Internal Controls for Small Businesses
A guide to setting up proportionate internal controls in a small business, covering segregation of duties, authorisation procedures, reconciliations and fraud prevention.
Internal controls are the policies, procedures and checks that protect a business from errors, fraud and operational failures. For a small business, they do not need to be complex or bureaucratic. Even straightforward measures – such as having a second person approve payments, reconciling the bank account monthly and restricting access to accounting records – dramatically reduce the risk of mistakes going undetected or money going missing.
Many small business owners assume internal controls are only for large companies. In practice, smaller businesses are more vulnerable to fraud because they have fewer staff, less segregation of duties and more reliance on trust.
Why internal controls matter
| Risk | What can go wrong | How controls help |
|---|---|---|
| Fraud | Employee theft, fictitious supplier payments, inflated expense claims | Segregation of duties, approval limits, regular reconciliations |
| Errors | Duplicate payments, incorrect invoices, missed transactions | Reconciliations, review procedures, automated matching |
| Regulatory non-compliance | Late filings, incorrect tax returns, breaches of AML regulations | Checklists, calendar reminders, documented procedures |
| Cash flow problems | Unrecorded liabilities, delayed debt collection | Aged debtor reviews, cash flow monitoring, credit control procedures |
| Data loss | System failure, ransomware, accidental deletion | Backups, access controls, disaster recovery |
Good internal controls also support accurate bookkeeping and give confidence that the numbers in your accounts are reliable.
Core control principles
Segregation of duties
The single most effective internal control is ensuring that no one person controls an entire process from start to finish. In an ideal setup:
- The person who authorises a payment is not the person who processes it
- The person who receives goods is not the person who records the purchase
- The person who reconciles the bank is not the person who makes the payments
In a very small business with only two or three people, full segregation is not always possible. In that case, compensating controls are needed – typically the owner or a director reviewing transactions regularly.
| Transaction | Ideal segregation | Small business alternative |
|---|---|---|
| Supplier payments | One person raises purchase order, another approves invoice, another processes payment | Owner reviews and approves all payments above a set threshold |
| Payroll | One person prepares payroll, another reviews and approves | Owner reviews payroll summary before each pay run |
| Bank reconciliation | Prepared by bookkeeper, reviewed by someone else | Owner reviews completed reconciliation monthly |
| Expense claims | Claimed by employee, approved by manager | All claims approved by owner with receipts attached |
| Sales invoicing | Prepared by one person, dispatched by another | Owner spot-checks a sample of invoices monthly |
Authorisation limits
Set clear spending authority levels so that everyone knows who can approve what:
| Expenditure level | Approval required |
|---|---|
| Up to £250 | Team lead or manager |
| £250 to £1,000 | Director or business owner |
| £1,000 to £5,000 | Two directors or owner plus finance manager |
| Over £5,000 | Board approval or owner sign-off with documented justification |
The exact thresholds depend on your business size and risk appetite. The point is to have defined limits rather than allowing anyone to spend anything.
Reconciliations
Regular reconciliations are non-negotiable. They catch errors, identify missing transactions and detect fraud:
- Bank reconciliation – monthly at minimum, weekly is better. Match every transaction in your accounting system to your bank statement
- Supplier statement reconciliation – compare key supplier statements to your purchase ledger quarterly
- VAT reconciliation – cross-check your VAT return figures against your accounting records before filing
- Petty cash reconciliation – count the physical cash and compare it to the petty cash record
Access controls
Restrict who can access your financial systems and data:
- Use individual login credentials for your accounting software (not shared accounts)
- Set user permissions so staff can only access what they need for their role
- Restrict bank access – only authorised signatories should have online banking access
- Protect sensitive data – payroll information, customer payment details and supplier bank details should be accessible only to those who need them
Financial controls checklist
Purchases and payments
- All purchases over the threshold require a purchase order before the goods or services are ordered
- Three-way matching – match the purchase order, delivery note and invoice before authorising payment
- Never change a supplier’s bank details based on an email alone – always verify by phone using a known number
- Run a duplicate payment check before processing a payment run
- Review the aged creditors report monthly to ensure liabilities are accurate
Sales and receipts
- Issue invoices promptly after delivering goods or services
- Review the aged debtors report weekly and chase overdue invoices
- Record all receipts against the correct invoices in your accounting system
- Investigate and resolve unallocated payments within the month
Payroll
- Review the payroll summary before authorising each pay run
- Check for ghost employees periodically (verify that every person on the payroll actually works for you)
- Keep payroll processing and bank payment authorisation separate where possible
- Reconcile payroll records to your nominal ledger monthly
Petty cash
- Set a maximum float and top it up through the imprest system (replenish to a fixed amount)
- Require a receipt for every petty cash payment
- Never use petty cash for payments above a set limit (£50 is typical)
- Count and reconcile the float at least monthly
Fraud prevention
Small businesses lose a disproportionate amount to fraud compared to larger organisations, partly because controls are weaker and partly because trust substitutes for verification.
Common fraud risks for small businesses:
- Expense fraud – inflated or fictitious expense claims
- Supplier fraud – payments to non-existent suppliers or to an employee’s own company
- Payroll fraud – overtime manipulation, ghost employees, salary diversion
- Bank mandate fraud – criminals impersonating a supplier and requesting a change of bank details
- Theft of stock or cash – particularly in retail, hospitality and construction
Red flags to watch for
- An employee who never takes holiday and insists on handling everything themselves
- Missing documentation for transactions
- Suppliers or customers you have never heard of
- Unexplained adjustments or journal entries
- A sudden lifestyle change in an employee with financial responsibilities
Proportionate fraud controls
- Require dual authorisation for payments above a defined limit
- Conduct surprise audits of petty cash, stock and expense claims
- Implement a whistleblowing procedure so staff can report concerns confidentially
- Rotate duties periodically so no one person has unchecked control for too long
- Review bank statements yourself regularly, even if someone else does the bookkeeping
These measures align with the wider compliance framework around anti-money laundering, where the same principles of verification, documentation and oversight apply.
Technology and automation
Modern accounting software provides built-in controls that manual systems cannot match:
- Audit trails – every transaction is logged with the user, date and time
- Automated bank feeds – reduce manual data entry errors
- Approval workflows – route invoices and expenses for digital approval before payment
- Role-based access – restrict users to the functions they need
- Automated reconciliation – matching algorithms flag discrepancies for review
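The checks an approval workflow and audit trail make possible can be run over an exported payment run before it is released. The sketch below is an added example, not taken from any accounting product: the record fields and sample rows are constructed, and the £1,000 dual-authorisation limit is an assumption based on the authorisation table above.

```python
from collections import defaultdict
from decimal import Decimal

DUAL_AUTH_LIMIT = Decimal("1000")  # assumption: two approvers required above £1,000

# Constructed sample audit-trail rows: who raised, approved and paid each payment.
PAYMENTS = [
    {"id": "P1", "supplier": "Acme Ltd", "invoice": "INV-100", "amount": "180.00",
     "raised_by": "alice", "approved_by": ["bob"], "paid_by": "carol"},
    {"id": "P2", "supplier": "Acme Ltd", "invoice": "INV-101", "amount": "2400.00",
     "raised_by": "alice", "approved_by": ["bob"], "paid_by": "carol"},
    {"id": "P3", "supplier": "Brightside", "invoice": "INV-7", "amount": "640.00",
     "raised_by": "dave", "approved_by": ["dave"], "paid_by": "carol"},
    {"id": "P4", "supplier": "Acme Ltd", "invoice": "inv-100 ", "amount": "180.00",
     "raised_by": "alice", "approved_by": ["bob"], "paid_by": "carol"},
    {"id": "P5", "supplier": "Cedar Co", "invoice": "C-9", "amount": "5200.00",
     "raised_by": "alice", "approved_by": ["bob", "erin"], "paid_by": "erin"},
]

def review_payment_run(payments, dual_limit=DUAL_AUTH_LIMIT):
    """Return {payment id: [findings]} for payments that need a human look."""
    findings = defaultdict(list)
    seen = {}  # (supplier, invoice, amount) -> id of the first payment with that key
    for p in payments:
        approvers = set(p["approved_by"])
        amount = Decimal(p["amount"])
        # Segregation of duties: raiser, approver and payer must be different people.
        if p["raised_by"] in approvers:
            findings[p["id"]].append("raiser approved own payment")
        if p["paid_by"] in approvers:
            findings[p["id"]].append("approver also processed payment")
        # Dual authorisation: two distinct approvers above the limit.
        if amount > dual_limit and len(approvers) < 2:
            findings[p["id"]].append("needs second approver")
        # Duplicate check: normalise case and whitespace so near-identical keys collide.
        key = (p["supplier"].strip().lower(), p["invoice"].strip().lower(), amount)
        if key in seen:
            findings[p["id"]].append(f"possible duplicate of {seen[key]}")
        else:
            seen[key] = p["id"]
    return dict(findings)

if __name__ == "__main__":
    for pid, issues in review_payment_run(PAYMENTS).items():
        print(pid, "; ".join(issues))
```

A finding is a prompt for review rather than proof of fraud; in a two- or three-person business the owner's review is the compensating control for rows that cannot be fully segregated.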
Documenting your controls
Write down your key controls, even if it is just a one-page document. This ensures:
- Staff know what is expected of them
- Controls survive staff turnover
- You can demonstrate compliance to auditors, lenders or regulators
- New employees can be trained consistently
A simple controls document should cover who can authorise what, how reconciliations are done and by whom, how access to systems is managed, and what happens when something goes wrong.
Reviewing and improving
Internal controls are not a one-off exercise. Review them at least annually and after any significant change such as a new employee joining, a system change, a fraud incident or rapid business growth. Controls that worked when you had three employees may not be adequate when you have fifteen.