Record Number of Internal Control Deficiencies: Hidden Blind Spots in SMEs

The Shock of Internal Control Deficiencies Reaching the Third-Highest Level Ever

In fiscal year 2025, the number of listed companies reporting “material weaknesses” or “significant deficiencies” in their internal controls under the internal control reporting system reached the third-highest level since 2012, according to a report by ScanNetSecurity.

At first glance, this news might seem like a concern only for large corporations. However, I believe that SME owners, in particular, should not dismiss these figures as someone else’s problem.

Why? Because the root cause of internal control deficiencies is less about “the absence of a system” and more about “a system that exists but isn’t functioning.” And this fundamental dysfunction is essentially the same for both large corporations and SMEs.

This article analyzes this news from a “risk design” perspective and offers concrete actions that SME owners can apply to their own governance right now.

The Fundamental Problem in “Design” Revealed by Internal Control Deficiencies

What deserves attention in this news is not just the number of deficiencies, but their “quality.”

According to the report, the deficiencies cover a wide range of issues, including the formalization of management checks, insufficient IT system controls, and lax subsidiary management. What they all have in common is that “rules were created, but they aren’t functioning on the ground.”

Here, recall the editorial policy’s definition of “governance = a high-level management design concept.” Internal controls are a “mechanism” for achieving business objectives. If the mechanism isn’t working, it’s because there’s a problem with the design itself.

Many companies fall into the trap of thinking about “internal controls for compliance.” They increase checklists and complicate approval flows just to follow laws and regulations. However, this only increases the burden on the front lines without reducing fundamental risks. In fact, it leads to formalization and causes companies to overlook the risks that truly need monitoring.

This news is a classic example of how designing internal controls with an “all-or-nothing” mindset inevitably leads to cracks somewhere.

The True Nature of “Invisible Deficiencies” Lurking in SMEs

While deficiencies in listed companies’ internal controls are being reported, what about internal controls in SMEs? Unlike listed companies, SMEs have no obligation to disclose their internal controls, so the true extent of deficiencies remains invisible. However, based on my experience supporting over 38 clients, I can say that many “invisible deficiencies” lurk within SMEs.

The most prominent of these is “over-reliance on specific individuals.” Practices with business partners known only to one employee, accounting rules not handed down from a predecessor, or key contract terms known only to the president—all of these are internal control deficiencies.

Over-reliance on individuals creates the risk that operations will grind to a halt the moment that person leaves. It can also become a breeding ground for fraud. However, many SME owners tend to downplay this risk, thinking, “We’re small, so we’ll be fine,” or “We’ve been doing this for years, so there’s no problem.”

This is precisely the trap of an all-or-nothing approach to risk. Even if the probability of occurrence is low, if the potential impact is severe, it’s a risk that cannot be ignored. The risk of over-reliance on individuals is a classic case of “low probability, but extremely high impact.”

Three Concrete Actions to Start Right Now

So, how should SME owners address these “invisible deficiencies”? You don’t need to introduce a large-scale internal control system like a big corporation. Start with these three actions.

Start by “Visualizing” Your Workflows

First, try creating simple diagrams of all your major workflows. Who does what, and in what order? Be sure to clearly identify the points where approvals or authorizations occur.

This process will highlight tasks that are overly dependent on one person, duplicated efforts, or, conversely, tasks for which no one is responsible. The diagram doesn’t need to be perfect. The act of visualizing the current state is valuable in itself.

Introduce a “Double-Check” System

You don’t need a double-check for every task. However, for high-risk tasks like cash handling or signing important contracts, create a system that ensures at least two people review the process.

The key point is that the person doing the checking should have not only the “authority to check” but also the “authority to reject.” To make it a substantive check rather than a mere formality, you need an environment that ensures psychological safety.

Establish an Annual “Internal Control Review Day”

Once a year, set aside a day for all employees to gather and review the state of your company’s internal controls. Use this day as an open forum for everyone to freely share any risks they’ve noticed or workflows they’d like to improve.

As the owner, commit to sincerely listening to the feedback and implementing improvement measures. This process itself becomes the most powerful driver for enhancing the effectiveness of your internal controls.

Transforming Internal Controls into a “Growth Engine”

Internal controls are not just for “defense.” When properly designed, they become a “mechanism” that promotes operational efficiency, eliminates over-reliance on individuals, and accelerates organizational growth.

What this news shows us is that internal control deficiencies stem not from a “lack of a system” but from “errors in design.” And this perspective on “design” is essential for all business owners, regardless of company size.

Are your company’s internal controls truly functioning? Take this opportunity to confront your own “invisible deficiencies,” redesign your risks appropriately, and guide your company toward its next phase of growth.