Internal Controls for Growing Businesses: What Your Controller Should Implement

Internal controls aren't just for big companies. Growing businesses are actually more vulnerable to fraud and errors because they haven't built the checks and balances larger companies have. Here's what to implement—and how to do it without creating bureaucracy.

Last Updated: January 2026 | 12 min read

Most business owners think internal controls are for large corporations with armies of accountants. That's backwards.

Growing businesses are actually at higher risk. You have enough transactions for fraud to hide in, but not enough oversight to catch it. You have enough people handling money that trust alone doesn't work, but not enough staff to fully separate duties.

The good news: effective internal controls don't require bureaucracy. They require thoughtful design by someone who understands both accounting and your business. That's a controller's job.

The Embezzlement Reality

According to ACFE data, the median loss from fraud in companies with fewer than 100 employees is higher than in large companies—$150,000+ per incident. Small and mid-sized businesses are disproportionately targeted because they're assumed to have weak controls.

What Are Internal Controls?

Internal controls are processes designed to:

  • Prevent errors: Catch mistakes before they affect financial statements
  • Prevent fraud: Make it hard for anyone to steal without detection
  • Ensure compliance: Meet regulatory and contractual requirements
  • Protect assets: Safeguard cash, inventory, and other company property

Controls don't have to be complex. A simple rule like "the person who enters bills can't also approve payments" is an internal control.

The Three Types of Controls

  • Preventive controls: Stop problems before they happen (approval requirements, access limits)
  • Detective controls: Find problems after they happen (reconciliations, reviews)
  • Corrective controls: Fix problems once found (error correction procedures)

A well-designed control environment uses all three, with emphasis on prevention.

Segregation of Duties

The most fundamental control: no single person should have complete control over any financial process.

The Principle

Three functions should be separated:

  • Authorization: Approving transactions or changes
  • Custody: Physical access to assets (cash, checks, inventory)
  • Recording: Entering transactions into the accounting system

When one person controls all three, fraud is easy and detection is hard.

Practical Applications

Cash/Banking

  • Person who reconciles bank account ≠ person who signs checks
  • Person who prepares deposits ≠ person who records them
  • Wire approval requires two authorized signers

Accounts Payable

  • Person who enters invoices ≠ person who approves payment
  • Person who sets up new vendors ≠ person who pays vendors
  • Person who processes payments ≠ person who reconciles bank

Payroll

  • Person who changes pay rates ≠ person who processes payroll
  • Person who adds new employees ≠ person who authorizes pay
  • Payroll reconciled by someone other than the processor

Segregation at Small Scale

"We only have three people—we can't segregate." This is where outsourcing helps. An outsourced controller or accounting team can provide independent review that you can't achieve with just internal staff.

Minimum viable segregation for small teams:

  • Bookkeeper handles data entry; owner or controller reviews and approves
  • Someone independent (owner, outsourced controller) reviews bank reconciliation monthly
  • Any payment over $X requires second approval
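
The three-function split above can be checked mechanically once you write down which system roles grant which of authorize, custody and record in each process. The script below is an added example, not code from the article or from any accounting package: the role catalogue, the four-person assignment list and the cross-process rules are constructed to mirror the pairs listed above, and the names of the processes and roles are assumptions you would replace with your own system's roles.

```python
"""Segregation-of-duties check over role assignments.

Added example, not part of the original article. The role catalogue, the
assignments and the conflict rules are constructed to mirror the article's
authorize / custody / record split; adapt them to your own system.
"""
from itertools import combinations

# Each role grants (process, function) capabilities; function is one of
# "authorize", "custody", "record".  Assumed role names.
ROLE_CAPABILITIES = {
    "ap_clerk":          {("payables", "record"), ("vendors", "record")},
    "ap_approver":       {("payables", "authorize"), ("vendors", "authorize")},
    "check_signer":      {("payables", "custody")},
    "bank_reconciler":   {("banking", "record")},
    "hr_admin":          {("payroll", "authorize")},
    "payroll_processor": {("payroll", "record")},
}

# Pairs that conflict even though they sit in different processes
# (the article's "sets up vendors != pays vendors" and
# "processes payments != reconciles bank" rules).
CROSS_PROCESS_CONFLICTS = [
    (("vendors", "record"), ("payables", "custody")),
    (("payables", "custody"), ("banking", "record")),
]


def capabilities(roles):
    """Union of the capabilities granted by a list of role names."""
    caps = set()
    for role in roles:
        caps |= ROLE_CAPABILITIES[role]
    return caps


def sod_conflicts(assignments):
    """Return {user: sorted list of (proc_a, func_a, proc_b, func_b)} for every
    user holding two of authorize/custody/record inside one process, or a
    listed cross-process pair. Users with no conflict are omitted."""
    findings = {}
    for user, roles in assignments.items():
        caps = capabilities(roles)
        conflicts = set()
        by_process = {}
        for process, function in caps:
            by_process.setdefault(process, set()).add(function)
        for process, functions in by_process.items():
            for a, b in combinations(sorted(functions), 2):
                conflicts.add((process, a, process, b))
        for cap_a, cap_b in CROSS_PROCESS_CONFLICTS:
            if cap_a in caps and cap_b in caps:
                conflicts.add(cap_a + cap_b)
        if conflicts:
            findings[user] = sorted(conflicts)
    return findings


def independent_reviewers(assignments, process):
    """Users with no capability at all in `process`: the candidates who can
    perform an independent review of it (the small-team fallback above)."""
    return sorted(user for user, roles in assignments.items()
                  if not any(p == process for p, _ in capabilities(roles)))


# Constructed four-person company.
ASSIGNMENTS = {
    "maria": ["ap_clerk", "check_signer"],        # enters bills AND signs checks
    "jon":   ["payroll_processor", "hr_admin"],   # runs payroll AND changes pay rates
    "priya": ["bank_reconciler"],
    "owner": ["ap_approver"],
}

if __name__ == "__main__":
    for user, conflicts in sod_conflicts(ASSIGNMENTS).items():
        for p1, f1, p2, f2 in conflicts:
            print(f"{user}: {p1}/{f1} conflicts with {p2}/{f2}")
    print("independent reviewers for payables:",
          independent_reviewers(ASSIGNMENTS, "payables"))
```

Run against the constructed list it reports Maria (bill entry plus check signing, and vendor setup plus payment custody) and Jon (pay-rate changes plus payroll processing), and it names Priya and Jon as the people with no hand in payables who could review it. Where a conflict can't be removed because there is nobody else, the finding is the thing to document together with the compensating review that covers it.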

Approval Workflows

Approval requirements ensure transactions are authorized before execution.

Expense Approvals

Define approval thresholds based on dollar amount and type. Apply the threshold to the whole purchase, not to each invoice, so a $15,000 commitment can't be routed around the CFO by splitting it into two $7,500 bills:

Amount               Approver
Under $1,000         Manager or department head
$1,000 - $10,000     VP or Controller
$10,000 - $50,000    CFO or CEO
Over $50,000         Board or two executives

Vendor Setup

New vendor setup is a fraud risk point. Controls include:

  • Require W-9 before vendor activation
  • Verify vendor legitimacy (address, phone, website)
  • Confirm bank account details, and any later request to change them, by calling the vendor at a number obtained independently of the request, not one supplied in the email asking for the change
  • Separate setup from payment authority
  • Review vendor master file periodically for suspicious entries

Journal Entries

Manual journal entries are another fraud vector. Controls include:

  • All journal entries require supporting documentation
  • Non-standard entries require controller or CFO approval
  • Review all entries over a threshold amount
  • Restrict journal entry access to appropriate personnel

Reconciliation Procedures

Reconciliations are the primary detective control—they find problems that preventive controls missed.

Bank Reconciliation

The most critical reconciliation:

  • Reconcile all bank accounts monthly (weekly if high-volume)
  • Investigate all reconciling items—don't carry items forward indefinitely
  • Independent review of reconciliation by someone who doesn't handle cash
  • Match deposits to invoices, payments to approved bills

Accounts Receivable

  • Reconcile AR subledger to GL monthly
  • Review aging and investigate old items
  • Confirm large balances periodically with customers
  • Review credit memos and write-offs for legitimacy

Accounts Payable

  • Reconcile AP subledger to GL monthly
  • Three-way match: PO → receiving → invoice
  • Review aged payables—why are items unpaid?
  • Confirm large balances with vendors periodically
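
The three-way match is the one item in this list that is pure logic, so here it is worked through. This is an added example, not code from the article or from any accounting system; the 2% price tolerance is an assumed policy value, and the purchase order, receiving report and two invoices are constructed.

```python
"""Three-way match (PO -> receiving -> invoice) with a price tolerance.

Added example, not code from the original article. The tolerance and the
sample documents are constructed; the tolerance stands in for whatever
your payment policy sets.
"""
from decimal import Decimal

# Assumed policy: a billed unit price may exceed the PO price by at most 2%,
# and an invoice may bill only quantities that have actually been received.
PRICE_TOLERANCE = Decimal("0.02")


def index_lines(lines):
    """{sku: (qty, unit_price)} from (sku, qty, unit_price) tuples."""
    return {sku: (Decimal(qty), Decimal(price)) for sku, qty, price in lines}


def three_way_match(po_lines, received, invoice_lines):
    """Return a list of exception strings. An empty list means every invoice
    line is on the PO, was received in at least the billed quantity, and is
    priced within tolerance of the PO; only then should payment be released."""
    po = index_lines(po_lines)
    inv = index_lines(invoice_lines)
    recv = {sku: Decimal(qty) for sku, qty in received.items()}
    exceptions = []

    for sku, (bill_qty, bill_price) in inv.items():
        if sku not in po:
            exceptions.append(f"{sku}: billed but not on purchase order")
            continue
        po_qty, po_price = po[sku]
        recv_qty = recv.get(sku, Decimal(0))
        if bill_qty > recv_qty:
            exceptions.append(f"{sku}: billed {bill_qty}, received {recv_qty}")
        if bill_price > po_price * (1 + PRICE_TOLERANCE):
            exceptions.append(f"{sku}: unit price {bill_price} exceeds PO price "
                              f"{po_price} by more than {PRICE_TOLERANCE * 100}%")

    # Receiving more than was ordered is worth a look even before it is billed.
    for sku, qty in recv.items():
        if sku in po and qty > po[sku][0]:
            exceptions.append(f"{sku}: received {qty}, ordered {po[sku][0]}")
    return exceptions


# Constructed documents: 10 units of A-100 at $50 and 5 of B-200 at $120 ordered,
# only 4 of B-200 received so far.
PO = [("A-100", 10, "50.00"), ("B-200", 5, "120.00")]
RECEIVED = {"A-100": 10, "B-200": 4}
CLEAN_INVOICE = [("A-100", 10, "50.50"), ("B-200", 4, "120.00")]   # 1% price drift, OK
BAD_INVOICE = [("A-100", 10, "50.00"),
               ("B-200", 5, "125.00"),    # bills 5 (4 received) at 4% over PO price
               ("C-300", 1, "99.00")]     # not on the PO at all

if __name__ == "__main__":
    print("clean:", three_way_match(PO, RECEIVED, CLEAN_INVOICE))
    for line in three_way_match(PO, RECEIVED, BAD_INVOICE):
        print("exception:", line)
```

Prices and quantities are kept as Decimal rather than float so that tolerance comparisons on cents are exact. The bad invoice produces three exceptions (over-billed quantity, over-tolerance price, and a line with no purchase order), and in practice each one is a hold on payment until someone other than the invoice entry clerk clears it.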

Payroll

  • Reconcile payroll register to GL entries
  • Verify headcount against HR records
  • Review rate changes and new hires for authorization
  • Independent review of payroll before processing

Access Controls

Limit who can do what in your financial systems.

Principle of Least Privilege

Each person should have access only to what they need for their job—no more.

  • Define roles with specific permissions (AP clerk, controller, admin)
  • Review access quarterly and remove unnecessary permissions
  • Remove access immediately when employees leave
  • Log and review admin-level access usage
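
The quarterly review and the leaver check in the list above come down to comparing the financial system's user export against the HR roster. The script below is an added example, not code from the article or from any accounting or payroll product; the account records, HR roster, approved-admin list, 90-day dormancy threshold and review date are all constructed, and the field names are assumptions you would map onto your own system's export.

```python
"""Quarterly access review of a financial system's user list against HR.

Added example, not from the original article. Account records, the HR
roster, the approved-admin list and the review date are constructed.
"""
from datetime import date

DORMANT_DAYS = 90  # assumed policy: no login in 90 days -> remove or justify


def access_review(accounts, roster, approved_admins, as_of,
                  dormant_days=DORMANT_DAYS):
    """Return a sorted list of (username, issue) findings.

    accounts: list of dicts {user, employee_id, roles, last_login}
    roster:   {employee_id: {"name": ..., "terminated": date or None}}
    """
    findings = []
    for acct in accounts:
        user = acct["user"]
        emp = roster.get(acct["employee_id"])
        if emp is None:
            # Shared logins and orphaned accounts have nobody accountable.
            findings.append((user, "no named owner in HR roster (shared or orphaned account)"))
        elif emp["terminated"] is not None and emp["terminated"] <= as_of:
            issue = f"owner terminated {emp['terminated']}; account still enabled"
            if acct["last_login"] and acct["last_login"] > emp["terminated"]:
                issue += " and used after termination"
            findings.append((user, issue))
        if "admin" in acct["roles"] and user not in approved_admins:
            findings.append((user, "admin role not on approved list"))
        if acct["last_login"] is None or (as_of - acct["last_login"]).days > dormant_days:
            findings.append((user, f"no login in {dormant_days}+ days"))
    return sorted(findings)


# Constructed review input.
AS_OF = date(2026, 1, 31)
ROSTER = {
    "E001": {"name": "Maria", "terminated": None},
    "E002": {"name": "Dan", "terminated": None},
    "E003": {"name": "Lee", "terminated": None},
    "E004": {"name": "Tom", "terminated": date(2026, 1, 15)},
}
ACCOUNTS = [
    {"user": "maria", "employee_id": "E001", "roles": ["ap_clerk"],
     "last_login": date(2026, 1, 28)},
    {"user": "dan", "employee_id": "E002", "roles": ["admin", "controller"],
     "last_login": date(2026, 1, 29)},
    {"user": "lee", "employee_id": "E003", "roles": ["payroll_processor"],
     "last_login": date(2025, 9, 30)},                       # dormant
    {"user": "tom", "employee_id": "E004", "roles": ["admin"],
     "last_login": date(2026, 1, 20)},                       # left Jan 15, logged in Jan 20
    {"user": "finance-shared", "employee_id": None, "roles": ["ap_approver"],
     "last_login": date(2026, 1, 29)},                       # shared login
]
APPROVED_ADMINS = {"dan"}

if __name__ == "__main__":
    for user, issue in access_review(ACCOUNTS, ROSTER, APPROVED_ADMINS, AS_OF):
        print(f"{user}: {issue}")
```

The output is the review worksheet: four findings, two of them on the account of someone who left the company two weeks earlier and has signed in since. That last case is exactly what "remove access immediately when employees leave" is meant to prevent, and the review is the detective control that catches it when offboarding was missed.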

System-Specific Controls

  • Accounting system: Restrict journal entry access, period closing, rate changes
  • Banking: Dual authorization for wire transfers, ACH batch approval
  • Payroll: Restrict pay rate changes, new employee setup
  • Expense: Limit card spending limits, approval routing

Password and Authentication

  • Require long passwords (12+ characters) and screen them against lists of known-breached passwords; length and breach screening do more than composition rules
  • Mandate multi-factor authentication for financial systems, online banking, and the email accounts that receive their notifications; prefer an authenticator app or hardware key over SMS codes
  • No shared accounts: an individual login for each user, so every approval and change is attributable to one person
  • Use a password manager for secure credential storage

Fraud Prevention

Beyond standard controls, specific measures help prevent and detect fraud.

Red Flags to Watch For

  • Employees who never take vacation (can't be away from their scheme)
  • Vendors with addresses similar to employee addresses
  • Round-number invoices without itemization
  • Unusual patterns in expense reports
  • Vendors with only a P.O. box address
  • Duplicate invoice numbers or payments
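
Several of these red flags, and the periodic vendor master file review mentioned under Vendor Setup, can be screened for automatically before anyone reads the output. The script below is an added example, not the article's own code or any product's feature: the employee, vendor and invoice records are constructed, and the 30-day near-duplicate window and the "multiple of $100 with no line items" rule are assumed thresholds to tune for your own volumes.

```python
"""Vendor master and invoice red-flag screen.

Added example, not the article's own code. Employee, vendor and invoice
records below are constructed; the 30-day window and the round-number
rule are assumed thresholds.
"""
import re
from datetime import date, timedelta
from decimal import Decimal

ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "drive": "dr",
          "boulevard": "blvd", "suite": "ste", "apartment": "apt"}
NEAR_DUP_WINDOW = timedelta(days=30)   # assumed


def normalize_address(addr):
    """Lowercase, drop punctuation and abbreviate common words so that
    '42 Elm Street, Apt 3B' and '42 ELM ST APT 3B' compare equal."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", addr.lower()).split()
    return " ".join(ABBREV.get(t, t) for t in tokens)


def is_po_box_only(addr):
    """True when the address is a P.O. box with no street address alongside it."""
    norm = normalize_address(addr)
    return bool(re.match(r"^(p ?o|post office) box \d+", norm)) and not \
        re.search(r"\d+ \w+ (st|ave|rd|dr|blvd|ln|way)\b", norm)


def screen(employees, vendors, invoices):
    """Return a list of (code, detail) flags over the vendor file and invoices."""
    flags = []
    emp_addr = {normalize_address(e["address"]): e["name"] for e in employees}

    for v in vendors:
        norm = normalize_address(v["address"])
        if norm in emp_addr:
            flags.append(("vendor_address_matches_employee",
                          f"{v['id']} {v['name']} shares address with {emp_addr[norm]}"))
        if is_po_box_only(v["address"]):
            flags.append(("po_box_only", f"{v['id']} {v['name']}: {v['address']}"))

    seen_no, by_vendor = {}, {}
    for inv in sorted(invoices, key=lambda i: (i["vendor"], i["date"])):
        key = (inv["vendor"], inv["invoice_no"])
        if key in seen_no:
            flags.append(("duplicate_invoice_no",
                          f"{inv['vendor']} {inv['invoice_no']} appears again on {inv['date']}"))
        seen_no[key] = inv
        if inv["amount"] % 100 == 0 and inv["line_items"] == 0:
            flags.append(("round_unitemized",
                          f"{inv['vendor']} {inv['invoice_no']} {inv['amount']} with no line items"))
        for prior in by_vendor.get(inv["vendor"], []):
            if (prior["amount"] == inv["amount"] and prior["invoice_no"] != inv["invoice_no"]
                    and inv["date"] - prior["date"] <= NEAR_DUP_WINDOW):
                flags.append(("near_duplicate_payment",
                              f"{inv['vendor']} {prior['invoice_no']} and {inv['invoice_no']}: "
                              f"same amount {inv['amount']} within {NEAR_DUP_WINDOW.days} days"))
        by_vendor.setdefault(inv["vendor"], []).append(inv)
    return flags


# Constructed data: one employee, three vendors, five invoices.
EMPLOYEES = [{"name": "Maria K.", "address": "42 Elm Street, Apt 3B, Austin TX 78701"}]
VENDORS = [
    {"id": "V1", "name": "Acme Supplies", "address": "900 Industrial Blvd, Austin TX 78744"},
    {"id": "V2", "name": "Brightline Consulting LLC", "address": "42 ELM ST APT 3B AUSTIN TX 78701"},
    {"id": "V3", "name": "Quick Freight", "address": "P.O. Box 9912, Dallas TX 75201"},
]
INVOICES = [
    {"vendor": "V1", "invoice_no": "INV-1001", "amount": Decimal("1234.56"), "date": date(2026, 1, 5), "line_items": 3},
    {"vendor": "V1", "invoice_no": "INV-1001", "amount": Decimal("1234.56"), "date": date(2026, 1, 20), "line_items": 3},
    {"vendor": "V2", "invoice_no": "INV-7", "amount": Decimal("5000.00"), "date": date(2026, 1, 8), "line_items": 0},
    {"vendor": "V2", "invoice_no": "INV-8", "amount": Decimal("5000.00"), "date": date(2026, 1, 16), "line_items": 0},
    {"vendor": "V3", "invoice_no": "QF-3301", "amount": Decimal("842.10"), "date": date(2026, 1, 12), "line_items": 2},
]

if __name__ == "__main__":
    for code, detail in screen(EMPLOYEES, VENDORS, INVOICES):
        print(f"[{code}] {detail}")
```

On the constructed data the screen raises six flags, and the interesting one is the combination: a consulting vendor at an employee's home address, billing round $5,000 invoices with no itemization twice in eight days. Any single flag has innocent explanations; it is the cluster on one vendor that a controller should follow up, and the address normalization matters because the fraudster who sets up the vendor rarely types the address exactly as HR has it on file.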

Preventive Measures

  • Background checks: Screen employees with financial responsibility
  • Mandatory vacation: Require time off so others cover responsibilities
  • Vendor verification: Verify vendor legitimacy before first payment
  • Statement review: Have the bank deliver statements directly to the owner/executive (or give them read-only online banking access) so the review doesn't depend on whoever keeps the books
  • Physical safeguards: Secure check stock, limit signature stamp access

The Trust Issue

"But I trust my people." Trust isn't a control. Good people can be tempted by financial pressure. Good controls protect employees by removing temptation and protecting them from false accusations. Controls aren't about distrust—they're about good business.

Audit Preparation

Well-designed controls make audit preparation easier and reduce audit costs.

What Auditors Look For

  • Control environment: Does management take controls seriously?
  • Control activities: Are controls documented and operating?
  • Information systems: Are systems producing reliable information?
  • Monitoring: Are controls reviewed and updated?

Documentation

For each control, maintain:

  • Written procedure describing the control
  • Evidence the control operated (signatures, logs, reconciliations)
  • Documentation of exceptions and how they were handled

For audit considerations, see our Compliance & Audit Guide.

Implementing Controls Without Bureaucracy

Controls should protect you, not slow you down. Here's how to implement effectively:

Prioritize High-Risk Areas

Start with the areas that have the most risk:

  • Cash and banking (highest fraud risk)
  • Payroll (second-highest fraud risk)
  • Accounts payable (vendor fraud risk)
  • Large or unusual transactions

Right-Size to Your Business

A $5M business doesn't need the controls of a Fortune 500 company. Focus on:

  • Key controls that prevent the biggest risks
  • Detective controls that catch problems before they compound
  • Controls that don't create significant operational burden

Use Technology

Modern tools build controls into workflow:

  • Bill.com: Approval workflows built into payment process
  • Ramp/Brex: Spending limits and receipt requirements enforced automatically
  • Gusto/Rippling: Payroll changes require authorization through the system

Need Help Implementing Controls?

Eagle Rock CFO's controller services include designing and implementing internal controls right-sized for your business—protecting you without creating bureaucracy.

Schedule a Consultation