Internal control for SMEs: task separation, access matrix and risk management in 2026

This article delves into the definition and challenges of internal control for SMEs in French-speaking Switzerland. It presents concrete risks related to invoicing, payments and bank access management, details simple internal controls to implement by process (including task separation), proposes a methodology for creating an access matrix, and lists warning signals to watch for. A FAQ covers key points according to COSO standards, the Swiss regulatory context (CO, legal obligations) and performance standards in 2026.

By Ark Fiduciaire

Published on 07/10/2026

Reading time: 15min (2961 words)

comptabilitecomptablereportingferpmesuisse

You have an SME in Geneva (or French-speaking Switzerland) and you think: "We're too small for internal control." Let me be frank: that's often where things break.

Internal control isn't a dusty binder or a big-company fantasy. It's a series of practical habits to avoid three very common things:

  • paying the same invoice twice,
  • getting tricked by a fake IBAN,
  • discovering at closing that VAT was handled "by instinct".

And in 2026, one topic comes up in almost every case: access (bank, e-banking, ERP, invoicing software, cloud). Rights are too broad, not reviewed, not tracked. Result? An error becomes an incident. An incident becomes a dispute. And sometimes, a fraud.

What concrete risks for a Swiss SME in 2026? (errors, frauds, bank access, CO compliance)

Risk #1: the "simple" error that costs a lot

We still see SMEs where one person:

  • creates the supplier,
  • enters the invoice,
  • prepares the payment,
  • validates in e-banking.

Beware, it's a classic trap. Not because the person is dishonest. But because when they're rushed, tired, or replaced, errors slip through.

Very concrete examples:

  • invoice entered twice (same amount, same date, slightly different reference),
  • credit note forgotten,
  • VAT coded at the wrong rate (8.1% instead of 2.6%, or vice versa),
  • payment sent to an old IBAN "copy-pasted" from an email.

Risk #2: the "clean" fraud (the one that looks like a normal operation)

In 2026, the most frequent fraud in SMEs isn't a robbery. It's process manipulation.

Two scenarios we encounter:

  1. IBAN change: an email "from the supplier" announces a new account. The invoice is real, the supplier exists, the amount is plausible. Only the IBAN is fake.
  2. Fake CEO / fake director: urgent request for a "confidential" transfer. You're pressured. You're flattered. You're isolated.

If your payment procedure relies on "I recognize the email style", you're exposed.

Risk #3: bank access and overly broad rights

The real issue is the combination:

  • e-banking access with payment rights,
  • access to accounting software,
  • no rights review,
  • no control journal consulted.

In practice, this means the same person can create a supplier, modify the IBAN, then pay. And if no one critically reviews bank statements, you won't notice for weeks.

Risk #4: CO compliance and board responsibility

We're not talking about "nice best practices". The Swiss Code of Obligations imposes management responsibilities and appropriate organization.

Two articles always come up in serious discussions:

  • art. 716a CO (non-transferable and inalienable duties of the board of directors, for corporations),
  • art. 961 CO (presentation of accounts; and, in practice, everything related to the reliability of financial information).

You can delegate execution. Not responsibility.

Source: Appropriate organization of internal control for corporations/LLCs: legal obligations and art. 716a & 961 CO.

Field observation (Geneva): the problem surfaces at the worst time

In practice, many Geneva SMEs discover their weaknesses at closing. Why? Because:

  • the fiduciary asks simple questions ("who validates?", "who has access?", "where is the document?"),
  • and then you realize everything depends on one person.

Result? Emergency fixes. And emergencies always cost more.

Simple controls by process: how to act on invoicing, purchasing, payments and bank access?

Let's keep it simple: a useful internal control is one that happens without heroics. If your control depends on a "very conscientious" person, it won't hold.

Customer invoicing: avoid gaps

Objective: ensure everything delivered/provided is invoiced, and the invoice is correct.

Concrete controls:

  • Continuous numbering of invoices (and checking for gaps).
  • Monthly credit note list: who issued them, why, and validation by another person.
  • Simple reconciliation: orders/contracts → invoices → receipts.
  • VAT: standard coding (rates 8.1%, 2.6%, 3.8% as applicable) and occasional review of exceptions.

Small detail that changes everything: if you make "exceptional" manual invoices, you create a blind spot. Either integrate them into the normal flow, or document enhanced validation.

Purchases and suppliers: the real risk is creation/modification

Fraudulent payment often happens here.

Concrete controls:

  • Supplier creation: mandatory supporting document (extract, contract, pro forma invoice, contact details) + validation by another person.
  • IBAN modification: double validation + phone call to a known number (not the one in the email).
  • Quarterly list of new suppliers: quick review by management.

Payments: stop "blind validation"

If you validate 30 payments in 2 minutes, you're not validating anything. You're just clicking.

