Accounts Payable Internal Controls: Complete Guide

We’ve paired this article with a comprehensive guide to accounts payable. Get your copy of the Accounts Payable Survival Guide!

What are Accounts Payable Internal Controls?

Accounts payable internal controls are broken down into three sequential categories:

  1. Your obligation to pay
  2. Data entry into the system
  3. Payment of the debt

AP controls help to streamline operations, mitigate the risk of losses, and organize the labor force. Continuous supervision of these functions is what drives a successful payables team and ensures a clean audit

In accounts payable, there are a few universal truths:

  • AP wants to pay vendor invoices and suppliers on time
  • AP wants to pay accurately

These two efforts are not mutually exclusive. For example, if you rush to pay on time, you might miss something and pay twice. However, if you manually check every line item, your payables might not get there on time.

This is why procurement controls were created. These procedures create a system of checks and balances to reduce duplicate payments, prevent fraud, ensure regulatory compliance, and minimize human error. 

Every accounts payable department has some form of controls in place. However, many could improve their overall efficiency by taking a hard look at their process and identifying areas ripe for development. As AP technology continues to advance, there are certain tasks that can be automated for reduced workload and increased accuracy.

In this article, we examine the three levels of accounts payable internal controls that mid-market companies are using to manage their expenses. At each level, we’ll provide best practices, examine common scenarios, and identify general issues to ensure your payable process runs smoothly and efficiently.

Why You Need Internal Controls

There are several arguments to be made for why a business needs internal AP controls. Best practices are put in place to help:

Minimize Fraud

According to a survey by the AFP Payments Fraud and Control, 82% of organizations were subject to attempted or actual fraud in 2018. This is following a five-year trend of fraudulent activity. 

If external threats are on the rise, this indicates an increased need to shore up AP processes and do everything you can to prepare for that eventuality. 

Mitigate Risk

More control means more eyes and less risk. Sharing responsibility with multiple sources decreases risk. By creating a system of checks and balances within your internal procedures, you automatically decrease exposure.

Increased Accuracy

AP internal controls enable a brand to exercise a higher level of accuracy. This is especially prevalent when you have digitized the AP process and use automated systems. 

Shared Accountability

Applying the appropriate segregation of duties while adding people into the operation means more shared accountability. It means one or two people aren’t walking around, carrying the financial burden of the whole organization.

Supplier Relationships

Paying a bill late is a dynamic issue in business. Not only does it strain supplier relationships, it keeps you from receiving any early payment discounts or benefits. A streamlined process for AP internal controls ensures all vendors are by the due date (if not early). This means no more angry suppliers or missed opportunities for cost savings.


The more internal controls in place, the more prepared a company is for auditing. If you have a paper trail rife with duplicate payments, short payments, overpayments, late fees, etc., an audit will not be fun. Procurement controls ensure that whenever you have an audit, no matter who performs it, everything is right there for the picking.

Types of Accounts Payable Internal Controls

Obligation to Pay Controls

The first thing to check is that your company owes the debt. It then becomes your obligation to pay. Before cutting a check, there are internal systems that can ensure the debt is truly owed, the goods/services were received, and it’s the correct (and approved) amount. Typically speaking, there are four controls in place for this process:

  1. Approving the invoice
  2. Approving the purchase order
  3. Three-way and four-way matching
  4. Auditing for duplicates

Invoice Approval

The person who is in a position to authorize payment will signify their approval of the supplier invoice. However, this is a weak control if the authorizer has no way to verify if goods were received. How can they approve to pay for anything if they didn’t check the shipment coming in? There should be a receiving report for approval.

Additionally, what if the supplier is charging more than they quoted? How will the person approving the invoice know that either? The approver might also want to know which general ledger account is being charged.

Ideally, you want to have the payables staff first assemble a packet of documents. This should include the supplier invoice, original purchase order, and shipping receipts. The invoice should also be stamped with the account that is to be charged. This way, the approver has everything they need to sign off on the invoice and push it on to get paid.

Purchase Order Approval

For every purchase made, the purchasing department issues a purchase order. They are approving expenditures and preventing others from occurring. This keeps a company from spending out of control and curtails the misappropriation of funds. Since this involves a considerable amount of work by the purchasing staff, they will likely ask employees to request items on a purchase requisition form. 

Three-way Match

This is where the proof of shipping comes in. A payable staff member will match the supplier invoice to the related P.O. and proof of receipt before authorizing the payment. This approach goes above the need for individual invoice approval since it is based on the purchase order requested. 

Three-way matching is better than approving on the P.O. alone as it also verifies the receipt of goods. However, this process can be painfully slow and break down when documents are missing.

Four-way Match

Four-way matching works the same as three-way, but also includes evidence of an inspection report. This process is implemented when a location is using online receiving and inspection to take in goods. In this system, an invoice is matched to the corresponding P.O. for amount and quantity, receiving, and inspection information.


This includes a manual duplicate payment search. A computerized program will conduct an automated search to ensure there are no duplicate numbers in the system. When doing this manually, it can be a difficult endeavor for the accounting department.

