Internal control frameworks were written for corporations with control departments. SMEs need something different: a way to find the handful of gaps that actually leak money, fix them without bureaucratising the business, and verify the fixes happened. That is what a right-sized control review does.
Why SMEs put this off, and why that is backwards
The standard objections: we are too small, we trust our people, we cannot afford process overhead. But control failures hit smaller businesses harder, not softer: there is less cushion to absorb a leakage, less redundancy to catch it, and the person with end-to-end access has more of the business in their hands. Trust is not a control; it is what controls protect.
The four cycles to review first
A first review should not boil the ocean. Four cycles cover most of the money in most SMEs:
- Payments: who can initiate, who approves, who releases, and whether those are genuinely different people. Test actual transactions, not the described process
- Revenue and receivables: whether everything dispatched or delivered gets invoiced, whether invoices reach the ledger, and who follows up old balances. Uninvoiced work and silently ageing receivables are classic SME leaks
- Payroll: ghost employees, unapproved changes to salary masters, and exits that stay on the payroll a month too long
- Inventory: whether physical stock matches the records, how differences are investigated, and who can write stock off
What a review actually involves
- Walkthroughs with the people who do the work: not the org chart version but the real version, including the workarounds
- Sample testing of real transactions through each cycle, end to end
- A look at system access: who has admin rights, shared logins, and rights that outlived role changes
- A short, severity-ranked report: the gap, what it could cost, and the practical fix, not a framework lecture
What good findings look like
Useful findings are specific and actionable. From real SME reviews, anonymised:
- The same login that creates vendors can approve payments to them: split the roles
- Credit notes need no approval at any value: add a threshold and a second signature
- Stock write-offs are recorded by the storekeeper who reports the shortage: route them through someone independent
- Three customers' balances have aged past a year with no correspondence on file: investigate before they become write-offs
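The payments test and the first finding above can be run against exported transaction data rather than the described process. The following is an added example, not part of the original article: the CSV column names, the logins, the sample rows and the threshold value are all constructed assumptions standing in for whatever the accounting system actually exports.

```python
import csv
import io

# Constructed sample exports (not real data); column names are assumptions.
VENDORS_CSV = """vendor_id,created_by
V001,asha
V002,ravi
V003,meena
"""
PAYMENTS_CSV = """payment_id,vendor_id,amount,initiated_by,approved_by,released_by
P1001,V001,48000,ravi,meena,asha
P1002,V002,125000,ravi,ravi,meena
P1003,V003,9000,asha,asha,asha
P1004,V003,76000,ravi,meena,meena
P1005,V001,310000,ravi,asha,meena
"""
THRESHOLD = 10000  # hypothetical value; below this one person may act alone


def rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def review_payments(vendors_csv, payments_csv, threshold=THRESHOLD):
    """Return findings as (amount, payment_id, gap), largest exposure first."""
    creator = {v["vendor_id"]: v["created_by"] for v in rows(vendors_csv)}
    findings = []
    for p in rows(payments_csv):
        amount = float(p["amount"])
        if amount < threshold:
            continue  # out of scope for this test
        gaps = []
        if p["initiated_by"] == p["approved_by"]:
            gaps.append("initiator approved own payment")
        if p["approved_by"] == p["released_by"]:
            gaps.append("approver also released")
        if creator.get(p["vendor_id"]) == p["approved_by"]:
            gaps.append("approver created this vendor")
        findings += [(amount, p["payment_id"], g) for g in gaps]
    # Rank by amount so the report leads with the largest exposure
    return sorted(findings, key=lambda f: (-f[0], f[1], f[2]))


if __name__ == "__main__":
    for amount, pid, gap in review_payments(VENDORS_CSV, PAYMENTS_CSV):
        print(f"{pid}  {amount:>10,.0f}  {gap}")
```

A clean result on a sample only shows that no violation occurred in that period; whether the system would permit one is a separate question answered by the access review.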
After the report: the part most businesses skip
A review that ends with the report changes nothing. Each finding needs an owner and a date, and someone (internal or external) must verify implementation a quarter later. Our standing recommendation: a focused review once a year, rotating attention across cycles, with a follow-up check in between. The second year is usually cheaper and faster than the first, because the easy gaps are gone.
Starting this quarter
If nothing else, do two things this month: confirm that payment initiation and approval are separated above a sensible threshold, and read the bank reconciliation yourself. Those two controls alone would have prevented a remarkable share of the SME losses we have seen in three decades of practice.