Concrete controls:

  • Four-eyes principle on payments (preparation ≠ validation).
  • Validation thresholds: e.g., any payment > CHF 5,000 validated by a second signatory.
  • Grouped payments: review a printed/PDF list with amounts, beneficiaries, IBAN, purpose.
  • Bank reconciliation: weekly if volume, otherwise monthly, but done by someone who doesn't initiate payments.

Bank access: minimal rights and traceability

Concrete controls:

  • Two distinct profiles: "preparer" and "validator".
  • No shared generic account.
  • Semi-annual access review: who has access to what, and why.
  • Immediate deactivation upon departure (even if the person "still has two days").

Checklist #1 — Minimum viable controls (SMEs 5–30 people)

  • Continuous invoice numbering + gap check (monthly)
  • Credit note review (monthly)
  • Supplier creation validated by another person (each creation)
  • IBAN change: double validation + call to known number (each change)
  • Payment preparation ≠ payment validation (always)
  • Double signature threshold (e.g. CHF 5,000) (configured)
  • Bank reconciliation done by someone independent from payments (monthly)
  • Review of e-banking and accounting software access (2x/year)

Mastering access: building a rights matrix and task separation

Task separation isn't "we trust each other". It's "we avoid one person being able to complete an operation without control".

What you're trying to avoid

The dangerous combo:

  1. create/modify a third party (client/supplier),
  2. create an entry or invoice,
  3. trigger a payment,
  4. validate the payment,
  5. reconcile the bank.

If one person can do 1→5, you have a structural risk.

Table 1 — Example of task separation matrix (Geneva SME)

ProcessActionRole A (Accounting)Role B (Management)Role C (Operations)Expected control
SuppliersCreate supplierYesValidationNoValidation B + supporting document
SuppliersModify IBANNo (or request)YesNoDouble validation + call
PurchasesEnter invoiceYesNoYes (receipt)Receipt approval
PaymentsPrepare payment batchYesNoNoPayment list archived
PaymentsValidate e-banking paymentNoYesNoFour eyes + thresholds
BankBank reconciliationYes (if not payments)Occasional reviewNoAnomaly review
SalesIssue invoiceYesNoYes (service)Contract/delivery note
SalesIssue credit noteYesValidationNoMonthly review

Don't have three distinct roles? No problem. Adapt. A 6-person SME can do smart separation with 2 roles and management control.

Field anecdote: "We gave admin to everyone"

Often, accounting software or invoicing tools are installed quickly. To go fast, everyone is "admin". Then no one dares remove rights, because "it might break something".

Result? No one knows who modified an IBAN, who canceled an invoice, who changed a VAT rate.

Our advice: minimal rights + documented exceptions. Convenience should not come before traceability.

Building a robust access matrix (field method)

An access matrix is a table answering three questions:

  1. who has access,
  2. to what,
  3. with what level of rights.

Step-by-step (without overcomplicating)

  1. List your systems: e-banking, accounting software, invoicing, ERP/CRM, payroll management, cloud (Drive/SharePoint), expense tool.
  2. List actual roles (not HR titles): "prepares payments", "validates payments", "creates suppliers", "enters invoices", "does reconciliation", "IT admin".
  3. Define 4 levels of rights (often enough): Read / Entry / Validation / Admin.
  4. Fill the matrix: one row per user, one column per system, and the level.
  5. Mark conflicts: a conflict = a person has incompatible rights (e.g. supplier creation + payment validation).
  6. Decide: either remove a right, or add a compensatory control (e.g. monthly management review).
  7. Validate and date: management signs. Yes, even in SMEs.
  8. Plan the review: every 6 months, and at each departure/arrival.

Checklist #2 — What your matrix must contain (otherwise it's useless)

  • Name + actual function (what the person really does)
  • Covered systems (bank, accounting, invoicing, payroll, cloud)
  • Level of rights (Read/Entry/Validation/Admin)
  • Date of last review
  • System owner (who decides rights)
  • Written task separation rules (in 10 lines)
  • List of exceptions + justification + duration

Simple controls by process ("do it Monday morning" version)

Want something concrete? Here's an operational version, by flow.

Flow 1 — From supplier invoice to payment

  • Invoice received (email or mail)
  • Basic check: known supplier? order? receipt?
  • Accounting entry
  • Approval (operations or management)
  • Payment preparation
  • Payment validation
  • Payment proof archived

Controls that change everything:

  • Mandatory approval before payment (even an "OK" in the tool, but traceable).
  • Payment block if IBAN modified in the last 30 days without enhanced validation.

Flow 2 — From service to customer invoice

  • Contract/order
  • Service/delivery
  • Invoice
  • Receipt
  • Reminder

Useful controls:

  • List of unbilled services (monthly).
  • Discount review: who grants what.

Flow 3 — Expense reports and company cards

Cards and expenses are often the Wild West.

