Accounts Payable Internal Controls

Jul 10, 2026

Try it now: upload an invoice and get the data in Excel or CSV

PDF, JPG, PNG, BMP, HEIC, TIFF

Upload your invoices

Accounts payable internal controls are the policies, approvals, and system restrictions that make sure a company pays only real invoices, from approved vendors, at the correct amount, once. The core control is segregation of duties: the person who adds a vendor, the person who approves an invoice, and the person who releases the payment must be three different people. Every other AP control exists to catch what segregation of duties alone would miss.

Last updated July 2026.

AP is where cash leaves the building, which makes it the most attractive process in the company to attack and the first place an auditor looks. Most US finance teams organize these controls using the COSO Internal Control framework, which the SEC and PCAOB recognize as a suitable basis for evaluating internal control over financial reporting under Sarbanes-Oxley Section 404. You do not need to be a public company for the structure to be useful. The failure modes are identical at ten invoices a week and ten thousand.

What are the internal controls for accounts payable?

Eight controls do most of the work. The first four prevent bad payments, the last four detect them.

ControlTypeWhat it stops
Segregation of dutiesPreventiveOne person creating a fake vendor and paying it
Vendor master file controlsPreventiveFictitious vendors and fraudulent bank detail changes
Authorization and approval limitsPreventiveUnbudgeted or unauthorized spend
Purchase order and three-way matchingPreventivePaying for goods never ordered or never received
Duplicate invoice detectionDetectivePaying the same invoice twice
Bank and AP subledger reconciliationDetectiveUnrecorded, altered, or misapplied payments
Role-based system accessPreventiveSegregation of duties defeated inside the software
Complete, immutable audit trailDetectiveChanges nobody can trace or explain

What is segregation of duties in accounts payable?

Segregation of duties means no single person controls a transaction from start to finish. In AP, four functions must be split so that committing fraud requires collusion rather than a single decision.

FunctionTypical roleMust never also do
Set up and change vendorsVendor master administratorApprove invoices or release payments
Enter and code invoicesAP clerkApprove their own entries
Approve invoices for paymentBudget owner or managerCreate vendors or execute payment
Execute and release paymentsTreasury or controllerCreate vendors or approve invoices
Reconcile bank accountsAccountant, independent of APEnter invoices or release payments

The combination that matters most is vendor creation plus payment release. Anyone holding both can invent a supplier, invoice the company, and pay themselves, and the transaction will look perfectly ordinary in the ledger. If you can only enforce one separation, enforce that one.

How do small companies segregate duties with only two people?

They compensate rather than pretend. Full segregation needs three or four people, and most small businesses do not have them. The workable substitute is owner oversight applied to a small number of high-leverage checkpoints, done consistently.

  • The owner, not the bookkeeper, receives the bank statement or holds read-only bank access, and reviews it monthly.
  • The owner reviews and approves every new vendor added to the master file, and every change to vendor bank details.
  • The owner reviews the payment run before release, comparing the vendor list against known suppliers.
  • Nobody uses a shared login. Every action in the accounting system carries a name.
  • An outside accountant reconciles the bank account, or reviews the reconciliation the bookkeeper prepared.

These are compensating controls. They do not eliminate the risk, they make it much harder to run undetected past one month. Auditors accept them when they are documented and actually performed, and the evidence of performance is what gets tested.

What are vendor master file controls?

The vendor master file is the highest-risk table in the accounting system, because a payment can only go where a vendor record points. Controls belong at three moments.

At creation. Require a completed W-9 before a vendor is paid, verify the legal name and TIN against IRS records, screen the address against employee addresses, and require documented approval from someone outside AP. A vendor sharing an address or bank account with an employee is the classic fictitious-vendor signature.

At change. Bank detail changes are the single most exploited weakness in AP. Business email compromise works by sending a plausible "we changed banks" request from a spoofed or genuinely compromised supplier mailbox. The control is a callback to a phone number already on file, never a number supplied in the request itself, performed by someone who cannot release payments. Log the callback.

Continuously. Review the file quarterly for duplicates, inactive vendors, one-time vendors that became recurring, and records with missing tax information. Deactivate anything unused for a year. A file that only grows becomes a place to hide. The mechanics of onboarding are covered in the vendor onboarding process, and reporting obligations in 1099 vendor requirements.

How does three-way matching prevent fraud?

Three-way matching compares the purchase order, the receiving document, and the supplier invoice before payment is approved. The invoice is paid only when all three agree on item, quantity, and price within a defined tolerance.

It works because a fraudulent or erroneous invoice must reconcile with two documents created by different departments at different times. Invoicing for goods never ordered fails the PO check. Invoicing for goods ordered but never delivered fails the receiving check. Inflating the price fails the PO check. To defeat it, someone in purchasing, someone in receiving, and someone in AP have to cooperate.

