When implementing or designing financial controls within Accounts Payable (AP), every CFO should start by asking themselves this question: are our financial controls suitable for the cyber-threat environment of yesterday or today?
Adequate internal controls are a crucial pillar of anti-fraud and anti-cyber-crime strategies. Technology now enables us to automate all or part of the business processes that make up financial controls, which can be a critical efficiency during economic downturns and the rising costs of running an accounts payable team.
That doesn’t mean that every control can or should be automated, though. So let’s explore the pros and cons of manual vs automated controls.
In finance, internal controls are processes designed to ensure the integrity of financial and accounting information, foster accountability, safeguard assets, increase operational efficiency, and promote compliance with laws and regulations. Financial controllers, auditors, and accountants are primarily responsible for these controls, but all employees play a role in reducing financial risk and enhancing security.
Internal control objectives, as defined by COSO, fall into three categories: operations (efficiency and effectiveness), reporting (reliability and transparency), and compliance (adherence to laws). The five components of the COSO framework are control environment, risk assessment, information and communication, monitoring activities, and control activities. These components help organisations create, implement, and maintain effective internal controls to manage risks and ensure compliance.
A KPMG survey found that, while many organisations are embracing digital transformation, nearly half of surveyed organisations’ internal control systems remain “patchy, undocumented, not automated and lacking clear ownership.”
Whether automated or manual, the risks of inadequate controls are too high to ignore, especially with cyber-crime rates on the rise. Without strong controls in place, your organisation could be more vulnerable to fraudsters and cyber-criminals — not to mention error and oversight.
When evaluating manual versus automated financial controls, we’ll be considering controls that fall into the following three categories:
Find out more about the components of financial controls and the different types of internal controls.
Once we start examining the objectives of different controls, it’s clear that some of them aren’t good candidates for lots of automation. For instance, some corrective controls might require careful decisions and contextual reasoning, which means it shouldn’t be an automated task.
Across each different category, though, there are a number of highly manual, time-consuming tasks that don’t require quite as much contextual decision-making. These are the types of measures that can benefit from more automated AP controls.
Manual controls may be resource-intensive, requiring more time and labour.
Further, they carry a higher risk of human error and are more vulnerable to malicious actors who want to bypass your controls and defraud your company. Traditional, analogue AP processes haven’t changed all that much over the past few decades, so it’s little surprise that threat actors are more familiar with how your manual controls function — and are therefore more capable of circumventing them.
For certain objectives, manual controls are also simply not as effective as automated controls. There’s often a misconception that the more manual controls an organisation has in place, the safer they are. Unfortunately, this doesn’t always play out in reality.
For instance, when a payment approver checks a payment line item against an invoice to ensure the BSB and account details are accurate, this doesn’t help detect fraudulent invoices. Along with being labour-intensive, it won’t always be effective at preventing some of the more serious risks of fraud.
Along with that inefficiency is the risk of cutting corners. Many organisations have controls that are effective, in theory, but are able to be curtailed or skipped in practice. For example, even hardworking and meticulous employees may skip reviewing every detail of every line item when they make payments, especially during busy periods or toward the end of a long day. Discrepancies can easily slip through the cracks despite the fact that someone is technically reviewing the items.
Lastly, highly manual or repetitive tasks can take a toll on employee morale, not to mention the additional costs to your organisation. Automating those tasks can free employees to prioritise higher-value work, while the organisation can save costs — a win-win.
Especially as technology continues to reshape the cyber-threat landscape, finance and AP leaders increasingly need to look at manual controls with a critical eye.
However, where individual judgement and discretion are necessary, manual controls are indispensable. They also have a role to play in monitoring automated controls to make sure they’re functioning as intended.
Setting up and calibrating your automated controls may take a bit more time in the very beginning, but you could end up saving your AP team countless hours of work in the long run. Importantly, they can also align with your segregation of duties policies by restricting access to critical data on a need-to-know basis.
Automated controls are better suited for circumstances where there are high volumes of transactions, all of which are similar in nature.
Think of it this way. When there are many simple decisions to be made, such as whether to process a payment after cross-checking supplier payment details, automated controls are better. When there are a few complex or multi-faceted decisions to be made, then manual controls are better.
There will always be exceptions, but it’s a general rule of thumb that can help you find the right mix between manual and automated controls.
It’s essential to bring together all relevant internal stakeholders to develop, implement, maintain, and adjust internal controls that meet the organisation’s unique needs. For the AP team, relevant stakeholders will likely include the CFO, Accounts Payable manager, and Internal Auditor. Other stakeholders may include the Chief Risk Officer or the Chief Information Security Officer.
The key is to start with clear policies, procedures, and processes in place. Equally important is ensuring every member of your AP team understands what you’re trying to achieve with your internal control activities, and the vital role each of them plays in protecting the organisation.
You’ll also want to evaluate your tech stack to make sure you have the necessary tools and systems for setting up automated controls. For instance, solutions like Eftsure help automate supplier verifications, payment processing, and onboarding new suppliers, adding an additional layer of security while removing some of the more manual elements of financial controls.
Phishing attacks that contain suspicious links can pop up at any time, whether you’re at work, on your personal email account, or …
In a world increasingly dependent on digital platforms, you may wonder how likely it is that you’ll fall victim to a scam.
Accounting problems are issues that create a material financial statement error, hide fraud due to poor internal controls, stray from Generally Accepted …
End-to-end B2B payment protection software to mitigate the risk of payment error, fraud and cyber-crime.
