidents and control failures by portfolio company management to portfolio managers. Sharing this information with their internal experts in technology and information security, internal audit, compliance, risk management and the legal department would improve their monitoring activities.

How Can I Help?

I’ve conducted Portfolio Companies Control Environment audits and evaluated the adequacy of investment and operational due diligence practices as a means to determine the degree of adherence to the COSO principles that uncovered significant control deficiencies.


Peter McConnell
B. Comm., CPA, CIA, CRMA

pmcconnell@cross‑borderconsulting.com
cross‑borderconsulting.com (coming soon)
(780) 340‑7564
LinkedIn

Serving North America, the UK, Ireland and Other EU countries.
