Why controls matter even at small scale
Financial controls are not just for large companies. The most common fraud at small companies is a trusted bookkeeper or finance person stealing through payment fraud: a fictitious vendor, an inflated invoice, or a payment redirected to their own account. Basic controls - separation of duties, dual approval for payments over a threshold, regular reconciliation review - either prevent these outright or expose them within a month or two instead of years later.
Controls also catch errors before they compound. A single miscategorized transaction is easy to fix. Months of consistent miscategorization compounds into an error that requires significant cleanup. Controls that include regular review catch these early.
Investors and acquirers expect basic controls. A company without documented controls raises risk flags during diligence. Adding controls during diligence is possible but awkward. Doing it before diligence is much easier and signals operational maturity.
The basic controls every company should have
Separation of duties is the foundation. The person who can create a vendor should not be the person who can approve payment to that vendor. The person who records transactions should not be the one reconciling them. With this separation in place, a single person cannot complete a fraudulent payment alone; they need a second person to either collude or be deceived, which is far harder to sustain.
Dual approval for payments above a threshold. Any payment over, say, $10K requires two approvers, neither of whom is the person who requested it. This is not overhead - it takes minutes - and it catches both errors and potential fraud. Set the threshold based on your typical payment profile: low enough that a payment large enough to matter cannot go out on one signature, high enough that routine payments are not delayed. Watch for payments split just under the threshold to avoid the second approval.
Monthly bank reconciliation by someone other than the person posting transactions. The reconciler catches errors in posting. The poster cannot hide errors by also reconciling. This is a basic double check that many small companies skip but should not.
Running an audit
A lightweight controls audit takes 4-8 hours and should happen annually at minimum. The steps: list your key financial processes, document the controls for each, test that the controls are actually operating (pull a sample of transactions and check the evidence, such as approval records and reviewer sign-offs, rather than taking the documented control at face value), identify gaps, and remediate.
Key processes to review: cash management (who can move money), payments (vendor and payroll), journal entries (who can post what amounts), access controls (who has access to what systems), and reconciliations (are they happening on cadence).
For each process, document the specific controls. Write them down even if simple. "Payments over $10K require a second approver" is a control. Record who the approvers are and where the evidence of approval lives. Without written documentation, you cannot test whether the control is actually happening or whether exceptions have quietly become routine.
Common gaps to look for
Too many people with full accounting system admin access. Often companies start with one or two finance people having admin access, then grow and never downgrade access for people who moved to other roles. Quarterly access reviews, comparing each account's system role against the person's current job, catch this.
Payment processes that rely on a single person. If one person can create a vendor, post the bill, approve payment, and execute the payment, that person can pay a fictitious vendor end to end with nobody else involved. This is the single biggest fraud risk in most small companies.
Reconciliations performed but not reviewed. The bookkeeper reconciles, produces a report, and files it. Nobody reviews. Mistakes or fraud in the reconciliation are never caught. A senior person (controller or founder) other than the preparer should initial each reviewed reconciliation, so the review leaves evidence that it occurred and the audit can test for it.
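The control tests in the audit steps above, and the three common gaps just listed, can be run mechanically over exports from the accounting system. The script below is an added example, not part of the original article or any accounting product: it checks user permission assignments for toxic separation-of-duties combinations, payments for missing dual approval or self-approval, and reconciliations for a missing or self-performed review. The permission names, the $10K threshold, the data classes and all sample records are assumptions constructed for illustration; a real system exports different field names.

```python
"""Automated tests for basic financial controls over constructed sample data."""
from dataclasses import dataclass
from typing import Optional

# Assumed threshold; set it from your own payment profile.
DUAL_APPROVAL_THRESHOLD = 10_000

# Assumed permission names. Any one person holding a whole set can complete
# the listed fraud pattern alone (vendor + approval, post + reconcile, or the
# full create-bill-approve-pay chain).
TOXIC_COMBINATIONS = (
    frozenset({"vendor.create", "payment.approve"}),
    frozenset({"transaction.post", "bank.reconcile"}),
    frozenset({"vendor.create", "bill.post", "payment.approve", "payment.execute"}),
)


@dataclass
class Payment:
    payment_id: str
    amount: float
    requester: str
    approvers: tuple = ()


@dataclass
class Reconciliation:
    period: str
    preparer: str
    reviewer: Optional[str] = None  # None means nobody signed off


def sod_violations(permissions):
    """Return (user, toxic_set) for every user holding an entire toxic combination."""
    hits = []
    for user, perms in sorted(permissions.items()):
        for combo in TOXIC_COMBINATIONS:
            if combo <= perms:
                hits.append((user, combo))
    return hits


def dual_approval_exceptions(payments, threshold=DUAL_APPROVAL_THRESHOLD):
    """Flag self-approval at any amount, and too few distinct approvers.

    Payments above the threshold need two approvers, others need one; the
    requester never counts as an approver.
    """
    exceptions = []
    for p in payments:
        approvers = set(p.approvers)
        if p.requester in approvers:
            exceptions.append((p.payment_id, "self-approval"))
            continue
        required = 2 if p.amount > threshold else 1
        if len(approvers) < required:
            exceptions.append((p.payment_id, f"{len(approvers)} of {required} approvals"))
    return exceptions


def unreviewed_reconciliations(recs):
    """Flag reconciliations with no reviewer or reviewed by their own preparer."""
    out = []
    for r in recs:
        if r.reviewer is None:
            out.append((r.period, "no reviewer"))
        elif r.reviewer == r.preparer:
            out.append((r.period, "reviewed by preparer"))
    return out


# Constructed sample data, shaped like a permissions export, a payments
# ledger and a reconciliation log. Every name and figure is made up.
SAMPLE_PERMISSIONS = {
    "alice": {"vendor.create", "bill.post", "payment.approve", "payment.execute"},
    "bob": {"transaction.post", "bank.reconcile"},
    "carol": {"payment.approve"},
    "dave": {"payment.execute"},
}
SAMPLE_PAYMENTS = [
    Payment("P-1", 4_500, "alice", ("carol",)),          # under threshold, one approver: ok
    Payment("P-2", 25_000, "alice", ("carol",)),         # over threshold, one approver
    Payment("P-3", 25_000, "alice", ("carol", "dave")),  # over threshold, two approvers: ok
    Payment("P-4", 800, "alice", ("alice",)),            # requester approved their own payment
    Payment("P-5", 12_000, "bob", ()),                   # no approval at all
]
SAMPLE_RECONCILIATIONS = [
    Reconciliation("2024-01", "bob", "carol"),
    Reconciliation("2024-02", "bob", None),
    Reconciliation("2024-03", "bob", "bob"),
]


def run_audit(permissions, payments, recs):
    """Run all three tests and return the findings as one report dict."""
    return {
        "sod": sod_violations(permissions),
        "dual_approval": dual_approval_exceptions(payments),
        "reconciliation_review": unreviewed_reconciliations(recs),
    }


if __name__ == "__main__":
    report = run_audit(SAMPLE_PERMISSIONS, SAMPLE_PAYMENTS, SAMPLE_RECONCILIATIONS)
    for control, findings in report.items():
        print(control, *findings or ["no exceptions"], sep="\n  ")
```

Running it on the sample data reports alice as able to create and approve vendors (and to run the whole payment chain), bob as both posting and reconciling, three payment exceptions, and two reconciliations without an independent review. Each finding maps to a gap named above; an empty list under a control is the evidence that the control operated for the sample tested.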