Financial Controls and Fraud Prevention: Protecting SaaS Company Assets

Building Financial Controls for SaaS Companies

Protecting company assets without creating bureaucratic overhead. **Financial control framework** Control categories: Preventive controls (stop fraud/errors before they happen): - Approval workflows - Access restrictions - Segregation of duties - Vendor verification Detective controls (find fraud/errors after they occur): - Bank reconciliation - Revenue reconciliation - Expense audits - Anomaly detection Corrective controls (fix issues when found): - Investigation procedures - Adjustment processes - Policy updates - Training programmes **Core controls by process** Control 1: Cash and banking | Control | Frequency | Owner | Details | |---|---|---|---| | Bank reconciliation | Monthly | Finance (not AP) | Match bank to books | | Dual signatory | Per transaction >£5K | 2 authorised signers | Both must approve | | Payment authorisation | Per payment | Budget holder + finance | Two-step approval | | Bank access review | Quarterly | CFO | Review who has access | Bank reconciliation process: 1. Download bank statement at month end 2. Match each transaction to accounting record 3. Investigate unmatched items 4. Document reconciliation 5. Second person reviews and signs off 6. Complete within 5 business days of month end Red flags: - Unmatched transactions (payments with no invoice) - Round number payments (£5,000 exactly — may be fabricated) - Payments to unknown parties - Duplicate payments - Unusual payment timing (weekends, holidays) Control 2: Accounts payable | Control | Frequency | Owner | Details | |---|---|---|---| | Invoice approval | Per invoice | Budget holder | Verify goods/services received | | Three-way match | Per invoice >£1K | AP | PO + invoice + receipt match | | Vendor verification | New vendors | Finance manager | Verify legitimacy before first payment | | Payment batch review | Per payment run | CFO | Review before release | Vendor setup process: 1. Request from department with business justification 2. Finance verifies vendor (company registration, VAT number) 3. Obtain bank details directly from vendor (not from email chain) 4. Set up in accounting system 5. CFO approves vendor setup Fraud prevention: - Never change vendor bank details based on email alone (phone call verification required) - Match invoice amounts to PO/contract - Review vendor addresses (PO Box or residential = investigate) - Periodic vendor audit (are all vendors legitimate?) CEO fraud (common SaaS scam): - Scammer sends email appearing to be from CEO - Requests urgent payment to new bank account - "Need you to process this wire immediately, will explain later" - Prevention: Verbal confirmation for any unusual payment request Control 3: Revenue and billing | Control | Frequency | Owner | Details | |---|---|---|---| | Billing reconciliation | Monthly | Finance | Stripe/billing system vs accounting | | Contract review | Monthly | Finance + Sales | New contracts match system | | Discount approval | Per deal | VP Sales or CFO | Discount >15% needs approval | | Credit note review | Monthly | CFO | All credit notes reviewed | Revenue reconciliation process: 1. Extract billing data (Stripe, Chargebee) 2. Extract accounting revenue (Xero, NetSuite) 3. Reconcile: Billing total = Accounting total ± timing differences 4. Investigate discrepancies 5. Document and sign off Common discrepancies: - Timing differences (payment received but not yet recognised) - Failed payments (billed but not collected) - Manual adjustments (credits, refunds) - Currency differences Control 4: Payroll | Control | Frequency | Owner | Details | |---|---|---|---| | Payroll review | Monthly | Finance manager | Verify headcount and amounts | | New hire verification | Per hire | HR + Finance | Match offer letter to payroll | | Leaver processing | Per departure | HR + Finance | Remove from payroll promptly | | Payroll reconciliation | Monthly | Finance | Payroll system vs bank vs accounting | Ghost employee fraud: - Fictitious employee added to payroll - Salary paid to fraudster's account - Prevention: Monthly headcount verification by department managers - Each manager confirms their team list is correct Control 5: Expenses | Control | Frequency | Owner | Details | |---|---|---|---| | Expense approval | Per expense | Manager | Approve before reimbursement | | Receipt requirement | Per expense >£25 | Employee | Attach receipt to claim | | Policy compliance | Per expense | Finance | Check against expense policy | | Expense audit | Quarterly | Finance | Sample check 10% of expenses | Expense policy essentials: - Spending limits by category (meals: £50pp, travel: economy class) - Pre-approval for >£500 expenses - No personal expenses on company card - Alcohol limits (reasonable with meals) - Same-day submission of receipts **Access controls** Financial system access matrix: | System | Role | Access level | |---|---|---| | Banking (Barclays) | CEO, CFO | Admin (payments) | | Banking (Barclays) | Finance manager | View + prepare (no release) | | Accounting (Xero) | CFO, Controller | Admin | | Accounting (Xero) | Finance team | Standard (no delete) | | Billing (Stripe) | CFO, Head of Sales | Admin | | Billing (Stripe) | Sales reps | View only | | Payroll (PayFit) | HR manager, CFO | Admin | | Payroll (PayFit) | Managers | View own team only | Access review: - Quarterly: Review who has access to each system - On departure: Immediately revoke all financial system access - On role change: Adjust access to match new role **Control environment by company stage** Stage 1: Pre-Series A (5-15 people) Minimum controls: - Dual signatory on bank account (2 founders) - Monthly bank reconciliation - Expense approval by founder - Separate personal and company finances Time investment: 2 hours/month Cost: £0 (founder time) Stage 2: Series A (15-50 people) Add: - Formal expense policy - Vendor verification process - Revenue reconciliation (billing vs accounting) - Segregation of duties (where possible) - Quarterly access review Time investment: 4-8 hours/month Cost: Finance manager handles (part of role) Stage 3: Series B (50-150 people) Add: - Full segregation of duties - Documented control procedures - Internal control testing (quarterly) - Board audit committee (or finance subcommittee) - External audit preparation Time investment: 15-20 hours/month Cost: Controller/compliance role (part of team) Stage 4: Series C+ (150+ people) Add: - Internal audit function (or outsourced) - SOX-lite control framework - Continuous monitoring and automation - Whistleblower hotline - Regular fraud risk assessment Time investment: Full-time role Cost: Internal auditor (£50-80K) or outsourced (£30-60K/year) **Fraud risk assessment** Common SaaS fraud risks: | Risk | Likelihood | Impact | Control | |---|---|---|---| | Expense fraud | Medium | Low | Approval + audit | | Vendor fraud | Medium | Medium | Verification + SoD | | Payroll fraud | Low | Medium | Manager verification | | Revenue manipulation | Low | High | Revenue reconciliation | | CEO email fraud | High | High | Verbal confirmation | | Card misuse | Medium | Low | Spending limits + review | Annual fraud risk review: - Identify top 10 fraud risks - Assess likelihood and impact - Review controls in place - Identify gaps - Implement improvements - Report to board Cost-benefit of controls: Investment in controls: £30-60K/year (team time + tools) Average prevented loss: £100-250K/year (based on SME fraud statistics) ROI: 3-8x (controls pay for themselves) Additional benefits: - Audit readiness (cleaner financials) - Investor confidence (governance) - Insurance benefit (lower premiums with good controls) - Operational efficiency (less fixing errors)