Internal Controls for Maltese SMEs 2026

A practical guide to internal controls for Maltese SMEs: the five COSO components, segregation of duties on a small team, and key controls to put in place.

Internal Controls for Maltese SMEs 2026

By the EGM Assurance Editorial Team · Last reviewed June 2026 · 11 min read

Internal controls are often thought of as something only large companies need, a bureaucratic overlay of policies and sign-offs that small businesses can do without. That is a costly misunderstanding. Internal controls are simply the processes a company uses to safeguard its assets, keep its records reliable, prevent and detect error and fraud, and ensure it complies with its obligations. Every company has them, whether deliberately designed or not; the only question is whether they are good enough. For a small or medium-sized Maltese company, well-chosen controls are the difference between a business the directors can actually rely on and one that is exposed to loss, error and fraud. They are also a direct protection for the directors personally.

This guide explains internal controls in practical terms for the directors and owners of Maltese SMEs. It sets out what internal control actually means, the five-component framework that auditors and regulators use to think about it, the particular challenge of segregation of duties on a small team, the specific controls worth implementing across the main areas of a business, the role of the director, and how good controls connect to the audit and to director duties under the Companies Act. The aim is implementation, not theory: by the end you should be able to look at your own company and identify where the gaps are. The position reflects general good practice as at June 2026.

This article completes our audit cluster: where the audit findings and management letter guide explains how weaknesses in control are reported to you, this guide explains how to build the controls in the first place. The two are best read together.

1. What internal control actually means

Internal control is the system of processes, policies and practices put in place by a company’s directors and management to provide reasonable assurance that the company achieves its objectives in three broad areas: the effectiveness and efficiency of operations, the reliability of financial reporting, and compliance with applicable laws and regulations. It is not a single document or a piece of software; it is the combination of everything the company does to keep itself honest, accurate and protected.

Two features of that definition matter for SMEs. First, internal control provides reasonable, not absolute, assurance. No system can eliminate all risk, and a control system must be proportionate to the size and complexity of the business. Second, internal control is the directors’ responsibility. It is not something the auditor provides, nor something that can be wholly delegated to a bookkeeper; the directors are responsible for establishing and maintaining an adequate system of control, even where they engage others to operate parts of it.

Every company already has internal controls. The question is only whether they are adequate and deliberate, or accidental and full of gaps. The goal for an SME is not a heavy corporate bureaucracy, but a proportionate set of controls that genuinely reduce the risk of error, loss and fraud. Reasonable assurance, proportionate to the business, is the standard, not perfection.

2. The five components of internal control

Auditors, regulators and standard-setters internationally analyse internal control using a five-component framework, originally developed by COSO (the Committee of Sponsoring Organizations) and embedded in the auditing standards, including ISA 315, which governs how auditors understand a company’s controls. Understanding the five components gives a director a structured way to assess their own company. All five must be present and functioning, regardless of company size, though, as Section 3 explains, smaller companies apply them differently.

Control environment

The control environment is the foundation: the overall culture, integrity, ethical values and governance of the company, set by the directors and senior management. It is the “tone at the top.” A strong control environment means management visibly values honesty and accuracy, defines responsibilities clearly, and does not tolerate shortcuts. Because it underpins everything else, a weak control environment undermines all the other components, most importantly through the risk of management override, where those at the top bypass the very controls they have set.

Risk assessment

Risk assessment is the process of identifying and analysing the risks that could prevent the company from achieving its objectives, including the risk of fraud, so that controls can be designed to address them. For an SME this need not be elaborate, but it should be deliberate: the directors should periodically ask what could go wrong (theft of cash, unpaid debtors, supplier fraud, error in the accounts, a key-person dependency) and ensure there is a control addressing each significant risk.

Control activities

Control activities are the specific policies and procedures that actually mitigate risk: authorisations, approvals, reconciliations, verifications, physical controls over assets, and segregation of duties. These are the controls most people picture: the requirement that a second person approves a payment, that the bank is reconciled monthly, that stock is counted. They can be preventive (stopping an error or fraud before it happens) or detective (catching it afterwards).

Information and communication

This component concerns whether the right information reaches the right people in time to act on it. The company needs accurate, timely information such as management accounts, reconciliations and exception reports, and clear channels through which responsibilities and concerns are communicated. A control only works if the person responsible for it has the information to perform it and knows it is their job.

