The Importance of Internal Controls & Risk Management for Cannabis Companies

The importance and relevance of internal controls and the need for risk management solutions continue to be a priority for privately and publicly traded cannabis companies, as the industry faces increased regulatory and financial reporting requirements with limited resources. This can feel overwhelming, and a challenge made even more difficult by the increased complexity of financial reporting and the highly adaptable, ever-evolving business models.

Consequently, cannabis companies tend to look at internal controls and risk management through a compliance lens, where regulatory compliance drives a “we have to do it” attitude. As a result, companies find themselves being reactive rather than proactive to issues, which leads to lack of management buy-in, poorly designed internal controls, and uncertainty on how to prioritize risks. This is not sustainable and can result in significant and material issues which could impact a company’s ability to raise capital and deter potential investors.

Why Is Risk Management Essential?

Risk management involves understanding company objectives, identifying risks that can impede those objectives, and protecting against them; a system of internal controls is one of the fundamental methods by which risk is managed. Both are essential for all companies, regardless of size, to proactively help identify and manage threats and vulnerabilities, and reduce the likelihood that company objectives will be jeopardized by unforeseen events.

Risks can affect many areas of a company, such as strategy, operations, finance, technology, and the environment. Particularly, risks that a cannabis company may face stem from a variety of sources and include:

  • High cost of capital
  • Poorly executed merger or acquisition
  • Unreliable accounting records (e.g., high volume of cash-based transactions, limited access to traditional banking, inventory tracking, etc.)
  • Penetration and attack of IT systems by hackers (e.g., Cybersecurity vulnerabilities)
  • System vulnerabilities and disruption to seed-to-sale platforms, point of sale systems, and accounting and ERP systems
  • Breach of regulations and laws (e.g., HIPPA, SOX, etc.)
  • Tax problems (e.g., 280E)
  • Litigation risks
  • Inventory and quality control issues
  • Substantial reduction in financial and other resources (e.g., skills shortage)
  • Physical disasters leading to interruptions of business and/or loss of records

Cannabis companies need to establish a risk-based internal control and risk management framework, which improves performance and drives a “we should do it” attitude. Being proactive and managing risks-to-objectives helps establish the right motives, including management buy-in, better-designed controls, and sustainable processes.

How Centri Can Help

A commitment to internal controls and risk management, which permeate across an organization, is how cannabis companies improve the quality of financial reporting and manage risk. If you have questions about or need assistance with establishing an internal control and risk management framework, identifying risks, or addressing potential vulnerabilities before they are exploited, contact Centri’s risk and cybersecurity experts to learn more about how we can help you.

Nicole Ellis, CCSA

Senior Manager

Nicole is a Senior Manager at Centri. She provides advisory services to a variety of industries, with an emphasis on internal controls and compliance. Nicole is a member of Centri’s Risk Advisory team, performing Sarbanes-Oxley (SOX) compliance and internal control assessments including audit readiness, business process testing and reengineering, and remediation to improve business processes and strengthen internal controls over financial reporting.

Rich Sowalsky, CISA

Managing Director | IT Risk & Cybersecurity Practice Leader

Rich is the Managing Director and IT Risk & Cybersecurity Practice Leader at Centri. He has more than 13 years of combined experience in internal control consulting, IT risk, cybersecurity advisory, and risk-based internal audits & accounting. Over the years, Rich has provided a variety of risk advisory and compliance services for clients across various industries, including insurance, healthcare, life sciences, financial services, and higher education.

About Centri Business Consulting, LLC

Centri Business Consulting provides the highest quality advisory consulting services to its clients by being reliable and responsive to their needs. Centri provides companies with the expertise they need to meet their reporting demands. Centri specializes in financial reportinginternal controlstechnical accounting researchvaluation, mergers & acquisitions, and CFO and HR advisory services for companies of various sizes and industries. From complex technical accounting transactions to monthly financial reporting, our professionals can offer any organization the specialized expertise and multilayered skillsets to ensure the project is completed timely and accurately.

For more information, please visit

Philadelphia Office

Eight Penn Center
1628 JFK Boulevard, Suite 500
Philadelphia, PA 19103

New York Office

530 Seventh Avenue
Suite 2201
New York, NY 10018

Boston Office

50 Milk Street
16th Floor
Boston, MA 02109

Tysons Corner Office

1775 Tysons Blvd
Suite 5136
Tysons, VA 22102

Colorado Office

8310 South Valley Highway
3rd Floor
Englewood, CO 80112

Raleigh Office

4509 Creedmoor Rd
Suite 206
Raleigh, NC 27612

Tampa Office

615 Channelside Drive
Suite 207
Tampa, FL 33602

Centri Virtual