Defining internal controls in Accounts Payable teams

Niek Dekker

A well-established internal control framework is a key component of a robust risk management strategy. But how can you determine if you have effectively designed controls in place?

According to the internal controls and governance 2022 report, 48% of all internal control deficiencies identified in 2021-2022 were repeat findings. The absence of adequate internal controls leaves an organisation vulnerable to a heightened risk of fraud and errors. And, in turn, those can lead to substantial financial losses and permanent reputational harm.

Want to evaluate the effectiveness of your internal controls? Let’s explore the important components, types and limitations.

What are internal controls?

The Committee of Sponsoring Organisations of the Treadway Commission (COSO) defines internal controls as “a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”

In other words, they’re an essential component of any financial management system, especially in the Accounts Payable (AP) function, which focuses on managing payments, tracking expenses and ensuring proper documentation.

For AP teams, financial controls play a critical role in maintaining the integrity of financial data and preventing fraud, errors and mismanagement. They provide a systematic and comprehensive approach to managing financial transactions and ensure that payments are authorised, accurate and properly documented.

Importance of internal controls in accounting

A recent survey conducted by KPMG found that while many organisations are embracing digital transformation, nearly half of the organisations’ controls remain “patchy, undocumented, not automated and lacking clear ownership.”

Failure to have the necessary internal controls in place may be exposing your organisation to increased risk of fraud or error.

This is especially critical in AP functions. After all, this is the department responsible for the outflow of funds from the organisation. It’s vital that proper procedures are in place to ensure an organisation protects its assets, including its financial assets. According to CPA Australia, there are seven objectives when it comes to internal controls:

  1. Help align objectives of the business: to ensure thorough reporting procedures and that the activities carried out by the business are in line with the business’s objectives.
  2. Safeguard assets: ensuring the business’s physical and monetary assets are protected from fraud, theft and errors.
  3. Prevent and detect fraud and error: ensuring the systems quickly identify errors and fraud if and when they occur.
  4. Encourage good management: allowing the manager to receive timely and relevant information on performance against targets, as well as key figures that can indicate variances from target.
  5. Facilitate action against undesirable performance: authorising a formal method of dealing with fraud, dishonesty or incompetence if detected.
  6. Reduce exposure to risks: minimising the chance of unexpected events.
  7. Ensure proper financial reporting: maintaining accurate and complete reports required by legislation and management, minimising time lost correcting errors, and ensuring resources are correctly and efficiently allocated.

Components of internal controls

The internal controls structure consists of five inter-related components:

| Internal control component | Description |
| --- | --- |
| Control environment | This component refers to the overall culture of the organisation, which includes management's philosophy and operating style, organisational structure, and the tone and priorities coming from top leadership. It sets the foundation for the effectiveness of the internal control system and helps ensure that everyone in the organisation understands the importance of following established policies and procedures. |
| Risk assessment | This component involves identifying and analysing potential risks to the organisation and determining the appropriate course of action to mitigate or manage those risks. This includes regular evaluations of the internal control system to ensure that it’s adequate and appropriate in light of any changes in the organisation. |
| Control activities | These are the policies and procedures designed to address risks and ensure that the organisation's goals and objectives are met. These activities might include segregation of duties, approvals, authorisations and reconciliations to help reduce the risk of errors, fraud and other less-than-ideal stuff. |
| Information and communication | This refers to the flow of information and communication processes within the organisation. It includes internal reporting and the dissemination of information to relevant parties to help ensure that the internal control system is operating effectively. |
| Monitoring | This component involves ongoing review of the internal control system to assess its effectiveness and identify any areas for improvement. This can include regular self-assessment and external audits. The goal of monitoring is to ensure that the internal control system is working as intended and that you can promptly identify and address any issues. |

Types of internal controls

There are several types of internal controls, including preventative controls, detective controls and corrective controls. Understanding the different types of internal controls is important in developing a comprehensive internal control system that effectively manages risk and promotes efficiency in an organisation.

The main controls we’ll be looking at are preventative, detective and corrective controls.

