Manual vs Automatic: What are the best Internal Controls for Accounts Payable?
When designing and implementing Internal Controls in Accounts Payable, every CFO should start by asking themselves this question:
Are Manual or Automatic Internal Controls better for Accounts Payable?
In this blog we will examine Internal Controls, and the pros and cons of the different types of Internal Controls. This will help you can make an informed choice about whether Manual, Automatic or a combination of the two, best suits your organisation.
What are Internal Controls?
Internal Controls are the processes an organisation puts in place to mitigate a range of risks that can arise internally within the organisation. They are usually designed in accordance with guidance set down by the organisation’s board or senior management. The purpose of any organisation’s Internal Controls is to provide a strong level of assurance that the organisation’s goals and objectives will be met. In many cases, Internal Controls will also need to align with regulations or standards established by external parties.
Why are Internal Controls Necessary?
A recent survey conducted by KPMG found that whilst many organisations are embracing digital transformation, nearly half of the organisations’ Internal Controls remain “patchy, undocumented, not automated and lacking clear ownership.”
Failure to have the necessary Internal Controls in place may be leaving your organisation exposed to increased risk of fraud or error. This can result in very substantial losses, as well as irreparable damage to your corporate reputation.
What are Internal Controls in Accounts Payable?
Internal Controls are particularly important in Accounts Payable. After all, this is the department responsible for the outflow of funds from the organisation. It is critical that proper procedures are in place to ensure an organisation protects its assets, including financial assets.
According to CPA Australia, there are 7 goals when it comes to Internal Controls:
- Help align objectives of the business – to ensure thorough reporting procedures and that the activities carried out by the business are in line with the business’s objectives.
- Safeguard assets – ensuring the business’s physical and monetary assets are protected from fraud, theft and errors.
- Prevent and detect fraud and error – ensuring the systems quickly identify errors and fraud if and when they occur.
- Encourage good management – allowing the manager to receive timely and relevant information on performance against targets, as well as key figures that can indicate variances from target.
- Allow action to be taken against undesirable performance – authorising a formal method of dealing with fraud, dishonesty or incompetence when detected.
- Reduce exposure to risks – minimising the chance of unexpected events.
- Ensuring proper financial reporting – maintaining accurate and complete reports required by legislation and management, and minimising time lost correcting errors and ensuring resources are correctly and efficiently allocated.
Types of Internal Controls?
There are two primary types of Internal Controls every organisation should seek to implement:
Preventive Internal Controls
Preventive Controls are designed to help your organisation prevent fraud or errors. A good example would be Segregation of Duties. By having different members of your team responsible for different steps in the payment cycle, you can reduce the risk of internal threats, such as malicious staff manipulating invoice payment records. They will also help you identify any errors so incorrect payments are not distributed.
Detective Internal Controls
Detective Controls are designed to identify fraud or errors after the fact, so processes can be enhanced to ensure they don’t happen again. Audits are an important example of Detective Controls. When conducting an audit trail, the auditors will seek to reconcile processed payments with invoices and Purchase Orders. Reconciliation will help identify anomalies which can be investigated further to uncover gaps in Internal Controls that need remediating.
How to Implement Internal Controls?
Many organisations have found that mistakes in their Procure-to-Pay cycle can be very costly, both financially and in terms of the organisation’s reputation.
It is essential that every organisation bring together all relevant internal stakeholders to develop, implement, maintain and adjust Internal Controls that meet the organisation’s unique needs. For the Accounts Payable team, relevant stakeholders will likely include the CFO, Accounts Payable manager and Internal Auditor. Other stakeholders may include the Chief Risk Officer or the Chief Information Security Officer.
The key is to make sure you have clear policies, procedures and processes in place. Equally important is the need to ensure every member of your Accounts Payable team understands what you are trying to achieve with your Internal Controls, and the vital role each of them plays in protecting the organisation. Internal Controls that are not clear or are overly complex to follow will inevitably lead to breaches, raising the likelihood of monetary losses.
Manual Controls may be resource intensive, requiring more time and labour. However, they are indispensable when individual judgement and discretion are needed. Manual Controls also have a role to play in monitoring that Automatic Controls are working correctly. The challenge with Manual Controls is that they may be prone to error. Additionally, malicious insiders may deliberately bypass your Manual Controls.
