
Seven myths about internal control policies and procedures

Niek Dekker

Internal controls are essential for maintaining your organisation’s financial integrity and help ensure that you meet critical regulatory obligations.

But having lots of controls doesn’t guarantee that you have stronger security.

According to the internal control trends report, the proportion of “high-risk” control deficiencies increased from 5.9% to 8.2% in 2020-2021. With the threat landscape changing rapidly, leaders need to reevaluate and update internal controls – or potentially open their organisations to higher risks of cyber-crime, fraud or reputational damage.

To help you implement effective controls and safeguard your financial assets, let’s look at – and dispel – seven myths about internal control policies and procedures.

Myth #1: Internal controls are only necessary for large businesses

Small businesses generally rely on manual controls, whereas larger enterprises use a mix of internal controls. Despite the benefits of automated controls, 84% of small businesses still rely on manual processes.

But internal controls definitely aren’t just for large businesses.

Internal controls are integral for all types of businesses, including small businesses. Of course, controls might sometimes look different in smaller organisations, since they should be designed according to your company’s size and structure. By having the right controls in place, you can mitigate the risk of financial loss and improve accuracy in financial reporting.

Myth #2: Internal controls are too expensive

Another common misconception is that it’s too costly to implement internal controls.

But the cost of implementing internal controls should be viewed as an investment in the company’s long-term success. The cost of not having internal controls can be much more significant, especially when calculating the cost of a data breach.

You can also minimise the cost of controls through standardisation and automation. According to a KPMG analysis, “creating a cost-effective control environment requires an effective use of automation.”

Myth #3: Internal controls stifle creativity and innovation

Sometimes there’s a perception that internal controls can discourage creative or new ways of approaching problems. However, effective internal controls can actually promote innovation by providing a secure environment in which employees can take risks without fear of financial losses or fraud.


Myth #4: Internal controls are only for some departments

Internal controls aren’t just for accounting departments. All operations need to have guardrails that keep the business running securely and efficiently.

It’s difficult to create or drive an effective cyber-crime strategy if you aren’t aligning your financial controls with your IT or security team’s approaches. That’s why it can be helpful to assess internal control activities across an entire organisation rather than within silos.

Myth #5: Internal controls guarantee 100% prevention of fraud

Internal controls can significantly reduce the risk of fraud, but they can never guarantee 100% prevention. For instance, financial controls often don’t protect against internal fraud or business email compromise (BEC) attacks, in which fraudsters impersonate senior executives to deceive your accounts payable team into providing login credentials.

This type of cyber-crime has featured prominently in the news, for example in the Facebook and Google BEC scam. It’s essential to have a robust fraud prevention plan in place to detect and mitigate any fraudulent activity.

We explore in depth five reasons why internal controls sometimes fail.

Myth #6: Manual controls are more effective than automated controls

When there are lots of manual controls in place and lots of steps for employees to take, it can feel like you’ve done everything possible to protect yourself. But many of these manual controls aren’t capable of catching the newer, more digital approaches of cyber-criminals – plus, manual controls often look good on paper yet aren’t always followed in reality.

We’ll take it one step further: not only are you not safer, but the more manual controls there are, the more opportunities there are for human error. For example, a mistake in data entry or a misplaced decimal point could cause significant financial issues, regardless of how many manual controls are in place.

While manual financial controls are certainly effective against certain types of risks, relying solely on manual controls isn’t enough to protect against the modern threat landscape.

Read more about weighing manual controls versus automated controls.

Myth #7: The more controls you have, the more secure your organisation is

For several reasons, implementing more controls doesn’t necessarily make your organisation more secure. Firstly, too many internal controls can create a labyrinthine system that actually increases the chances of errors or omissions.

This sort of overly complex system might increase the odds that an employee undermines the controls, whether intentionally or unintentionally. When it comes to financial controls, it’s quality that counts, not quantity.

It’s also important to note that internal controls can only address the risks that have been identified and may not be enough to address every single possible security threat.

The truth about security

Setting up effective internal controls is a significant challenge for any organisation. If the controls are too strict, they can hinder productivity. If they’re too lenient, they can leave you vulnerable to financial losses due to fraud or errors.

A strong set of policies and procedures is a good starting point for an effective control system. The separation of duties and detective controls should be implemented. Internal auditors can be useful in this case to ensure that controls are strong and business practices align with your internal control system.

That’s why it’s crucial to assess your current financial controls against gaps in other teams and the reality of rising cyber-crime rates. For instance, technology like Eftsure’s solution can step in when internal controls fail, or when controls in other teams aren’t enough to prevent fraud attempts.

Effective controls depend on a multi-faceted approach that considers people, processes and technology. Is your organisation’s approach up to scratch?
