Implementing internal controls in a small business environment

Today’s article builds up from last week’s where we talked about the 6 set of internal controls that can be adopted by a small business to enhance its operations. In this article, we shall therefore try to understand what internal controls mean in general terms and how they can be applied in a small business environment. Wikipedia defines internal controls as the process for assuring achievement of an organization’s objectives in operational effectiveness and efficiency, reliable financial reporting and compliance with laws, regulations and policies. Now that we’ve got the meaning, let’s break it down further into 5 components for ease of understanding and application.

Control environment – this refers to the culture, the practice, the tone and the attitude of the business owner towards internal controls. Your employees observe and learn a lot from you and you should therefore lead from the front. Set the tone of how you want things done, provide guidelines and constantly communicate your values and expectations.

It is so critical that you get this right regardless of whether you have 1, 2 or 50 employees as this component forms the stepping stone for all the others. For example, you might have designed a very robust set of internal controls but if you don’t instill the culture of making sure that they are implemented as designed, then you are running a futile race.

Risk assessment – in very simple terms, this refers to the process of evaluating both the internal and external factors that could result into the crystallization of risk for your business. There can be many sources of risk which include but not limited to processes, people, systems, laws and regulations. A good indicator of risk is ‘Change’. Anytime a change happens in your business, a new source of risk is introduced. This should be assessed to determine the level of risk exposure and proactively mitigate it. For example, a new staff, a new system, a new product line, service line etc introduces new exposures to risk.

Control activities– once you have identified your sources of risk in step 2 above, then you are ready to put in place activities or procedures that will safeguard your business from crystallization of the identified risks. For example; for new staff, the control activity will include performing background checks before bringing them on board. You want to make sure that they have a good track record and that they are of good integrity. For a new product line, the methods of operation might be different from the existing products e.g. production, distribution etc and if that is the case, this will come with new risks that need to be assessed, evaluated and appropriate mitigations and processes put in place. Other control activities will include all of the principles mentioned in the previous article.

Information and communication – this component is very closely related to the first one on control environment. What this basically means is that you introduce and avail communication channels for disseminating information relating to your control culture and control activities to all staff within your business. Sometimes you will find that the owner of a small business has all these ideologies and controls in his head but the same has not been communicated or cascaded down to the staff. Your staff may therefore be blundering not because they want to, but because you have not clearly communicated and trained them on the key internal control objectives and the procedures, means and ways to achieve them.

Communication can be informal but try as much as possible to have your procedures documented somewhere. If your business is very small, you do not need to have a complicated policy and procedures document. A 2 page or 3 page document should do. Additionally, make it a habit to constantly communicate your values and objectives on a regular basis e.g. during weekly meetings, onboarding of new staff etc.

Monitoring – even in a small business, monitoring should be done on a continuous basis and this can take many forms. If your business is very small, you can handle this by yourself. However, if it is slightly bigger, you can hire an independent internal auditor who can come at agreed intervals say every 3 months or 6 months to supplement what you are already doing as the business owner. Their key mandate will be to give you assurance on the effectiveness of the controls in safeguarding your assets, ensuring financial reliability and business efficiency. If you are much bigger or your business involves complex or big volumes, then you can consider hiring a full time auditor if your finances allow it. Decide on your best option but make sure that someone is keeping watch.

Quick internal control fixes for small and medium businesses


Small and medium businesses more often than not experience frequent cases of frauds and errors more than their counterparts, the large Corporations. This is often because of resource limitation (hence no dedicated resource to oversee risk management issues), lack of well-defined responsibilities and a general lack of understanding or awareness of loopholes that can be exploited. Several small and medium businesses also do not have policy and procedure documents that help in understanding the what, how, when, who etc…and thus there can tend to be a lot of ambiguity.

As the owner or CEO of a small or medium business, there are 6 principles that can act as your quick fix to an improved control environment for your business. Here goes…

Segregation of duties – Under this principle, no one person should be in control of a full process end to end. This is key in ensuring that an employee does not exploit his/her mandate or existing loopholes in the business processes. For small businesses, this might be hard to achieve but should be observed whenever possible.

