Odoo and Internal Control: Securing Access Rights, Validations, and Audit Trail for Supplier Invoices in SMEs (2026)

For Swiss SMEs, configuring Odoo is a key link in internal control and compliance, especially for tracking user access rights, supervising validation workflows, attaching supporting documents, and ensuring the reliability of the audit trail on supplier invoices. This article details best practices, Swiss legal obligations, common pitfalls (frequent errors), and answers essential questions about Odoo auditability in 2026.

By Ark Fiduciaire

Published on 06/22/2026

Reading time: 14min (2710 words)


You have Odoo. Great. Now the real question: does your Odoo hold up when an auditor asks, “who did what, when, on what basis, and who approved it”?

In practice, many Geneva SMEs think they have internal control because “everything is in Odoo.” Until the day a supplier invoice is disputed, or an audit (even a limited one) requires a clean audit trail. Then you discover overly broad rights, missing validations, lost supporting documents, or after-the-fact changes.

Let’s get practical: roles, task separation, workflows, supporting documents, risky configurations. With field examples and a quantified case.

Roles, Odoo Access Rights, and Task Separation (Audited and Non-Audited Companies)

Internal control isn’t an “audit option.” It’s first an organizational obligation: the board of directors (or management) must set up an appropriate, documented, and controllable organization. And if you’re subject to a statutory audit, the ICS becomes a formal topic. (source: Legal bases, board organization, and management report (CO, Fedlex))

Odoo doesn’t “do” internal control. It executes it… if you configure it correctly.

Who Should Access What? Fiduciary Logic (Not “We’ll Manage” Logic)

In an SME, you often see this setup:

  • the accountant has all rights “because she needs to move forward”;
  • the director also has all rights “just in case”;
  • the buyer can create suppliers “otherwise it blocks.”

Result? No one knows who’s responsible, and everyone can make (or undo) an entry.

The healthy logic:

  • creation (request/order),
  • receipt (proof of delivery/service),
  • invoice (accounting entry),
  • payment (cash outflow),
  • validation (control and approval).

You don’t need five people. But you must avoid one person doing the whole chain without control.

Task Separation: What the Auditor Really Looks For

The auditor isn’t looking for perfection. He’s looking for safeguards.

Typically, he’ll test:

  • Can the person who creates/edits a supplier also approve an invoice?
  • Can the person who records an invoice also pay it?
  • Can an invoice be modified after validation without a clear trace?

If the answer is “yes,” you have a weak point. And if you’re under statutory audit, it can appear in the findings.

Odoo: Groups, Roles, and Access Rights — What We Set Up in SMEs

Odoo works with users, groups, and access rights (read/write/create/delete) granted per model to each group, supplemented by record rules that filter which records a group can see or edit. A user’s effective rights are the union of the rights of all groups they belong to, so every extra group widens what that user can do. (source: Access rights, roles, and groups in Odoo 18)

A simple and robust base for a Swiss SME:

  • Purchasing – Requester: creates purchase requests/RFQs, no final validation.
  • Purchasing – Validator: approves orders according to threshold.
  • Accounting – Supplier Entry: records invoices, no payment rights.
  • Accounting – Manager: validates invoices, manages closings.
  • Treasury/Payments: prepares payments, cannot create suppliers.
  • Odoo Admin (very limited): configuration, no operations.

And above all: one account = one person. Shared accounts (“accounting@”, “admin@”) are a classic trap. Result? You lose traceability.

Audited or Non-Audited Companies: Same Battle, Different Level of Requirement

  • Without audit: you still need a minimum task separation, especially for payments and supplier creation.
  • Statutory audit: a documented ICS, controls, and an exploitable audit trail are expected. (source: Internal control system: Swiss SME & audit requirements)

Field observation: in Geneva, many SMEs “move up” to statutory audit after growth (thresholds, group, banking requirements). They wake up late. And cleaning up Odoo after 3 years of open rights is painful.

Checklist #1 — Access Rights and Task Separation (To Do This Week)

  • Each user has a named account (no shared accounts)
  • “Administration/Settings” rights limited to 1–2 people
  • Supplier creation/editing separated from invoice validation
  • Invoice entry separated from payment (at least by validation)
  • Validation thresholds defined (amounts, categories, exceptions)
  • Change log enabled and reviewable (chatter field tracking, and the Accounting audit trail setting where your Odoo version offers it)
  • Quarterly access review (entries/exits, job changes)

Validation Workflows: Purchasing, Supplier Invoices, Sales Workflow, and Double Validation

A workflow isn’t just a “Validate” button. It’s a chain of decisions. And in Odoo, if you leave default flows without rules, you quickly fall back into “everyone does everything.”

Purchasing: From Request to Order, Without Shortcuts

On purchasing, the classic weak point:

  • an order is created,
  • it’s validated,
  • receipt is done “on paper,”
  • and the invoice is recorded without matching.

In practice, this means the invoice can go through even if:

  • the goods never arrived,
  • the price doesn’t match,
  • the quantity is wrong.

What we aim for:

  • Purchase request (if you use it) → RFQ → Order
  • Receipt (or service confirmation) → Invoice
  • Matching order/receipt/invoice (3-way match when relevant)

Supplier Invoices: Accounting Validation vs. Business Validation

In many SMEs, accounting validates “because it needs to be paid.” Bad habit.

Validation must answer two questions:

  1. Is the expense legitimate and in line with the budget/contract? (business validation)
  2. Is the invoice correct from an accounting and tax perspective? (accounting validation)

You can keep it simple:

  • the operational manager validates the reality of the service,
  • accounting validates compliance (VAT, account, cost center, documents).

Double Validation: When It’s Really Worth It

In our opinion, double validation is useful when:

  • you have multiple cost centers,
  • you have recurring purchases with contracts,
  • you have an invoice volume beyond “we all remember.”

Concrete example (SME in Carouge, B2B services, 18 employees):

  • threshold at CHF 2,000: simple validation (manager + accounting)
  • threshold at CHF 10,000: validation + management
  • above CHF 25,000: validation + management + second signatory (four-eyes principle)

Sales Workflow: Yes, It Also Matters for Internal Control

We’re talking supplier invoices, but the auditor also looks at the sales cycle:

  • who can create a customer?
  • who can edit a sales invoice?
  • who can grant a credit note?

An uncontrolled credit note is a disguised discount. Or worse.

Good practice:

  • credit notes subject to validation,
  • payment terms and credit limits controlled,
  • posted invoices locked.

Step by Step — Setting Up a Clean Validation Workflow in Odoo (SME Version)

  1. Map your actual flows (not the manual’s): who requests, who orders, who receives, who validates, who pays.
  2. Define 2–3 thresholds (e.g., CHF 2,000 / 10,000 / 25,000) and who validates at each level.
  3. Separate “entry” and “validation” for supplier invoices.
  4. Restrict supplier creation/editing to a small group.
  5. Enable matching order/receipt/invoice when you manage stock or formalized services.
  6. Formalize exceptions: emergencies, invoices without orders, subscriptions.
  7. Test a “simple fraud” scenario: can a user create a supplier, enter an invoice, validate it, and pay it? If yes, you have a gap.
  8. Document on 1 page: roles, thresholds, controls. This is the document you show in an audit.

Supporting Documents, Document Management, and Audit Trail (Compliance, Traceability, Audit Demonstration)

An invoice without an attachment is an invoice that will cost you time. And sometimes money.

Internal control, from the audit side, often comes down to the ability to demonstrate:

  • the reality of the service,
  • authorization,
  • correct accounting,
  • traceability of changes.

Audit Trail: What It Means in Odoo

A usable audit trail is:

  • a document (invoice) linked to a transaction,
  • dated steps (creation, validation, payment),
  • an identified author,
  • links to order/receipt/contract,
  • reviewable logs.

If you have to reconstruct the story with emails and screenshots, you lose.

Document Management: What’s Expected from a “Clean” SME

For supplier invoices, you want to find in 30 seconds:

  • original PDF invoice,
  • purchase order or contract (if applicable),
  • proof of receipt or service,
  • validation (who, when),
  • payment proof (order, bank statement, reference).

And yes, even for a CHF 180 invoice. Because small invoices are often where issues start.

Field Anecdote: The Invoice “Modified” After the Fact

Real case: a Geneva SME receives a supplier invoice with a “miscellaneous fees” line. Accounting posts it. Two months later, dispute. The original invoice is missing. In Odoo, the attachment was replaced by a “corrected” version.

Result? Endless discussion with the supplier, and awkwardness during audit: you can no longer prove what was initially received.

Moral: avoid silent replacements. Keep versions, or clearly track changes.

VAT: Supporting Documents and Rate Consistency

Since January 1, 2024, Swiss rates are:

  • 8.1% (standard)
  • 2.6% (reduced)
  • 3.8% (accommodation)

For supplier invoices, VAT internal control mainly means:

  • checking that the applied rate matches the service,
  • checking supplier consistency (VAT number if relevant),
  • avoiding makeshift VAT codes.

A repeated VAT code error over 12 months ends up as a correction at closing. And that’s non-billable time for you.


Table #1 — What a “Supplier Invoice” File Should Contain (Audit Version)

Element | Where in Odoo | Who Provides It | Expected Internal Control
Original PDF invoice | Attachment on invoice | Supplier / accounting | Present, readable, not replaced without trace
Order / contract | Order link or attachment | Purchasing / management | Price/terms consistency
Receipt / proof of service | Stock receipt, timesheet, report | Operations | Proof it’s delivered/done
Validation | Status + log + approver | Manager / accounting | Four-eyes by threshold
Payment | Recorded payment + reference | Treasury | Entry/payment separation
Accounting allocation | Entries / analytic accounts | Accounting | Consistent with chart of accounts

Checklist #2 — “Supplier Invoice” Audit Trail

  • Each invoice has its original PDF attached
  • Invoices without orders are tagged and justified (exception)
  • Validations are visible (approver + date)
  • Modifications after validation are blocked or tracked
  • Payments are linked to the invoice (bank reference)
  • VAT codes are standardized and reviewed
  • Supplier credit notes follow the same level of control

Risky Settings and Common Errors Identified in Swiss SMEs

Here’s the heart of the matter: the settings that derail an ICS in Odoo. The ones you always find in SMEs.

Error 1: “Too Broad” Rights on Accounting

Symptom: several users can post, edit, cancel, delete.

Correction:

  • limit posting to a small group,
  • block deletion,
  • set up a cancellation/credit note procedure.

Error 2: Supplier Creation Open to Too Many People

Symptom: the buyer quickly creates a supplier, without control, without complete details.

Risk: fake supplier, duplicates, payments to the wrong IBAN.

Correction:

  • a “Supplier master data” group (1–2 people),
  • internal validation for IBAN changes,
  • periodic duplicate checks.

Error 3: Invoices Without Orders… and Without Justification

Symptom: 60% of invoices go “directly” to accounting.

Risk: unauthorized expenses, blown budgets, disputes.

Correction:

  • set a rule: above CHF 1,000 (example), order required,
  • documented exceptions (rent, insurance, taxes, subscriptions).

Error 4: Modifications After Validation (The Slow Poison)

Symptom: validated, then the account, amount, or VAT is changed.

Risk: broken audit trail.

Correction:

  • lock posted entries (in Odoo: set the accounting lock dates for closed periods and restrict who may reset a posted entry to draft),
  • corrections via adjustment entries or credit notes, never by rewriting the posted entry.

Error 5: “Bulk” Payments Without Clear Link to Invoices

Symptom: grouped payments, missing references, manual bank reconciliation.

Risk: double payments, unpaid invoices slipping through.

Correction:

  • reference discipline,
  • regular bank reconciliation,
  • separation of payment preparation/validation.

Error 6: VAT Journal and Makeshift VAT Codes

Symptom: a “temporary” VAT code becomes permanent.

Risk: reporting errors, corrections, unnecessary discussions.

Correction:

  • 3–5 standard VAT codes,
  • quarterly review,
  • targeted control on “sensitive” suppliers (catering, accommodation, mixed services).

Table #2 — Simple “Role vs. Action” Matrix (SME 10–50 Employees)

Action | Purchasing | Operations | Accounting | Treasury | Management
Create purchase request | Yes | Yes | No | No | Yes
Approve order > CHF 10,000 | No | No | No | No | Yes
Receive (proof) | Yes | Yes | No | No | No
Enter supplier invoice | No | No | Yes | No | No
Approve supplier invoice | No | Yes (business) | Yes (accounting) | No | Yes (threshold)
Prepare payment | No | No | No | Yes | No
Release payment (2nd validation) | No | No | No | No | Yes
Edit supplier IBAN | No | No | Yes (restricted) | No | Yes (control)
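
The matrix above and step 7 of the workflow (“can one user create a supplier, enter an invoice, validate it, and pay it?”) can be checked mechanically instead of by discussion. The following is an added example, not code from Odoo or from Ark Fiduciaire: it runs offline on a constructed login → groups listing of the kind you can export from Settings > Users. The group names, the actions each group grants, and the shared-mailbox prefixes are assumptions modelled on the role list and the matrix, not Odoo’s built-in group names.

```python
"""Segregation-of-duties (SoD) check over an Odoo user/group listing.

Added example, not code from Odoo or from the article's author. Group names,
the actions they grant and the shared-mailbox prefixes are assumptions.
"""

# Assumption: one custom group per role, granting these controlled actions.
GROUP_ACTIONS = {
    "Purchasing / Requester": {"create_rfq"},
    "Purchasing / Validator": {"approve_order"},
    "Accounting / Supplier Entry": {"enter_invoice"},
    "Accounting / Manager": {"approve_invoice", "post_entry"},
    "Treasury / Payments": {"prepare_payment"},
    "Management": {"approve_order", "approve_invoice", "release_payment"},
    "Supplier master data": {"create_supplier", "edit_iban"},
    "Administration / Settings": {"admin_settings"},
}

# Toxic combinations: the three questions the auditor tests, in order.
TOXIC_PAIRS = [
    ({"create_supplier", "edit_iban"}, {"approve_invoice"},
     "creates/edits suppliers AND approves invoices"),
    ({"enter_invoice"}, {"prepare_payment", "release_payment"},
     "records invoices AND pays them"),
    ({"prepare_payment"}, {"release_payment"},
     "prepares AND releases payments (no second validation)"),
]
# Step 7 of the workflow: the whole chain in one pair of hands.
FRAUD_CHAIN = {"create_supplier", "enter_invoice", "approve_invoice", "release_payment"}

# Logins that look like a role mailbox rather than a person (assumed list).
SHARED_LOGIN_PREFIXES = ("accounting@", "compta@", "admin@", "info@")
MAX_ADMINS = 2

# Constructed listing: login -> groups (not real people or a real export).
USERS = {
    "anna@example.ch": ["Accounting / Supplier Entry"],
    "bruno@example.ch": ["Accounting / Manager"],
    "carla@example.ch": ["Treasury / Payments"],
    "director@example.ch": ["Management", "Administration / Settings"],
    "accounting@example.ch": ["Accounting / Supplier Entry", "Accounting / Manager",
                              "Treasury / Payments", "Supplier master data",
                              "Management", "Administration / Settings"],
}


def actions_for(groups):
    """Union of controlled actions granted by a user's groups (Odoo rights add up)."""
    acts = set()
    for group in groups:
        acts |= GROUP_ACTIONS.get(group, set())
    return acts


def check_users(users):
    """Return (login, finding) pairs; an empty list means no SoD gap was found."""
    findings = []
    admins = [u for u, gs in users.items() if "Administration / Settings" in gs]
    if len(admins) > MAX_ADMINS:
        findings.append(("*", f"{len(admins)} admin accounts, limit is {MAX_ADMINS}"))
    for login, groups in users.items():
        if login.lower().startswith(SHARED_LOGIN_PREFIXES):
            findings.append((login, "shared mailbox used as login: no action attribution"))
        acts = actions_for(groups)
        for left, right, label in TOXIC_PAIRS:
            if acts & left and acts & right:
                findings.append((login, label))
        if FRAUD_CHAIN <= acts:
            findings.append((login, "can run the whole chain: supplier -> invoice -> approval -> payment"))
    return findings


if __name__ == "__main__":
    for login, finding in check_users(USERS):
        print(f"{login}: {finding}")
```

On this constructed listing every finding lands on the shared “accounting@” account, which is exactly the pattern described in the practical case: one login that accumulates groups until it can run the full chain. Re-run the check after each quarterly access review and keep the output with your ICS evidence.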

Practical Case (Geneva): Securing 1,200 Supplier Invoices/Year in Odoo

Typical SME: service company in Geneva, 25 employees, 1,200 supplier invoices/year, 2 entities (GE + VD), no statutory audit today but banking requirement.

Initial problem (seen 100 times):

  • 4 users with extended accounting rights,
  • no validation thresholds,
  • 35% of invoices without attachment,
  • payments prepared and validated by the same person,
  • duplicate suppliers (e.g., “ABC SA” and “A.B.C. SA”).

Implementation (6 weeks, without redoing the whole ERP):

  • Separate roles: invoice entry (2 people), accounting validation (1), business validation (department heads), payments (1) + management release.
  • Thresholds: CHF 2,000 (department head), CHF 10,000 (management), CHF 25,000 (double management signature).
  • Rule: invoice > CHF 1,000 without order = justified exception + management validation.
  • Attachments: PDF required before validation.

Measurable result over 3 months:

  • Invoices without attachment: from 35% to 3%.
  • Double payments: 2 cases/quarter → 0.
  • Supplier closing time (month-end): -6 hours.
  • Supplier disputes: clear drop, because order/receipt can be found.

Hidden cost avoided (very concrete):

  • 6 hours/month closing saved x CHF 120/h (fully loaded internal cost) = CHF 720/month, or CHF 8,640/year.
  • Not counting payment errors and stress.

Periodic Controls: What I Recommend in 2026 (Simple, Sustainable)

A working ICS is one you can maintain over time. So avoid over-complicated systems.

Monthly Review (30–45 Minutes)

  • List of invoices validated without order (and justification)
  • Top 10 suppliers by amount
  • Invoices modified after validation (if allowed)
  • Payments made without linked invoice
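
The four monthly checks above can be produced from three exports (posted vendor bills, the field-change log from chatter tracking or the Accounting audit trail, and recorded payments). The following is an added example, not code from Odoo or from Ark Fiduciaire; it runs offline on constructed records. The field names (“amount”, “account”, “vat”, “supplier_iban”), the sample identifiers and the CHF 1,000 order rule are assumptions taken from this article’s examples, not Odoo’s internal field names.

```python
"""Monthly supplier-invoice review over constructed Odoo-style exports.

Added example, not code from Odoo or from the article's author. Field names,
identifiers and the CHF 1,000 order rule are assumptions.
"""
from collections import defaultdict
from datetime import datetime

ORDER_THRESHOLD_CHF = 1000.0
# Changes to these fields after posting break the audit trail (Error 4).
SENSITIVE_FIELDS = {"amount", "account", "vat", "supplier", "supplier_iban"}

# Constructed sample data (not a real export) -------------------------------
INVOICES = [
    {"id": "BILL/2026/03/0001", "supplier": "ABC SA", "amount": 2400.0,
     "order_ref": "PO00121", "justification": "", "attachment": True,
     "posted_at": "2026-03-03T10:12:00"},
    {"id": "BILL/2026/03/0002", "supplier": "Regie Immo SA", "amount": 4800.0,
     "order_ref": None, "justification": "rent, lease contract 2024-01",
     "attachment": True, "posted_at": "2026-03-05T09:00:00"},
    {"id": "BILL/2026/03/0003", "supplier": "Unknown Sarl", "amount": 1950.0,
     "order_ref": None, "justification": "", "attachment": False,
     "posted_at": "2026-03-12T16:40:00"},
    {"id": "BILL/2026/03/0004", "supplier": "ABC SA", "amount": 180.0,
     "order_ref": None, "justification": "", "attachment": True,
     "posted_at": "2026-03-20T11:00:00"},
    {"id": "BILL/2026/03/0005", "supplier": "Unknown Sarl", "amount": 900.0,
     "order_ref": None, "justification": "", "attachment": False,
     "posted_at": None},  # still draft: not part of this month's review
]
CHANGES = [
    {"invoice": "BILL/2026/03/0001", "field": "amount", "old": "2400.0",
     "new": "2900.0", "user": "bruno@example.ch", "at": "2026-03-04T08:30:00"},
    {"invoice": "BILL/2026/03/0002", "field": "amount", "old": "4500.0",
     "new": "4800.0", "user": "anna@example.ch", "at": "2026-03-04T15:05:00"},
    {"invoice": "BILL/2026/03/0003", "field": "vat", "old": "8.1%",
     "new": "2.6%", "user": "anna@example.ch", "at": "2026-03-13T09:00:00"},
    {"invoice": "BILL/2026/03/0003", "field": "note", "old": "",
     "new": "checked", "user": "anna@example.ch", "at": "2026-03-14T09:00:00"},
]
PAYMENTS = [
    {"id": "PAY/2026/03/0001", "invoice": "BILL/2026/03/0001",
     "bank_ref": "QRR 21 00000 00003 13947 14300 09017", "amount": 2400.0},
    {"id": "PAY/2026/03/0002", "invoice": None, "bank_ref": "", "amount": 1500.0},
]


def _posted(invoices):
    return [i for i in invoices if i["posted_at"]]


def invoices_without_order(invoices, threshold=ORDER_THRESHOLD_CHF):
    """Posted bills above the threshold with neither an order nor a documented exception."""
    return [i["id"] for i in _posted(invoices)
            if i["amount"] > threshold and not i["order_ref"] and not i["justification"].strip()]


def modified_after_post(invoices, changes):
    """Sensitive-field changes logged after the bill's posting timestamp."""
    posted_at = {i["id"]: datetime.fromisoformat(i["posted_at"]) for i in _posted(invoices)}
    out = []
    for c in changes:
        when = posted_at.get(c["invoice"])
        if when and c["field"] in SENSITIVE_FIELDS and datetime.fromisoformat(c["at"]) > when:
            out.append(c)
    return out


def payments_without_invoice(invoices, payments):
    """Payments whose invoice reference is empty or unknown."""
    known = {i["id"] for i in invoices}
    return [p["id"] for p in payments if p["invoice"] not in known]


def missing_attachment(invoices):
    """Posted bills with no supporting PDF attached."""
    return [i["id"] for i in _posted(invoices) if not i["attachment"]]


def top_suppliers(invoices, n=10):
    """Suppliers ranked by posted amount, for the top-10 review."""
    totals = defaultdict(float)
    for i in _posted(invoices):
        totals[i["supplier"]] += i["amount"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def monthly_review(invoices, changes, payments):
    return {
        "no_order_unjustified": invoices_without_order(invoices),
        "modified_after_post": modified_after_post(invoices, changes),
        "payments_without_invoice": payments_without_invoice(invoices, payments),
        "missing_attachment": missing_attachment(invoices),
        "top_suppliers": top_suppliers(invoices),
    }


if __name__ == "__main__":
    for key, rows in monthly_review(INVOICES, CHANGES, PAYMENTS).items():
        print(f"{key}: {rows}")
```

Note the two deliberate edge cases: the amount change on BILL/2026/03/0002 happened before posting and is therefore not a finding, while the VAT rate change on BILL/2026/03/0003 after posting is. The “note” change is ignored because only the fields that alter the accounting or the payee matter for the audit trail.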

Quarterly Review (1–2 Hours)

  • User access review (entries/exits)
  • IBAN change review
  • VAT codes used (anomalies)
  • Duplicate suppliers
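
Two of the quarterly items, the IBAN change review and the duplicate-supplier check (the “ABC SA” / “A.B.C. SA” case from the practical case, and the fake-supplier risk from Error 2), are worth scripting because they are easy to miss by eye. The following is an added example, not code from Odoo or from Ark Fiduciaire; it runs offline on a constructed supplier list and a constructed IBAN-change log of the kind you would export from the partner list and its chatter tracking. The field names and the legal-form list are assumptions; the first IBAN is the published Swiss sample IBAN, the others are made up to pass or fail the checksum on purpose.

```python
"""Quarterly review helpers: IBAN change review and duplicate suppliers.

Added example, not code from Odoo or from the article's author. Field names,
the legal-form list and the sample records are assumptions.
"""
import re
from collections import defaultdict

# Tokens dropped before comparing names: "ABC SA" and "A.B.C. SA" must collide.
LEGAL_FORMS = {"sa", "sarl", "sàrl", "ag", "gmbh", "ltd", "llc", "inc"}

SUPPLIERS = [  # constructed, not a real partner export
    {"id": 1, "name": "ABC SA", "iban": "CH93 0076 2011 6238 5295 7"},
    {"id": 2, "name": "A.B.C. SA", "iban": "CH9300762011623852957"},
    {"id": 3, "name": "Regie Immo Sàrl", "iban": "CH31 0839 0123 4567 8901 2"},
    {"id": 4, "name": "Regie Immo SARL", "iban": ""},
]
IBAN_CHANGES = [  # constructed: who changed which supplier's IBAN, and who approved it
    {"partner": 3, "old": "CH3108390123456789012", "new": "CH9300762011623852958",
     "user": "anna@example.ch", "approved_by": None, "at": "2026-02-10T14:02:00"},
    {"partner": 1, "old": "CH9300762011623852957", "new": "CH3108390123456789012",
     "user": "bruno@example.ch", "approved_by": "bruno@example.ch", "at": "2026-02-18T09:30:00"},
    {"partner": 2, "old": "CH9300762011623852957", "new": "CH3108390123456789012",
     "user": "anna@example.ch", "approved_by": "bruno@example.ch", "at": "2026-03-02T11:15:00"},
]


def normalize_name(name):
    """Lower-case, strip punctuation and legal forms, drop spaces."""
    cleaned = re.sub(r"[^\w\s]", "", name.lower())
    return "".join(t for t in cleaned.split() if t not in LEGAL_FORMS)


def normalize_iban(iban):
    return re.sub(r"\s+", "", iban or "").upper()


def iban_checksum_ok(iban):
    """ISO 13616 mod-97 check: move the first four chars to the end, letters -> 10..35."""
    s = normalize_iban(iban)
    if len(s) < 15 or not s.isalnum() or not s[:2].isalpha() or not s[2:4].isdigit():
        return False
    digits = "".join(str(int(ch, 36)) for ch in s[4:] + s[:4])
    return int(digits) % 97 == 1


def duplicate_suppliers(suppliers):
    """Groups of supplier ids sharing a normalized name, and groups sharing an IBAN."""
    by_name, by_iban = defaultdict(list), defaultdict(list)
    for s in suppliers:
        by_name[normalize_name(s["name"])].append(s["id"])
        iban = normalize_iban(s["iban"])
        if iban:
            by_iban[iban].append(s["id"])
    return ([g for g in by_name.values() if len(g) > 1],
            [g for g in by_iban.values() if len(g) > 1])


def review_iban_changes(changes):
    """Flag IBAN changes lacking four-eyes approval or pointing to an invalid or foreign IBAN."""
    findings = []
    for c in changes:
        if not c["approved_by"]:
            findings.append((c["partner"], "IBAN changed without second approval"))
        elif c["approved_by"] == c["user"]:
            findings.append((c["partner"], "IBAN change self-approved"))
        if not iban_checksum_ok(c["new"]):
            findings.append((c["partner"], "new IBAN fails mod-97 checksum (typo or fake?)"))
        if normalize_iban(c["new"])[:2] != normalize_iban(c["old"])[:2]:
            findings.append((c["partner"], "IBAN country changed; confirm with supplier out of band"))
    return findings


if __name__ == "__main__":
    print("duplicates (name, iban):", duplicate_suppliers(SUPPLIERS))
    for partner, finding in review_iban_changes(IBAN_CHANGES):
        print(f"partner {partner}: {finding}")
```

A checksum failure does not prove fraud, but a supplier IBAN that fails mod-97 was never validated by anyone, which is exactly the “changed without control” situation the quarterly review is meant to surface. The name normalization is intentionally crude: it is there to put likely duplicates in front of a human, not to merge records automatically.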

Annual Review (Before Closing)

  • “Simple fraud” test (scenario)
  • Numbering sequence control (invoices, entries)
  • Supporting document check on a sample

ICS Documentation: The Minimum That Saves You in an Audit

We’re not talking about a 200-page binder.

What you want:

  • one page “who does what” (roles),
  • one page “thresholds and validations,”
  • one page “exceptions and handling,”
  • one page “periodic reviews.”

And you keep the evidence: exports, logs, Odoo reports.

For ICS requirements and the SME approach, you can rely on official bases (source: Internal control system: Swiss SME & audit requirements) and implementation guides (source: Practical guide to implementing an ICS (OFAS)).

Frequent Errors + Corrections (No-Nonsense Version)

“We’re Too Small to Separate Tasks”

False. Even with 5 people, you can at least separate:

  • entry vs. validation,
  • payment preparation vs. release.

“The Director Must Have All Rights”

No. The director should supervise, validate, arbitrate. Not necessarily edit posted entries.

“We’ll See at Audit Time”

Bad idea. During an audit, you don’t “set up.” You demonstrate.

“We Have PDFs on a Server, No Need in Odoo”

You can, but you lose searchability and consistency. In control, you want the document in the right place, linked to the transaction.

“Validations Slow Things Down”

Yes, a bit. But they prevent errors that slow things down much more. And they protect management.

FAQ: Odoo Internal Control – Legal Obligations, Best Practices, Application Cases, Typical Errors

1) Is internal control mandatory for an Sàrl or SA in Geneva?

Yes, organizationally: management must organize the company and keep reliable accounts. If you’re subject to statutory audit, the ICS becomes a formal and tested topic. (source: Legal bases, board organization, and management report (CO, Fedlex))

2) Is Odoo sufficient as “proof” in case of an audit?

Odoo helps a lot if rights, validations, and supporting documents are well managed. Otherwise, Odoo is just a data entry tool, and you have to prove things elsewhere.

3) What’s the minimum task separation for supplier invoices?

In our opinion: one person enters, another validates, and payment is released by a second person (management or co-signer). If you don’t have enough people, you compensate with documented periodic controls.

4) Can you keep shared user accounts to “go faster”?

Technically yes. In internal control, it’s a very bad idea: you lose action attribution. When there’s a problem, no one can say who did what.

5) What VAT rates should be set and controlled in 2026?

Applicable Swiss rates are 8.1% (standard), 2.6% (reduced), and 3.8% (accommodation). Internal control mainly means avoiding inconsistent VAT codes and documenting exceptions.

6) What are the most penalizing Odoo errors in an audit?

The top three: overly broad rights (everyone can do everything), invoices without attached supporting documents, and modifications after validation without a clear trace. That’s exactly what breaks the audit trail.

