Audit & Analytics
Kezia Farnham Image
Kezia Farnham
Senior Manager

29 key internal controls for small businesses

December 21, 2023
0 min read
The CEO of a small business reviewing internal controls

Internal controls are the processes and policies that help small businesses keep their systems and data secure. While internal controls are often associated with large companies, small businesses have every reason to implement them. 28% of small businesses experience fraud, while only 22 — 26% of large companies say the same.

Given that fraud is on the rise, small businesses have everything to gain by integrating internal controls within their operations. This article will help small businesses get and stay protected by explaining:

  • What internal controls for small businesses are and why they matter
  • 29 internal controls all small businesses need
  • A checklist to start implementing small business controls today

Why do small businesses need internal controls?

Small businesses need internal controls because they have assets and information to protect. Though larger corporations with millions of dollars in the bank are often more diligent about finances and cybersecurity, small businesses have just as much to lose.

Because many small businesses lack internal controls, they’re more vulnerable to breaches and fraud. When fraud occurs, it also costs small businesses an average of $150,000 — money many small business owners can’t afford to lose.

Effective internal controls for small businesses help:

  • Reduce theft and fraud
  • Avoid losing money
  • Build customer trust
  • Securely grow the business
  • Prevent liabilities

The most important internal controls for small businesses

Many small businesses will require employees to manually review orders or verify the identity of credit card users. These measures are helpful, but they aren’t enough to prevent fraud, data breaches, and more.

Small businesses need more robust internal controls, including:

1. Separate financial duties

Many small business owners and employees are jacks of all trades. They accept and reconcile payments, request and approve purchases and calculate and complete deposits. While understandable, this introduces two risks: the risk of error and the risk of theft.

Financial controls help managers to implement checks and balances. It assures that all finances are accurate, free of errors and protected from bad actors who may misreport how much cash is in the till at the end of the day.

2. Separate bank accounts

When people start small businesses, they’re often sole proprietors or single-member LLCs. If this is the case, it’s too easy to mix personal and business finances. When this happens, it’s too easy for business owners to use business assets for personal purchases. This leads to the misappropriation of assets.

3. Require background checks

Your employees have access to critical business systems like point-of-sale and payroll. A common internal control for small businesses is to conduct background checks on all new hires. This is a key internal control for small businesses because it verifies they’re trustworthy and don’t have a history of theft, fraud, or embezzlement.

4. Regularly inspect inventory

Small business owners should have a business control process for inspecting and verifying inventory. Account for anything lost or stolen and verify that all orders were accurately fulfilled. Assign one employee to sign for incoming orders, then assign another to audit your inventory to ensure all records add up.

5. Implement access controls

Access controls are processes like giving designated log-in credentials to each employee. These internal controls for small businesses ensure that only verified users can access systems and data. It’s also important to only give employees the minimum level of access they need to do their job.

6. Restrict access to financial systems and data

Many employees don’t need access to all systems. While it’s important to only give employees the minimum level of access, be even more discerning with financial systems. Only give access to those who need that data to do their work, such as your bookkeeper. This prevents employees from stealing valuable information or misappropriating funds.

7. Update your passwords

Once employees have created credentials, they should be updated regularly. This reduces the chances that a bad actor will obtain the passwords and have access to valuable company systems. It’s common to require password updates every 30 days.

8. Reconcile transactions

Transactions don’t end after you’ve purchased new inventory or sold it to a customer. Implement a process to regularly check transactions against your bank accounts — including credit card and cash sales and your own purchases and expenses.

This ensures that no unauthorized transactions or payments get past you, whether a bad actor got a hold of your card or an employee purchased something they weren’t authorized to.

9. Check credit card statements

Though you should limit who has access to your credit cards, it’s still an important business control to thoroughly review every statement. If you do, you’ll catch any fraudulent charges, whether an unknown bad actor captured your credit card information or an employee purchased something they shouldn’t have.

10. Compare receipts

Part of reconciling transactions should be matching receipts to purchases. You want to confirm that the receipts match the transactions your POS recorded. If you see a transaction but don’t have a receipt, that could indicate a fraudulent transaction.

11. Create a vendor approval process

Vendor approval should be a multi-step process. If you select vendors yourself, enlist your bookkeeper or other trusted employee to double-check the vendors’ identity. If employees recommend vendors to you, complete due diligence to ensure it’s a genuine vendor and not a shell created to steal your funds.

12. List all vendors

Create a database with all vendors and their contact information. Bad actors or even employees may send false invoices, hoping you’ll send a payment. Check any invoice you review and the contact information associated with it to verify that you pay only approved recipients.