Not every invoice can be matched. Utilities, legal fees, rent, and subscriptions arrive with no PO. Those need a different control, usually approval by the budget owner against a contract or a recurring schedule, and they deserve more scrutiny precisely because the match cannot help. The mechanics are in what is three-way matching and the software side in invoice matching software.

How do you prevent duplicate invoice payments?

Duplicates are usually error, not fraud, and they are common enough that most AP teams have paid one. The invoice arrives by email and by mail, or a vendor resends it as a statement, or the same invoice is entered with and without a leading zero on the number.

The controls are unglamorous and effective: enforce uniqueness on the combination of vendor, invoice number, and amount at the point of entry rather than at payment; normalize invoice numbers by stripping spaces, dashes, and leading zeros before comparison; block the same invoice number against the same vendor even when the amount differs; run a pre-payment duplicate report on every payment run; and reconcile vendor statements monthly, since the supplier usually notices the double payment first. See how to prevent duplicate invoice payments for the detail.

Manual entry is what makes duplicates hard to catch, because a human retyping an invoice number introduces the very variations that defeat exact matching. Automated capture returns the invoice number as it appears on the document, consistently, which is why extraction and duplicate detection tend to arrive together.

How does the COSO framework apply to accounts payable?

COSO organizes internal control into five components. Mapping them to AP turns an abstract framework into a checklist.

COSO componentWhat it looks like in AP
Control environmentA written AP policy, defined approval authority, tone from management that exceptions are not routine
Risk assessmentIdentifying where AP can fail: fictitious vendors, duplicates, bank-detail fraud, unauthorized spend
Control activitiesSegregation of duties, matching, approval limits, duplicate checks, reconciliations
Information and communicationComplete audit trail, approval evidence, timely reporting of exceptions
MonitoringPeriodic testing that controls still operate, plus internal audit and management review

Under SOX Section 404, management asserts that internal control over financial reporting is effective, and AP is a core process auditors test. The distinction that trips teams up is design versus operating effectiveness. A policy stating that invoices above $5,000 require VP approval is a designed control. It is only an operating control if, when the auditor pulls a sample of thirty invoices, every one above the threshold carries a timestamped approval from someone with that authority. Undocumented approval is an exception even when the payment was entirely legitimate.

What evidence do auditors ask for?

  • A current AP policy and delegation of authority matrix showing approval limits by role.
  • A system access report proving that no user holds conflicting roles, and evidence it is reviewed periodically.
  • A sample of invoices with matching PO, receiving document, and timestamped approval.
  • Evidence of vendor bank-detail change callbacks, with who performed them.
  • Completed monthly bank reconciliations, signed by a preparer and a separate reviewer.
  • The vendor master change log for the period.
  • Duplicate payment reports and the resolution of any items found.

Notice how much of this is evidence of performance rather than evidence of intent. Teams tracking control obligations across frameworks often move this out of spreadsheets and into a system that maps each control to its owner and testing evidence, because reassembling it during fieldwork is the expensive way to do it.

Where automation strengthens AP controls, and where it weakens them

Automation improves controls when it removes discretion and creates evidence. Automated capture eliminates transcription error and records exactly what the document said. System-enforced matching cannot be talked out of a variance. Approval routing produces a timestamped, immutable trail that no email chain matches. Duplicate detection runs on every invoice rather than on the ones someone remembered to check.

Automation weakens controls in two specific ways, both worth watching. First, it concentrates power in whoever configures the system: the person who can edit approval routing or matching tolerances has effectively granted themselves approval authority, so configuration changes need the same segregation and logging as payments. Second, straight-through processing means invoices post without a human ever seeing them, which is the goal, but it makes the exception queue the entire control surface. If nobody works the exception queue, or if tolerances are set wide enough that nothing lands there, the control exists on paper only.

The step to automate first is capture, because it is high volume, purely mechanical, and the source of the errors that later masquerade as control failures. Our invoice data extraction software reads the invoice number, vendor, dates, line items, and totals off any layout and returns structured data, so the number in your system is the number on the document. From there, accounts payable automation software covers routing, matching, and approval.

The short version

Split vendor creation, invoice approval, and payment release across different people, and if you cannot, put the owner on the bank statement and the vendor master. Verify vendors before you pay them and call back every bank-detail change on a number you already had. Match against the PO and the receiving document where one exists, and apply harder approval scrutiny where one does not. Check for duplicates at entry, not at payment. Reconcile monthly with a separate reviewer. Then automate capture, because a control that depends on someone accurately retyping an invoice number is not a control. Related reading: the accounts payable audit, how to prevent invoice fraud, and the invoice approval workflow.

This article is general information about internal control practice, not legal, audit, or accounting advice for your specific circumstances.