You know the conversation. Your auditors want controls you don’t have. Your team’s stretched. Do we really need automated journal entry approval? Isn’t segregation of duties just box-ticking?
They’re not wrong. And this year it’s getting worse.
The Real Cost of Weak Controls
In fifteen years I’ve seen this pattern: weak controls don’t blow up suddenly. They creep. A missed reconciliation becomes a £50k error nobody spots until year three. A procurement card gets used for personal expenses. A journal entry posts to the wrong cost centre and hides a bad project for two quarters.
The costs aren’t just the error itself. There’s regulatory risk. Reputational damage. Forensic audit bills. Rebuilding stakeholder trust.
But here’s the bit most CFOs miss: weak controls kill your valuation in the investment room.
If you’re raising capital, investors dig into your data room. Your controls stack is one of the first things they examine. A weak control environment destroys valuation faster than a missed revenue target. It signals a team that can’t run tight operations. That’s existential.
Why Auditors Are Pushing Harder This Year
Two things happened:
Audit firms have capacity issues. The Big Four are culling small clients. Fees have jumped. The firms left standing are more selective. They’ll scrutinise you harder because they can’t afford to have your accounts blow up.
Second, regulatory expectations have shifted. ICAEW guidance on audit committee work has tightened. FRC expectations around senior management oversight are now explicit. If you’re a limited company over £2m turnover, expect rigorous audit procedures. This isn’t FTSE theatre anymore. It’s baseline governance now.
Practically, your auditors will push you on:
- Automated controls in cash and payroll (not just catch-up reviews)
- Segregation of duties across transaction cycles
- Journal entry review workflows
- Expense and procurement card reconciliation
- Fixed asset verification
- Intercompany reconciliations where applicable
They’re not doing this to be difficult. They’re managing their liability. Your name is on the accounts. So is theirs.
Which Controls Actually Matter
Cut through the noise. These are the ones auditors care about:
Cash and banking. Bank reconciliation independent of the payment processor. Exceptions investigated within days. If you’re automating, fine—but someone reviews unusual transactions monthly.
Payroll. Someone other than the payroll processor reviews exception reports (starters, leavers, rate changes). Two hours a month. Catches most errors.
Procurement. Large orders (say £10k+) need independent approval. Purchaser and approver can’t be the same person. That’s not a control.
Journal entries. Unusual items—consolidation entries, provisions, period-end adjustments—need a documented business reason and someone to sign off. Essential if you have multiple reporting entities.
Fixed assets. Annual physical count. Disposals matched to records. Catches fraud and errors both.
Period-end. Close timeline. Who reviews management accounts before they reach the board.
That’s the core. Everything else is detail or extension of these.
Automation Helps (If You Do It Right)
You can build solid controls without hiring new people. Use your ERP (Sage, NetSuite), workflow automation (native or Zapier), and document management. Pick the high-volume repeatable controls first: bank matching, payroll exception reporting, purchase order workflow. Manual controls (physical counts, sign-offs) stay manual.
Here’s the problem: automation only works if the process is designed first. You can’t bolt a tool onto chaos. You need to know what the control is, who owns it, what happens when it fails, and how often you review it.
Most teams skip this. They install software and never look again. Your auditors will catch that and ask you to define the actual control.
What Your CFO Owns
This isn’t a finance ops problem. It’s your problem.
- Document what controls actually exist
- Assign an owner to each
- Set a review cycle (usually annual, quarterly for high-risk areas)
- Track exceptions and what you did about them
- Report once a year to the board or audit committee
This takes half a day of your time. Full day if your operation is complex. Beats being blindsided in the audit room when they ask you to explain your controls and you can’t.
The Bottom Line
Your auditors aren’t being obstructive. Their firm’s name is on your accounts. Same as yours. So is the tax break, the loan covenant, the working capital number you gave investors.
Weak controls = downstream risk. That’s not an opinion.
The good news: tight controls don’t have to be complex or expensive. They just need to exist and be reviewed. Document them. Assign owners. Review annually. Let your auditors sign off without the theatre.
Struggling with your control framework? We help CFOs and finance teams build controls that actually work at scale—without the consultancy overhead. Get in touch if you want to discuss what your operation needs.