Five Common Features of an Internal Control System of Business
Whether a business is small or large, fraud is always a risk. In fact, many smaller operations believe they are the least susceptible to fraud but are often the most likely candidates, simply because they haven't set up the proper internal controls. The COSO Internal Control initiative, a collaboration of the American Institute of CPAs and private businesses, breaks down internal control into five critical components: the control environment, risk assessment, information systems, control procedures and monitoring of controls.
When determining acceptable behavior, employees follow the lead of their managers. For this reason, the control environment is the tone set by the owner and top managers of the business. Managers should have established policies, like a code of ethics, and follow these policies in order for employees to take the internal controls seriously.
A company should perform a risk assessment to identify where fraud might occur. Every company faces general financial risks and specific risks based on its product and industry. Identifying risks allows the company to create policies that will minimize the damage of fraud or mistakes.
An information system is how the company processes accounting data. The owner must have an accurate system for keeping track of assets, profits and losses. The information system should be able to capture, record, summarize and post financial transactions. Along with traditional, modular accounting software, a variety of low-cost, good-quality accounting software designed for small businesses is available.
Control procedures are the way the company achieves the objectives of internal control. Control procedures include proper segregation of duties, comparisons, checks, adequate records, proper approvals and physical safeguards to protect assets. Segregation of duties can be tricky for small businesses with a small staff. In this situation, it's useful to take advantage of part-time or contract staff to build in additional controls.
Monitoring controls means that no person or group can process a transaction without some sort of surveillance. Nowadays, the surveillance can be built into the computer system used to process transactions. Systems can be programmed to “red flag” high-risk transactions for additional managerial scrutiny. A company should utilize internal auditors to monitor controls internally and external auditors to test the system from the outside.