A clerk must search through a vendor file and unpaid invoices to determine if an invoice that has just been received, has already been paid. In many cases, the sheer volume of invoices coming in makes this difficult, especially for small businesses. Duplicates fall through the cracks on a regular basis.

Best Practices for Obligation to Pay Controls

While each of these tasks improves the overall accuracy of the AP process, it also adds a considerable amount of time and expenses. Every document could live in different departments and worse, exist in different file formats (i.e. hard copy vs. electronic). 

The most impactful way to add efficiency to your obligation to pay controls is to house all documents in one digital repository and manage them with automation. Ideally, this should be using the same accounting system as your invoice processing. 

The AP software has a digital record of the invoice, purchase order, shipping receipt, and inspection report. It will match the documents in the system and send it to the appropriate parties for approval. Simultaneously, an efficient AP program will search the database for duplicates and flag it on the original invoice. 

Allowing a computer to conduct all the jobs involved with verification has the potential to greatly improve your controls over the obligation to pay suppliers. 

A successful workflow will also enforce a true system of checks and balances by assigning different personnel to different tasks. This segregation of duties ensures you don’t have to put all your eggs in one basket. It also means a single individual isn’t solely accountable for the AP department’s success.

Data Entry Controls 

Once you have identified an invoice as something that must be paid, the information has to make its way into your AP system. There are generally two AP controls for data entry:

Record Invoice Before Approval

As soon as an invoice hits the AP department, it is recorded in the payables system. The debit is immediately documented. This puts a greater priority on paying suppliers over authorization and works best when you have a purchase order process in place. 

Record Invoice After Approval

This control assumes every invoice coming in could be a duplicate or error. It must go through an approval process before it can be recorded. The AP employee will verify the approval of the invoice before entering it into the system. This invoicing system involves a greater separation of duties and thus more control.

Best Practices for Data Entry Controls

Whichever method you choose to implement, there is still the issue of actually entering the data. Even the most diligent AP employee isn’t as fast or accurate as a computer. It’s nearly impossible to avoid typographical errors when keying in such a high volume of financial statements. There are just too many steps from the eyes to the brain to the hand. 

Hosting all of your necessary documents for approval in one digital space is the best practice when it comes to data storage. A centralized and digital system is one solution to the problem of manual data entry. 

Technologies like optical character recognition (OCR), artificial intelligence, and machine learning will capture and match invoice data to your financial and accounting codes. Automated disbursements free up staff to focus more on business growth.

Invoice Numbering

Another best practice for data entry is to adopt an invoice numbering guideline. Even though most accounting software can detect and match the same invoice number, there are times when you can trip up the system. 

For example, do you record invoice numbers with leading zeros (0001) or do you drop them (1)? If the same invoice is recorded twice, in those two separate ways, the program will not flag them as duplicates. It is that precise. The same problem can arise when you use dashes too, like (123-999) vs. (123999).

Match to Budget

The supplier invoice should always be charged to the right ledger. One way to ensure there is no disparity is to match the invoice to the department budget. This will tell you whether the right department was charged for the expense.

Payment Controls

Once the invoice is matched and the data is in the system, it’s time to pay your bills. Up to this point, all internal controls listed have been in place to ensure invoices are accurate, valid, and that the debt is owed. The final step is paying the bills.

The following are some of the more common payment controls (centered around payment with checks):

Segregation of Duties

The person who prepares the check should always be separate from the one that signs it. Adding a second pair of eyes not only catches last-minute errors, it mitigates risk and reduces fraud. It’s a cross-check on the issuance of cash.

Manual Check Signing

All checks should be manually signed rather than using a stamp or signature plate. If you must have a stamp, it’s important to also have a purchase order system in place. In that way, the purchasing staff becomes the de facto invoice approvers by issuing P.O’s earlier in the payables process flow.

Store all Checks Securely

All checks (including unused check stock) should always be stored in a lockbox. Otherwise, they can be stolen and used for fraudulent purposes. All signature plates and stamps should also be stored in the same secure location.

Track the Check Numbers

As checks are issued, keep a log of all sequence numbers going out. List the range used for each check run. This will help AP staff identify if certain checks are missing or stolen. The log should never be kept in the same place as the stored checks since someone could steal both.

Double Signing

It’s always a good idea to have more than one person sign off on a check. This is especially the case if it exceeds a certain amount. Then you may want to have a manager sign off on it. By adding a senior-level staff member, you’re reducing the risk of loss and duplicate payments. 

Best Practices for Payment Controls

If you’re serious about mitigating risk at this level, it may be best to move to an electronic payment system. Switching to a process like ACH has a number of advantages, including:

Mail Fraud

A check “lost in the mail” doesn’t exist in the electronic payments sphere. While mail fraud is not as common as other types, eliminating the possibility completely is not a bad idea.


ACH enables more secure transactions via a technology called tokenization. This restricts each payment to a one-time-use number that’s set at a fixed amount. This also ensures you cannot accidentally duplicate payments.

Payment Immediacy

By increasing the ability to pay vendors faster, you open up opportunities to manage cash flow in a more strategic way.

