Evaluating internal controls: the role of pressure testing

What is pressure testing?

Pressure testing in accounting is a process that evaluates the effectiveness of internal controls. It involves subjecting financial procedures and processes to simulated scenarios and testing their ability to withstand risks like fraud or cyber-attacks. Pressure Testing was widely introduced into the banking sector following the 2008 Global Financial Crisis as a way to determine whether a bank had sufficient capital reserves to withstand major economic shocks, such as a deep recession or a financial market crash.

Pressure testing falls under the umbrella of auditing and compliance. The goal is to identify weaknesses in controls and processes, and then address them before an actual risk event occurs. Financial leaders are responsible for overseeing financial operations and often conduct regular pressure tests as part of their responsibilities to ensure that effective control measures are in place.

This sort of routine testing helps organisations know – and demonstrate to regulators – that they have strong internal controls in place. Pressure testing can happen in a variety of ways, performed by internal or external auditors. The process can be as structured as a formal audit or as casual as a CFO sending test emails from their own email account.
In some ways, pressure testing is similar to a risk assessment. Whereas a risk assessment identifies potential risks and what sort of controls are needed, pressure testing is a little more focused on existing policies, processes and procedures.

Pressure testing is also similar to penetration testing, a cybersecurity practice in which “ethical hackers” hunt for vulnerabilities through simulated cyber-attacks.

Why should accounts payable conduct pressure testing?

The recent release of AS8001:2021, the standard issued by Standards Australia for fraud and corruption control, makes it clear that organisations should embrace pressure testing as a way to assess their controls’ effectiveness.

When pressure testing an Accounts Payable function, auditors carry out certain actions to evaluate whether or not your policies, processes and procedures are working as intended. The goal is to determine whether or not, in a real-world scenario, your organisation would be able to identify and prevent potentially fraudulent activity.

Pressure testing also plays an important role in assessing risk tolerance. It enables financial officers to determine their organisation’s ability to absorb losses or overcome unforeseen events without significant disruptions to operations or finances. Throughout this process, financial leaders can identify areas needing additional safeguards or updates and can prepare contingency plans accordingly.

This is one of the most effective ways to determine whether your policies, processes and procedures are strong enough to defend against popular fraud tactics – especially digital ones.

• Policies – Think of policies as the law that direct how individuals employees, departments, or the entire organisation should operate. With clear, centralised policies in place, leaders can improve compliance, efficiency and visibility in day-to-day operations.

• Processes – These build upon the organisation’s policies by providing a high-level overview in terms of what, who and when. Processes should be developed by management, including the accounts payable manager, and detail what specific tasks need to be executed, who has responsibility for executing each specific task, and when each task needs to be executed.

• Procedures – Whereas a process is a high-level overview, your organisation’s procedures are more granular. Procedures outline the ‘how’ of different processes, with step-by-step approaches for how each task needs to be executed. Because procedures tend to have the most direct impact on how employees carry out their responsibilities, many organisations seek input from staff when drafting their procedures.

When pressure testing your Accounts Payable function, testers will carry out certain actions to ascertain whether or not your policies, processes and procedures are successfully operating as intended. The objective is to determine whether or not, in a real-world scenario, your organisation would be able to identify and prevent potentially fraudulent activity.

Types of pressure testing activities for accounts payable

There are multiple ways your organisation could undertake Pressure Testing to determine your ability to prevent fraud.

• Testers may send fictitious emails to your Accounts Payable team in which they spoof your organisation’s CEO or CFO and request an urgent payment be processed.
• Testers may send fictitious emails to your Accounts Payable team in which they spoof one of your suppliers and request that banking details be updated.
• Testers may deliberately send invoices with manipulated phone numbers to your Accounts Payable team to determine whether the necessary call-back controls are being adhered to.
• Testers may deliberately send fake invoices to your Accounts Payable team for goods that were never ordered or delivered to determine whether 3-way matching is being adhered to.
• Testers may deliberately send multiple invoices to your Accounts Payable team to determine whether duplicate invoice checking is taking place.
• Testers may send invoices with false GST or ABN details to determine whether regulatory compliance checking is taking place.
• Testers may phone your Accounts Payable team, pretending to be a supplier, and ask for their bank details to be modified.

