How do I design AP controls for SOX - what makes the invoice approval control "key"?
Reference guide to SOX control design AP, including control design, audit evidence, risk points, finance procedures, and compliance review.
A SOX-ready AP control is precise, evidenced, and risk-anchored. The invoice approval control becomes "key" when its failure could let an unauthorized or misstated liability post to the financial statements - so design it with a clear authority basis (the DOA), a defined trigger (every invoice, or every invoice over a threshold), system-captured evidence, and enough precision that a tester can pass or fail any sample against it.
At a Glance
| Aspect | Short Answer | Why It Matters |
|---|---|---|
| Design AP controls for SOX | A SOX-ready AP control is precise, evidenced, and risk-anchored. | Keeps evidence clear and reduces control risk. |
| Audit evidence | Precision is how reliably a control would actually catch a misstatement of the size that matters. | Keeps evidence clear and reduces control risk. |
| Control point | Each AP control should tie to the assertion it protects. | Keeps evidence clear and reduces control risk. |
| Approval path | Three-way match: "The system matches each PO-backed invoice to the PO and receipt within defined tolerance before posting." | Keeps evidence clear and reduces control risk. |
| Design a management review | Specify the data reviewed, the expectation it's compared against, the threshold for investigation, the evidence of what was examined and concluded, and the reviewer's independence and competence. | Keeps evidence clear and reduces control risk. |
What is control precision, and why do auditors push back on "review" controls without thresholds?
Precision is how reliably a control would actually catch a misstatement of the size that matters. A "management review" with no threshold, no defined criteria, and no record of what was examined is imprecise - it could miss a material error and leave nothing to test. Auditors push back because an imprecise review provides false comfort: tighten it by specifying what's reviewed, the threshold that triggers scrutiny, what an exception looks like, and what evidence the review leaves. Automated controls (system-enforced matching, authority limits) are inherently more precise and consistent, which is why auditors prefer them and why a benchmark/baseline strategy can let an automated control be tested once plus its change-management controls, rather than re-sampled every period.
How do I map AP controls to financial statement assertions?
Each AP control should tie to the assertion it protects. Completeness - all liabilities incurred are recorded - is AP's signature risk, addressed by the search for unrecorded liabilities and accrual controls. Accuracy and valuation - amounts and coding are right - map to three-way matching and approval. Cutoff - transactions land in the correct period - maps to period-end review and matching of receipt dates. Existence/occurrence - recorded payables are real - maps to approval, matching, and vendor controls. Mapping controls to assertions is what proves your control set actually covers the risks, rather than just listing activities.
Example SOX control language for 3-way match, approval per DOA, and AP reconciliation?
Three-way match: "The system matches each PO-backed invoice to the PO and receipt within defined tolerance before posting; out-of-tolerance items route to a buyer for resolution." Approval: "Each invoice is approved in the AP system by an authorizer within their DOA limit before payment; the system blocks completion without sufficient authority." Reconciliation: "Monthly, the AP subledger is reconciled to the GL control account by someone independent of invoice entry; reconciling items are documented and cleared."
How do I design a management review control over AP accruals that will survive PCAOB scrutiny?
Specify the data reviewed, the expectation it's compared against, the threshold for investigation, the evidence of what was examined and concluded, and the reviewer's independence and competence. PCAOB scrutiny of management review controls centers on precision - vague "the controller reviews accruals" fails; documented thresholds, support examined, and outliers investigated survives.
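The review control described above, written out as a small program so the elements a tester looks for (defined data, an expectation, an investigation threshold, recorded conclusions, and an independent reviewer) are each explicit. This is an added illustration, not code from the page or from Stampli; the accrual figures, the 5,000 / 10% thresholds and the user ids are constructed assumptions for the example.

```python
from dataclasses import dataclass

@dataclass
class Accrual:
    vendor: str
    amount: float       # accrual booked this period
    expectation: float  # basis it is compared against, e.g. open PO value
    preparer: str       # who booked it (constructed user ids)

# Investigation thresholds: assumed values for this example, not figures from the page.
THRESHOLD_ABS = 5_000.0  # investigate if |amount - expectation| exceeds this
THRESHOLD_PCT = 0.10     # or if it exceeds 10% of the expectation

# Constructed sample population.
ACCRUALS = [
    Accrual("Vendor A", 12_000.0, 11_500.0, "ap.clerk"),
    Accrual("Vendor B", 40_000.0, 30_000.0, "ap.clerk"),
    Accrual("Vendor C", 3_000.0, 0.0, "ap.clerk"),  # no open PO behind it
]

def flag_outliers(accruals, abs_thr=THRESHOLD_ABS, pct_thr=THRESHOLD_PCT):
    """Apply the documented criteria and return the items that need investigation.
    An accrual with no expectation basis is always flagged: there is nothing to
    compare it to, so the review cannot conclude on it without support."""
    flagged = []
    for a in accruals:
        if a.expectation == 0:
            flagged.append(a)
            continue
        delta = abs(a.amount - a.expectation)
        if delta > abs_thr or delta / a.expectation > pct_thr:
            flagged.append(a)
    return flagged

def perform_review(accruals, reviewer, conclusions):
    """Run the review and return the evidence record a tester would inspect.

    conclusions maps vendor -> the reviewer's documented conclusion for a
    flagged item (e.g. "traced to receiving report"). The control refuses to
    run if the reviewer prepared any item (independence), and it stays open
    while any flagged item lacks a conclusion."""
    if any(a.preparer == reviewer for a in accruals):
        raise ValueError(f"{reviewer} prepared items in the population; not independent")
    flagged = flag_outliers(accruals)
    flagged_vendors = [a.vendor for a in flagged]
    missing = [v for v in flagged_vendors if v not in conclusions]
    return {
        "reviewer": reviewer,
        "population": len(accruals),
        "criteria": {"abs": THRESHOLD_ABS, "pct": THRESHOLD_PCT},
        "flagged": flagged_vendors,
        "conclusions": {v: conclusions[v] for v in flagged_vendors if v in conclusions},
        "status": "complete" if not missing else "open",
        "unresolved": missing,
    }

if __name__ == "__main__":
    record = perform_review(ACCRUALS, "controller", {
        "Vendor B": "increase agrees to amended PO; support retained",
        "Vendor C": "no PO; traced to signed service agreement",
    })
    print(record)
```

The point of the evidence record is that a tester can re-perform the control from it: the population size, the criteria applied, which items tripped them and what was concluded are all in the output, and the control cannot report itself complete with an uninvestigated outlier.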
How do I rationalize overlapping AP controls - we have five controls catching the same risk?
Identify the risk, pick the one or two controls that most precisely address it as key, and reclassify the rest as non-key or retire them. Redundant key controls multiply testing cost without adding assurance; a single well-designed automated control often replaces several manual ones.
Automated controls vs manual controls in AP - why do auditors prefer automated?
Automated controls operate the same way every time, can't get tired or skip a step under pressure, and can sometimes be tested once (the benchmark strategy) if change management around them holds. Shift the mix by configuring authority limits, matching, and routing as system-enforced rather than relying on people to follow policy - then the human controls that remain are genuine judgment, not clerical checks.
What is a benchmark/baseline strategy for testing automated controls only once?
If an automated control's logic hasn't changed and the IT general controls over it (access, change management) are effective, auditors may "benchmark" - establish it works once, then in later periods test only that it hasn't changed rather than re-sampling transactions. It's a major efficiency, and it depends entirely on strong change-management evidence for the configuration.
How should the control catalog change when we move AP from manual to an automation platform?
Re-scope after implementation: many manual controls (clerical matching, manual approval routing) become system-enforced automated controls, the key control set usually shrinks, and new ITGC and change-management controls over the platform enter scope. Don't carry the old manual control descriptions forward - they no longer describe how the process works.
Our 3-way match is configured with a 10% tolerance - is the tolerance itself a control decision auditors will test?
Yes. The tolerance defines what the control lets through without human review, so it's a control-design choice. Auditors will ask how the tolerance was set, whether it's appropriate to your risk, who can change it, and whether out-of-tolerance items actually route to a human - a tolerance set too wide is a control weakness regardless of how consistently the match runs.
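The three-way match and DOA approval control language given earlier, and the tolerance question just answered, as one runnable illustration: a system-enforced match whose tolerance is a configured parameter, followed by an approval gate that blocks completion without sufficient authority, with the outcome captured as evidence. This is an added example, not code from the page or from Stampli; the PO, receipt and invoice amounts, the DOA table and the 2% comparison tolerance are constructed assumptions (the 10% figure is the one in the question).

```python
from dataclasses import dataclass

@dataclass
class PurchaseOrder:
    po_id: str
    amount: float

@dataclass
class Receipt:
    po_id: str
    amount: float

@dataclass
class Invoice:
    invoice_id: str
    po_id: str
    amount: float

# Constructed DOA table: approver -> highest invoice amount they may authorize.
DOA_LIMITS = {"ap.clerk": 1_000.0, "ap.manager": 25_000.0, "controller": 250_000.0}

# Constructed sample data: one PO fully received, one invoice billed 8% above it.
POS = {"PO-100": PurchaseOrder("PO-100", 1_000.0)}
RECEIPTS = [Receipt("PO-100", 1_000.0)]
SAMPLE_INVOICE = Invoice("INV-7", "PO-100", 1_080.0)

def three_way_match(inv, pos, receipts, tolerance):
    """System-enforced match of invoice to PO and receipt.

    tolerance is a fraction of the PO amount (0.10 = the 10% in the question).
    Returns ("post", reason) or ("route_to_buyer", reason); nothing else is
    possible, so every invoice either passes the control or lands with a human."""
    po = pos.get(inv.po_id)
    if po is None:
        return "route_to_buyer", "no PO on file"
    received = sum(r.amount for r in receipts if r.po_id == inv.po_id)
    allowed = po.amount * tolerance
    po_gap = abs(inv.amount - po.amount)
    if po_gap > allowed:
        return "route_to_buyer", f"invoice vs PO gap {po_gap:.2f} exceeds tolerance {allowed:.2f}"
    rcpt_gap = abs(inv.amount - received)
    if rcpt_gap > allowed:
        return "route_to_buyer", f"invoice vs receipt gap {rcpt_gap:.2f} exceeds tolerance {allowed:.2f}"
    return "post", f"within {tolerance:.0%} tolerance"

def approve(inv, approver, doa=DOA_LIMITS):
    """DOA gate: completion is blocked unless the approver's limit covers the amount."""
    limit = doa.get(approver)
    if limit is None:
        return False, f"{approver} holds no DOA authority"
    if inv.amount > limit:
        return False, f"{approver} limit {limit:.2f} is below invoice {inv.amount:.2f}"
    return True, "approved within DOA limit"

def process_invoice(inv, approver, tolerance, pos=POS, receipts=RECEIPTS):
    """Run both controls in order and return the system-captured evidence record."""
    outcome, why = three_way_match(inv, pos, receipts, tolerance)
    record = {"invoice": inv.invoice_id, "tolerance": tolerance,
              "match": outcome, "match_reason": why}
    if outcome == "post":
        ok, why = approve(inv, approver)
        record.update({"approver": approver, "approved": ok, "approval_reason": why})
    return record

if __name__ == "__main__":
    # Same invoice under the 10% tolerance and under a tighter 2%: the wider
    # setting posts an 8% overbilling without a human ever seeing it.
    for tol in (0.10, 0.02):
        print(process_invoice(SAMPLE_INVOICE, "ap.manager", tol))
    print(process_invoice(SAMPLE_INVOICE, "ap.clerk", 0.10))  # blocked: above clerk's DOA
```

Running it makes the design point concrete: the match logic is identical in both runs, and only the tolerance parameter decides whether the 80.00 difference reaches a buyer, which is why the parameter and who can change it are part of the control rather than a setting outside it.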
Stampli perspective
Stampli's position is that accounts payable controls should live in the daily workflow, not in after-the-fact cleanup. When invoice capture, coding, approvals, vendor communication, and audit evidence stay together, finance teams can move faster without losing visibility or accountability.