A Complete Checklist for Your Accounts Payable Internal Controls

A Complete Checklist for Your Accounts Payable Internal Controls

In 2008, the owners of Quail Ridge Books & Music in Raleigh, N.C. made a shocking discovery — their former bookkeeper had managed to embezzle $348,975 over the course of a few years.

The bookkeeper was able to pilfer the cash because she was responsible for both writing and approving checks, allowing her to write checks to herself — and the store owners were none the wiser.

Better accounts payable controls could have prevented the losses and uncovered the fraud much earlier.

Why Internal Controls Matter

When it comes to AP, the devil really is in the details. In fact, those details are often where fraud, duplicate invoices, and improper payments slip through. The goal of internal controls is to reduce risk — but why are they so important?

Reduce Fraud

Weak internal controls make it easier for fraudsters to steal. ACFE’s 2018 Global Fraud Study found that half of all frauds were a result of internal control weakness. Much like a house without a security system, without internal controls, the chances of payments fraud only multiplies.

Why Internal Controls Matter


But remember that fraud risk is not limited to outsiders — your own employees know your systems and processes best. They know where potential loopholes lie and how to exploit them. While most employees would never dream of taking advantage of that knowledge, it happens every day and all too often from the employee you least expect.

Limit Duplicate Payments

Weakened internal controls also make it easier to process duplicate payments — and that can have unintended ramifications. Maybe it starts with an honest mistake; for example, a vendor sends a second invoice because you’re closing in on the payment due date. Your processes aren’t quite perfect, so a second payment goes through.

A less-than-scrupulous vendor might realize your accounts payable internal controls are not up to par and send a few extra invoices a year. If you don’t notice, you could lose thousands of dollars just on duplicate payments alone.

SOX Regulatory Noncompliance

In 2002, Congress passed the Sarbanes-Oxley Act (SOX), aimed at protecting stockholders from accounting errors — and it upped corporate requirements for internal controls.

Other internal control audits such as the Service Organization Control (SOC) report serve similar purposes. While both SOX and SOC audits ensure compliance with regards to data and internal controls, SOX is government-issued, but both require tight internal controls.

When internal controls are weak, your SOX and SOC certifications may be in jeopardy, but so is your ability to conform with a whole slew of other regulatory requirements. In some cases, losing current or new business due to non-compliance.

When internal controls are tight, your company is better protected and your risk of running into a regulatory issue is diminished.

Inaccurate Financial Reporting

Your company, like most, makes critical business decisions based on financial documents like your balance sheet, P & L statement, and cash flow position. What if those documents are wrong due to poor internal controls? You could be inadvertently steering your company in the wrong direction.

Inaccurate financial statements and financial reporting can create huge issues for executives who rely on faulty information to make critical business decisions. Tighter internal controls can lead to more accurate reporting, which allows executives to make the right decisions regarding the future of the company.

Tax Issues

Failure to abide by accounting best practices could land your company in hot water with the IRS or state taxing authorities. These agencies do not look kindly towards businesses who try to skate over their responsibilities, and for good reason. A recent report found the annual tax gap, which is the difference between taxes paid and taxes owed, tops $500 billion a year.

Lack of proper controls or inaccurate financial reports could result in you under- or overpaying on your taxes, neither of which is good for your bottom line.

Given the impact of poor internal controls, it’s critical that firms ensure their accounts payable controls are, well, under control. Here’s how to improve your internal controls. 

Types of Internal Controls for Accounts Payable (and how to improve them)

So, how do you make sure your company is well-protected from fraudsters, tax implications, and is regulation-compliant? It’s all about those internal controls — which may sound boring, but these are critical best practices to protect your company’s assets and best interests.

There are many different levels of accounts payable internal controls that can be put in place to mitigate fraud and duplicate payments. In short, the variance depends on the specific organization and its processes, and in the next section, we highlight several internal controls we find particularly important to follow no matter the organization or internal processes.

Segregation of Duties

One of the biggest risks of fraud is when employees have access to conflicting functions. For example, when the person who signs the checks is also responsible for verifying payments — or when two fraudsters work together to perpetrate a fraud scheme. In fact, losses are significantly higher when fraudsters collude.

Sometimes companies get lulled into a false sense of security because an employee with conflicting responsibilities is a long-standing employee. This can be a costly mistake, as fraud by employees with more than five years’ tenure results in twice the losses than employees with less than five years tenure.

Types of Internal Controls for Accounts Payable


How to Improve the Segregation of Duties:

Ideally, employees should never be responsible for conflicting duties. There should always be a system of checks and balances in place to ensure that even long-time employees do not have access to multiple aspects of the AP process.

