Accounting software for small business in Australia is one of the most competitive software categories in the country. Xero, MYOB, and their competitors have built strong products. The marketing is good. The integrations are extensive. The dashboards look like control.
They are not control.
Xero and MYOB are recording tools. They capture what has already been approved, coded, and authorised. They do not determine whether those approvals should have happened, whether the supplier’s bank details are legitimate, or whether the same invoice has already been paid. That is a different layer entirely - and most Australian small businesses are running accounting software without it.
What accounting software actually does
Accounting software is the system of record. It stores transaction history, reconciles bank feeds, generates BAS, tracks profit and loss, and produces the reports that matter to accountants, shareholders, and the ATO. It does this well.
The operative word is “record.” By the time a transaction appears in Xero or MYOB, a series of human decisions have already happened: someone decided the invoice was legitimate, someone assigned the account code, someone confirmed the bank details, someone approved the payment. Accounting software records the outcome of those decisions. It does not make them, verify them, or prevent the wrong ones.
This distinction sounds abstract until something goes wrong.
Where the gap creates real exposure
Payment redirection fraud is the most direct example. According to the National Anti-Scam Centre’s Targeting Scams Report 2024, payment redirection scams cost Australian businesses AU$152.6 million in 2024 - a 66% increase from AU$91.6 million the year before. The mechanics are simple: an attacker sends an invoice with altered bank account details, often from a spoofed or compromised supplier email. The invoice looks identical to every other invoice from that supplier. A finance team member processes it normally. The payment goes to a fraudster’s account.
Xero does not prevent this. MYOB does not prevent this. Neither platform monitors supplier bank account details against historical records and flags when they change. That monitoring is a financial control. It lives upstream of the accounting system, in the AP process that feeds data into it.
Duplicate invoices are the lower-drama version of the same problem. A supplier resends an invoice after not receiving payment confirmation. A team member processes it. Both invoices reach the ledger and both get paid. The accounting software records two payments accurately - because they did happen. It had no mechanism to flag that the second one was a duplicate before it was approved.
According to DocuClipper’s accounts payable research, manual processing creates errors in 5 to 10% of invoices, most commonly duplicate payments, incorrect amounts, and wrong vendor codes. At 50 invoices a month, that is two to five errors per month reaching the ledger before anyone catches them.
The three controls accounting software cannot enforce
Approval hierarchy by dollar value. A financial control is the requirement that invoices above a certain threshold need approval from a specific role - the CFO signs off on payments over $20,000; a department head approves anything over $5,000. Xero and MYOB cannot enforce this. They have no concept of spending limits tied to user roles. Someone with bill payment access can approve and pay any invoice, regardless of value. That is not segregation of duties. It is shared access.
Vendor bank detail verification. Before any payment is made, a business with proper controls checks that the supplier’s bank account number matches the one on record. This check is manual in every accounting platform. It depends on someone remembering to do it, having access to historical records to compare against, and not being rushed. The fraudster’s advantage is that these conditions are often not met simultaneously.
Pre-approval duplicate detection. Catching a duplicate invoice after it has been paid requires a reversal, a conversation with the supplier, and bank recovery that may or may not succeed. Catching it before approval requires a system that checks incoming invoices against the existing bill register automatically. Accounting software checks against the ledger - which only contains what has already been posted, not what is in the queue.
These three controls describe the difference between a recording system and a controls system. The former is what businesses buy when they subscribe to accounting software small business australia platforms. The latter is what they discover they need when something goes wrong.
What the controls layer looks like in practice
A controls layer sits between invoice intake and the accounting system. It is the set of checks and processes that determine whether an invoice should reach the ledger at all.
For a small Australian business, this layer includes:
- Invoice capture with automated line-item coding based on supplier history, so that coding decisions are consistent rather than dependent on whoever is processing the queue that day
- GST treatment verified at line level, not guessed from the invoice total
- Vendor anomaly detection that compares incoming bank details against what is on record and flags discrepancies before approval
- Duplicate detection that checks incoming invoices against the full approval queue, not just the posted ledger
- Approval routing configured by dollar value and role, so the right people see the right invoices
Pulsify’s validation and exception review operates at this layer. It sits in front of Xero and MYOB, not on top of them. Invoices that pass through cleanly reach the accounting system already coded, matched, and approved. Invoices that trigger an exception are held for human review before they go anywhere.
The result is that what reaches the accounting system’s ledger has been through a structured process, not just a manual queue. The accounting software then does what it does best: records it accurately.
Why this layer is consistently missing
Small businesses make their accounting software decision early. They pick Xero or MYOB based on price, bank feed quality, BAS handling, and advice from their accountant. The controls question does not come up at that stage, because at 10 invoices a month it genuinely does not need to.
By the time the business reaches 50 invoices a month, has multiple suppliers, and has someone besides the founder reviewing payments, the accounting software is already embedded. The assumption hardens that the software is handling the whole problem. It is handling the recording problem. The controls problem is still manual.
According to DocuClipper’s 2024 AP research, 86% of SMBs still enter invoice data manually. That is a symptom of the same underlying issue: the tools businesses use for recording are not designed for the process management that should precede it.
Pulsify was built specifically for this segment - Australian businesses on Xero or MYOB that have outgrown a manual controls process without necessarily knowing they need a dedicated AP automation layer. For more on how the two layers interact, see what a modern accounts payable system needs to do in Australia and AP software: what finance teams need that Xero does not provide.
The accounting system is not the problem. The missing layer before it is.
Frequently Asked Questions
What is the difference between accounting software and financial controls?
Accounting software records transactions that have already been authorised and processed. Financial controls are the rules and checks that determine which transactions should be authorised in the first place. Xero and MYOB are recording tools. The controls layer - approval workflows, vendor validation, duplicate detection - is a separate function that sits upstream.
Does Xero have financial controls built in?
Xero includes basic user permissions and an Awaiting Approval queue but does not enforce multi-level approval chains, validate supplier bank details, detect duplicate invoices, or apply spending limits by role or dollar threshold. These are financial controls that require a dedicated AP automation layer on top of the accounting system.
What financial controls should Australian small businesses have for accounts payable?
The four most important AP controls for a small Australian business are: a documented approval chain with dollar-value thresholds, vendor bank detail verification before payment, duplicate invoice detection before entry, and segregation of duties so no single person both receives and pays an invoice. Most small businesses have none of these in place formally.
How do payment redirection scams target Australian small businesses?
Payment redirection scams work by sending a fraudulent invoice - or compromising a legitimate supplier’s email - and changing the bank account number. The invoice looks genuine. Without a system that monitors supplier bank details against historical records and flags changes, the business pays the fraudster’s account.