
Smart controls - Building internal controls in a small business

“There's a storm coming, Mr. Wayne. You and your friends better batten down the hatches, because when it hits, you're all gonna wonder how you ever thought you could live so large and leave so little for the rest of us”

- Selina Kyle (Catwoman): The Dark Knight Rises (2012)


When you’re building a product, taking it to market and “hustling” to get jobs in, the last thing on your mind is creating controls for your business. Most small business owners tend to think, “Sure, we’ll worry about that when we get big”, or shrug it off as “that’s for them big companies”.

Fact - it’s not. From day one of forming and running a business, thinking about best control measures is important. We sometimes even habitually put some in place. When organizations grow fast in terms of revenues and team sizes, weak internal controls and lack of processes can be a roadblock to achieving operational efficiencies.

In an SME, controls have to be seamless and smart. They shouldn’t be an impediment to the ultimate goal – efficiencies for product / service delivery.

Who is responsible?


When the team is five members big, every person has the responsibility to ensure that the right controls exist. But without doubt, the buck stops with the CEO. When we study frameworks such as COBIT or ITIL, it becomes evident that the person ultimately responsible for digital strategy is the CEO. Applying the same principle to a small business, the founder or the CEO equivalent has the accountability to think through the control metrics that should be in place. This has to flow through to the early team members. When the thought process for best controls exists among the first team members, new hires will have a framework to follow and improve upon.

Encourage the why


It’s easy for small business CEOs to fall into the trap of “I built the business and I know what’s best for it”. It’s understandable. When time and resources are scarce, you want to put something in place and move on. That’s also the biggest reason why you should encourage the “why”. This is key to keeping innovation alive. In the enthusiasm to create best controls, we may end up creating too many of them. We live in a world that produces tech at the speed of light. Information dissemination happens in split seconds and we sit on too much data altogether.

Given this state of affairs, internal controls should be fashioned to solve issues, without creating a new set of processes that only lock in time and resources.

Smart solutions that have in-built controls

A lot of products in the market are targeted at small businesses. So it is important to look for ones that are thoughtfully designed. We have been working on Xero and its add-ons for six years now and have a background in internal audit. When you look at how this system has been designed, you can see that there is deliberate thought put into solving issues.

Features like two-factor authentication, user-level access, an assurance dashboard (a real-time heatmap of user activity), audit trails etc. ensure that you are buying into a solution that’s got the basic faculties right. When you look at CRM systems, ticketing solutions or POS, invest time in understanding how they deal with information stored on back-end systems. Read the T&Cs and privacy policies before deciding whether the product is reflective of your risk appetite. In simple words – don’t buy anything that you wouldn’t be comfortable selling yourself.

Another product we love is HelloSign - an electronic signature facility that's legally accepted and has strong in-built controls.

Man-machine integration


We love solutions that eliminate the human effort. And we are at that stage where many manual processes are indeed automated. At the same time, there are still processes that need human interference, and we don’t mean that in a negative way. The solutions used in a business should be well-integrated with the psyche of the people using them. Unless this key element is considered before controls are designed and implemented, they will most likely fail.

Simple instance – we don’t need physical sign-offs for purchases, as user-level access controls on accounting systems can take care of the approval processes. But if the person who is to approve the bills does not want to spend time logging in and sifting through them, the bills will pile up, thus making a good process redundant.

This is when you have to find workaround solutions. Perhaps divide the process into two parts: getting the books updated, and creating payments in the bank. As long as payments are approved by the right person via online banking, the end goal is still met. Doubtful payments will not be made and can be flagged as suspicious or needing more input.

A framework is necessary

Internal controls or processes, if viewed as “a waste of time”, will always be an impediment to successful implementation and subsequent adaptation. You simply can’t have processes in a business that suit everyone. But a lack of good controls will manifest when delivery goes awry - small businesses today simply cannot afford this. A proactive control environment goes a long way in creating an operational atmosphere that is well-integrated and has the ability to be a legacy solution.

Notes and references

1. All pictures used in the article are allowed for commercial use. Most are from

3. ITIL - Details and references -

4. COSO and the internal control framework -
