The importance of internal controls when making payments

24 November 2020

Assistant director for audit and assurance, Stuart Cutts, tells us why internal controls on payments are so important.

Organisations routinely make payments. The processes, and controls, that help make those payments accurately may be seen as routine.

But we need to remain vigilant, and stress the importance of strong internal controls on payments to all those involved.

Internal controls on payments cover a number of areas. Our reviews on payments regularly focus on the effective operation of payment controls. For example, we:

  • Evaluate the arrangements to help prevent duplicate payments
  • Ensure appropriate separation of duties exists
  • Interrogate all expenditure using computer software to help provide assurance these controls are working

The importance of strong payment controls was highlighted in two local cases. In York, a local NHS surgery had £46,000 diverted by the practice manager to his own account. Part of the fraud involved duplicating payments to legitimate suppliers. The manager was jailed for 20 months.

In another case, the Whitby Wildlife Sanctuary was subject to a bank mandate fraud [source: BBC News]. The sanctuary was in email conversation with a regular supplier. It appears these emails were intercepted by a hacker who impersonated the supplier and provided their own BACS details, resulting in £13,000 being lost. This is known as whaling.

Always remain vigilant. Ensure your own internal controls are well known and followed in every instance.

How else can you prevent this type of fraud?

Look out for:

  • A request to change payee details which is unexpected, or which involves pressure to make a change quickly.
  • Phone calls which are not from your normal contact or from numbers which cannot be verified.
  • Emails or letters which originate from unusual addresses or which are not in keeping with the usual style and quality of the genuine supplier.

Always:

  • Question any request to change payee details regardless of the source or circumstance, even if the request comes from someone more senior in your organisation or has already passed through other internal departments.
  • Independently verify the request through established channels. Do not trust contact details contained within the request. If the request is received over the phone, end the call and attempt to re-connect with the individual through the creditor’s main switchboard number.

And never:

  • Assume that a request is safe because a colleague trusts the source. It is the responsibility of the person changing the creditor details to verify that the request is genuine.
  • Allow yourself to be pressured into bypassing agreed verification processes and procedures.

Need some guidance on your internal controls? We provide assurance services to over 500 public sector clients in Yorkshire and beyond. Get in touch, or read more about internal audit.