Disclosure: This article was written with the assistance of ChatGPT. The content and ideas and revisions are mine. ChatGPT just cleans it up and adds clarity. While I avoid using AI in my fiction writing, I do use AI for business-style writing, as illustrated in the article below. The former (fiction writing) is deeply human and sacred to me. The latter (commercial writing, like this article) is for informational purposes. In other words, “it isn’t personal Sonny, it’s strictly business.”

For the Small Business: Internal Controls Can Be as Simple as Not Spilling Coffee

“Internal controls.” You hear that and your mind jumps to dense regulations, compliance manuals, and auditors donning bowties and Buddy Holly glasses. Let’s bypass those fears in this post. To begin, understand that internal control starts with an objective. Here this is our objective:

Prevent coffee from spilling onto computer hardware.

Sounds trivial? Not really. Coffee accidents have caused more than one laptop to be replaced and more than a few hours of lost productivity. To a small business, where your world exists on that hardware, that could be devastating. Sidebar: even if you are in an industry that is not legally required to have a Business Continuity/Disaster Recovery Plan (this sounds fancy too but it doesn’t have to be fancy in practice) having a plan is a best practice. This FTC guidance is helpful to determine such applicability.

---

The Checklist as a Control Mechanism

How do you make sure the control objective (not spilling coffee on your computer/protecting your vital computer hardware)? By breaking it into practical steps. A simple checklist works as a control mechanism here:

• ☑ Coffee is placed in an area away from where the computer is located.
• ☑ Coffee is positioned on the user’s left side.
• ☑ Placement ensures that, if spilled, coffee cannot reach the computer.
• ☑ The table space nearest the computer is occupied by writing material, not beverages.

Why is the checklist a control mechanism here? Because it translates the objective (not spilling coffee on hardware) into specific actions that can be consistently followed and verified. Instead of relying on memory or good habits alone, the checklist enforces the behavior needed to reduce the risk.

Why is the checklist verifiable? A checklist is verifiable because it creates a documented, repeatable record of the control being performed.

Here’s why:

1. Clear Criteria — The checklist breaks the control objective into specific, observable actions. This makes it easy to check whether each step was completed.
2. Documentation — A filled-out checklist serves as physical proof that the control was performed.
3. Sign-offs — When responsible or accountable parties sign the checklist, they confirm compliance, creating accountability.
4. Observability — The steps on a checklist are concrete and monitorable, so someone can physically observe whether they were done correctly.

So verification comes from the fact that the checklist turns abstract goals (“don’t spill coffee”) into concrete actions that can be checked, signed, and stored as evidence.

The verification also ensures that the control is monitorable. Good controls are monitorable. They are also measurable. In this example, monitoring could be done by periodic observation—such as a supervisor checking coffee placement at the start of a shift—or by reviewing completed checklists signed off by the responsible employee. Measuring could then be achieved by tracking compliance rates over time (e.g., percentage of days the checklist was completed without incident) and reporting those results in regular oversight reports. This creates a quantifiable record of control effectiveness that can be used for continuous improvement and audit purposes.

---

RACI: Governance on Top of the Control

But controls aren’t just about what you do—they’re about who is responsible. That’s where RACI comes in.

For our “coffee placement” control:

• R (Responsible): Desk Employee
• A (Accountable): Manager
• C (Consulted): President
• I (Informed): Board of Directors

This isn’t bureaucracy—it’s clarity. Everyone knows who places the coffee, who makes sure the rule is followed that it is placed properly, who provides compliance perspective, and who is kept in the loop.

Here’s the sheet in practice:

Is it overkill to assign high-level employees to a process like this? At first glance, yes. But in a small company—say, an S-Corp with a single shareholder and one employee—you are all of these people. In that context, a “Board of Directors meeting” isn’t a grand affair. It’s essentially a documented consultation with yourself, serving to show that you’re maintaining the corporate form and protecting against alter ego liability.

---

Strengths and Weaknesses of the Present Controls

Looking at this example as if it were a real control environment, here’s how it stacks up:

Strengths

• Checklist: Clear, actionable steps that directly mitigate the risk.
• Sign-offs: RACI chart provides signature lines for accountability and evidence.
• Clarity of Ownership: Roles are explicitly defined.
• Communication Flow: Information moves to the right people in the process.

Weaknesses

• No Segregation of Duties: The same desk employee both executes and benefits from the control. Oversight is minimal.
• Board of Directors as Informed Role: Having the BOD as “Informed” on coffee placement is excessive for such a minor operational risk.
• Recommendation: Frame BOD involvement in terms of Disaster Recovery Preventative Controls.
• For small operational controls (coffee placement, daily habits), oversight should remain at the employee/manager/CCO level.
• For broader continuity risks (loss of a primary computer, IT outage, disaster recovery), the BOD should be informed at a higher reporting level, not on day-to-day operational steps.

---

Why This Matters

The coffee example may seem trivial, but it’s a perfect analogy for how internal controls work in real business:

• Objective: Define what you’re trying to prevent or achieve.
• Mechanism: Put in place practical steps or tools to enforce the objective.
• Governance (RACI): Make sure roles and responsibilities are crystal clear.
• Review: Strengths and weaknesses should be assessed and controls refined over time.

Whether you’re an author, content creator, IT company, or consultant just trying to protect your workspace, the formula is the same.

---

Final Thought

Internal controls don’t have to be abstract. Sometimes they’re as straightforward as asking: “Where’s the coffee cup sitting?”

If you can explain controls in terms of everyday risks, your team is more likely to understand them, follow them, and—most importantly—believe in them.

Have any controls yourself? Let me know! — I’d be glad to hear about them.

About the Author
David O’Boyle is a lawyer, writer, entrepreneur, and compliance professional with experience in consumer finance and self-publishing. He ‘boyles down’ complex regulatory and governance concepts into practical, relatable lessons—sometimes using coffee cups instead of flowcharts. He is also the founder and President of Boyledown Lending Inc. a consumer finance company in Virginia license CFI-256.

Disclosures:

DISCLOSURE 1: This website and Boyledown Lending Inc. are under the common control of David O’Boyle.

DISCLOSURE 2: This post is for informational and educational purposes only. It does not constitute legal, tax, or financial advice, and no attorney–client or advisor–client relationship is created by reading it. Readers should consult their own qualified legal, tax, or compliance professionals before making any decisions related to the topics discussed.