Monitoring

Monitoring is the process of checking that the controls are actually working over time and remediating deficiencies when they are found. This can be ongoing (built into routine supervision) or periodic (a management review, an internal check, or the findings of the external audit). Controls decay if no one checks them; monitoring is what keeps the system alive.

A simple way for a director to use the five components: the control environment is the culture, risk assessment is asking what could go wrong, control activities are the specific checks you put in place, information and communication is making sure the right people have what they need, and monitoring is confirming it all still works. Walk through your own company against these five and the gaps usually become obvious.

3. The SME challenge: segregation of duties on a small team

The single hardest control for a small company to achieve is segregation of duties, the principle that no one person should control an entire transaction from start to finish. Ideally, the person who authorises a payment is different from the person who makes it, who is different again from the person who records it and the person who reconciles the bank. On a team of three or four, that separation is often simply impossible, and this is where most SME control weaknesses arise.

The standard-setters recognise this. All five components must still be present, but smaller companies are expected to rely more heavily on certain compensating measures where full segregation of duties is not feasible, particularly direct involvement by the owner or director, and after-the-fact monitoring. The practical answer for an SME is not to pretend it has segregation it does not, but to put in place compensating controls:

  • Owner or director review: where one person handles a process end to end, the owner independently reviews the output. For example, the director personally reviews the monthly bank reconciliation and the list of payments made, even if they did not perform them.

  • Bank-level controls: dual authorisation for payments above a threshold set at the bank, so the bank itself enforces a second approval the company cannot bypass.

  • Independent reconciliations: having a person not involved in processing transactions (sometimes an external accountant) perform or review key reconciliations.

  • Direct owner oversight of cash and sensitive areas: the owner retaining personal control of the most theft-prone points, such as opening bank statements or approving new suppliers and payroll changes.

  • Use of the external accountant or periodic external review to provide an independent check the internal team cannot.

The goal is to ensure that no single person can both perpetrate and conceal an error or fraud without someone else having a realistic chance of detecting it. Where duties cannot be split, visibility and review are the compensating defence.

Lack of segregation of duties is the most common control weakness in small companies, and it is the one most often raised in audit management letters. The solution is rarely to hire more people; it is to layer in compensating controls, especially genuine, documented owner review of the areas one person controls end to end. An owner who actually reads the bank reconciliation each month closes most of the gap.

4. Key controls worth implementing, area by area

The following are the practical, high-value controls an SME should consider across the main areas of the business. Not every control suits every company; the point is to match controls to the risks that matter for your specific operations.

Cash and bank

  • Monthly bank reconciliations for every account, reviewed by someone other than the preparer (or by the owner).

  • Dual authorisation for payments above a set threshold, enforced at the bank.

  • Restricted and logged access to online banking, with segregation between who sets up a payee and who approves a payment where possible.

  • Prompt review of bank statements by the owner, ideally before they reach the person who processes transactions.

Purchases and payments

  • Approval of purchase orders and invoices by an authorised person before payment, matched to goods or services actually received.

  • A controlled, verified supplier master file, with new suppliers and changes to bank details independently confirmed (a key defence against invoice-redirection fraud).

  • Segregation, as far as possible, between ordering, receiving, approving and paying.

Sales and receivables

  • Timely, accurate invoicing and an aged debtors review to chase overdue accounts and identify bad debts early.

  • Credit checks or limits for significant new customers.

  • Reconciliation of receipts to invoices and prompt follow-up of unallocated receipts.

Payroll

  • Independent approval of new starters, leavers and changes to pay or bank details.

  • Review of the payroll by the owner or a manager before it is paid, against expectations.

  • Reconciliation of payroll to the accounting records and to FSS and social security submissions.

Inventory and fixed assets

  • Periodic physical stock counts reconciled to the records, with differences investigated.

  • A fixed asset register reconciled to the ledger, and controls over the acquisition and disposal of assets.

  • Physical security over valuable or portable assets.

Financial reporting and IT

  • Monthly management accounts and key reconciliations reviewed by the directors.

  • Controlled access to accounting systems, with individual logins and appropriate permissions rather than shared credentials.

  • Regular, tested backups of accounting data, and basic cybersecurity hygiene.

