Internal controls are an essential component of any financial management system. They help your organisation retain financial integrity, meet regulatory requirements, and compile reports essential for improving the business.
These processes are especially crucial in accounts payable (AP) departments to manage financial transactions and ensure that payments are authorised, accurate and properly documented, says Ryan Mer, CEO of eftsure Africa, a Know Your Payee™ (KYP) platform and B2B payment fraud prevention platform provider.
“Failure to do so may expose your organisation to fraud, theft, and other financial losses – not to mention the far-reaching consequences of reputational damage, regulatory violations, and inefficient operations.”
But even with proper internal controls in place, many organisations are still at risk due to gaps in these processes. In a country like South Africa, with one of the highest cybercrime rates in the world, how can you make sure your internal controls stand up to the task?
Mer gives these essential tips:
Don’t rely on manual systems
Despite the world’s ever-growing reliance on automation, many businesses still use manual controls. But the more manual controls there are, the more opportunities there are for human error, says Mer. “Moreover, these controls aren’t always capable of catching the newer digital techniques used by cyber-criminals. While manual financial controls certainly have their place, relying solely on that won’t protect against modern threats.”
That doesn’t mean you have to spend your annual budget on automated controls. Controls look different in every organisation and you need to identify what works for yours – just make sure you’re covered from more angles and don’t only rely on manual processes, advises Mer.
Don’t overdo it
Adding more controls to secure your business can become a case of ‘too much of a good thing’. Too many internal controls can create a maze of red tape that increases the chance of errors or omissions and impedes efficiency.
When it comes to financial controls, quality trumps quantity, says Mer. “To streamline controls, start by evaluating your current financial processes and pinpointing areas of vulnerability. Then, prioritise which risks are the most likely to occur or could have the most impact if they do. This will allow you to create targeted control measures and allocate resources more efficiently.”
Be fluid
Staff should never override internal controls just because they are annoying, but not every conceivable scenario can be prepared for ahead of time. Judgement calls will be necessary at some point, and part of a good internal control system is being prepared for this, too.
Mer says you should ensure that management and staff have a strong understanding of the principles that underpin internal controls. “This will help them know how to respond to unusual situations and make a call that still follows the ethos of the controls that are in place.”
Put it to the test
Controls often look good on paper but then aren’t effective in practice – and fraudsters are on the lookout for such gaps. The only way to know whether your controls can stand up to the task is through pressure testing.
Subject your internal controls to simulated scenarios to test their ability to withstand risks like fraud or cyber-attacks. This will help you identify weaknesses and address them before it’s too late, says Mer.
Third-party auditors can help you conduct such tests. These may include:
- Sending fake emails to your accounts payable team in which the sender pretends to be a manager requesting that an urgent payment be made, to see how it is handled.
- Sending fictitious emails pretending to be a supplier requesting that banking details be updated.
- Sending fake invoices for goods that were never ordered, or multiple invoices for the same goods, to determine whether checks are sufficient.
Have other systems in place
Internal controls can significantly reduce risk, but they can never guarantee complete protection. Internal fraud and business email compromise (BEC) attacks, for instance, are notoriously hard to prevent through in-house procedures only.
“It’s essential to take a multi-layered approach to protecting your organisation,” warns Mer. “A technical security layer that ensures only authorised transfers are sent to authorised beneficiaries is essential. By embracing automated internal controls, you can leverage technology in a way that strengthens your policies, processes, and procedures, thereby providing your organisation with a far more robust anti-fraud posture.”
With a solution like eftsure integrated into your AP processes, for example, you benefit from a technology-enabled layer of security that verifies outgoing payments in real time, ensuring only approved funds are being sent to the intended recipient.
The question when it comes to risk mitigation, as always, is not whether you can afford to have the necessary preventative measures in place, says Mer. “You should be asking: Can you afford not to?”