Mid-market internal controls should be purpose-designed for small teams of one to five people, not watered-down versions of SOX or COSO — the objectives are the same but the mechanisms must differ. Classic segregation of duties is structurally impossible at this scale, so compensating controls, system-enforced limits, and external review replace the separation that headcount cannot provide. The most common mid-market control failure is not missing controls but undocumented controls: the reconciliation is done, the review happens, but no evidence is retained. The FRC’s 2025 Audit Quality Review found that recurring preparation issues originate at the company, not at the audit firm. ICAEW confirms 73% of audit quality issues trace to preparation quality, and BDO reports 58% of mid-market companies describe their audit as stressful — a direct consequence of 11 months of informal controls followed by one month of frantic documentation.
Most guidance on internal controls assumes an enterprise context: dedicated internal audit teams, formal risk registers, segregation of duties across departments, and compliance frameworks like SOX or COSO. For a mid-market company with one to five people in finance, this guidance is not just impractical — it is misleading. Attempting to implement simplified SOX in a three-person team produces overhead without proportionate benefit and diverts scarce capacity from the controls that actually matter.
This article presents internal controls designed from scratch for mid-market reality. Not enterprise controls made smaller, but different controls that achieve the same objectives — accurate financial reporting, asset protection, and compliance readiness — with the resources available.
Why Mid-Market Controls Need a Different Design
The fundamental constraint in mid-market finance is headcount. With one to five people, the classic enterprise control — segregation of duties — is structurally impossible for most processes. The person who raises the purchase order is the same person who approves the invoice and posts the payment. The person who prepares the reconciliation is the same person who reviews it.
Enterprise frameworks solve this with separation: different people authorise, execute, and review. Mid-market frameworks must solve it differently: compensating controls, system-enforced limits, and external review replace the separation that headcount cannot provide.
The FRC’s Audit Quality Review 2025 identified recurring preparation issues in audited companies — issues that originate at the company, not at the audit firm. The most common: controls are performed but not documented. The reconciliation is done monthly. The finance director reviews the numbers. The variance is investigated. But none of this produces evidence that an auditor — or a successor, or a board member — can verify.
ICAEW confirms: 73% of audit quality issues trace to preparation quality. And preparation quality is determined by the controls operating throughout the year, not by year-end effort. BDO reports that 58% of mid-market companies describe their audit as stressful — a direct consequence of 11 months of informal controls followed by one month of frantic documentation.
Three Categories of Controls
Preventive Controls
Preventive controls stop errors and irregularities before they enter the financial records. They are the first line of defence and the most cost-effective:
| Control | Purpose | Mid-Market Implementation |
|---|---|---|
| Approval workflows | Ensure expenditure is authorised before commitment | Tiered approval: email approval for routine, dual sign-off for material |
| Authorisation limits | Prevent unauthorised payments | System-enforced payment limits; bank mandate with dual signatory above threshold |
| Input validation | Reject incomplete or illogical entries | ERP validation rules: mandatory cost centre, valid GL code, period check |
| Access controls | Restrict who can modify master data, post journals, approve payments | User permissions in accounting system; admin access restricted to finance lead |
| Standard journal templates | Prevent posting errors in recurring entries | Pre-built templates for depreciation, accruals, prepayments |
Preventive controls require upfront configuration but minimal ongoing effort. Once an approval limit is set in the banking system, it operates automatically. The investment is in setup, not in maintenance.
Detective Controls
Detective controls identify errors after they have occurred. They are the safety net that catches what preventive controls miss:
| Control | Purpose | Mid-Market Implementation |
|---|---|---|
| Bank reconciliation | Confirm cash records match bank statements | Monthly; reconciling items investigated within 5 days |
| Balance sheet reconciliation | Confirm all balance sheet items are supported and explained | Monthly for material accounts; quarterly for immaterial |
| Variance analysis | Identify unexpected movements requiring investigation | Monthly actual vs budget and prior period; material variances explained |
| Analytical review | Identify anomalies through ratio and trend analysis | Monthly review of key ratios: gross margin, overhead ratio, working capital |
| Exception reporting | Flag transactions outside normal parameters | Automated alerts: transactions above threshold, duplicate payments, unusual timing |
Detective controls require regular execution and — critically — documented evidence. A reconciliation performed but not saved is invisible to auditors, successors, and governance frameworks.
Compensating Controls
Compensating controls replace controls that cannot operate due to structural constraints. In mid-market finance, the primary constraint is insufficient headcount for segregation of duties:
| Missing Control | Compensating Control | How It Works |
|---|---|---|
| Segregation: raise PO / approve invoice / post payment | Board member reviews bank reconciliation monthly | Independent review catches unauthorised or erroneous payments after the fact |
| Segregation: prepare reconciliation / review reconciliation | External accountant reviews reconciliations quarterly | Independent party provides the review that internal segregation would provide |
| Segregation: post journals / approve journals | System-generated journal listing reviewed by finance lead | All manual journals listed and reviewed; unusual entries investigated |
| Segregation: payroll preparation / payroll approval | Director signs off payroll summary before payment | Independent approval even when preparation and processing are the same person |
Compensating controls are not inferior to segregation — they are different mechanisms achieving the same objective. The key is that each compensating control must be documented and evidenced just as formally as the control it replaces.
Control Designs by Team Size
The 1-Person Finance Team
A sole finance person — typically a bookkeeper or part-qualified accountant, sometimes the founder — handles everything from transaction posting to year-end preparation. Segregation is structurally impossible.
Control framework:
| Process | Control | Evidence | Reviewer |
|---|---|---|---|
| Payments | Bank mandate requires dual signatory above £5,000 | Bank records | Director/owner |
| Journal posting | Monthly journal listing generated from system | System report saved | External accountant (quarterly) |
| Bank reconciliation | Monthly reconciliation completed by Day 5 | Saved reconciliation file | Director reviews and signs |
| Expense claims | All claims submitted with receipts; director approves | Email approval chain | Director |
| Month-end close | Close checklist completed monthly | Completed checklist saved | External accountant reviews quarterly |
| Payroll | Director approves payroll summary before submission | Signed payroll summary | Director |
Key principle: The director or owner provides the independent review that a second finance person would otherwise provide. The external accountant provides periodic independent assurance.
The 3-Person Finance Team
A typical configuration: finance director or controller, management accountant, and bookkeeper/AP clerk. Some segregation is possible but not complete.
Control framework:
| Process | Preparer | Reviewer | Approver | Evidence |
|---|---|---|---|---|
| Payments under £10K | Bookkeeper | Controller | — | Payment list reviewed weekly |
| Payments over £10K | Controller | FD | Bank dual signatory | Signed payment authorisation |
| Bank reconciliation | Bookkeeper | Controller | — | Signed reconciliation |
| Balance sheet reconciliation | Controller | FD | — | Signed reconciliation pack |
| Journal posting | Controller | FD reviews listing | — | Monthly journal listing signed |
| Payroll | Bookkeeper prepares | Controller reviews | FD approves | Signed payroll summary |
| Month-end close | Controller leads | FD reviews close pack | — | Close checklist and sign-off |
| Management report | Controller prepares | FD reviews and approves | — | Final version saved with review notes |
Key principle: The three-person team allows a prepare-review separation for most processes. The FD provides oversight rather than execution, freeing capacity for analysis and governance.
The 5-Person Finance Team
A more mature configuration: FD, controller, management accountant, AP/AR clerk, and finance assistant. Meaningful segregation is achievable.
Control framework:
| Process | Preparer | Reviewer | Approver | Evidence |
|---|---|---|---|---|
| Purchase orders | Requesting manager | AP clerk processes | Controller approves above threshold | System workflow |
| Payments | AP clerk | Controller | FD (dual signatory above £25K) | Bank records + signed authorisation |
| Bank reconciliation | Finance assistant | Management accountant | Controller signs | Signed reconciliation |
| Balance sheet reconciliation | Management accountant | Controller | FD reviews summary | Reconciliation pack |
| Revenue recognition | Management accountant | Controller | FD confirms | Documented calculation |
| Journal posting | Management accountant | Controller reviews | — | Journal listing signed |
| Payroll | AP/AR clerk | Controller | FD approves | Signed summary |
| Month-end close | Controller coordinates | FD reviews | — | Close pack with sign-offs |
| Forecast and budget | Controller prepares | FD reviews | Board approves | Board minutes |
Key principle: With five people, genuine three-way segregation (prepare, review, approve) is possible for high-risk processes. The control framework approaches enterprise quality without enterprise overhead.
The Control Documentation Matrix
Regardless of team size, every control needs to be documented in a simple matrix:
| # | Control Description | Type | Frequency | Owner | Evidence | Last Tested |
|---|---|---|---|---|---|---|
| 1 | Bank reconciliation prepared and reviewed | Detective | Monthly | Controller | Signed reconciliation | Feb 2026 |
| 2 | Payments above £10K require dual bank signatory | Preventive | Per transaction | FD | Bank records | Ongoing |
| 3 | Manual journal listing reviewed by FD | Detective | Monthly | FD | Signed listing | Feb 2026 |
| 4 | System access review — finance systems | Preventive | Quarterly | Controller | Access report | Q4 2025 |
| 5 | Payroll summary approved before submission | Preventive | Monthly | FD | Signed summary | Feb 2026 |
This matrix serves three audiences:
- The finance team — a checklist of what must happen each period
- The auditor — evidence that controls exist and operate
- The successor — understanding of the control framework they are inheriting
Keep the matrix in a shared location (SharePoint, shared drive). Update it when controls change. Review it quarterly. It takes one to two hours to create and fifteen minutes per month to maintain.
Controls Performed but Not Documented
The most common control failure in mid-market finance is not missing controls — it is undocumented controls. The finance director reviews the monthly numbers but does not save evidence of the review. The controller reconciles the bank account but overwrites last month’s file. The bookkeeper checks invoices against purchase orders but does not tick a checklist.
From a governance and audit perspective, a control without evidence is a control that does not exist. The auditor cannot test what they cannot see. The successor cannot rely on what they cannot verify.
The fix is simple and costs nothing:
- Save, do not overwrite — file reconciliations by period, do not reuse the same file
- Add a sign-off line — “Prepared by: [name] [date] / Reviewed by: [name] [date]” at the bottom of every reconciliation and report
- Use a checklist — print or share a monthly close checklist; tick items as completed; save the completed checklist
- Retain email evidence — when approval happens by email, save the email chain alongside the transaction documentation
These are not additional controls. They are evidence of controls already being performed. The marginal effort is five minutes per control per month. The marginal value — in audit cost savings, governance quality, and succession readiness — is substantial.
Practical Examples of Mid-Market Control Failures
Example 1: The Duplicate Payment
A three-person team processes supplier payments. The bookkeeper enters invoices, and the controller approves the payment run. No duplicate check exists in the system. A supplier submits the same invoice twice with different reference numbers. Both are paid. The error is discovered three months later during a supplier statement reconciliation.
Prevention: Configure the accounting system to flag invoices with matching amounts from the same supplier within 30 days. Cost: zero (most accounting systems support this). Time: 30 minutes to configure.
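The duplicate check described above, written out as an added example (not code from the article or from any particular accounting system): it groups posted invoices by supplier and amount, deliberately ignoring the reference number, and flags any two that fall within the 30-day window. The field names, the pence-based amounts and the sample suppliers and invoices are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Invoice:
    ref: str           # supplier's invoice reference, as keyed in by the bookkeeper
    supplier: str
    amount_pence: int  # whole pence, so equal amounts compare exactly
    posted: date       # date the invoice was entered into the ledger


def find_duplicate_invoices(invoices, window_days=30):
    """Return one finding per suspect pair as (severity, earlier_ref, later_ref).

    'duplicate': same supplier and the same reference keyed twice.
    'possible' : same supplier and amount within `window_days` under a
                 different reference (the Example 1 scenario).
    """
    window = timedelta(days=window_days)
    findings = []
    # Group by supplier and amount only: a re-submitted invoice may carry a
    # new reference, so the reference cannot be part of the key.
    groups = defaultdict(list)
    for inv in sorted(invoices, key=lambda i: i.posted):
        groups[(inv.supplier, inv.amount_pence)].append(inv)
    for group in groups.values():
        for i, later in enumerate(group):
            for earlier in group[:i]:
                if later.ref == earlier.ref:
                    findings.append(("duplicate", earlier.ref, later.ref))
                elif later.posted - earlier.posted <= window:
                    findings.append(("possible", earlier.ref, later.ref))
    return findings


# Constructed sample data (hypothetical suppliers), including the Example 1
# case: the same invoice submitted twice under different reference numbers.
SAMPLE_INVOICES = [
    Invoice("INV-1001",  "Acme Ltd",      1245000, date(2026, 1, 10)),
    Invoice("INV-1001A", "Acme Ltd",      1245000, date(2026, 1, 28)),  # 18 days later
    Invoice("INV-1020",  "Acme Ltd",      1245000, date(2026, 3, 15)),  # outside window
    Invoice("B-77",      "Beta Supplies",  320000, date(2026, 1, 12)),
    Invoice("B-77",      "Beta Supplies",  320000, date(2026, 1, 13)),  # keyed twice
    Invoice("B-78",      "Beta Supplies",  321000, date(2026, 1, 14)),  # different amount
]

if __name__ == "__main__":
    for severity, earlier, later in find_duplicate_invoices(SAMPLE_INVOICES):
        print(f"{severity:9s} {earlier} -> {later}")
```

Items tagged `possible` belong on the approver's held list rather than being rejected outright, because a legitimate recurring charge for the same amount (a monthly retainer, for instance) matches the same rule.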
Example 2: The Unreconciled Balance
A one-person finance team reconciles the bank account monthly but does not reconcile the debtors ledger. At year-end, the auditor identifies £45,000 of unreconciled items — old invoices that were paid but not matched, credit notes that were issued but not applied. The finance person “knows” the balance is approximately right but cannot prove it.
Prevention: Monthly debtors ledger reconciliation — even a simple comparison of the aged debtor report to the control account — would have identified and resolved these items progressively. The Financial Data Quality Checklist provides the validation points.
Example 3: The Journal Nobody Understands
A finance director posts a monthly adjustment journal that corrects an allocation error in the ERP. The journal has been posted for three years. The FD retires. The replacement cannot find documentation explaining the journal. The auditor queries it. Nobody can explain it. The adjustment is reversed, creating a material misstatement in the current year.
Prevention: Every manual journal requires a description field completed with: (a) what is being adjusted, (b) why, and (c) the supporting calculation. This takes two minutes per journal and prevents institutional knowledge from evaporating.
Frequently Asked Questions
Do mid-market companies need an internal audit function? Not typically. An internal audit function is proportionate for companies with £50M+ revenue or complex group structures. For mid-market companies, the compensating alternative is a combination of external accountant quarterly review, finance lead self-assessment, and board-level oversight of key controls.
What is the difference between SOX controls and mid-market controls? SOX requires documented controls, independent testing, management attestation, and auditor verification — all mandated by US securities law. Mid-market controls pursue the same objectives (accurate reporting, asset protection) but through proportionate mechanisms: simpler documentation, self-assessment rather than independent testing, and board review rather than formal attestation.
How do I handle segregation of duties with only two people? Identify the highest-risk processes (payments, journal posting, payroll) and assign prepare-review roles across the two people. Where both people are involved in the same process, introduce a compensating control: director review, system-enforced limit, or external accountant oversight.
What evidence do auditors actually need? Auditors need evidence that controls exist (documentation), that they operate (completed checklists, signed reconciliations), and that exceptions are resolved (follow-up notes). They do not need perfection — they need a demonstrable system. The audit trail must show who did what, when, and what the outcome was.
How often should I review the control framework? Quarterly for the control documentation matrix. Annually for the overall framework design. Additionally, review whenever there is a significant change: new team member, new system, new process, or organisational restructure. The governance calendar embeds these reviews into the annual rhythm.
Related Reading
- Internal Controls & Audit Readiness Framework — the overarching audit readiness framework and governance calendar
- Month-End Close Best Practices — the close process that produces control evidence monthly
- Documenting Financial Data Processes — how to document the processes that controls govern
- Key Person Risk in Finance — why undocumented controls create key person dependency
- Financial Data Quality Checklist — validation checks that serve as detective controls
- Data Ownership Framework — accountability for the data that controls protect
- Financial Data Governance Framework — the governance architecture that controls implement
- Variance Analysis Guide — analytical review as a detective control
Sources
- FRC Audit Quality Review 2025 — recurring preparation issues originate at the company level
- ICAEW — “Audit Quality and Preparation” 2025 — 73% of audit quality issues trace to preparation quality
- BDO Mid-Market Report 2025 — 58% of mid-market companies describe audit as stressful
- UK Audit Fee Survey 2024–2025 — mid-market fees rose 8–12%
- COSO — Internal Control — Integrated Framework — enterprise reference framework
- FRC — Guidance on Risk Management, Internal Control and Related Financial and Business Reporting — UK governance code guidance
Martin Duben is the founder of Onetribe, where he designs governance and control frameworks for mid-market finance teams that need enterprise-grade assurance without enterprise-grade overhead. His work focuses on making controls practical, proportionate, and — above all — documented.