8 Signs Your Internal Controls Are Weak: How to Identify and Fix Common Control Weaknesses

Navpoint Group

If you're lucky, you'll discover you have a controls problem from a review or an audit. If you're unlucky, you'll find out from a fraud, a nasty surprise in the accounts, or a due diligence process that turns up something uncomfortable. By that point, the damage is already done.

The warning signs below are drawn from real patterns - the kind of things that show up repeatedly when you look closely at how growing businesses actually operate. If you're not sure what internal controls are or why they matter, this article covers the fundamentals. None of the signs below are unusual. Some will be familiar.


1. Segregation of Duties

One person controls an entire financial process from start to finish

The person who raises invoices also approves them and processes the payment. The same individual manages payroll end-to-end. One person has sole access to the banking platform and sole authority to release funds.

This is the most common - and most consequential - gap in smaller businesses. It happens for understandable reasons: the business grew quickly, the person is trusted, and involving someone else feels unnecessary. But a lack of segregation of duties isn't just a fraud risk. It's an error risk too. Without a second pair of eyes, mistakes compound silently. It also means that even if that employee is the most trustworthy person on earth, an external fraudster only has to compromise one person's credentials to gain control of the whole process.

⚠️ Authorised push payment fraud - where a criminal impersonates a supplier and requests a change to bank details - succeeds most readily where one person can update payee details and release a payment without any secondary check. Average losses run into tens of thousands of pounds per incident, and recovery is rare.
What to do about it

Map out your key financial processes and identify where one person has end-to-end control. For payments specifically, mandate dual authorisation as a minimum - most banking platforms support this for free. Require dual authorisation not only for releasing payments but also for changes to payee details and platform settings - this is often missed, and it is exactly the gap that authorised push payment fraud relies on.
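To make the control concrete, here is a small model of maker-checker enforcement on a payment platform. It is an added example written for this page, not Navpoint's code and not any real banking platform's API; the platform class, the user names, the payee "Acme Ltd" and the bank details are all constructed. It shows why dual authorisation has to cover payee-detail changes as well as payment release: an attacker holding one person's credentials can raise both requests but cannot approve either, and a payment to a payee whose details are mid-change is held until the change itself has been checked.

```python
from dataclasses import dataclass, field
from typing import Optional


class ControlViolation(Exception):
    """Raised when an action would bypass dual authorisation."""


@dataclass
class Request:
    kind: str                          # "payee_change" or "payment"
    payee: str
    requester: str                     # the maker
    data: dict = field(default_factory=dict)
    approved_by: Optional[str] = None  # the checker, set once approved


class PaymentPlatform:
    """Hypothetical model of a banking platform with dual authorisation switched on
    for both payments and payee-detail changes (not any real platform's API)."""

    def __init__(self):
        self.payees = {}      # payee -> approved bank details
        self.pending = []     # requests awaiting a second person
        self.released = []    # payments actually sent

    def raise_request(self, req):
        """The maker's step: anyone with a login can raise a request, nothing happens yet."""
        self.pending.append(req)
        return req

    def approve(self, req, approver):
        """The checker's step: must be a different person, and for a payment the payee's
        details must already be approved with no change still waiting for a checker."""
        if approver == req.requester:
            raise ControlViolation(f"{approver} cannot approve their own {req.kind}")
        if req.kind == "payment":
            if req.payee not in self.payees:
                raise ControlViolation(f"no approved bank details for {req.payee}")
            if any(p.kind == "payee_change" and p.payee == req.payee for p in self.pending):
                raise ControlViolation(f"payment to {req.payee} held: detail change awaiting approval")
        self.pending.remove(req)
        req.approved_by = approver
        if req.kind == "payee_change":
            self.payees[req.payee] = dict(req.data)
        else:
            self.released.append(req)
        return req


# Constructed placeholder details, not a real account.
FAKE_DETAILS = {"sort_code": "00-00-00", "account": "00000000"}


def app_fraud_attempt(platform, compromised_user, payee="Acme Ltd"):
    """An attacker with one user's credentials tries to redirect and release a supplier payment.
    Returns the control violations that stopped them (an empty list means the fraud went through)."""
    blocked = []
    change = platform.raise_request(Request("payee_change", payee, compromised_user, FAKE_DETAILS))
    payment = platform.raise_request(Request("payment", payee, compromised_user, {"amount": 48000}))
    for req in (change, payment):
        try:
            platform.approve(req, compromised_user)  # only one set of credentials available
        except ControlViolation as exc:
            blocked.append(str(exc))
    return blocked


def legitimate_flow(platform, maker, checker, payee="Acme Ltd"):
    """The same two steps with a genuine second person: change checked first, then the payment."""
    change = platform.raise_request(Request("payee_change", payee, maker, FAKE_DETAILS))
    payment = platform.raise_request(Request("payment", payee, maker, {"amount": 48000}))
    platform.approve(change, checker)
    platform.approve(payment, checker)
    return len(platform.released)


if __name__ == "__main__":
    attacked = PaymentPlatform()
    for reason in app_fraud_attempt(attacked, "alice"):
        print("blocked:", reason)
    honest = PaymentPlatform()
    print("legitimate payments released:", legitimate_flow(honest, "alice", "bob"))
```

The point of the model is the ordering in `approve`: the self-approval check comes first, so a single compromised login never gets past it, and the pending-change check means a checker who is asked to release a payment is forced to look at the detail change before the money moves.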


2. Process Documentation

There is no documented process for anything critical

If the knowledge of how a key process works lives entirely in one person's head, it isn't a process - it's a dependency. This applies to payroll runs, month-end close, supplier onboarding, payment authorisations, and a dozen other things that happen on a regular cycle in most businesses.

Undocumented processes have two problems. First, they cannot be reviewed for control weaknesses because no one outside the person doing them fully understands what they involve. Second, they create a fragility that only becomes obvious when that person is unavailable - illness or a lottery win could upend your entire operation.

Real-world pattern

A finance manager goes on extended sick leave. The business discovers that month-end, payroll, and the supplier payment run all lived in that one person's knowledge of which buttons to press in which order. What should be a temporary absence becomes a crisis.

What to do about it

Start with your three or four highest-risk processes - typically payments, payroll, and month-end close - and document them simply. A one-page process note with the key steps, decision points, and who is responsible at each stage is enough. It does not need to be elaborate. The purpose of internal controls here isn't to create red tape; it's to ensure business resilience by making sure the knowledge belongs to the company, not an individual.


3. Single Point of Failure

The "hero employee" is holding everything together

Every business has one - the person who knows all the passwords, manages all the systems, and hasn't taken a full week off in three years. They are capable, reliable, and the business would genuinely struggle without them. That is precisely the problem, and as your business grows, this becomes a very real risk.

A single point of failure in your people is a single point of failure in your controls. If your business would grind to a halt because one specific person was off sick for two weeks, your controls aren't just weak - they're non-existent in the areas that person covers. This is not about distrust. It is a structural problem where your business is likely a victim of its own success.

Three questions worth asking

Is there any process that only one person knows how to complete?
Are there systems or accounts where only one person holds the credentials?
What would actually happen if they were not contactable for ten working days?

What to do about it

Identify the single points of failure in your business - the processes only one person can complete and the systems only one person can access. For each one, the fix is either cross-training a second person or documenting the process clearly enough that it could be handed over at short notice.


4. Financial Reporting Controls

Financial surprises keep appearing

Not the occasional variance - every business gets those. The pattern worth paying attention to is repeated, unexplained differences between what management accounts show and what the bank or underlying records show. Costs that appear without a clear trail. Balances that don't reconcile cleanly, or that take weeks to resolve.

Individually, these can always be explained away. As a pattern, they are telling you that something in the financial reporting process is not working. Either controls are not operating, reconciliations are not being performed properly, or - in the worst cases - something more deliberate is happening.

The businesses most exposed here are those where the finance function is either under-resourced, or where management accounts are produced by the same person responsible for the underlying transactions, with no independent review.

What to do about it

The first step is making sure bank reconciliations are being performed regularly and reviewed by someone other than the preparer. Beyond that, a structured month-end close with defined timelines and a second-person review of management accounts before they are circulated will catch most issues before they become patterns. If surprises are already recurring, an independent review of your financial controls is worth considering - the cause is not always obvious from the inside.


5. Data Integrity

Your team keeps their own version of the data in spreadsheets

This is one of the most underappreciated warning signs in growing businesses, and in larger, more established businesses too. When staff start maintaining their own trackers in Excel because the main system is too slow, too confusing, or doesn't do what they need, data integrity starts to disappear.

You now have two versions of the truth. The "official" figures in the system, and the working version that the team actually uses. Over time, these diverge. The risk of error increases substantially. So does the risk of manipulation, because shadow spreadsheets outside the main system are far harder to audit than records within it.

This is not a technology problem, and it isn't unique to your business. It is a signal that the business has outgrown its operational structure - that processes and systems have not kept pace with growth. Data is one of the most underused assets for most businesses large and small; if you can harness and control it, it can be a real catalyst for genuine data-based decision making.

What to do about it

Treat the spreadsheet as a symptom rather than the problem. The question to ask is why staff feel they need their own version - is the system too slow, not fit for purpose, or missing a key function? The answer might be a system upgrade, additional training, or a process redesign. In the meantime, establish a clear policy on where the master data lives and who is authorised to maintain it. This exercise can be linked with sign 7 below on access controls.


6. Audit Readiness

Nobody can quickly produce a transaction trail

Here is a practical test. Pick a payment made six months ago - something reasonably significant. How long would it take to produce a clear, documented trail showing it was raised, approved, and released by the right people with the right authority?

If the answer involves scrambling through old email chains, chasing down paper files, or reconstructing approvals from memory - your controls are failing a basic audit readiness test. Good financial controls mean the trail is always there. Not assembled retrospectively under pressure, but present as a natural byproduct of how the process works.

This matters most in two situations: when something goes wrong and you need to investigate, and when an auditor, acquirer, or investor asks for evidence. In either case, the inability to produce a clear trail quickly creates both a practical problem and a credibility problem.

What to do about it

Establishing robust internal control procedures for transaction trails is largely a discipline issue. Approvals should be recorded in the system at the point they happen - not reconstructed later. If your current systems do not support that easily, even a simple email approval trail that is filed systematically is better than nothing. For businesses heading towards an audit or sale, an audit readiness review will identify the specific gaps that need closing before external scrutiny arrives.


7. Systems & Access Controls

Access to systems and data hasn't been reviewed since someone joined

When a member of staff changes role, access permissions rarely get updated immediately. When someone leaves, there is often a delay - sometimes weeks, sometimes longer - before their access is removed. In businesses without a formal access review process, people accumulate permissions over time, and former employees sometimes retain access they should never still have.

This shows up as a material weakness in almost every access controls review of a small or mid-sized business. It's rarely malicious; usually the problem is simply that no one owns the revocation process.

The practical exposure is significant. A former employee with active access to a financial system, a CRM, or a cloud storage platform represents a real risk - regardless of how the employment ended. There's also a practical efficiency argument here. The more controlled your systems access is, the less time is needed reviewing activity after the fact. If the salesperson doesn't have the ability to amend prices in the system in the first place, the risk of an unauthorised discount slipping through unnoticed is reduced - and your finance team don't need to spend time reviewing pricing changes made by the sales team.

What to do about it

Implement a quarterly active user review as a standing task - it takes a couple of hours and involves nothing more than running a user list from each key system and confirming that everyone on it still needs the access they have. Build leaver notifications into your offboarding process so that access removal happens on the last day of employment, not weeks later.

Annually, consider a more comprehensive access exercise - deep diving into who has access to which parts of each system, and who can amend master data. This is more time-intensive work, but the exposure it uncovers is often significant. Feel free to reach out if that is something we can help with.
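The quarterly review and the annual deep dive above are the same reconciliation done at different depths: a user list exported from each system, compared against the HR roster and against what each role should actually hold. The script below is an added example written for this page, not a Navpoint tool or code from the original article. The roster, the role policy, the system names ("ledger", "crm"), the user exports and the review date are all constructed sample data, and the 90-day dormancy threshold is an assumption. It flags the four things a reviewer is looking for: accounts with no HR record, leavers still holding access (and whether that access was used after they left), permissions beyond what the person's current role should carry (the salesperson who can amend prices), and accounts nobody has logged into for months. It also produces the per-system revocation list a leaver notification should trigger on the last day.

```python
from dataclasses import dataclass
from datetime import date

# --- Constructed sample data: hypothetical roster and exports, not real records ---
HR_ROSTER = {
    "alice": {"role": "finance_manager",   "status": "active", "left_on": None},
    "bob":   {"role": "sales",             "status": "active", "left_on": None},
    "carol": {"role": "finance_assistant", "status": "active", "left_on": None},
    "dave":  {"role": "finance_manager",   "status": "left",   "left_on": "2024-01-31"},
}

# Hypothetical role policy: the most each role should hold on each system.
ROLE_POLICY = {
    "finance_manager":   {"ledger": {"post_journal", "approve_payment", "amend_supplier"}, "crm": {"read"}},
    "finance_assistant": {"ledger": {"post_journal"}, "crm": {"read"}},
    "sales":             {"ledger": set(), "crm": {"read", "write"}},
}

# Hypothetical per-system user exports: what "running a user list" produces.
SYSTEM_EXPORTS = {
    "ledger": [
        {"user": "alice", "perms": {"post_journal", "approve_payment", "amend_supplier"}, "last_login": "2024-03-28"},
        {"user": "bob",   "perms": {"amend_price"},     "last_login": "2024-03-01"},
        {"user": "carol", "perms": {"post_journal"},    "last_login": "2023-09-10"},
        {"user": "dave",  "perms": {"approve_payment"}, "last_login": "2024-02-14"},
    ],
    "crm": [
        {"user": "alice",        "perms": {"read"},          "last_login": "2024-03-20"},
        {"user": "bob",          "perms": {"read", "write"}, "last_login": "2024-03-30"},
        {"user": "contractor_x", "perms": {"read", "write"}, "last_login": "2024-01-05"},
    ],
}

AS_OF = date(2024, 4, 1)   # assumed review date for the sample data


@dataclass(frozen=True)
class Finding:
    kind: str       # unknown_account | leaver_active | excess_privilege | dormant
    severity: str   # high | medium | low
    system: str
    user: str
    detail: str


def review_access(roster, policy, exports, as_of, dormant_days=90):
    """Reconcile every account in every system export against HR and the role policy."""
    findings = []
    for system, accounts in exports.items():
        for acct in accounts:
            user, perms = acct["user"], set(acct["perms"])
            last_login = date.fromisoformat(acct["last_login"])
            person = roster.get(user)

            if person is None:
                findings.append(Finding("unknown_account", "high", system, user,
                                        "no HR record; holds " + ", ".join(sorted(perms))))
                continue
            if person["status"] != "active":
                left = date.fromisoformat(person["left_on"])
                detail = f"left on {left}"
                if last_login > left:   # access was actually used after the leaving date
                    detail += f"; logged in on {last_login}, after leaving"
                findings.append(Finding("leaver_active", "high", system, user, detail))
                continue

            allowed = policy.get(person["role"], {}).get(system, set())
            excess = perms - allowed
            if excess:
                findings.append(Finding("excess_privilege", "medium", system, user,
                                        f"role {person['role']} should not hold " + ", ".join(sorted(excess))))
            idle = (as_of - last_login).days
            if idle > dormant_days:
                findings.append(Finding("dormant", "low", system, user, f"no login for {idle} days"))

    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f.severity], f.system, f.user))


def revocation_list(exports, user):
    """Everything one person still holds, per system: the offboarding checklist for their last day."""
    to_revoke = {}
    for system, accounts in exports.items():
        for acct in accounts:
            if acct["user"] == user and acct["perms"]:
                to_revoke.setdefault(system, set()).update(acct["perms"])
    return to_revoke


if __name__ == "__main__":
    for f in review_access(HR_ROSTER, ROLE_POLICY, SYSTEM_EXPORTS, AS_OF):
        print(f"[{f.severity:6}] {f.kind:17} {f.system}/{f.user}: {f.detail}")
    print("revoke for dave:", revocation_list(SYSTEM_EXPORTS, "dave"))
```

Two design choices matter more than the code. First, the HR roster is treated as the source of truth, so the question is never "does this account look reasonable?" but "does HR say this person should be here in this role?". Second, the role policy lists what each role may hold, so excess is computed rather than eyeballed; keeping that policy current is what turns the annual deep dive into a repeatable check rather than a one-off.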


8. Business Continuity

Your business continuity plan has never been tested

Many businesses have a business continuity plan. Fewer have tested it. There is an important difference between a document that describes what would happen in a crisis and an organisation that actually knows what would happen.

Untested plans fail in predictable ways: the contact list is out of date, the backup system hasn't been restored from in years, the recovery time assumptions bear no relationship to operational reality. A tabletop exercise - even a straightforward one - will surface these gaps in a controlled environment before a real incident does it in an uncontrolled one.

If your BCP has not been tested in the last twelve months, you do not yet know whether it works. Our practical guide to testing a business continuity plan covers how to run an exercise and what good looks like.

What to do about it

Run a tabletop exercise. Pick a realistic scenario - a ransomware attack, the loss of your main office, a key supplier failing at short notice - and walk your senior team through it for two hours. You do not need external facilitation for a first exercise, though it helps. The goal is not to pass a test but to find the gaps in a controlled environment. Update the plan based on what comes up, and repeat annually. Reach out if you need any support on this.

For businesses in regulated sectors such as aviation, an untested plan carries additional weight. Regulators increasingly treat an untested BCP as equivalent to no plan at all. A tabletop exercise simulating a scenario relevant to your operation - whether that's a fuel supply failure, a ground handling system outage, or a key personnel loss - is often the most efficient way to demonstrate compliance readiness as well as genuine resilience.


What to do if several of these sound familiar

A few of these applying to your business is normal. No small business has a perfect control environment, and that is not the standard to aim for. The question is whether your controls are proportionate to the risks you face - and whether the gaps you have are ones you have consciously accepted or ones you simply haven't got round to thinking about.

If you want a structured view of where your business stands across governance, financial controls, risk management, operational resilience, and systems access - the Navpoint Controls & Risk Health Check covers all five areas in around 15 minutes. It is free, requires no login, and gives you a domain-level maturity score with tailored insights.

Free Assessment Tool: How do your controls actually stack up?

The Controls & Risk Health Check covers all five control domains in 26 questions and around 15 minutes. No login required, no obligation - just an honest picture of where your business stands.

Take the Free Health Check →
Developed by a Chartered Accountant with experience across a FTSE 100 business and a Top 10 accountancy firm
Need a more detailed conversation?

If you have identified specific gaps and want to discuss what a practical, fixed-price review would look like, get in touch. You will be speaking with someone who has spent nearly a decade working on controls and risk across a FTSE 100 business and a broad client base at a Top 10 accountancy firm - not a generalist consultant.

Get in Touch →

Next: What are Internal Controls? (and why most businesses get them wrong)