Processes

Evaluating internal controls: the role of pressure testing

Shanna Hall
8 Min
pressure-testing-controls

Financial leaders face an escalating risk of cyber-crime, with tactics becoming more and more sophisticated. As threats grow, there’s an equally fast-growing need for financial leaders to assess and update their internal controls on a regular basis.

When determining whether your organisation is vulnerable to cyber-crime and payment fraud, leaders need to ask themselves a blunt question: how robust are our financial controls, really? Are they updated to protect against rapidly evolving cyber-crime and digital fraudsters? And how do you know whether they’re sufficient, especially since many scams go undetected and unreported?

The uncomfortable truth is that fraudsters are always looking for new ways to circumvent your controls. Many of them have an in-depth understanding of financial processes and corporate structures, and they’re leveraging new technological advances like generative AI to deploy tactics that are increasingly scalable and sophisticated. But too many financial controls are designed for fraud tactics that predate cyber-crime and digital tactics.

The only way to know for sure whether your controls are adequate within this fast-evolving landscape? Pressure testing. It’s one of the best ways to assess how your controls actually perform in the face of a growing range of financial threats.

So let’s dive into what pressure testing looks like in accounts payable (AP), including how to implement it and why it’s important for securing your organisation against fraud, cyber-crime and error.

What is pressure testing?

In accounting, pressure testing is a process that evaluates the effectiveness of internal controls. It involves subjecting financial procedures and processes to simulated scenarios and testing their ability to withstand risks like fraud or cyber-attacks.

Financial leaders are responsible for overseeing financial operations and often conduct regular pressure tests as part of their responsibilities to ensure that effective control measures are in place. Pressure testing was widely introduced into the banking sector following the 2008 global financial crisis as a way to determine whether a bank had sufficient capital reserves to withstand major economic shocks, such as a deep recession or a financial market crash. The practice falls under the umbrella of auditing and compliance. The goal is to identify weaknesses in controls and processes, and then address them before an actual risk event occurs.

This sort of routine testing helps organisations know – and demonstrate to regulators – that they have strong internal controls in place. Pressure testing can happen in a variety of ways, performed by internal or external auditors. The process can be as structured as a formal audit or as casual as a CFO sending test emails from their own email account.

In some ways, pressure testing is similar to risk assessment. Whereas a risk assessment identifies potential risks and what sort of controls are needed, pressure testing is a little more focused on existing policies, processes and procedures. Pressure testing is also a bit similar to penetration testing, a cybersecurity practice in which “ethical hackers” hunt for vulnerabilities through simulated cyber-attacks.

Why Should Accounts Payable Conduct Pressure Testing?

The release of AS8001:2021, the standard issued by Standards Australia for fraud and corruption control, makes it clear that organisations should embrace pressure testing as a way to assess their controls’ effectiveness.

When pressure testing an AP function, auditors carry out certain actions to evaluate whether your policies, processes and procedures are working as intended. The goal is to determine whether or not, in a real-world scenario, your organisation would be able to identify and prevent potentially fraudulent activity.

Pressure testing also plays an important role in assessing risk tolerance. It enables financial officers to determine their organisation’s ability to absorb losses or overcome unforeseen events without significant disruptions to operations or finances. Throughout this process, financial leaders can identify areas that need additional safeguards, updates or contingency plans.

This is one of the most effective ways to determine whether your policies, processes and procedures are strong enough to defend against popular fraud tactics – especially digital ones.

  • Policies – Think of policies as the law that direct how individual employees, departments, or the entire organisation should operate. With clear, centralised policies in place, leaders can improve compliance, efficiency and visibility in day-to-day operations.

  • Processes – These build out policies by providing operational steps: who, what and when. Processes should be developed by management, including the AP manager, and detail which specific tasks need to be executed, who has responsibility for executing each specific task, and when each task needs to be executed.

  • Procedure – Whereas a process is a high-level overview, your organisation’s procedures are even more granular. Procedures outline the “how” of different processes, with step-by-step approaches for how each task needs to be executed. Because procedures tend to have the most direct impact on how employees carry out their responsibilities, many organisations seek input from staff when drafting their procedures.

Types of pressure testing activities in finance

There are multiple ways your organisation could undertake pressure testing to assess your anti-fraud controls.

  • Testers may send fictitious emails to your Accounts Payable team in which they spoof your organisation’s CEO or CFO and request an urgent payment be processed.
  • Testers may send fictitious emails to your Accounts Payable team in which they spoof one of your suppliers and request that banking details be updated.
  • Testers may deliberately send invoices with manipulated phone numbers to your Accounts Payable team to determine whether the necessary call-back controls are being adhered to.
  • Testers may deliberately send fake invoices to your Accounts Payable team for goods that were never ordered or delivered to determine whether 3-way matching is being adhered to.
  • Testers may deliberately send multiple invoices to your Accounts Payable team to determine whether duplicate invoice checking is taking place.
  • Testers may send invoices with false GST or ABN details to determine whether regulatory compliance checking is taking place.
  • Testers may phone your Accounts Payable team, pretending to be a supplier, and ask for their bank details to be modified.

types-of-pressure-testing-methods

These are just some of the pressure tests you can use when auditing your financial controls. You might need to adjust tactics based on your organisation’s processes, workflows and the specific risks that you’re more likely to face. This is where engaging with third-party auditors can be useful. We don’t know what we don’t know, but external specialists are usually in a good position to identify vulnerabilities or gaps that might otherwise get overlooked.

