The note provides a practical approach, based on the COSO framework, for small/medium MFIs to put in place an effective internal control system. The functional areas that internal audit and control cover, such as financial transactions, operations and adherence to mission, have a direct relationship with the different types of risk an MFI faces. For small and medium MFIs, managing these risks becomes more complex because systems are still evolving, processes are individual-driven, procedures are sidelined, and they face human resource constraints, affordability issues, etc. The note argues that it is essential to have a system of sound internal audit and control at every stage of institutional growth, though setting up such a system may appear complex and costly. There are innovative and cost-effective ways through which such a system could be built, based on the elements of proper internal control and ownership at all levels within the organisation.