Controls / Banking

Bank Reconciliation and Payment Controls

CA Nikhil Gupta·June 2026·3 min readControls / Banking

A bank balance is not controlled because the CFO can see it. Every account and payment route needs independent reconciliation and access governance.

Quick View

Owner

Treasury lead and CFO

Cadence

Daily monitoring, monthly certification

First control

Maintain the bank-account register.

Core evidence

Bank statements and confirmations.

Why It Matters

Maintain a complete bank-account register including current, deposit, escrow, card, payment gateway and dormant accounts. Identify signatories, tokens, limits and purpose.

Bank reconciliation should match ledger and bank records and explain outstanding cheques, deposits, fees, interest, reversals and unidentified entries by age.

Payment preparation, approval and release should be separated. Beneficiary changes and bulk files need independent verification before release.

Control Framework

ControlWhat it coversOperating rule
Account governanceEvery account, user and limit is authorised.Remove dormant access.
ReconciliationBank and ledger differences are aged.Escalate unidentified items.
Payment workflowMaker, approver and releaser are separated.Use transaction limits.
Fraud responseBank and cyber reporting routes are ready.Preserve logs and timing.

Action Checklist

  1. Maintain the bank-account register.
  2. Review user access quarterly.
  3. Reconcile high-volume accounts daily.
  4. Verify new beneficiaries independently.
  5. Use dual approval for material payments.
  6. Escalate suspicious transactions immediately.

Practical Example

A finance employee uploads a correct payment file but a compromised approver token releases it to changed beneficiaries. Segregation without device and beneficiary controls is incomplete.

Evidence to Keep

  • Bank statements and confirmations.
  • Bank reconciliation files.
  • User and token register.
  • Beneficiary verification record.
  • Payment approvals and bank output.
  • Fraud incident and complaint log.

Warning Signs

  • Leaving dormant accounts open.
  • Allowing shared banking credentials.
  • Approving from mobile screenshots only.
  • Ignoring old reconciling items.
  • Calling the bank after internal investigation is complete.

Management Decision

Use transaction alerts independent of the payment preparer. Large or unusual payments should reach senior management instantly.

Run periodic payment-recall and fraud-response drills so staff know the bank, 1930 and evidence-preservation steps.

Record the decision, owner, due date and evidence expected. A verbal explanation should become an approved working, board note, contract amendment, statutory filing or reconciliation before the item is treated as closed.

Rules, forms, thresholds and procedures can change. Use the latest official source and the actual company facts rather than copying a prior-year control or another entity’s legal position.

Exception Review

Classify every exception as a timing difference, data error, missing document, legal non-compliance, control-design gap or control-operating failure. This prevents management from treating fundamentally different problems as one ageing list.

The exception file should show amount or exposure, root cause, immediate correction, preventive action, owner and board-escalation threshold. Repeated low-value issues can become material when they reveal weak systems or management override.

Close the item only after the evidence agrees across source documents, books, portal data and management reporting. A screenshot or email promise is not equivalent to a completed filing, lender waiver, signed contract or reconciled ledger.

Board Escalation

The control should operate across the full transaction population, not only the samples management expects a reviewer to inspect. For this topic, the key stages are account governance, reconciliation, payment workflow, fraud response. Each stage should identify the source system, preparer, reviewer, deadline and evidence retained.

A useful management review asks whether the legal document, accounting entry, bank movement, tax treatment and public filing describe the same event. Differences may be valid, but they should be reconciled through a dated working rather than explained from memory during audit or diligence.

Materiality should determine escalation, not whether the company keeps a record. Repeated small exceptions can show weak master data, unclear authority, system bypass or management override. Root cause and preventive action should therefore be documented separately from the immediate correction.

Control evidence should show operation, not merely design. A policy document proves what management intended; a reconciliation, access review, approval log or exception report proves whether the control actually worked during the period.

Manual journals, spreadsheet uploads, administrator access and post-close changes deserve additional scrutiny because they can bypass automated workflows. The reviewer should assess both the entry and the reason normal processing was not used.

Frequently Asked Questions

How quickly should accounts be reconciled? â–¼
High-risk and high-volume accounts may need daily review; all accounts should close monthly.
Can the same person prepare and release payments? â–¼
Avoid it where possible; compensating review should be strong and evidenced in small teams.
What is an old reconciling item? â–¼
An unexplained item past the normal settlement period requiring investigation and escalation.
What should happen after suspected fraud? â–¼
Contact the bank immediately, preserve evidence and use official cybercrime channels.