What are the most common AP fraud schemes, and how do approval controls stop them?
Reference guide to AP approval fraud schemes, including control design, audit evidence, risk points, finance procedures, and compliance review.
AP fraud concentrates in a handful of schemes: fictitious (shell) vendor billing, self-approval of one's own purchases, billing-scheme collusion where two people defeat segregation of duties together, and management override where authority is abused from the top. The approval-side defenses are structural - enforced segregation of duties, authority limits, conflict-of-interest rules on who can approve which vendor, and anomaly monitoring that catches the patterns prevention misses.
At a Glance
| Aspect | Short Answer | Why It Matters |
|---|---|---|
| Common schemes | Fictitious (shell) vendor billing, self-approval of one's own purchases, collusion that defeats segregation of duties, and management override from the top. | Each scheme maps to a specific approval-side control, so naming them tells you which controls to test. |
| Self-approval | Approving spend you initiated or benefit from - buying something, then signing off on the resulting invoice yourself. | It survives in workflow tools whenever entry, request, and approval rights land on one identity. |
| Red flags | Patterns, not single events: after-hours approvals, threshold-hugging, velocity spikes, rubber-stamping, and vendors that always route to one lone approver. | Each is a query you can run on a schedule instead of waiting for a tip. |
| Conflicted approvers | A conflict-of-interest policy with disclosure and recusal, a routing rule sending that vendor's invoices to an independent approver, and monitoring for approver-vendor relationships (same surname, address overlaps, single-approver vendors). | No one person should own both the vendor relationship and the authority to pay it. |
| Collusion | Two or more people combining to defeat separation - e.g., the person who sets up a shell vendor and the person who approves its invoices. | Preventive SoD cannot stop it, so detection relies on analytics, rotation, and tips. |
What is self-approval fraud, and how does it happen even in systems with workflows?
Self-approval fraud is approving spend you initiated or benefit from - buying something, then signing off on the resulting invoice yourself. It survives in workflow systems through gaps people exploit: a workflow that routes by amount but doesn't prevent the entry clerk from also being an assigned approver; a manager who is both requester and approver because the rule never separated the roles; a delegation that hands an approver a colleague's queue, including items the delegate requested; or an admin who can edit the workflow to route invoices to themselves. The fix is structural - the system should make it impossible for the same identity to enter and approve the same invoice, and approval rights should never collapse into entry or vendor-setup rights for the same person.
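As an added example of what "structural" means in code (this is illustrative, not Stampli's implementation, and it assumes a hypothetical minimal data model: an invoice records who entered it and who requested the purchase, a vendor records who created its master record, and a delegation table maps an absent approver to a delegate), the gate below refuses to let the entry clerk, the requester, or the vendor's creator approve an invoice, and applies the same rule to a delegate covering someone else's queue:

```python
"""Segregation-of-duties gate for invoice approval.

Added illustration, not Stampli's code. The data model is a hypothetical
minimum: an invoice records who entered it and who requested the purchase,
a vendor records who created its master record, and `delegations` maps an
absent approver to the delegate covering their queue.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Vendor:
    vendor_id: str
    created_by: str  # user who set up the vendor master record


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    vendor_id: str
    entered_by: str          # AP clerk who keyed or uploaded it
    requested_by: str        # person who initiated the purchase
    approved_by: tuple = ()  # approvers who have already signed off


@dataclass
class ApprovalGate:
    vendors: dict                                      # vendor_id -> Vendor
    delegations: dict = field(default_factory=dict)    # absent approver -> delegate

    def conflicted_parties(self, inv):
        """Identities that must never approve this invoice, whatever role they hold."""
        vendor = self.vendors[inv.vendor_id]
        return {inv.entered_by, inv.requested_by, vendor.created_by}

    def deny_reason(self, inv, approver, on_behalf_of=None):
        """Return None if `approver` may approve `inv`, otherwise the reason it is blocked.

        `on_behalf_of` names the absent approver whose queue `approver` is covering.
        Delegation transfers the queue, never the right to self-approve: the delegate
        is checked against the invoice exactly as the original approver would be.
        """
        if on_behalf_of is not None and self.delegations.get(on_behalf_of) != approver:
            return f"{approver} holds no delegation from {on_behalf_of}"
        if approver in self.conflicted_parties(inv):
            return f"{approver} entered or requested the invoice, or created the vendor"
        if approver in inv.approved_by:
            return f"{approver} has already approved {inv.invoice_id}"
        return None

    def route(self, inv, candidates):
        """Pick the first candidate the gate allows; fail closed if none qualifies."""
        for approver in candidates:
            if self.deny_reason(inv, approver) is None:
                return approver
        raise PermissionError(f"no independent approver available for {inv.invoice_id}")


if __name__ == "__main__":
    gate = ApprovalGate({"V1": Vendor("V1", created_by="carol")}, delegations={"alice": "bob"})
    inv = Invoice("INV-1", "V1", entered_by="dave", requested_by="bob")
    for who, cover in [("alice", None), ("bob", "alice"), ("carol", None), ("dave", None)]:
        print(who, "->", gate.deny_reason(inv, who, on_behalf_of=cover) or "allowed")
```

The point of `route` failing closed is that an invoice with no independent approver is surfaced to a human rather than quietly landing back on a conflicted one; an admin who can edit routing rules still needs a second, non-conflicted identity to actually approve.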
What red flags in approval data suggest fraud?
Patterns, not single events. Approvals clustered after hours or on weekends; amounts that hug just under an approver's limit (deliberate threshold-hugging to avoid a second reviewer); a sudden velocity spike in one approver's or one vendor's activity; approvals that take seconds across large batches (rubber-stamping); a vendor whose invoices always route to the same lone approver; round-dollar invoices and round-dollar credits; and new vendors that immediately receive high-volume or high-value invoices. None is proof, but each is a query you should be able to run - and a fraud monitoring program is largely the discipline of running them on a schedule rather than waiting for a tip.
How do I prevent an approver from approving invoices for a vendor they control or benefit from?
Combine policy and system: a conflict-of-interest policy requiring disclosure and recusal, a routing rule so that vendor's invoices go to an independent approver, and monitoring for approver-vendor relationships (same surname, address overlaps, a vendor that only ever routes to one approver). The structural defense is ensuring no single person owns both the vendor relationship and the authority to pay it.
What is collusion fraud in AP, and what detects it?
Collusion is two or more people combining to defeat separation - e.g., the person who sets up a shell vendor and the person who approves its invoices working together. Because it defeats preventive SoD by design, detection leans on monitoring: vendor-to-employee relationship analytics, unusual approver-vendor pairings, mandatory vacation and duty rotation (concealment usually breaks when one party is absent), and tips from a whistleblower channel - the single most common way occupational fraud is caught.
How do I detect approval rubber-stamping - approvers who approve everything in seconds?
Measure dwell time and correction behavior: approvers whose median time-to-approve is a few seconds across large volumes, or whose correction/rejection rate is implausibly near zero, are likely not reviewing. Sample their approved invoices for re-review, and pair the metric with making real review easy so remaining speed is a genuine red flag, not a friction artifact.
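The red-flag queries from the previous answer and the dwell-time metric from this one, run over a constructed sample approval log. This is an added example, not Stampli's analytics; the schema, the eight sample rows, and every threshold (a 07:00-19:59 business window, the top 10% of an approver's limit as the "hugging" band, a 60-second median dwell, a 30-day new-vendor window) are assumptions chosen to make the patterns visible:

```python
"""Approval-log red-flag queries over a constructed sample log.

Added illustration, not Stampli's code. Schema, rows and thresholds are
assumptions for the example; tune them against your own population.
"""
import sqlite3
from statistics import median

SCHEMA = """
CREATE TABLE approver_limit (approver TEXT PRIMARY KEY, max_amount REAL);
CREATE TABLE vendor (vendor_id TEXT PRIMARY KEY, created_at TEXT);
CREATE TABLE approval (
    invoice_id TEXT, vendor_id TEXT, approver TEXT, amount REAL,
    submitted_at TEXT, decided_at TEXT, decision TEXT  -- 'approved' | 'rejected'
);
"""

# Constructed sample data: V-SHELL is set up to exhibit the patterns.
SAMPLE = [
    ("INV-1", "V-ACME",  "alice", 1200.0, "2024-05-06 09:00:00", "2024-05-06 11:30:00", "approved"),
    ("INV-2", "V-ACME",  "bob",   4950.0, "2024-05-07 10:00:00", "2024-05-07 10:00:04", "approved"),
    ("INV-3", "V-ACME",  "carol",  800.0, "2024-05-08 09:00:00", "2024-05-08 15:00:00", "rejected"),
    ("INV-4", "V-SHELL", "bob",   4990.0, "2024-05-11 10:00:00", "2024-05-11 22:15:00", "approved"),
    ("INV-5", "V-SHELL", "bob",   4975.0, "2024-05-13 08:00:00", "2024-05-13 08:00:03", "approved"),
    ("INV-6", "V-SHELL", "bob",   4900.0, "2024-05-14 08:00:00", "2024-05-14 08:00:05", "approved"),
    ("INV-7", "V-ACME",  "alice", 6000.0, "2024-05-14 13:00:00", "2024-05-14 16:00:00", "approved"),
    ("INV-8", "V-ACME",  "carol",  300.0, "2024-05-15 09:00:00", "2024-05-15 09:40:00", "approved"),
]


def load_sample():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO approver_limit VALUES (?,?)",
                     [("alice", 10000.0), ("bob", 5000.0), ("carol", 10000.0)])
    conn.executemany("INSERT INTO vendor VALUES (?,?)",
                     [("V-ACME", "2024-01-01"), ("V-SHELL", "2024-05-01")])
    conn.executemany("INSERT INTO approval VALUES (?,?,?,?,?,?,?)", SAMPLE)
    return conn


def after_hours(conn):
    """Approvals decided on a weekend (%w is 0=Sunday, 6=Saturday) or outside 07:00-19:59."""
    return [r[0] for r in conn.execute("""
        SELECT invoice_id FROM approval
        WHERE decision = 'approved'
          AND (strftime('%w', decided_at) IN ('0', '6')
               OR CAST(strftime('%H', decided_at) AS INTEGER) NOT BETWEEN 7 AND 19)
        ORDER BY invoice_id""")]


def threshold_hugging(conn, band=0.9, min_count=3):
    """Approvers with at least min_count approvals in the top slice of their own limit."""
    return conn.execute("""
        SELECT a.approver, COUNT(*) AS n
        FROM approval a JOIN approver_limit l ON l.approver = a.approver
        WHERE a.decision = 'approved'
          AND a.amount BETWEEN ? * l.max_amount AND l.max_amount
        GROUP BY a.approver HAVING n >= ?
        ORDER BY n DESC""", (band, min_count)).fetchall()


def rubber_stampers(conn, max_median_secs=60, max_reject_rate=0.05, min_count=3):
    """Approvers whose median dwell is seconds and whose rejection rate is near zero."""
    rows = conn.execute("""
        SELECT approver, decision,
               (julianday(decided_at) - julianday(submitted_at)) * 86400.0
        FROM approval""").fetchall()
    by_approver = {}
    for approver, decision, secs in rows:
        by_approver.setdefault(approver, []).append((decision, round(secs)))
    flagged = []
    for approver, decisions in sorted(by_approver.items()):
        if len(decisions) < min_count:
            continue
        med = median([s for _, s in decisions])
        reject_rate = sum(d == "rejected" for d, _ in decisions) / len(decisions)
        if med <= max_median_secs and reject_rate <= max_reject_rate:
            flagged.append((approver, med, reject_rate))
    return flagged


def single_approver_vendors(conn, min_count=3):
    """Vendors whose approved invoices always land on the same lone approver."""
    return conn.execute("""
        SELECT vendor_id, MIN(approver), COUNT(*) AS n
        FROM approval WHERE decision = 'approved'
        GROUP BY vendor_id
        HAVING COUNT(DISTINCT approver) = 1 AND n >= ?""", (min_count,)).fetchall()


def new_vendor_spikes(conn, window_days=30, min_total=10000.0):
    """Vendors created shortly before their first invoice that immediately draw high-value spend."""
    return conn.execute("""
        SELECT a.vendor_id, ROUND(SUM(a.amount), 2) AS total
        FROM approval a JOIN vendor v ON v.vendor_id = a.vendor_id
        WHERE a.decision = 'approved'
        GROUP BY a.vendor_id, v.created_at
        HAVING julianday(MIN(a.submitted_at)) - julianday(v.created_at) <= ?
           AND total >= ?""", (window_days, min_total)).fetchall()


if __name__ == "__main__":
    c = load_sample()
    for name, fn in [("after hours", after_hours), ("threshold hugging", threshold_hugging),
                     ("rubber stamping", rubber_stampers), ("single approver", single_approver_vendors),
                     ("new vendor spike", new_vendor_spikes)]:
        print(f"{name}: {fn(c)}")
```

Each function answers one of the questions in the text and nothing else; on real data you would schedule them and feed the hits to a reviewer, since a single flag (bob's weekend approval, say) is a lead, while bob showing up in four of the five lists is the pattern the text is describing.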
We just discovered an employee approved fake invoices to a shell vendor - immediate steps?
Contain first: suspend the involved employee's system access (approval, vendor-master, and payment rights) and freeze further payments to the vendor. Preserve evidence (the immutable audit trail, documents, communications) without alerting the suspect prematurely. Engage legal and HR, and likely external forensic accountants and counsel; quantify the loss; and notify the parties your policies and obligations require (audit committee, insurer, auditor). Don't let well-meaning staff "investigate" informally and contaminate evidence.
How do we handle the audit and disclosure implications after discovering AP fraud?
Inform those charged with governance (audit committee) and your external auditor promptly - fraud, even immaterial in dollars, speaks to the control environment and may affect the audit. Assess whether prior financials were misstated, whether disclosure is required, and what control failure allowed it. Document the response; auditors evaluate not just the fraud but how management reacted.
What is a fictitious vendor scheme, and which approval-side controls catch it?
A fictitious (shell) vendor scheme invents a payee the fraudster controls and bills the company for nothing real. Vendor-onboarding controls are the first line, but approval-side controls matter too: separating vendor creation from approval (so the creator can't also authorize payment), independent approval of the spend, duplicate/anomaly detection on the invoices, and monitoring for vendors that only ever route to one approver or appeared just before activity spiked.
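The relationship analytics mentioned in the conflict-of-interest, collusion, and fictitious-vendor answers above (same surname, address overlap, and the vendor's creator sitting in its approval path), as an added example that is not Stampli's code. The employee roster, vendor master, and approval history are constructed for the example, and the abbreviation and legal-suffix lists are deliberately minimal assumptions to be extended for real data:

```python
"""Approver-vendor relationship analytics over constructed master data.

Added illustration, not Stampli's code. EMPLOYEES, VENDORS and
APPROVERS_BY_VENDOR are constructed sample data; ADDRESS_ABBREV and
VENDOR_NAME_NOISE are minimal assumed lists to extend for real use.
"""
import re

ADDRESS_ABBREV = {"ln": "lane", "st": "street", "ave": "avenue", "rd": "road", "dr": "drive"}
VENDOR_NAME_NOISE = {"llc", "inc", "ltd", "co", "consulting", "services", "group", "the", "and"}

# Constructed sample data.
EMPLOYEES = [
    {"user": "alice", "name": "Alice Moreno",   "address": "9 Oak St, Springfield"},
    {"user": "bob",   "name": "Robert Ellison", "address": "12 Harbor Ln., Apt 4, Springfield"},
    {"user": "carol", "name": "Carol Diaz",     "address": "77 Pine Ave, Riverton"},
]
VENDORS = [
    {"vendor_id": "V-ACME",  "name": "Acme Industrial Supply Inc", "address": "400 Commerce Rd, Riverton",        "created_by": "dave"},
    {"vendor_id": "V-OWN",   "name": "Riverton Office Services",   "address": "1 Main St, Riverton",              "created_by": "carol"},
    {"vendor_id": "V-SHELL", "name": "Ellison Consulting LLC",     "address": "12 Harbor Lane Apt 4 Springfield", "created_by": "dave"},
]
APPROVERS_BY_VENDOR = {"V-ACME": {"alice", "carol"}, "V-OWN": {"carol"}, "V-SHELL": {"bob"}}


def _tokens(text):
    """Lowercase word tokens with punctuation removed."""
    return re.sub(r"[^a-z0-9 ]", " ", text.lower()).split()


def normalize_address(addr):
    """Canonical form so 'Harbor Ln.' and 'Harbor Lane' compare equal."""
    return " ".join(ADDRESS_ABBREV.get(t, t) for t in _tokens(addr))


def surname(full_name):
    return _tokens(full_name)[-1]


def relationship_findings(employees, vendors, approvers_by_vendor):
    """Return sorted (vendor_id, user, signal, user_is_approver) tuples.

    user_is_approver is the severity bit: a related employee who also sits in
    the vendor's approval path is exactly the case the recusal rule exists for.
    """
    by_address = {normalize_address(e["address"]): e["user"] for e in employees}
    by_surname = {}
    for e in employees:
        by_surname.setdefault(surname(e["name"]), []).append(e["user"])

    findings = []
    for v in vendors:
        vid = v["vendor_id"]
        approvers = approvers_by_vendor.get(vid, set())
        # Vendor-setup and approval rights collapsed into one person.
        if v["created_by"] in approvers:
            findings.append((vid, v["created_by"], "vendor creator approves its invoices", True))
        # Vendor remit-to address equals an employee's home address.
        user = by_address.get(normalize_address(v["address"]))
        if user:
            findings.append((vid, user, "vendor address matches employee address", user in approvers))
        # Vendor name carries an employee surname once legal noise is stripped.
        for tok in set(_tokens(v["name"])) - VENDOR_NAME_NOISE:
            for user in by_surname.get(tok, []):
                findings.append((vid, user, "vendor name contains employee surname", user in approvers))
    return sorted(findings)


if __name__ == "__main__":
    for f in relationship_findings(EMPLOYEES, VENDORS, APPROVERS_BY_VENDOR):
        print(f)
```

Surname and address matches produce false positives on real rosters (common surnames, shared office addresses), which is why the output carries the "is this person also an approver" bit rather than a verdict: the match alone is a lead for review, the match plus approval authority is the conflict the routing rule should already have prevented.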
Should approval anomaly monitoring be continuous (analytics) or periodic (internal audit)?
Both, layered. Continuous analytics catch patterns fast and cover the whole population (after-hours approvals, threshold-hugging, velocity spikes); periodic internal audit reviews bring human judgment and investigate what analytics flag. Continuous-only misses context; periodic-only is too slow and samples too thin to catch deliberate concealment.
A manager pressures AP to "just push it through" past the workflow - how should AP staff be protected?
Policy must make clear that AP can and should decline to bypass controls, with an escalation path above the pressuring manager and a whistleblower channel that protects against retaliation. The structural protection is a system where AP cannot bypass the workflow even if pressured - removing the discretion removes the pressure point. Tone-at-the-top that visibly backs AP is the cultural half.
What is management override of controls, and how do you design for a risk that comes from the top?
Management override is leadership using its authority to circumvent controls - the hardest fraud risk because the people who could stop it are often the ones doing it. Design defenses that don't depend on subordinates resisting superiors: board/audit-committee oversight of large or unusual transactions, mandatory independent review of executive-approved spend, journal-entry and override monitoring, an immutable trail no executive can edit, and a whistleblower channel reporting outside the management chain.
What percentage of revenue does the typical organization lose to occupational fraud, and how much comes through AP?
Widely cited occupational-fraud research (the ACFE's biennial study) estimates organizations lose roughly 5% of revenue to fraud annually, with billing schemes - most of which run through AP and disbursements - among the most common and costly categories. Treat the exact figure as indicative; the operative point is that AP is a primary fraud channel, which is why approval and payment controls earn their keep.
Stampli perspective
Stampli's defenses against approval fraud are built into the workflow rather than bolted on. Segregation of duties is enforced by role-based permissions - entry, approval, payment, and administration are separable, users can't escalate their own roles, and invoice approval and payment approval are distinct gates. Duplicate Detection & Fraud Prevention surfaces likely duplicates at multiple points (upload through export), flags first-time vendors and invoice documents that don't match a vendor's historical pattern, and alerts when an amount materially exceeds a vendor's baseline - and these fraud signals suppress the skip-approval recommendation so risky invoices can't slide through automation. Every action lands in an immutable, attributable activity record, which is the data a fraud review or auditor works from.