Logo
Internal Controls for Small Businesses

Internal Controls for Small Businesses

July 16, 2026

How to Segregate Duties with a Small Team

Whether just starting out, or during growth phases, small businesses often struggle to segregate duties. A small team means all players wear wears multiple hats, and when there are only two or three people running a business, often one person is wearing almost if not all of the hats!

However, even the smallest business can successfully implement effective internal controls by creating “breaks” in the right places. By creating “breaks,” or “checks and balances,” to segregate certain duties, effective internal controls ensure that no one person controls an entire transaction from beginning to end.

For small business owners, internal controls are not just about formal compliance. They are about protecting the business from fraud, preventing costly mistakes, keeping reliable financial records, and creating better support when reporting to lenders, investors, or other stakeholders. Even when everyone on the team is trusted, internal controls provide structure and accountability so the business can grow safely.

What is the Key to Effective Internal Control?

There are four major financial duties that need to be separated, at least from one step to the next:

  1. Authorization – approving transactions before they happen. Approving bills to be processed or paid is a common example.

  2. Custody – handling assets such as cash, checks, credit cards, inventory, and bank access. This includes the person collecting cash from sales, handling customer checks, or initiating payments through the bank.

  3. Recordkeeping – entering transactions into the accounting system. This may be done by an employee, the owner, an office manager, or an outsourced accounting or bookkeeping firm.

  4. Reconciliation/Review – comparing accounting records to bank statements, payroll reports, customer records, vendor statements, loan statements, or supporting documents. This is often the “oversight” step, or the last opportunity to catch errors or fraud. This step is often split between two people, performed on a staggered basis, or outsourced.

Any one person can do more than one of these duties, but should not do all of the duties. Any one person with control over all four duty types has the opportunity to commit fraud, and has no oversight to help catch errors.

For a small business, this may feel difficult because the owner is often involved in everything. However, the goal is not to create unnecessary bureaucracy. The goal is to create practical review points so that money does not move through the business without a second set of eyes reviewing at the right time in each transaction process.

Ranked Minimum Segregation of Duty Controls

Let’s walk through the eight most important segregation of duty controls. Each small business should have some control established at these points, at a minimum.

Transaction-Level Controls

Separate Bank Reconciliation from Recordkeeping and Banking Access

When it comes to banking and cash, it is most important to separate custody, recordkeeping, and reconciliation. The person who writes checks, initiates electronic payments, or enters accounting records should not be the only person reviewing bank statements.

In a small business, the owner should receive bank statements directly or have direct online access to bank statements. If someone other than the owner handles bookkeeping or initiates payments, the owner should review the monthly bank reconciliation, or the reconciliation should be reviewed by someone independent of the day-to-day bookkeeping.

The reviewer should look for unusual payees, transfers, debit card activity, electronic withdrawals, missing check numbers, duplicate payments, checks payable to insiders, and payments that do not make sense for the business. A good accounting system like Xero or QBO makes this process easier. The reviewer should sign or initial the reconciliation electronically or physically to document review.

Many small businesses outsource the recordkeeping and reconciliation tasks to our team. This works because the outsourced team does not have custody of business assets and does not have authorization to initiate transactions without approval from the business. Even though the outsourced team performs both the recordkeeping and reconciliations, transactions are initiated and reviewed by someone within the business. This allows a very small team, even one or two people, to still have effective internal controls and effective oversight.

Bank reconciliations are one of the most important controls for small businesses because they help catch both fraud and mistakes. They also help ensure the financial statements are accurate, which is especially important when reporting to owners, lenders, investors, or potential investors.

Separate Payment Approval from Payment Preparation and Execution

In the case of payments to vendors, contractors, employees, and reimbursements, it is most important to separate authorization from custody, and custody from recordkeeping.

For a very small business:

  1. Require approval before payment is made.

  2. Establish a dollar threshold for dual approval for payments over a certain amount.

  3. Require the owner or manager to approve business expenses, while payments to the owner or related parties should have additional review or documentation.

  4. Establish a chain of command so that no one is approving their own reimbursement.

  5. Invoices, receipts, and approval documentation should be retained and, if possible, attached within the accounting system.

Example: In the case of a very small business where there are only two people, Person A may collect the payables and provide them to Person B for approval. Either person may approve, but the person who did not process the payments should be the one to enter or review the payments in the accounting system.

In a business where the owner is the only person approving payments, the owner should still avoid informal payment habits. Payments should be supported by invoices, receipts, contracts, or other documentation. Even when the owner has full authority to spend business funds, documentation helps protect the business from duplicate payments, vendor disputes, issues when planning and executing tax strategies and tax compliance, and questions from investors or lenders.

