
Internal Controls: Protecting Your Business from Fraud and Errors

Implement basic internal controls to prevent employee theft, accounting errors, and financial mismanagement in your small business.

Josh Caruso
September 23, 2025

Why Small Businesses Are the Biggest Targets

According to the Association of Certified Fraud Examiners, small businesses suffer disproportionately from fraud. The median loss for businesses with fewer than 100 employees is significantly higher than for larger organizations — not because the frauds are bigger, but because small businesses have fewer controls in place to detect them.

The most common small business fraud schemes: billing fraud (fake vendors), check tampering, expense reimbursement abuse, skimming cash, and payroll manipulation. The perpetrator is almost always a trusted employee. That is the uncomfortable reality.

Internal controls are the systems and procedures that protect you. They are not about distrust — they are about removing temptation and catching honest mistakes before they become expensive problems.

The Core Principles

Separation of Duties

No single person should control an entire financial process from start to finish. The person who writes checks should not be the person who reconciles the bank statement. The person who creates vendor accounts should not be the person who approves payments.

In a small business, perfect separation is not always possible. When you have three employees, someone wears multiple hats. But you can still implement partial separation:

  • Owner reviews and signs checks (or approves electronic payments) over a certain threshold
  • Different people open mail and record deposits
  • Bank reconciliation is reviewed by someone other than the bookkeeper

Authorization Limits

Set clear thresholds for spending authority:

  • Under $500: Manager can approve
  • $500 to $5,000: Owner approval required
  • Over $5,000: Owner approval plus second review

Document these limits. Make sure every employee knows them. Any purchase outside these limits without proper approval is a policy violation.

Physical Controls

Protect physical assets and access:

  • Lock the checkbook in a safe or locked drawer
  • Limit access to accounting software with individual user credentials
  • Secure inventory with locks and access logs
  • Shred financial documents before discarding

Reconciliation and Review

Regular review catches problems early:

  • Bank reconciliation: Monthly, at minimum. Done by someone other than the person entering transactions.
  • Credit card statements: Review every transaction monthly. Look for unfamiliar vendors or unusual amounts.
  • Vendor master file: Review quarterly. Look for duplicate vendors, vendors with P.O. Box addresses only, or vendors with names similar to employees.
  • Payroll review: Owner should review every payroll before it processes. Look for ghost employees, unauthorized overtime, or rate changes.
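
The quarterly vendor master file review above can be run as a script over an export from the accounting software. The following Python is an added example, not part of the original article; the vendor and employee records, the field names, and the 0.85 similarity threshold are constructed assumptions.

```python
import re
from difflib import SequenceMatcher
from itertools import combinations

# Constructed sample records (assumed export format: id, name, address).
VENDORS = [
    {"id": "V001", "name": "Acme Office Supply", "address": "120 Main St, Springfield"},
    {"id": "V002", "name": "ACME Office Supply Inc.", "address": "120 Main Street, Springfield"},
    {"id": "V003", "name": "Lakeview Consulting", "address": "P.O. Box 4471, Springfield"},
    {"id": "V004", "name": "Northside Plumbing", "address": "88 Dock Rd, PO Box 12, Shelby"},
    {"id": "V005", "name": "Dana Whitfield LLC", "address": "9 Elm Ct, Springfield"},
]
EMPLOYEES = ["Dana Whitfield", "Jordan Rivera", "Sam Okafor"]

SUFFIXES = {"inc", "llc", "ltd", "co", "corp", "company"}
# Anchored at the start: flags addresses that are a P.O. Box only,
# not a street address that also lists a box.
PO_BOX = re.compile(r"^\s*p\.?\s*o\.?\s*box\b", re.IGNORECASE)

def normalize(name):
    """Lowercase, drop punctuation and legal suffixes so near-duplicates compare equal."""
    words = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(w for w in words if w not in SUFFIXES)

def similar(a, b, threshold=0.85):
    a, b = normalize(a), normalize(b)
    return bool(a and b) and SequenceMatcher(None, a, b).ratio() >= threshold

def review_vendor_file(vendors, employees):
    """Return (finding_type, vendor_id, detail) tuples for manual follow-up."""
    findings = []
    for a, b in combinations(vendors, 2):
        if similar(a["name"], b["name"]):
            findings.append(("duplicate", a["id"], b["id"]))
    for v in vendors:
        if PO_BOX.match(v["address"]):
            findings.append(("po_box_only", v["id"], v["address"]))
        for e in employees:
            if similar(v["name"], e):
                findings.append(("employee_name", v["id"], e))
    return findings
```

Each finding is a prompt for the reviewer to pull the vendor's setup paperwork and payment history, not proof of fraud; the person running the review should not be the person who creates vendors.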

Specific Controls to Implement

Accounts Payable Controls

  • Require purchase orders for all purchases above a threshold
  • Implement three-way matching (PO, receipt, invoice) before paying
  • Do not allow the same person to create vendors and approve payments
  • Review the vendor list quarterly for anomalies
  • Require two signatures on checks above a threshold (or dual approval for electronic payments)

Cash Handling Controls

  • Never let one person handle cash from receipt to deposit
  • Count cash with a witness and document amounts
  • Deposit cash daily
  • Compare point-of-sale records to actual deposits
  • Use numbered receipts

Payroll Controls

  • Owner reviews and approves all payroll before processing
  • Audit timesheets regularly, especially for overtime
  • Verify any new employee additions or pay rate changes
  • Separate the person who enters timesheets from the person who processes payroll

Expense Reimbursement Controls

  • Require original receipts for all reimbursements
  • Set per diem limits for meals and travel
  • Require manager approval for all expense reports
  • Audit expense reports randomly — look for split transactions (keeping individual charges below the receipt threshold)

Technology Controls

  • Individual logins for accounting software — no shared passwords
  • Role-based access (bookkeeper sees different things than the owner)
  • Automatic audit trails (most modern software has this built in)
  • Regular password changes
  • Two-factor authentication on financial accounts

Warning Signs of Fraud

Watch for these red flags:

  • An employee who never takes vacation (they cannot risk someone else discovering irregularities)
  • Unexplained lifestyle changes (new car, expensive vacations on a modest salary)
  • Vendor complaints about unpaid invoices that your records show as paid
  • Increasing costs without clear explanation
  • Missing documents or gaps in sequential numbering
  • Defensive or controlling behavior around financial records
  • Bank reconciliation that is always "almost done" but never completed

What to Do If You Suspect Fraud

  1. Do not confront the employee. This gives them time to destroy evidence.
  2. Secure evidence. Make copies of relevant financial records.
  3. Contact your accountant. They can help assess the scope.
  4. Consult an attorney. Understand your legal options before acting.
  5. Consider a forensic accountant. For significant amounts, a specialist can trace the full extent of the fraud.
  6. File a police report. Fraud is a crime.
  7. Review your insurance. If you have crime or fidelity coverage, file a claim.

The Cost of No Controls

Small business owners often say "I trust my people." Trust is good. Controls are better. The cost of implementing basic controls is minimal — a few hours of setup and a few minutes of daily oversight. The cost of not having them can be catastrophic. Median fraud losses for small businesses run into the tens of thousands, and some cases run into hundreds of thousands.

The Bottom Line

Internal controls are not bureaucracy. They are protection. For you, for your business, and honestly, for your employees too. Good controls remove temptation and create accountability. Implement the basics, review them regularly, and take warning signs seriously.