These are just some of the pressure testing you can use when auditing your financial controls. You might need to adjust tactics based on your organisation’s processes and the specific risks that you’re more likely to face. This is where engaging with third-party auditors can be helpful. We don’t know what we don’t know, but external specialists can help you identify vulnerabilities or gaps that might otherwise get overlooked.

Four advantages of pressure testing for accounts payable

When undertaking regular pressure testing of your accounts payable function, you can expect a range of benefits.

What are they?

1) Stronger internal controls

Reviewing transaction processes, assessing document retention policies and evaluating segregation of duties policies are all key steps in understanding your vulnerabilities. It’s important to thoroughly examine each area to ensure that all bases are covered and vulnerabilities are identified.

Pressure testing identifies weaknesses and vulnerabilities in your internal controls so you can implement remediation measures that strengthen your resilience to an ever-shifting threat landscape. When reviewing processes, consider the following:

• Are there any duplicate payments or transactions?
• Are there any unauthorised transactions?
• Is there proper documentation for all transactions?

When assessing document retention policies, ask yourself:

• Is this sensitive information properly stored?
• Who has access to this information?
• How long does the company retail documents?

Finally, when evaluating your segregation of duties, consider:

• Are there appropriate checks and balances in place?
• Are employees assigned tasks beyond their skillset or authority level?
• How is the policy enforced? Are there technical solutions that centralise rules and automate workflows?

By addressing these areas thoroughly during a pressure testing exercise, AP managers can identify potential weaknesses within their organisation’s internal controls.

2) Better protection against cyber threats

Conducting regular vulnerability assessments is a critical step in protecting against the cyber threats that your IT or security teams aren’t in a good position to mitigate – that is, the threats that primarily affect AP teams and financial processes.

Hackers and cyber-criminals know that your IT team can’t prevent risks like human error. For instance, even if a security team has successfully fortified an organisation’s infrastructure, systems and data against malicious actors, they can’t protect AP employees from scammers who’ve infiltrated a supplier’s systems or data. You’ll need to know if your internal controls are adequately protecting against these types of threats.

Plus, financial pressure testing can reveal any gaps in your broader cybersecurity defences, such as any areas that aren’t currently protected by multi-factor authentication or workflows that inadvertently reveal sensitive data to unauthorised employees. Pressure testing can help leaders know how to refine or adjust staff training, which is a crucial part of good security hygiene. Regular training sessions should cover topics such as recognising suspicious emails, creating strong passwords and avoiding phishing scams.

3) Enhancing staff awareness of fraud

When financial leaders conduct pressure testing, it’s a great opportunity to communicate the potential for scams and fraud.

Depending on the type of test you conduct, it can be a concrete example of the tactics that staff should be noticing. The greater their awareness, the likelier that staff can identify, thwart and report potentially fraudulent actions. In addition, routine pressure testing acts as a regular reminder to stay alert and keeps cyber-threats front-of-mind even during hectic periods.

Just remember that you’ll need measures in place to ensure your organisation doesn’t experience any actual loss of funds as a result of the testing activities.

4) Clearer risk tolerance

Defining acceptable levels of financial risk is crucial when assessing risk tolerance. Financial officers must identify the level of risk that their organisation can handle without compromising its financial stability. This involves determining the amount of loss that the organisation can bear and remain operational. Setting acceptable levels of financial risk will require weighing multiple factors, including industry standards, regulatory requirements and company objectives.

Analysing the potential impact of insufficient controls is another critical aspect of assessing risk tolerance. Internal controls are put in place to minimise risks and ensure accurate financial reporting. But weaknesses in your internal controls could leave an organisation vulnerable to fraud or errors that can seriously impact the bottom line.

How can Eftsure help?

Many organisations struggle to ensure their internal controls are fit-for-purpose. This is particularly so when those internal controls are supposed to protect the organisation from fraudulent activities that are constantly adapting to take advantage of potential vulnerabilities. Ensuring your internal controls are sufficiently robust requires ongoing monitoring and vigilance.

By embracing automated internal controls, you can leverage technology in a way that strengthens your policies, processes and procedures, thereby providing your organisation with a far more robust anti-fraud posture.

With Eftsure integrated into your AP processes, you benefit by having a technology-enabled layer of security that ensures that all outgoing funds are remitted to the right person. Irrespective of what tactics a fraudster may adopt to try and deceive your AP team, Eftsure centralises and ensures strong anti-fraud processes – without slowing down workflows.