
Financial Controls for Remote-First Companies: Fraud Risk and Authorisation Frameworks

Finance Fundamentals

The Control Gap That Remote Work Creates

The fraud risks are real and specific. Business email compromise attacks on remote companies have increased significantly since 2020. The controls described here are not theoretical best practice; they are the minimum framework a 50-person remote company should have in place. If you recognise gaps in your current setup, address them in priority order starting with payment authorisation.

Remote-first companies face a fundamentally different financial control environment from office-based businesses. The informal oversight mechanisms that traditionally supported financial controls, such as physical proximity, visible activity, and face-to-face relationships with suppliers and colleagues, are absent. In their place is a digital environment where identity is harder to verify, payments can be initiated from any location, and social engineering attacks are more effective because teams have weaker interpersonal familiarity.

The Verizon Data Breach Investigations Report (DBIR) 2025 confirms that business email compromise remains the leading cause of significant financial loss for small and mid-size businesses. The typical loss per incident has increased year on year since 2019. For remote-first companies, the risk profile is higher than average because the very features that make remote work efficient, such as fast digital communication, cloud-based payments, and distributed decision-making, are also the features that fraudsters exploit.

This article sets out the specific fraud risks that remote-first companies face, the control framework required to address them, how to build a culture of financial control in a distributed team, and how to test that the controls actually work. It includes a controls matrix for a 50-person remote company.

The Fraud Risks Specific to Remote Companies

Four categories of fraud are disproportionately prevalent in remote-first companies:

Business Email Compromise

Business email compromise (BEC) involves an attacker impersonating a trusted party, typically a senior executive, a supplier, or a bank, to trick an employee into making an unauthorised payment or changing bank account details. In a remote-first company, these attacks are more effective because employees cannot walk across the office to verify the instruction, a message that appears to come from the CEO is harder to challenge over email or Slack than in person, and the sense of urgency that BEC attackers create is amplified by asynchronous communication norms.

Fake Supplier Scams

New supplier onboarding is a high-risk moment. Remote-first companies frequently onboard suppliers they have never met, based entirely on digital communication and documentation. Fraudsters exploit this by creating convincing supplier profiles, submitting fake invoices for legitimate-sounding services, or inserting themselves into a legitimate supplier relationship and diverting payments by submitting changed bank details.

Identity Fraud in Employee Onboarding

Remote onboarding creates opportunities for identity fraud that would be much harder in an office context. Payroll fraud, where a person onboards with fraudulent identity documents and later diverts their salary to a different account, is rare but financially significant when it occurs. More common is ghost employee fraud, where an employee who has left continues to receive payroll because the offboarding process lacks a control requiring finance sign-off on final pay.

Expense Fraud

Expense fraud is the most common form of fraud in remote-first companies and is often low-level and opportunistic. Without physical receipt checks, manager proximity, or visible spending patterns, remote employees can overstate expenses or claim for personal purchases with relatively low detection risk. CIMA research suggests expense fraud accounts for around 15-20% of all employee fraud incidents by volume.

  • BEC average loss (UK): £125k median loss per incident for SMEs in 2024
  • Remote fraud risk premium: 2.5x higher BEC incidence rate vs office-first companies (Verizon 2025)
  • Detection lag: 14 months average time to detect internal fraud in remote companies (ACFE)
  • Control failure root cause: 67% of frauds enabled by absent or overridden controls, not technology failures

The Control Framework: Four Pillars

A robust financial control framework for a remote-first company rests on four pillars: payment authorisation, supplier verification, expense management, and access controls. Each pillar has specific control requirements that must be implemented procedurally, not just as a policy document.

Pillar 1: Payment Authorisation

Payment authorisation is the highest-risk control area for remote companies. The core principles are separation of duties and dual authorisation for material payments. The specific thresholds will depend on company size, but a standard framework for a 50-person remote company is:

  • Payments under £2,500: single authoriser (finance team member) with system logging
  • Payments £2,500 to £25,000: two-person sign-off (finance + department head)
  • Payments over £25,000: two-person sign-off (finance + C-suite), with a mandatory voice or video verification call for new payees
  • Any change to an existing supplier's bank account details: mandatory callback to the supplier on their previously registered telephone number, regardless of payment amount
  • Emergency payments outside normal process: require CEO and CFO both to authorise, with a written exception log

The bank account change control is the single most important preventive measure against BEC fraud. The majority of BEC losses involve fraudsters redirecting payments by submitting false bank account change requests. A procedural requirement to call back on the pre-existing registered number, not the number provided in the change request, defeats this attack almost completely.
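The threshold table and the callback rule above are procedural, but they are also a policy that can be checked mechanically before a payment is released. The following is an added example, not the article's own tooling: it encodes the thresholds as written (£2,500 and £25,000, voice verification for new payees over the upper limit, callback on any bank-detail change, CEO and CFO for emergencies) and enforces the two properties that matter most, separation of duties (two distinct approvers, never the requester) and a callback that is compared against the supplier master's registered number rather than the number on the change request. The record fields, role names and the supplier-registry shape are assumptions made for this illustration.

```python
"""Release check for the payment authorisation thresholds above.
Added example; thresholds are the article's, record fields, role names and
the registry shape are assumptions made for this illustration."""
from dataclasses import dataclass

SINGLE_LIMIT = 2_500            # up to this: one finance approver
DUAL_LIMIT = 25_000             # above this: finance + C-suite, voice check if new payee
CSUITE = {"ceo", "cfo", "coo"}  # assumed role names

@dataclass
class SupplierRecord:           # supplier master, populated at onboarding (assumed shape)
    account: str                # bank details verified at onboarding
    registered_phone: str       # captured at onboarding, never from a change request
    paid_before: bool

@dataclass
class Payment:
    amount: float               # GBP
    requested_by: str
    payee_account: str          # bank details as entered on this request
    contact_phone: str          # phone number supplied with the request (untrusted)
    emergency: bool = False

@dataclass
class Approval:
    user: str
    role: str                   # "finance", "dept_head", or a CSUITE role

@dataclass
class Callback:
    dialled_number: str         # the number finance actually rang
    confirmed: bool

def required_controls(p: Payment, s: SupplierRecord) -> set[str]:
    """Map one payment onto the controls the threshold table demands."""
    ctrls = set()
    if p.emergency:
        ctrls.add("ceo_and_cfo")
    elif p.amount <= SINGLE_LIMIT:
        ctrls.add("finance_single")
    elif p.amount <= DUAL_LIMIT:
        ctrls.add("finance_plus_dept_head")
    else:
        ctrls.add("finance_plus_csuite")
        if not s.paid_before:
            ctrls.add("voice_verify_new_payee")
    if p.payee_account != s.account:        # bank-detail change: callback at any amount
        ctrls.add("callback_registered_number")
    return ctrls

def release_failures(p: Payment, s: SupplierRecord, approvals: list[Approval],
                     callback: "Callback | None" = None) -> list[str]:
    """Every unmet control for this payment; an empty list means it may be released."""
    needed = required_controls(p, s)
    users = [a.user for a in approvals]
    roles = {a.role for a in approvals}
    fails = []
    # Separation of duties: distinct people, and never the requester.
    if len(set(users)) != len(users):
        fails.append("same user counted as two approvers")
    if p.requested_by in users:
        fails.append("requester approved their own payment")
    if "finance_single" in needed and "finance" not in roles:
        fails.append("finance approval missing")
    if "finance_plus_dept_head" in needed and not {"finance", "dept_head"} <= roles:
        fails.append("needs finance + department head")
    if "finance_plus_csuite" in needed and not ("finance" in roles and roles & CSUITE):
        fails.append("needs finance + C-suite")
    if "ceo_and_cfo" in needed and not {"ceo", "cfo"} <= roles:
        fails.append("emergency payment needs CEO and CFO")
    # Phone checks compare against the supplier master, never p.contact_phone:
    # on a fraudulent change request that number belongs to the fraudster.
    for ctrl in ("callback_registered_number", "voice_verify_new_payee"):
        if ctrl in needed:
            if callback is None or not callback.confirmed:
                fails.append(f"{ctrl}: no confirmed call")
            elif callback.dialled_number != s.registered_phone:
                fails.append(f"{ctrl}: call made to an unregistered number")
    return fails

# Constructed scenario: an emailed "new bank details" change on a routine invoice.
ACME = SupplierRecord("20-00-00 12345678", "+44 20 7946 0000", paid_before=True)
CHANGE_REQUEST = Payment(4_200.0, "dana", payee_account="30-00-00 87654321",
                         contact_phone="+44 20 7946 0999")   # number on the request

def demo() -> dict[str, list[str]]:
    approvals = [Approval("sam", "finance"), Approval("lee", "dept_head")]
    return {
        "rang_number_on_request": release_failures(
            CHANGE_REQUEST, ACME, approvals, Callback(CHANGE_REQUEST.contact_phone, True)),
        "rang_registered_number": release_failures(
            CHANGE_REQUEST, ACME, approvals, Callback(ACME.registered_phone, True)),
    }

if __name__ == "__main__":
    for name, fails in demo().items():
        print(name, "->", fails or "RELEASE OK")
```

The constructed scenario is the common BEC pattern: a £4,200 invoice, within the normal dual-approval band, accompanied by "updated" bank details. Both approvals are in place, yet the release fails when the confirming call went to the number printed on the request, and passes only when it went to the number held since onboarding. The phone number on the request is deliberately never read by the check.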

Pillar 2: Supplier Onboarding Verification

Supplier onboarding must include:

  • Companies House verification of the supplier entity
  • Confirmation of the VAT registration number via the HMRC VAT checker
  • A signed supplier agreement with the actual legal entity name
  • Bank account confirmation via a bank statement or paying-in slip on company letterhead
  • A video call with a named contact at the supplier before the first payment is made

For suppliers over a material threshold (£25,000 in annual spend), consider also running a Dun and Bradstreet or similar credit reference check.

Pillar 3: Expense Management Controls

Expense management controls should include:

  • A receipt requirement for all expenses above £10 (zero exceptions)
  • Manager approval before finance processing rather than after
  • A randomised 10% sample review of all approved expenses by the CFO or Finance Director each month
  • A clear policy document that every employee acknowledges annually
  • An anonymous reporting mechanism for concerns about colleagues' expense behaviour

Pillar 4: Access Controls for Financial Systems

Access controls for banking and financial systems must be reviewed at least quarterly. The specific requirements:

  • No shared login credentials for any financial system
  • Multi-factor authentication required for all banking access (hardware token preferred)
  • Immediate revocation of all system access on employee departure, with a finance sign-off checklist
  • Regular (quarterly) user access reviews of all persons who have payment initiation or approval rights in banking systems, Xero/Sage/QuickBooks, expense management systems, and payroll

"The most costly financial control failure I see in remote companies is not fraud at all. It is the absence of a bank account change callback procedure, discovered after a BEC loss. The control costs nothing to implement and defeats the most common attack vector."

Controls Matrix: 50-Person Remote Company

  1. Dual authorisation for payments >£2,500 [Critical]: two approvers required in the banking system before release. No exceptions.
  2. Bank account change callback [Critical]: voice call to the pre-registered number required before processing any supplier bank detail change.
  3. Supplier onboarding checklist [Critical]: Companies House + VAT check + bank statement + video call before first payment.
  4. MFA on all financial systems [Critical]: mandatory multi-factor authentication for banking, accounting software, and payroll.
  5. Quarterly user access review [Important]: finance reviews all payment initiation and approval rights across all systems every quarter.
  6. Expense receipt requirement + sample audit [Important]: receipt required for all expenses >£10. Monthly 10% sample reviewed by CFO.
  7. Offboarding access revocation checklist [Important]: finance sign-off required within 24 hours of departure. Payroll removal confirmed in writing.

Building a Culture of Financial Control in a Distributed Team

Controls that exist only on paper are not controls. In a remote-first company, financial control culture requires deliberate effort because the informal social enforcement mechanisms of an office are absent. Three practices make the most difference:

Make controls visible and unambiguous. Every employee should know the payment authorisation thresholds, the supplier onboarding process, and the expense policy without having to search for them. A single internal page with the key controls, updated annually, is more effective than a 40-page policy document that nobody reads.

Name and thank people for good control behaviour. When an employee catches a suspicious supplier email or correctly escalates an unusual payment request, acknowledge it explicitly. In a remote environment, visible positive reinforcement is more powerful than it might seem because it normalises the behaviour and signals that management is paying attention.

Treat control breaches as training opportunities, not primarily as disciplinary matters. Most control breaches in well-intentioned companies are the result of unclear guidance or process pressure rather than malicious intent. A post-mortem conversation that identifies why the control was bypassed and what needs to change is more useful than a formal warning, for all but the most serious cases.

Testing Controls Remotely

Controls that are not tested are not controls. Remote control testing requires a structured approach because the normal mechanisms of observation are unavailable. Effective remote control testing for a 50-person company includes:

  1. Annual walkthrough testing: Select three to five controls and walk through them end-to-end with the relevant employees. Ask them to demonstrate the process rather than describe it. This reveals gaps between documented procedures and actual practice.
  2. Simulated phishing and BEC testing: Run a simulated BEC attack (a fake email from "the CEO" asking for an urgent payment) to test whether employees follow the dual authorisation and callback procedures. This is available through third-party services at modest cost and is the most effective way to identify training gaps.
  3. Surprise account reconciliation: Periodically reconcile a sample of supplier accounts without advance notice to the team. Review payments in the period against invoices and purchase orders. Look for duplicate payments, round-sum payments, and payments to payees not on the approved supplier list.
  4. Access control audit: At least once a year, export the full user list from all financial systems and validate it against current employees. Look for departing employees whose access was not removed and current employees with access levels beyond their role requirements.

One practical insight on BEC simulation: in virtually every company where this test is run, at least one person clicks the link or attempts to process the payment. That is not cause for alarm; it is valuable information about where training is needed. The goal is to identify the gaps before a real attacker does.
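Tests 3 and 4 above (surprise reconciliation and the access control audit), and the quarterly user access review under Pillar 4, are the two tests that can be run largely from exported data. The following is an added example, not the article's tooling, that runs both over constructed exports: the reconciliation pass flags duplicate payments, round-sum payments, payees not on the approved supplier list and payments with no invoice reference; the access pass joins every financial-system account against the HR roster and flags leavers with surviving access, accounts not tied to a named person (shared or service logins) and anyone holding both initiate and approve rights in the same system. The CSV column names, the roster format and all of the sample rows are assumptions constructed for this illustration; real bank, Xero/Sage/QuickBooks and payroll exports use different column names.

```python
"""Surprise reconciliation and access-control audit over constructed exports.
Added example, not the article's tooling; column names, roster format and
every sample row are constructed for this illustration."""
import csv
import io
from collections import defaultdict

# Constructed payment run for one month (not real data).
PAYMENTS_CSV = """date,payee,amount,invoice_ref,initiated_by
2025-03-03,Acme Ltd,4200.00,INV-1041,dana
2025-03-05,Acme Ltd,4200.00,INV-1041,dana
2025-03-07,Northwind Consulting,10000.00,INV-2201,sam
2025-03-09,Brightline Ltd,1375.40,INV-3309,dana
2025-03-11,Quick Payroll Services,25000.00,,sam
"""
APPROVED_SUPPLIERS = {"Acme Ltd", "Northwind Consulting", "Brightline Ltd"}

# Constructed user export, one row per (system, account, right).
USER_EXPORT_CSV = """system,user,right
bank,dana,initiate
bank,sam,approve
bank,sam,initiate
bank,chris,approve
xero,dana,initiate
payroll,chris,approve
payroll,shared-finance,approve
"""
HR_ROSTER = {"dana": "active", "sam": "active", "chris": "left 2025-01-31"}

def reconciliation_findings(payments_csv: str, approved: set[str]) -> dict[str, list[str]]:
    """Flag the patterns the article lists: duplicates, round sums, off-list payees."""
    findings: dict[str, list[str]] = defaultdict(list)
    seen: dict[tuple, list[str]] = defaultdict(list)
    for r in csv.DictReader(io.StringIO(payments_csv)):
        amount = float(r["amount"])
        label = f'{r["date"]} {r["payee"]} {amount:.2f}'
        seen[(r["payee"], r["amount"], r["invoice_ref"])].append(r["date"])
        if r["payee"] not in approved:
            findings["unapproved_payee"].append(label)
        if amount >= 1000 and amount % 1000 == 0:   # whole thousands: a fabricated-invoice tell
            findings["round_sum"].append(label)
        if not r["invoice_ref"]:
            findings["no_invoice_ref"].append(label)
    for (payee, amount, ref), dates in seen.items():
        if len(dates) > 1:                          # same payee, amount and invoice paid twice
            findings["duplicate"].append(f"{payee} {amount} {ref} on {', '.join(dates)}")
    return dict(findings)

def access_findings(user_csv: str, roster: dict[str, str]) -> dict[str, list[str]]:
    """Validate every financial-system account against HR and check the initiate/approve split."""
    rights: dict[tuple[str, str], set[str]] = defaultdict(set)
    for r in csv.DictReader(io.StringIO(user_csv)):
        rights[(r["system"], r["user"])].add(r["right"])
    findings: dict[str, list[str]] = defaultdict(list)
    for (system, user), rs in sorted(rights.items()):
        status = roster.get(user)
        if status is None:                          # not a named person: shared or service login
            findings["unattributed_account"].append(f"{system}:{user}")
        elif status != "active":                    # leaver whose access survived offboarding
            findings["leaver_with_access"].append(f"{system}:{user} ({status})")
        if {"initiate", "approve"} <= rs:           # one person can pay without a second approver
            findings["initiate_and_approve"].append(f"{system}:{user}")
    return dict(findings)

if __name__ == "__main__":
    report = reconciliation_findings(PAYMENTS_CSV, APPROVED_SUPPLIERS)
    report.update(access_findings(USER_EXPORT_CSV, HR_ROSTER))
    for name, items in report.items():
        print(f"{name}:")
        for item in items:
            print("  ", item)
```

The duplicate check keys on payee, amount and invoice reference together, which catches the same invoice paid twice without flagging a supplier legitimately paid the same amount on different invoices. The round-sum and missing-reference checks are prompts for a human to pull the invoice, not verdicts on their own. On the access side, the account that is not in the HR roster is the finding that usually goes unnoticed, because a shared finance login is nobody's responsibility to remove.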

Key Takeaways

  • Business email compromise is the primary financial fraud risk for remote-first companies, with median losses significantly higher than for other fraud types. The most effective single preventive control is the bank account change callback procedure.
  • Four control pillars are required: payment authorisation (with dual sign-off thresholds), supplier onboarding verification, expense management controls, and access controls for financial systems.
  • Payments above £25,000 to a new payee should require a voice or video verification call with the counterparty in addition to dual internal authorisation, and any change to a supplier's bank details should require a callback to the pre-registered number, whatever the amount.
  • Multi-factor authentication is non-negotiable for all financial system access. The absence of MFA on banking or payroll systems in a remote company is a material control failure.
  • Controls must be tested, not just documented. Annual walkthrough testing, simulated BEC attacks, and surprise reconciliation reviews are the most effective testing methods for remote companies.
  • Control culture in a distributed team requires deliberate effort: visible, simple documentation; positive reinforcement of good control behaviour; and post-mortem learning when controls are bypassed.
  • Quarterly user access reviews and an offboarding checklist with finance sign-off are the two controls most frequently absent in early-stage remote companies and the most commonly exploited.
