Internal Controls for $5M-$25M Companies

Practical guidance on establishing effective controls that protect your business without overburdening operations.

Key Takeaways

  • Internal controls protect assets, ensure financial accuracy, and promote operational efficiency
  • The ACFE estimates that organizations lose roughly 5% of annual revenue to fraud, and small organizations are the least likely to have formal controls in place; controls are essential
  • COSO framework provides a structured approach to control design suitable for any size company
  • Segregation of duties is the foundation of effective controls but requires creative solutions in small teams
  • Control costs should be proportionate to the risks they mitigate

The Case for Controls in Small and Mid-Sized Businesses

Small and mid-sized businesses often operate under the assumption that controls are only necessary for large corporations or public companies subject to regulatory requirements. This assumption is dangerous—and expensive.

The Association of Certified Fraud Examiners (ACFE) 2024 Report to the Nations found that small organizations (fewer than 100 employees) experience median fraud losses of $150,000 per case. More concerning, the report found that these organizations are less likely to have formal controls in place, making them easier targets for both employee and vendor fraud.

Consider the case of a $15 million revenue company that lost $450,000 to a bookkeeper who had been skimming cash over a three-year period. The fraud went undetected because one person handled cash receipts, recorded transactions, and reconciled bank accounts, a classic segregation of duties failure. The loss equalled 3% of a full year's revenue, and a far larger share of net income.

Beyond fraud, weak controls create other costs. Financial statement errors require restatements. Tax filing mistakes result in penalties. Inaccurate data leads to poor business decisions. These costs often exceed the direct losses from fraud.

The reality is that every business—no matter the size—needs controls proportionate to its risks. The good news is that effective controls for $5M-$25M companies do not require the extensive bureaucracy that large enterprises implement. They require smart, targeted design.

Fraud Statistics Relevant to Small Business

  • $150,000: median fraud loss for organizations with fewer than 100 employees
  • 34%: share of fraud cases in small businesses attributed to inadequate controls
  • 18 months: average duration of a fraud before detection
  • 71%: share of frauds committed by employees rather than owners or managers

Source for all four figures: ACFE 2024 Report to the Nations.

The COSO Framework for Small Businesses

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework provides a widely accepted structure for designing, implementing, and evaluating internal controls. While the full framework is comprehensive, its five core components translate effectively to smaller organizations.

Control Environment
The foundation of all other controls. This is the tone at the top regarding ethics, integrity, and control awareness. For small businesses, it starts with the owner/CEO demonstrating commitment to honest operations and expecting the same from all employees. Written codes of conduct, conflict of interest policies, and clear expectations about ethical behavior establish this foundation.

Risk Assessment
Identifying and analyzing risks that could prevent achieving objectives. Small businesses should identify their key financial risks: Can someone steal cash? Can vendors overbill us? Can employees manipulate expense reports? Once identified, these risks can be addressed with appropriate controls.

Control Activities
The specific policies and procedures that mitigate identified risks. These include authorization requirements, segregation of duties, reconciliations, and physical safeguards. Control activities are where most small businesses focus their control efforts.

Information and Communication
Ensuring relevant information is identified, captured, and communicated in a timely manner. For small businesses, this means regular financial reporting to management, clear communication of policies to employees, and accessible records that support audit or investigation needs.

Monitoring
Ongoing evaluations to ensure controls are functioning properly. This includes management review of financial reports, periodic testing of control effectiveness, and prompt follow-up on identified issues.

COSO Framework Adaptation for $5M-$25M Companies

Control Environment
  • Owner/CEO models ethical behavior
  • Written employee policies and codes of conduct
  • Background checks on employees handling cash/assets
  • Clear organizational structure with defined responsibilities

Risk Assessment
  • Annual identification of financial risks
  • Documented risk response strategies
  • Consideration of fraud risks alongside operational risks

Control Activities
  • Authorization limits for expenditures
  • Segregation of duties where possible
  • Reconciliations for all significant accounts
  • Physical security over cash and assets

Information and Communication
  • Monthly financial statement review by ownership
  • Clear expense approval and reimbursement policies
  • Document retention policies

Monitoring
  • Management review of financial performance
  • Annual review of control effectiveness
  • Prompt investigation of unusual transactions

Essential Controls for This Revenue Range

Companies with $5M-$25M in revenue face specific control challenges. They are large enough to have significant exposure but often still too small to have dedicated control or internal audit functions. The following controls address the most common risk areas.

Cash and Banking Controls
Cash is the asset most susceptible to theft. Essential controls include: bank reconciliations prepared by someone other than those who make deposits or sign checks; online banking access limited to authorized personnel, under dual control so that no single user can both create and release a payment; documented approval for all wire transfers; periodic surprise cash counts; and restricted access to company credit cards.

Accounts Payable Controls
Vendor fraud and payment errors represent significant exposure. Controls include: new vendor setup requiring documented approval and W-9 collection; three-way matching (purchase order, receiving document, invoice) for significant payments; secondary approval for payments above defined thresholds; regular review of the vendor master file for duplicates, shared bank accounts, and vendors whose details match employee records; and no single person handling both vendor setup and payment processing.
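The vendor master file review above can be run as a script against an export from the accounting system rather than by eye. The following is an added example, not code from the article; the vendor and employee records are constructed, and the field names (`id`, `name`, `address`, `bank_account`, `tax_id`) are assumptions about what a small company's export contains. It flags duplicate vendors (same normalized name, tax ID, or bank account), vendors with no W-9 on file, and vendors whose bank account or address matches an employee, which is the usual signature of a fictitious vendor.

```python
"""Vendor master file review: duplicate, missing-W-9 and employee-overlap checks.

Added example, not from the original article.  Records below are constructed;
the field names are assumptions about a typical vendor export.
"""
import re
from collections import defaultdict

SUFFIXES = r"\b(inc|incorporated|llc|ltd|co|corp|corporation|company)\b"
STREET_WORDS = r"\b(street|st|avenue|ave|suite|ste|road|rd)\b"


def normalize_name(name):
    """Lower-case, drop punctuation and corporate suffixes so that
    'Acme Supply, Inc.' and 'ACME SUPPLY INCORPORATED' compare equal."""
    n = re.sub(r"[^a-z0-9 ]", " ", name.lower())
    return " ".join(re.sub(SUFFIXES, " ", n).split())


def normalize_address(addr):
    """Same idea for street addresses ('St' vs 'Street', punctuation, case)."""
    a = re.sub(r"[^a-z0-9 ]", " ", addr.lower())
    return " ".join(re.sub(STREET_WORDS, " ", a).split())


def review_vendor_master(vendors, employees):
    """Return sorted (check, detail) findings; detail is always a tuple of ids/names."""
    findings = []
    by_name, by_bank, by_tax = defaultdict(list), defaultdict(list), defaultdict(list)
    for v in vendors:
        by_name[normalize_name(v["name"])].append(v["id"])
        if v.get("bank_account"):
            by_bank[v["bank_account"]].append(v["id"])
        if v.get("tax_id"):
            by_tax[v["tax_id"]].append(v["id"])
        else:
            findings.append(("missing_w9", (v["id"],)))  # no tax ID: W-9 never collected

    # Any key shared by two or more vendor ids is a duplicate or a shared payee account.
    for check, index in (("duplicate_name", by_name),
                         ("shared_bank_account", by_bank),
                         ("duplicate_tax_id", by_tax)):
        for ids in index.values():
            if len(ids) > 1:
                findings.append((check, tuple(sorted(ids))))

    # Vendor paid to an employee's bank account or registered at an employee's
    # home address: the classic fictitious-vendor pattern, highest-signal check here.
    emp_banks = {e["bank_account"]: e["name"] for e in employees}
    emp_addrs = {normalize_address(e["address"]): e["name"] for e in employees}
    for v in vendors:
        if v.get("bank_account") in emp_banks:
            findings.append(("vendor_bank_matches_employee",
                             (v["id"], emp_banks[v["bank_account"]])))
        addr = normalize_address(v.get("address", ""))
        if addr in emp_addrs:
            findings.append(("vendor_address_matches_employee", (v["id"], emp_addrs[addr])))
    return sorted(findings)


# Constructed sample data.  V001/V002 are the same vendor entered twice,
# V003 is registered at an employee's home address and bank account, V004 is clean.
VENDORS = [
    {"id": "V001", "name": "Acme Supply, Inc.", "address": "12 Main St, Springfield",
     "bank_account": "111222333", "tax_id": "12-3456789"},
    {"id": "V002", "name": "ACME SUPPLY INCORPORATED", "address": "12 Main Street, Springfield",
     "bank_account": "111222333", "tax_id": "12-3456789"},
    {"id": "V003", "name": "Northwind Cleaning LLC", "address": "44 Oak Ave Apt 3, Springfield",
     "bank_account": "999888777", "tax_id": ""},
    {"id": "V004", "name": "Brightline Consulting", "address": "7 Harbor Rd, Springfield",
     "bank_account": "555666777", "tax_id": "98-7654321"},
]
EMPLOYEES = [
    {"name": "J. Doe", "address": "44 Oak Avenue Apt 3, Springfield", "bank_account": "999888777"},
]

if __name__ == "__main__":
    for check, detail in review_vendor_master(VENDORS, EMPLOYEES):
        print(f"{check:32} {', '.join(detail)}")
```

Run it after each vendor file change and before the payment run; every finding should be cleared by someone other than the person who maintains the vendor file, which is the same separation the paragraph above requires for setup and payment.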

Accounts Receivable Controls
AR fraud typically involves fictitious customers or diverted payments. Controls include: customer setup requiring documented approval; regular aging review by management (not just collections staff); separation of billing from cash handling; documented write-off approvals; and periodic confirmation of receivable balances with customers.

Payroll Controls
Payroll fraud is common because it is easy to perpetrate and difficult to detect. Controls include: documented approval for new hires and pay rate changes; timekeeping systems with supervisor verification; review of payroll register by someone other than payroll processor; separation of payroll preparation from payroll distribution; and periodic reconciliation of payroll to personnel records.

Segregation of Duties: The Core Challenge for Small Business

Segregation of duties, the principle that different people should authorize, record, and hold custody of the assets involved in a transaction, is the foundation of effective internal controls. It deters fraud because committing and concealing it then requires collusion between at least two people. Yet it is also the control most difficult to implement in small organizations with limited staff.

The classic segregation example is cash: the person who receives cash should not be the same person who records it or reconciles the bank account. In a small company where one bookkeeper handles all accounting, this separation does not exist naturally.

When full segregation is impractical, the solution is compensating controls—additional procedures that provide protection equivalent to segregation. These may include:

Management review of reports
Someone outside the transaction processing (typically the owner or controller) reviews financial reports and investigates unusual items. This review is a detective control: it catches after the fact the errors or fraud that segregation would have prevented.

Supervision and oversight
Active supervision of employees performing financial tasks. The supervisor does not necessarily perform the task but reviews work and asks questions about unusual items.

Independent verification
Periodic confirmation of account balances by someone outside the accounting function. Bank statements reviewed by the owner, AR aging confirmed by operations management.

Rotation of duties
Periodically rotating which employees perform specific tasks. This makes it harder to establish patterns of fraud and easier to detect irregularities.

The key insight is that while you cannot always achieve ideal segregation, you can implement controls that provide reasonable assurance against fraud and error. The goal is risk mitigation, not bureaucratic perfection.

Cost-Benefit Considerations

Control investments, like all business investments, should be evaluated on expected return. The goal is reasonable assurance—controls should be proportionate to the risks they address.

Control Costs
Controls cost money and time to implement and maintain. Direct costs include technology (accounting software features, approval workflows), personnel (time spent on reconciliations, reviews, approvals), and external resources (consultants, auditors). Indirect costs include potential delays from approval processes and opportunity cost of management time spent on control activities.

Control Benefits
Benefits include reduced losses from fraud and errors (quantifiable in many cases), more reliable financial statements, smoother audits with fewer findings, stronger lender and investor confidence, and operational efficiencies from standardized processes.

The Balance Point
For companies with $5M-$25M revenue, the balance point typically falls at controls that address the highest-risk areas (cash, banking, significant expenditures) with management review providing oversight of lower-risk areas. A company processing $5 million annually might accept somewhat higher risk than one processing $25 million annually—but neither should operate with no controls.

According to the ACFE, organizations that implement controls see fraud losses 54% lower than those without controls. This suggests that even basic control implementations deliver substantial value.

Control Implementation Priority for $5M-$25M

Immediate (Implement Now)
  • Bank reconciliation by someone other than check signers
  • Management review of monthly financial statements
  • Documented approval for expenditures above threshold
  • Background checks for employees handling cash

Short-Term (Implement Within 90 Days)
  • Segregation of cash handling from recording
  • New vendor approval procedures
  • Regular vendor file review
  • Documentation of accounting policies

Medium-Term (Implement Within 12 Months)
  • Formal approval authority matrix
  • Policy documentation and employee acknowledgment
  • Periodic surprise cash counts
  • Independent AR confirmation process

Frequently Asked Questions

What are the most important controls for a small business?

Cash and banking controls are most critical because cash is the most liquid and theft-prone asset. Bank reconciliation by someone other than check signers, management review of statements, and separation of cash handling from recording provide essential protection.

How can we achieve segregation of duties with a small team?

Full segregation may not be possible with a small team, but compensating controls can provide equivalent protection. These include management review of financial reports, independent verification of account balances, supervision of transaction processing, and periodic rotation of duties.

What does segregation of duties actually mean?

It means that different people should perform different parts of any financial transaction. One person approves purchases, another processes payments, another reconciles bank statements. No single person should control all aspects of a transaction from initiation through completion.

How much do internal controls cost to implement?

Costs vary widely based on existing processes and desired controls. Many controls (management review, policy documentation) have minimal direct cost. Others (software automation, additional staff) require investment. The cost of not having controls—fraud losses, errors, audit findings—typically exceeds the cost of implementation.

Getting Started: Practical Implementation Steps

Implementing controls does not require a comprehensive framework overhaul. Start with high-impact, low-complexity controls and build from there.

Step 1: Document Current Practices
Before implementing controls, document what currently happens. Who approves vendor payments? Who reconciles the bank account? Who records transactions? This documentation reveals where risks exist.

Step 2: Identify Critical Gaps
Compare current practices against the essential controls described above. Which gaps present the greatest risk? Address those first.

Step 3: Design Practical Controls
Design controls that fit your organization's size and complexity. The goal is reasonable assurance, not bureaucratic perfection. A simple management review may be more practical than elaborate workflow automation.

Step 4: Implement and Document
Put controls in place and document them in writing. Documentation ensures consistency and provides evidence of control existence for auditors.

Step 5: Train and Reinforce
Ensure all affected employees understand the new controls and why they exist. Training improves compliance and reduces resistance.

Step 6: Monitor and Improve
Regularly evaluate whether controls are functioning effectively. Address control failures promptly and continuously improve your control environment.

By taking a practical, incremental approach to controls, $5M-$25M companies can protect their assets and ensure financial integrity without the extensive control infrastructure that large enterprises require.