Processes

Manual vs automated controls: which is better in Accounts Payable?

Niek Dekker
8 Min
manu

When implementing or designing financial controls within Accounts Payable (AP), every CFO should start by asking themselves this question: are our financial controls suitable for the cyber-threat environment of yesterday or today?

Adequate internal controls are a crucial pillar of anti-fraud and anti-cyber-crime strategies. Technology now enables us to automate all or part of the business processes that make up financial controls, which can be a critical efficiency during economic downturns and the rising costs of running an accounts payable team.

That doesn’t mean that every control can or should be automated, though. So let’s explore the pros and cons of manual vs automated controls.

What are internal controls?

In finance, internal controls are processes designed to ensure the integrity of financial and accounting information, foster accountability, safeguard assets, increase operational efficiency, and promote compliance with laws and regulations. Financial controllers, auditors, and accountants are primarily responsible for these controls, but all employees play a role in reducing financial risk and enhancing security.

Internal control objectives, as defined by COSO, fall into three categories: operations (efficiency and effectiveness), reporting (reliability and transparency), and compliance (adherence to laws). The five components of the COSO framework are control environment, risk assessment, information and communication, monitoring activities, and control activities. These components help organisations create, implement, and maintain effective internal controls to manage risks and ensure compliance.

The importance of robust financial controls

A KPMG survey found that, while many organisations are embracing digital transformation, nearly half of surveyed organisations’ internal control systems remain “patchy, undocumented, not automated and lacking clear ownership.”

Whether automated or manual, the risks of inadequate controls are too high to ignore, especially with cyber-crime rates on the rise. Without strong controls in place, your organisation could be more vulnerable to fraudsters and cyber-criminals — not to mention error and oversight.

Manual vs automated: understanding the different types

When evaluating manual versus automated financial controls, we’ll be considering controls that fall into the following three categories:

  1. Preventative controls, such as segregation of duties or payment pre-approvals, help lower the risk of fraud or error before it happens.
  2. Detective controls, such as monthly reconciliations or internal audits, help identify issues after the fact so that you can adjust processes and preventive controls.
  3. Corrective controls, like software patches or implementing a new control framework, help address systemic issues that could open the organisation to greater risks of fraud or error.

Find out more about the components of financial controls and the different types of internal controls.

Once we start examining the objectives of different controls, it’s clear that some of them aren’t good candidates for lots of automation. For instance, some corrective controls might require careful decisions and contextual reasoning, which means it shouldn’t be an automated task.

Across each different category, though, there are a number of highly manual, time-consuming tasks that don’t require quite as much contextual decision-making. These are the types of measures that can benefit from more automated AP controls.

Manual controls vs automated controls

Disadvantages of manual financial controls

Manual controls may be resource-intensive, requiring more time and labour.

Further, they carry a higher risk of human error and are more vulnerable to malicious actors who want to bypass your controls and defraud your company. Traditional, analogue AP processes haven’t changed all that much over the past few decades, so it’s little surprise that threat actors are more familiar with how your manual controls function — and are therefore more capable of circumventing them.

For certain objectives, manual controls are also simply not as effective as automated controls. There’s often a misconception that the more manual controls an organisation has in place, the safer they are. Unfortunately, this doesn’t always play out in reality.

For instance, when a payment approver checks a payment line item against an invoice to ensure the BSB and account details are accurate, this doesn’t help detect fraudulent invoices. Along with being labour-intensive, it won’t always be effective at preventing some of the more serious risks of fraud.

Along with that inefficiency is the risk of cutting corners. Many organisations have controls that are effective, in theory, but are able to be curtailed or skipped in practice. For example, even hardworking and meticulous employees may skip reviewing every detail of every line item when they make payments, especially during busy periods or toward the end of a long day. Discrepancies can easily slip through the cracks despite the fact that someone is technically reviewing the items.

Lastly, highly manual or repetitive tasks can take a toll on employee morale, not to mention the additional costs to your organisation. Automating those tasks can free employees to prioritise higher-value work, while the organisation can save costs — a win-win.

Advantages of manual financial controls

Especially as technology continues to reshape the cyber-threat landscape, finance and AP leaders increasingly need to look at manual controls with a critical eye.

However, where individual judgement and discretion are necessary, manual controls are indispensable. They also have a role to play in monitoring automated controls to make sure they’re functioning as intended.

Automated controls vs manual controls

Setting up and calibrating your automated controls may take a bit more time in the very beginning, but you could end up saving your AP team countless hours of work in the long run. Importantly, they can also align with your segregation of duties policies by restricting access to critical data on a need-to-know basis.

