Auditors assess two things: the numbers in your financial statements and the controls that produce those numbers. A company can have accurate financial statements despite weak controls — but the audit will be longer, more expensive, and more intrusive, because the auditors cannot rely on the control environment and must instead test every significant balance directly.
Building controls that satisfy auditors does not mean importing a FTSE 100 control framework into a 40-person company. It means identifying the specific risks that matter for your business, designing controls that address them, and documenting enough evidence that an auditor can verify the control operated during the period.
The COSO (Committee of Sponsoring Organizations) framework — the globally accepted standard for internal control — applies the same principles regardless of company size. The difference is in implementation scale: a large enterprise might have 500 key controls. A mid-market company needs 15 to 25.
What Auditors Test
Auditors evaluate controls across three dimensions:
Design effectiveness. Is the control designed to prevent or detect the risk it addresses? A payment approval control that requires sign-off for payments over £5,000 is well-designed if the risk is unauthorised payments. It is poorly designed if the threshold is set at £50,000 and 90% of payments fall below it.
Operating effectiveness. Did the control actually operate during the period? The policy says every journal over £10,000 needs a second review. Auditors sample journals and check for evidence of that review. If 3 out of 25 sampled journals have no review evidence, the control fails.
Evidence. Every control needs proof that it happened. A signature, a system log, a documented approval, a reconciliation with a preparer and reviewer sign-off. Controls without evidence are, from an audit perspective, controls that did not happen.
IIA (Institute of Internal Auditors) guidance emphasises that evidence is the critical gap in mid-market control environments. Controls often exist informally — the FD does review every journal, the CEO does approve every major payment — but without documented evidence, the auditor cannot give credit for them.
The Core Controls Every Mid-Market Company Needs
Rather than building an exhaustive control matrix, focus on the controls that address the highest-risk areas in a typical mid-market finance function:
Bank reconciliation. Monthly, with preparer and reviewer sign-off. This is the single most important reconciliation control — it connects the accounting records to an independent external source.
Journal entry controls. All manual journals above a defined threshold require supporting documentation and a second review. Large or unusual journals at period-end get additional scrutiny. This is where misstatements most commonly enter the financial statements.
Revenue recognition. A documented policy for when revenue is recognised, applied consistently. For complex contracts (multi-element arrangements, long-term projects, subscription models), specific workings for each material contract showing the basis for timing and amount.
Payables completeness. A process for capturing liabilities at period-end — accruals for received-not-invoiced items, cut-off testing for costs that straddle periods. Deloitte identifies payables completeness as one of the most frequently under-controlled areas in mid-market businesses.
Access controls. Who can post journals, approve payments, create suppliers, and modify master data? Access should be restricted to authorised personnel with appropriate segregation. In small teams where full segregation is not possible, compensating controls — such as a monthly review of all transactions by a senior person — fill the gap.
Fixed asset management. A register of all material assets with acquisition dates, costs, depreciation policies, and periodic physical verification. Assets that no longer exist but remain on the register inflate the balance sheet and create audit issues.
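As an added example (not code from the original article), here is a small Python check for the journal entry control and the segregation-of-duties point in the access controls section above: it tests each manual journal above the £10,000 threshold for supporting documentation and an independent second reviewer, lists large period-end journals that need extra scrutiny, and states the operating effectiveness conclusion in the auditor's terms. The field names, the period end, the window size and the sample journals are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

REVIEW_THRESHOLD = 10_000         # £; manual journals above this need support and a second review
PERIOD_END = date(2024, 12, 31)   # constructed period end (assumption)
PERIOD_END_WINDOW_DAYS = 5        # large journals posted this close to period end get extra scrutiny

@dataclass
class Journal:
    ref: str
    amount: float
    posted_on: date
    preparer: str
    reviewer: "str | None"   # None means no review evidence was captured
    has_support: bool        # supporting documentation attached

def journal_exceptions(journals):
    """Map each failing journal ref to the reasons it fails; journals at or below the threshold pass."""
    exceptions = {}
    for j in journals:
        if abs(j.amount) <= REVIEW_THRESHOLD:
            continue
        reasons = []
        if not j.has_support:
            reasons.append("no supporting documentation")
        if j.reviewer is None:
            reasons.append("no review evidence")
        elif j.reviewer == j.preparer:
            reasons.append("self-reviewed: preparer and reviewer must differ")
        if reasons:
            exceptions[j.ref] = reasons
    return exceptions

def period_end_journals(journals):
    """Large journals posted within the period-end window, for the additional scrutiny the text calls for."""
    return [j.ref for j in journals if abs(j.amount) > REVIEW_THRESHOLD
            and 0 <= (PERIOD_END - j.posted_on).days <= PERIOD_END_WINDOW_DAYS]

def operating_effectiveness(exceptions_found, tolerable=0):
    """Auditor-style conclusion on a sample: more exceptions than tolerable means the control failed."""
    return "effective" if exceptions_found <= tolerable else "not effective"

# Constructed sample journals for the test (not real data)
SAMPLE = [
    Journal("J1", 4_000, date(2024, 12, 31), "alice", None, False),   # below threshold: out of scope
    Journal("J2", 25_000, date(2024, 11, 15), "bob", "carol", True),  # compliant
    Journal("J3", 12_500, date(2024, 12, 30), "bob", "bob", True),    # self-reviewed, at period end
    Journal("J4", 50_000, date(2024, 12, 31), "alice", None, False),  # no support, no review
]
```

Running `journal_exceptions(SAMPLE)` flags J3 and J4 only, and `operating_effectiveness(3)` returns "not effective", matching the 3-of-25 sampling outcome described earlier.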
Documenting Controls Without Creating Bureaucracy
The documentation does not need to be elaborate. For each key control, capture five things: what the control is, who performs it, how often, what evidence is produced, and what happens when an exception is found. A single-page control matrix covering your 15 to 25 key controls is sufficient.
The evidence itself should be embedded in normal processes. A bank reconciliation template with preparer and reviewer signature lines. A journal approval log. A payment authorisation matrix stored in the accounting system. Controls that require separate documentation beyond normal work create overhead that mid-market teams will not sustain.
What This Means for Mid-Market Companies
The goal is not to build a control environment that impresses auditors. It is to build one that protects the business and happens to satisfy audit requirements as a byproduct. Controls that prevent errors, catch fraud, and ensure reliable reporting serve the company first — the audit benefit is secondary.
Start with the 10 highest-risk processes in your finance function. For each, define one or two key controls. Document them in a single matrix. Ensure evidence is captured as part of normal operations. Review the matrix quarterly. This is enough to transform an audit from an adversarial investigation into a cooperative confirmation.