Internal Control Procedures

Internal control procedures. I know… super sexy topic, right?

But let me tell you this, having proper procedures in place can save you thousands, or hundreds of thousands, of dollars… or maybe even save your business.

Although what may immediately come to mind is petty theft (“stealing from the till”), internal controls help avoid both intentional and unintentional harm to your business.

There are five key components to internal controls:

  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information and Communication
  • Monitoring

Good internal controls are critical if you want to have a healthy business.

Control Environment

This is a fancy way of talking about the general nature of your business.

Is your business a highly ethical establishment? Do you have documented policies and procedures? Does everyone know what everybody else is responsible for? Do you have a Board of Directors in place? Are your transactions well-supported with documentation?

Let’s say you’re a criminal and you’re interested in swindling a company out of some cash. You have the choice of working at Business A which runs a tight ship and does background checks on all its employees, or you can apply to work at Business B which has no real procedures or policies and is kinda wishy washy in the ethics department. Which one do you apply to? Yeah, Business B. And that’s why you want to own Business A.

Risk Assessment

Great, you’ve got an ethical and orderly environment. Now take a look around and figure out what the greatest risks to your business are.

Your risks may be internal or external. Maybe you live in a tsunami zone, so all your documentation should be living in the cloud. Maybe all your stuff is in the cloud, and your biggest risk is making sure all that data stays safe. Or maybe your team is prone to errors due to inadequate training.

Some of the most common, obvious, and biggest risks are those related to the assets of your business: inventory and cash. You want to do whatever you can to avoid misappropriation of those resources (you know, embezzlement, fraud, theft).

Whatever the risks are, you’ll want to identify them and then start developing a plan for how to best protect yourself.

Control Activities

This is the meat of your internal control system - it’s all about putting your protection plan into action. Here are some ways to do that:

Redundant Systems - this is important for online businesses in particular. If you are keeping your accounting on a desktop computer and a tsunami takes out your system and all of your backups… um, yeah. That’s bad. This is one of the biggest reasons we’re a fan of cloud accounting - the heart and soul of your business is safe and sound regardless of whether your house is flooded.

Segregation of Duties - you want to keep access to your assets completely separate from the person who’s responsible for recording the activities. Here’s an example. Imagine you have a villain in your midst who has the authority to issue a check (or multiple checks) on your bank account, and this person also happens to be your bookkeeper. So he writes himself a check for $3,000 and records it as a payment to your biggest supplier. Poof! You probably just lost $3,000. If you keep those duties separate, person A would have to convince person B that they should collectively steal $3,000. It’s still possible, but it’s much more difficult to do.

Proper Authorization of Transactions - before your business issues a payment or writes off an invoice (money owed to you), make sure that the person who’s approving the transaction has the authority to do so. We know an extremely busy company. They didn’t want their suppliers to have to wait for payment because they could get early payment discounts in many cases. But they were buying stuff all the time. It was just too busy to manage. So they gave out their credit card information to all of their suppliers. You know what happened, right? A supplier stole hundreds of thousands of dollars before the theft was identified.

[In case you’re wondering, the proper way to ensure valid payment authorization in this situation: 1) issue a purchase order, 2) verify that you received all the products as ordered, 3) match the amounts from the vendor’s invoice to the received order, and 4) issue payment with the documentation as complete support for the transaction.]

Physical Securities - it’s great if you’re making sure that every purchase order matches up as the orders are coming in, but don’t forget about the products once they get there. You may want to protect your products through insurance or even through a basic security system to ensure they’re not going out through the back door.

Also, keeping your computers and accounting systems password protected and/or limiting bank access can help you ensure your data and accounts aren’t compromised.

Information and Communication

One of the best tools at your disposal is your accounting system. As simple as it sounds, just being able to read your financial statements and look for trends over time can help point out potential problems in your internal controls. In fact, this is how the “missing” hundreds of thousands of dollars was discovered - payments were made for inventory that seemingly didn’t exist. It didn’t pass the smell test, which caused everyone to dig deeper until the source of the issue was found.

Again, requiring support for each accounting transaction helps to establish that there is a true, authorized purpose for each transaction so you can rely on the validity of the data.


Monitoring

This is one of the most important parts of internal control procedures… this is not a “set it and forget it” task. Management needs to monitor the company’s internal controls on an ongoing and periodic basis so you can ensure that all controls are working as designed.

We ask all of our clients to sign up for a login to This site can allow you to monitor and ensure all of your income tax and payroll taxes are being remitted to the proper authorities. You don’t want to end up in this boat.

One of the most common ways of doing this for an online retailer is by performing physical inventory counts, preferably monthly, but no less frequently than annually. This will help you maintain control over your product and ensure you aren’t “losing” anything.

Regardless of what risks you identify or what actions you take, the most important thing is that you start thinking about what dangers might be lurking out there for your business and then do your best to protect it using strong internal controls.