Preventative controls

Preventative controls help your organisation prevent fraud or errors. A good example is segregation of duties. By making different members of your team responsible for different steps in the payment cycle, you can reduce the risk of internal threats, such as the manipulation of invoice payment records. They’ll also help you identify any errors that could lead to incorrect payments.

Examples of preventative controls: 

  • Separation of duties
  • Pre-approval of actions and transactions
  • Access controls
  • Physical controls

Detective controls

Detective controls are designed to identify fraud or errors after the fact so that you can enhance processes to ensure they don’t happen again. Audits are an important example of detective controls. When conducting one, auditors will seek to reconcile processed payments with invoices and purchase orders. Reconciliation will help identify anomalies, which leaders can then investigate further to uncover any gaps that need remediating.

Examples of detective controls: 

  • Monthly reconciliations of departmental transactions
  • Reviews of organisational performance
  • Physical inventories

Corrective controls

Corrective controls play a crucial role in maintaining the integrity of the accounts payable process and reducing the risk of fraud. They help to ensure that the accounts payable team is following best practices and that you can address any potential problems, reducing the risk of financial loss and damage to the organisation’s reputation.

Examples of corrective controls: 

  • Disciplinary action
  • Report filing
  • Software patches
  • New policies

Consequences of weak internal controls

From losing face with partners to losing cold hard cash, weak internal controls can lead to serious consequences for an organisation. Here are some of the biggest ones.

Fraud

Weak internal controls can leave an organisation vulnerable to fraudulent activities, such as embezzlement, theft and other financial crimes.

Financial losses

The lack of adequate controls can lead to errors, waste or mismanagement of resources, potentially resulting in significant financial losses.

Reputational damage

With ongoing supply chain disruptions and uncertainty, strong partnerships are more important than ever. Organisations need good relationships with their suppliers to help navigate circumstances or events that are outside the company’s control. But poor internal controls can damage an organisation’s reputation and relationships with suppliers, leading to loss of credibility and trust. And it might damage a supplier relationship right when you need it most.

Regulatory violations

Human error and even malicious external activity, like cyber-criminals or fraudsters scamming your AP team, can land organisations in hot water with regulators. Strong controls and procedures help you ensure you’re compliant with relevant regulations, and they can help you prove that compliance to external auditors and regulators.

Inefficient operations

Last but not least, inefficient or inadequate controls can cause double-up and wasted resources. Further, with the cost of AP team operations continuing to rise, you’ll want to make sure you’re keeping up morale and reducing the number of tedious manual tasks that AP staff need to perform. Smart, strong controls are important for keeping staff efficient and retaining talent within your organisation.

Key internal controls for fraud prevention

Every organisation will have different goals and circumstances, which means every control framework will look a little different. So it’s essential that every organisation bring together all relevant internal stakeholders to develop, implement, maintain and adjust internal controls that meet the organisation’s unique needs.

For the AP team, relevant stakeholders will likely include the CFO, AP manager and Internal Auditor. Other stakeholders might include the Chief Risk Officer or the Chief Information Security Officer.

The most common types of controls that prevent fraud from occurring include:

  • Segregation of duties
  • Physical asset control
  • Signatures

How Eftsure saved a leading engineering firm over $1m with strong controls

One of Eftsure’s customers is a large engineering and construction firm. Due to their diverse portfolio of services and products, they pay a substantial volume of invoices every month.

As a result, they recognised that they were at higher risk of fraud and error. This led them to rethink certain controls and how to update them in the face of rising cyber-crime rates.

Adding an additional layer of defence

Many organisations make valiant attempts to implement internal controls, but struggle when it comes to ensuring they’re actually effective. Often, controls look good on paper but aren’t always effective in practice. When a task slows down a process – and isn’t standardised or automated – it’s only human to cut corners or skip a step in order to get something over the line.

But cyber-crime rates are on the rise.

Cyber-criminals are continuously hunting for new ways to circumvent your controls and defraud your organisation – and rapidly evolving technology is giving them a leg up. There’s never been a more important time for CFOs and finance leaders to prioritise strong, robust accounts payable internal controls that protect against scammers and fraudsters.