None of these requires a large team or expensive systems. Most are a matter of deliberate routine: deciding that a control will happen, assigning it to a named person, and confirming it is performed.

5. Management override: the risk at the top

The most dangerous control weakness is not on the shop floor but at the top. Management override of controls, where a director or owner uses their authority to bypass the controls that apply to everyone else, is the risk that no ordinary control activity can fully address, because the person overriding is the person controls are meant to constrain. It is a leading cause of significant financial-statement fraud.

For an owner-managed SME this requires honesty from the directors themselves. The defences are governance-level rather than procedural: a genuine culture of doing things properly; transparency to co-owners and, where relevant, to a board or external accountant; not treating company assets as personal; and submitting the most sensitive areas (large or unusual transactions, related-party dealings, director expenses) to independent review even though the director could approve them alone. Where there is more than one owner or director, mutual visibility is itself a powerful control.

Controls only work if they apply to everyone, including the people at the top. The fastest way to hollow out a control system is for the owner to treat the rules as applying to staff but not to themselves. Submitting your own significant and unusual transactions to independent review is not a loss of control. It is the mark of a system that will withstand scrutiny from auditors, co-owners, lenders and regulators.

6. How internal controls connect to the audit

Internal controls and the external audit are closely linked, and understanding the link helps directors get value from both. When a company is audited, the auditor is required (under ISA 315) to obtain an understanding of the company’s internal control relevant to the audit, in order to identify the risks of material misstatement and design appropriate procedures. The auditor does not opine on the effectiveness of the controls, but the deficiencies they notice along the way are reported to management and the board.

This is the direct connection to the audit findings and management letter: the control weaknesses an auditor identifies are exactly the gaps this guide is about, classified by severity (a deficiency, a significant deficiency, or a material weakness). A company with strong controls tends to have a smoother, less costly audit, because the auditor can place more reliance on the system and perform less extensive substantive testing, while a company with weak controls faces more testing, a higher fee, and a longer management letter. Improving controls is therefore not only good business; it directly reduces audit friction and cost.

Strong internal controls and a smooth, economical audit go together. Where controls are reliable, the auditor can test less and trust the system more; where they are weak, the auditor must do more work, the fee rises, and the management letter grows. Every control weakness closed is one fewer finding in next year’s management letter. Our audit findings guide explains how those findings are reported and how to respond.

7. Internal controls and director duties

Beyond the operational benefits, there is a governance and legal dimension. Directors of Maltese companies owe duties under the Companies Act, including to exercise the degree of care, diligence and skill reasonably expected and to promote the well-being of the company. Maintaining an adequate system of internal control, proportionate to the company, is part of discharging those duties. Directors are also responsible for keeping proper accounting records and for safeguarding the company’s assets, both of which depend on functioning controls.

The protection runs in both directions. Good controls protect the company from loss and the directors from the consequences of failures they could have prevented. Where a company suffers a fraud, a major error, or an insolvency, the adequacy of its internal controls, and the directors’ attention to them, is part of how the directors’ conduct is judged. A director who established sensible controls and monitored them is in a far stronger position than one who left the company exposed. In this sense, building internal controls is a form of director protection, not merely an operational nicety.

8. Implementing controls without over-engineering

A common fear is that introducing controls will bog the business down in bureaucracy. The answer is proportionality: the right controls for the risks that matter, and no more. A practical implementation approach for an SME:

  • Start with a simple risk assessment: list the ways the company could lose money or misstate its accounts, and rank them by likelihood and impact.

  • Address the biggest risks first with targeted controls, rather than trying to control everything at once.

  • Make each control someone’s explicit responsibility, with a clear frequency (daily, monthly, at year-end).

  • Favour controls that are cheap and high-impact, such as owner review of the bank reconciliation, dual bank authorisation and supplier-bank-detail verification, over elaborate procedures that will not be sustained.

  • Document the key controls simply, so they survive staff changes and can be demonstrated to an auditor or lender.

  • Review the controls periodically and after any significant change in the business, the team or the systems.

The test of a good SME control system is not how comprehensive it looks on paper but whether it is actually performed, proportionate to the risks, and genuinely reduces exposure. A handful of well-chosen controls that are reliably carried out beats an elaborate manual that no one follows.

9. Frequently asked questions

Do small companies really need internal controls?