Maker Checker principle (Also known as 4 Eyes principle) –This basically requires that for every transaction made, there is a second person confirming or authorizing the transaction and can be a key control in detecting errors. This principle is closely related to segregation of duties as observing the tenets of the principle ideally means that no one person will be in charge of a process end to end.

Reconciliation – this entails reviewing and comparing two sources of documents to ensure accuracy and completeness of the financial records. For example, at the end of the day, a cashier should reconcile the invoices/receipts with the physical cash at hand. On a monthly basis, the accountant should compare the cash records with the bank statements.

Access controls – this involves employing restriction measures in the system as well as physical control where applicable. For example, you can use passwords to restrict access of sensitive records to ensure they are not tampered with. This can be achieved even if you are using a simplistic system such as excel.

Surprise checks – As the owner, it is wise to form a habit of doing regular surprise reviews of records and assets of your business. This will send a message to your employees that they are being watched and may act as a deterrence to fraud/theft. You should however ensure that the surprise checks do not form any particular pattern eg do not always carry out your surprise checks on Friday mornings. Try and stager the days and timings.

Establishing a responsibility matrix – this entails assigning specific roles to each of your employees. This eradicates ambiguity, blame game and inefficiencies. Each of your employees can therefore be held accountable if something goes wrong in their assigned areas.

Internal Controls for Small and Medium Enterprises (SMEs)

Why are internal controls important?

This might sound like an obvious question with an obvious answer to the risk and governance expert but a candid issue that many startups and existing small and medium sized companies alike grapple with. Sometimes the real hurdle is that a company or business owner does not know where to start, what really is required, what to prioritize and the implication on the bottom line of their company.

As an SME, you may be grappling with and wondering if you are;

  • Complying with regulatory requirements.
  • Having loopholes that are being exploited thus leading to fraud.
  • Having unproductive business processes that could be deterring you from achieving your strategic objectives.
  • Accounting for and reporting for all of your income streams and expenses.

A robust set of internal controls will therefore go a long way in ensuring that your above needs are being met, your company’s resources are well safeguarded, you are complying with regulatory requirements and inherent risks are adequately mitigated. Not only that, but you will also manage to free up your time to concentrate on your key objectives and your company will experience improved operational efficiency that will ultimately do good your bottom line.

What next?

Setting up and retaining an internal audit function can however be very costly for many business owners and company CEOs who often find themselves in a tight position having to design and implement controls through trial and error. However, don’t stress!! There are limitless options out there that you can explore for added value without seriously denting your pocket. You can reach out to an independent consultant or a firm that will offer services that meet your needs. These may include any of the following: designing a set of internal controls for your key processes (policy and procedures), reviewing the existing internal controls to give assurance on their robustness, co-sourcing the internal audit function whereby your consultant will step up to give specialized services in key areas to supplement your existing audit unit. You can also fully outsource the internal audit function to a consultant who will deal with all of your worries. And trust me, you will find a consultant that meets your budget!

Finally, I hope this article sheds some light to a business owner or CEO for an SME out there on how to handle their internal controls situation. Step up and advance your business and all the best at it!!

Yours sincerely,


The Birth!

Today marks the birth of SMALL Steps and I am super super thrilled!

SMALL Steps is an online blog founded on the premise of the famous Chinese proverb, The Journey of a thousand miles begins with a single step! SMALL steps will therefore be a platform for learning and sharing business insights with and from startups, small and medium enterprises and entrepreneurs in general to help unlock the business potential for our communities, to pursue excellence and more importantly, to continue making small simple steps wherever we are to push us closer to our goals and dreams.

SMALL steps is also for you, who is yet to take that very important and hard STEP that stands between you and your dreams. Look beneath your feet, your dreams start right there! And of course, keep it locked here!

SMALL steps is also most definitely for me. I am yet to unlock my full potential. Every time I log onto this platform I will be reminded of my goals, my dreams and be encouraged that as long as we keep taking some steps towards our goals and our dreams, one day we will get there, we will count for something and most importantly, we will leave this place a little better than we found it.

Welcome aboard folks, and see you here!

Yours truly,