Is your company’s money protected?

By: Anni Vaiksaar

Protecting company funds is not just an accounting or IT task – it is a direct responsibility of the management board.

Recently, there has been an increase in cases where companies lose money not due to the misuse of internal information, but as a result of fraud originating from outside the organisation. A common denominator in such fraud cases is that bank payments can be executed with the approval of just one person.

Why are single-approval payments a risk?

In practice, we often see situations where:

  • the same person prepares and approves payments;
  • that person is experienced and trusted;
  • the process has always worked this way and everything has been fine so far.

According to good practice, bank payments should be organised so that one person prepares the payment and another approves it (a two-signature requirement at the bank).

Such segregation of duties significantly reduces:

  • human error;
  • malicious actions;
  • and increasingly – fraud originating from outside the organisation.

A new risk: fraud that starts with a private individual

Recent fraud cases no longer begin with a company email address or an accounting system (although these still occur). A common scenario, widely covered in the media, involves a board member or accountant receiving a Smart-ID or Mobile-ID notification that appears to come from the Health Insurance Fund, a courier company, a bank, a state portal or another seemingly trustworthy institution or company.

The individual confirms the action as a private person – often unsuspectingly, in a hurry and while multitasking – allowing fraudsters to gain access to authentication tools. The company’s internet bank is then accessed and payments are executed.

The media has repeatedly reported cases where:

  • tens or hundreds of thousands of euros have been transferred from company accounts;
  • the transactions were formally approved correctly;
  • banks have no grounds to compensate the loss, as authentication was performed using valid credentials.

A risk-based approach to payment approvals

It is entirely understandable that a board member may ask whether every payment really needs to pass through two desks. It is true that double approvals add an extra step to the process and may slightly slow down daily operations.

For this reason, a risk-based approach can also be considered. The key is to find a balance point – determining from which amount onwards a payment requires double approval.

We recommend that the board set a clear threshold and define amount limits in the bank above which payments require two approvals. The purpose of such a threshold is to prevent large and irreversible losses.

In practice, a single additional approval is often sufficient to:

  • stop a payment initiated by fraud;
  • notice an illogical amount or recipient;
  • give the board real control over the movement of company funds.
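As an added illustration (not from the article or its author), the two controls described above, segregation of preparer and approver plus a board-set threshold for a second approver, written as a release check in Python; the field names, amounts and user ids are constructed assumptions. The article's point is that the limit is also configured at the bank, so a check like this inside the company complements that bank-side limit rather than replacing it.

```python
from dataclasses import dataclass

# Reason codes returned next to the release decision (assumed names).
OK = "released"
NO_INDEPENDENT_APPROVER = "no approver other than the preparer"
NEEDS_SECOND_APPROVER = "amount at or above threshold needs two independent approvers"


@dataclass(frozen=True)
class Payment:
    amount_cents: int        # whole cents, avoids floating-point rounding
    preparer: str            # user id of the person who entered the payment
    approvers: frozenset     # user ids who clicked "approve"


def release_decision(payment: Payment, dual_threshold_cents: int) -> tuple[bool, str]:
    """Decide whether a prepared payment may be released to the bank.

    Rules, as the article describes them:
      1. Segregation of duties: the preparer never counts as an approver,
         even if the system let them click "approve" on their own entry.
      2. Every payment needs at least one independent approver.
      3. Payments at or above the board-set threshold need two distinct
         independent approvers.
    """
    # Discard any self-approval before counting.
    independent = payment.approvers - {payment.preparer}
    if not independent:
        return False, NO_INDEPENDENT_APPROVER
    required = 2 if payment.amount_cents >= dual_threshold_cents else 1
    if len(independent) < required:
        return False, NEEDS_SECOND_APPROVER
    return True, OK


if __name__ == "__main__":
    # Constructed sample: board threshold of EUR 10,000 for dual approval.
    THRESHOLD = 10_000 * 100
    batch = [
        Payment(50_000, "anna", frozenset({"bob"})),            # small, one approver
        Payment(2_500_000, "anna", frozenset({"bob"})),         # large, only one approver
        Payment(2_500_000, "anna", frozenset({"anna", "bob"})), # self-approval does not count
        Payment(2_500_000, "anna", frozenset({"bob", "carla"})),
    ]
    for p in batch:
        print(p.amount_cents / 100, p.approvers, "->", release_decision(p, THRESHOLD))
```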

Test your current payment system with three control questions

  1. Is a two-signature requirement in place for our bank payments?
  2. Do we have a defined monetary threshold above which a second approver is required?
  3. Have we considered that fraud may start from a private individual’s Smart-ID or Mobile-ID, rather than from a company system?

If the answer to any of these questions is “I don’t know” or “no”, this indicates a simple but important opportunity to improve internal controls.

Conclusion: double approvals are not a sign of distrust or unnecessary bureaucracy.

They are:

  • a conscious risk management decision;
  • a responsibility assumed by the board;
  • inexpensive insurance against a very costly mistake.

Sometimes, a single additional approval is enough to prevent damage that could no longer be remedied after the fact.