Here is a number that should bother every finance leader. Organizations lose about 5% of their revenue to fraud every year, and more than half of those cases trace back to missing or overridden internal controls (ACFE, 2024 Report to the Nations). The median loss per case was $145,000.

Internal financial controls are how you stop that leak. They are the checks that govern how money moves through your business, and they work in two directions: the money going out through accounts payable, and the money coming in through accounts receivable. Most guides on this topic only cover the spending side. That is a mistake, because the money-in side leaks just as quietly.

This article explains what internal financial controls are, the three types that matter, and how to apply them across both AP and AR. It is built on current data, and on what we see across the 11.62 million bills that ran through ApprovalMax in 2024.

Key takeaways

  • Organizations lose an estimated 5% of annual revenue to fraud, and weak or overridden internal controls are present in more than half of all cases, with a median loss of $145,000 per case (ACFE, 2024).
  • Internal financial controls fall into three types — preventive (approval thresholds, segregation of duties), detective (reconciliations, aging reviews), and corrective (clawbacks, policy fixes) — and a resilient system needs all three.
  • Controls that depend on someone remembering to check fail at the exact moments that matter most; building approval rules, duplicate detection, and audit trails directly into the workflow is what makes them hold up under pressure.

What are internal financial controls?

Internal financial controls are the policies and checks a business uses to ensure money is spent, collected, recorded, and reported correctly. They fall into three types: preventive (approval thresholds, segregation of duties), detective (reconciliations, aging reviews), and corrective (fixing an issue after the fact). Missing or overridden controls appear in over half of fraud cases, with a median loss of $145,000 per case. Strong programs apply all three across both accounts payable and accounts receivable.

Internal financial controls are the policies, procedures, and checks that make sure money is spent, collected, recorded, and reported correctly. They protect your assets, keep your numbers accurate, and make audits straightforward.

Most auditors map controls to the COSO Internal Control Framework, which groups them into a control environment, risk assessment, control activities, information and communication, and monitoring. In plain terms, that means three things. Knowing who can authorize what, checking transactions before and after they happen, and keeping a clear record of every decision.

The key word is internal. These are the controls you design and run yourself, not the external audit that checks them once a year.

$145,000
median loss per fraud case, ACFE 2024
More than half of fraud cases trace back to missing or overridden internal controls — the gap this article is built to close.

Why internal financial controls matter

Weak internal financial controls rarely cost you in one visible event; the cost compounds quietly until it shows up in your cash position or your audit.

On the money-out side, the data is stark. The ACFE found that asset misappropriation appeared in 86% of fraud cases, and corruption in 48%, with a median loss of $200,000 per corruption case (ACFE, 2024). Manual processes make these easier to hide, because no one is checking consistently.

On the money-in side, the leak is late or lost cash. In 2025, 47% of B2B invoices in North America were paid late (Atradius, Payment Practices Barometer 2025), and the median days sales outstanding across industries sat around 56 days. The Hackett Group estimated an 18-day DSO gap between top performers and the median, worth roughly $600 billion in trapped working capital (Hackett Group, 2025 Working Capital Survey).

47%
of B2B invoices in North America paid late in 2025, Atradius
Median days sales outstanding sits around 56 days industry-wide — the money-in leak costs just as much as AP fraud, just more quietly.

The three types of internal financial controls

There are three types of internal financial controls: preventive, detective, and corrective. A healthy system uses all three, because each one catches a different problem.

Preventive controls stop a problem before it happens. Approval thresholds, segregation of duties, and credit checks are preventive. They are the most valuable, which is why the ACFE finding matters so much: when more than half of fraud cases involve missing controls, the gap is almost always preventive.

Detective controls find problems after the fact. Reconciliations, exception reports, and aging reviews are detective. They are your safety net for anything that slips through.

Corrective controls fix the issue and close the gap. A clawback on an overpayment, or a policy change after an incident, are corrective. Their job is to make sure the same thing cannot happen twice.

Internal controls over money going out (accounts payable)

Money going out is where most spend risk lives. These controls sit across the accounts payable process, from the moment a cost is committed to the moment it is paid and reconciled. Our guide to accounts payable controls covers the full set.