Yes. Every company has internal controls of some kind; the question is whether they are adequate. Small companies are often more exposed to loss and fraud precisely because they lack segregation of duties and rely on a few trusted people. Proportionate controls, matched to the size and risks of the business, protect the company’s assets and records and protect the directors. The aim is not corporate bureaucracy but a sensible, deliberate set of checks.

What are the five components of internal control?

Control environment (the culture and tone at the top), risk assessment (identifying what could go wrong), control activities (the specific checks such as approvals and reconciliations), information and communication (getting the right information to the right people), and monitoring (checking the controls still work and fixing deficiencies). The framework comes from COSO and is used in the auditing standards. All five must be present, though smaller companies apply them more informally.

How do I achieve segregation of duties with only a few staff?

Often you cannot achieve full segregation, so you use compensating controls instead. The most important is genuine owner or director review of the areas one person controls end to end. For example, the owner personally reviews the bank reconciliation and the payments made. Others include dual bank authorisation enforced by the bank, independent reconciliations (sometimes by an external accountant), and the owner retaining control of the most sensitive points such as approving new suppliers and bank-detail changes.

What is management override and why does it matter so much?

Management override is when a director or owner uses their authority to bypass the controls that apply to everyone else. It matters because ordinary control activities cannot constrain the very people who can override them, and it is a leading cause of significant financial-statement fraud. The defences are governance-level: a genuine culture of doing things properly, transparency to co-owners and the external accountant, and submitting significant, unusual and related-party transactions to independent review even where the director could approve them alone.

Will better internal controls reduce my audit fee?

Often, yes. Where controls are reliable, the auditor can place more reliance on the system and perform less extensive substantive testing, which tends to make the audit faster and more economical. Weak controls have the opposite effect: more testing, a higher fee and a longer management letter. Improving controls reduces audit friction year on year and closes the findings that would otherwise recur.

Does the auditor check or design our internal controls?

The auditor obtains an understanding of the controls relevant to the audit, to assess the risk of material misstatement and design procedures, but does not express an opinion on the effectiveness of internal control, and cannot design or operate the controls without impairing independence. The auditor can point out deficiencies in the management letter, but designing and implementing the controls is management’s responsibility.

Are internal controls a legal requirement in Malta?

Directors are responsible under the Companies Act for keeping proper accounting records and safeguarding the company’s assets, both of which depend on functioning internal controls, and for exercising reasonable care, diligence and skill. While an SME is not required to adopt a particular formal framework, maintaining an adequate, proportionate system of control is part of discharging directors’ duties, and its adequacy is relevant if the company’s conduct is later examined. Regulated entities face additional, specific control requirements from their regulator.

Where should an SME start if it has no formal controls?

Start with a simple risk assessment, listing how the company could lose money or misstate its accounts and ranking the risks, then address the biggest risks first with targeted, low-cost controls. Owner review of the monthly bank reconciliation, dual bank authorisation for larger payments, and independent verification of new supplier bank details are high-impact starting points. Assign each control to a named person with a clear frequency, and build from there rather than trying to control everything at once.

How do internal controls help prevent fraud?

Controls make it harder for any one person to both commit and conceal a fraud without detection. Segregation of duties (or compensating owner review), authorisation requirements, reconciliations, verification of supplier and payroll changes, and monitoring all reduce both the opportunity and the chance of going unnoticed. No system eliminates fraud entirely, but a proportionate set of controls removes the easy opportunities and increases the likelihood of early detection.

How often should we review our internal controls?

Periodically, at least annually, and whenever something significant changes: a new system, a change in key staff, a new line of business, or rapid growth. Controls decay if no one checks them, and a change in the team or the systems can quietly open a gap. The external audit and the management letter are also a useful annual prompt to review and improve the control system.

Related guides from EGM Assurance

Authoritative references

Want to strengthen your company’s internal controls? EGM Assurance helps directors of Maltese SMEs design proportionate, practical internal controls, closing the gaps that lead to loss, fraud and audit findings without burdening the business in bureaucracy. Build a system you can actually rely on. Get in touch →

This article is prepared by EGM Assurance for general informational purposes and reflects general good practice and the internationally recognised framework for internal control as at June 2026. It is not legal or professional advice. The appropriate internal controls for a company depend on its specific size, risks and circumstances. Always obtain specific advice from a qualified professional when designing or assessing your internal control system.