Andina's controller walks into your office pale. The AP analyst changed a historical supplier's bank details 8 months ago, redirecting $340K to a personal account. No one reviewed the change because there was no process. The responsible party found out yesterday when the real supplier called asking about the late payments.
This is the story every mid-market CFO eventually lives. If you're lucky, the loss is $50K and you learn the lesson. If you're unlucky, it's $1M+ and appears in the auditor's management letter as a "significant control deficiency" the board has to see.
For non-public companies, full SOX (Sarbanes-Oxley) is overkill — implementation costs 5-10% of revenue, dedicated internal control team, externals validating everything. But ABSENCE of controls is not an option either. Mid-market discipline is: implement the MINIMAL SET of controls that captures 80% of risk, execute them well, audit them annually. That is SOX-lite.
In this module you learn the 10 controls that compose that minimum set, their cost, and how to prioritize when you can't implement all at once. Let's go.
If you can only maintain THREE internal controls in your mid-market company, which do you choose?
In plain language
Before the mechanics, the four basic questions.
Why do this at all?
For two reasons, in this order: (1) Prevent material losses from fraud, error, or abuse, which in mid-market typically cost 1-3% of revenue per year when there are no controls. (2) Pass external audit with clean management letter, which translates to credibility with board, bank, shareholders, and buyers in due diligence. Controls are not bureaucracy — they are quantifiable operational protection.
Who designs, executes, and audits them?
CFO + Controller design the program. The OWNERS of each control are functional leaders (Procurement owns PO approval; Treasury owns bank reconciliation; IT owns ERP access). The board AUDIT COMMITTEE approves the program annually. INTERNAL AUDIT (if one exists) or the external auditor, as part of their work, tests that controls function in practice, not just on paper.
When are they implemented and reviewed?
Implementation: typically 6-12 months for the 10 controls in the minimum set. Annual review of design (do controls remain valid given business change?). Quarterly testing of EFFECTIVE operation (does the control operate as designed?). And eventually: any material change (new ERP, M&A, geographic expansion) triggers review.
What if we implement nothing?
Three predictable consequences: (1) Eventual fraud or material error — for mid-market without controls, the "typical" event costs $100-500K every 18-24 months. (2) Auditor management letter with "significant deficiency" or "material weakness" findings the board has to see and bank/investors can see in due diligence. (3) Invisible operational inefficiency — without controls, processes become ad-hoc, and no one knows what the "source of truth" is in moments of discrepancy. The cumulative loss is typically 2-3% of EBITDA per year, with no one able to put a number on it.
Andina S.A. — the phantom supplier incident
Andina, after the $340K phantom supplier incident, hires an external consultant for a risk assessment. The report arrives in 6 weeks. Diagnosis: 0 formal controls on supplier master data changes, 0 segregation between who creates suppliers and who processes payments, bank reconciliation taking 3 weeks (when it should take one), and no one in treasury auditing it.
The remediation plan recommends the 10 controls of the SOX-lite minimum set, with phased priority: three months for the THREE fundamental controls (segregation, JE approval, bank reconciliation), six months for the next four (approvals, access, inventory), and nine months for the three soft controls (whistleblower, master data, edge transactions).
Total program cost: $138K/year in recurring operation (controller time, partial internal auditor cost, approval software), plus $80K one-time implementation. Total year 1: $218K. Year 2 onward: $138K/year.
Honest comparison: $218K year 1 vs $340K lost in ONE single incident, not counting the management letter finding that in due diligence next year is worth ~$1-2M in price adjustment. The program pays for itself 5x just on the first event it prevents.
The visual below shows the 10 controls. Toggle any and watch the residual risk score change.
The 10 controls, live
Ten controls grouped by category: segregation, approval, reconciliation, access, monitoring. Each control has a risk reduction score (in basis points of total) and an annual cost.
The critical experiment: turn off the THREE first ones (segregation, JE approval, bank reconciliation). Watch the risk score DOUBLE. Those three are the fundamental defense line — if they're off, the rest only cushions.
Interactive visual: 10 essential controls — the minimum set
For non-public companies, full SOX is overkill. But absence of controls is a fast path to material errors, restatements, and qualified opinion. These are the 10 controls that capture ~80% of the risk. Toggle any off and watch exposure grow.
With all 10 controls active, the visual reports: residual risk score 100 / 1200 (Low); active controls 10 / 10; annual program cost $138K (in $K USD; excludes systems; assumes reuse of existing ERP).
What you are seeing
Three critical lessons: (1) The TOP THREE controls (segregation of duties, manual JE approval, bank reconciliation) capture ~50% of total risk. If a control among the 10 cannot be maintained, do NOT make it one of those three. (2) Total program cost is $130-150K/year — 5-10x cheaper than the cost of ONE material incident (discovered fraud, restatement, qualified opinion). (3) "Soft" controls (whistleblower channel, edge-transaction review) capture risk that "hard" controls miss — collaborative fraud or patterns that pass formal filters. Three layers of control, not one in depth.
The critical reading of the visual: controls have VERY uneven impact scale. Segregation of duties reduces 220 risk points; edge transaction review reduces 50. If your plan says "we will implement the 10 controls," fine. But if it says "we will implement 5 of the 10," the critical question is WHICH — and the right answer is the 5 with highest risk reduction, not the 5 easiest.
And critical for mid-market context: total cost of the 10-control program is ~$138K/year. That's 0.07% of revenue for a $200M company. The right conversation with the board is NOT "this is a lot of cost" — it's "it costs less than ONE material incident and eliminates the repeat findings on management letter." That reading changes the decision from "skipped" to "approved" in 5 minutes.
Third reading: "soft" controls (whistleblower channel, edge transaction review) capture risk that "hard" controls miss. Collaborative fraud (two people conspiring) passes segregation controls. Transaction patterns evading all individual thresholds pass tier approvals. That's why defense is in LAYERS — not in depth on a single control.
The mechanics: how to build a SOX-lite program
- Start with an honest risk assessment before designing controls. Where has something close to fraud happened? Where has the auditor found deficiencies? What processes are concentrated in a single person? The assessment guides prioritization — without it, you implement "by-the-book" controls instead of what your company most needs.
- Implement in waves, not all at once. Wave 1 (3 months): the THREE fundamentals — segregation of duties, manual JE approval, monthly bank reconciliation. Wave 2 (6 months): PO approval + ERP access + inventory. Wave 3 (9 months): soft controls (whistleblower, master data, edge transactions). Implementing all at once generates massive operational friction and "implementation theater" that doesn't work.
- Assign clear OWNERS to each control. A control without owner is a control that does not exist. Procurement is owner of PO approval. Treasury of bank reconciliation. IT of ERP access. Controller of JE approval. Without name and surname attached to each control, everyone assumes someone else handles it.
- Test controls quarterly — not just audit their existence. A control that exists in the manual but is not executed (or is executed poorly) is worse than not having it: it gives a false sense of security. Quarterly testing takes 1-2 days per quarter and costs nothing. Documentation: transaction sampling, evidence of approval, generated reports.
- Document deficiencies and remediation plan with owner and deadline. When a control test fails, do NOT silence it. Document as deficiency, assign owner, define remediation plan with date. The external auditor will see this in their next work — honest documentation GENERATES credibility; silence destroys trust.
- Report program status to the audit committee QUARTERLY. It is the audit committee's responsibility to oversee internal control (in sophisticated boards). Quarterly report includes: implementation status of each control, testing results, open deficiencies with plan, non-compliance events. Without this report, the committee can't fulfill its function — and you lose the governance backing the program needs.
- Preventive controls. Block errors BEFORE they occur. Example: PO approval before purchasing. Stronger but require process.
- Detective controls. Identify errors AFTER they occur. Example: monthly bank reconciliation. Weaker individually but catch what escapes preventives.
- Compensating controls. Reduce risk when a primary control can't be implemented. Example: in a 5-person company you can't do pure segregation, but you can compensate with monthly CFO review of all transactions.
- Hard controls. Formal controls with documented process, evidence of execution, named owner. Example: JE approval.
- Soft controls. Cultural controls — code of conduct, whistleblower channel, tone at the top. Capture collaborative fraud and patterns that escape hard controls.
- Practical rule: defense in LAYERS combines all five types. Hard controls alone leave gaps in collaborative fraud and patterns; soft controls alone leave gaps in individual transactions.
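The controls above can be tested with data the ERP already holds. The following is an added example, not code from the module or from Andina, of a detective check over supplier master data: it flags bank-detail changes with no independent approval, payments released shortly after such a change, and the segregation-of-duties breach from the opening story (the same user changing a supplier's bank details and releasing a payment to it). The log field names, the user names, the 30-day review window and all sample records are constructed assumptions.

```python
"""Detective check over supplier master-data changes (added example).

Assumed inputs: a supplier master change log, an approval log and a payment
log exported from the ERP. All records below are constructed sample data.
"""
from datetime import date, timedelta

REVIEW_WINDOW = timedelta(days=30)  # assumed window for the payment check

# Constructed sample records (not real data).
CHANGES = [
    {"id": "C1", "supplier": "S-100", "field": "bank_account",
     "changed_by": "ap.analyst", "date": date(2024, 3, 4)},
    {"id": "C2", "supplier": "S-200", "field": "bank_account",
     "changed_by": "ap.analyst", "date": date(2024, 3, 6)},
    {"id": "C3", "supplier": "S-300", "field": "address",
     "changed_by": "ap.clerk", "date": date(2024, 3, 7)},
]
APPROVALS = [
    {"change_id": "C2", "approved_by": "ap.analyst"},  # self-approval: does not count
    {"change_id": "C3", "approved_by": "controller"},
]
PAYMENTS = [
    {"id": "P1", "supplier": "S-100", "amount": 85000.0,
     "released_by": "ap.analyst", "date": date(2024, 3, 20)},
    {"id": "P2", "supplier": "S-200", "amount": 12000.0,
     "released_by": "treasury.lead", "date": date(2024, 6, 1)},
    {"id": "P3", "supplier": "S-300", "amount": 4000.0,
     "released_by": "treasury.lead", "date": date(2024, 3, 10)},
]


def unapproved_bank_changes(changes, approvals):
    """Bank-detail changes lacking approval by someone other than the changer."""
    approvers = {}
    for a in approvals:
        approvers.setdefault(a["change_id"], set()).add(a["approved_by"])
    return [c for c in changes
            if c["field"] == "bank_account"
            # an approval by the changer themselves is not a second pair of eyes
            and not (approvers.get(c["id"], set()) - {c["changed_by"]})]


def payments_after_unapproved_change(changes, approvals, payments, window=REVIEW_WINDOW):
    """(payment id, change id) pairs where a payment went to a supplier within
    `window` after an unapproved bank-detail change."""
    risky = unapproved_bank_changes(changes, approvals)
    flagged = []
    for p in payments:
        for c in risky:
            if c["supplier"] == p["supplier"] and c["date"] <= p["date"] <= c["date"] + window:
                flagged.append((p["id"], c["id"]))
    return flagged


def sod_violations(changes, payments):
    """Payments released by the same user who changed that supplier's bank details."""
    changers = {(c["supplier"], c["changed_by"])
                for c in changes if c["field"] == "bank_account"}
    return [p["id"] for p in payments
            if (p["supplier"], p["released_by"]) in changers]


def run_checks(changes=CHANGES, approvals=APPROVALS, payments=PAYMENTS):
    """Bundle the three detective checks into one report dict."""
    return {
        "unapproved_changes": [c["id"] for c in unapproved_bank_changes(changes, approvals)],
        "payments_after_unapproved_change":
            payments_after_unapproved_change(changes, approvals, payments),
        "sod_violations": sod_violations(changes, payments),
    }


if __name__ == "__main__":
    for name, hits in run_checks().items():
        print(f"{name}: {hits}")
```

Each hit is a finding to document with an owner and a remediation date, as the mechanics list requires; the self-approval case in the sample data is deliberately included because an approval log that accepts the changer's own signature satisfies the "evidence of approval" test on paper while leaving the control inoperative.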
Adversarial check
1. Your internal audit consultant recommends implementing 35 controls inspired by COSO in the first year. Do you proceed?
2. Your team tells you that the "manual JE approval" control is being skipped because "it slows the close." What do you do?
3. Your board asks: "Do we need formal internal controls if our external auditor has not found problems?" What do you respond?
Exit checklist
Suggested re-review: annually with audit committee program review. Any material change (M&A, new ERP, geographic expansion) triggers re-evaluation of control design.