
Internal Controls for Small Business Australia: Preventing Fraud With a 5-Person Team (2026)

Australian small business owner reviewing a payment approval workflow on a laptop, with a second team member verifying supplier bank details by phone before a batch payment is released.

Internal Controls for Small Teams: Preventing Fraud When You Have 5 Staff

Most fraud frameworks are written for companies with audit committees and internal audit departments. They are useless to a business where one person raises the invoices, pays the bills, and reconciles the bank. Yet that business is exactly where fraud and payment errors do the most damage, because nobody is positioned to catch them.

The good news: you do not need a big team to build real controls. You need a handful of deliberate rules about who can move money, who checks the mover, and what gets verified before funds leave the account.

Published: June 2026

What Are Internal Controls?

Internal controls are the processes that protect your business from errors, fraud, and loss. In practice they answer three questions: who can commit the business to spending money, who can move money, and who independently checks that what moved matches what was approved.

In a large company these roles are split across departments. In a small business the goal is the same separation achieved with fewer people, supported by software, and topped up with owner-level review where a second person simply does not exist.

Why Small Businesses Are the Easiest Target

Three structural features make small teams vulnerable.

Concentration of duties. When one trusted person handles invoicing, payments, payroll, and reconciliation, that person can both make and conceal an error or a theft. Most internal fraud in small businesses is committed by long-tenured, trusted staff precisely because trust replaced verification.

No independent reconciliation. If the person who pays the bills also reconciles the bank account, the reconciliation stops being a control. It becomes a tidy-up performed by the only person who knows what really happened.

Owner distraction. Owners review the P&L but rarely review the payments themselves. A fraudulent supplier or an inflated invoice hides comfortably inside a normal-looking expense line. Our guide to reading your profit and loss statement covers what the P&L can tell you, but the P&L will not catch a payment redirected to the wrong bank account.

External attackers know all of this. Payment redirection scams, where a fraudster impersonates a supplier and emails "updated bank details", remain one of the most financially damaging scam types reported by Australian businesses to the ACCC. The invoice is real, the amount is right, and only the BSB and account number have changed.

The Five Controls Every Small Business Needs

1. Separate approval from payment

Nobody should be able to approve their own payment. The minimum standard: one person prepares the payment batch, a different person (usually the owner) authorises its release in the bank. If you are a sole operator working with an external finance team, the split is natural: the team prepares, you release.

Tools make this easy to enforce. Approval workflows in platforms like ApprovalMax, Weel, or Airwallex create a digital record of who requested and who approved every payment. We compare the options in our guide to payment and approval software for Australian SMEs.

2. Verify supplier bank details by phone, every time they change

This single rule defeats the payment redirection scam. When a supplier emails new bank details, someone must call the supplier on a number sourced independently (from their website or a prior invoice, never from the email itself) and confirm the change verbally before the master file is updated.

Apply the same rule to new suppliers above a dollar threshold, say $5,000. The 60 seconds this takes is the cheapest insurance your business will ever buy.

3. Lock down the supplier master file

Changes to supplier records (bank details, ABNs, contact emails) should be restricted to one or two people and logged. In Xero, review user roles so that staff who process invoices cannot also edit contact bank account details. A quarterly export of supplier bank details, compared against the previous quarter, surfaces any change nobody remembers authorising.

4. Independent bank reconciliation and review

The bank reconciliation should be performed, or at minimum reviewed, by someone who does not process payments. If your structure makes that impossible internally, this is one of the strongest arguments for an outsourced finance team: the people reconciling your accounts have no ability to move your money, and the people in your business who move money do not control the records.

The owner's monthly job is a 15-minute scan: every payment over a set threshold, all payments to new payees, and any round-dollar or duplicate amounts. Fraudsters rely on nobody looking.
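The quarterly supplier-file comparison from control 3 and the owner's monthly payment scan above are both mechanical checks, so here is an added example (not from the original article or any product it names) that runs them over two constructed supplier exports and a constructed payment list. The column names, the $5,000 threshold and the "multiple of $1,000" definition of a round-dollar amount are assumptions for the example.

```python
"""Monthly review helpers: diff supplier bank details between two exports and
screen a payment run for over-threshold, new-payee, round-dollar and duplicate items."""
import csv
from collections import Counter
from io import StringIO

# Constructed sample exports (fictional suppliers and account numbers); the
# columns assume a contact export trimmed to name, BSB and account number.
PRIOR_QUARTER = """name,bsb,account
Acme Cleaning,062-000,12345678
Widget Supplies,083-001,87654321
"""
CURRENT_QUARTER = """name,bsb,account
Acme Cleaning,062-000,12345678
Widget Supplies,013-999,11112222
Newco Consulting,033-111,55556666
"""

def load_suppliers(text):
    """Map supplier name -> (BSB, account) from a CSV export."""
    return {r["name"]: (r["bsb"], r["account"]) for r in csv.DictReader(StringIO(text))}

def bank_detail_changes(prior_text, current_text):
    """Return (changed, added): suppliers whose bank details differ from the prior
    export, mapped to (old, new), and suppliers that did not exist last quarter."""
    prior, current = load_suppliers(prior_text), load_suppliers(current_text)
    changed = {n: (prior[n], d) for n, d in current.items() if n in prior and prior[n] != d}
    added = {n: d for n, d in current.items() if n not in prior}
    return changed, added

def flag_payments(payments, known_payees, threshold=5000.0):
    """payments is a list of (payee, amount). Returns a dict of flag -> items that
    the owner should look at; a payment can appear under several flags."""
    flags = {"over_threshold": [], "new_payee": [], "round_dollar": [], "duplicate": []}
    for payee, amount in payments:
        if amount >= threshold:
            flags["over_threshold"].append((payee, amount))
        if payee not in known_payees:
            flags["new_payee"].append((payee, amount))
        if amount >= 1000 and amount % 1000 == 0:   # assumed round-dollar rule
            flags["round_dollar"].append((payee, amount))
    # Same payee and same amount more than once in the run is a duplicate candidate.
    flags["duplicate"] = [p for p, count in Counter(payments).items() if count > 1]
    return flags

if __name__ == "__main__":
    changed, added = bank_detail_changes(PRIOR_QUARTER, CURRENT_QUARTER)
    print("changed bank details:", changed, "\nnew suppliers:", added)
```

A supplier under "changed" or "new_payee" is exactly the case that needs the independent phone confirmation before anything else is done.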

5. Control payroll changes

Payroll is the other place money leaks. The controls mirror the supplier rules: changes to employee bank accounts or pay rates require documented approval from someone other than the person processing payroll, and a monthly comparison of headcount and gross pay against the prior month flags ghost employees or unapproved rate changes. Timesheet manipulation is its own risk category, which we cover in our timesheet fraud guide for Australian employers.

A Worked Example: What Weak Controls Cost

Consider a hypothetical $4M revenue services business with 15 staff. The office manager handles AP end to end. A fraudster monitors the business's email (via a compromised mailbox), waits for a genuine $38,000 supplier invoice, then sends a follow-up "from" the supplier with new bank details. The office manager updates the record and pays.

The supplier chases payment 30 days later. The money is gone, the bank cannot recall it, and the business still owes the original $38,000. Total cost: $76,000, against a control that costs one phone call. On a 15% net margin, the business needs roughly $507,000 of new revenue to recover that loss.

Controls That Cost Nothing to Implement

Several controls require no software spend at all. Set bank payment limits so that any single transfer above a threshold requires two authorisers. Turn on multi-factor authentication for your accounting software, bank, and email, since most payment fraud begins with a compromised mailbox. Require invoices to quote a purchase order or approval email before payment. Take leave seriously: fraud is frequently discovered when the person concealing it finally takes a holiday and someone else touches their work.

Finally, document the rules in a one-page payments policy. A control that lives in one person's head leaves with them.

Where an External Finance Team Fits

An embedded finance team is itself a structural control. Preparation, processing, and reconciliation sit with people outside your business who have no payment release authority, while release authority stays with you. Every transaction touches at least two unrelated parties by default. If you want to compare the cost of that structure against an internal hire, run the numbers in our hire vs outsource calculator, or browse the rest of our free tools for business owners.

FAQ

What are internal controls in a small business?

Internal controls are the rules and processes that govern who can approve spending, who can move money, and who independently verifies transactions. In a small business the core controls are payment approval separation, supplier bank detail verification, restricted master file access, independent bank reconciliation, and payroll change approval.

How do you segregate duties with only 2 or 3 staff?

Split the two highest-risk steps: the person who prepares payments should not release them, and the person who processes transactions should not reconcile the bank. The owner typically holds release authority, and an external bookkeeper or finance team can perform reconciliation independently.

What is a payment redirection scam?

A fraudster impersonates a genuine supplier, usually by email, and provides updated bank details so the business pays a real invoice to the fraudster's account. It is defeated by verbally confirming any bank detail change using a phone number sourced independently of the email.

Should the bookkeeper and the person paying bills be the same person?

No. If the same person records transactions, pays bills, and reconciles the bank, no independent check exists. Either split the roles internally or place recording and reconciliation with an external provider while payment release stays with the owner.

How often should a business owner review payments?

Monthly at minimum. Review all payments above a set threshold, payments to new payees, and any changes to supplier or employee bank details. The review takes around 15 minutes once the reports are set up.

Do small companies in Australia need an audit?

Generally no. Most small proprietary companies have no audit requirement under the Corporations Act, which is exactly why internal controls matter more: no external party is checking. Audit obligations apply to large proprietary companies meeting ASIC's size thresholds.

What software helps with internal controls?

Approval workflow tools (ApprovalMax, Weel, Airwallex), accounting software user-role restrictions in Xero, and bank-level dual authorisation on payments. Software enforces the rules consistently, but the verification phone call for bank detail changes remains a human step.

Is fraud covered by business insurance?

Some crime or cyber policies cover employee fraud or social engineering losses, but coverage varies widely, often carries sub-limits, and usually requires you to demonstrate that reasonable controls were in place. Controls come first; insurance is the backstop.

About Scale Suite

Scale Suite is a Sydney-based provider of outsourced finance teams and fractional CFO services for Australian SMEs. We deliver weekly bookkeeping, payroll, BAS/IAS lodgement, cashflow reporting, management accounts, and strategic fractional CFO oversight, all as a fully embedded team that works inside your business. CA-qualified, Xero Certified, and registered BAS Agents, we replace fragmented bookkeepers and once-a-year accountants with one responsive finance function at a fraction of the cost of full-time hires. We serve growing businesses across Sydney, Melbourne, Brisbane, and Perth, with packages starting from $1,500 per month and no lock-in contracts.

We review and check this guide periodically. At the time of writing (June 2026), all information was current. Scale Suite is a registered BAS Agent, not a licensed tax advisor or financial advisor. This content is general information only and does not constitute professional tax, financial, or legal advice. Some details may change over time.