Depending on the size of your company, it may be necessary to assign tasks to another group to achieve full segregation of duties. Or assign responsibilities in such a manner that deters the possibility of a fraudulent act being committed. Background checks on new hires and screening during the hiring process can also limit fraud by ensuring you don’t hire a known fraudster.

Obligation to Pay Controls

The accounts payable invoice payment process is generally broken down into three parts — the obligation to pay, entering the information into a system, and actually paying invoices. Separating these duties is the first step to preventing fraud, but each step should also have its own controls to prevent fraud and honest mistakes.

For example, obligation to pay controls follow:

  • Invoice approval
  • Three-way matching
  • Duplicate payment search

How to Improve Obligation to Pay Controls

Implement the three-way matching approach when using purchase orders (POs), which matches the invoice amount and PO number to the issued PO itself, and the receiving report to ensure that goods or services were received. A duplicate payment search can help reduce double payments as well.

Using an automated accounts payable process can further reduce the risk of fraud by limiting the amount of time it takes to match all three documents and limiting human error.

Data Entry Controls

One of the most time consuming and error-prone aspects of the AP process is data entry. Even a small error can result in double payments, late fees, or massive overpayments. The standard data control entries increase accuracy — but are extremely time-consuming.

The standard data entry controls include:

  • Record Prior to Approval: Record before sending the invoices off for approval
  • Record After Approval: Often used with POs, purchasing approval has already been issued and the invoice is verified before entering it into the system.
  • Use Consistent Invoice Numbering Guidelines: This helps reduce double payments by ensuring all invoices numbers follow the same format are exactly the same.

Following these steps will prevent many of the major issues. But, is there an easier way? There is.

How to Improve Data Entry Controls

Using automated accounts payable software can eliminate much of the manual data entry process. This saves time, but is often far more accurate, as computers don’t make typographical errors, such as transposing two numbers or failing to add a dash to an invoice number.

Stampli’s AI helper Billy the Bot, for example, can automatically capture invoices from email, match those invoices to the PO, and then send it off for approval in seconds. Billy does this by matching POs to the respective invoice by the amount and PO number. In the case of a partial PO, AP can select the items received and process the remaining PO line items with the subsequent invoices and items upon receipt.

Payment Controls

The vast majority of AP controls fall under payment controls — that is, the controls placed on the process of actually sending money to vendors. There are a variety of factors to consider, including who pays, how payments are processed, and whether additional sign-offs are required.

How to Improve Payment Controls

So, how can your company ensure your payments are accurate, on time, and protect your company from fraud?

  • Switch to Electronic or ACH Payments: These are easier to track and easier to process.
  • Split Check Printing and Signing Duties: If you can’t get away from checks, make sure to segregate conflicting duties.
  • Store Checks in a Secure Location: This will prevent theft and make it easier to verify check numbers on a regular basis.
  • Require Additional Check Signers: In certain conditions, for example, checks over a certain amount, require an additional signer.
  • Ensure the person who manages the Master Vendor File is not an approver: Otherwise, they can submit a fraudulent invoice and approve it for payment.

In addition to the above payment controls, automating the AP process can also improve payment controls. For example, Stampli’s AP automation tool looks for changes or trends that look suspicious and flags them so your team can verify the change — or dig deeper if there’s an issue.

Fraud Prevention Controls

The 2018 ACFE report found companies that fall victim to fraud lost an average of $130,000 in 2018. And if you think your business is safe because you’re a small business, you’re wrong — small businesses (less than 100 employees) lost twice as much per scheme with a median loss of $200,000, compared to businesses with more than 100 employees where the median loss was $104,000.

So, how do you protect your business and limit fraud opportunities?

How to Improve Fraud Prevention Controls in AP

While it is impossible to eliminate the risk of fraud entirely, there are several steps your firm can take to limit risk, including:

  • Leverage technology: Use automated accounts payable software that creates an accounts payable audit trail and puts the businesses in control of its sensitive data.
  • Establish an anonymous tip hotline: The 2018 ACFE report found that 40% of fraud is detected due to an anonymous tip. An anonymous tip line allows anyone to report suspected fraud.
  • Mandatory vacations: Forced vacation improves mental health, but can also prevent employee theft by making it easier to spot issues or identify fraud while they’re on vacation.


Creating internal controls is not about a lack of trust in your employees — it is about protecting your business and reducing overall risk. Even honest mistakes can result in regulatory issues or overpayments.

The most effective line of defense is an automated AP system that reduces human errors and creates a streamlined system of checks and balances that protects your firm from all types of errors — including honest and less-than-honest.

ap fraud prevention
Share this story

Ready to Talk?

Take the first step towards better Accounts Payable.
Meet with one of our AP experts.

Let's Talk