Simple controls:

  • mandatory supporting document,
  • validation by a superior,
  • spending limits by type,
  • monthly review of "out-of-policy" expenses.

Ark Fiduciaire

Need help with this topic?

Our experts are available for personalised guidance. First consultation free, no commitment.

Practical case (CHF) — A Geneva LLC trapped by a fake IBAN

SME: Service LLC (12 employees), Geneva. Volume: ~80 supplier invoices/month. Weekly payments.

Scenario:

  • A regular IT supplier sends an invoice for CHF 18,740.
  • A separate email announces a "new IBAN".
  • The accountant modifies the IBAN in the software.
  • She prepares the payment.
  • The director validates in e-banking without comparing the IBAN to a reliable source.

Result?

  • Payment executed: CHF 18,740 to a fraudulent account.
  • The real supplier follows up 10 days later.
  • The SME pays a second time to avoid service interruption.

Direct total cost: CHF 37,480.

Realistic indirect costs:

  • 6 internal hours (management + accounting) at CHF 150/h = CHF 900
  • bank exchanges + complaint filing + follow-up = CHF 600 (internal time)
  • external fees (analysis, procedure, control strengthening) = CHF 2,500

Total: CHF 41,480.

The control that would have prevented this:

  • IBAN change = call to known number + validation by another person.

It's not glamorous. It's effective.

Warning signals: detecting weaknesses, errors or misappropriation in an SME

You don't need forensic software. You need open eyes.

Supplier/payment signals

  • Urgent payments "to be made today" without complete documentation.
  • Known supplier, but IBAN changed without solid explanation.
  • Invoices with vague descriptions ("services", "consulting") and no deliverable.
  • Repeated round amounts (CHF 5,000, CHF 10,000) just below a validation threshold.
  • Multiplication of small "one-shot" suppliers.

Sales signals

  • Frequent credit notes, especially at month-end.
  • Undocumented discounts.
  • Invoices canceled then reissued.

Access and IT signals

  • Shared accounts ("accounting@", "admin@").
  • Admin rights distributed "to help out".
  • No audit log consulted.
  • E-banking access kept after someone leaves.

Accounting signals

  • Late bank reconciliations.
  • Pending items lingering (suspense accounts, clearing).
  • Numerous manual entries without justification.

3 costly mistakes for Geneva LLCs (and how to fix them)

Mistake 1: confusing "internal control" and "fiduciary control"

The fiduciary checks what they see. If you give incomplete or late documents, they can't guess.

Correction:

  • set a monthly schedule (invoices, bank, payroll),
  • require internal validation before transmission.

Mistake 2: leaving the bank in "comfort mode"

One signatory, or a validator who validates everything without reading. Result? When it goes wrong, it goes fast.

Correction:

  • double signature,
  • thresholds,
  • separate profiles,
  • monthly review of beneficiaries.

Mistake 3: documenting nothing, then panicking during a control

When the AFC (VAT) or auditor asks a question, "we've always done it this way" means nothing.

Correction:

  • 2 pages of procedures (not 40),
  • a dated access matrix,
  • a list of controls with frequency and responsible person.

SCI documentation: what is really expected in SMEs (and what doesn't matter)

Let's be honest: no one asks for a 200-page manual.

What's useful:

  • a simple process map (sales, purchases, payments, payroll),
  • a list of main risks,
  • associated controls,
  • the access matrix,
  • proof it's alive (dated reviews, validations, logs).

What's useless:

  • copy-pasting a generic model unrelated to your reality,
  • procedures impossible to apply,
  • "theoretical" controls no one does.

Source: Risk mapping in SMEs, obligations and function separation.

Reporting and management: internal control that really helps management

Internal control isn't just to prevent fraud. It also helps manage.

Simple indicators (monthly):

  • supplier invoices pending approval,
  • rejected/returned payments,
  • number of IBAN changes,
  • credit notes issued,
  • bank reconciliation discrepancies,
  • pending items > 30 days.

When these numbers rise, it's not "accounting dragging its feet". It's a signal.

Source: Impact of internal control on performance and SME reporting.

Digital controls: what automation does well… and what it will never do

Modern tools help:

  • approval workflows,
  • audit logs,
  • rights by role,
  • semi-automatic bank reconciliation.

But they don't replace:

  • human validation on exceptions,
  • phone call when changing IBAN,
  • access review.

And beware: if your tool is well configured but everyone is admin, you just have an expensive tool.

Governance: who should do what (without passing the buck)

In an SME, roles mix quickly. Let's clarify:

  • Management / Board: sets rules, validates thresholds, requires access review, accepts (or rejects) exceptions.
  • Accounting: executes, documents, reports anomalies.
  • Operations: confirms receipt/service, validates economic reality.
  • Fiduciary: supports, structures, challenges, but doesn't replace your organization.