Automatic Controls are ideally suited for circumstances where there are high volumes of transactions, all of which are similar in nature. Whilst setting up and calibrating your Automatic Controls may take some time to begin with, once up and running they can operate much more efficiently than Manual Controls. Automatic Controls reduce the risk that malicious insiders will bypass your controls. Importantly, they can also align with your Segregation of Duties policies, by restricting access to critical data on a need to know basis.
7 Benefits of Automatic Controls:
- Allows for Continuous Controls Monitoring
Best-practice accounting requires Continuous Controls Monitoring. For any Accounts Payable team, it is essential to ensure that the data you entered in your ERP or Vendor Master File at the time of onboarding a supplier remains correct when it comes time to remit funds. Given that there may be an extensive time lapse between these two events, there will be numerous opportunities for malicious insiders or external threat actors to manipulate the data. Continuous Controls Monitoring ensures that the data always remains correct and up to date. However, without Automatic Controls to assist you, Continuous Controls Monitoring can be challenging to implement effectively over long periods of time.
- Avoid Risks of Manual Spot Checks
In many cases, Accounts Payable teams undertake a number of random manual spot checks before uploading an ABA payment file to the online banking portal. Spot checks are good but are by no means foolproof. Clearly, checking a handful of payment details when you may be processing hundreds of payments leaves you exposed to many erroneous payments. Automatic Controls can help you ensure that all payments are accurate at the time of processing, irrespective of the volumes of payments.
- More Efficient
When an Accounts Payable team is responsible for processing hundreds, if not thousands, of invoices each year, it’s a major challenge to ensure that all the data in all those in invoices is accurate. It can consume a large amount of resources, including time and many staff hours. Embracing Automatic Controls can help you achieve significant efficiency dividends, freeing your team to focus on other important priorities.
- Help Ensure Controls Aren’t Circumvented
Increasingly, organisations are concerned about insider threats. One malicious employee with high-level privileges can manipulate data in your ERP or Vendor Master File. This can pave the way for internal fraud against your organisation. Often, employees it takes many months, if not years, to identify employees that engage in internal fraud, as they are adept at covering their tracks. They often know what Manual Controls are in place and understand precisely how to circumvent them. Automatic Controls can reduce this risk by limiting the access of individual staff members to data and systems that can be manipulated.
- Enhance Segregation of Duties
Every Accounts Payable department must have Segregation of Duties policies in place to reduce their risk of fraud and error. Automatic Controls help you enforce Segregation of Duties as you can limit staff access to systems on a need to know basis. By aligning your Segregation of Duties with your Automatic Controls, you have a much better chance of avoiding the risk of malicious insiders conspiring to defraud your organisation.
- More Cost Effective
Whilst the upfront costs of implementing Automatic Controls may be higher than Manual Controls, over time Automatic Controls tend to be much more cost effective. Once an organisation embraces Automatic Controls, they are able to meet their Continuous Control Monitoring and compliance obligations far more efficiently. Furthermore, Automatic Controls require far less staff hours, meaning your team can focus on other priorities and saving you money.
- Regulatory Compliance
Australian regulators are investigating ways to ensure organisations strengthen their Internal Controls. Over coming months and years, it is likely that there will be additional reporting requirements to demonstrate that organisations have appropriate Internal Controls in place. Embracing Automatic Controls is an ideal way to achieve and demonstrate compliance with such regulatory expectations.
How can eftsure help?
By integrating eftsure into your Accounts Payable processes, you will be embracing Automatic Controls to secure many steps in the Procure-to-Pay lifecycle.
eftsure helps automate your Internal Controls by:
- Maintaining an accurate and complete audit trail
- Strengthening your Segregation of Duties
- Providing an extra layer of defence against fraud or error
- Onboarding suppliers securely
- Enabling Continuous Controls Monitoring
- Checking ABN and other essential compliance details in real-time
- Verifying bank account information in real-time
- Ensuring only legitimate and accurate invoices are paid
- Disrupting fraud by aggregating data from multiple sources which increases awareness of potential threats
Contact us today for a no-obligation demonstration of the many ways eftsure can help your organisation embrace the benefits of Automatic Controls in an efficient and cost effective way.