Where to Start When Establishing an Internal Controls Framework

Accounts Payable has a critical role in the internal controls of a business as the custodian of funds leaving the finance organization. Much like trying to get water back into a leaky pipe, once payments are sent to suppliers, any opportunity for retrieving funds becomes increasingly complex. 

Yet data entry errors and payment fraud do happen. An internal accounts payable controls framework provides the basis for minimizing risk and error in AP controls. This includes approval workflows, signatory rights, and payment processes, all of which ensures financial compliance before payment.

Determining Roles and Responsibilities

From the CFO to Controller to AP staff, there are considerations for each to build strong internal accounts payable controls. 

Senior staff set the tone for the organization as well as ensure the segregation of duties (SoD). SoD enables points between entities to check each other’s work. That way, no one person becomes the source for releasing funds. It also double-checks for potential errors. 

The most effective way is to enable approval workflows for any supplier-based transactions. This way, they are verified by multiple entities. Automating such approvals streamlines efforts and creates a digital audit trail for your records.

Exercising a Well-Defined Supplier Onboarding Program

Knowing who your suppliers are is important when developing better business relationships. Particularly when working with cross-border suppliers where access is more limiting. In this case, making them demonstrate authenticity may not be a bad thing. 

This may require things like validating business addresses and banking details for electronic payments during the supplier onboarding process. One benefit to the Foreign Account Tax Compliance Act (FATCA) is that additional information can be requested such as where the supplier is doing business and their tax IDs. While it may seem like a formality, it can be useful in determining who you’re doing business with.

Leveraging Known Blacklists

Verifying any supplier against the OFAC SDN database will ensure the payee hasn’t been blacklisted for illegal activities. This minimizes the risk of money laundering and fraud. It may be wise to consider an internal database depending on the amount of supplier churn.

With a frequent turnover of AP staff, visual checks may not be enough to sustain controls over funds to bad actors. Checking both the SDN database, as well as internal risk lists, for each payment should close any loopholes.

Proactive Steps for Detecting Fraud

The most basic internal control involves an adequate and detailed payment reconciliation process. Knowing the state of funds and transactions is critical to monitoring activities. All of this should be reported back to the general ledger or ERP system as soon as possible. 

If an organization waits until month-end to reconcile, that’s a 30-day head-start for anyone attempting to defraud the organization.

This whitepaper from IOFM and the APP2P network includes a full list of internal control processes to support the accounts payable record to Report (R2R) effort. It also provides a deeper set of guidelines for establishing internal controls and compliance.

Strategies for Streamlining Your Internal Controls

When you run a business without strong internal controls you are handing over full access to your most valuable asset. Even if you lack the resources to implement a comprehensive internal controls system, there are still things you can do to effectively provide your business with a level of oversight. 

This starts with knowing the difference between preventative and detective controls.

Detective Controls

If you run a small or midsize business, you may want to consider implementing an infrastructure of detective controls. These are typically put in place to review data for human error while ensuring that assets remain secure. 

One example of detective controls is a reconciliation review. If you run a smaller organization, chances are a few employees are in charge of deposits, issuing checks, payroll, and performing monthly bank reconciliations. Having a third-party review helps take the weight off of one or two trusted employees.

Preventative Controls

These controls are established by organizations seeking to ensure something does not happen in advance. One example of preventative controls is setting transaction limits and segregating duties. Although it can be effective, it’s oftentimes harder for smaller companies to commit to such a strategy.

Tips for Implementing Internal Controls 

You don’t need to break the bank to use internal controls in your AP process. It simply takes a little time and effort. Here are a few ways to get started:

  1. Establish transaction limits and have supervisors sign off on large amounts.
  2. Record and re-evaluate your AP processes annually.
  3. Do not limit your resources to one employee in the event of unforeseeable circumstances, like sickness or job loss. Make sure a few people understand how the operation works.
  4. Reconcile key accounts monthly, then have a third party review them, including:
    • Receivables
    • Cash
    • Payables
    • Inventory
    • Payroll
  5. Restrict access to the general ledger.
  6. Assign an individual to review standard and nonstandard journal entries.
  7. Update the vendor list to ensure it is current and accurate.
  8. Form a policy for customer credit (with limits). Review it regularly.

Putting internal controls to work doesn’t have to be a daunting task and you don’t need to hire more people. Start by picking a few controls you can easily weave into regular operations. 

Begin implementing more changes over time and adjust those that aren’t working. Before you know it, aspects of internal controls will become commonplace.

Internal Controls and AP Technology

When you begin developing an infrastructure for internal controls, it can increase the workload for employees and the chances for fraud. This is why you want to examine internal controls as a universal system. Each control is part of a greater good.

Automation is the answer to streamlining workflows and increasing AP efficiency. There are plenty of opportunities to reduce time spent on tasks, cut back on manual labor, and apply the appropriate segregation of duties. This gives a business more room to focus on high-risk areas, increases employee satisfaction, and develop strong vendor relationships.

About the Author

  • Linkedin