Few industries face as many hurdles right out of the gate as cannabis. Not being legal on a federal level introduces all kinds of obstacles that traditional industries don’t have, particularly related to banking and complying with differing individual state regulations.
At the Institute of Internal Auditors General Audit Management Conference in March 2023, a panel of risk advisors who work in the industry discussed how cannabis companies are responding to the difficulties of banking as a cash-intensive industry and complying with the numerous and evolving state laws. The speakers were Chris Clai, director of information security at Green Thumb Industries and board member with the Cannabis Information Sharing & Analysis Organization (ISAO); Chris Jeffrey, partner and firmwide cannabis leader at Baker Tilly; and Jason Meneses, former vice president of internal audit at a national cannabis holding company. Mumta Taneja, director and risk advisory cannabis leader at Baker Tilly, moderated the panel. The panel discussion took a deep dive into top risks facing the cannabis industry, perspectives on addressing those risks and the role in internal audit.
One of the biggest fallacies about cannabis companies is that they are unbanked, Jeffrey said. While it is true that federally chartered banks will not yet do business with cannabis companies, some state-chartered banks and credit unions will. Unfortunately, for multistate operators (MSOs) that means rather than using one or two banks, they must create a patchwork of banking relationships among several financial institutions in the states and jurisdictions where they are doing business, which can sometimes require relationships with 20-30 (or more) banks.
Often these are smaller banks, so they may not have the sophistication and controls larger institutions do, including multifactor authentication or positive pay. From an internal audit perspective, this may require putting in place additional operational controls, Jeffrey said.
It’s not just that cannabis companies don’t have the convenience of using a larger bank; they also may not have access to the same types of financing at the same rates that companies in traditional industries do, he said.
Many cannabis companies obtaining debt financing are paying much higher interest rates than traditional companies do given the risk profile of the industry and because there isn’t the same competition among those financial institutions from a lending perspective.
That said, the industry is enjoying meteoric growth, raking in an estimated $30 billion in medical and recreational cannabis sales in 2022, according to MJBizDaily, and even though the industry is highly regulated, certain companies still won’t work with them.
That creates an even larger problem for cannabis companies because in many cases, they don’t have a large selection of vendors to choose from. For example, if a cannabis company works with a financial institution or vendor, and that vendor is bought by another entity, the new owner may be unwilling to work in the industry going forward, severing ties with the company without warning, Meneses said.
Compliance and regulation are significant factors as each state has its own unique standards. For MSOs, each of their dispensaries may operate differently due to the provisions of the states they are in. That’s also true on the inventory side. Some states are stricter than others, with some requiring cannabis companies to perform daily physical inventory counts. If the company is off by even one inventory SKU, it must be reported within 48 hours. That type of responsiveness requires strong controls to be able to detect, identify and report the information correctly.
Doing so much business in cash exposes cannabis companies to additional risks such as misappropriation of funds, fraud, theft, safety and security, and others.
Several of these risks can be mitigated by having strong cash-handling controls. For instance, investing in a point-of-sale system is critical as it provides a company with automated cash management functionalities, which will help support cash counts and generating cash logs. Additionally, companies should conduct regular cash reconciliations (i.e., more than once a day). Of course, on-site access controls, segregation of duties, and physical security controls should be in place so there are processes around who is handling the cash, putting it in the safe, coordinating the armored car pickups, etc.
Beyond that, though, companies often don’t spend enough time on the human element of internal controls, like training employees in the dispensaries on proper cash controls, Jeffrey said. In that vein, companies should ensure strong segregation of duties around cash and cash controls. In general, education and awareness are fundamental to a company’s internal control environment whether it be around cash processes or cybersecurity.
From a compliance standpoint, some states have more specific standards than others, Meneses said. All companies are required to have cameras, physical security personnel present and, depending on the state, certain vault sizes, but many others go beyond that to ensure the risk exposure is limited.
On the information security side of things, Clai said having a strong understanding of their weaknesses (e.g., business email compromises and third-party breaches) is helping them to better address and help prevent them from occurring.
With 41 states having medicinal cannabis laws in place, cannabis companies must safeguard patient healthcare data appropriately. When Meneses was at his former employer, one state required cannabis operators to comply with HIPAA, so the company’s legal and risk teams worked with a third party to perform a full cyber risk assessment and privacy assessment. They then made sure mitigating steps were taken and they monitored compliance. The assessments were presented to leadership to validate the need to develop a strong cybersecurity culture.
It's the industry’s fluid and dynamic nature that makes internal audit a critical function in cannabis companies, Meneses said. Inherently, internal auditors are risk managers who understand risk and controls as well as the proper protocols organizations need to help mitigate those risks.
More than doing the basics of reconciling cash, internal auditors have an opportunity to really work with their stakeholders to identify areas of risk and areas to optimize across states. States may have different requirements, but there are ways to streamline controls to mitigate their risks together. Internal auditors can provide reasonable assurance over those controls.
Infosec, governance, risk and compliance (GRC) or internal audit roles are essential in that they work to find the company’s deficiencies and could help the company reduce waste and other inefficiencies, Clai said. Furthermore, all risk managers have a point of view that is valued at cannabis companies, Meneses said. Leadership knows what they do is pivotal to the company’s operations and to help it progress.
The industry is only expected to keep growing. One estimate predicts medicinal and recreational sales of almost $50 billion in 2026, and 91% of Americans indicated they support either medical or adult use of cannabis to be legal, according to a 2021 Pew Research study. The U.S. is also close to having adult-use recreational cannabis legal in half the states, which some believe is the tipping point for talks of federal legalization. The industry has prompted its own startup culture of ancillary businesses in the absence of traditional vendors. It’s also an industry that has attracted young, eager and motivated workers who are excited to help actually grow a new industry rather than join a more established, less dynamic one. That said, implementing needed and somewhat mundane controls will be a vital part of the industry’s unprecedented evolution.