For companies with more formal governance, the Swiss Code provides a framework of best practices.

Source: Swiss Code of Best Practice for Corporate Governance (economiesuisse).

FAQ

1) What exactly is internal control (SCI) in an SME?

It's the set of rules, controls and habits that secure your processes: reliability of accounts, asset protection, compliance, and quality reporting. In SMEs, this means validations, task separation, controlled access, and regular reviews.

Source: Impact of internal control on performance and SME reporting.

2) What legal obligations in Switzerland (art. 716a and 961 CO)?

Art. 716a CO sets non-transferable board responsibilities (for corporations) related to management and organization. Art. 961 CO deals with account presentation; in practice, an organization is expected to make financial information reliable and traceable. You can delegate execution, not responsibility.

Source: Appropriate organization of internal control for corporations/LLCs: legal obligations and art. 716a & 961 CO.

3) What's the difference between internal and external audit?

External audit (auditor) provides assurance on accounts according to legal/contractual mandate. Internal audit, when it exists, continuously tests your processes and controls to reduce risks. Many SMEs don't have formal internal audit; they can still do targeted reviews (payments, access, VAT) with a fiduciary.

4) What's the point of the COSO model for an SME?

COSO is a framework to structure internal control (control environment, risk assessment, control activities, information/communication, management). You're not required to "do COSO". But being inspired by it helps avoid missing something: for example, having controls without management, or rules without evidence.

Source: Impact of internal control on performance and SME reporting.

5) Give me 10 examples of simple and effective internal controls

  • Double payment validation
  • Signature thresholds (e.g. > CHF 5,000)
  • Call to known number when changing IBAN
  • Monthly review of new suppliers
  • Independent bank reconciliation
  • Monthly review of credit notes
  • Continuous invoice numbering + gap check
  • Audit log enabled and consulted (third-party changes, IBAN, cancellations)
  • Semi-annual access review (bank, accounting, payroll)
  • List of pending items > 30 days and processing

6) How to document your SCI without spending weeks?

Keep it short and dated:

  • 1 page "who does what" (roles)
  • 1 page "controls by process" (frequency + responsible)
  • 1 access matrix
  • 1 list of signed exceptions And keep evidence: validations, exports, logs, reconciliations.

7) Does the SCI need to be presented to the AGM?

The AGM doesn't need a detailed manual. But management/board must be able to explain the organization, main risks, and controls in place. If you have an auditor, they may ask about the existence and coherence of controls.

8) What are the limits of internal control?

SCI reduces risks, it doesn't eliminate them. There will always be:

  • human errors,
  • bypasses (collusion),
  • exceptions. The goal is to make errors visible quickly, and fraud difficult.

9) What's the link between internal control and risk management?

Risk management identifies and prioritizes risks (payments, VAT, dependence on one person, cyber). Internal control puts up concrete barriers: validations, access, reviews, evidence. Without controls, "risk mapping" is just a nice document.

Source: Risk mapping in SMEs, obligations and function separation.

10) Does it really improve performance?

Yes, when done well. Fewer corrections at closing, less time wasted searching for documents, fewer supplier disputes, more reliable reporting. And above all: management decides with clean numbers, not intuition.

Source: Impact of internal control on performance and SME reporting.

Table 2 — 30-day deployment plan (SME without internal service)

WeekActionsDeliverablesResponsible
1Map sales/purchases/payments + list systems1 page processes + system listManagement + accounting
2Write validation rules + thresholds + task separationSigned rules (max 2 pages)Management
3Build access matrix + resolve conflictsDated matrix + parameter screenshotsAccounting + IT/bank
4Set up monthly reviews (credit notes, new suppliers, pending items, bank)Checklists + calendarAccounting + management

This plan works because it's realistic. If you try to redo everything at once, you'll finish nothing.


References

Odoo and Internal Control: Securing Access Rights, Validations, and Audit Trail for Supplier Invoices in SMEs (2026)

For Swiss SMEs, configuring Odoo is a key link in internal control and compliance, especially for tracking user access rights, supervising validation workflows, attaching supporting documents, and ensuring the reliability of the audit trail on supplier invoices. This article details best practices, Swiss legal obligations, common pitfalls (frequent errors), and answers essential questions about Odoo auditability in 2026.

SME Internal Control: Securing Invoicing, Purchasing, Payments, and Bank Access in 2026

In the 2026 context in French-speaking Switzerland, securing critical processes (invoicing, purchasing, payments, bank access) through effective internal control is a major challenge for SMEs. This article analyzes typical risks, presents concrete controls to implement (including task separation), describes how to build an access matrix and warning signals, to strengthen governance and limit fraud or errors.

Let's talk

Get in touch

Our experts can help you understand the details and implications for your business. Get personalised advice tailored to your situation.