Do you think internal control is "for big companies"? In Geneva, we see the opposite every month: an SME with 8 to 60 people, an ERP that nobody fully masters, two people who "know how to do everything," and one day... a payment goes to the wrong IBAN. Or a customer invoice goes out with the VAT set incorrectly. Result? Lost money, lost time, and sometimes a very unpleasant discussion with the bank, the AFC (the Swiss Federal Tax Administration) or the audit body.
Internal control in SMEs is not a dusty binder. It's a series of concrete reflexes and safeguards in three areas that hurt when things go wrong: invoicing, purchasing, payments—and, in recent years, bank access (e-banking, rights, signatures, devices).
We're talking practical. What breaks, why it breaks, and how to lock things down without turning your company into an administration.
Concrete risks faced by SMEs (errors, fraud, uncontrolled access to bank accounts, Swiss examples, regulatory issues)
The classic trio: error, fraud, "DIY"
In an SME, problems rarely come from a big conspiracy. They come from an explosive mix: urgency + trust + lack of task separation.
- Error: an invoice sent twice, a forgotten credit note, wrong VAT rate, a payment entered with an extra zero.
- Internal fraud: an employee creates a fake supplier, modifies a bank account, or reimburses "expenses" that aren't real.
- External fraud: fake "CEO fraud" emails, supplier impersonation, e-banking phishing.
- DIY: shared access, passwords on sticky notes, verbal validations, missing supporting documents at closing.
And often the same symptoms: no one knows exactly who is allowed to do what, and the problem is discovered too late.
Bank access: the number one weak point in 2026
Let's be clear: e-banking has become the SME's safe, and many still treat it like a simple app.
Pitfalls seen in Geneva:
- A single "admin" user who does everything (beneficiary creation + entry + validation + execution).
- Rights not removed after someone leaves (or a long sick leave).
- Joint signature required on paper, but the e-banking rights let one user release a payment alone, so the paper rule is bypassed.
- Urgent payments validated from a personal phone, without control.
Field observation: many SMEs discover these flaws when changing banks or during an audit. They are then asked for the list of users, their rights and the logs, and realise that no one has the full picture.
VAT and invoicing: when a small error becomes a big issue
VAT is not "just a rate". It's a setting, rules and evidence. Current Swiss rates (in force since 1 January 2024):
- Standard rate: 8.1%
- Reduced rate: 2.6%
- Special rate for accommodation: 3.8%
ERP settings still pointing at the pre-2024 rates (7.7%, 2.5%, 3.7%) are a common source of the errors described below.
A rate error on dozens of invoices can be corrected. But it costs: credit notes, re-invoicing, client discussions, and sometimes corrections on returns.
Regulatory issues: what management cannot delegate
In Geneva and elsewhere in Switzerland, management has responsibilities that cannot be "outsourced" to accounting.
- Organization and supervision: management responsibilities (source: Internal control organization and Swiss legal framework (Code of Obligations, art. 716a, 961)).
- Governance and obligations related to auditing depending on size and legal form (source: Audit obligations and good SME governance).
- For certain sectors, the pressure on controls (cyber, operational risks) has increased (source: Cyber risk management and specific controls 2024).
You can delegate execution. Not responsibility.
Real mini-case (anonymized): the fake IBAN change
Geneva SME, B2B services, 18 employees. A "supplier" email announces a new IBAN. Accounting updates the supplier record. Payment of CHF 24,870 executed the next day.
The real supplier follows up a week later: "we haven't received anything." The money had gone to a foreign account and could not be recovered.
Why did it work?
- A single person could modify the supplier record alone, with no second validation.
- No specific control on IBAN changes (no call to the known contact).
- Payment validation done "quickly," without checking the beneficiary against the record on file.
We see too many stories like this.
Implementation of key controls by process (invoicing, purchasing, payments: task separation, cross-validation, audit trails, bank access controls, partial automation...)
Let's break it down by process. The idea is not to lock everything down. The idea is to put controls where money goes out, where money comes in, and where data is modified.
Invoicing: securing revenue (and VAT)
Simple controls that change everything:
- Sequential numbering of invoices, no "mysterious" gaps.
- Validation of terms (price, discounts, incoterms, deadlines) by someone other than the issuer.
- Locking VAT rates in the ERP: only 1-2 profiles can modify settings.
- Monthly reconciliation: invoices issued vs services delivered (or hours validated).
- Credit notes: mandatory validation, with written reason.
Anecdote: at closing, we often find credit notes "to please the client" without a trace. The problem isn't the credit note. The problem is the lack of rules. Good luck explaining the collapsing margin.
Purchasing: avoiding phantom suppliers and "comfort" spending
Internal purchasing control is based on a very basic logic: request → order → receipt → invoice → payment.
Concrete controls:
- Supplier creation: supporting document (register extract, contact details, IBAN) + validation by a second person.
- Order: approval thresholds (e.g. > CHF 5,000, management validation).
- Receipt: proof of receipt (delivery note, report, service validation).
- Supplier invoice: 2-way reconciliation (order/invoice) or 3-way (order/receipt/invoice).
Payments: where task separation is non-negotiable
If one person can:
- create a beneficiary,
- enter a payment,
- validate it,
- execute it,
... you have a huge gap: nothing stops a single account from moving money out, whether that account is misused by its owner or taken over by phishing.
Recommended controls:
- Double validation on payments (at least above a threshold).
- Blocking IBAN modifications without validation.
- Whitelist of beneficiaries (when the bank allows).
- Urgent payments: specific procedure, not "we'll do it quickly and see".
Audit trails: if it's not traceable, it doesn't exist
Effective internal control leaves traces:
- who created/modified a supplier record,
- who validated an invoice,
- who approved a payment,
- when and from which profile.
If your tool doesn't keep logs, compensate: monthly export, signed validation, or a simple workflow.
Partial automation: useful, but not magic
Automate, yes. Rely on automation, no.
- OCR supplier invoices: saves time, but check sensitive fields (IBAN, amount, VAT).
- Approval workflows: great, as long as roles are clean.
- Bank reconciliations: excellent, but watch manual entries.
Access matrix and role separation (methodology, practical example, tools, changes since 2025)
The access matrix is the table that answers a simple question: who can do what, in which tool, and with what level of validation.
In 2026, it's become a management document. Not a gadget.
Simple (and realistic) methodology for an SME
Five steps. No need for a 6-month project.
- List the tools: e-banking, ERP/accounting, invoicing tool, expense management, document safe.
- List sensitive actions: create/modify beneficiary, modify IBAN, validate payment, export payment file, modify VAT rate, create supplier, create credit note.
- Define roles (not people): accountant, finance manager, management, purchasing manager, project manager.
- Assign rights according to the principle: minimum necessary.
- Test: simulate a payment, an IBAN change, an invoice cancellation. Check that it blocks when it should.
Practical example of matrix (excerpt)
| Sensitive action | Accounting | Finance manager | Management | Control note |
|---|---|---|---|---|
| Create a supplier | Yes (prepare) | Yes (validate) | No | Mandatory validation before use |
| Modify supplier IBAN | No | Yes (prepare) | Yes (validate) | Control outside email: call known contact |
| Enter payments | Yes | Yes | No | Entry separate from validation |
| Validate payments > CHF 10,000 | No | Yes | Yes | Double validation |
| Add e-banking beneficiary | No | Yes | Yes | Never by the same person as execution |
| Modify VAT settings | No | Yes | Yes | Log + quarterly review |
Update this table with each arrival/departure, and at least once a year.
Tools: what SMEs really use
- A well-kept spreadsheet (yes, it works) + management validation.
- An export of e-banking rights (most Swiss banks provide it).
- An approval workflow in the ERP if you have it.
- An access register (who has access to what, when, why).
Changes since 2025: what's changed in practice
Since 2025, three clear trends:
- Banks push harder for granular rights and multiple validations.
- SMEs increasingly adopt file-based payments (ISO 20022 pain.001 files exported from the ERP and uploaded to e-banking): practical, but dangerous if nobody controls what is exported and what is uploaded.
- Supplier impersonation attacks have become common. The "confirmation call" control is back in fashion.
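Controlling the pain.001 export/upload step means checking the file before anyone uploads it to e-banking: IBAN checksums, each beneficiary against the validated register (an IBAN change still awaiting the confirmation call is treated as blocking), header totals, and amounts above the double-validation threshold. The script below is an added example, not part of the original article or of any ERP or bank software. It assumes pain.001.001.03 element names, a beneficiary register kept in-house (constructed here), the CHF 10,000 threshold from the article's tables, and a constructed sample file whose third transfer carries a one-digit IBAN typo.

```python
"""Pre-upload checks on an ISO 20022 pain.001 payment file.

Added example, not from the original article nor from any bank or ERP
software. Assumptions: pain.001.001.03 element names (the paths used here
exist unchanged in later versions), a beneficiary register the company
keeps itself, and the CHF 10,000 double-validation threshold from the
article's tables.
"""
import xml.etree.ElementTree as ET
from decimal import Decimal

NS = {"p": "urn:iso:std:iso:20022:tech:xsd:pain.001.001.03"}
DOUBLE_VALIDATION_THRESHOLD = Decimal("10000")

# Constructed beneficiary register: IBAN -> (supplier name, status).
# "pending" = an IBAN change was announced (e.g. by email) but not yet
# confirmed by a call to the known contact and validated by a second person.
BENEFICIARY_REGISTER = {
    "CH9300762011623852957": ("Atelier Dupont SA", "confirmed"),
    "DE89370400440532013000": ("Studio Lemaire Sarl", "pending"),
}

# Constructed pain.001 with three transfers. The IBANs are the standard
# documentation examples; the third one carries a one-digit typo.
SAMPLE_PAIN001 = """<Document xmlns="urn:iso:std:iso:20022:tech:xsd:pain.001.001.03">
<CstmrCdtTrfInitn>
<GrpHdr><MsgId>MSG-2026-03-01</MsgId><CreDtTm>2026-03-01T09:00:00</CreDtTm>
<NbOfTxs>3</NbOfTxs><CtrlSum>30570.00</CtrlSum><InitgPty><Nm>Example SME</Nm></InitgPty></GrpHdr>
<PmtInf><PmtInfId>PMT-1</PmtInfId><PmtMtd>TRF</PmtMtd>
<CdtTrfTxInf><PmtId><EndToEndId>INV-1001</EndToEndId></PmtId>
<Amt><InstdAmt Ccy="CHF">4500.00</InstdAmt></Amt><Cdtr><Nm>Atelier Dupont SA</Nm></Cdtr>
<CdtrAcct><Id><IBAN>CH9300762011623852957</IBAN></Id></CdtrAcct></CdtTrfTxInf>
<CdtTrfTxInf><PmtId><EndToEndId>INV-1002</EndToEndId></PmtId>
<Amt><InstdAmt Ccy="CHF">24870.00</InstdAmt></Amt><Cdtr><Nm>Studio Lemaire Sarl</Nm></Cdtr>
<CdtrAcct><Id><IBAN>DE89370400440532013000</IBAN></Id></CdtrAcct></CdtTrfTxInf>
<CdtTrfTxInf><PmtId><EndToEndId>INV-1003</EndToEndId></PmtId>
<Amt><InstdAmt Ccy="CHF">1200.00</InstdAmt></Amt><Cdtr><Nm>Atelier Dupont SA</Nm></Cdtr>
<CdtrAcct><Id><IBAN>CH9300762011623852958</IBAN></Id></CdtrAcct></CdtTrfTxInf>
</PmtInf></CstmrCdtTrfInitn></Document>"""


def iban_is_valid(iban):
    """ISO 13616 mod-97 check: move the first four characters to the end,
    map letters to 10..35, and the number must leave remainder 1 mod 97."""
    s = iban.replace(" ", "").upper()
    if not 15 <= len(s) <= 34 or not s.isalnum():
        return False
    digits = "".join(str(int(c, 36)) for c in s[4:] + s[:4])
    return int(digits) % 97 == 1


def parse_transfers(xml_text):
    """Return (group header fields, list of credit transfers)."""
    root = ET.fromstring(xml_text)
    hdr = root.find("p:CstmrCdtTrfInitn/p:GrpHdr", NS)
    header = {"nb_of_txs": int(hdr.findtext("p:NbOfTxs", namespaces=NS)),
              "ctrl_sum": Decimal(hdr.findtext("p:CtrlSum", namespaces=NS))}
    transfers = []
    for tx in root.iterfind(".//p:CdtTrfTxInf", NS):
        amt = tx.find("p:Amt/p:InstdAmt", NS)
        transfers.append({
            "id": tx.findtext("p:PmtId/p:EndToEndId", namespaces=NS),
            "amount": Decimal(amt.text),
            "currency": amt.get("Ccy"),
            "creditor": tx.findtext("p:Cdtr/p:Nm", namespaces=NS),
            "iban": tx.findtext("p:CdtrAcct/p:Id/p:IBAN", namespaces=NS),
        })
    return header, transfers


def check_payment_file(xml_text, register=BENEFICIARY_REGISTER,
                       threshold=DOUBLE_VALIDATION_THRESHOLD):
    """Return (blocking findings, review findings) as (tx id, reason) pairs.
    Any blocking finding means the file must not be uploaded as is."""
    header, transfers = parse_transfers(xml_text)
    blocking, review = [], []
    if header["nb_of_txs"] != len(transfers):
        blocking.append(("GrpHdr", "NbOfTxs does not match the number of transfers"))
    total = sum(t["amount"] for t in transfers)
    if total != header["ctrl_sum"]:
        blocking.append(("GrpHdr", f"CtrlSum {header['ctrl_sum']} differs from total {total}"))
    for t in transfers:
        if not iban_is_valid(t["iban"]):
            blocking.append((t["id"], "IBAN fails the mod-97 check (typo or tampering)"))
            continue
        entry = register.get(t["iban"])
        if entry is None:
            blocking.append((t["id"], "IBAN not in the validated beneficiary register"))
        elif entry[1] != "confirmed":
            blocking.append((t["id"], "IBAN change not yet confirmed by call and second validation"))
        elif entry[0] != t["creditor"]:
            blocking.append((t["id"], "creditor name does not match the register entry"))
        if t["amount"] > threshold:
            review.append((t["id"], f"{t['amount']} {t['currency']} above threshold: double validation"))
    return blocking, review


if __name__ == "__main__":
    blocking, review = check_payment_file(SAMPLE_PAIN001)
    for tx_id, reason in blocking:
        print("BLOCK ", tx_id, reason)
    for tx_id, reason in review:
        print("REVIEW", tx_id, reason)
```

Run it on the exported file before upload: an empty blocking list is the go-ahead, and the review list is the work queue for the second validator. On the constructed sample, INV-1002 is blocked because its new IBAN is still pending confirmation (and flagged for double validation as it exceeds CHF 10,000), INV-1003 is blocked by the checksum, and INV-1001 passes.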
Warning signals and best practices (mistakes to avoid, indicators to track, training, reporting, internal control pdfs and available guides)
Want to know if your internal control is solid? Look for weak signals. They don't lie.
Warning signals: when to start worrying
- The same user does entry + validation + execution.
- "Urgent" payments every week.
- Suppliers created without a file (no extract, no contract, no contact).
- Frequent credit notes, without standard reason.
- Manual accounting entries at month-end, without supporting document.
- E-banking access not reviewed for over 12 months.
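The access matrix above and the first and last signals in this list (one user holding entry + validation + execution; access not reviewed for 12 months) can be checked mechanically against the rights export most Swiss banks provide. The script below is an added example, not part of the original article or of any bank's tooling: the CSV columns (user, right, last_review, status) and the `modify_iban` pair are assumptions made for the illustration, and the sample export is constructed.

```python
"""Segregation-of-duties and stale-access checks on an e-banking rights export.

Added example (not from the original article): it runs the access-matrix
rules against a rights export. The CSV layout is an assumption built for
the example; real bank exports differ, so map their columns to these four.
"""
import csv
import io
from datetime import date

# Constructed rights export, one line per (user, right). Columns assumed:
# user, right, date of the last review of that right, user status.
RIGHTS_EXPORT = """user,right,last_review,status
aline,enter_payment,2025-09-30,active
aline,create_beneficiary,2023-11-01,active
aline,validate_payment,2023-11-01,active
aline,execute_payment,2023-11-01,active
marc,validate_payment,2025-09-30,active
marc,execute_payment,2025-09-30,active
jules,enter_payment,2024-02-15,left
"""

# Right combinations one user must never hold together (from the matrix:
# "Entry separate from validation", "Never by the same person as execution").
# The third pair extends the same logic to IBAN edits (assumption).
TOXIC_PAIRS = (
    ("create_beneficiary", "execute_payment"),
    ("enter_payment", "validate_payment"),
    ("modify_iban", "validate_payment"),
)


def load_rights(csv_text):
    """Group the export by user; keep the OLDEST review date per user,
    since one unreviewed right is enough to make the user stale."""
    users = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        u = users.setdefault(row["user"], {"rights": set(), "last_review": None,
                                           "status": row["status"]})
        u["rights"].add(row["right"])
        reviewed = date.fromisoformat(row["last_review"])
        if u["last_review"] is None or reviewed < u["last_review"]:
            u["last_review"] = reviewed
    return users


def toxic_combinations(users):
    """(user, right_a, right_b) for every toxic pair held by the same user."""
    hits = []
    for name, u in sorted(users.items()):
        for a, b in TOXIC_PAIRS:
            if a in u["rights"] and b in u["rights"]:
                hits.append((name, a, b))
    return hits


def stale_reviews(users, today, max_age_days=365):
    """Users whose rights have not all been reviewed in the last 12 months."""
    return sorted(name for name, u in users.items()
                  if (today - u["last_review"]).days > max_age_days)


def departed_with_access(users):
    """Users no longer active who still hold at least one right."""
    return sorted(name for name, u in users.items()
                  if u["status"] != "active" and u["rights"])


def review_report(csv_text, today_iso):
    """One-call summary for the monthly/quarterly one-page report."""
    users = load_rights(csv_text)
    today = date.fromisoformat(today_iso)
    return {
        "toxic": toxic_combinations(users),
        "stale": stale_reviews(users, today),
        "departed": departed_with_access(users),
    }


if __name__ == "__main__":
    for key, items in review_report(RIGHTS_EXPORT, "2026-03-01").items():
        print(f"{key}: {items}")
```

On the constructed export, Aline shows up twice under toxic combinations (beneficiary creation + execution, entry + validation), Aline and Jules are stale, and Jules has left but still holds a right. Each of the three lists maps to one line of the monthly report and to one concrete fix: split the rights, review them, remove the account.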
Simple indicators to track (monthly or quarterly)
- Number of new suppliers created.
- Number of IBAN modifications.
- Top 10 payments (amounts) and associated validation.
- Cancelled invoices / credit notes issued.
- Unexplained bank reconciliation discrepancies.
Training: 45 minutes that prevent weeks of damage
We're not talking about "training everyone in finance." We're talking about reflexes:
- recognizing a suspicious email,
- checking an IBAN change,
- refusing a "confidential" request that bypasses procedure,
- documenting an exception.
A short annual session + a reminder for new arrivals is already very solid.
Reporting: one page, not a novel
In our opinion, the best approach is ultra-simple reporting to management:
- incidents (even minor),
- validated exceptions,
- access changes,
- points to correct.
One page. Monthly or quarterly.
Ark Fiduciaire
Resources and guides
For a structured approach, you can rely on:
- Internal control components according to COSO (source: Internal control components COSO).
- Expectations and best practices on cyber risks (source: Cyber risk management and specific controls 2024).
- Obligations and best practices related to audit and governance (source: Audit obligations and good SME governance).
- Swiss legal framework on organization and control (source: Internal control organization and Swiss legal framework (Code of Obligations, art. 716a, 961)).
- A practical SME-oriented guide (source: Practical guide internal control SME (invoicing, purchasing, payments – Ark Fiduciaire, 2025)).
Step by step: implementing an internal control "that works" in 30 days
You don't need to wait for an audit to get started. Here's a method we often use with Geneva SMEs.
Week 1 — Map and choose a maximum of 10 controls
- List your flows: invoicing, purchasing, payments, expense reports.
- Identify where money goes out and where data is modified.
- Choose 10 controls maximum to start (otherwise, no one follows).
Week 2 — Lock e-banking and document roles
- Export the list of users and rights.
- Decide on rules: double validation, thresholds, beneficiary creation.
- Remove unnecessary access.
Week 3 — Integrate validations into daily routine
- Validate new suppliers.
- Set up an IBAN change procedure.
- Formalize credit note approval.
Week 4 — Test, correct, finalize
- Do an end-to-end test: an invoice, a purchase, a payment.
- Check traces (logs, documents, validations).
- Write one page of procedure per process. One page, not twenty.
Checklist 1 — Documents to have on hand (otherwise you waste time)
- List of e-banking users + rights + date of last review
- Access matrix (roles vs sensitive actions)
- IBAN change procedure (with validation outside email)
- Approval thresholds (purchases, payments, credit notes)
- Exception validation template (when departing from the rule)
- Standard supplier file (contract, contact details, supporting documents)
- Incident log (even "small" ones)
Checklist 2 — Minimum viable controls (if you're short on time)
If you only do this, you already greatly reduce risk:
- Double validation of payments above a threshold (e.g. CHF 10,000)
- Prohibition of creating a beneficiary and executing payment by the same person
- Mandatory validation of any IBAN change + confirmation by phone to known contact
- Monthly review of new suppliers
- Locking VAT settings (limited access + review)
- Monthly bank reconciliation with discrepancy handling
Practical case with figures (Geneva): securing payments and suppliers in a service SME
Geneva SME, 25 employees, communication agency. 120 client invoices/month, 80 supplier invoices/month. Two people in finance:
- Aline (accounting): enters supplier invoices, client invoicing, prepares payments.
- Marc (management): payment validation, supervision.
Starting situation (high risk)
- Aline can create/modify suppliers and IBAN in the ERP.
- Aline prepares payments and can also validate them in e-banking (historical rights).
- Marc validates "when he has time," sometimes after execution.
An incident occurs: payment of CHF 18,450 to a modified IBAN following a fraudulent email.
Measures implemented (2 hours of work + 1 bank meeting)
- ERP:
- Aline can create a supplier, but not validate.
- Any IBAN modification triggers a validation task.
- E-banking:
- Aline: enters payments, no final validation.
- Marc: mandatory final validation.
- Threshold: above CHF 10,000, double validation (Marc + board member or second signatory).
- IBAN procedure:
- If IBAN change: call the already known number (not the email), note in the file.
Concrete result (over 3 months)
- 9 IBAN changes requested: 2 blocked as not confirmed.
- 1 fraud attempt detected (impersonated email).
- Additional time: about 15 minutes/week.
- Reduced financial risk: eliminated the "one person does everything" scenario.
It's not glamorous. It's effective.
Two useful tables: thresholds and controls by process
Table 1 — Example approval thresholds (to adapt)
| Operation type | CHF 0–2,000 | CHF 2,001–10,000 | > CHF 10,000 |
|---|---|---|---|
| Non-recurring purchase | Service manager | Finance manager | Management |
| Supplier payment | Accounting (prepares) | Finance manager (validates) | Double validation (management + second signatory) |
| Client credit note | Account manager | Finance manager | Management |
Table 2 — Recommended controls by process
| Process | Control | Frequency | Expected evidence |
|---|---|---|---|
| Invoicing | Review of credit notes (reason + validation) | Monthly | List of credit notes + validation |
| Invoicing | Locking VAT settings | Quarterly | Change log |
| Purchasing | Supplier creation validation | Each creation | Supplier file |
| Purchasing | Order/receipt/invoice reconciliation | Each invoice | Delivery note + invoice + validation |
| Payments | Double validation above threshold | Daily | E-banking log |
| Payments | Review of new beneficiaries | Monthly | Beneficiary list + signature |
Common mistakes (and how to fix them without redoing everything)
Mistake 1: "We're a small team, we can't separate"
Yes, you can. Task separation doesn't mean 4 people. It means: at least two eyes on sensitive actions.
Correction:
- one person prepares,
- another validates,
- and keep a trace.
Mistake 2: inherited e-banking rights never reviewed
Classic trap. Rights pile up, no one dares touch.
Correction:
- annual access review,
- immediate removal upon departure,
- and prohibition of shared accounts.
Mistake 3: IBAN change treated as a formality
Exactly what fraudsters want.
Correction:
- validation by a second person,
- confirmation outside email,
- temporary payment block if in doubt.
Mistake 4: controls "in the head"
"I always check" is not a control. The day the person is absent, everything collapses.
Correction:
- a checklist,
- a log,
- a validation in the tool.
Mistake 5: undocumented exceptions
Exceptions happen. The problem is when they become the norm.
Correction:
- an exception form (even simple),
- reason + approval + document.
Internal control and cyber: the underestimated link
Today, fraud often happens through:
- a compromised mailbox,
- a reused password,
- an unsecured phone,
- overly broad e-banking access.
Practical best practices:
- strong (multi-factor) authentication on e-banking, the mailbox and the ERP, wherever the provider offers it,
- a dedicated device for e-banking, or at least one that is kept updated, locked and not shared,
- regular review of access rights and logs,
- an "incident" procedure: who to call (bank, IT, management), what to block (accounts, payments in progress), what to document.
For cyber expectations and controls, refer to surveillance recommendations (source: Cyber risk management and specific controls 2024).
Management's role: what you must oversee yourself
Are you a director, board member or managing partner? You don't need to do the bookkeeping yourself. You must oversee:
- approval thresholds,
- access matrix,
- periodic review of payments and exceptions,
- culture: "we follow procedure, even when it's urgent".
And yes, it's obvious when it's taken seriously. Teams align.
FAQ on internal control in SMEs (definition, difference between internal audit/internal control, legal obligations, pdf resources, simple tools for SMEs, management's role)
1) What exactly is internal control in SMEs?
It's all the rules and controls that prevent (or quickly detect) errors and fraud in your sensitive processes: invoicing, purchasing, payments, bank access, VAT, master data. It's not a document. It's a way of working, with evidence.
2) Internal control vs internal audit: what's the difference?
Internal control is what the company implements daily. Internal audit is a function (often absent in SMEs) that tests and evaluates these controls independently. In SMEs, internal audit is often replaced by occasional reviews (management, fiduciary, audit body as applicable).
3) Does Swiss law require SMEs to have internal control?
Management must organize and supervise the company, and ensure compliant accounting. Depending on size and audit obligation, expectations for the internal control system increase. The legal framework and management responsibilities are described in the Code of Obligations (source: Internal control organization and Swiss legal framework (Code of Obligations, art. 716a, 961)).
4) Are there "PDF-type" resources or practical guides for SMEs?
Yes. There are reference frameworks (source: Internal control components COSO) and SME-oriented guides on invoicing/purchasing/payment processes (source: Practical guide internal control SME (invoicing, purchasing, payments – Ark Fiduciaire, 2025)).
5) What simple tools to use without a big budget?
A spreadsheet for the access matrix, e-banking exports for rights and validations, a monthly checklist, and a standard supplier file. If your ERP offers workflows, activate them on sensitive actions (supplier creation, IBAN change, credit notes, payments).
6) What is management's concrete daily role?
Set the rules (thresholds, validations), validate exceptions, require evidence (logs, documents), and conduct periodic reviews. The message must be clear: urgency does not justify bypassing controls.
References
- Internal control components COSO
- Recent adaptations in anti-money laundering
- Audit obligations and good SME governance
- Internal control organization and Swiss legal framework (Code of Obligations, art. 716a, 961)
- Cyber risk management and specific controls 2024
- Practical guide internal control SME (invoicing, purchasing, payments – Ark Fiduciaire, 2025)