Accounts Payable Internal Controls
Jul 10, 2026
Try it now: upload an invoice and get the data in Excel or CSV
PDF, JPG, PNG, BMP, HEIC, TIFF
Upload your invoices
Drop files here or click to upload
Up to 50 files
Uploading...
Accounts payable internal controls are the policies, approvals, and system restrictions that make sure a company pays only real invoices, from approved vendors, at the correct amount, once. The core control is segregation of duties: the person who adds a vendor, the person who approves an invoice, and the person who releases the payment must be three different people. Every other AP control exists to catch what segregation of duties alone would miss.
Last updated July 2026.
AP is where cash leaves the building, which makes it the most attractive process in the company to attack and the first place an auditor looks. Most US finance teams organize these controls using the COSO Internal Control framework, which the SEC and PCAOB recognize as a suitable basis for evaluating internal control over financial reporting under Sarbanes-Oxley Section 404. You do not need to be a public company for the structure to be useful. The failure modes are identical at ten invoices a week and ten thousand.
What are the internal controls for accounts payable?
Eight controls do most of the work. The first four prevent bad payments, the last four detect them.
| Control | Type | What it stops |
|---|---|---|
| Segregation of duties | Preventive | One person creating a fake vendor and paying it |
| Vendor master file controls | Preventive | Fictitious vendors and fraudulent bank detail changes |
| Authorization and approval limits | Preventive | Unbudgeted or unauthorized spend |
| Purchase order and three-way matching | Preventive | Paying for goods never ordered or never received |
| Duplicate invoice detection | Detective | Paying the same invoice twice |
| Bank and AP subledger reconciliation | Detective | Unrecorded, altered, or misapplied payments |
| Role-based system access | Preventive | Segregation of duties defeated inside the software |
| Complete, immutable audit trail | Detective | Changes nobody can trace or explain |
What is segregation of duties in accounts payable?
Segregation of duties means no single person controls a transaction from start to finish. In AP, four functions must be split so that committing fraud requires collusion rather than a single decision.
| Function | Typical role | Must never also do |
|---|---|---|
| Set up and change vendors | Vendor master administrator | Approve invoices or release payments |
| Enter and code invoices | AP clerk | Approve their own entries |
| Approve invoices for payment | Budget owner or manager | Create vendors or execute payment |
| Execute and release payments | Treasury or controller | Create vendors or approve invoices |
| Reconcile bank accounts | Accountant, independent of AP | Enter invoices or release payments |
The combination that matters most is vendor creation plus payment release. Anyone holding both can invent a supplier, invoice the company, and pay themselves, and the transaction will look perfectly ordinary in the ledger. If you can only enforce one separation, enforce that one.
How do small companies segregate duties with only two people?
They compensate rather than pretend. Full segregation needs three or four people, and most small businesses do not have them. The workable substitute is owner oversight applied to a small number of high-leverage checkpoints, done consistently.
- The owner, not the bookkeeper, receives the bank statement or holds read-only bank access, and reviews it monthly.
- The owner reviews and approves every new vendor added to the master file, and every change to vendor bank details.
- The owner reviews the payment run before release, comparing the vendor list against known suppliers.
- Nobody uses a shared login. Every action in the accounting system carries a name.
- An outside accountant reconciles the bank account, or reviews the reconciliation the bookkeeper prepared.
These are compensating controls. They do not eliminate the risk, they make it much harder to run undetected past one month. Auditors accept them when they are documented and actually performed, and the evidence of performance is what gets tested.
What are vendor master file controls?
The vendor master file is the highest-risk table in the accounting system, because a payment can only go where a vendor record points. Controls belong at three moments.
At creation. Require a completed W-9 before a vendor is paid, verify the legal name and TIN against IRS records, screen the address against employee addresses, and require documented approval from someone outside AP. A vendor sharing an address or bank account with an employee is the classic fictitious-vendor signature.
At change. Bank detail changes are the single most exploited weakness in AP. Business email compromise works by sending a plausible "we changed banks" request from a spoofed or genuinely compromised supplier mailbox. The control is a callback to a phone number already on file, never a number supplied in the request itself, performed by someone who cannot release payments. Log the callback.
Continuously. Review the file quarterly for duplicates, inactive vendors, one-time vendors that became recurring, and records with missing tax information. Deactivate anything unused for a year. A file that only grows becomes a place to hide. The mechanics of onboarding are covered in the vendor onboarding process, and reporting obligations in 1099 vendor requirements.
How does three-way matching prevent fraud?
Three-way matching compares the purchase order, the receiving document, and the supplier invoice before payment is approved. The invoice is paid only when all three agree on item, quantity, and price within a defined tolerance.
It works because a fraudulent or erroneous invoice must reconcile with two documents created by different departments at different times. Invoicing for goods never ordered fails the PO check. Invoicing for goods ordered but never delivered fails the receiving check. Inflating the price fails the PO check. To defeat it, someone in purchasing, someone in receiving, and someone in AP have to cooperate.