Approval and authorization controls

Every payment should be authorized by the right person before it is made. Rules-based routing sends each invoice or purchase to the correct approver based on amount, department, or vendor. This is also where the efficiency case lives: best-in-class AP teams using automation cut invoice cycle time to 2.9 days, against an industry average of 8.2 days (Ardent Partners, State of ePayables 2025).

Clear automated approval workflows also create a record of who approved what and when. Across ApprovalMax, a new bill enters a workflow every 2.72 seconds, and 25% are approved within two hours. Speed and control are not opposites when the control is built into the flow.

Segregation of duties

No single person should be able to raise, approve, and pay the same transaction. Splitting these steps removes the easiest route to internal fraud and error, and it is one of the first things an auditor checks.

In practice, the person entering a bill is not the person approving it, and neither one releases the payment. Our walkthrough on segregation of duties for accounts payable shows how to set this up without slowing the team down.

Payment and fraud controls

Outgoing payments need their own checks. Duplicate detection across invoice numbers and amounts stops you paying the same bill twice. Flagging changes to vendor bank details catches one of the most common fraud tactics, since invoice and payment fraud often start with a quiet change of account details.

These checks should run automatically, not depend on someone remembering to look. When they are built into the workflow, they protect every payment by default.

Budget and delegation controls

Spend should be checked against budget at the point of decision, not discovered at month end. Tying purchase orders to budgets gives you that early warning, as we explain in purchase orders vs budgets.

A delegation of authority policy sets who can approve what, and up to which limit. Our guide on how to establish a delegation of authority policy covers how to define and document it.

Internal controls over money coming in (accounts receivable)

Controls do not stop at money out. Revenue you cannot collect is not really revenue, and the numbers above show how much is at stake. Accounts receivable controls protect the value you have already earned.

Credit and customer onboarding controls

Decide who gets credit, and how much, before you ship or deliver. A credit check and an approval step for new customers or higher limits prevents bad debt later. With 47% of North American B2B invoices paid late in 2025, the customers you extend terms to are the single biggest driver of your DSO.

Set credit limits in writing and review them as relationships change. The point is to make the decision deliberate, not automatic.

Invoicing and revenue recognition controls

Invoices should go out accurately and on time, because billing errors delay payment and damage trust. Controls here include checking prices, quantities, and tax before an invoice is sent, plus consistent revenue recognition rules that keep reported income accurate.

A second review on large or unusual invoices catches mistakes before they reach the customer. Small checks here protect both cash flow and your numbers.

Collections and reconciliation controls

Track what is owed and act on it early. An accounts receivable aging report is a detective control that shows which invoices are overdue and by how much, so collections become routine rather than a scramble.

Reconcile receipts against invoices regularly so nothing is missed or misapplied. Watching the right accounts receivable KPIs, like DSO, tells you whether your controls are working. For teams short on capacity, accounts receivable outsourcing is one way to keep these controls consistent.

The real reason internal controls fail

Here is the insight most articles miss. Internal controls rarely fail because they are missing on paper. They fail because they are not applied the same way every time.

A control that depends on a busy person remembering to check is not really a control. It works on a quiet Tuesday and breaks at month end, when an approver is on leave, or when a payment is urgent. That inconsistency is the gap fraud and error walk through, and it is why the ACFE keeps finding weak controls behind half of all cases.

The fix is to move controls from policy into the workflow, so they cannot be skipped. That is the difference between writing down a rule and enforcing it.

Internal financial controls examples: a checklist

Use this checklist to spot gaps across both sides of the ledger. For a broader walkthrough of financial controls beyond AP and AR, see our guide to essential financial controls for businesses.

Money out (accounts payable):

  • Approval thresholds for every purchase and invoice
  • Segregation of duties between entry, approval, and payment
  • Duplicate invoice detection
  • Vendor bank detail change verification
  • Purchase order to invoice matching (2-way and 3-way)
  • Budget checks at the point of approval

Money in (accounts receivable):

  • Credit checks and approved credit limits for new customers
  • Review of large or unusual invoices before sending
  • Consistent, documented revenue recognition rules
  • Scheduled aging report reviews
  • Regular reconciliation of receipts to invoices

Across both:

  • A complete, time-stamped audit trail for every transaction
  • Defined delegation of authority
  • Periodic testing that each control still works

How to implement internal financial controls in six steps

You do not need a finance transformation project to start. Work through these steps in order.

