
Internal Controls in Accounting: Types, Examples, and Documentation

A practical guide to internal controls in accounting: preventive vs. detective controls, segregation of duties, SOX requirements, and how to document them.

Yuval Karmi

May 17, 2026


The first time an auditor asked me to “walk through your controls,” I realized we didn’t really have any. We had a finance person who was careful. That’s not the same thing.

What we had was a smart, conscientious person doing the right things because she happened to know they were the right things. Nothing was written down. Nothing was tested. If she approved a payment and also entered it and also reconciled the account, that was fine, because it was her. The control wasn’t a control. It was a person we trusted, which is exactly what internal controls are supposed to replace.

I’m Yuval, founder and CEO of Glitter AI. I’m not an accountant, and I’m not going to pretend internal controls are exciting. But I’ve watched enough finance teams get burned by the gap between “we’re careful” and “we can prove it” that I want to walk through internal controls in accounting the way they actually work, not the textbook version.

Document your accounting controls once, prove them forever

Teach your co-workers or customers how to get stuff done – in seconds.

What are internal controls in accounting?

Internal controls in accounting are the policies, procedures, and checks a company puts in place to protect its assets, keep its financial records accurate, and prevent fraud and error. They’re the structural reason a single mistake or a single bad actor can’t quietly drain the company or distort the books.

The framework most people point to here is COSO, which splits internal control into five components: the control environment, risk assessment, control activities, information and communication, and monitoring. Don’t bother memorizing that. What it really comes down to is that controls aren’t just a list of rules. They’re a system. A culture that takes accuracy seriously, an honest read of where the risks are, the day-to-day checks themselves, the right information reaching the right people, and someone watching to confirm the checks are happening.

When people say “internal controls,” they usually mean that third component, control activities. That’s the part you can see and test: approvals, reconciliations, segregation of duties, system access restrictions. The rest of this post focuses there, because that’s where finance teams and controllers spend their time, and it’s the part auditors will ask you to walk through.

Why internal controls matter (beyond passing the audit)

It’s easy to treat controls as an audit tax, the thing you do because someone external makes you. That mindset is exactly why so many control environments are weak.

Good internal controls do three things that matter long before an auditor shows up. They prevent loss, by making fraud and large errors structurally hard instead of betting on everyone staying honest and careful forever. They produce reliable numbers, so the financials you’re making decisions from are actually right, which means every downstream call rests on something solid. And they remove single points of failure, so the company doesn’t stall the week one person is out, the way mine did before I understood any of this.

The data makes the case plainly. The ACFE’s 2024 Report to the Nations found that organizations lose 5% of annual revenue to fraud on average, with a global median loss of $145,000 per case - and the most common contributing factor is a lack of internal controls, cited in 32% of all fraud cases studied.

The audit is just the moment someone checks whether all of that is real. If the controls are genuinely working, the audit is mostly a documentation exercise. If they’re not, the audit is where you find out, expensively.

The two main types of internal controls

Almost every accounting control falls into one of two buckets based on when it acts: before something bad happens, or after.

Preventive controls

Preventive controls stop errors and fraud before they enter the books. They’re the locked door, not the alarm. Examples:

  • Approval requirements. A payment over a threshold can’t be released without a manager’s sign-off.
  • Segregation of duties. The person who enters a vendor can’t also approve payments to that vendor (more on this below).
  • System access restrictions. Only AP staff can create invoices; only the controller can post journal entries above a limit.
  • Mandatory matching. An invoice can’t be paid until it’s matched against a purchase order and receipt.

Preventive controls are the stronger of the two, for a simple reason: a problem you prevented costs nothing. The catch is that no preventive control is airtight, which is why you need the second bucket too.

Detective controls

Detective controls catch errors and fraud after they’ve happened, ideally fast enough to fix or recover. They’re the alarm and the camera footage. Examples:

  • Bank reconciliations. Comparing the ledger to the bank statement every month surfaces anything that slipped through.
  • Variance analysis. Actuals wildly off from budget or prior periods get investigated.
  • Account reconciliations. Sub-ledgers tied back to the general ledger reveal what doesn’t tie out.
  • Periodic audits and reviews. Someone independently re-checks a sample of transactions.

You need both working together. Preventive controls keep the volume of problems low. Detective controls catch what gets through and, just as usefully, tell you whether your preventive controls are actually doing their job. There’s a third category too, corrective controls (the documented response once a detective control fires), which is what closes the loop. In practice most teams just fold that into their detective control procedures.
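A toy version of the monthly bank reconciliation described above, as an added example that is not the article's or any product's code. It runs over a constructed ledger and bank statement (every reference, amount and memo is made up) so the three kinds of exception a reconciliation surfaces are visible: an item outstanding in the ledger, bank activity nobody recorded, and an amount that was keyed wrong.

```python
"""Toy month-end bank reconciliation (added example, not the article's or any product's code)."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Entry:
    ref: str       # check number or transfer reference
    amount: float  # positive = money in, negative = money out
    memo: str

def reconcile(ledger: List[Entry], bank: List[Entry]) -> Dict[str, object]:
    """Match ledger and bank lines on (ref, amount) and report what does not tie out:
    ledger-only items are outstanding (or fictitious), bank-only items were never
    recorded, and a shared ref with different amounts is a keying or pricing error."""
    ledger_keys = Counter((e.ref, round(e.amount, 2)) for e in ledger)
    bank_keys = Counter((e.ref, round(e.amount, 2)) for e in bank)
    only_ledger = list((ledger_keys - bank_keys).elements())
    only_bank = list((bank_keys - ledger_keys).elements())
    amount_diffs = [(lr, la, ba) for lr, la in only_ledger for br, ba in only_bank if lr == br]
    flagged = {ref for ref, _, _ in amount_diffs}
    return {
        "outstanding_in_ledger": [k for k in only_ledger if k[0] not in flagged],
        "missing_from_ledger": [k for k in only_bank if k[0] not in flagged],
        "amount_differences": amount_diffs,
        "ledger_total": round(sum(e.amount for e in ledger), 2),
        "bank_total": round(sum(e.amount for e in bank), 2),
    }

# Constructed sample month: references, amounts and memos are made up for the example.
LEDGER = [
    Entry("CHK1041", -2300.00, "Rent"),
    Entry("CHK1042", -480.00, "Office supplies"),
    Entry("DEP2201", 12500.00, "Customer payment"),
    Entry("CHK1043", -1950.00, "Acme Supply invoice"),   # mailed, not yet cleared
]
BANK = [
    Entry("CHK1041", -2300.00, "Rent"),
    Entry("CHK1042", -840.00, "Office supplies"),        # digits transposed somewhere
    Entry("DEP2201", 12500.00, "Customer payment"),
    Entry("ACH7781", -699.00, "Unknown vendor"),         # nobody recorded this debit
]

if __name__ == "__main__":
    for name, items in reconcile(LEDGER, BANK).items():
        print(f"{name}: {items}")
```

Each exception list is the work queue for the corrective step: the outstanding check is confirmed or voided, the unrecorded debit is investigated, and the transposed amount is corrected, with the reviewer's sign-off filed as evidence the control ran.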


Segregation of duties: the control everyone gets wrong

If you only fix one thing, fix this. Segregation of duties (SoD) is the principle that no single person should control a transaction end to end. The classic split is into three functions that should never sit with the same person:

  1. Authorization - approving that a transaction should happen.
  2. Recording - entering it into the accounting system.
  3. Custody - handling the actual asset (cash, checks, the ability to release a payment).

When one person does all three, they can create a fake vendor, approve a payment to it, record it, and release the money, with nobody else ever seeing it. That’s not a hypothetical. The ACFE finds that frauds go undetected for a median of 12 months - and organizations with proper anti-fraud controls in place experience both smaller losses and faster detection. Four specific controls - surprise audits, financial statement audits, hotlines, and proactive data analysis - were each associated with at least a 50% reduction in both fraud losses and fraud duration. Broken segregation of duties is what makes those 12-month windows possible.

Here’s the honest problem for small finance teams: you often just don’t have enough people to split three ways cleanly. That’s real, and pretending otherwise helps nobody. The answer isn’t to give up. It’s to add compensating controls. If the same person enters and pays, then someone independent (often the owner or a controller) reviews every payment over a threshold and reconciles the bank account themselves. The duties still aren’t fully segregated, but the compensating review makes the gap visible. The mistake is doing neither and calling careful people a control. SoD in modern systems is usually enforced through role-based access control, so the system itself stops one login from doing all three jobs.

The practice of matching invoices, POs, and receipts in accounts payable is segregation of duties made concrete: purchasing creates the PO, receiving confirms the goods arrived, and AP matches both against the invoice before anyone pays. No single function can push a payment through alone. If you want to see how that lands in a real workflow, the accounts payable process walks through where each control sits step by step.
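A toy model of that payment gate, as an added example that is not the article's or Glitter AI's code. It combines the three-way match with the authorize / record / custody split from the previous section, and includes the compensating independent review described for small teams; the approval threshold and the user names are assumptions, not values from the article.

```python
"""Toy AP payment gate (added example, not the article's or any product's code)."""
from dataclasses import dataclass
from typing import List, Optional
APPROVAL_THRESHOLD = 5_000.00  # assumed policy value; the article names no figure

@dataclass(frozen=True)
class Doc:  # a purchase order, goods receipt or vendor invoice
    vendor: str
    quantity: int
    unit_price: float

@dataclass(frozen=True)
class PaymentRequest:
    po: Doc                            # purchasing creates the PO
    receipt: Doc                       # receiving confirms the goods arrived
    invoice: Doc                       # AP records the vendor invoice
    recorded_by: str                   # recording duty
    released_by: str                   # custody duty (releases the funds)
    approved_by: Optional[str] = None  # authorization duty
    reviewed_by: Optional[str] = None  # compensating control: independent reviewer

def three_way_match(po: Doc, receipt: Doc, invoice: Doc) -> List[str]:
    """Discrepancies between PO, receipt and invoice; an empty list means they match."""
    issues = []
    if not (po.vendor == receipt.vendor == invoice.vendor):
        issues.append("vendor mismatch")
    if not (po.quantity == receipt.quantity == invoice.quantity):
        issues.append("quantity mismatch")
    if abs(po.unit_price - invoice.unit_price) > 0.005:
        issues.append("unit price mismatch")
    return issues

def sod_violations(req: PaymentRequest) -> List[str]:
    """One entry per pair of duties (authorize / record / custody) held by the same user."""
    held = [("authorize", req.approved_by), ("record", req.recorded_by), ("custody", req.released_by)]
    return [f"{u} holds both {a} and {b}" for i, (a, u) in enumerate(held)
            for b, v in held[i + 1:] if u is not None and u == v]

def payment_decision(req: PaymentRequest) -> List[str]:
    """Every reason to block the payment; an empty list means it may be released."""
    reasons = three_way_match(req.po, req.receipt, req.invoice)
    if req.invoice.quantity * req.invoice.unit_price > APPROVAL_THRESHOLD and req.approved_by is None:
        reasons.append("over threshold with no manager approval")
    violations = sod_violations(req)
    if violations:
        # Small-team case: review by someone outside the transaction makes the gap visible; self-review does not.
        insiders = {req.approved_by, req.recorded_by, req.released_by}
        if req.reviewed_by is None or req.reviewed_by in insiders:
            reasons.extend(violations)
    return reasons
```

In a real system the same checks live in role-based access control and workflow rules inside the ERP, so one login cannot hold two of the duties in the first place; the list of reasons is what you would log as evidence that the control fired.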

SOX and the documentation requirement

If you’re at a public company (or heading toward one), the Sarbanes-Oxley Act, usually just called SOX, makes a lot of this non-optional. The part finance teams feel most is Section 404, which requires management to assess and report on the effectiveness of internal control over financial reporting, with the external auditor attesting to it.

The implication people consistently underestimate: under SOX, a control that exists but isn’t documented effectively doesn’t exist. You have to show the control, show who performs it, show evidence it ran each period, and show it was independently reviewed. “We always reconcile” is not a SOX control. “Here is the documented reconciliation procedure, here are the signed reconciliations for all twelve months, here is the reviewer’s sign-off” is a SOX control.

Even if SOX doesn’t legally apply to you, this is still the right bar. Private companies get acquired, raise institutional money, and run into their own regulatory compliance obligations, and every one of those moments turns into a controls review. Building documented controls early is a lot cheaper than reconstructing them under deal pressure. (Service organizations run into a parallel version of this with SOC 2 compliance, where the same “document it or it didn’t happen” rule governs operational controls.)

How to document internal controls so they actually hold up

Here’s the part where most teams fall short, and where I have strong opinions, because documentation is the thing Glitter AI exists to fix.

A control isn’t real until three things are documented: what the procedure is, who performs and reviews it, and evidence that it ran each period. Miss any one and an auditor (or an acquirer’s diligence team) treats the control as not operating.

A few things that reliably separate documentation that holds up from documentation that doesn’t:

  • Write the actual procedure, not a policy statement. “We reconcile bank accounts monthly” is a policy. The control is the step-by-step: who pulls the statement, what they compare it against, how exceptions get logged, who reviews it, where it’s filed. The detail is the whole point.
  • Name roles, not people. Tie controls to “the AP Clerk” and “the Controller,” not “Sarah.” People leave. The control has to survive them, which is the entire reason it exists.
  • Capture the screen, not just the words. Most accounting controls live inside QuickBooks, Sage, NetSuite, or your ERP. A control procedure that’s pure text loses the part that actually matters: which screen, which button, which field. This is exactly why I built Glitter AI to record the workflow as you do it once, screenshots and all, instead of asking someone to write it from memory later.
  • Keep version history. Auditors don’t just want the current procedure, they want to know it didn’t quietly change mid-year. Version history turns “trust us” into a record.

If you’re standing up control documentation across the finance function, our playbook for documenting accounting procedures is the broader reference, and it breaks the work down role by role so you can see where each control belongs. Teams that have to produce this for audit or diligence usually end up living in something like our compliance SOPs solution, because the version trail is the whole game.

A practical starting point

You don’t need a 200-page control manual on day one. You need the high-risk controls documented well. Starting from zero, here’s the order I’d go in: cash disbursement approvals, bank and account reconciliations, the vendor setup and banking-change procedure, journal entry review, and access/permission reviews. Those five cover where the money and the misstatement risk actually pile up.

Get those genuinely documented (procedure, roles, evidence) before you worry about being complete. A handful of real, tested, documented controls beats a thick binder of policies nobody follows. The whole point of internal controls in accounting is that the company stays safe and the numbers stay true even when the careful person isn’t in the room. Finance teams that have lived through this usually centralize all of it, which is why so many run their documentation through our financial services solution instead of scattered Word files.


Frequently Asked Questions

What are internal controls in accounting?

Internal controls in accounting are the policies, procedures, and checks a company uses to protect assets, ensure accurate financial records, and prevent fraud and error. They include approvals, reconciliations, segregation of duties, and system access restrictions, organized so no single mistake or bad actor can quietly distort the books.

What are the main types of internal controls?

The two main types are preventive controls, which stop errors and fraud before they enter the books (like approval requirements and segregation of duties), and detective controls, which catch problems after they occur (like bank reconciliations and variance analysis). Corrective controls, the documented response once a problem is detected, are often folded into detective procedures.

What is the difference between preventive and detective controls?

Preventive controls act before a problem happens to stop it, like requiring approval before a payment is released. Detective controls act after the fact to catch what slipped through, like a monthly bank reconciliation. Strong control environments use both: preventive controls keep problem volume low, and detective controls confirm the preventive controls are working.

What is segregation of duties in accounting?

Segregation of duties is the principle that no single person should control a transaction end to end. The three functions that should be split are authorization (approving the transaction), recording (entering it in the system), and custody (handling the asset or releasing payment). Splitting these makes it structurally hard for one person to commit and conceal fraud.

How do small teams handle segregation of duties without enough people?

Small finance teams that can't split duties three ways should add compensating controls. The most common is an independent review: if one person enters and pays, someone else (often a controller or owner) reviews every payment over a threshold and personally performs the bank reconciliation. The duties aren't fully separated, but the independent check makes any gap visible.

What does SOX require for internal controls?

The Sarbanes-Oxley Act, particularly Section 404, requires public-company management to assess and report on the effectiveness of internal control over financial reporting, with the external auditor attesting to it. In practice this means controls must be documented, performed by identified roles, evidenced each period, and independently reviewed. An undocumented control is treated as not operating.

What is the three-way match and why is it a control?

The three-way match compares the purchase order, the goods receipt, and the vendor invoice before a payment is approved. It's a preventive control and a form of segregation of duties: purchasing creates the PO, receiving confirms delivery, and accounts payable matches both against the invoice, so no single function can push a payment through alone.

How do you document internal controls properly?

Effective control documentation captures three things: what the procedure is (the step-by-step, not a policy statement), who performs and reviews it (named by role, not by person), and evidence it ran each period. Capturing the actual system screens and keeping version history are what make documentation hold up under audit or diligence.

Which internal controls should a company document first?

Start with the highest-risk controls where money and misstatement risk concentrate: cash disbursement approvals, bank and account reconciliations, the vendor setup and banking-change procedure, journal entry review, and access or permission reviews. A handful of genuinely documented and tested controls is worth more than a thick binder of unfollowed policies.

Do private companies need internal controls?

Yes. Even when SOX doesn't legally apply, private companies face acquisitions, institutional fundraising, lender requirements, and their own regulatory compliance obligations, each of which triggers a controls review. Building documented internal controls early is far cheaper than reconstructing them under deal or audit pressure later.
