Louise Graham’s Tips to Strengthen Internal Controls
Stories of finance fraud hit the headlines regularly, and the start of 2026 is no different. Late last year, Rank Group disclosed that it lost more than €7m following a payment fraud incident in its Spanish business. Like many organizations before them, Rank is now reviewing how the fraud happened and tightening internal controls as a result.
So what does it really mean to strengthen internal controls, and how can your team put them into practice?
We spoke to our COO and Head of Institute, Louise Graham, to get her perspective. Here are four practical steps you can start taking straight away.
1. Tighten vendor set-up controls
Vendor set-up is effectively the gateway to your organization’s bank account, so getting this right upfront is critical. Strong controls should include independent validation of suppliers, clear ownership of vendor master data, and strict processes for verifying bank account details. Relying on email alone is a major risk, particularly with impersonation fraud becoming more sophisticated.
Due diligence should not stop once a vendor is onboarded. Ongoing reviews and revalidation are just as important, especially when details change.
If you want to go deeper, join our upcoming webinar on January 21st, Top Vendor Validation Best Practices for Preventing Fraud in 2026 and learn how other finance teams are tackling vendor risk.
2. Build a strong procure-to-pay process
A strong procure-to-pay process ensures payments are only made for authorized and legitimate purchases. Using purchase orders and enforcing three-way matching between the PO, goods received, and invoice helps prevent fraudulent or incorrect payments from slipping through.
Despite this, many organizations still struggle. In our Accounts Payable Automation Trends 2025 research, only 6 percent of respondents said all their invoices go through a PO process. That leaves a significant gap in control and visibility.
Automating P2P workflows helps enforce approvals, reduce manual intervention, and create a clear audit trail that stands up to scrutiny.
3. Enforce segregation of duties
No single person should be responsible for setting up vendors, approving invoices, and releasing payments. Segregation of duties is one of the most effective ways to reduce both internal and external fraud risk.
A clear segregation of duties matrix should exist, be understood by the business, and be enforced through system controls rather than policy alone. As roles change or teams scale, these controls should be reviewed regularly.
Technology plays an important role here. Role-based access and automated approval workflows reduce reliance on trust and make it much harder for fraud to go unnoticed.
4. Train your people and build an anti-fraud culture
Your people are your biggest asset, but without the right training they can also be your biggest risk. Teams need to know how fraud shows up in the real world, whether that is business email compromise, impersonation of senior leaders, deepfakes, or urgent requests to change bank details. A simple phone call to a known contact can stop a costly mistake.
The recent M&S cyber incident highlights how social engineering can bypass technical controls. In this case, attackers reportedly persuaded staff and suppliers to reset login credentials, giving criminals access to systems and causing widespread disruption.
Ongoing training, clear reporting routes, and a culture where people feel confident to question unusual activity all matter. Technology and AI can help spot anomalies, but informed people are still your first line of defence.
Formal training and certification, such as IFOL’s Certified Fraud Prevention Specialist program, can help teams build the confidence and skills needed to stay one step ahead.
Helping Your Team Stay Ahead
As fraud risks continue to change, we’ll keep supporting our community with the learning, insight, and standards finance teams need to stay one step ahead. Talk to us about training for your team.