  1. Map your cash-in and cash-out processes. Write down every step from order to cash and from purchase to payment, and mark where money or commitments move.
  2. Define authority and approval thresholds in a delegation of authority policy.
  3. Separate duties so no one person controls a transaction end to end.
  4. Add preventive checks: duplicate detection, budget checks, credit limits, and bank detail verification.
  5. Make records audit-ready with a single, time-stamped trail for every approval and payment.
  6. Review and test each control on a schedule, and update it after any incident.

How automation enforces internal financial controls

Automation enforces internal financial controls by building each check into the workflow itself, so it runs on every transaction instead of depending on someone to remember it. That consistency is exactly where manual processes break down.

We built ApprovalMax to enforce internal financial controls inside the workflow, so they cannot be skipped. More than 19,000 businesses use it to control how money moves, and it processed over 11.62 million bills in 2024.

11.62M+
bills processed through ApprovalMax in 2024
A new bill enters an approval workflow every 2.72 seconds, and 25% are approved within two hours — proof that speed and control are not opposites.

On prevention, our audit and fraud control features run duplicate detection, flag vendor bank detail changes, and enforce coding rules at the point of approval. Our budget checking software shows the budget impact of a decision before it is approved, so overspend is caught early rather than explained later.

On the record side, every approval is captured with a time stamp, creating an audit trail that is ready by default. That reliability is why advisors named ApprovalMax Most Recommended by Advisors on Xero's 2024 app lists. For accounting firms, the effect is concrete: one practice, Le Contrôleur, moved client approvals out of email and cut monthly management reporting from a month to a week, while more than halving approval processing time.

Getting started is simple. Connect your accounting system, set your approval rules and thresholds, switch on the fraud and budget checks, and route your first transactions. Pricing is tiered for QuickBooks Online and Xero users, and a free trial is available.

Free trial
See how ApprovalMax enforces approval controls automatically
No credit card required. Works with Xero, QuickBooks Online, and NetSuite.
Start free trial Book a demo

Frequently asked questions

What are internal financial controls?

Internal financial controls are the policies and checks a business runs itself to ensure money is spent, collected, recorded, and reported correctly. They cover both accounts payable and accounts receivable.

What are the three types of internal financial controls?

The three types are preventive, detective, and corrective. Preventive controls stop problems before they happen, detective controls find them after the fact, and corrective controls fix the issue and prevent a repeat.

What are examples of internal financial controls?

Common examples include approval thresholds, segregation of duties, duplicate invoice detection, credit checks, aging report reviews, and regular reconciliation. A complete audit trail underpins them all.

Do internal financial controls only apply to spending?

No. Strong internal financial controls cover both sides of the ledger. Accounts payable controls protect money going out, and accounts receivable controls protect money coming in.

Why do internal controls fail?

Most controls fail not because they are missing on paper, but because they are not applied consistently. Building controls into a workflow, rather than relying on people to remember them, is what makes them reliable.

How do small businesses set up internal financial controls?

Start by mapping your cash-in and cash-out processes, then set approval thresholds and separate duties so no one person controls a transaction end to end. Add preventive checks and review them on a schedule.

Conclusion

Internal financial controls are not red tape. They are how you protect the money you spend and the money you are owed, and how you keep your numbers trustworthy.

The data is clear on the cost of getting this wrong, on both sides of the ledger. Start with clear approvals, separated duties, and checks on money in and money out. Then move those controls into the workflow so they hold up on your busiest day, not just your quietest one. See how automated approval workflows put your internal financial controls to work.

  • ACFE, Occupational Fraud 2024: A Report to the Nations
  • Ardent Partners, State of ePayables 2025
  • Atradius, Payment Practices Barometer 2025
  • The Hackett Group, 2025 Working Capital Survey
  • COSO Internal Control — Integrated Framework
approvalmax blog avatar

Written by

ApprovalMax

Product expert

ApprovalMax is a trusted Xero, Quickbooks and NetSuite partner who helps finance teams implement structured approval workflows and financial controls across the entire Money Out lifecycle - not just at the point of payment. 
LinkedIn