Internal Controls

What internal controls are, how they apply to accounts payable specifically, and why the absence of basic AP controls creates measurable financial risk for Australian small businesses.

Internal controls are the policies, procedures, and systems a business puts in place to protect its assets, ensure the accuracy of its financial records, and prevent or detect fraud and errors. In the context of accounts payable, internal controls are the rules and checks that govern how supplier invoices are received, validated, approved, and paid.

The term sounds formal, but the underlying concept is simple: internal controls are the things you do to make sure money goes to the right place for the right reasons with the right authority. A business with no internal controls processes invoices based entirely on trust: trusting that suppliers invoice correctly, trusting that employees approve appropriately, and trusting that payments go where they are intended. Controls replace trust with verification.

The main categories of AP internal controls

AP internal controls fall into three categories. Preventive controls stop errors and fraud from occurring in the first place. Detective controls identify errors and fraud after they have occurred. Corrective controls fix problems once they have been detected.

Preventive controls in AP include: requiring purchase orders before goods are ordered, segregating the duties of invoice entry and invoice approval, requiring dual authorisation for high-value payments, verifying supplier bank details before adding them to the vendor master, and configuring approval workflows with explicit thresholds and routing rules.

Detective controls include: bank reconciliation (which identifies payments that do not match expected transactions), supplier statement reconciliation (which identifies discrepancies between the supplier's records and the business's), periodic audits of the vendor master, and duplicate invoice checks that compare all invoices processed within a time window.
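As an added illustration (not part of the original glossary entry or of any product's code), the duplicate invoice check described above could look like this in Python. The record fields, the 90-day default window, the matching rules and the sample invoices are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Invoice:  # hypothetical record layout for this example
    supplier_id: str
    number: str
    amount_cents: int
    processed: date

def normalise_number(number: str) -> str:
    """Collapse formatting variants so 'INV-0042' and 'inv 42' compare equal."""
    cleaned = re.sub(r"[^A-Z0-9]", "", number.upper())
    return re.sub(r"(?<!\d)0+(?=\d)", "", cleaned)  # drop zero padding only

def find_duplicates(invoices, window_days=90):
    """Return (earlier, later, reason) for suspect pairs from the same supplier."""
    window = timedelta(days=window_days)
    by_supplier = {}
    for inv in sorted(invoices, key=lambda i: i.processed):
        by_supplier.setdefault(inv.supplier_id, []).append(inv)
    hits = []
    for group in by_supplier.values():
        for i, first in enumerate(group):
            for second in group[i + 1:]:
                if second.processed - first.processed > window:
                    break  # group is date-sorted, later invoices are further away
                same_no = normalise_number(first.number) == normalise_number(second.number)
                same_amt = first.amount_cents == second.amount_cents
                if same_no and same_amt:
                    hits.append((first, second, "same number and amount"))
                elif same_no:
                    hits.append((first, second, "same number, different amount"))
                elif same_amt:
                    # Lower confidence: recurring charges match too, so route to review.
                    hits.append((first, second, "same amount, different number"))
    return hits

# Constructed sample data, not real invoices.
SAMPLE = [
    Invoice("SUP-001", "INV-0042", 125000, date(2024, 3, 1)),
    Invoice("SUP-001", "inv 42", 125000, date(2024, 3, 18)),   # reformatted resubmission
    Invoice("SUP-001", "INV-0042", 125000, date(2024, 9, 1)),  # outside the 90-day window
    Invoice("SUP-002", "INV-0042", 125000, date(2024, 3, 2)),  # different supplier
    Invoice("SUP-003", "7781", 88000, date(2024, 3, 5)),
    Invoice("SUP-003", "7790", 88000, date(2024, 3, 20)),
]
```

The third SUP-001 invoice shows the limit of a fixed window: a resubmission that arrives after the window closes is not flagged, so the window length is itself a control setting to review.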

Corrective controls include: the process for raising credit notes when an error is discovered, the procedure for recovering funds from a mistaken payment, and the escalation path for investigating a suspected fraud incident.

Why internal controls matter for small Australian businesses

There is a common assumption in small business that internal controls are only necessary for large organisations with complex operations. The evidence does not support this. The ACCC data on business email compromise and payment fraud in Australia shows that small businesses are disproportionately targeted, precisely because they typically have fewer controls and less scrutiny over individual transactions than larger organisations.

A small business processing 100 invoices per month with no segregation of duties, no purchase order matching, and no supplier bank detail validation is carrying a level of fraud exposure that is real and measurable. The cost of implementing basic controls is low relative to the cost of a single successful fraud event, which in the Australian context averages in the tens of thousands of dollars.

Internal controls and the ATO

The ATO expects businesses to maintain records that support their tax reporting. This includes records of how payments were authorised, which supports the legitimacy of deductions claimed for business expenses. A business that has paid a fraudulent invoice and claimed the GST as an input tax credit may find that the ATO disallows the credit on the basis that the business lacked the controls to verify the legitimacy of the transaction.

Building basic AP internal controls is therefore not just a fraud prevention measure; it is also a compliance measure that supports the integrity of the business's tax reporting and reduces the risk of disallowed credits or deductions in an ATO audit.
