Internal control in SMEs: securing your processes
Internal control in SMEs: what it is for, its five components, segregation of duties, how it differs from internal audit, and the statutory auditor's view.
Expert note: This article was written by our chartered accountancy firm. Information is current as of 2026. For a personalised review of your situation, contact us.
Quick answer. Internal control is the set of arrangements that let an SME keep its activities under control: producing reliable accounts, protecting assets, preventing and detecting fraud and errors, and ensuring compliance. It rests on five components and one central principle, segregation of duties, scaled to the size of the business.
Many owners discover their internal control system the day something has already gone wrong: a payment sent twice, a supplier invoice paid for goods that never arrived, an unexplained cash discrepancy, or internal fraud uncovered after an employee leaves. Internal control is not red tape reserved for large groups. It is the concrete way work is organised so that no single operation ever depends entirely on one person, and so that the accounts you present to your bank or your partner reflect reality.
This article is written for SME owners and finance directors who want to understand what internal control is really for, how to build it at their scale, how it differs from internal audit, and what the statutory auditor looks at when they step in.
What internal control actually is
Internal control is the set of arrangements an entity puts in place to keep its activities under control. Its purposes are specific: to make financial and accounting information reliable, to protect assets, to prevent and detect fraud and errors, and to ensure compliance with applicable rules. It is therefore not a document but a way of organising work.
The most widely used international reference framework is COSO. It breaks internal control down into five components that work together. None is sufficient on its own: a fine procedures manual with no real controls protects nothing, and scattered controls with no monitoring eventually fade away.
| COSO component | What it means in an SME |
|---|---|
| Control environment | The tone set by management, integrity, clear roles and responsibilities |
| Risk assessment | Identifying where money, data and assets are exposed (purchasing, payroll, cash, inventory) |
| Control activities | The concrete controls: approvals, reconciliations, dual signatures, access controls |
| Information and communication | Reliable information flows to the right people at the right time |
| Monitoring | Regular oversight of the system to check it works and to fix weaknesses |
Segregation of duties, the principle that changes everything
If you remember only one rule, make it this one. Segregation of duties means splitting between different people the functions of committing the spend, making the payment, recording the entry in the accounts, and performing the control. The idea is simple: no single person should control an operation from end to end, because it is precisely that solitary control that makes fraud possible and errors undetectable.
A telling example: the person who creates a supplier in the system, approves its invoices and triggers the transfers could, in theory, set up a fake supplier and pay themselves without anyone noticing. Separate the creation of the third party, the approval of the invoice and the execution of the payment, and the scheme collapses.
In a small structure, perfect segregation is often impossible: three or four people cannot cover every function. You then compensate with what are called compensating controls, for example a regular review by the owner or a systematic reconciliation done by a third party. This is a point we frequently address as part of our administrative and accounting management support.
Internal control and internal audit: do not confuse them
The two notions are linked but distinct. Internal control is permanent and embedded in day-to-day processes: it lives in every operation. Internal audit is a periodic, independent evaluation of how effective that system is: it steps back, tests, and flags what does not work.
In other words, internal control does the work; internal audit checks that the control work is being done properly. In an SME, a dedicated internal audit function is rare; this independent evaluation role is often carried out occasionally by the owner, a finance director, an external firm, or addressed during a compliance audit engagement.
| Criterion | Internal control | Internal audit |
|---|---|---|
| Nature | System embedded in processes | Evaluation of the system |
| Frequency | Permanent, daily | Periodic |
| Position | At the heart of operations | Independent of the operations reviewed |
| Purpose | Keep activity under control | Assess how effective that control is |
| Presence in SMEs | Always necessary | Often outsourced or occasional |
What the statutory auditor looks at
When a statutory auditor steps in, they obtain an understanding of the internal control relevant to the audit. The aim is not to judge the organisation for its own sake, but to assess the risk of material misstatement in the accounts. This approach is governed by professional standard NEP 315.
It is important to understand the scope of this review. The statutory auditor is not tasked with certifying internal control itself. However, they rely on its quality to calibrate their work: the more robust and documented the system, the more they can rely on it and reduce certain tests; the weaker it is, the more detailed checks they must carry out. A robust internal control system is therefore not only a protection for the company, it is also a factor that smooths the audit.
This is a logic we apply at the firm, both in our statutory audit engagements and in the advice we give owners beforehand.
Our take
In the SME files we handle, the problem is almost never a complete absence of control, but a system built by accumulation, never formalised, resting entirely on one trusted person. It works as long as that person is present, reliable and not overwhelmed. The day they leave, fall ill or make a mistake, the company realises it had no safety net.
Our conviction is that good internal control in an SME is not the most exhaustive, but the most proportionate. A few well-maintained key controls are worth more than a fifty-page manual that no one applies. The point is to target the areas where money and assets are genuinely exposed, then place a simple, systematic control there.
The underestimated risk
The most often overlooked risk is not large-scale fraud, but the silent erosion of controls. A procedure is put in place, then trimmed because people are in a hurry, then forgotten. Without monitoring, that is, without someone periodically checking that the controls are still running, the system quietly loses its substance without anyone noticing. This is exactly the COSO monitoring component that is most often missing in SMEs.
In practice: building a proportionate system
In an SME, a few key controls are often enough to cover most risks. Here is the checklist of controls we recommend first.
- Regular bank reconciliation, ideally monthly, done by someone other than the person who pays
- Dual approval of payments above a defined threshold
- Separation between bookkeeping entry and disbursement
- Review of expense reports before reimbursement
- Periodic physical inventory of stock and fixed assets
- Access control over payment tools and sensitive data
- Independent approval of new supplier and customer creation
To build this system rather than endure it, here is a five-step approach.
- Map the at-risk processes: purchasing and payments, sales and collections, payroll, cash, inventory.
- Spot, in each one, the points where a single person controls the whole chain.
- Place a simple control at those points: dual approval, reconciliation, or independent review.
- Write down the essentials: who does what, in what order, and who controls, on one or two pages, no more.
- Plan for monitoring: a periodic review to check the controls still work and to adjust them.
Bookkeeping itself is a link in this system: regular, documented monitoring limits anomalies upstream. That is the purpose of our bookkeeping and accounts review engagement.
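To make step 2 of the approach and the fake-supplier example concrete, here is an added Python example (not the firm's own tool, nor any product the article names) that scans a constructed rights matrix for the conflicts described above, lists anyone who holds the whole supplier-to-payment chain, and checks whether a compensating control is genuinely independent; every person name, right label and reviewer assignment is an assumption.

```python
from itertools import combinations

# Functions of the purchase-to-pay chain named in the article; each pair is a
# segregation-of-duties conflict when both rights sit with one person.
CONFLICTS = {
    frozenset(p) for p in [
        ("create_supplier", "approve_invoice"),
        ("create_supplier", "execute_payment"),
        ("approve_invoice", "execute_payment"),
        ("record_entry", "execute_payment"),
        ("execute_payment", "bank_reconciliation"),
    ]
}

# Constructed sample rights matrix (hypothetical people, not real data).
RIGHTS = {
    "alice": {"create_supplier", "approve_invoice", "execute_payment"},
    "bob": {"record_entry", "execute_payment"},
    "carol": {"bank_reconciliation"},
    "dave": {"approve_invoice"},
}

def sod_conflicts(rights):
    """Return {person: [(right_a, right_b), ...]} for each conflicting pair held."""
    out = {}
    for person, held in rights.items():
        pairs = [p for p in combinations(sorted(held), 2) if frozenset(p) in CONFLICTS]
        if pairs:
            out[person] = pairs
    return out

def end_to_end_controllers(rights, chain=("create_supplier", "approve_invoice", "execute_payment")):
    """People who control the whole fake-supplier chain alone."""
    return sorted(p for p, held in rights.items() if set(chain) <= held)

def unmitigated(rights, compensating):
    """Conflicts with no valid compensating control.

    compensating maps a conflicting pair to the reviewer who checks it; the
    review only counts if the reviewer holds neither right in the pair.
    """
    gaps = []
    for person, pairs in sod_conflicts(rights).items():
        for pair in pairs:
            reviewer = compensating.get(pair)
            independent = reviewer is not None and not (set(pair) & rights.get(reviewer, set()))
            if not independent:
                gaps.append((person, pair))
    return gaps

# Constructed: carol's reconciliation covers alice's approve/pay conflict, but
# bob's record/pay conflict is "reviewed" by alice, who herself executes payments.
COMPENSATING = {
    ("approve_invoice", "execute_payment"): "carol",
    ("execute_payment", "record_entry"): "alice",
}
```

Running `unmitigated(RIGHTS, COMPENSATING)` leaves three gaps: two on alice, who still creates suppliers, and one on bob, because a reviewer who also pays is not a compensating control.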
A common case
In the files we take over, one pattern recurs: a growing SME where the same administrative employee enters invoices, manages the supplier relationship and prepares transfers, while the owner simply approves in bulk for lack of time. Everything is fine until a job change or an inspection. The first recommendation is not to reorganise everything, but to introduce two targeted controls: owner approval of transfers above a threshold, and a monthly bank reconciliation reviewed by someone outside the payment process. Two simple steps that close the main gap.
Compliance is part of internal control
Keeping your activities under control also means complying with tax and reporting rules. A well-designed internal control system includes checkpoints on VAT, reporting obligations and the consistency of the accounts, which reduces risk in the event of a tax inspection. That is the whole point of anticipating, as we explain regarding the tax compliance review and tax audits.
Frequently asked questions
What is internal control for?
Internal control serves to keep the company's activities under control: making financial and accounting information reliable, protecting assets, preventing and detecting fraud and errors, and ensuring compliance with the rules. It is the concrete organisation that secures operations day to day, not merely a procedures document.
What is segregation of duties?
Segregation of duties means splitting between different people the functions of committing the spend, making the payment, recording the accounting entry and performing the control. The aim is that no single person controls an operation from end to end, because that solitary control is what makes fraud possible and errors hard to detect.
What is the difference between internal control and internal audit?
Internal control is permanent and embedded in day-to-day processes: it lives in every operation. Internal audit is a periodic, independent evaluation of how effective that system is. In short, internal control keeps the activity under control, while internal audit checks that this control actually works.
Does the statutory auditor control internal control?
As part of their engagement, the statutory auditor obtains an understanding of the internal control relevant to the audit in order to assess the risk of misstatement in the accounts (NEP 315). They do not certify internal control itself, but rely on its quality to calibrate their work and the volume of their checks.
Does a small SME need internal control?
Yes, but proportionate to its size. A few key controls are often enough: regular bank reconciliation, dual approval of payments above a threshold, separation between entry and disbursement, review of expense reports, periodic physical inventory. The aim is to cover the major risks without weighing the organisation down.
Should internal control be formalised in writing?
A light formalisation is useful: noting who does what, in what order and who controls, on one or two pages. This prevents the system from resting on one person's memory and supports continuity in case of absence or departure. The written record should stay short and genuinely applied.
Key takeaways
- Internal control keeps the activity under control: reliable accounts, protected assets, limited fraud and errors, assured compliance.
- COSO structures the system into five components, including monitoring, which is often neglected in SMEs.
- Segregation of duties is the central principle: no single person controls an operation from end to end.
- Internal control is permanent; internal audit periodically evaluates its effectiveness.
- The statutory auditor does not certify internal control but relies on its quality (NEP 315) to calibrate the audit.
- In SMEs, aim for proportionate: a few well-maintained key controls beat an unapplied manual.
Hayot Expertise, a chartered accountancy and statutory audit firm registered with the Ordre des experts-comptables d'Île-de-France, supports SME owners in securing their processes. This article is for information only and does not replace an analysis of your situation in light of your organisation and the rules in force.

Article written by Samuel HAYOT
Chartered Accountant, registered with the Institute of Chartered Accountants.
Regulated French accounting and audit firm based in Paris 8, built to support companies across France with a digital and decision-oriented approach.