Internal controls are the policies, procedures, and checks a business puts in place to protect its assets, keep its financial records accurate, and prevent fraud and error. The most common examples are segregation of duties, authorization and approval limits, physical safeguards over assets and cash, independent bank reconciliations, and documented record-keeping. Together, they reduce the opportunity for theft and catch mistakes before they become losses.
As a forensic accountant, I am usually called in after a control has failed — after the bookkeeper has been paying a fake vendor for two years, or the office manager has been signing checks to herself. Almost every one of those losses traces back to a missing or ignored internal control. The good news for a small-business owner is that a handful of straightforward controls stops the large majority of these schemes.
What Are Internal Controls?
An internal control is any deliberate step a business takes to make sure money and assets are handled the way the owner intends — not lost, stolen, or misrecorded. Some controls prevent a problem (requiring two signatures on large checks); others detect one that already happened (an independent bank reconciliation that catches a payment to an unknown payee).
Small businesses are the most vulnerable to fraud, and it is not close. Fewer employees means one person often handles the money from start to finish. Long-tenured, trusted staff get less oversight, not more. And owners are busy running the business, so the books run on trust. That combination — concentration of duties, high trust, and thin oversight — is exactly the environment in which internal fraud grows. Controls are how you keep the trust without betting the business on it.
The Five Components of Internal Control (COSO)
The widely used COSO framework breaks internal control into five components. In plain English:
- Control environment — the tone set at the top. Does the owner take honesty and accountability seriously, or look the other way?
- Risk assessment — identifying where the business is exposed (cash handling, payroll, vendor payments) so controls go where the money is.
- Control activities — the actual procedures: approvals, segregation of duties, reconciliations, physical safeguards. This is where most of the examples below live.
- Information and communication — making sure the right people get accurate, timely financial information and know how to flag a concern.
- Monitoring — checking, on an ongoing basis, that the controls are actually being followed, and fixing them when they are not.
A control activity only protects you if the environment, communication, and monitoring around it are real. A two-signature rule means nothing if the second signer rubber-stamps every check.
10 Examples of Internal Controls Every Small Business Needs
This is the heart of it. Each control below pairs with the specific scheme it shuts down.
- Segregation of duties. Split the three jobs that should never sit with one person: authorizing a transaction, holding the asset (cash, checkbook, inventory), and recording it in the books. When one person controls all three, they can both commit and conceal theft. Separating even two of the three breaks most schemes.
- Authorization and approval limits. Require sign-off above set dollar thresholds — new vendors, refunds, write-offs, and large payments. This stops an employee from quietly approving their own questionable spending.
- Independent bank reconciliations. Someone who does not write checks or enter transactions prepares the monthly bank reconciliation and looks at the actual cleared check images. This is the single most powerful detective control for a small business; it catches unfamiliar payees and altered checks.
- Physical safeguards. Locks, restricted access, security cameras over registers, access logs, and periodic surprise counts of cash and inventory. If anyone can reach the asset, controls on paper will not protect it.
- Mandatory vacations and job rotation. Many embezzlement schemes require constant maintenance — the thief has to keep “feeding” the fraud. Requiring a week away, and having someone else cover the role, is how those schemes surface.
- Dual control over cash and check signing. Two people present when cash is counted or deposited, and a second signature (or a second approval in the banking platform) on checks and wires above a threshold.
- Documented policies and record retention. Written procedures for who can do what, plus a policy for keeping invoices, contracts, and bank records. When records go missing, that absence is itself a red flag — and it is what makes a later investigation possible.
- Vendor master-file controls. Restrict who can add or change a vendor, require supporting documentation for a new payee, and periodically compare the vendor list to employee addresses and bank details. Fake-vendor (shell-company) schemes are among the costliest frauds, and they start with an unguarded vendor file.
- Payroll controls. Separate the person who adds employees from the person who runs payroll, and confirm that every name on the payroll is a real, active worker. “Ghost employee” schemes pay wages to people who do not exist or no longer work there.
- Periodic independent oversight. Have an outside professional analyze the books and the controls on a regular cadence. Employees who know an independent set of eyes will look are far less likely to test the system.
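The vendor master-file and payroll items above both come down to a cross-check that a small business can run on a schedule. The script below is an added example, not code from the original article or the author's practice: it compares a vendor list against employee records for shared bank accounts or mailing addresses (the shell-vendor signal) and compares a payroll run against the active-employee roster (the ghost-employee signal). All records and field names are constructed for the example and assume nothing about any particular accounting package's export format.

```python
"""Vendor master-file and payroll cross-checks (added example, constructed data)."""
import re

# --- constructed sample records; field names are assumptions, not a real schema ---
EMPLOYEES = [
    {"id": "E100", "name": "Alice Example", "address": "12 Maple Street, Apt 3",
     "bank_account": "1234-5678", "status": "active"},
    {"id": "E101", "name": "Bob Example", "address": "9 Oak Ave",
     "bank_account": "2222 3333", "status": "terminated"},
    {"id": "E102", "name": "Cara Example", "address": "45 Pine Rd",
     "bank_account": "9999", "status": "active"},
]
VENDORS = [
    {"id": "V1", "name": "Acme Supplies", "address": "100 Industrial Way", "bank_account": "5555"},
    {"id": "V2", "name": "Sunrise Consulting LLC", "address": "12 Maple St. #3", "bank_account": "8888"},
    {"id": "V3", "name": "Quickfix Services", "address": "77 Elm St", "bank_account": "12345678"},
]
PAYROLL_RUN = [
    {"employee_id": "E100", "amount": 2500.00},
    {"employee_id": "E101", "amount": 1900.00},   # terminated employee still being paid
    {"employee_id": "E102", "amount": 2100.00},
]

def normalize_address(addr: str) -> str:
    """Canonicalize an address so formatting differences do not hide a match."""
    a = addr.lower().replace("#", " apt ")          # "#3" and "Apt 3" should compare equal
    a = re.sub(r"[.,]", " ", a)
    abbrev = {"street": "st", "avenue": "ave", "suite": "ste",
              "apartment": "apt", "road": "rd"}
    return " ".join(abbrev.get(tok, tok) for tok in a.split())

def normalize_account(acct: str) -> str:
    """Keep only the digits of a bank account number (drops dashes and spaces)."""
    return re.sub(r"\D", "", acct)

def vendor_employee_matches(vendors, employees):
    """Return (vendor_id, employee_id, reason) for every vendor that shares a
    bank account or mailing address with an employee."""
    by_account, by_address = {}, {}
    for e in employees:
        by_account.setdefault(normalize_account(e["bank_account"]), []).append(e["id"])
        by_address.setdefault(normalize_address(e["address"]), []).append(e["id"])
    findings = []
    for v in vendors:
        for emp_id in by_account.get(normalize_account(v["bank_account"]), []):
            findings.append((v["id"], emp_id, "same bank account"))
        for emp_id in by_address.get(normalize_address(v["address"]), []):
            findings.append((v["id"], emp_id, "same address"))
    return findings

def ghost_employee_candidates(payroll_run, employees):
    """Return payroll employee ids with no active record in the HR roster."""
    active = {e["id"] for e in employees if e["status"] == "active"}
    return sorted({p["employee_id"] for p in payroll_run if p["employee_id"] not in active})

if __name__ == "__main__":
    for vendor_id, emp_id, reason in vendor_employee_matches(VENDORS, EMPLOYEES):
        print(f"review vendor {vendor_id}: {reason} as employee {emp_id}")
    for emp_id in ghost_employee_candidates(PAYROLL_RUN, EMPLOYEES):
        print(f"review payroll: {emp_id} paid but not an active employee")
```

Each hit is a lead for the owner to look at, not a verdict; a legitimate side business run from an employee's home address would match too. The point of normalizing first is that a vendor file entered as "12 Maple St. #3" must be caught against an HR record that reads "12 Maple Street, Apt 3", and an account number typed with dashes must match one typed without them.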
Preventive vs. Detective vs. Corrective Controls
Controls fall into three roles. A healthy small business uses all three, because no single layer is enough.
| Type | What it does | Examples |
|---|---|---|
| Preventive | Stops a problem before it happens | Segregation of duties, approval limits, locked access, vendor-setup approval |
| Detective | Surfaces a problem that already occurred | Independent bank reconciliation, surprise cash/inventory counts, exception reports |
| Corrective | Fixes the problem and closes the gap | Recovering funds, disciplining staff, redesigning the failed control |
Owners tend to over-invest in prevention and skip detection. But detective controls are what limit the size of a loss — the faster you catch it, the less it costs.
The Internal Controls That Specifically Stop Fraud
Occupational fraud rests on three legs, often called the fraud triangle: pressure (a financial need or motive), opportunity (a way to do it and not get caught), and rationalization (the story the person tells themselves). An owner cannot control an employee’s debts or how they justify their choices. Opportunity is the only leg you control — and internal controls are how you remove it.
That is why segregation of duties, independent reconciliations, and vendor/payroll controls matter so much: each one closes a specific opportunity. Remove the opportunity and most fraud never starts, because the person who might have rationalized it can no longer find a clean way to do it.
Strong Controls With Limited Staff
The most common objection I hear is, “I only have three people — I can’t separate every duty.” That is fair, and it is where compensating controls come in. When you cannot fully segregate duties, the owner steps into the control:
- Have the bank statements and the merchant-processing reports sent directly to the owner, and look at the cleared-check images each month before anyone else touches them.
- Approve new vendors and new employees personally — a 30-second sign-off that closes the two costliest scheme types.
- Run occasional surprise counts of cash and inventory yourself.
- Watch the bank feed weekly rather than monthly; small, frequent attention beats a once-a-year deep dive.
None of this requires hiring. It requires the owner to own a few specific control points and stay consistent.
How a Forensic CPA Tests and Strengthens Your Controls
When I assess a small business’s internal controls, I map who can authorize, who holds the assets, and who records the transactions — then I look for the spots where one person controls too much of that chain. I analyze vendor and payroll files for the patterns that signal shell companies and ghost employees, and I evaluate whether the detective controls would actually catch a problem or just look good on paper. The deliverable is a short, prioritized list of the few changes that remove the most risk for the least disruption.
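The mapping described here, and the segregation-of-duties rule from the list above, can be written down as a check over an access map: for each process, who can authorize, who has custody of the asset, and who records the transaction, then flag anyone holding two or more of the three in the same process. The script below is an added illustration, not the author's own tool or method; the roles, processes and access map are constructed sample data, and the severity labels are my own convention.

```python
"""Segregation-of-duties conflict check over an access map (added example, constructed data)."""

AUTHORIZE, CUSTODY, RECORD = "authorize", "custody", "record"
DUTIES = (AUTHORIZE, CUSTODY, RECORD)

# Constructed access map: process -> duty -> people who can perform it.
ACCESS_MAP = {
    "vendor payments": {
        AUTHORIZE: {"owner", "office_manager"},
        CUSTODY:   {"office_manager"},       # holds the checkbook and bank login
        RECORD:    {"office_manager"},       # enters bills and payments
    },
    "payroll": {
        AUTHORIZE: {"owner"},
        CUSTODY:   {"payroll_clerk"},        # releases the pay run
        RECORD:    {"payroll_clerk"},        # maintains the employee master
    },
    "cash receipts": {
        AUTHORIZE: {"owner"},
        CUSTODY:   {"cashier"},
        RECORD:    {"bookkeeper"},
    },
}

def sod_conflicts(access_map):
    """Return (process, person, duties_held) for everyone holding two or more
    of authorize/custody/record within one process."""
    conflicts = []
    for process, duties in access_map.items():
        people = set().union(*duties.values())
        for person in sorted(people):
            held = tuple(d for d in DUTIES if person in duties[d])
            if len(held) >= 2:
                conflicts.append((process, person, held))
    return conflicts

def severity(duties_held):
    """All three duties means the person can both commit and conceal;
    two duties is still a gap, but separating even two of three breaks most schemes."""
    return "critical" if len(duties_held) == 3 else "high"

def reassignment_candidates(access_map, process):
    """People who hold no duty at all in `process` and could take one over
    to break the conflict (the owner is a common choice in a small shop)."""
    everyone = set().union(*(set().union(*d.values()) for d in access_map.values()))
    involved = set().union(*access_map[process].values())
    return sorted(everyone - involved)

def prioritized_findings(access_map):
    """Conflicts ordered worst-first, each with who could absorb a duty."""
    rows = [(severity(held), process, person, held, reassignment_candidates(access_map, process))
            for process, person, held in sod_conflicts(access_map)]
    return sorted(rows, key=lambda r: (r[0] != "critical", r[1]))

if __name__ == "__main__":
    for sev, process, person, held, candidates in prioritized_findings(ACCESS_MAP):
        print(f"[{sev}] {process}: {person} holds {'+'.join(held)}; "
              f"could hand one duty to: {', '.join(candidates) or 'nobody uninvolved'}")
```

On the constructed map the office manager in vendor payments holds all three duties and is the critical finding; the payroll clerk holds custody and record, which is the classic ghost-employee setup. Cash receipts is clean because authorize, custody and record sit with three different people. The access map itself is the hard part in practice: it has to reflect who actually has the bank login and the master-file edit rights, not who is supposed to.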
If you suspect a control has already failed — money is missing, the numbers do not make sense, or a trusted employee is suddenly defensive about the books — that is forensic work, and it is what my practice does. You can learn more about my forensic accounting services, and business owners across Broward, Miami-Dade, and South Florida are welcome to call my Pembroke Pines office at 954-282-9615.
Key Takeaways
- Internal controls are the policies and checks that protect assets, keep records accurate, and prevent fraud and error.
- The highest-impact examples: segregation of duties, approval limits, independent bank reconciliations, physical safeguards, and vendor/payroll controls.
- The COSO framework’s five components (environment, risk assessment, control activities, information/communication, monitoring) hold the system together.
- Use preventive, detective, and corrective controls together; detective controls limit how big a loss gets.
- Small businesses can compensate for limited staff by having the owner own a few specific control points.
Frequently Asked Questions
What are the most common examples of internal controls?
The most common examples are segregation of duties (no single person authorizes, holds, and records the same transaction), authorization and approval limits, independent bank reconciliations, physical safeguards over cash and inventory, vendor and payroll controls, and documented policies with record retention. Together they protect assets and keep financial records accurate.
What are the 5 components of internal control?
Under the COSO framework, the five components are the control environment (the tone set by ownership), risk assessment (identifying where the business is exposed), control activities (the specific procedures like approvals and reconciliations), information and communication (getting accurate financial information to the right people), and monitoring (checking that controls are actually working).
Which internal controls prevent fraud in a small business?
The controls that prevent the most small-business fraud are segregation of duties, independent bank reconciliations that include looking at cleared-check images, approval requirements for new vendors and employees, dual control over cash and check signing, and mandatory vacations. Each one removes a specific opportunity to both commit and conceal theft.
What is segregation of duties?
Segregation of duties means no single person controls all three parts of a transaction: authorizing it, holding the related asset (cash or the checkbook), and recording it in the books. When one person controls all three, they can steal and hide it at the same time. Separating those roles — even two of the three — is the foundational fraud-prevention control.
Can a business with only a few employees still have good internal controls?
Yes. When you cannot fully separate duties, the owner uses compensating controls: receiving bank statements directly and looking at the cleared-check images, personally approving new vendors and employees, running surprise cash and inventory counts, and monitoring the bank feed weekly. These close the costliest gaps without adding staff.
What is the difference between preventive and detective controls?
Preventive controls stop a problem before it happens (approval limits, segregation of duties, locked access). Detective controls surface a problem that already occurred (independent bank reconciliations, surprise counts, exception reports). A business needs both — preventive controls reduce how often fraud starts, and detective controls limit how large a loss becomes before it is caught.
About the Author
Joey Friedman is a CPA, Accredited in Business Valuation (ABV), and forensic accountant who holds a Master of Accounting and a Master of International Business and is a member of the AICPA and the Association of Certified Fraud Examiners. He also holds a Florida real estate license. Beyond those credentials, he has personally owned and operated more than a dozen of his own businesses across industries including marketing, printing, transportation, restaurants, hospitality and entertainment, and event planning — so he has designed and depended on internal controls from the owner’s side of the desk, and he brings both a forensic accountant’s eye for how controls fail and an operator’s sense of which controls actually hold up in a small business with limited staff.