When the accounts payable function is outsourced, the accounting or bookkeeping firm handles the entry and recordkeeping, while someone within the business handles the collection and approval. The outsourced accounting team also provides an additional layer of review and should raise questions if bills appear unusual, duplicated, unsupported, or inconsistent with the business’s normal operations.

Separate Cash and Check Handling from Deposit Recording and Customer Recordkeeping

Incoming cash and checks are highly vulnerable because they can be diverted before they are captured in the accounting records. In the case of payments received by the business, it is most important to separate custody from recordkeeping and reconciliation.

In this case, custody includes collecting cash from customers, receiving checks, opening the mail, handling deposits, using a point-of-sale system, and preparing deposits to go to the bank. Reconciliation includes comparing sales records, deposit records, customer accounts, and bank deposits.

Perhaps the most challenging part of handling this is managing custody.

Ideally, two people should be involved when cash is counted, deposits are prepared, or checks are received through the mail. This prevents theft of cash or rerouting other assets by requiring collusion. The people opening the mail or collecting cash should create a deposit log of checks and cash received, and provide that information to the person who records the deposit.

The person who makes the deposit should not be the same person who records the deposit, but can be one of the people who collected the cash, checks, or other payments for deposit. Additionally, customer payments should be compared periodically to bank deposits to ensure sales and receivables were correctly captured.

For businesses with point-of-sale systems, daily sales reports should be compared to bank deposits and merchant processor deposits. Credit card settlements, cash receipts, refunds, discounts, and voids should be reviewed for unusual activity. Refunds and voids are particularly important because they can be used to conceal theft or errors.

Where an outsourced accounting team is employed, the outsourced team may record the deposits and reconcile the deposits to the bank statement. This verifies that the deposits collected actually made it to the bank and were properly recorded in the accounting system.

Separate Payroll Approval from Payroll Processing and Payroll Changes

Because it would obviously be very easy for someone to increase their own pay, very few people should be given access to the payroll system. In addition to maintaining confidentiality, this shrinks the payroll process down to as few people as possible, which can make segregation of duties more challenging.

In the case of payroll, it is most important to segregate authorization from custody and execution, meaning the person approving changes to payroll should not be the same person who processes payroll. It is also important to segregate custody and execution from recordkeeping and reconciliation, meaning the person who processes payroll should not be the only person entering or reviewing payroll in the accounting system.

For a very small business, proper segregation within the payroll process might look like:

  • The owner approves compensation for employees.

  • A supervisor or manager approves employee timesheets, commissions, bonuses, or other variable pay.

  • Changes to pay rates, bank accounts, or employee status require approval from someone other than the person who processes payroll.

  • Someone independent of approving compensation processes payroll; ideally, the entry will be automatically synced from the payroll processor to the accounting system.

  • The owner, manager, or outsourced accounting team reviews payroll reports and reconciles them to the entries in the accounting system.

When an outsourced accounting or bookkeeping firm is employed, the outsourced team can handle approved changes to payroll, processing the payroll, and recording the payroll. However, the owner or another appropriate person should review payroll either before processing or on a monthly basis.

Payroll is frequently one of the largest and most consistent expenditures within a small business. Without segregation of duties, one person could create a ghost employee, change a pay rate, approve unauthorized or inappropriate hours, alter direct deposit information, or process improper bonuses or reimbursements for their own benefit.

Additionally, payroll is one of the more frequent places where we see errors due to the complexity of hourly wages, overtime, commissions, bonuses, tax withholdings, employee benefits, reimbursements, retirement plan contributions, and employer-covered expenses. Even without fraud, errors in payroll can quickly become costly problems, so it is very important to have someone knowledgeable reviewing payroll.

Separate Credit/Debit Card Custody from Statement Review and Expense Coding

When a small business issues credit or debit cards, we highly recommend having a strict use and procedures policy in place to provide an enforceable framework. After that, having the proper segregation of duties in place helps prevent misuse.

In the case of credit and debit cards, it is important to segregate custody from authorization of spending limits, and custody from recordkeeping and reconciliation. With cards particularly, card use should be reviewed by someone other than the cardholders to help detect personal expenses, missing documentation, recurring subscriptions, duplicate charges, and charges outside of normal business purposes.

First, an approval policy should be in place where card charges must either be approved prior to purchase or approved immediately after purchase. The approver typically also identifies the coding when reviewing the purchase’s purpose. The business should require documentation, including a receipt and record of approval, for every purchase.