Advantages of automated financial controls

Enabling continuous controls monitoring Best-practice accounting requires continuous controls monitoring. For any AP team, it's essential to ensure that the data you've entered in your ERP system or vendor master file at the time of onboarding a supplier remains correct when it comes time to remit funds. Given that there might be lots of time between these two events, there will be plenty of opportunities for malicious insiders or external threat actors to manipulate the data. Continuous controls monitoring ensures that the data always remains correct and up-to-date. But, without some level of accounts payable automation, continuous controls monitoring can be challenging to implement effectively over long periods of time.
Avoid risks of manual spot checks In many cases, AP teams do a number of random manual spot checks before uploading an ABA payment file to the online banking portal. Spot checks are good but are by no means foolproof. Checking a handful of payment details when you may be processing hundreds of payments leaves you exposed to erroneous payments. Automatic controls can help you ensure that all payments are accurate at the time of processing, irrespective of the volume of payments.
Greater efficiency When an Accounts Payable team is responsible for processing hundreds if not thousands of invoices each year, it's a major challenge to ensure that all the data on every invoice is accurate. It can consume a large amount of resources, including time and many staff hours. Embracing automated controls can free your team to focus on other important priorities.
Greater security Increasingly, organisations are concerned about insider threats. One malicious employee with high-level privileges can manipulate data in your ERP or vendor master file. This can pave the way for internal fraud against your organisation. Often, it takes many months, if not years, to identify employees that engage in internal fraud, since an in-depth understanding of the organisation's inner workings can make them more adept at covering their tracks. They often know which manual controls are in place and understand precisely how to circumvent them. Automated controls can reduce this risk by limiting the access of individual staff members to data and systems. It's also important to note that insider threats aren't the only concern. Your team may be totally trustworthy, but allowing greater access than necessary can put your organisation at serious risk if an outside threat actor does manage to infiltrate your systems. Why leave a door unlocked if an employee doesn't actually need to use it?
Enhanced segregation of duties policies Every accounts payable department should have segregation of duties policies in place to reduce their risk of fraud and error. Automated controls help you enforce these policies because you can automatically limit staff access to systems on a need-to-know basis.
Greater cost efficiencies Even when the costs of implementing automated controls are higher than those of manual controls, automated controls tend to be much more cost-effective over time. Once an organisation embraces automated controls, it becomes easier and less costly to achieve continuous control monitoring and compliance obligations far more efficiently. Furthermore, automated controls require fewer staff hours, meaning your team can focus on other priorities and save you money.
Regulatory compliance Australian regulators are investigating ways to ensure organisations strengthen their internal controls. Over the coming months and years, it's likely that there will be additional reporting requirements to demonstrate that organisations have appropriate internal controls in place. Automated controls can help organisations achieve and demonstrate compliance with these sorts of regulatory requirements.

Disadvantages of automated financial controls

Automated controls are better suited for circumstances where there are high volumes of transactions, all of which are similar in nature.

Think of it this way. When there are many simple decisions to be made, such as whether to process a payment after cross-checking supplier payment details, automated controls are better. When there are a few complex or multi-faceted decisions to be made, then manual controls are better.

There will always be exceptions, but it’s a general rule of thumb that can help you find the right mix between manual and automated controls.

How do you implement an automated control process?

It’s essential to bring together all relevant internal stakeholders to develop, implement, maintain, and adjust internal controls that meet the organisation’s unique needs. For the AP team, relevant stakeholders will likely include the CFO, Accounts Payable manager, and Internal Auditor. Other stakeholders may include the Chief Risk Officer or the Chief Information Security Officer.

The key is to start with clear policies, procedures, and processes in place. Equally important is ensuring every member of your AP team understands what you’re trying to achieve with your internal control activities, and the vital role each of them plays in protecting the organisation.

You’ll also want to evaluate your tech stack to make sure you have the necessary tools and systems for setting up automated controls. For instance, solutions like Eftsure help automate supplier verifications, payment processing, and onboarding new suppliers, adding an additional layer of security while removing some of the more manual elements of financial controls.

Want to reevaluate some of your controls and ensure they're up to scratch?
Check out our call-back control procedure template to make sure your team is performing this critical financial control the right way.

Related articles

The new security standard for business payments

Eftsure provides continuous control monitoring to protect your eft payments. Our multi-factor verification approach protects your organisation from financial loss due to cybercrime, fraud and error.