All notes
Controls5 min read

Financial controls a five-person team can actually run

You cannot run a corporate control framework with five people, and you should not try. Here is the lightweight version that prevents real problems without grinding the team to a halt.

Financial controls have a reputation problem. The phrase calls to mind thick policy binders, segregation-of-duties matrices, and a finance department large enough to have a department. At a five-person company, none of that applies. Often the same person opens the mail, approves the invoice, and clicks pay.

That does not mean controls are out of reach. It means you need a smaller set, chosen for the risks that actually exist at your size: a payment going out twice, a vendor that does not exist, a mistake nobody catches for three months. The goal is not to make fraud impossible, which you cannot guarantee with a tiny team anyway. It is to make mistakes and misuse much harder, and much more likely to be caught quickly.

Below are four controls a small team can genuinely run. None requires new hires. All of them earn their keep.

Dual approval above a threshold

The single most useful control for a small company is requiring two people to sign off on payments over a set amount. Pick a threshold that matches your spending, say $2,500, and require a second approver on anything above it. Below that line, one approver is fine, because the downside of a mistake is small and the friction of two-person review is not worth it.

The two people do not both need to be in finance. The founder can be the second approver. What matters is that the person clicking pay is not the only person who looked at the invoice. A surprising share of payment errors, a wrong account number, a duplicate, an inflated total, get caught simply because a second set of eyes saw the number before the money left.

A monthly review by someone other than the preparer

Whoever does the bookkeeping should not be the only person who ever looks at the books. Once a month, someone else, the founder, a finance lead, or an outside firm, should review the closed month: scan the bank reconciliation, look at the largest transactions, and ask about anything unfamiliar.

This does not need to take long. Thirty minutes of an informed second person asking why a category jumped or why a new vendor appeared catches both honest errors and the rare bad actor. The reviewer's questions matter more than their seniority. A short, structured look every month is worth far more than an annual deep dive.

  • Confirm every bank and card account reconciles to its statement
  • Read the five largest transactions and make sure each makes sense
  • Flag any vendor or payee you do not recognize
  • Compare this month's expenses to last month and ask about big swings
  • Check that nothing sits in an uncategorized or suspense account

Access and permission limits

Most small companies give everyone admin access to everything because it is easier on day one. It is also where quiet problems start. The fix is not heavy: give each person the narrowest access that lets them do their job. The bookkeeper can enter and reconcile but not change the chart of accounts. Only one or two people can add a new vendor or change banking details.

That last point deserves emphasis. A common fraud is not a dramatic theft but a small change, swapping a real vendor's bank details for someone else's, so legitimate-looking payments quietly go to the wrong place. Restricting who can change payee banking information, and confirming any change by a second channel like a phone call, shuts down one of the most common ways small companies lose money.

Reconciliations, done on a schedule

Reconciliation, matching your books to your bank and card statements line by line, is the control that quietly underpins all the others. If the books do not tie to the bank, none of the numbers you are reviewing can be trusted. Done monthly, on a fixed date, reconciliation is where duplicate charges, missed transactions, and unexplained differences surface.

Keep it boring and regular. The first business week after month-end, reconcile every account, and do not call the month closed until each one ties out to the cent. A $40 difference you cannot explain is not too small to chase; it is often the visible edge of a process problem worth understanding.

Start small, write it down

You do not need all four controls live by Friday. Start with dual approval and monthly reconciliation, the two with the highest payoff, then add the review and access limits as you grow. The act of writing down who approves what, and at what threshold, is itself a control, because it turns informal habits into something a new hire can follow and an outsider can check.

As your team grows past ten or fifteen people, you will layer on more, and eventually you will be able to separate duties properly. Until then, the aim is honest and proportionate: a few simple rules, consistently followed, that make the common mistakes hard and the rare bad act easy to spot.

The goal is not to make fraud impossible. It is to make mistakes hard and easy to catch.

Let's get your numbers in order.

Tell us a little about your business and what you need help with, and we will reply with the right next step.

1/3
Your details
What you need
What do you need help with?
Team size
Anything else

We will only use your details to reply to this enquiry.