top of page

Trust Is Not An Internal Control

Having worked in both accounting and recruiting for so many years, I’ve heard my fair share of horror stories of trusted employees that have stolen from unsuspecting employers. Recently in a seminar, I heard the quote that I used above for the title of this blog post: “Trust is not an internal control.” I’ve never heard it so succinctly stated.

In a small business, it’s common to have too few people to be able to adequately separate duties. Although separation of duties doesn’t 100% prevent fraud, it does make it more difficult for any one person to commit fraud if parts of the process are handled by others. The most common concern business owners have is the lack of people needed to separate out duties. There are ways to combat this even in the smallest of companies though.

The fundamental to remember regarding internal controls for a small business is that you need to separate out 1) the ability to make a transaction (“authority”), from 2) the duty of recording the transaction (“record keeping”). While there are many more detailed practices for internal controls that you can implement as your company grows, this basic precept is a great start. Examples of separating the authority from the record-keeping are:

  • The person that prints checks should not be able to sign checks, and preferably not mail them either. In the case of ACH payments, have notifications of outgoing payments sent to someone other than the person authorizing the payments, such as the owner or another manager.

  • Bank statements should be sent directly to, and opened by, someone that doesn’t record the transactions.

  • Incoming paper checks (payments) can be logged by someone other than the person that applies the payments to customer accounts.

Another key control is to enforce vacation time for your accounting/bookkeeping employees. Although it can be a headache to cover for the individual while they are gone, it forces a review of what is being done in accounting even if it is for a brief period.

Lastly, criminal background checks should be run. Although this policy won’t stop a first-time offender, it gives you valuable information if there is a public record. Surprisingly it’s common for companies to skip this easy step, even though the cost is low.

In a nutshell, there are many basic practices that even the smallest of small businesses can implement to better their internal controls and deter possible theft. Interestingly enough, as an owner you will even find that the most honest employees actually appreciate such controls being in place. Although you may think that they would be offended, they typically respect having strong procedures that protect both the organization as well as themselves.

While I don’t personally do such reviews, if you need a qualified professional to review your internal controls, please reach out and we would be happy to make a referral.

Until next time, I wish you the best in your business.

Mark Goldman


Recent Posts

See All

Infrastructure Must Scale Too

I’m writing this post to address an issue we see with so many successful entrepreneurs as they grow their companies. They start their business with a dream, they quickly sell enough to warrant gettin


bottom of page