
Accounts Payable Internal Controls: Complete Guide

Internal controls play a critical role in mitigating risk in your accounts payable processes. But optimizing your AP processes as a whole is the key to ultimate security and efficiency.

Internal controls help finance teams mitigate and nullify risk in accounts payables and other accounting processes, as well as ensure consistency when producing financial statements.

What are Accounts Payable Internal Controls?

Accounts payable internal controls are broken down into three sequential categories:

  1. Your obligation to pay
  2. Data entry into the system
  3. Payment of the debt

AP controls help to streamline operations, mitigate the risk of losses, and organize the labor force. Continuous supervision of these functions is what drives a successful payables team and ensures a clean audit.

In accounts payable, there are a few universal truths:

  • AP wants to pay vendor invoices and suppliers on time
  • AP wants to pay accurately

These two efforts are not mutually exclusive. For example, if you rush to pay on time, you might miss something and pay twice. However, if you manually check every line item, your payables might not get there on time.

This is why procurement controls for procure-to-pay were created. These procedures create a system of checks and balances to reduce duplicate payments, prevent fraud, ensure regulatory compliance, and minimize human error. 

Every accounts payable department has some form of controls in place. However, many could improve their overall efficiency by taking a hard look at their process and identifying areas ripe for development. As AP technology continues to advance, there are certain tasks that can be automated for reduced workload and increased accuracy.

In this article, we examine the three levels of accounts payable internal controls that mid-market companies are using to manage their expenses. At each level, we’ll provide best practices, examine common scenarios, and identify general issues to ensure your payable process runs smoothly and efficiently.

Why You Need Internal Controls

There are several arguments to be made for why a business needs internal AP controls. Best practices are put in place to help:

Minimize Fraud

According to the AFP Payments Fraud and Control survey, 82% of organizations were subject to attempted or actual fraud in 2018. This follows a five-year trend of fraudulent activity.

If external threats are on the rise, this indicates an increased need to shore up AP processes and do everything you can to prepare for that eventuality. 

Mitigate Risk

More control means more eyes and less risk. Sharing responsibility with multiple sources decreases risk. By creating a system of checks and balances within your internal procedures, you automatically decrease exposure.

Increased Accuracy

AP internal controls enable a brand to exercise a higher level of accuracy. This is especially prevalent when you have digitized the AP process and use automated systems. 

Shared Accountability

Applying the appropriate segregation of duties while adding people into the operation means more shared accountability. It means one or two people aren’t walking around, carrying the financial burden of the whole organization.

Supplier Relationships

Paying a bill late is a dynamic issue in business. Not only does it strain supplier relationships, it keeps you from receiving any early payment discounts or benefits. Although there may be a little leeway, a streamlined process for AP internal controls ensures vendors are paid by the due date (if not early). This means no more angry suppliers or missed opportunities for cost savings.


The more internal controls in place, the more prepared a company is for auditing by its CPA firm. If you have a paper trail rife with duplicate payments, short payments, overpayments, late fees, etc., an audit will not be fun. Procurement controls ensure that whenever you have an audit, no matter who performs it, everything is right there for the picking.

How can your company improve internal controls?

Use AP automation software with workflow best practices to start. The secret is in taking a holistic approach to accounts payable efficiency. How streamlined are your AP processes?

Types of Accounts Payable Internal Controls

Obligation to Pay Controls

The first thing to check is that your company owes the debt. It then becomes your obligation to pay. Before cutting a check, there are internal systems that can ensure the debt is truly owed, the goods/services were received, and it’s the correct (and approved) amount. Typically speaking, there are four controls in place for this process:

  1. Approving the invoice
  2. Approving the purchase order
  3. Three-way and four-way matching
  4. Auditing for duplicates

Invoice Approval

The person who is in a position to authorize payment will signify their approval of the supplier invoice. However, this is a weak control if the authorizer has no way to verify if goods were received. How can they approve to pay for anything if they didn’t check the shipment coming in? There should be a receiving report for approval.

Additionally, what if the supplier is charging more than they quoted? How will the person approving the invoice know that? The approver might also want to know which general ledger account is being charged.

If your company is still using time-consuming paper documents, you want to have the payables staff first assemble a packet of documents. This should include the supplier invoice, original purchase order, and shipping receipts. The invoice should also be stamped with the account that is to be charged. This way, the approver has everything they need to sign off on the invoice and push it on to get paid. (Later we discuss efficiencies from AP automation software that uses electronic documents and guided approvals routing.)

Purchase Order Approval

For every purchase made, the purchasing department issues a purchase order. They are approving expenditures and preventing others from occurring. This keeps a company from spending out of control and curtails the misappropriation of funds. Since this involves a considerable amount of work by the purchasing staff, they will likely ask employees to request items on a purchase requisition form. 

Three-way Match

This is where the proof of shipping comes in. A payable staff member will match the supplier invoice to the related P.O. and proof of receipt before authorizing the payment. This approach goes above the need for individual invoice approval since it is based on the purchase order requested. 

Three-way matching is better than approving on the P.O. alone as it also verifies the receipt of goods. However, this process can be painfully slow and break down when documents are missing.

Four-way Match

Four-way matching works the same as three-way, but also includes evidence of an inspection report. This process is implemented when a location is using online receiving and inspection to take in goods. In this system, an invoice is matched to the corresponding P.O. for amount and quantity, receiving, and inspection information.
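The matching rules above can be written down as a short routine. This is an added example, not code from any AP product; the class names, the `four_way` flag and the zero default tolerance are assumptions. It treats a missing document as a hold rather than a pass, since the page notes that matching breaks down when documents are missing.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional


@dataclass
class PurchaseOrder:
    po_number: str
    quantity: int
    unit_price: Decimal


@dataclass
class Receipt:            # receiving report
    po_number: str
    quantity_received: int


@dataclass
class Inspection:         # inspection report, used only for four-way matching
    po_number: str
    quantity_accepted: int


@dataclass
class Invoice:
    invoice_number: str
    po_number: str
    quantity: int
    amount: Decimal


def match_invoice(invoice: Invoice,
                  po: Optional[PurchaseOrder],
                  receipt: Optional[Receipt],
                  inspection: Optional[Inspection] = None,
                  four_way: bool = False,
                  tolerance: Decimal = Decimal("0.00")):
    """Return (status, reasons). status is APPROVE, EXCEPTION or HOLD."""
    # A missing document is a HOLD, never a silent pass.
    missing = []
    if po is None:
        missing.append("purchase order missing")
    if receipt is None:
        missing.append("receiving report missing")
    if four_way and inspection is None:
        missing.append("inspection report missing")
    if missing:
        return "HOLD", missing

    reasons = []
    docs = [po, receipt] + ([inspection] if four_way else [])
    if any(d.po_number != invoice.po_number for d in docs):
        reasons.append("documents reference different purchase orders")
    if invoice.quantity > po.quantity:
        reasons.append("invoiced quantity exceeds quantity ordered")
    if invoice.quantity > receipt.quantity_received:
        reasons.append("invoiced quantity exceeds quantity received")
    if four_way and invoice.quantity > inspection.quantity_accepted:
        reasons.append("invoiced quantity exceeds quantity accepted at inspection")
    expected = po.unit_price * invoice.quantity
    if abs(invoice.amount - expected) > tolerance:
        reasons.append(f"amount {invoice.amount} differs from PO price {expected}")
    return ("EXCEPTION", reasons) if reasons else ("APPROVE", [])


# Constructed sample documents for one purchase order.
PO = PurchaseOrder("PO-7001", quantity=10, unit_price=Decimal("42.50"))
RECEIPT = Receipt("PO-7001", quantity_received=10)
INSPECTION = Inspection("PO-7001", quantity_accepted=9)
INVOICE = Invoice("INV-55", "PO-7001", quantity=10, amount=Decimal("425.00"))

if __name__ == "__main__":
    print(match_invoice(INVOICE, PO, RECEIPT))                             # three-way
    print(match_invoice(INVOICE, PO, RECEIPT, INSPECTION, four_way=True))  # four-way
    print(match_invoice(INVOICE, PO, None))                                # missing doc
```

The same invoice passes the three-way match but becomes an exception under four-way matching, because inspection accepted fewer units than were billed.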


This includes a manual duplicate payment search. A computerized program will conduct an automated search to ensure there are no duplicate numbers in the system. When doing this manually, it can be a difficult endeavor for the accounting department.

A clerk must search through a vendor file and unpaid invoices to determine if an invoice that has just been received has already been paid. In many cases, the sheer volume of invoices coming in makes this difficult, especially for small businesses. Duplicates fall through the cracks on a regular basis.

Best Practices for Obligation to Pay Controls

While each of these tasks improves the overall accuracy of the AP process, it also adds a considerable amount of time and expenses. Every document could live in different departments and worse, exist in different file formats (i.e. hard copy vs. electronic). 

The most impactful way to add efficiency to your obligation to pay controls is to house all documents in one digital repository and manage them with automation. Ideally, this should be using the same accounting system as your invoice processing. 

The AP software has a digital record of the invoice, purchase order, shipping receipt, and inspection report. It will match the documents in the system and send them to the appropriate parties for approval. Simultaneously, an efficient AP program will search the database for duplicates and flag them on the original invoice.

Allowing a computer to conduct all the jobs involved with verification has the potential to greatly improve your controls over the obligation to pay suppliers. 

A successful workflow will also enforce a true system of checks and balances by assigning different personnel to different tasks. This segregation of duties ensures you don’t have to put all your eggs in one basket. It also means a single individual isn’t solely accountable for the AP department’s success.

Data Entry Controls 

Once you have identified an invoice as something that must be paid, the information has to make its way into your AP system. There are generally two AP controls for data entry:

Record Invoice Before Approval

As soon as an invoice hits the AP department, it is recorded in the payables system. The invoice is immediately documented and coded as a double-entry bookkeeping debit and credit. This puts a greater priority on paying suppliers over authorization and works best when you have a purchase order process in place. 

Record Invoice After Approval

This control assumes every invoice coming in could be a duplicate or an error. It must go through an approval process before it can be recorded. The AP employee will verify the approval of the invoice before entering it into the system. This invoicing system involves a greater separation of duties and thus more control. Most companies record invoices before approval. 

Best Practices for Data Entry Controls

Whichever method you choose to implement, there is still the issue of actually entering the data. Even the most diligent AP employee isn’t as fast or accurate as a computer. It’s nearly impossible to avoid typographical errors when keying in such a high volume of financial statements. There are just too many steps from the eyes to the brain to the hand. 

Hosting all of your necessary documents for approval in one digital space is the best practice when it comes to data storage. A centralized and digital system is one solution to the problem of manual data entry. 

Technologies like optical character recognition (OCR), artificial intelligence, and machine learning will capture and match invoice data to your financial and accounting codes. Automated disbursements free up staff to focus more on business growth.

Invoice Numbering

Another best practice for data entry is to adopt an invoice numbering guideline. Even though most accounting software can detect and match the same invoice number, there are times when you can trip up the system. 

For example, do you record invoice numbers with leading zeros (0001) or do you drop them (1)? If the same invoice is recorded twice, in those two separate ways, the program will not flag them as duplicate invoices. It is that precise. The same problem can arise when you use dashes too, like (123-999) vs. (123999).
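A duplicate check that survives the leading-zero and dash variations described above has to compare a canonical form of the number, not the text as keyed. The following is an added example, not code from any accounting package; the field names and the sample invoices are constructed for illustration.

```python
import re
from collections import defaultdict
from decimal import Decimal


def normalize_invoice_number(raw: str) -> str:
    """Reduce an invoice number to a canonical form for comparison only.

    Drops separators and whitespace, upper-cases letters, and removes
    leading zeros, so "0001" == "1" and "123-999" == "123999".
    """
    cleaned = re.sub(r"[^0-9A-Za-z]", "", raw).upper()
    return cleaned.lstrip("0") or "0"


def find_possible_duplicates(invoices):
    """Group invoices by (vendor, canonical number); return groups of 2+.

    Each group is labelled "likely duplicate" when every amount agrees and
    "review" otherwise, because normalization can also merge numbers that
    are genuinely different (e.g. "12-3999" and "123-999").
    """
    groups = defaultdict(list)
    for inv in invoices:
        key = (inv["vendor_id"], normalize_invoice_number(inv["invoice_number"]))
        groups[key].append(inv)

    flagged = {}
    for key, members in groups.items():
        if len(members) < 2:
            continue
        amounts = {m["amount"] for m in members}
        label = "likely duplicate" if len(amounts) == 1 else "review"
        flagged[key] = (label, [m["invoice_number"] for m in members])
    return flagged


# Constructed sample data, not taken from any real ledger.
SAMPLE_INVOICES = [
    {"vendor_id": "V100", "invoice_number": "0001", "amount": Decimal("500.00")},
    {"vendor_id": "V100", "invoice_number": "1", "amount": Decimal("500.00")},
    {"vendor_id": "V200", "invoice_number": "123-999", "amount": Decimal("1250.00")},
    {"vendor_id": "V200", "invoice_number": "123999", "amount": Decimal("1250.00")},
    {"vendor_id": "V200", "invoice_number": "12-3999", "amount": Decimal("80.00")},
    {"vendor_id": "V300", "invoice_number": "1", "amount": Decimal("75.00")},
]

if __name__ == "__main__":
    for key, (label, numbers) in find_possible_duplicates(SAMPLE_INVOICES).items():
        print(key, label, numbers)
```

The original number should still be stored as received; the canonical form is only the comparison key, and matching is scoped per vendor so that invoice "1" from two different suppliers is not flagged.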

Match to Budget

The supplier invoice should always be charged to the right ledger. One way to ensure there is no disparity is to match the invoice to the department budget. This will tell you whether the right department was charged for the expense.

Payment Controls

Once the invoice is matched and the data is in the system, it’s time to pay your bills. Up to this point, all internal controls listed have been in place to ensure invoices are accurate, valid, and that the debt is owed. The final step is paying the bills.

The following are some of the more common payment controls (centered around payment with checks):

Segregation of Duties

Segregation of duties, also called separation of duties, is essential when performing financial transaction processes. No one person should ever wholly take responsibility for any process. Accounting practices can be split quickly without introducing significant downtime or delays. For example, bookkeeping, deposits, reporting, and auditing, accompanied by managerial oversight, can be split using separation of duties. Separation of duties helps to minimize the risk of any single employee committing fraudulent acts.

The person who prepares the check should always be separate from the one that signs it. Adding a second pair of eyes not only catches last-minute errors but also mitigates risk and reduces fraud. It’s a cross-check on the issuance of cash.

Access Controls

Access controls determine which groups and accounts have access to particular processes and procedures within the company. Access control can restrict which employees can access a private data center and which employees can sign off on computer processes like accessing logs, for example. Access to sensitive computer records is often restricted, so that information is only made available to those who need it to conduct specific tasks. Doing so reduces the risk of information theft and the risk of asset theft by modifying ownership records. Access control is a tradeoff between accessibility and security, giving temporary access to those who need it.

Manual Check Signing

All checks should be manually signed rather than using a stamp or signature plate. If you must have a stamp, it’s important to also have a purchase order system in place. In that way, the purchasing staff becomes the de facto invoice approvers by issuing P.O.s earlier in the payables process flow.

Store all Checks Securely

All checks (including unused check stock) should always be stored in a locked cabinet, drawer, or safe. Otherwise, they can be stolen and used for fraudulent purposes. All signature plates and stamps should also be stored in the same secure location.

Track the Check Numbers

As checks are issued, keep a log of all sequence numbers going out. List the range used for each check run. This will help AP staff identify if certain checks are missing or stolen. The log should never be kept in the same place as the stored checks since someone could steal both.

Double Signing

It’s always a good idea to have more than one person approve and sign a check. This is especially the case if it exceeds a certain amount. Then you may want to have a higher-level manager sign off on it. By adding a senior-level staff member, you’re reducing the risk of loss and duplicate payments. Your company policy should indicate the dollar level at which two signatures are required. 
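Three of the payment controls above (segregation of preparer and signer, the check number log, and double signing over a set amount) can be verified together by reviewing each check run against its logged range. This is an added example, not code from any AP system; the record fields, the names and the 10,000 threshold are assumptions standing in for your own policy.

```python
from decimal import Decimal

# Assumed policy value: the page says company policy sets this dollar level.
DUAL_SIGNATURE_THRESHOLD = Decimal("10000.00")


def audit_check_run(first_number, last_number, checks):
    """Compare one check run against its logged number range.

    Returns a sorted list of (check_number, finding) tuples.
    """
    findings = []
    seen = set()
    for chk in checks:
        number = chk["number"]
        if number in seen:
            findings.append((number, "check number used more than once"))
        seen.add(number)
        if not first_number <= number <= last_number:
            findings.append((number, "number outside the logged range"))
        if chk.get("void"):
            continue  # voided stock is accounted for but carries no payment
        signers = set(chk["signers"])
        if chk["preparer"] in signers:
            findings.append((number, "preparer also signed"))
        if chk["amount"] > DUAL_SIGNATURE_THRESHOLD and len(signers) < 2:
            findings.append((number, "second signature required"))
    # Any number in the logged range with no record is missing or stolen stock.
    for number in range(first_number, last_number + 1):
        if number not in seen:
            findings.append((number, "no record for logged check number"))
    return sorted(findings)


# Constructed check run: the log says numbers 1001-1006 were used.
SAMPLE_RUN = [
    {"number": 1001, "amount": Decimal("820.00"),
     "preparer": "alice", "signers": ["bob"]},
    {"number": 1002, "amount": Decimal("310.00"),
     "preparer": "alice", "signers": ["alice"]},
    {"number": 1003, "void": True},
    {"number": 1004, "amount": Decimal("25000.00"),
     "preparer": "alice", "signers": ["bob"]},
    {"number": 1006, "amount": Decimal("12000.00"),
     "preparer": "alice", "signers": ["bob", "carol"]},
]

if __name__ == "__main__":
    for number, finding in audit_check_run(1001, 1006, SAMPLE_RUN):
        print(number, finding)
```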

Best Practices for Payment Controls

If you’re serious about mitigating risk at this level, it may be best to move to an electronic payment system. Switching to a process like ACH electronic bank-to-bank transfers, a type of EFT (electronic fund transfer), has a number of advantages, including:

Mail Fraud

A check “lost in the mail” doesn’t exist in the electronic payments sphere. While mail fraud is not as common as other types, eliminating the possibility completely is not a bad idea.


ACH enables more secure transactions via a technology called tokenization. This restricts each payment to a one-time-use number that’s set at a fixed amount. This also ensures you cannot accidentally duplicate payments.

Payment Immediacy

By increasing the ability to pay vendors faster, you open up opportunities to manage cash flow in a more strategic way.

Common Issues With Internal Control Systems

Internal controls, like any auditing system, are not perfect. There is always room for improvement. For example, control activities introduced to tighten the control environment may frequently slow down the natural process flow, which can reduce its overall efficiency. However popular a metric, efficiency is not the only factor a company has to consider when determining success.

The development of a system of internal control requires management to balance risk reduction with efficiency. Adding internal controls might result in management accepting a certain amount of risk to create a strategic profile that allows a company to compete more effectively.

Smaller operations may employ purely manual accounting and analog financial processing. This may increase the potential risk of fraudulent activities, human error, or discrepancies that fintech or standardized financial systems may pick up on. For example, Daniel Berenbaum, Vice President Finance and Asia Pacific Chief Financial Officer of Global Foundries, believes that “the risk of human error is high with manual processes. Additionally, you don’t always achieve the level of transparency that you would like.” 

Tradeoffs are typical, but a company must anticipate them to avoid lower morale and to improve internal control mechanisms.

Finally, cutting corners can be an issue, as internal controls may delay processes. Employees required to complete specific tasks within a period may flout rules and regulations to accomplish work faster, even if that means increasing financial risk to the company.

However, controls, internal or not, only work if stakeholders like employees are obeying them. If an employee does not understand the internal control procedures or completely bypasses them, the accounting system becomes inaccurate and does not pass through the proper reviews, increasing the possibility of fraud like embezzlement.

Where to Start When Establishing an Internal Controls Framework

Accounts Payable has a critical role in the internal controls of a business as the custodian of funds leaving the finance organization. Much like trying to get water back into a leaky pipe, once payments are sent to suppliers, any opportunity for retrieving funds becomes increasingly complex. 

Yet data entry errors and payment fraud do happen. An internal accounts payable controls framework provides the basis for minimizing risk and error in AP controls. This includes approval workflows, signatory rights, and payment processes, all of which ensure financial compliance before payment.

When your business makes payments on invoices in accounts payable, cash is used to pay your suppliers and vendors. For more information on internal controls, consider cash controls as part of your enterprise risk management (ERM) system using the COSO framework. 

Determining Roles and Responsibilities

From the CFO to Controller to AP staff, there are considerations for each to build strong internal accounts payable controls. 

Senior staff set the tone for the organization as well as ensure the segregation of duties (SoD). SoD enables points between entities to check each other’s work. That way, no one person becomes the source for releasing funds. It also double-checks for potential errors. 

The most effective way is to enable approval workflows for any supplier-based transactions. This way, they are verified by multiple entities. Automating such approvals streamlines efforts and creates a digital audit trail for your records.

Exercising a Well-Defined Supplier Onboarding Program

Knowing who your suppliers are is important when developing better business relationships, particularly when working with cross-border suppliers, where access is more limited. In this case, making them demonstrate authenticity may not be a bad thing.

This may require things like validating business addresses and banking details for electronic payments during the supplier onboarding process. One benefit to the Foreign Account Tax Compliance Act (FATCA) is that additional information can be requested such as where the supplier is doing business and their tax IDs. While it may seem like a formality, it can be useful in determining who you’re doing business with and help your company avoid tax penalties.

Leveraging Known Blacklists

Verifying any supplier against the OFAC SDN database will ensure the payee hasn’t been blacklisted for illegal activities. This minimizes the risk of money laundering and fraud. It may be wise to consider an internal database depending on the amount of supplier churn.

With a frequent turnover of AP staff, visual checks may not be enough to sustain controls over sending funds to bad actors. Checking both the SDN database, as well as internal risk lists, for each payment should close any loopholes.

Proactive Steps for Detecting Fraud

The most basic internal control involves an adequate and detailed payment reconciliation process. Knowing the state of funds and transactions is critical to monitoring activities. All of this should be reported back to the general ledger or ERP system as soon as possible. 

If an organization waits until month-end to reconcile, that’s a 30-day head-start for anyone attempting to defraud the organization.

A white paper from IOFM (Institute of Finance and Management) and the APP2P network (sponsored by Tipalti) includes a full list of internal control processes to support the accounts payable Record to Report (R2R) effort. It also provides a deeper set of guidelines for establishing internal controls and compliance.

Strategies for Streamlining Your Internal Controls

When you run a business without strong internal controls, you are handing over full access to your most valuable asset. Even if you lack the resources to implement a comprehensive internal controls system, there are still things you can do to effectively provide your business with a level of oversight. 

This starts with knowing the difference between preventative and detective controls.

Detective Controls

If you run a small or midsize business, you may want to consider implementing an infrastructure of detective controls. These are typically put in place to review data for human error while ensuring that assets remain secure. 

Detective controls constitute internal control that highlights any significant issues in the company’s accounting process. These controls commonly involve legal compliance, quality control, and fraud prevention. Detective controls are high-level and top-down.

One example of detective controls is a reconciliation review. If you run a smaller organization, chances are a few employees are in charge of deposits, issuing checks, payroll, and performing monthly bank reconciliations. Having a third-party review helps take the weight off of one or two trusted employees.

Preventative Controls

Preventive controls are a form of internal control that patches “holes” in the financial management system before they become a problem. Preventive controls are performed regularly to maintain organization and proactively prevent errors and irregularities.

These controls are established by organizations seeking to ensure something does not happen in advance. One example of preventative controls is setting transaction limits and segregating duties. Although it can be effective, it’s oftentimes harder for smaller companies to commit to such a strategy.

Corrective Controls

Corrective controls are a form of internal control that aims to resolve any errors found by internal detective controls. Corrective processes go through accounting controls with a fine-tooth comb to ensure the same mistakes or potential hiccups do not happen again.

Tips for Implementing Internal Controls 

You don’t need to break the bank to use internal controls in your AP process. It simply takes a little time and effort. Here are a few ways to get started:

  1. Use an internal control checklist. 
  2. Establish transaction limits and have supervisors and managers sign off on large amounts.
  3. Do not limit your resources to one employee in the event of unforeseeable circumstances, like sickness or job loss. Make sure a few people understand how the operation works.
  4. Reconcile key accounts monthly, then have a third party review them, including:
    • Receivables
    • Cash
    • Payables
    • Inventory
    • Payroll
  5. Restrict access to the general ledger.
  6. Assign an individual to review standard and nonstandard journal entries.
  7. Update the vendor list to ensure it is current and accurate.
  8. Form a policy for customer credit (with limits). Review it regularly.

Putting internal controls to work doesn’t have to be a daunting task and you don’t need to hire more people. Start by picking a few controls you can easily weave into regular operations. 

Begin implementing more changes over time and adjust those that aren’t working. Before you know it, aspects of internal controls will become commonplace.


What are good internal controls?

Having any combination of strong detective, preventative, or corrective controls works to ensure an organization’s financial security and efficiency. This can include processes put in place to ensure compliance and prevent fraud.

What are key internal controls?

Key internal controls include the three-way matching process. Matching the goods received note (GRN) to the purchase order and supplier invoice prior to issuing invoice payment is a way to prevent fraud and keep more accurate records for spend forecasting and auditing purposes.

What do internal controls do?

An organization will implement internal controls in order to protect themselves and their various processes from risk, ensure operations run more efficiently, as well as ensure employees follow company and legal policies.

Internal Controls and AP Technology

When you begin developing an infrastructure for internal controls, it can increase the workload for employees and the chances for fraud. This is why you want to examine internal controls as a universal system. Each control is part of a greater good.

Accounts payable automation is the answer to streamlining workflows and increasing AP efficiency. There are plenty of opportunities to reduce time spent on tasks, cut back on manual labor, and apply the appropriate segregation of duties. This gives a business more room to focus on high-risk areas, increase employee satisfaction, and develop strong vendor relationships.

To learn more about improving accounts payable internal controls with AP automation, download our eBook, “The Ultimate Accounts Payable Survival Guide.”
