Data Governance & AI Readiness · 5 min read

Internal Controls Framework for Mid-Market Companies

How to build an internal controls framework proportionate to a mid-market business — covering risk assessment, control design, monitoring, and the common failure modes.

Key Takeaways

  • A controls framework is not a compliance exercise — it is the system that determines whether your financial data is trustworthy.
  • Mid-market companies fail at controls not because the task is complex, but because nobody owns the framework.
  • COSO identifies the control environment — tone at the top — as the most critical component, ahead of any specific control activity.

Internal controls in a mid-market company are either absent, informal, or inherited from a template that does not reflect how the business actually operates. The first case is dangerous. The second is fragile. The third is theatre.

A controls framework is not a binder of policies that sits on a shelf. It is the operating system that determines whether the numbers your business produces — in management reports, tax filings, investor packs, and board presentations — are trustworthy. Without it, every financial output carries an implicit disclaimer: “these numbers might be right.”

The COSO framework — updated in 2013 and still the global standard — defines internal control through five components: control environment, risk assessment, control activities, information and communication, and monitoring. Every company, regardless of size, needs all five. The question is not whether you need a framework, but how to scale one to fit a mid-market operation.

Starting With Risk Assessment

Most mid-market companies skip this step and jump straight to controls. That is backwards. A control without a defined risk it addresses is a bureaucratic step with no purpose.

Risk assessment for a mid-market finance function asks: what could go wrong with our financial data, and what would the impact be? The answer varies by business, but common financial reporting risks include:

  • Revenue recorded in the wrong period or at the wrong amount.
  • Costs not captured or misclassified.
  • Cash outflows made without proper authorisation.
  • Payroll processed incorrectly.
  • Intercompany transactions not eliminated.
  • Tax positions taken without adequate support.

EY guidance on mid-market risk assessment recommends ranking each risk by likelihood and impact, then focusing controls on the top 10-15 risks. Below that threshold, the cost of the control exceeds the risk it mitigates.

For each identified risk, define what could cause it (the root cause), what the financial impact would be (materiality), and how likely it is to occur without a control (inherent risk). This assessment becomes the foundation for every control you design.

Designing Proportionate Controls

A control must be specific, assignable, evidenced, and tested. Vague policies — “all expenditure must be approved” — are not controls. A control states who approves what, above what threshold, with what evidence, and how exceptions are handled.

Preventive controls stop errors before they enter the system. Examples: system-enforced mandatory fields (you cannot post a journal without a cost centre), payment approval thresholds (no payment above £5K without dual sign-off), and access restrictions (only designated users can create new suppliers).

Detective controls catch errors after they occur. Examples: monthly reconciliations, exception reports, management review of unusual items. Detective controls are essential because no preventive control catches everything.

The balance between preventive and detective controls matters. An over-controlled environment — where every transaction requires three approvals — slows the business to a crawl. An under-controlled environment with only detective controls means errors are found but not prevented. The right mix depends on the risk: high-risk, high-value transactions need strong preventive controls. Routine, low-value transactions can rely on detective controls.
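As an added example that is not part of the article, the following Python sketch encodes the preventive controls just described (mandatory cost centre, dual sign-off above £5K by independent approvers, restricted supplier creation) and then reuses the same rules as a detective exception report over a constructed batch of already-posted payments. The designated-user list, field names and sample payments are assumptions, not the article's data.

```python
from dataclasses import dataclass, field

DUAL_SIGNOFF_THRESHOLD = 5_000  # GBP, the article's example threshold
SUPPLIER_CREATORS = {"ap.lead", "controller"}  # assumed list of designated users

@dataclass
class Payment:
    ref: str
    amount: float
    requested_by: str
    approvers: list = field(default_factory=list)
    cost_centre: str = ""

def preventive_check(p: Payment) -> list:
    """Preventive control: reasons the payment must be rejected before posting (empty = ok)."""
    errors = []
    if not p.cost_centre:  # system-enforced mandatory field
        errors.append("missing cost centre")
    # Segregation of duties: the requester cannot count as an approver of their own payment.
    independent = set(p.approvers) - {p.requested_by}
    if not independent:
        errors.append("no independent approver")
    # Dual sign-off above the threshold; the two approvers must be distinct people.
    if p.amount > DUAL_SIGNOFF_THRESHOLD and len(independent) < 2:
        errors.append(f"amount {p.amount:.2f} > {DUAL_SIGNOFF_THRESHOLD} needs two independent approvers")
    return errors

def can_create_supplier(user: str) -> bool:
    """Access restriction: only designated users may create new suppliers."""
    return user in SUPPLIER_CREATORS

def exception_report(posted: list) -> list:
    """Detective control: re-run the preventive rules over payments already posted
    and list those that slipped through (e.g. via a manual override)."""
    report = []
    for p in posted:
        reasons = preventive_check(p)
        if reasons:
            report.append((p.ref, reasons))
    return report

# Constructed sample batch for a stand-alone run (not real ledger data).
SAMPLE = [
    Payment("PAY-001", 1_200.00, "j.smith", ["a.jones"], "CC-100"),
    Payment("PAY-002", 7_500.00, "j.smith", ["a.jones"], "CC-100"),  # > 5K, one approver
    Payment("PAY-003", 9_000.00, "j.smith", ["j.smith", "a.jones"], "CC-200"),  # self-approval
    Payment("PAY-004", 300.00, "k.lee", ["a.jones"], ""),  # missing cost centre
]
```

Running `exception_report(SAMPLE)` flags PAY-002, PAY-003 and PAY-004 with their reasons, while PAY-001 passes every rule.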

The Control Environment

COSO places the control environment — essentially, leadership’s attitude towards controls — as the foundational component. If the CEO routinely bypasses approval processes, or if the board does not ask about control effectiveness, no amount of documented policies will create a functioning control environment.

In a mid-market company, the control environment is set by two or three senior people. Their behaviour determines whether controls are followed or circumvented. Hackett Group research on finance function effectiveness shows that companies where leadership actively engages with control outcomes have materially fewer financial restatements and audit adjustments.

This does not mean the CEO needs to review every journal. It means the leadership team needs to ask the right questions: Are reconciliations current? Were there any control exceptions this month? What was done about them? These questions signal that controls matter.

Monitoring and Maintaining the Framework

A framework that is not monitored decays. Controls that were appropriate when the business had 20 employees may not work at 80. A payment threshold set at £5,000 when revenue was £3M needs revisiting at £15M.

Build a quarterly review cycle: are the key controls still operating? Is the evidence being captured? Have any new risks emerged that are not covered? Are there controls that no longer serve a purpose and should be removed?

The IIA (Institute of Internal Auditors) recommends that even companies without a formal internal audit function designate someone to perform this monitoring role. In a mid-market company, this is typically the Financial Controller or the most senior finance person below the CFO.

What This Means for Mid-Market Companies

You do not need an internal audit department. You do not need a 50-page controls manual. You need a risk assessment, a short list of key controls matched to real risks, evidence that those controls operate, and someone who checks quarterly that the framework still fits the business.

The return is not abstract. Companies with functioning controls close faster, audit cheaper, report more reliably, and — when it matters most — can demonstrate to investors, acquirers, and regulators that their numbers are trustworthy. That trust has direct financial value.
