There's a certain kind of client every firm has. The books are immaculate. Everything coded, everything reconciled, filed a fortnight early, not a single query outstanding. If a colleague asked you to describe a model client, you'd describe this one.
And then one day you notice they've paid the same invoice twice. Or wired a deposit to a supplier that, when you actually look, nobody in the business seems to have checked. Or run a payment out through the bank that, had anyone asked you first, you'd have stopped.
None of it shows up as a problem, because none of it is a bookkeeping problem. The books did exactly what books do. They recorded what happened, faithfully, to the penny. What they didn't do, what they were never built to do, is tell you whether any of it should have happened in the first place.
That distinction is easy to miss, because for most of us accuracy and control have always travelled together. Get the books right and you've done the job. But a clean ledger and a controlled business are not the same animal, and once you've seen the difference in one client, you start seeing it everywhere.
Key takeaways
- Clean, reconciled books confirm that transactions were recorded accurately — they say nothing about whether each payment should have been approved in the first place.
- The control gap sits between approval and payment: a bill gets an informal yes, someone else pays it, and nothing on record ever connects the authorisation to the money leaving the account.
- Real-time payment rails like RTP and FedNow have shrunk the window to catch a bad payment to almost nothing — turning a long-overlooked weakness into a live client risk only the accountant, who sees the pattern across every client, is positioned to name.
Why clean books hide the problem
Bookkeeping looks backwards. That's the whole point of it. Its job is to capture what already happened, accurately and completely, so that everything downstream, the reporting, the tax, the compliance, has firm ground to stand on. Done well, it's the reason clients trust you with anything else.
But there's a quiet assumption buried in every ledger, which is that each transaction sitting in it was meant to be there. Reconciliation checks that the money moved the way the records say it moved. It has nothing to say about whether the payment should have been approved, or who approved it, or against what budget, or whether anyone with the authority to say no ever got the chance to. Those questions were settled days or weeks before the transaction ever reached you, usually by someone you never spoke to, often with no record that a decision was made at all.
So a business can have books you'd frame on the wall and still have almost no grip on what leaves its bank account. The two feel like the same virtue. One is about getting the record right after the fact. The other is about who gets to move money before it's gone — which is what financial control actually means.
What the gap looks like inside a real client
It's rarely dramatic, which is exactly why it goes unnoticed for years.
A bill arrives. Someone approves it, in an email, or a corridor, or a thumbs-up on a message thread. Then someone else, more often than not a different person entirely, logs into the banking portal and pays it. Nothing joins the two events. There is no thread running from "yes, pay this" to the payment itself, and if you went looking for who authorised it, the trail would go cold somewhere around the corridor.
Or there's no second person at all. One individual raises the bill, approves the bill, and pays the bill. In a small business that doesn't just feel normal, it feels efficient, right up until the morning it very much doesn't. That single-handed control has a name and a fix — how to set up segregation of duties for accounts payable — though that's a later post, not this one.
Or a supplier gets added to the payment run and paid, and nobody confirmed the bank details, or checked the entity was real, or matched it against anything at all. The payment clears. The books balance. It all reconciles beautifully. And nothing in that ledger entry so much as hints that a control failed, because as far as the record is concerned, nothing did.
These aren't unlucky exceptions. They're the ordinary condition of most small and mid-sized businesses running on QuickBooks Online or Xero. And they're invisible in the one place you spend most of your time looking.
You're the only one positioned to see the pattern
Here's what makes this yours rather than the client's to worry about.
Your client sees one business, their own, and from the inside it looks fine because it has always looked like that. You see fifty. Or two hundred. You watch the same gap surface in a construction firm, a dental practice, a nonprofit, and a software company growing faster than its processes can keep up, and at some point the obvious lands: this isn't one client being sloppy. It's structural. It's how businesses of this size work when nobody has told them otherwise.
And you're already standing right next to it. You're the one who spots the duplicate. You're the one who emails to ask whether they really meant to pay that. You have, without ever putting a name to it or an invoice against it, been doing the control work all along, quietly, unpaid, filed under "just part of the service."
Why it matters more now than it used to
Money leaves faster than it used to. Between ACH, same-day settlement, and the arrival of real-time rails like RTP and FedNow, the gap between a payment being triggered and a payment being gone for good has shrunk to almost nothing. The mistake you once had a day or two to catch is now cleared before lunch, and there is no undo button on money that has already landed in someone else's account.
At the same time, the work that used to fill your calendar is thinning out. Routine compliance is being automated and commoditised in front of us, and the clients who used to pay handsomely for it now expect it fast, cheap, and largely invisible. What they increasingly want instead is someone who will tell them what to do next, not just what already happened. The whole profession is being pulled away from record-keeping and toward something closer to advice.
Put those two shifts together and the control gap changes character. It was always there, and it was always easy to overlook, because the cost of it only showed up occasionally and after the fact. But faster money makes the downside land harder, and the move toward advisory makes the upside of closing it far more interesting. The thing you've been fixing for free is quietly becoming one of the more valuable things you could be doing for a client, at precisely the moment the rest of your work is getting harder to charge for.
So what do you do with it
You're left with something slightly awkward. You can see a weakness that runs through nearly every client you have, that none of them have asked you to fix, and that doesn't fit neatly into any line on your current engagement letter.
The instinct is to keep doing what you've always done. Catch it when you catch it, flag it when you spot it, and absorb the rest as part of the service. But the work you're already giving away for nothing might be the most valuable thing you're not selling, and it's worth asking why it sits in the "just part of the service" pile at all. That's where the next post picks up: the work you're already doing for free is a service.
See it in practice
See how ApprovalMax enforces approval controls automatically
A required approval path before any payment leaves the account — with a timestamped trail at every step.
See it in actionBook a demo