Internal Controls Best Practices for Mid-Market Firms

Internal Controls Best Practices for Accounts Payable

There are two truths when it comes to accounts payable: 

  1. AP departments want to pay vendors and suppliers on time
  2. AP departments want to pay accurately

These two truths can exist in contrast, however. For example, if you rush to pay on time, you might miss some details and end up paying invoices twice. But if you manually triple-check every line item on every invoice for every vendor, your payables might not get there on time. 

This is where procurement process controls can help. These internal controls are standard operating procedures that create a system of checks and balances to prevent fraud, reduce duplicate payments, minimize human errors, and ensure regulatory compliance. Every AP department has some form of procurement controls in place, of course, but many could improve their overall efficiency by taking a hard look at their processes and identifying areas ripe for improvement. For example, as AP technology continues to advance, there are certain tasks that can be automated for increased accuracy and reduced workload. 

In this post, we’re going to examine the various procurement process controls mid-market companies are using to manage their expenses. There are three levels of internal controls: 

  1. Obligation to pay 
  2. Data entry
  3. Payment

At each level, we’ll break down common scenarios, identify key watchouts, and provide best practices to ensure your department runs smoothly and efficiently. 

Before we get into the details, here’s a quick primer on the necessity of procurement process controls. 

Why do you need procurement process controls?

First, there’s the issue of fraud. According to the AFP Payments Fraud and Control Survey, 82% of organizations were subject to attempted or actual fraud in 2018. This is following a five-year trend of increased fraudulent activity, perhaps indicating an increased need to shore up your own processes. 

If external threats are on the rise, it’s important to do everything you can to be prepared for that eventuality. 

Second, procurement controls—when implemented properly—mitigate risk by sharing the burden of accuracy with multiple sources. By creating a system of checks and balances within your internal controls procedures, you automatically decrease your exposure. 

Shared responsibility, however, can lead to increased workload for employees in addition to increasing the opportunity for fraud, which is why you want to examine your internal controls as an entire system. With automation there are plenty of opportunities to reduce manual labor and time spent on tasks and to apply the appropriate segregation of duties, which gives you more room to focus on other high-risk areas. 

That said, let’s take a look at each level of procurement controls processes one at a time. 

Note: The best practices listed below all require digitization—you can’t complete these processes by hand. Most will require some degree of accounts payable automation.

Obligation to pay controls

First things first—does your company actually owe the amount listed on the invoice? And how do you verify? 

Generally speaking, you’ll need these four controls in place: 

  1. Invoice approval
  2. Purchase order approval
  3. Three-way matching
  4. Duplicate invoice or payment audit

While each completed task increases the accuracy of the overall process, they also add time and expense. Each document may reside in a different department and exist in a different file format (electronic vs. hard copy, for example), which requires additional time and effort to locate when the search is conducted manually. 

Best practice for obligation to pay controls

If it’s not apparent, the most impactful way to add efficiency to your obligation to pay controls is to house all documents in the same electronic system while also adding some automation into the mix. Ideally, it’s one and the same AP platform.

Invoice approval on its own isn’t very helpful, as the approver may have difficulty in verifying the goods or services were actually delivered. However, if your AP automation software has a digital record of: 

  1. The invoice
  2. The purchase order
  3. The receipt…

…and can match the amounts on each document within the same system, the approval becomes a lot less guesswork and a lot more accurate. Throw in an automated task for searching for duplicate invoices and you’ve reduced your margin for error even more. Moreover, the ability to centrally collaborate in one system around the invoice ensures the required approvers have all the (accurate) information they need to approve the necessary documents faster. 

In short, allowing a computer system to conduct all the tasks involved in verification, as opposed to manually hunting down receipts, has the potential to greatly improve your obligation to pay controls. 

Bonus best practice: For a true system of checks and balances, the tasks above should all be carried out by different personnel using an intelligently designed segregation of duties. Stampli makes this easy with user roles and permissions that can be configured to limit access, send notifications, and automatically assign tasks between teams and individuals. 
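The checks described above (matching invoice, purchase order and receipt amounts, searching for duplicate invoices, and requiring different people for each task) can be expressed as a short routine. This is an added example, not Stampli's code; the field names, the tolerance, the invoice-number normalization and the sample records are assumptions constructed for illustration.

```python
import re
from decimal import Decimal

def invoice_key(vendor_id, invoice_no):
    """Normalize so 'INV-0042' and 'inv 42' collide in the duplicate audit."""
    s = re.sub(r"[^A-Z0-9]", "", invoice_no.upper())
    return (vendor_id, re.sub(r"(?<!\d)0+(?=\d)", "", s))

def control_exceptions(inv, po, receipt, seen, tol=Decimal("0.01")):
    """Return the failed controls; an empty list means cleared for payment."""
    out = []
    key = invoice_key(inv["vendor_id"], inv["invoice_no"])
    if key in seen:                              # duplicate invoice audit
        out.append("DUPLICATE_INVOICE")
    if po is None or receipt is None:            # nothing to match against
        out.append("MISSING_PO_OR_RECEIPT")
    else:
        if abs(inv["amount"] - po["amount"]) > tol:       # three-way match
            out.append("AMOUNT_NE_PO")
        if abs(inv["amount"] - receipt["amount"]) > tol:
            out.append("AMOUNT_NE_RECEIPT")
        # Segregation of duties: three distinct people must have acted.
        actors = {po["approved_by"], receipt["received_by"], inv["approved_by"]}
        if len(actors) < 3:
            out.append("SEGREGATION_OF_DUTIES")
    if not out:
        seen.add(key)                            # remember cleared invoices only
    return out

def run_sample():
    """Constructed sample data; field names and people are assumptions."""
    po = {"amount": Decimal("1200.00"), "approved_by": "alice"}
    receipt = {"amount": Decimal("1200.00"), "received_by": "bob"}
    invoices = [
        {"vendor_id": "V1", "invoice_no": "INV-0042",
         "amount": Decimal("1200.00"), "approved_by": "carol"},
        {"vendor_id": "V1", "invoice_no": "inv 42",      # re-keyed duplicate
         "amount": Decimal("1200.00"), "approved_by": "carol"},
        {"vendor_id": "V1", "invoice_no": "INV-0043",    # overbilled, self-approved
         "amount": Decimal("1250.00"), "approved_by": "alice"},
    ]
    seen = set()
    return [control_exceptions(i, po, receipt, seen) for i in invoices]

if __name__ == "__main__":
    for result in run_sample():
        print(result or "cleared")
```

The second sample invoice is caught only because the invoice number is normalized before comparison; an exact string comparison would let the re-keyed copy through.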

Once your obligation to pay has been confirmed, it’s time to enter the data into the accounts payable system. 

Data entry controls

As we mentioned earlier, making timely vendor payments while maintaining accuracy is a crucial part of the AP process. You need a way to ensure the financial data gets fed into your payment system, and there are two main data entry controls you can use: 

  1. Record after approval: This method requires the AP employee to verify the approval of the invoice before it can be entered into the system. 
  2. Record before approval: This method allows the AP employee to input invoices into the system before verifying approval. Typically, you’ll only use this method if you use purchase orders. 

Whichever control you choose to implement, there is still the issue of the actual data entry. Even for the most diligent AP employee, it’s nearly impossible to avoid typographical errors when keying in a ton of data by hand. From the eye to the brain to the fingers and back to the eye, there are just too many steps for each entry to ensure 100% accuracy. 

As we hinted earlier in this post, hosting your AP documents in a centralized and digital system is the obvious solution to this problem. Computers are much better at tedious data-entry tasks because of their accuracy, but also because they can search the system for supporting documents to match invoice numbers with amounts and receipts. 

Bonus best practice: Still receiving a lot of hard-copy invoices? Stampli uses technologies such as AI, ML, and Advanced OCR to capture invoice data and match it to the financial and management accounting codes in your ERP or accounting system.

Lastly, with the accurate amounts in place, it’s time to get your vendors paid. 

Payment controls

Up through this point, all the internal controls listed have been put in place to ensure vendor invoices are valid and accurate. Now it’s time to ensure delivery of those funds. 

If you’re still issuing checks, there are several controls you might consider implementing for added security: 

Segregation of duties: The person who prepares the check should be separate from the person who signs the check. Adding a second pair of eyes to the process can help catch a last-minute error. 

Track check numbers: As you issue checks, keep a log of all check numbers going out. This helps you identify if certain checks are missing, which could indicate theft or help you catch a missing payment. 

Double signing: If a check exceeds a certain amount, you might consider requiring a manager to sign. By adding a senior-level staff member into the process, you’re (theoretically) reducing your risk of losing a large sum of money to a fraudulent or duplicate payment. 

If you’re serious about mitigating risk at the payment level, however, you’ll want to strongly consider moving to electronic payments. Switching to a system like ACH has a number of different benefits. 

First, there’s virtually no such thing as “lost in the mail” with an electronic transaction. While mail fraud isn’t as common as some of the others we’ve listed, it’s not a bad idea to eliminate the possibility altogether. 

Next, ACH actually creates a more secure transaction via a technology called tokenization. Basically, tokenization restricts each payment to a one-time use number for a fixed amount, which ensures you can’t accidentally duplicate payments. 

Another added bonus of electronic transactions is the immediacy of payment. By increasing your ability to pay vendors faster, you open up opportunities to manage your cash in a more strategic way that maximizes the benefit to your company. 

Bonus best practice: Integrate your AP invoice management processing system with your financial accounting system (or ERP) for a seamless handoff between capture, verification, approval, and payment, thus increasing efficiency while reducing risk. Learn more about how the Stampli AP automation platform integrates with other accounting and ERP systems.

Next steps 

Implementing internal controls at any level of your AP processes can help you mitigate risk, but the controls can also potentially add additional steps to your workflow and slow you down. This is why you need to consider each control as part of the whole if you want to maintain (or likely increase) your departmental efficiency. 

AP automation is the key to streamlining your workflows while increasing the accuracy of your work. Take a look at how Stampli’s accounts payable automation software allows you to take control of invoice processing and bill processing, or check out our accounts payable internal control checklist.
