Ryan Mer | Managing Director | eftsure Africa
Internal controls are an essential component of any financial management system. They help your organisation retain financial integrity, meet regulatory requirements, and compile the reports needed to improve the business.
These processes are especially crucial in accounts payable (AP) departments to manage financial transactions and ensure that payments are authorised, accurate and properly documented. Failure to do so may expose your organisation to fraud, theft, and other financial losses – not to mention the far-reaching consequences of reputational damage, regulatory violations, and inefficient operations.
But even with proper internal controls in place, many organisations are still at risk due to gaps in these processes. In a country like South Africa, with one of the highest cybercrime rates in the world, how can you make sure your internal controls stand up to the task?
Don’t rely on manual systems
Despite the world’s ever-growing reliance on automation, many businesses still use manual controls. But the more manual controls there are, the more opportunities there are for human error. Moreover, these controls aren’t always capable of catching the newer digital techniques used by cyber-criminals.
While manual financial controls certainly have their place, relying solely on them won’t protect against modern threats. That doesn’t mean you have to spend your annual budget on automated controls.
Controls look different in every organisation and you need to identify what works for yours – just make sure you’re covered from more angles and don’t only rely on manual processes.
Don’t overdo it
Adding more controls to secure your business can become a case of ‘too much of a good thing’. Too many internal controls can create a maze of red tape that increases the chance of errors or omissions and impedes efficiency. When it comes to financial controls, quality trumps quantity.
To streamline controls, start by evaluating your current financial processes and pinpointing areas of vulnerability. Then, prioritise which risks are the most likely to occur or could have the most impact if they do. This will allow you to create targeted control measures and allocate resources more efficiently.
Be fluid
Though staff should never override internal controls because they are annoying, not every conceivable scenario can be prepared for ahead of time. Judgement calls will be necessary at some point, and part of a good internal control system is being prepared for this, too.
You should ensure that management and staff have a strong understanding of the principles that underpin internal controls. This will help them know how to respond to unusual situations and make a call that still follows the ethos of the controls that are in place.
Put it to the test
Controls often look good on paper but then aren’t effective in practice – and fraudsters are on the lookout for such gaps. The only way to know whether your controls can stand up to the task is through pressure testing.
Subject your internal controls to simulated scenarios to test their ability to withstand risks like fraud or cyber-attacks. This will help you identify weaknesses and address them before it’s too late.
Third-party auditors can help you conduct such tests. These may include:
- Sending fake emails to your accounts payable team in which they pretend to be a manager requesting an urgent payment be made, to see how it is handled.
- Sending fictitious emails pretending to be a supplier requesting that banking details be updated.
- Sending fake invoices for goods that were never ordered, or multiple invoices for the same goods, to determine whether checks are sufficient.
Have other systems in place
Internal controls can significantly reduce risk, but they can never guarantee complete protection. Internal fraud and Business Email Compromise (BEC) attacks, for instance, are notoriously hard to prevent through in-house procedures only.
It’s essential to take a multi-layered approach to protecting your organisation. A technical security layer that ensures only authorised transfers are sent to authorised beneficiaries is essential. By embracing automated internal controls, you can leverage technology in a way that strengthens your policies, processes, and procedures, thereby providing your organisation with a far more robust anti-fraud posture.
With a solution integrated into your AP processes, for example, you benefit from a technology-enabled layer of security that verifies outgoing payments in real time, ensuring only approved funds are sent to the intended recipient. The question when it comes to risk mitigation, as always, is not whether you can afford to have the necessary preventative measures in place. You should be asking: can you afford not to?
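As an added example (not eftsure’s product and not code from this article), here is a minimal release-time check in Python that applies the controls the article names to a payment before it leaves AP: the beneficiary account must match the independently verified master record, recently changed bank details are held, an invoice already paid is blocked, and the payment must match an open purchase order. The supplier records, invoice numbers, hold period and dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass(frozen=True)
class Supplier:
    name: str
    account: str        # bank account on the independently verified master record
    verified_on: date   # when AP last confirmed the account with the supplier out of band
    changed_on: date    # when the account on the master record was last changed

@dataclass(frozen=True)
class Payment:
    supplier: str
    account: str        # account the payment run is about to send funds to
    invoice_no: str
    po_no: Optional[str]
    amount: float

# Constructed sample data (assumed, not real suppliers or accounts).
TODAY = date(2024, 3, 15)
HOLD_DAYS = 14          # assumed policy: changed details are held before the first payment

SUPPLIERS = {
    "Acme Stationery": Supplier("Acme Stationery", "ZA-111-222", date(2023, 6, 1), date(2023, 5, 20)),
    # Details changed three days ago via an emailed request and never re-verified:
    # the supplier banking-detail change pattern the article describes.
    "Bolt Logistics": Supplier("Bolt Logistics", "ZA-999-888", date(2022, 1, 10), date(2024, 3, 12)),
}
PAID_INVOICES = {("Acme Stationery", "INV-1001")}   # (supplier, invoice) pairs already settled
OPEN_POS = {"PO-55", "PO-56"}                       # purchase orders still open for payment

def check_payment(p: Payment) -> list[str]:
    """Return the control failures that block release; an empty list means release."""
    findings = []
    s = SUPPLIERS.get(p.supplier)
    if s is None:
        return ["beneficiary not on supplier master"]
    if p.account != s.account:
        findings.append("account differs from verified master record")
    if s.changed_on > s.verified_on:
        findings.append("bank details changed since last independent verification")
    if TODAY - s.changed_on < timedelta(days=HOLD_DAYS):
        findings.append("bank details changed within hold period")
    if (p.supplier, p.invoice_no) in PAID_INVOICES:
        findings.append("invoice already paid")
    if p.po_no not in OPEN_POS:          # a missing PO number also fails this check
        findings.append("no matching open purchase order")
    return findings
```

A payment passes only when every check is clear; any finding routes it back to a human approver rather than into the payment run.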
Related FAQs: Internal controls and cybercrime
Q: What is the role of internal controls in managing cyber risk?
A: Internal controls play a crucial role in managing cyber risk by establishing processes and procedures that help organisations detect, prevent and respond to cyber threats. These controls ensure that data protection measures are in place to mitigate the risks associated with cyber incidents.
Q: How does internal audit contribute to cyber security efforts?
A: Internal audit contributes to cyber security efforts by assessing the effectiveness of an organisation’s cybersecurity policies and practices. They provide assurance to senior management and the audit committee that adequate controls are in place to manage cyber risks and protect against data breaches.
Q: What are some common cyber threats that organisations face?
A: Organisations commonly face cyber threats such as phishing attacks, ransomware, data breaches and advanced persistent threats. These threats can compromise information security and disrupt business operations if not adequately managed through effective cyber security practices.
Q: How does risk management relate to internal audit and cyber resilience?
A: Risk management is closely related to internal audit and cyber resilience as it involves identifying, assessing and mitigating risks associated with cyber incidents. Internal auditors evaluate the risk management framework to ensure that the organisation is prepared to respond effectively to cyber threats and enhance its overall cyber resilience.
Q: What is the importance of an audit plan in the context of cybersecurity?
A: An audit plan is essential in the context of cybersecurity because it outlines the approach and scope of the internal audit function. It ensures that the audit office focuses on key areas of cyber risk, helping to secure regulatory compliance and enhance the organisation’s overall cyber security posture.
Q: What role do chief audit executives play in managing cyber risks?
A: Chief audit executives play a vital role in managing cyber risks by leading the internal audit function and ensuring that audits are conducted on cybersecurity controls. They provide insights to senior management and the board regarding the effectiveness of the organisation’s information security measures and any areas needing improvement.
Q: How can organisations ensure effective oversight of their cybersecurity efforts?
A: Organisations can ensure effective oversight of their cybersecurity efforts by establishing a robust audit committee and engaging internal auditors to regularly review and assess cyber security practices. This oversight helps maintain accountability and fosters a culture of continuous improvement in managing cyber risk.
Q: What is the significance of data protection in the context of cyber incidents?
A: Data protection is significant in the context of cyber incidents as it involves safeguarding sensitive information from unauthorised access and breaches. Effective data protection measures are essential for mitigating the impact of cyber attacks and ensuring compliance with regulatory requirements.