Four advantages of pressure testing for accounts payable

When undertaking regular pressure testing of your accounts payable function, you can expect a range of benefits.

What are they?

1) Stronger internal controls

Reviewing transaction processes, assessing document retention policies and evaluating segregation of duties policies are all key steps in understanding your vulnerabilities. It’s important to thoroughly examine each area to ensure that all bases are covered and vulnerabilities are identified.

Pressure testing identifies weaknesses and vulnerabilities in your internal controls so you can implement remediation measures that strengthen your resilience to an ever-shifting threat landscape. When reviewing processes, consider the following:

  • Are there any duplicate payments or transactions?
  • Are there any unauthorised transactions?
  • Is there proper documentation for all transactions?

When assessing document retention policies, ask yourself:

  • Is this sensitive information properly stored?
  • Who has access to this information?
  • How long does the company retail documents?

Finally, when evaluating your segregation of duties, consider:

  • Are there appropriate checks and balances in place?
  • Are employees assigned tasks beyond their skillset or authority level?
  • How is the policy enforced? Are there technical solutions that centralise rules and automate workflows?

By addressing these areas thoroughly during a pressure testing exercise, AP managers can identify potential weaknesses within their organisation’s internal controls.

2) Better protection against cyber threats

Conducting regular vulnerability assessments is a critical step in protecting against the cyber threats that your IT or security teams aren’t in a good position to mitigate – that is, the threats that primarily affect AP teams and financial processes.

Hackers and cyber-criminals know that your IT team can’t prevent risks like human error. For instance, even if a security team has successfully fortified an organisation’s infrastructure, systems and data against malicious actors, they can’t protect AP employees from scammers who’ve infiltrated a supplier’s systems or data. You’ll need to know if your internal controls are adequately protecting against these types of threats.

Plus, financial pressure testing can reveal any gaps in your broader cybersecurity defences, such as any areas that aren’t currently protected by multi-factor authentication or workflows that inadvertently reveal sensitive data to unauthorised employees. Pressure testing can help leaders know how to refine or adjust staff training, which is a crucial part of good security hygiene. Regular training sessions should cover topics such as recognising suspicious emails, creating strong passwords and avoiding phishing scams.

3) Enhancing staff awareness of fraud

When financial leaders conduct pressure testing, it’s a great opportunity to communicate the potential for scams and fraud.

Depending on the type of test you conduct, it can be a concrete example of the tactics that staff should be noticing. The greater their awareness, the likelier that staff can identify, thwart and report potentially fraudulent actions. In addition, routine pressure testing acts as a regular reminder to stay alert and keeps cyber-threats front-of-mind even during hectic periods.

Just remember that you’ll need measures in place to ensure your organisation doesn’t experience any actual loss of funds as a result of the testing activities.

4) Clearer risk tolerance

Defining acceptable levels of financial risk is crucial when assessing risk tolerance. Financial officers must identify the level of risk that their organisation can handle without compromising its financial stability. This involves determining the amount of loss that the organisation can bear and remain operational. Setting acceptable levels of financial risk will require weighing multiple factors, including industry standards, regulatory requirements and company objectives.

Analysing the potential impact of insufficient controls is another critical aspect of assessing risk tolerance. Internal controls are put in place to minimise risks and ensure accurate financial reporting. But weaknesses in your internal controls could leave an organisation vulnerable to fraud or errors that can seriously impact the bottom line.

How can Eftsure help?

Many organisations struggle to ensure their internal controls are fit-for-purpose. This is particularly so when those internal controls are supposed to protect the organisation from fraudulent activities that are constantly adapting to take advantage of potential vulnerabilities. Ensuring your internal controls are sufficiently robust requires ongoing monitoring and vigilance.

By embracing automated internal controls, you can leverage technology in a way that strengthens your policies, processes and procedures, thereby providing your organisation with a far more robust anti-fraud posture.

With Eftsure integrated into your AP processes, you benefit by having a technology-enabled layer of security that ensures that all outgoing funds are remitted to the right person. Irrespective of what tactics a fraudster may adopt to try and deceive your AP team, Eftsure centralises and ensures strong anti-fraud processes – without slowing down workflows.

accountants-segregation-of-duties
See how you can streamline and strengthen your financial controls.
Scammers are racing to find new ways to circumvent your controls. If your organisation is overly reliant on manual controls, you might be even more vulnerable to those scammers. See a demo of Eftsure and find out how you can quickly strengthen your anti-fraud controls.

Related articles

The new security standard for business payments

Eftsure provides continuous control monitoring to protect your eft payments. Our multi-factor verification approach protects your organisation from financial loss due to cybercrime, fraud and error.