13. Mark all invoices

The more vendors you work with, the easier it is to accidentally pay a vendor twice. Once you’ve paid an invoice, an internal control is to mark it as paid and store it separately from your unpaid invoices.

14. Randomize your reviews

Though you should regularly reconcile your transactions and accounts, do so randomly. If you keep a consistent schedule, your employees may be able to doctor the books so you don’t see any unauthorized activity. Auditing at random dates and times will give you a peek at how your employees handle finances when they don’t know you’re looking.

15. Use a point-of-sale system

A point-of-sale (POS) system is a critical financial control because it manages all transactions and controls who can access the register and when. This secures any petty cash you’ll use to provide change to customers.

16. Connect the register to the POS

Your register and your POS should talk to each other. That means your register will only open if the POS gives the signal, which typically only happens if a purchase is made or an authorized employee manually opens the register. This makes it difficult for employees to steal cash from the till.

17. Document all transactions

Keep records of all transactions, including customer purchases, your own purchases, refunds and more. Essentially, you should have a complete record of any money that goes in and out. Your POS will likely do this for you. If you don’t have a POS, create your own system for documentation.

18. Establish a backup record

Systems break, malfunction or go offline. Internal controls for small businesses account for that by creating a backup file. This makes it more difficult for an employee or bad actor to mess with your records by damaging or overriding the system.

19. Count your register daily

Your point-of-sale (POS) is likely one of the most valuable assets you have on-site because cash will either be in the safe or the till. Count your cash on hand at the beginning of the day and the end of the day. If your numbers are off, you’ll be able to catch the error and remedy what caused it.

20. Assign two employees to count cash

Miscounting cash is relatively common, whether two bills stick together, the employee gets distracted, or they’re intentionally misreporting how much cash is present. One employee should conduct a first count, and a second employee should confirm that the count is accurate. They should recount the cash until their counts match. Using an electronic cash counter can expedite this process.

21. Limit who accesses cash

Only designated employees should have access to cash. This includes the safe where you store cash and the ability to open the POS without a transaction. Limiting who has access to cash prevents mishandling, which can happen accidentally or intentionally.

22. Secure blank checks

Blank checks are as good as cash, so it’s crucial they don’t fall into the wrong hands. Secure all checks in a safe, and only give certain employees access to the safe. The fewer people have access, the more secure it is.

23. Introduce a check signing process

Checks can be an easy target for fraudulent payments. A common internal control is if the business owner is the only person authorized to sign checks or digital payments. If the business owner can’t, require two signers to approve each check, one of whom should be someone you trust.

24. Use manual signatures

Businesses are increasingly using electronic signatures because they’re easy to procure. They’re also easy to replicate, which can lead to fraud and unauthorized account access. Requiring manual signatures on checks and other documents reduces the likelihood that someone will co-opt your signature.

25. Implement expense limits

Employees shouldn’t make purchases unless they’re approved to do so. If it doesn’t feel realistic for you to approve every transaction, implement approvals for transactions over a certain amount, like $50.

26. Monitor expense reimbursements

Employees may use their personal credit card or cash to purchase something for your business. Still, you shouldn’t reimburse employees at random. Create a process employees must follow to be eligible for reimbursement. Commonly, businesses will approve the purchase and the amount and then only reimburse the employee once they provide a receipt.

27. Verify reporting accuracy

Financial reporting is a tool small business owners can use to make decisions about their business. Lenders and investors will also reference those records to verify cash flow and other indicators of financial status. Regularly review your reporting procedures and confirm that all information is accurate and timely.

28. Conduct external reviews

Though you should internally audit your financial controls and data, you should also seek regular independent reviews, whether from an auditor or a certified public accountant (CPA). This person can evaluate your systems with an unbiased eye, ensure you’re compliant with relevant regulations and identify opportunities for improvement.

29. Implement controls technology

As your business grows, your internal controls system will, too. Some processes that once worked may not scale across multiple locations or multiple employees, especially if you’ve hired someone to take over a few of your own responsibilities. Internal controls management technology can create a more effective infrastructure, automating repetitive processes and evolving along with your business.

Get ahead with an internal controls checklist

How effective internal controls for small businesses will be has everything to do with how you implement them. It’s creating the controls, thoroughly documenting them, distributing control checklists, and providing the training and support employees need to integrate them into everything they do.

With 29 or more controls, multiple employees and an already-packed business day, that’s easier said than done. Get our seven-step process for the implementation of controls to start putting your new policies into practice.


Your Data Matters

At our core, transparency is key. We prioritize your privacy by providing clear information about your rights and facilitating their exercise. You're in control, with the option to manage your preferences and the extent of information shared with us and our partners.

© 2024 Diligent Corporation. All rights reserved.