Not every invoice can be matched. Utilities, legal fees, rent, and subscriptions arrive with no PO. Those need a different control, usually approval by the budget owner against a contract or a recurring schedule, and they deserve more scrutiny precisely because the match cannot help. The mechanics are in what is three-way matching and the software side in invoice matching software.
How do you prevent duplicate invoice payments?
Duplicates are usually error, not fraud, and they are common enough that most AP teams have paid one. The invoice arrives by email and by mail, or a vendor resends it as a statement, or the same invoice is entered with and without a leading zero on the number.
The controls are unglamorous and effective: enforce uniqueness on the combination of vendor, invoice number, and amount at the point of entry rather than at payment; normalize invoice numbers by stripping spaces, dashes, and leading zeros before comparison; block the same invoice number against the same vendor even when the amount differs; run a pre-payment duplicate report on every payment run; and reconcile vendor statements monthly, since the supplier usually notices the double payment first. See how to prevent duplicate invoice payments for the detail.
Manual entry is what makes duplicates hard to catch, because a human retyping an invoice number introduces the very variations that defeat exact matching. Automated capture returns the invoice number as it appears on the document, consistently, which is why extraction and duplicate detection tend to arrive together.
How does the COSO framework apply to accounts payable?
COSO organizes internal control into five components. Mapping them to AP turns an abstract framework into a checklist.
| COSO component | What it looks like in AP |
|---|---|
| Control environment | A written AP policy, defined approval authority, tone from management that exceptions are not routine |
| Risk assessment | Identifying where AP can fail: fictitious vendors, duplicates, bank-detail fraud, unauthorized spend |
| Control activities | Segregation of duties, matching, approval limits, duplicate checks, reconciliations |
| Information and communication | Complete audit trail, approval evidence, timely reporting of exceptions |
| Monitoring | Periodic testing that controls still operate, plus internal audit and management review |
Under SOX Section 404, management asserts that internal control over financial reporting is effective, and AP is a core process auditors test. The distinction that trips teams up is design versus operating effectiveness. A policy stating that invoices above $5,000 require VP approval is a designed control. It is only an operating control if, when the auditor pulls a sample of thirty invoices, every one above the threshold carries a timestamped approval from someone with that authority. Undocumented approval is an exception even when the payment was entirely legitimate.
What evidence do auditors ask for?
- A current AP policy and delegation of authority matrix showing approval limits by role.
- A system access report proving that no user holds conflicting roles, and evidence it is reviewed periodically.
- A sample of invoices with matching PO, receiving document, and timestamped approval.
- Evidence of vendor bank-detail change callbacks, with who performed them.
- Completed monthly bank reconciliations, signed by a preparer and a separate reviewer.
- The vendor master change log for the period.
- Duplicate payment reports and the resolution of any items found.
Notice how much of this is evidence of performance rather than evidence of intent. Teams tracking control obligations across frameworks often move this out of spreadsheets and into a system that maps each control to its owner and testing evidence, because reassembling it during fieldwork is the expensive way to do it.
Where automation strengthens AP controls, and where it weakens them
Automation improves controls when it removes discretion and creates evidence. Automated capture eliminates transcription error and records exactly what the document said. System-enforced matching cannot be talked out of a variance. Approval routing produces a timestamped, immutable trail that no email chain matches. Duplicate detection runs on every invoice rather than on the ones someone remembered to check.
Automation weakens controls in two specific ways, both worth watching. First, it concentrates power in whoever configures the system: the person who can edit approval routing or matching tolerances has effectively granted themselves approval authority, so configuration changes need the same segregation and logging as payments. Second, straight-through processing means invoices post without a human ever seeing them, which is the goal, but it makes the exception queue the entire control surface. If nobody works the exception queue, or if tolerances are set wide enough that nothing lands there, the control exists on paper only.
The step to automate first is capture, because it is high volume, purely mechanical, and the source of the errors that later masquerade as control failures. Our invoice data extraction software reads the invoice number, vendor, dates, line items, and totals off any layout and returns structured data, so the number in your system is the number on the document. From there, accounts payable automation software covers routing, matching, and approval.
The short version
Split vendor creation, invoice approval, and payment release across different people, and if you cannot, put the owner on the bank statement and the vendor master. Verify vendors before you pay them and call back every bank-detail change on a number you already had. Match against the PO and the receiving document where one exists, and apply harder approval scrutiny where one does not. Check for duplicates at entry, not at payment. Reconcile monthly with a separate reviewer. Then automate capture, because a control that depends on someone accurately retyping an invoice number is not a control. Related reading: the accounts payable audit, how to prevent invoice fraud, and the invoice approval workflow.
This article is general information about internal control practice, not legal, audit, or accounting advice for your specific circumstances.