Someone other than the cardholder should review monthly statements, record the transactions, and reconcile the transactions to the statements. If the owner is a cardholder, another person, such as an outsourced bookkeeper, accountant, controller, investor representative, or trusted manager, can provide some review over the activity.

This is not because the owner lacks authority to spend business funds. Rather, it is because credit card activity is a common place for missed receipts, improper expense classification, accidental personal charges, duplicate subscriptions, and expenses that are difficult to explain later. It’s also easy for credit cards to be stolen and used by unauthorized parties; timely details review of all charges helps catch fraudulent charges quickly, leading to quicker resolution. Clean documentation and review make financial reporting more reliable and makes investor or lender questions much easier to answer.

Separate New Vendor Approval/Setup from Invoice Approval and Payment

New vendors should go through a vetting and approval process to ensure appropriate vendor choice and, ideally, to collect a W-9 before payment. Each new vendor should be approved for addition to the payment system before the vendor’s bill is added and approved, and certainly before they are paid.

Typically, the owner, manager, or person approving bills for payment will approve new vendors. However, the business should also review for related parties, unusual vendors, unfamiliar payment instructions, and changes to vendor banking information.

Vendor fraud often occurs when someone can create or modify a vendor, then approve or issue payments to that vendor. The simple additional step of reviewing new vendors before adding them into the payment system helps reduce the risk of fictitious vendor schemes.

This control is also important for small businesses because vendor records support tax reporting, 1099 preparation, job costing, financial statement classification, and investor reporting. If vendor records are incomplete or inaccurate, the business may have difficulty explaining costs by department, project, location, customer, or product line.

In cases where an outsourced accounting team is employed, the outsourced team should also be vigilant to new vendors and should not blindly add new vendors, changed payment instructions, or abnormal invoices, even though the bills must still be approved before payment.

Oversight Controls

Separate Accounting System Access from Administrative Oversight

This means that those with final approval, usually the owner, managing partner, or senior manager, do not necessarily need access to change accounting transactions, though they may quite appropriately be given read-only access. Additionally, accounting users should be given appropriate authorization and restrictions for their role.

In a small business, this means:

  • Each user has a unique login.

  • Administrator rights, including the ability to add users and change permissions, are very limited.

  • Passwords are not shared.

  • Read-only access is used where appropriate.

  • Journal entries can only be posted by individuals without payment rights and are reviewed regularly by another individual.

This prevents unauthorized changes to the books and limits information appropriately for each user. This also prevents those with oversight authority from accidentally changing legitimate transactions while reviewing.

Accounting system access matters because the accounting records are the source of financial reporting. If users can make unrestricted changes, delete transactions, modify prior periods, or override system controls, the business may not be able to rely on its own financial statements. For businesses reporting to investors, lenders, or outside stakeholders, clean accounting system access and review procedures provide stronger support for the numbers being reported.

Separate Financial Preparation and Reporting from Owner or Investor Review

Most businesses have some natural segregation here, where one person prepares the financial statements and the owner reviews them. However, some businesses are very small, such that the owner is also approving transactions, entering activity, reviewing bank accounts, and preparing the financial statements.

Even if the owner is heavily involved in the books, financial statements should still be reviewed regularly. The review should include budget-to-actual comparisons, cash balances, debt balances, gross margin, payroll costs, unusual expenses, accounts receivable, accounts payable, and variances for unusual or unexpected activity.

When a business has outside investors, financial reporting becomes even more important. Investors generally want to understand whether the business is using funds appropriately, producing reliable results, managing cash flow, and identifying problems early. Internal controls help support that reporting because they reduce the risk that the financial statements include errors, unsupported transactions, or activity that has not been properly reviewed.

When an outsourced accounting or bookkeeping firm is employed, preparing the financial statements is easily done by the outsourced team, where the owner or management team can then review the financials before sharing them with investors, lenders, or other stakeholders.

Minimum Control Matrix

The minimum duty segregation discussed above can be summarized as follows:

Conclusion

Internal controls help keep your small business safe, organized, and financially reliable. Even if you are only two people, your business can implement effective internal controls with the right planning and precautions.

Small businesses can make internal controls more robust by outsourcing certain functions to accounting and bookkeeping firms, but even without that added expense, the controls discussed above can help any business owner write and implement practical policies to protect assets, prevent mistakes, and strengthen financial reporting.

Good internal controls are not about making a small business feel corporate or complicated. They are about creating enough structure so the owner can trust the numbers, catch problems early, protect the business from fraud, and provide better information to lenders, investors, and other stakeholders.