Your business may need internal controls. Internal controls are the policies and procedures a business takes to safeguard its assets.

A key to running a profitable business is to make sure that the assets, especially cash, are protected. Assets are the lifeblood of any business large or small. They represent the items owned by the business that lead to the production of income. If they are left unprotected, then the profitability of the business is limited or in jeopardy. 

Why Your Business Needs Internal Controls

In a solely owned business with just the business owner involved, asset protection is usually straight forward as the owner normally monitors and is responsible for all business activities. It is rare for a sole owner to steal from themselves. 

The issue of control becomes more important when one or more people, beyond the owner, are involved in any aspect of the business. This could be an employee or even a family member.


Fraud is a situation where an individual, other than the owner, attempts to divert assets from the business for their personal use. The most common example would be moving cash from the business to themselves or their personal bank account. 

Another example would be an employee ordering inventory or supplies on behalf of the business but having them shipped elsewhere for their benefit. The motivation for the employee to do this normally revolves around having money problems or having a grudge against the business owner. 

If the motivation exists and an opportunity presents itself because the business has not protected itself, then fraud can occur. The solution is to establish internal control.

Internal Control

Moreover, internal control is simply the policies and procedures a business takes to safeguard its assets. Related to that would be ensuring that all laws and regulations are followed and maintaining operating efficiency, but protecting assets is the primary focus. Internal control is always the responsibility of the owner or management and generally covers the following:

  • Establishing a culture that discourages anything other than normal and ethical behavior
  • Assessing and identifying the risk that fraud can occur within the structure of the business 
  • Designing, documenting, and implementing procedures to reduce those risks 
  • Monitoring the procedures on a timely and regular basis to ensure compliance and effectiveness

Implementing internal controls begin with responsibility. Only one employee should be responsible for a task. Related to this is the segregation of duties. The most obvious examples of this would be that the person writing checks or otherwise making disbursements should not approve the transactions or reconcile the bank account.

Likewise, the person making purchases should not be the person approving them or the one responsible for receiving the goods. If these duties are all in the hands of one person, the opportunity for fraud exists. Similarly, the person maintaining the books should not be the person responsible for having the physical custody of business assets.

Documentation is also important in maintaining internal controls. This doesn’t mean having the procedures written down, although that is very important. It means that all transactions are supported by appropriate documents (original receipts, invoices, purchase orders, etc.) and that those documents are also subject to control and have an agreed-upon flow through the business. 

For example, pre-numbered invoices or purchase orders that are recorded in ledgers and journals (either manually or digitally) and accounted for periodically will help reduce the opportunity for fraud.

Physically controlling assets is also important. Examples would be:

  • Keeping excess cash in a safe place such as cash box or safe or making timely bank deposits
  • Warehouse security, including alarms and monitors
  • Passwords for computer-stored data and accounting records
  • Electronic tracking of inventory, especially in retail businesses
  • Timekeeping systems to control inappropriate time reporting

In a larger company with several layers of management, certain managers can be designated to independently monitor compliance with these procedures. Many such companies use internal auditors or implement specific employee procedures such as job rotation or background checks.

Reasonable Assurance

A company should always balance the cost of designing and implementing a system of internal controls with the expected benefits. The size and type of business should always be considered as should the inconvenience to employees and customers from controls that are overly burdensome. It isn’t good practice to monitor every transaction an employee executes or to check every customer as they leave the store.  

Final Thoughts on Small Business Internal Controls

Internal control is not a major issue for a sole owner running a business by themselves. Common sense and reasonable precautions are the rule. 

For example, having a professional accountant reconcile the bank account and prepare a monthly financial statement would be helpful. However, as the business expands, even if it is with a family member, the owner must begin to think about potential risks of fraud and put minimum controls into place. Large companies with significant assets should be diligent in establishing these controls.
While the assessment, design and implementation of internal control is always the responsibility of the owner or management, an outside consultant, such as a Certified Public Accountant who is not retained to audit, review or compile the financial statements of the company can provide guidance and advice on the types of controls that could be helpful to the business.