Accounts payable controls protect organizations from fraud, errors, and compliance failures. While the specific controls vary by organization size and industry, certain principles and practices apply universally. This guide covers essential AP controls and implementation considerations.
Control Objectives
AP controls should address four primary objectives:
1. Authorization
Ensure only legitimate, authorized payments are processed.
2. Accuracy
Ensure payments are for the correct amount to the correct recipient.
3. Completeness
Ensure all obligations are captured and processed appropriately.
4. Compliance
Ensure payments comply with policies, regulations, and contracts.
Core AP Controls
Segregation of Duties
Separate key functions to prevent fraud and errors:
- Invoice receipt separate from payment processing
- Vendor setup separate from payment authorization
- Payment execution separate from bank reconciliation
No single individual should control the entire payment process from vendor setup through payment execution.
Authorization Thresholds
Implement approval requirements based on payment amount:
- Define threshold levels (e.g., under $1,000, $1,000-$10,000, over $10,000)
- Assign approval authority at each level
- Require multiple approvers for large payments
- Document all approvals
Vendor Master Controls
Protect vendor master data:
- Restrict access to vendor setup and modification
- Require approval for new vendors
- Verify bank account changes before processing
- Audit vendor master changes regularly
Three-Way Matching
Verify invoices against supporting documentation:
- Purchase order (authorization to purchase)
- Receiving document (confirmation of receipt)
- Invoice (request for payment)
Discrepancies should be investigated before payment.
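The following is an added example, not code from the original guide, showing how the three-way match and the tiered authorization thresholds described above can be enforced together in a single routing step. It uses constructed purchase order, receipt and invoice records; the field names, the 2% unit-price tolerance and the approver role names are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed sample records. Field names, the 2% price tolerance and the
# approver roles are assumptions for this example, not any AP system's schema.

@dataclass(frozen=True)
class PurchaseOrder:
    po_number: str
    vendor_id: str
    quantity: int
    unit_price: float

@dataclass(frozen=True)
class Receipt:
    po_number: str
    quantity_received: int

@dataclass(frozen=True)
class Invoice:
    invoice_number: str
    po_number: str
    vendor_id: str
    quantity: int
    unit_price: float

PRICE_TOLERANCE = 0.02  # allowed unit-price variance from the PO (assumed policy)

# Approval tiers follow the thresholds in the text: under $1,000, $1,000 up to
# $10,000, and $10,000 and over. Larger payments require more approvers.
APPROVAL_TIERS = [
    (1_000, ["ap_supervisor"]),
    (10_000, ["ap_supervisor", "controller"]),
    (float("inf"), ["ap_supervisor", "controller", "cfo"]),
]

def three_way_match(invoice, po, receipt):
    """Return the list of discrepancies; an empty list means all three documents agree."""
    if po is None:
        return [f"no purchase order on file for {invoice.po_number}"]
    issues = []
    if invoice.vendor_id != po.vendor_id:
        issues.append("vendor on invoice does not match purchase order")
    if receipt is None:
        issues.append(f"no receiving document for {invoice.po_number}")
    elif invoice.quantity > receipt.quantity_received:
        issues.append(f"billed {invoice.quantity} but only {receipt.quantity_received} received")
    if invoice.quantity > po.quantity:
        issues.append(f"billed {invoice.quantity} exceeds ordered {po.quantity}")
    if abs(invoice.unit_price - po.unit_price) > PRICE_TOLERANCE * po.unit_price:
        issues.append(f"unit price {invoice.unit_price} outside tolerance of PO price {po.unit_price}")
    return issues

def required_approvers(amount):
    """Map a payment amount to the approver roles its tier demands."""
    for upper_bound, approvers in APPROVAL_TIERS:
        if amount < upper_bound:
            return approvers
    return APPROVAL_TIERS[-1][1]

def route_invoice(invoice, po, receipt):
    """Match the invoice, then attach the approval chain its amount requires.
    Exceptions are routed for investigation instead of payment."""
    issues = three_way_match(invoice, po, receipt)
    amount = round(invoice.quantity * invoice.unit_price, 2)
    return {
        "invoice": invoice.invoice_number,
        "amount": amount,
        "status": "exception" if issues else "matched",
        "issues": issues,
        "approvers": required_approvers(amount),
    }

# Constructed sample: one clean invoice and one that overbills on quantity and price.
PO_1 = PurchaseOrder("PO-1001", "V-42", quantity=100, unit_price=25.00)
RECEIPT_1 = Receipt("PO-1001", quantity_received=100)
INVOICE_OK = Invoice("INV-7781", "PO-1001", "V-42", quantity=100, unit_price=25.00)
INVOICE_OVERBILLED = Invoice("INV-7782", "PO-1001", "V-42", quantity=120, unit_price=27.00)

if __name__ == "__main__":
    for inv in (INVOICE_OK, INVOICE_OVERBILLED):
        print(route_invoice(inv, PO_1, RECEIPT_1))
```

The clean invoice comes back as matched with the two-approver chain its $2,500 amount requires; the overbilled one is held as an exception with three separate discrepancies listed, so the investigation happens before anyone is asked to approve it.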
Payment Controls
Control the payment process:
- Dual signatures for checks above threshold
- Positive pay for check fraud prevention
- ACH payment authorization
- Wire transfer approval requirements
Fraud-Specific Controls
Bank Change Verification
The most critical fraud prevention control:
- Detect all bank account changes
- Verify through trusted channels
- Use contact information from verified records
- Document verification thoroughly
Duplicate Payment Detection
Prevent paying the same invoice twice:
- Check invoice numbers against payment history
- Identify similar amounts to same vendor
- Flag potential duplicates for review
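As an added example (not from the original guide), the check below runs a candidate invoice against a constructed payment history and applies the two tests just listed: a normalized invoice-number match blocks the payment, and a same-amount match to the same vendor inside a look-back window is flagged for review. The normalization rule, the 90-day window and the cent-level amount tolerance are assumptions for the example.

```python
import re
from datetime import date

# Constructed payment history; field names and tolerances are assumptions for this example.
AMOUNT_TOLERANCE = 0.01  # amounts within a cent count as "the same"
WINDOW_DAYS = 90         # look-back for same-amount matches with a different invoice number

def normalize_invoice_number(raw):
    """Canonical form so 'INV-00123' and 'inv 123' compare equal: drop separators,
    upper-case, and strip leading zeros from the numeric part."""
    compact = re.sub(r"[^A-Za-z0-9]", "", raw).upper()
    m = re.fullmatch(r"([A-Z]*)0*(\d+)", compact)
    return f"{m.group(1)}{m.group(2)}" if m else compact

def find_duplicates(candidate, history, today):
    """Flag a candidate invoice against payments already made to the same vendor.
    Same invoice number: block. Same amount recently, different number: review."""
    flags = []
    cand_key = normalize_invoice_number(candidate["invoice_number"])
    for paid in history:
        if paid["vendor_id"] != candidate["vendor_id"]:
            continue  # different vendors legitimately reuse invoice numbering
        same_number = normalize_invoice_number(paid["invoice_number"]) == cand_key
        same_amount = abs(paid["amount"] - candidate["amount"]) <= AMOUNT_TOLERANCE
        recent = (today - paid["paid_on"]).days <= WINDOW_DAYS
        if same_number:
            flags.append({"matched": paid["invoice_number"], "severity": "block",
                          "reason": "invoice number already paid"})
        elif same_amount and recent:
            flags.append({"matched": paid["invoice_number"], "severity": "review",
                          "reason": "same amount to same vendor within look-back window"})
    return flags

# Constructed history: two paid invoices for vendor V-42 and one for V-17.
HISTORY = [
    {"vendor_id": "V-42", "invoice_number": "INV-00123", "amount": 1250.00, "paid_on": date(2024, 3, 4)},
    {"vendor_id": "V-42", "invoice_number": "INV-00140", "amount": 980.50, "paid_on": date(2024, 4, 1)},
    {"vendor_id": "V-17", "invoice_number": "123", "amount": 1250.00, "paid_on": date(2024, 3, 10)},
]
TODAY = date(2024, 4, 15)

if __name__ == "__main__":
    resubmitted = {"vendor_id": "V-42", "invoice_number": "inv 123", "amount": 1250.00}
    print(find_duplicates(resubmitted, HISTORY, TODAY))
```

Resubmitting INV-00123 as "inv 123" is blocked outright, while a new invoice number carrying the same $980.50 as last month's payment is only routed for review, since repeat billing of the same amount is common for recurring services.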
New Vendor Verification
Validate new vendors before first payment:
- Verify business existence
- Confirm bank account ownership
- Obtain tax documentation
- Establish verified contact information
Email Security
Protect against business email compromise (BEC) attacks:
- Train staff on phishing recognition
- Verify urgent payment requests
- Don’t trust email alone for payment changes
- Use separate verification channels
Technology Controls
Automated Matching
Use technology to enforce matching requirements:
- Three-way match automation
- Exception identification
- Approval routing
- Documentation capture
Change Detection
Automatically detect changes to payment details:
- Compare invoice details to verified records
- Flag bank account changes
- Identify sender domain changes
- Alert on address modifications
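The following added example (not code from the original guide) ties the change-detection list above to the bank change verification control described earlier. It compares an incoming invoice's bank account, sender domain and remittance address against a constructed verified vendor record, holds the payment on a bank account change, and releases the hold only when a logged callback used the phone number already on file and the vendor confirmed the new value. The record layouts, severity assignments and the sample vendor are assumptions for the example.

```python
import re
from dataclasses import dataclass

# Vendor master record as verified and on file. Field names are assumptions for this example.
@dataclass(frozen=True)
class VendorRecord:
    vendor_id: str
    bank_account: str
    email_domain: str
    remit_address: str
    phone_on_file: str  # callback number captured at onboarding, never taken from a later request

# Payment details extracted from an incoming invoice or change request.
@dataclass(frozen=True)
class InvoiceDetails:
    vendor_id: str
    sender_email: str
    bank_account: str
    remit_address: str

# Record of a callback performed by AP staff (the "document verification" evidence).
@dataclass(frozen=True)
class Verification:
    vendor_id: str
    field_name: str
    new_value: str
    contact_used: str
    result: str          # "confirmed" or "rejected"
    verified_by: str

# Assumed policy: a bank account change holds payment until verified; the others go to review.
SEVERITY = {"bank_account": "hold", "sender_domain": "review", "remit_address": "review"}

def digits_only(s):
    return re.sub(r"\D", "", s)

def normalize_text(s):
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", s.lower()).split())

def email_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def detect_changes(inv, vendor):
    """Compare the invoice's payment details with the verified vendor record."""
    changes = []
    if digits_only(inv.bank_account) != digits_only(vendor.bank_account):
        changes.append(("bank_account", inv.bank_account))
    if email_domain(inv.sender_email) != vendor.email_domain.lower():
        changes.append(("sender_domain", email_domain(inv.sender_email)))
    if normalize_text(inv.remit_address) != normalize_text(vendor.remit_address):
        changes.append(("remit_address", inv.remit_address))
    return changes

def is_verified(field_name, new_value, vendor, log):
    """A change counts as verified only if the callback went to the number on file
    (not a number supplied with the request) and the vendor confirmed the new value."""
    norm = digits_only if field_name == "bank_account" else normalize_text
    return any(
        v.vendor_id == vendor.vendor_id and v.field_name == field_name
        and norm(v.new_value) == norm(new_value)
        and v.contact_used == vendor.phone_on_file and v.result == "confirmed"
        for v in log
    )

def disposition(inv, vendor, log):
    """Return the payment decision plus each detected change and how it was treated."""
    outcome, flagged = "release", []
    for field_name, new_value in detect_changes(inv, vendor):
        severity = SEVERITY[field_name]
        if severity == "hold" and is_verified(field_name, new_value, vendor, log):
            flagged.append((field_name, "verified"))
            continue
        flagged.append((field_name, severity))
        if severity == "hold":
            outcome = "hold"
        elif outcome != "hold":
            outcome = "review"
    return {"disposition": outcome, "changes": flagged}

# Constructed sample data.
VENDOR = VendorRecord("V-42", "12-3456-7890", "acmesupplies.example",
                      "100 Main St, Springfield", "+1-555-0100")
INV_UNCHANGED = InvoiceDetails("V-42", "ar@acmesupplies.example", "123456 7890", "100 main st. Springfield")
INV_CHANGED = InvoiceDetails("V-42", "ar@acme-supplies.example", "98-7654-3210", "100 Main St, Springfield")
# Callback placed to the number on file; vendor confirmed the new account.
GOOD_CALLBACK = [Verification("V-42", "bank_account", "9876543210", "+1-555-0100", "confirmed", "jdoe")]
# Callback placed to a number supplied in the change request itself; it does not count.
BAD_CALLBACK = [Verification("V-42", "bank_account", "9876543210", "+1-555-0199", "confirmed", "jdoe")]

if __name__ == "__main__":
    for log in ([], BAD_CALLBACK, GOOD_CALLBACK):
        print(disposition(INV_CHANGED, VENDOR, log))
```

Formatting differences alone (spacing in the account number, punctuation in the address) produce no change, so the unchanged invoice is released. The changed invoice is held while the callback is missing or was made to a number taken from the request, and even after a proper callback confirms the account it still goes to review because the sender domain differs from the one on record.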
Audit Logging
Maintain complete audit trails:
- Log all system access
- Track master data changes
- Record payment approvals
- Document verification activities
Access Controls
Restrict system access appropriately:
- Role-based access
- Least privilege principle
- Regular access reviews
- Prompt termination of access
Monitoring and Testing
Continuous Monitoring
Monitor for control failures:
- Payment anomaly detection
- Master data change reports
- Exception trend analysis
- User activity monitoring
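An added example, not from the original guide, of the payment anomaly detection and master data change reporting listed above. It walks a constructed payment log in date order and, for each payment, compares the amount against a robust baseline built from that vendor's earlier payments, flags amounts at or above an absolute review threshold, flags payments that follow a recent master data change, and flags rush requests. The thresholds, the median-and-MAD baseline and the sample data are assumptions for the example.

```python
from datetime import date
from statistics import median

# Thresholds are assumed policy values for this example.
MIN_HISTORY = 3            # prior payments needed before a per-vendor baseline is trusted
MAD_MULTIPLIER = 5         # how far above the robust baseline counts as unusual
ABSOLUTE_LARGE = 10_000    # reviewed regardless of history
CHANGE_LOOKBACK_DAYS = 30  # payments this soon after a master data change are flagged

def robust_baseline(amounts):
    """Median and median absolute deviation: one earlier outlier barely moves them."""
    med = median(amounts)
    mad = median([abs(a - med) for a in amounts])
    return med, mad

def monitor_payments(payments, master_changes):
    """Judge each payment against the vendor's earlier payments, in date order.
    master_changes maps vendor_id -> list of dates the master record changed."""
    history = {}
    alerts = []
    for p in sorted(payments, key=lambda x: x["paid_on"]):
        vendor = p["vendor_id"]
        prior = history.setdefault(vendor, [])
        reasons = []
        if len(prior) >= MIN_HISTORY:
            med, mad = robust_baseline(prior)
            # floor the spread so a vendor with near-identical invoices still gets some slack
            limit = med + MAD_MULTIPLIER * max(mad, 0.05 * med)
            if p["amount"] > limit:
                reasons.append(f"amount {p['amount']:.2f} exceeds vendor baseline {limit:.2f}")
        if p["amount"] >= ABSOLUTE_LARGE:
            reasons.append("amount at or above absolute review threshold")
        for changed_on in master_changes.get(vendor, []):
            if 0 <= (p["paid_on"] - changed_on).days <= CHANGE_LOOKBACK_DAYS:
                reasons.append(f"master data changed on {changed_on} shortly before payment")
        if p.get("rush"):
            reasons.append("rush payment request")
        if reasons:
            alerts.append({"payment_id": p["id"], "vendor_id": vendor, "reasons": reasons})
        prior.append(p["amount"])  # add to history only after the payment has been judged
    return alerts

# Constructed payment log: a steady vendor with one spike after a master data change,
# and a first-time vendor receiving a large rush payment.
PAYMENTS = [
    {"id": "P-1", "vendor_id": "V-42", "amount": 1000.00, "paid_on": date(2024, 1, 15)},
    {"id": "P-2", "vendor_id": "V-42", "amount": 1050.00, "paid_on": date(2024, 2, 15)},
    {"id": "P-3", "vendor_id": "V-42", "amount": 980.00, "paid_on": date(2024, 3, 15)},
    {"id": "P-4", "vendor_id": "V-42", "amount": 1020.00, "paid_on": date(2024, 4, 15)},
    {"id": "P-5", "vendor_id": "V-42", "amount": 9800.00, "paid_on": date(2024, 5, 10)},
    {"id": "P-6", "vendor_id": "V-42", "amount": 1030.00, "paid_on": date(2024, 6, 20)},
    {"id": "P-7", "vendor_id": "V-99", "amount": 15000.00, "paid_on": date(2024, 6, 25), "rush": True},
]
MASTER_CHANGES = {"V-42": [date(2024, 5, 2)]}

if __name__ == "__main__":
    for alert in monitor_payments(PAYMENTS, MASTER_CHANGES):
        print(alert)
```

Two alerts result: P-5 carries both a baseline breach and a master-data-change reason, which is the combination most worth a same-day look, and P-7 is flagged on the absolute threshold and the rush request. P-6, the vendor's return to its normal amount, raises nothing even though the earlier spike is now in its history, which is the point of using the median rather than the mean.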
Periodic Testing
Test controls regularly:
- Control design assessment
- Operating effectiveness testing
- Penetration testing
- Social engineering tests
Internal Audit
Include AP in audit scope:
- Control environment assessment
- Transaction testing
- Compliance verification
- Recommendations for improvement
Documentation Requirements
Policies and Procedures
Document AP controls formally:
- Payment authorization policy
- Vendor master management procedures
- Bank change verification process
- Exception handling guidelines
Evidence Retention
Maintain documentation for audit:
- Invoices and supporting documents
- Approval evidence
- Verification records
- Exception documentation
Control Assessment
Evaluate control effectiveness through:
Key Metrics
- Duplicate payment rate
- Exception rate
- Processing time
- Control bypass frequency
Risk Indicators
- Unmatched invoices
- Master data changes
- Large or unusual payments
- Rush payment requests
Compliance Measures
- Policy adherence
- Documentation completeness
- Audit findings
- Regulatory compliance
Implementation Approach
Strengthening AP controls typically follows this path:
Phase 1: Assessment
- Document current controls
- Identify gaps and weaknesses
- Prioritize risks
Phase 2: Design
- Define target control environment
- Select technology solutions
- Develop procedures
Phase 3: Implementation
- Deploy controls systematically
- Train staff thoroughly
- Test effectiveness
Phase 4: Optimization
- Monitor performance
- Address exceptions
- Continuous improvement
Common Pitfalls
Avoid these common AP control failures:
- Over-reliance on manual controls: Automated controls are more consistent
- Inadequate segregation: Small teams may combine incompatible duties
- Weak verification: Callbacks using unverified contact information
- Documentation gaps: Controls exist but evidence is missing
- Control fatigue: Too many controls leading to workarounds
Effective AP controls balance protection with operational efficiency. The goal is controls that prevent fraud and errors without creating excessive burden on the AP team.