What is the COSO internal control framework, and how does it apply to AP?

Reference guide to the COSO framework as applied to accounts payable, covering control design, audit evidence, risk points, finance procedures, and compliance review.

COSO is the most widely used framework for designing and evaluating internal control - the standard nearly all U.S. public companies use to satisfy SOX. In plain terms, it organizes internal control into five interlocking components and seventeen underlying principles, giving finance a structured way to ask "do our controls actually cover what could go wrong?" rather than just listing activities. Applied to AP, it maps cleanly onto the procure-to-pay cycle.

At a Glance

| Aspect | Short Answer | Why It Matters |
| --- | --- | --- |
| The COSO internal control framework | COSO is the most widely used framework for designing and evaluating internal control - the standard nearly all U.S. public companies use to satisfy SOX. | Keeps evidence clear and reduces control risk. |
| The five COSO components | (1) Control environment - the tone and structure that make control matter, e.g., a board-approved DOA and a culture where AP can refuse to "just push it through." (2) Risk assessment - identifying what could go wrong in AP. | Keeps evidence clear and reduces control risk. |
| Approval path | The control environment is the foundation - the integrity, values, governance, and accountability structures that determine whether controls are taken seriously. | Keeps evidence clear and reduces control risk. |
| Apply COSO's 17 principles | Use the principles as a checklist, not a documentation project: for each, ask whether AP has it covered and note where it lives (the DOA covers authority and accountability principles, the audit trail covers information principles, etc.). | Keeps evidence clear and reduces control risk. |
| Workflow | Walk the P2P flow and at each step ask what could go wrong: duplicate or fictitious invoices, unauthorized approval, wrong coding, payment to a fraudulent account, liabilities unrecorded at period end. | Reduces payment errors, timing issues, and reconciliation cleanup. |

What are the five COSO components and how do they map to AP?

The five components: (1) Control environment - the tone and structure that make control matter, e.g., a board-approved DOA and a culture where AP can refuse to "just push it through." (2) Risk assessment - identifying what could go wrong in AP (duplicate payments, unauthorized spend, unrecorded liabilities) and how likely and large each risk is. (3) Control activities - the actual AP controls: approval, matching, reconciliation, segregation of duties, access controls. (4) Information and communication - the audit trail and reporting that let the right people see and act on the right information. (5) Monitoring activities - ongoing checks (exception analytics, self-testing) and periodic evaluations (internal audit, access reviews) that confirm the controls keep working. A control framework that's all "control activities" and no risk assessment or monitoring is a common weakness.

What is the control environment, and why does tone-at-the-top matter for invoice approvals?

The control environment is the foundation - the integrity, values, governance, and accountability structures that determine whether controls are taken seriously. It matters for approvals because the most dangerous AP risk, management override, comes from the top: if executives routinely demand exceptions, pressure AP to bypass workflow, or treat approval as a formality, no downstream control fully compensates. A strong tone-at-the-top - leadership that follows the DOA itself, supports AP when it pushes back, and treats controls as enabling rather than bureaucratic - is what makes every other AP control credible.

How do I apply COSO's 17 principles to the P2P cycle without drowning in paperwork?

Use the principles as a checklist, not a documentation project: for each, ask whether AP has it covered and note where it lives (the DOA covers authority and accountability principles, the audit trail covers information principles, etc.). Map existing controls to principles rather than writing new documentation for each - the goal is coverage assurance, not volume.

How do I do a risk assessment for the AP process - what could go wrong (WCGW) analysis?

Walk the P2P flow and at each step ask what could go wrong: duplicate or fictitious invoices, unauthorized approval, wrong coding, payment to a fraudulent account, liabilities unrecorded at period end. For each, rate likelihood and impact, then confirm a control addresses the significant ones. Gaps between real risks and existing controls are your priorities.

What do COSO monitoring activities for AP look like - ongoing vs separate evaluation?

Ongoing monitoring is built into operations: exception reports, anomaly flags, dashboards that surface stuck or unusual items in real time. Separate evaluations are periodic and independent: internal audit reviews, quarterly self-testing, access reviews. A healthy AP function has both - continuous signals plus periodic independent checks.
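As an added illustration of the "ongoing" side of monitoring (not code from this page or from Stampli), the script below runs three of the WCGW checks from the risk-assessment section over a constructed batch of invoices: duplicate vendor invoice numbers, approvals above the approver's DOA limit, and the same user entering and approving an item. The field names, the DOA table and the invoice records are all assumptions, not a real ERP schema.

```python
"""Ongoing-monitoring exception report for AP (constructed example)."""
from collections import defaultdict

# Constructed DOA table: approver role -> largest single invoice they may approve.
DOA_LIMITS = {"ap_clerk": 0, "manager": 10_000, "controller": 100_000}

# Constructed invoice batch; field names are assumptions for this example only.
INVOICES = [
    {"id": "INV-001", "vendor": "V100", "inv_no": "A-17", "amount": 4_200,
     "entered_by": "ap_clerk", "approved_by": "manager"},            # clean
    {"id": "INV-002", "vendor": "V100", "inv_no": "a-17 ", "amount": 4_200,
     "entered_by": "ap_clerk", "approved_by": "manager"},            # same vendor + invoice number
    {"id": "INV-003", "vendor": "V200", "inv_no": "7781", "amount": 55_000,
     "entered_by": "ap_clerk", "approved_by": "manager"},            # above manager's DOA limit
    {"id": "INV-004", "vendor": "V300", "inv_no": "X9", "amount": 900,
     "entered_by": "manager", "approved_by": "manager"},             # entered and approved by one user
    {"id": "INV-005", "vendor": "V400", "inv_no": "55", "amount": 2_500,
     "entered_by": "ap_clerk", "approved_by": "controller"},         # clean
]


def exception_report(invoices, doa_limits):
    """Return (invoice id, exception code) pairs for every flagged WCGW condition.

    Duplicate detection normalises the invoice number (trim, upper-case) so that
    trivial re-keying of the same vendor invoice is still caught.
    """
    findings = []
    seen = defaultdict(list)  # (vendor, normalised inv_no) -> invoice ids already seen
    for inv in invoices:
        key = (inv["vendor"], inv["inv_no"].strip().upper())
        if seen[key]:
            findings.append((inv["id"], "DUPLICATE_OF_" + seen[key][0]))
        seen[key].append(inv["id"])
        # Unauthorized approval: amount exceeds what the approver may sign off.
        if inv["amount"] > doa_limits.get(inv["approved_by"], 0):
            findings.append((inv["id"], "OVER_DOA"))
        # Segregation of duties: the person who keyed the invoice must not approve it.
        if inv["entered_by"] == inv["approved_by"]:
            findings.append((inv["id"], "SOD_ENTERED_AND_APPROVED"))
    return findings


if __name__ == "__main__":
    for inv_id, code in exception_report(INVOICES, DOA_LIMITS):
        print(inv_id, code)
```

In practice this kind of report runs on every batch and feeds the dashboard, while the separate evaluation (internal audit, quarterly self-testing) re-performs a sample of the same checks independently.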

Is COSO mandatory - what happens if we use a different framework for SOX?

SOX requires a "suitable, recognized framework," and COSO is the de facto standard; using something else is permitted but invites questions and is rarely worth the friction. Almost every U.S. public company uses COSO (2013), and auditors expect it.

What are entity-level controls vs transaction-level controls in AP?

Entity-level controls operate across the organization - the DOA policy, the code of conduct, board oversight of spend, the tone that discourages override. Transaction-level controls operate on individual items - approving this invoice, matching that PO. Strong entity-level controls reduce reliance on (and the testing burden of) transaction-level ones; weak ones undermine everything below.

Stampli perspective

Stampli's position is that accounts payable controls should live in the daily workflow, not in after-the-fact cleanup. When invoice capture, coding, approvals, vendor communication, and audit evidence stay together, finance teams can move faster without losing visibility or accountability.