Most Kenyan business owners only think about internal controls after a fraud incident. But by then, money is gone and trust is broken. Internal controls — the checks and balances built into your financial processes — are not just for corporates. They are essential for any business with more than one employee handling money.
The COSO Framework (Simplified)
The Committee of Sponsoring Organizations (COSO) defines five components of internal control: Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring. For SMEs, the most actionable component is control activities — the day-to-day procedures that prevent or detect errors and fraud.
Key Controls Every Business Needs
- Segregation of duties: The person who authorises payments should not also make them. The person who receives cash should not also reconcile the bank.
- Authorisation controls: All payments above a threshold require sign-off from a manager or director.
- Reconciliations: Bank, cash, M-Pesa, debtors, and creditors must be reconciled monthly by someone independent of daily transactions.
- Petty cash limits: Keep petty cash below KSh 5,000 and require receipts for every disbursement.
- Access controls: Limit accounting software access to those who need it; audit trails should be enabled.
Monitoring and Review
Internal controls only work if they are monitored. Management should review exception reports, surprise-count cash, and periodically rotate staff handling high-risk functions. Annual internal audits catch breakdowns before they become material.
Avatechtax provides internal controls advisory as part of our auditing and assurance engagements. Explore auditing packages.


