
Internal Controls: Protecting Your Business from Fraud and Errors

Implement basic internal controls to prevent employee theft, accounting errors, and financial mismanagement in your small business.

Josh Caruso
September 23, 2025

Why Small Businesses Are the Biggest Targets

According to the Association of Certified Fraud Examiners, small businesses suffer disproportionately from fraud. The median loss for businesses with fewer than 100 employees is significantly higher than for larger organizations — not because the frauds are bigger, but because small businesses have fewer controls in place to detect them.

The ACFE's 2024 Report to the Nations found that the median fraud loss for small businesses (under 100 employees) was $150,000 — and the average scheme lasted 12 months before detection. For a business doing $500,000 in annual revenue, a $150,000 loss can be fatal.

The most common small business fraud schemes are billing fraud (fake vendors), check tampering, expense reimbursement abuse, cash skimming, and payroll manipulation. The perpetrator is almost always a trusted employee. That is the uncomfortable reality.

Internal controls are the systems and procedures that protect you. They are not about distrust — they are about removing temptation and catching honest mistakes before they become expensive problems.

The Most Common Fraud Schemes and How They Work

Understanding how fraud happens is the first step to preventing it. Here are the five most common schemes in small businesses:

1. Billing Fraud (Fake Vendors)

How it works: An employee creates a fictitious vendor (often using a P.O. Box or the employee's own address), submits fake invoices, approves the payments, and deposits the checks.

Real example: A bookkeeper at a plumbing company created a vendor called "Metro Supply Co." using her home address. She submitted fake invoices of $800 to $2,500 every two weeks for "materials." Over 18 months, she stole $52,000 before the owner noticed the vendor did not appear in any job cost reports.

Prevention: Require owner approval for new vendors. Cross-reference vendor addresses with employee addresses. Verify that every vendor payment ties to a real purchase order or job.

2. Check Tampering

How it works: An employee who has access to the checkbook writes checks to themselves, alters the payee on legitimate checks, or forges the owner's signature.

Prevention: Lock checks in a safe. Require dual signatures on checks over $1,000. Use positive pay with your bank (the bank verifies each check against a list you provide). Review cleared check images monthly.

3. Expense Reimbursement Abuse

How it works: Employees inflate expenses, submit personal purchases as business expenses, or create fictional expenses.

Common tactics:

  • Submitting the same receipt twice
  • Altering receipt amounts
  • Claiming mileage for trips that did not happen
  • Expensing personal meals as business meals
  • Splitting a $600 purchase into two $300 charges to stay under the receipt threshold

Prevention: Require original receipts, set per diem limits, randomly audit 20% of expense reports each month.

4. Payroll Fraud

How it works: An employee adds ghost employees to the payroll, inflates their own hours, or changes their pay rate without authorization.

Real example: An office manager at a landscaping company added her brother as an employee. He never worked a day. His $800 weekly paycheck was deposited into an account the office manager controlled. The scheme ran for 8 months ($25,600) before a new hire asked who the "employee" was and nobody could answer.

Prevention: Owner approves every payroll run. Verify all new employee additions with a face-to-face meeting. Periodically compare the payroll register to actual employees on the job site.

5. Cash Skimming

How it works: Cash payments from customers are pocketed before being recorded in the books. Since the sale is never entered, the theft is invisible in the accounting records.

Prevention: Use numbered receipts for all cash transactions. Compare POS records to deposits daily. Implement surprise cash counts. Install cameras at the register.

The Core Principles

Separation of Duties

No single person should control an entire financial process from start to finish. The person who writes checks should not be the person who reconciles the bank statement. The person who creates vendor accounts should not be the person who approves payments.

In a small business, perfect separation is not always possible. When you have three employees, someone wears multiple hats. But you can still implement partial separation:

  • Owner reviews and signs checks (or approves electronic payments) over a certain threshold
  • Different people open mail and record deposits
  • Bank reconciliation is reviewed by someone other than the bookkeeper

Separation of Duties by Business Size

| Business Size | Ideal Separation | Minimum Separation |
|---|---|---|
| 1-3 employees | Owner handles bank reconciliation, different person enters transactions | Owner reviews all bank statements and credit card statements monthly |
| 4-10 employees | Different people for AP entry, AP approval, and bank reconciliation | At least two people involved in any payment process |
| 11-25 employees | Dedicated roles for AP, AR, payroll, and reconciliation | No single person controls a financial process end-to-end |
| 25+ employees | Full separation across all financial functions with manager oversight | Formal policies and periodic internal audits |

Authorization Limits

Set clear thresholds for spending authority:

  • Under $500: Manager can approve
  • $500 to $5,000: Owner approval required
  • Over $5,000: Owner approval plus second review

Document these limits. Make sure every employee knows them. Any purchase outside these limits without proper approval is a policy violation.

Physical Controls

Protect physical assets and access:

  • Lock the checkbook in a safe or locked drawer
  • Limit access to accounting software with individual user credentials
  • Secure inventory with locks and access logs
  • Shred financial documents before discarding

Reconciliation and Review

Regular review catches problems early:

  • Bank reconciliation: Monthly, at minimum. Done by someone other than the person entering transactions.
  • Credit card statements: Review every transaction monthly. Look for unfamiliar vendors or unusual amounts.
  • Vendor master file: Review quarterly. Look for duplicate vendors, vendors with P.O. Box addresses only, or vendors with names similar to employees.
  • Payroll review: Owner should review every payroll before it processes. Look for ghost employees, unauthorized overtime, or rate changes.
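As an added example (not code from the original article), the Python script below automates the quarterly vendor master file review described above and the vendor/employee address cross-reference recommended under billing fraud: it flags vendors at an employee's address, P.O. Box-only vendors, vendor names that carry an employee's surname, and near-duplicate vendors. The vendor and employee records are constructed samples, and the 0.85 name-similarity cutoff is an assumed tuning value.

```python
import re
from difflib import SequenceMatcher

# Constructed sample data for illustration; these are not real vendors or employees.
EMPLOYEES = [
    {"name": "Dana Whitfield", "address": "118 Maple Ave, Springfield"},
    {"name": "Luis Ortega", "address": "42 Harbor Rd, Springfield"},
]
VENDORS = [
    {"id": "V001", "name": "Acme Industrial Supply", "address": "900 Commerce Blvd, Springfield"},
    {"id": "V002", "name": "ACME Industrial Supply, Inc.", "address": "900 Commerce Blvd., Springfield"},
    {"id": "V003", "name": "Metro Supply Co.", "address": "118 Maple Ave, Springfield"},
    {"id": "V004", "name": "Whitfield Consulting", "address": "P.O. Box 4471, Springfield"},
    {"id": "V005", "name": "Springfield Electric", "address": "15 Grid St, Springfield"},
]

LEGAL_SUFFIXES = {"co", "company", "inc", "llc", "ltd", "corp"}
PO_BOX = re.compile(r"\b(p\s*o\s*box|post office box)\b")
STREET = re.compile(r"\b\d+\s+\w+.*?\b(st|street|ave|avenue|rd|road|blvd|dr|drive|ln|lane)\b")

def normalize(text):
    """Lowercase, drop punctuation and collapse whitespace so trivial variants compare equal."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", text.lower()).split())

def normalize_name(name):
    """Normalize a vendor name and strip legal suffixes ('Inc.', 'Co.') that hide duplicates."""
    return " ".join(t for t in normalize(name).split() if t not in LEGAL_SUFFIXES)

def is_po_box_only(address):
    """True when the address is a P.O. Box with no street address alongside it."""
    norm = normalize(address)
    return bool(PO_BOX.search(norm)) and not STREET.search(norm)

def review_vendor_file(vendors, employees, dup_threshold=0.85):
    """Return (vendor_id, check, detail) findings for a vendor master file review."""
    findings = []
    for i, vendor in enumerate(vendors):
        v_addr, v_name = normalize(vendor["address"]), normalize_name(vendor["name"])
        if is_po_box_only(vendor["address"]):
            findings.append((vendor["id"], "po_box_only", vendor["address"]))
        for emp in employees:
            surname = normalize(emp["name"]).split()[-1]  # very short surnames need manual triage
            if v_addr == normalize(emp["address"]):
                findings.append((vendor["id"], "address_matches_employee", emp["name"]))
            if surname in v_name.split():
                findings.append((vendor["id"], "name_matches_employee", emp["name"]))
        for other in vendors[:i]:  # compare with earlier vendors only, so each pair is reported once
            same_addr = v_addr == normalize(other["address"])
            name_ratio = SequenceMatcher(None, v_name, normalize_name(other["name"])).ratio()
            if same_addr or name_ratio >= dup_threshold:
                findings.append((vendor["id"], "possible_duplicate_of", other["id"]))
    return findings
```

Every finding is a lead for the owner to follow up on, not proof of fraud; a legitimate vendor can share a surname with an employee or operate from a P.O. Box.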

Specific Controls to Implement

Accounts Payable Controls

  • Require purchase orders for all purchases above a threshold
  • Implement three-way matching (PO, receipt, invoice) before paying
  • Do not allow the same person to create vendors and approve payments
  • Review the vendor list quarterly for anomalies
  • Require two signatures on checks above a threshold (or dual approval for electronic payments)

Cash Handling Controls

  • Never let one person handle cash from receipt to deposit
  • Count cash with a witness and document amounts
  • Deposit cash daily
  • Compare point-of-sale records to actual deposits
  • Use numbered receipts

Payroll Controls

  • Owner reviews and approves all payroll before processing
  • Audit timesheets regularly, especially for overtime
  • Verify any new employee additions or pay rate changes
  • Separate the person who enters timesheets from the person who processes payroll

Expense Reimbursement Controls

  • Require original receipts for all reimbursements
  • Set per diem limits for meals and travel
  • Require manager approval for all expense reports
  • Audit expense reports randomly — look for split transactions (keeping individual charges below the receipt threshold)
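As an added example (not part of the original article), the following Python checks run two of the audits described in this section over constructed expense lines: the same receipt submitted twice, and same-day, same-merchant charges split to stay under the receipt threshold. The $500 threshold and the expense records are assumed sample values.

```python
from collections import defaultdict

# Assumed policy value: receipts are required at or above this amount (not taken from the article).
RECEIPT_THRESHOLD = 500.00

# Constructed sample expense lines; not taken from a real expense system.
EXPENSES = [
    {"id": 1, "employee": "ortega", "date": "2025-03-04", "merchant": "Harbor Hardware", "amount": 320.00, "receipt_no": None},
    {"id": 2, "employee": "ortega", "date": "2025-03-04", "merchant": "Harbor Hardware", "amount": 280.00, "receipt_no": None},
    {"id": 3, "employee": "whitfield", "date": "2025-03-05", "merchant": "Airport Parking", "amount": 42.00, "receipt_no": None},
    {"id": 4, "employee": "whitfield", "date": "2025-03-12", "merchant": "Airport Parking", "amount": 42.00, "receipt_no": None},
    {"id": 5, "employee": "ortega", "date": "2025-03-09", "merchant": "Office Supply Hub", "amount": 180.50, "receipt_no": "R-1001"},
    {"id": 6, "employee": "ortega", "date": "2025-03-16", "merchant": "Office Supply Hub", "amount": 180.50, "receipt_no": "R-1001"},
]

def find_duplicate_receipts(expenses):
    """Return lists of expense ids that were submitted against the same receipt number."""
    by_receipt = defaultdict(list)
    for line in expenses:
        if line["receipt_no"]:
            by_receipt[line["receipt_no"]].append(line["id"])
    return [ids for ids in by_receipt.values() if len(ids) > 1]

def find_split_transactions(expenses, threshold=RECEIPT_THRESHOLD):
    """Flag same-employee, same-merchant, same-day charges that are each under the
    receipt threshold but together reach it: the classic split purchase."""
    groups = defaultdict(list)
    for line in expenses:
        groups[(line["employee"], line["date"], line["merchant"])].append(line)
    flagged = []
    for (employee, date, merchant), lines in groups.items():
        total = round(sum(l["amount"] for l in lines), 2)
        if len(lines) > 1 and all(l["amount"] < threshold for l in lines) and total >= threshold:
            flagged.append({"employee": employee, "date": date, "merchant": merchant,
                            "ids": sorted(l["id"] for l in lines), "total": total})
    return flagged

def audit_expenses(expenses, threshold=RECEIPT_THRESHOLD):
    """Run both checks and return everything a reviewer should pull receipts for."""
    return {"duplicate_receipts": find_duplicate_receipts(expenses),
            "split_transactions": find_split_transactions(expenses, threshold)}
```

The two identical parking charges on different dates are deliberately left unflagged: recurring small charges are normal, and the checks target the patterns the text names rather than every repeated amount.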

Technology Controls

  • Individual logins for accounting software — no shared passwords
  • Role-based access (bookkeeper sees different things than the owner)
  • Automatic audit trails (most modern software has this built in)
  • Regular password changes
  • Two-factor authentication on financial accounts

The Internal Controls Checklist

Use this checklist to assess your current controls. If you answer "No" to more than five items, you have significant exposure:

| Control | Yes/No |
|---|---|
| Owner reviews bank statements monthly (not the bookkeeper) | |
| Checks are locked and access is limited | |
| All purchases over $500 require owner approval | |
| Bank reconciliation is done by someone other than the transaction entry person | |
| Vendor list is reviewed quarterly for anomalies | |
| Owner approves every payroll before processing | |
| Credit card statements are reviewed monthly by the owner | |
| Expense reimbursements require receipts and approval | |
| Cash is counted with a witness and deposited daily | |
| Accounting software uses individual logins with role-based access | |
| Two-factor authentication is enabled on bank accounts | |
| Physical inventory counts are done at least annually | |
| Employee timesheets are reviewed before payroll is processed | |
| New vendors require owner approval before first payment | |
| Financial records are backed up regularly | |

Preventing Errors (Not Just Fraud)

Internal controls are not only about preventing theft. They also catch innocent mistakes that can cost you money:

Common Costly Errors

| Error Type | How It Happens | Cost |
|---|---|---|
| Duplicate payment | Same invoice entered twice, especially from emailed copies | $500 - $10,000+ per occurrence |
| Miscategorized expense | Bookkeeper puts COGS item in operating expense | Distorted margins, wrong financial analysis |
| Missed vendor discount | Invoice not paid within discount period | 2% per invoice (36% annualized) |
| Incorrect payroll tax filing | Wrong tax rate applied or state filing missed | IRS penalties of 2% - 15% of unpaid amount |
| Bank error not caught | Bank charge or fee not reconciled | $10 - $500+ per occurrence |
| Forgotten recurring charge | Canceled service still charging your card | $50 - $500/month |
| Sales tax not collected | Taxable sale processed without tax | Full liability for uncollected tax plus penalties |

A simple monthly reconciliation process catches most of these errors within 30 days, when they are still easy to fix. Left undetected for 12 months, these errors compound and become expensive to untangle.

Warning Signs of Fraud

Watch for these red flags:

  • An employee who never takes vacation (they cannot risk someone else discovering irregularities)
  • Unexplained lifestyle changes (new car, expensive vacations on a modest salary)
  • Vendor complaints about unpaid invoices that your records show as paid
  • Increasing costs without clear explanation
  • Missing documents or gaps in sequential numbering
  • Defensive or controlling behavior around financial records
  • Bank reconciliation that is always "almost done" but never completed

Behavioral Red Flags to Watch

| Behavior | Why It Matters |
|---|---|
| Employee works early/late, especially around financial tasks | May be conducting unauthorized transactions when no one is watching |
| Refuses to share duties or cross-train others | Protecting the scheme from discovery |
| Unusually close relationship with a specific vendor | Possible kickback or fake vendor arrangement |
| Frequently overrides system controls | Bypassing safeguards that would detect the fraud |
| Personal financial difficulties (gambling, divorce, addiction) | Creates pressure that motivates otherwise honest people to steal |
| Excessive control over financial records | Prevents others from seeing anomalies |

The ACFE reports that behavioral red flags were present in 85% of fraud cases. Owners who pay attention to these signals catch fraud faster.

What to Do If You Suspect Fraud

  1. Do not confront the employee. This gives them time to destroy evidence.
  2. Secure evidence. Make copies of relevant financial records.
  3. Contact your accountant. They can help assess the scope.
  4. Consult an attorney. Understand your legal options before acting.
  5. Consider a forensic accountant. For significant amounts, a specialist can trace the full extent of the fraud.
  6. File a police report. Fraud is a crime.
  7. Review your insurance. If you have crime or fidelity coverage, file a claim.

Forensic Accounting: When You Need It

If the suspected fraud exceeds $10,000 or involves complex transactions, hire a forensic accountant. They specialize in tracing hidden transactions, reconstructing financial records, and preparing evidence for legal proceedings.

Forensic accountants typically charge $200 to $400 per hour. For a case involving $50,000 or more in potential losses, the $5,000 to $15,000 investigation fee is a worthwhile investment to determine the full scope and support recovery.

Cybersecurity as Internal Control

Modern internal controls must include cybersecurity. Small businesses are increasingly targeted by cyber fraud:

Business Email Compromise (BEC)

Criminals impersonate a vendor or executive via email, requesting payment to a new bank account. These emails look legitimate and have cost businesses billions.

Prevention:

  • Verify any request to change payment details by calling the vendor directly using a known phone number (not the one in the email)
  • Require dual approval for any wire transfer or ACH payment change
  • Train all employees to recognize phishing emails

Unauthorized Access

Former employees, outside attackers, or current employees gain access to systems they should not be able to reach.

Prevention:

  • Immediately revoke access when an employee leaves (same day)
  • Use unique login credentials for every employee
  • Enable two-factor authentication on all financial accounts, email, and accounting software
  • Review user access logs quarterly

Ransomware and Data Loss

Malicious software encrypts your financial data and demands payment.

Prevention:

  • Regular automated backups to a separate location (cloud backup for cloud software, offline backup for desktop software)
  • Keep software updated with security patches
  • Train employees to avoid clicking suspicious links or attachments
  • Maintain cyber insurance ($500 to $2,000/year for most small businesses)

Insurance Protection Against Fraud

Fidelity Bond / Crime Insurance

Covers losses from employee theft, forgery, and dishonesty. Typical cost: $200 to $1,000 per year for up to $500,000 in coverage. Given that the median small business fraud loss is $150,000, this is some of the cheapest protection available.

Cyber Insurance

Covers losses from data breaches, ransomware, and business email compromise. Typical cost: $500 to $2,000 per year for $500,000 to $1 million in coverage.

Directors and Officers (D&O) Insurance

If you have a board or advisory board, D&O insurance protects against claims arising from management decisions, including failure to implement adequate controls.

The Cost of No Controls

Small business owners often say "I trust my people." Trust is good. Controls are better. The cost of implementing basic controls is minimal — a few hours of setup and a few minutes of daily oversight. The cost of not having them can be catastrophic. Median fraud losses for small businesses run into the tens of thousands, and some cases run into hundreds of thousands.

The ROI of Internal Controls

| Control Implementation | Annual Cost | Risk Prevented | Potential Loss Without It |
|---|---|---|---|
| Owner reviews bank statements (30 min/month) | $0 (your time) | Check tampering, unauthorized payments | $5,000 - $100,000+ |
| Dual approval for payments over $1,000 | $0 (process change) | Fake vendor schemes, unauthorized purchases | $10,000 - $200,000+ |
| Fidelity bond/crime insurance | $200 - $1,000/year | All employee theft | $150,000 median loss |
| Positive pay on checks | $50 - $200/year | Check fraud | $5,000 - $50,000+ |
| Two-factor authentication | $0 - $100/year | Account takeover, unauthorized access | $10,000 - $500,000+ |
| Quarterly vendor list review (1 hour) | $0 (your time) | Fake vendor schemes | $20,000 - $100,000+ |

Total cost of these controls: under $1,500 per year plus a few hours of your time per month. Total potential loss without them: tens of thousands to hundreds of thousands of dollars.

The Bottom Line

Internal controls are not bureaucracy. They are protection. For you, for your business, and honestly, for your employees too. Good controls remove temptation and create accountability. Implement the basics, review them regularly, and take warning signs seriously.


Frequently Asked Questions

How common is employee theft in small businesses?

According to the Association of Certified Fraud Examiners, small businesses with fewer than 100 employees suffer the highest median fraud losses of any business size. The most common schemes are billing fraud (fake vendors), check tampering, expense reimbursement abuse, and payroll manipulation. The perpetrator is almost always a trusted employee with access to financial systems.

What are the most important internal controls for a small business?

The three most critical controls are: (1) separation of duties — the person who writes checks should not reconcile the bank statement, (2) authorization limits — spending over $500 requires owner approval, and (3) regular bank reconciliation reviewed by someone other than the bookkeeper. These three controls alone prevent the majority of small business fraud and errors.

How do I prevent employee expense reimbursement fraud?

Require original receipts for all reimbursements, set per diem limits for meals and travel, and require manager approval for all expense reports. Randomly audit expense reports and look for split transactions — charges deliberately kept below the receipt threshold. Common red flags include round-dollar amounts, charges at unusual times, and receipts from vendors far from the employee's work area.

What are the warning signs of employee fraud?

Key red flags include an employee who never takes vacation (they cannot risk someone else reviewing their work), unexplained lifestyle upgrades on a modest salary, vendor complaints about invoices your records show as paid, defensive behavior around financial records, and bank reconciliations that are perpetually 'almost done.' Take any of these signs seriously and consult your accountant before confronting the employee.

Do I need a fidelity bond or employee theft insurance?

Yes — a fidelity bond or crime insurance policy typically costs $200 to $1,000 per year for small businesses and covers losses from employee dishonesty, forgery, and theft. The median small business fraud loss is $150,000 according to the ACFE, so the insurance pays for itself many times over in the event of a single incident. Many surety companies and business insurance providers offer these policies.
