1. Introduction to Internal Controls Checklist Every Australian Business Should Have
Internal controls are the policies, procedures and system checks a business uses to prevent, detect and correct errors and fraud in its financial and operational processes. In practice, the Internal Controls Checklist that most small and medium-sized Australian businesses end up with is informal and incomplete: some controls were adopted in response to a particular incident or a manager's preference, others are assumed to exist but have never been tested, and gaps that would be immediately obvious to an experienced auditor have simply never been identified. The result is a business more exposed to fraud, error and compliance failure than its owners realise.
The Control Environment of a business, meaning the culture, tone at the top and commitment to integrity and accountability that govern how controls are designed and followed, is the base on which every specific control is built. A strong Control Environment means that people in the business understand why controls matter, follow them, and speak up when something looks wrong. A weak one means that controls which exist on paper are routinely circumvented because the culture tolerates it. Building effective Financial Control Systems therefore requires not only the right policies but also a culture that supports them.
This article is written for finance professionals, business owners and junior advisors who want to understand what a functional Internal Controls Checklist looks like, which controls are the highest priority in most Australian businesses, and how to evaluate and improve the control environment in a practical, structured way. The frameworks apply to businesses of any size and in any industry, and the lessons reflect patterns that internal auditors, external auditors and fraud investigators encounter consistently.
2. The Foundations of Internal Control
What internal controls are designed to achieve
Internal controls serve three overlapping goals: protecting assets against loss through fraud or error, supporting the reliability and accuracy of financial reporting, and meeting Audit and Compliance Controls requirements. Most Australian and international corporate governance guidance draws on the COSO Internal Control – Integrated Framework, which organises internal control into five components: the Control Environment, risk assessment, control activities, information and communication, and monitoring. For most SMEs the most practically significant of these is the Control Environment, because it determines whether the control activities are actually carried out.
- Preventive controls are designed to stop errors or fraud before they occur; examples include dual authorisation for payments above a specified limit, system access restricted to the functions each role needs, and identity verification before a supplier is onboarded.
- Detective controls are designed to find errors or fraud after they have occurred; examples include bank reconciliations, expense claim audits, inventory counts, and management review of financial reports.
- A robust system combines both: preventive controls stop most errors and fraud before they happen, and detective controls catch what gets through. Neither type alone is sufficient, because no preventive control is perfect and a detective-only system discovers losses only after they have occurred.
Segregation of Duties: the most important single control
Segregation of Duties is the principle that no individual should have end-to-end control over a financial transaction or process. In the classic formulation the three steps are authorising a transaction, recording it, and holding custody of the related asset; when one person controls all three, the risk of both undetected error and deliberate fraud rises sharply. A lack of Segregation of Duties is the weakness most frequently cited in investigations of SME fraud: small businesses often do not have enough staff to separate these duties properly, and so carry a fraud and error risk they may not fully appreciate.
3. Priority Control Areas and What Each Should Include
Financial Control Systems: cash, payments, and procurement
Cash and payment systems are the area of a business most exposed to financial loss, since most fraud cases originate here. The strongest controls in this area combine defined approval authorities, system-level access controls and frequent reconciliation.
- Payment approval: any payment over a specified threshold must be dual-approved; no one should hold unilateral authority to make a payment above that threshold without a second approver.
- Bank account access: the person who initiates online banking payments must not be able to add new payees without a separate approval step, and the payee list should be reviewed at least quarterly by someone independent of the person who initiates payments.
- Procurement: purchase orders must be required for all significant expenditure, and the person who raises a purchase order should not be the person who approves the corresponding invoice for payment.
Fraud Prevention Controls in payroll and expense management
Payroll fraud and expense reimbursement fraud are the two most common types of internal fraud in Australian SMEs. The Fraud Prevention Controls in these areas need to be specific and operationally implemented: a general policy against fraud, without specific controls that prevent or detect it, is not a control.

| Control Area | Specific Risk Control Measures | Who Should Own the Control | Common Control Gap |
|---|---|---|---|
| Payroll | Manager or HR review of payroll changes before processing; bank account number changes require written authorisation with secondary approval; payroll report reviewed by someone independent of payroll processing | HR manager and finance director jointly, independent of the payroll processor | Payroll changes processed by the same person who prepares the payroll; no secondary review of payroll runs before payment; ghost employees not detected |
| Expense claims | Receipts required for all claims above a threshold; claims reviewed by the claimant's direct manager; unusual patterns (high frequency, round numbers, consistent near-policy-maximum amounts) flagged for review | Direct manager reviews each claim; finance audits a sample of claims periodically | Claims approved by the manager who submitted them; no review for patterns; policy limits treated as claim targets rather than genuine expense caps |
| Supplier payments | New supplier onboarding requires proof of entity existence and bank account verification; changes to supplier bank details require secondary authorisation independent of accounts payable | Accounts payable and finance manager separately; procurement approval is separate from payment | Supplier bank details changed without verification; the accounts payable person both onboards suppliers and processes their payments |
| Petty cash | Petty cash fund reconciled weekly; supporting receipts required for all disbursements; fund balance counted by someone other than the custodian at least monthly | Finance team member independent of the custodian | Petty cash reconciled only when the fund runs low; no independent count; receipts not consistently maintained |
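As an added illustration of the detective checks in the expense claims row (example code written for this page, not anything from the original article), the following Python script runs the pattern rules over a small batch of constructed claims: self-approval, missing receipts above a threshold, amounts at or near the policy cap, round amounts, and high claim frequency. The policy caps, thresholds, field names and claim data are all assumptions chosen for the example; a real review would read the export from the business's own expense system.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Claim:
    """One expense claim as it might appear in an expense system export.

    The field layout is an assumption made for this example.
    """
    claim_id: str
    claimant: str
    approver: str
    category: str
    amount: float
    receipt_attached: bool


# Hypothetical policy settings (assumptions, not values from the article).
POLICY_CAP = {"meals": 50.00, "travel": 300.00}   # per-claim cap by category
RECEIPT_THRESHOLD = 25.00                          # receipts required above this amount
NEAR_CAP_RATIO = 0.90                              # flag claims at 90% of the cap or above
FREQUENCY_LIMIT = 3                                # flag claimants with more claims than this per batch

# Constructed sample batch; each line's comment notes the pattern it is meant to trigger.
SAMPLE_CLAIMS = [
    Claim("C001", "alice", "bob", "meals", 18.40, False),      # small, no receipt needed
    Claim("C002", "carol", "carol", "travel", 120.00, True),   # claimant approved own claim
    Claim("C003", "dave", "erin", "meals", 50.00, True),       # exactly at the cap
    Claim("C004", "dave", "erin", "meals", 49.00, True),       # just under the cap
    Claim("C005", "dave", "erin", "meals", 48.50, True),       # just under the cap again
    Claim("C006", "dave", "erin", "travel", 200.00, True),     # suspiciously round amount
    Claim("C007", "frank", "grace", "travel", 287.35, False),  # no receipt, near cap
]


def flag_claim(claim: Claim) -> list[str]:
    """Return the per-claim flags raised by the expense control rules."""
    flags: list[str] = []
    if claim.claimant == claim.approver:
        flags.append("self-approved")
    if claim.amount > RECEIPT_THRESHOLD and not claim.receipt_attached:
        flags.append("no receipt above threshold")
    cap = POLICY_CAP.get(claim.category)
    if cap is not None and claim.amount >= cap * NEAR_CAP_RATIO:
        flags.append("near policy maximum")
    # Round-amount heuristic: whole multiples of 50 from $100 upwards rarely
    # match a real receipt; the cut-offs are arbitrary choices for the example.
    if claim.amount >= 100 and claim.amount % 50 == 0:
        flags.append("round amount")
    return flags


def review_batch(claims: list[Claim]) -> dict[str, list[str]]:
    """Run the per-claim rules plus the batch-level frequency rule.

    Returns {claim_id: [flags]} containing only claims that raised at least one flag.
    """
    results = {c.claim_id: flag_claim(c) for c in claims}
    claims_per_person = Counter(c.claimant for c in claims)
    for c in claims:
        if claims_per_person[c.claimant] > FREQUENCY_LIMIT:
            results[c.claim_id].append("high claim frequency")
    return {cid: flags for cid, flags in results.items() if flags}


if __name__ == "__main__":
    for claim_id, flags in review_batch(SAMPLE_CLAIMS).items():
        print(f"{claim_id}: {', '.join(flags)}")
```

The point of the batch-level rule is that a single claim of $49 against a $50 cap looks innocent; it is the run of four near-cap claims from one person in one batch that an independent reviewer should see, which is why the script reports per batch rather than per claim.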
4. Five Key Internal Controls Every Australian Business Needs
The Internal Controls Checklist below highlights the five controls most consistently found to be absent or deficient in Australian SME businesses: payment authorisation, bank reconciliation, management account review, Segregation of Duties, and access management. Properly implemented, they address the highest-consequence risks. Each control is described at a level of specificity that makes it operational rather than aspirational.
Control 4, Segregation of Duties in the procure-to-pay cycle, is the most widely recognised of the five: most SMEs acknowledge it in principle but fail to implement it in practice, usually citing staff numbers as the limiting factor. Where genuine segregation cannot be achieved, the compensating control must be substantive: a monthly management review of all payments made by a single individual must actually take place, must cover a material sample of the transactions, and must be documented. A compensating control that exists as a written policy but is not executed does no good; it gives the appearance of control without the substance.
5. Process, Real Cases, and Lessons for Practitioners
The Internal Audit Process and Control Review Workflow
A good Internal Audit Process for an SME does not require a dedicated internal audit department. It requires a systematic, written assessment of whether the business's key controls are operating as intended. The four-phase workflow below reflects how this work is done in practice, whether by an internal team or by an external advisor conducting a control review.

| Phase | Activities |
|---|---|
| Phase 1: Control Mapping | Document all current controls in the Operational Controls Framework; identify the financial processes covered and the specific controls applied; map each control to the risk it addresses; identify Control Environment gaps |
| Phase 2: Control Testing | Test each documented control to verify it operates as described: review payment approval records, inspect bank reconciliations, verify access lists, interview the staff responsible for key controls in the Segregation of Duties framework |
| Phase 3: Gap Analysis & Remediation | Identify controls that are absent, not operating as documented, or insufficient for the risk they address; prioritise gaps by risk consequence; design and implement remediation actions with named owners and deadlines |
| Phase 4: Ongoing Monitoring & Review | Implement a Risk Monitoring System for key controls: define the frequency of control reviews; establish a reporting line for control failures; conduct a Governance Best Practices review annually or after material business changes |
Case 1: The payroll fraud that lasted three years
A professional services firm of 45 employees discovered that its payroll manager had been creating fictitious employees and diverting their pay to accounts the manager controlled. The fraud had run for more than three years before an incoming CFO uncovered it during a routine bank reconciliation. The total loss was estimated at around $340,000. The firm had no Segregation of Duties in its payroll process: the same person set up new employee records, ran payroll and reconciled the payroll bank account. There was no independent check of payroll changes or of payroll reports before payment. The Fraud Prevention Controls that did exist were purely preventive, with no detective element that would have flagged abnormal patterns in the payroll output, such as payees with no HR record or several employees paid into the same bank account. The lesson: Segregation of Duties in payroll is not optional, even on small teams, and where it cannot be achieved the compensating control, independent management review of payroll changes and reports, must actually be performed and documented.
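The detective element missing in this case can be illustrated in code. The following Python script, added here as an example rather than anything the firm in the case ran, compares a constructed payroll run against an HR master list and flags the patterns a ghost-employee scheme leaves behind: payees with no HR record, terminated staff still being paid, several payees sharing one bank account, payees whose account matches one belonging to payroll staff, and duplicate payment lines. The employee IDs, names, BSB and account strings and amounts are all constructed for the example, and the field layout is an assumption about what a payroll system exports.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PayrollLine:
    """One line of a payroll run; the layout is an assumption for this example."""
    employee_id: str
    name: str
    bsb_account: str   # Australian BSB plus account number, constructed values
    net_pay: float


# Constructed HR master list: employee_id -> (name, bank account on file, currently employed)
HR_MASTER = {
    "E001": ("Alice Ng", "062-000 1234567", True),
    "E002": ("Ben Ortiz", "062-000 2345678", True),
    "E003": ("Cara Singh", "062-000 3456789", False),  # left last month
}

# Constructed: bank accounts belonging to the people who run payroll.
PAYROLL_STAFF_ACCOUNTS = {"062-000 9999999": "payroll manager (E010)"}

# Constructed payroll run containing the patterns a ghost-employee scheme produces.
PAYROLL_RUN = [
    PayrollLine("E001", "Alice Ng", "062-000 1234567", 3100.00),
    PayrollLine("E002", "Ben Ortiz", "062-000 2345678", 2950.00),
    PayrollLine("E003", "Cara Singh", "062-000 3456789", 2800.00),  # terminated, still paid
    PayrollLine("E047", "D. Smith", "062-000 9999999", 2400.00),    # no HR record
    PayrollLine("E048", "E. Jones", "062-000 9999999", 2400.00),    # shares account with E047
    PayrollLine("E002", "Ben Ortiz", "062-000 2345678", 2950.00),   # duplicate line
]


def review_payroll(run: list[PayrollLine],
                   hr_master: dict[str, tuple[str, str, bool]],
                   staff_accounts: dict[str, str]) -> dict[str, list[str]]:
    """Compare a payroll run against the HR master and return {employee_id: [findings]}.

    Only employees with at least one finding are returned.
    """
    findings: dict[str, list[str]] = defaultdict(list)
    payees_by_account: dict[str, set[str]] = defaultdict(set)
    seen_ids: set[str] = set()

    for line in run:
        payees_by_account[line.bsb_account].add(line.employee_id)

        if line.employee_id in seen_ids:
            findings[line.employee_id].append("duplicate payment line")
        seen_ids.add(line.employee_id)

        record = hr_master.get(line.employee_id)
        if record is None:
            findings[line.employee_id].append("no HR master record")
        else:
            _, account_on_file, active = record
            if not active:
                findings[line.employee_id].append("paid after termination")
            if account_on_file != line.bsb_account:
                findings[line.employee_id].append("bank account differs from HR master")

        if line.bsb_account in staff_accounts:
            owner = staff_accounts[line.bsb_account]
            findings[line.employee_id].append(f"paid into account of {owner}")

    # Several payees sharing one account is the classic ghost-employee signature.
    for ids in payees_by_account.values():
        if len(ids) > 1:
            for emp in ids:
                others = ", ".join(sorted(ids - {emp}))
                findings[emp].append(f"bank account shared with {others}")

    return dict(findings)


if __name__ == "__main__":
    report = review_payroll(PAYROLL_RUN, HR_MASTER, PAYROLL_STAFF_ACCOUNTS)
    for emp, notes in sorted(report.items()):
        print(f"{emp}: {'; '.join(notes)}")
```

The check only works if the HR master list and the list of staff bank accounts are maintained by someone other than the person who runs payroll; if the payroll manager controls both inputs, the comparison is just the same person checking their own work, which is the failure the case describes.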
Case 2: The supplier fraud that bypassed the policy
A construction materials business had a documented Internal Controls Checklist that required secondary approval for any change to a supplier's bank account details. The accounts payable manager received a convincing email, apparently from a trusted supplier, advising that the supplier's bank account had changed. The manager approved the change without obtaining the required secondary approval, relying on the email's plausible appearance and the urgency it claimed. Subsequent payments totalling $280,000 went to the fraudulent account before the fraud was discovered. The Control Environment, the culture that allowed people to bypass a control whenever they judged the circumstances justified it, had been compromised, and that undermined the whole system. A practical safeguard here is that the secondary approver confirms any bank detail change with the supplier through a contact already held on file, never through a phone number or email address supplied in the request itself. The lesson: a control that can be overridden at an individual's discretion is not a control, it is a guideline.
6. Conclusion
A good Internal Controls Checklist is not a document sitting in a policy file; it is a set of working practices that are actually followed, periodically tested and continually improved. The Control Environment, which determines whether controls are consistently followed, is at least as important as the controls themselves, and a business whose culture allows controls to be circumvented faces the same risks as one that never implemented them.
- The five highest-priority controls, payment authorisation, bank reconciliation, management account review, Segregation of Duties and access management, address the risks behind most financial loss events in Australian SMEs; full implementation of all five is the most effective starting point for any control improvement programme.
- Fraud Prevention Controls need both preventive and detective components, and most SME fraud cases are ultimately uncovered by the detective components rather than the preventive ones.
- For advisors and junior professionals building experience in this area, the Governance Best Practices literature, ACFE fraud survey data and the findings from recent high-profile audit failures all provide patterns that are more useful in day-to-day control advisory work than theoretical frameworks alone.