What are Internal Controls? (and why most businesses get them wrong)
If you search "what are internal controls" you'll get a wall of definitions from the Big Four, GRC software vendors, and various governance institutes. Most of them will tell you that internal controls are "the processes, policies and procedures designed to safeguard assets, ensure accurate financial reporting, and promote operational efficiency." Which is accurate. It's also completely useless if you're running a business and trying to work out what this actually means for you in practice.
So let's cut through it.
Internal controls in plain English
Internal controls are the checks and balances built into the way your business operates that stop things going wrong — or catch them quickly when they do. That's it. No framework jargon, no acronym soup. Just the mechanisms that mean the right people are doing the right things, in the right order, with the right oversight.
Some are preventative — they stop problems before they happen. Segregation of duties is the classic example: the person who raises a purchase order shouldn't be the same person who approves the payment. Some are detective — they catch problems after the fact. Bank reconciliations, stock counts, exception reporting. And some are corrective — what happens when something does go wrong, and how you make sure it doesn't happen again.
If you've ever had someone check a colleague's work before it goes out, required two signatures on a payment above a certain threshold, or locked down who can amend supplier bank details — congratulations, you already have internal controls. The question is whether they're deliberate, consistent, and actually working.
The real problem: controls that get bolted on
Here's what I see time and again when I work with businesses on their control environment. Someone — usually an auditor, an investor, or a new FD — identifies that "controls need to be strengthened." So a set of controls gets written up, documented in a policy, circulated to staff, and filed somewhere sensible. Job done.
Except it isn't. Because those controls were designed in isolation, away from the people who actually do the work. They sit alongside the process rather than being woven into it. And within a few months, one of two things happens: most likely, people find workarounds because the controls slow them down, or the controls get followed mechanically without anyone really understanding why they exist.
I've lost count of the number of times I've seen a beautifully documented approval matrix that nobody actually follows, or a monthly reconciliation that gets signed off without anyone genuinely reviewing it. The control exists on paper. In reality, it's a rubber stamp.
This is what happens when controls are treated as a compliance exercise — something you bolt on to satisfy an auditor or tick a governance box. They become bureaucracy rather than business practice.
What good looks like: controls baked into the process
The businesses with genuinely strong control environments don't treat controls as a separate layer. They build them into the way work actually gets done. The control is the process, not an addition to it.
Think about it practically. If your purchase-to-pay process requires a goods received note to be matched against the purchase order before a payment can be released, that's a control embedded in the workflow. The accounts team can't skip it even if they wanted to — the system won't let the payment through without the match. Nobody needs to remember to "do the control" because the control is simply how the process works.
Compare that with a policy that says "all invoices over £5,000 must be reviewed by the Finance Director before payment." That's a control that depends entirely on someone remembering to route the invoice, the FD having time to review it, and nobody deciding to process it anyway when the FD is on holiday. It can work, but it's fragile and easily circumvented — and fragile controls are the ones that fail when it matters most.
The principle applies well beyond finance. Access controls that are enforced by your IT systems are stronger than access policies that rely on people following instructions. Onboarding checklists that are embedded in your HR platform are more reliable than a Word document in a shared drive. Quality checks that happen at each stage of a production line catch problems earlier and cheaper than a final inspection at the end.
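To make the "control is the process" idea concrete, here is an added example (it is not code from this article or from any system the author describes) of a purchase-to-pay release step in which the three-way match, segregation of duties, the threshold sign-off and the supplier bank-detail change control are all enforced by the code path rather than by a policy document. The record shapes, the 2% tolerance, the names and the sample values are assumptions constructed for illustration; the £5,000 threshold is the figure the article uses.

```python
"""Added example, not from the article: a payment-release step where each control
is a check the code path cannot skip. All record shapes, the tolerance and the
sample data are constructed assumptions for illustration."""
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional, Tuple


@dataclass(frozen=True)
class PurchaseOrder:
    po_id: str
    supplier: str
    amount: Decimal
    raised_by: str
    approved_by: str          # assumption: PO approval is recorded on the PO


@dataclass(frozen=True)
class GoodsReceivedNote:
    po_id: str
    received_by: str
    amount: Decimal           # value of what was actually received


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    po_id: str
    supplier: str
    amount: Decimal


@dataclass
class Supplier:
    name: str
    bank_account: str
    # (new_account, requested_by) while a change awaits independent approval
    pending_bank_change: Optional[Tuple[str, str]] = None


class ControlFailure(Exception):
    """Raised when a control would be bypassed; no payment instruction is built."""


TOLERANCE = Decimal("0.02")      # assumed 2% match tolerance
FD_THRESHOLD = Decimal("5000")   # the article's £5,000 review threshold


def request_bank_change(supplier: Supplier, new_account: str, requested_by: str) -> None:
    """Amending bank details only records a pending change; it never takes effect here."""
    supplier.pending_bank_change = (new_account, requested_by)


def approve_bank_change(supplier: Supplier, approver: str) -> None:
    """The change takes effect only when someone other than the requester approves it."""
    if supplier.pending_bank_change is None:
        raise ControlFailure("no bank-detail change is pending")
    new_account, requested_by = supplier.pending_bank_change
    if approver == requested_by:
        raise ControlFailure("bank-detail change must be approved by someone else")
    supplier.bank_account = new_account
    supplier.pending_bank_change = None


def release_payment(po: PurchaseOrder, grn: GoodsReceivedNote, inv: Invoice,
                    supplier: Supplier, releaser: str, fd_signoff: Optional[str] = None) -> dict:
    """Return a payment instruction, or raise ControlFailure. The instruction is only
    constructed after every check passes, so none of them can be 'forgotten'."""
    # Three-way match: PO, GRN and invoice must refer to the same order and supplier...
    if not (po.po_id == grn.po_id == inv.po_id):
        raise ControlFailure("invoice or GRN does not reference the PO")
    if po.supplier != inv.supplier or po.supplier != supplier.name:
        raise ControlFailure("supplier on invoice, PO and master record disagree")
    # ...and agree on value within tolerance.
    for label, other in (("GRN", grn.amount), ("invoice", inv.amount)):
        if abs(other - po.amount) > po.amount * TOLERANCE:
            raise ControlFailure(f"{label} value {other} outside tolerance of PO {po.amount}")
    # Segregation of duties: raise, approve, receive and release are four different people.
    roles = {"raised": po.raised_by, "approved": po.approved_by,
             "received": grn.received_by, "released": releaser}
    if len(set(roles.values())) < len(roles):
        raise ControlFailure(f"segregation of duties violated: {roles}")
    # Threshold control: above the FD threshold an independent, named sign-off is required.
    if inv.amount > FD_THRESHOLD and (fd_signoff is None or fd_signoff in roles.values()):
        raise ControlFailure("payment above threshold needs independent FD sign-off")
    # Bank-detail change control: never pay to details that are still awaiting approval.
    if supplier.pending_bank_change is not None:
        raise ControlFailure("supplier bank details changed and not yet approved")
    return {"invoice": inv.invoice_id, "pay_to": supplier.bank_account, "amount": inv.amount}


def try_release(*args, **kwargs):
    """Return ('released', instruction) or ('blocked', reason) instead of raising."""
    try:
        return "released", release_payment(*args, **kwargs)
    except ControlFailure as exc:
        return "blocked", str(exc)


def sample():
    """Constructed sample records: a £6,000 order, received in full, invoiced at £6,050."""
    po = PurchaseOrder("PO-100", "Acme Ltd", Decimal("6000"), raised_by="alice", approved_by="bob")
    grn = GoodsReceivedNote("PO-100", received_by="carol", amount=Decimal("6000"))
    inv = Invoice("INV-7", "PO-100", "Acme Ltd", Decimal("6050"))
    supplier = Supplier("Acme Ltd", "12-34-56 00012345")
    return po, grn, inv, supplier


if __name__ == "__main__":
    po, grn, inv, sup = sample()
    print(try_release(po, grn, inv, sup, releaser="dana", fd_signoff="fd"))
    print(try_release(po, grn, inv, sup, releaser="alice", fd_signoff="fd"))   # SoD breach
    request_bank_change(sup, "99-99-99 99999999", requested_by="alice")
    print(try_release(po, grn, inv, sup, releaser="dana", fd_signoff="fd"))   # pending change
```

The point of the structure is that the article's fragile version ("the FD must review invoices over £5,000") becomes a named parameter the release function refuses to proceed without, and an amended bank account is simply not the account payments go to until a second person has approved it. Running the block prints one released instruction followed by two blocked attempts.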
Why this matters more than you might think
For growing businesses — particularly those in the £5m to £500m turnover range — getting this right isn't just about keeping auditors happy. It's about three things that directly affect your bottom line.
First, it's about trust. If you're seeking investment, going through a sale process, or preparing for any kind of due diligence, the strength of your control environment will be scrutinised. Acquirers and investors treat weak controls as a risk premium. Control weaknesses can directly reduce the offer price: the buyer will price in the cost of fixing what should already have been in place, or discount for doubts about the accuracy of the numbers.
Second, it's about efficiency. Well-designed controls actually speed things up rather than slow them down. When everyone knows the process, when approvals are built into workflows rather than chased by email, and when reconciliations happen continuously rather than in a month-end scramble — the business runs more smoothly. The irony is that the businesses most resistant to "adding controls" often have the most chaotic, time-consuming processes precisely because they lack them.
Third, it's about sleeping at night. If you're a Finance Director, a business owner, or a board member, you need to know that the numbers you're looking at are reliable, that cash isn't walking out the door without proper oversight, and that the business can withstand a key person being absent. Good controls give you that confidence. Without them, you're relying on trust alone — and trust isn't a control.
Controls need to be commercially viable, not just thorough
Here's something the Big Four and expensive consultants won't tell you: it's entirely possible to over-control a business. I've seen it happen. A well-meaning controls project introduces four layers of approval for routine purchases, mandatory sign-off from three departments before a supplier can be onboarded, and weekly reconciliation meetings that pull senior people out of the work that actually generates revenue. The control framework looks bulletproof on paper. In practice, at best margins start falling, and at worst the business grinds to a halt.
The point of internal controls is to protect the business — but the business still needs to operate. Every control has a cost, whether that's someone's time, a process delay, or the opportunity cost of management attention being spent on oversight rather than growth. If the cost of a control outweighs the risk it's mitigating, it's not a good control. It's just bureaucracy with a governance label.
This is where proportionality matters. A three-way match on purchase orders makes perfect sense when you're processing thousands of invoices a month. For a business that processes twenty, it might be overkill — and a simpler approval with a monthly review might give you 90% of the protection at 20% of the effort. The right answer always depends on the size of the business, the nature of the risk, and the commercial reality of how the operation actually runs.
In the control environments I've worked in, I've always tried to strike a balance: rigorous where the risk is material, pragmatic where it isn't, and always designed with the understanding that the business exists to make money — not to produce audit evidence. I haven't always got it right first time, but good controls look like a business moving confidently in the direction of sustainable growth, with controls designed to support this. If your controls are slowing down your commercial operations without a proportionate reduction in risk, they need rethinking.
Getting started without overcomplicating it
If you're reading this and thinking your controls might not be where they should be, don't panic, and don't rush out to buy expensive GRC software. Start with the basics.
Look at your core financial processes — purchase-to-pay, order-to-cash, payroll, month-end close — and ask: where are the points at which something could go wrong? Then ask: what's currently stopping that from happening? If the answer is "nothing" or "we trust the person doing it," that's your gap.
Focus on the controls that are proportionate to your risk. A £10m business doesn't need the same control framework as a FTSE 100 company. But it does need the fundamentals: proper segregation of duties, sensible approval thresholds, regular reconciliations, and access controls that actually restrict access.
And critically, design them into the process from the start. If you're implementing a new system, build the controls into the configuration. If you're redesigning a workflow, make the control a mandatory step — not an optional add-on. The goal is to make it harder to do the wrong thing than the right thing.
Where do you stand?
Most businesses have some controls in place. The question is whether they're the right ones, whether they're actually working, and whether there are gaps you haven't spotted yet.
Take our free Internal Controls Health Check
It takes about 15 minutes and covers five key domains: governance, risk management, financial reporting controls, business continuity, and systems & data. You'll get an instant visual breakdown of where your business is strong and where the gaps might be — no commitment, no sales call, just a practical starting point.
Take the Health Check →
If you already know your controls need work and want to talk it through, you can find out more about how we help businesses strengthen their control environment on our internal controls services page.