Accounts Payable Internal Controls Checklist
Written by the Nexus AP editorial team. Reviewed and updated April 16, 2026.
A complete checklist of AP internal controls covering invoice approval, vendor management, payment release, and audit evidence. Includes preventive and detective controls with implementation guidance.
Accounts payable internal controls are the policies, procedures, and system safeguards that prevent fraud, errors, duplicate payments, and unauthorized disbursements in the AP process. Strong AP controls protect cash, ensure accurate financial reporting, and satisfy audit and compliance requirements including SOX.
This checklist covers the controls that every AP function should have in place, organized by control type and process area. Use it as a baseline assessment, an audit preparation tool, or a guide for designing controls in a new AP automation implementation.
Why AP Internal Controls Matter
Accounts payable is where money leaves the organization. Every weakness in AP controls creates an opportunity for:
- Fraud — fictitious vendors, inflated invoices, unauthorized payments
- Errors — duplicate payments, wrong amounts, incorrect GL coding
- Compliance failures — SOX deficiencies, audit findings, regulatory penalties
- Cash leakage — overpayments, missed discounts, late payment penalties
Organizations without systematic AP controls lose an estimated 1 to 2 percent of total disbursements to errors and fraud. For a company processing $50 million in annual payables, that is $500,000 to $1 million in avoidable losses.
Master Checklist: AP Internal Controls
Use this checklist to assess your current control environment. Each control should be documented, consistently applied, and testable by auditors.
- Segregation of duties between invoice entry, approval, and payment release
- Mandatory PO matching before payment for all goods purchases
- Vendor master file change controls with secondary approval
- Automated duplicate invoice detection before posting
- Approval authority limits by dollar threshold and expense category
- Three-way match enforcement for physical goods
- Exception escalation and resolution tracking with SLA targets
- Payment batch review and dual authorization before release
- Bank account verification for new vendors and bank detail changes
- Monthly reconciliation of AP subledger to general ledger
- Role-based access controls for AP system and banking portals
- Complete audit trail for every approval, override, and payment
- Document retention for all invoices, POs, receipts, and approvals
- Periodic vendor statement reconciliation
- Aging review of open payables with investigation of outliers
Preventive vs Detective Controls
AP controls fall into two categories. Both are necessary.
| Control Type | Purpose | Examples | When It Triggers |
|---|---|---|---|
| Preventive | Stop errors and fraud before they happen | Approval threshold limits, mandatory PO matching, segregation of duties, vendor verification | Before invoice posting or payment |
| Detective | Identify problems after they occur | Duplicate invoice scanning, AP-to-GL reconciliation, vendor statement reconciliation, aging analysis | During processing or at period end |
Preventive controls are stronger because they block problems at the source. Detective controls catch what preventive controls miss. A robust AP control environment uses both.
Invoice Approval Controls
Invoice approval is where most AP fraud and error risk concentrates. These controls govern who can approve what and under what conditions.
Approval Authority Matrix
Every organization should define a clear matrix specifying who can approve invoices at each dollar level. A typical structure:
| Invoice Amount | Required Approver | Backup Approver | Maximum SLA |
|---|---|---|---|
| Under $1,000 | Department manager | Auto-approve if PO matched | 24 hours |
| $1,000 to $10,000 | Department head | VP of department | 48 hours |
| $10,000 to $50,000 | VP and Finance | CFO | 72 hours |
| Over $50,000 | CFO | CEO | 5 business days |
Delegation Rules
Approvers will be unavailable. Plan for it:
- Define temporary delegation rules for vacation and travel
- Require delegation to be pre-authorized, not ad hoc
- Set expiration dates on all delegations
- Ensure delegates cannot approve their own expenses
- Log all delegated approvals separately for audit
Approval Routing
Invoices should route automatically based on PO data, department, GL code, or project. Manual routing creates bottlenecks and bypass opportunities. Automated routing ensures every invoice reaches the right approver without AP staff making judgment calls about who should see it.
Vendor and Payment Controls
Vendor and payment controls prevent the two most damaging AP fraud schemes: fictitious vendors and unauthorized payments.
Vendor Master Controls
- Require secondary approval for all new vendor additions
- Verify vendor tax ID, address, and bank details before first payment
- Require secondary approval for any change to vendor bank account information
- Periodically review the vendor master for dormant vendors, duplicate entries, and vendors matching employee addresses
- Restrict vendor master editing access to a small number of authorized users
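A periodic vendor master review of the kind listed above can be scripted as a detective control. This is an added example, not Nexus code: the record fields, the 365-day dormancy window, and the reading of "duplicate entries" as a shared tax ID or bank account are assumptions.

```python
import re
from collections import defaultdict
from datetime import date

def norm_addr(addr):
    # Lower-case, drop punctuation, abbreviate common street words.
    text = re.sub(r"[^a-z0-9 ]", "", addr.lower())
    swaps = {"street": "st", "avenue": "ave", "road": "rd", "suite": "ste"}
    return " ".join(swaps.get(w, w) for w in text.split())

def review_vendor_master(vendors, employees, today, dormant_days=365):
    """Return (vendor_id or tuple of ids, finding) pairs for follow-up."""
    findings = []
    emp_addrs = {norm_addr(e["address"]): e["id"] for e in employees}
    by_tax_id, by_bank = defaultdict(list), defaultdict(list)
    for v in vendors:
        by_tax_id[v["tax_id"]].append(v["id"])
        by_bank[v["bank_account"]].append(v["id"])
        emp = emp_addrs.get(norm_addr(v["address"]))
        if emp:
            findings.append((v["id"], f"address matches employee {emp}"))
        if (today - v["last_payment"]).days > dormant_days:
            findings.append((v["id"], "dormant"))
    # Assumed definition of a duplicate entry: same tax ID or same bank account.
    for label, index in (("tax ID", by_tax_id), ("bank account", by_bank)):
        for ids in index.values():
            if len(ids) > 1:
                findings.append((tuple(ids), f"shared {label}"))
    return findings

# Constructed sample data; every name and value is made up.
TODAY = date(2026, 4, 16)
EMPLOYEES = [{"id": "E7", "address": "45 elm ave."}]
VENDORS = [
    {"id": "V1", "tax_id": "11-1111111", "bank_account": "000111",
     "address": "12 Main Street, Suite 4", "last_payment": date(2026, 3, 1)},
    {"id": "V2", "tax_id": "11-1111111", "bank_account": "000222",
     "address": "99 Dock Rd", "last_payment": date(2026, 2, 10)},
    {"id": "V3", "tax_id": "22-2222222", "bank_account": "000333",
     "address": "45 Elm Avenue", "last_payment": date(2024, 11, 5)},
]
```

Findings are leads for a reviewer, not verdicts: a shared address or tax ID can be legitimate and should be cleared with evidence rather than suppressed.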
Payment Controls
- Require dual authorization for payment batches above a defined threshold
- Run duplicate invoice checks before every payment run
- Verify that all invoices in a payment batch have completed the approval workflow
- Separate payment batch preparation from payment release — different people
- Use positive pay or ACH filters to prevent unauthorized debits
- Establish and enforce procedures for rush and emergency payments
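The payment controls above and the approval authority matrix can be combined into one pre-release gate that a payment run must pass. This is an added example, not Nexus code: the record layout and role names are hypothetical, only primary approvers are modeled, and the tier boundaries follow the assumption stated in the code because the matrix leaves $10,000 and $50,000 ambiguous.

```python
from collections import Counter
from decimal import Decimal

# Primary approver roles per tier, from the approval authority matrix. Assumed:
# a shared boundary ($1,000, $10,000) goes to the higher tier; $50,000 to tier 3.
TIERS = [
    (lambda a: a < 1_000, {"dept_manager"}),
    (lambda a: a < 10_000, {"dept_head"}),
    (lambda a: a <= 50_000, {"vp", "finance"}),
    (lambda a: True, {"cfo"}),
]

def required_roles(amount):
    return next(roles for fits, roles in TIERS if fits(amount))

def dup_key(inv):
    # Normalise the invoice number so "INV-0042" and "inv 0042" collide.
    number = "".join(ch for ch in inv["number"].upper() if ch.isalnum())
    return (inv["vendor"], number, inv["amount"])

def check_batch(batch):
    """Return (invoice_id, finding) tuples; an empty list means releasable."""
    findings = []
    if batch["prepared_by"] == batch["released_by"]:
        findings.append(("BATCH", "preparer and releaser are the same person"))
    seen = Counter(dup_key(i) for i in batch["invoices"])
    for inv in batch["invoices"]:
        users = {user for user, _ in inv["approvals"]}
        roles = {role for _, role in inv["approvals"]}
        missing = required_roles(inv["amount"]) - roles
        if missing:
            findings.append((inv["id"], "missing approval: " + ", ".join(sorted(missing))))
        if inv["entered_by"] in users:
            findings.append((inv["id"], "entered and approved by same user"))
        if seen[dup_key(inv)] > 1:
            findings.append((inv["id"], "possible duplicate invoice"))
    return findings

def invoice(id_, vendor, number, amount, entered_by, approvals):
    return {"id": id_, "vendor": vendor, "number": number, "amount": Decimal(amount),
            "entered_by": entered_by, "approvals": approvals}

# Constructed sample batch; every name and value is made up.
SAMPLE_BATCH = {"prepared_by": "alice", "released_by": "bob", "invoices": [
    invoice("A1", "V100", "INV-0042", "800", "carol", [("dave", "dept_manager")]),
    invoice("A2", "V100", "inv 0042", "800", "carol", [("dave", "dept_manager")]),
    invoice("A3", "V200", "7781", "10000", "erin", [("frank", "dept_head")]),
    invoice("A4", "V300", "55", "2500", "gina", [("gina", "dept_head")]),
]}
```

Running the gate as a blocking step makes it a preventive control; running the same function over already-released batches turns it into a detective one.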
Audit Evidence Requirements
Auditors need to see that controls exist, are consistently applied, and are effective. For each control in your AP process, maintain:
- Policy documentation — Written description of the control, who is responsible, and how it operates
- Evidence of execution — System logs, approval records, reconciliation sign-offs, exception reports
- Evidence of monitoring — Periodic review reports, control testing results, remediation records
- Evidence of remediation — Documentation of control failures and corrective actions taken
Common Audit Findings in AP
These are the findings auditors report most frequently:
- Segregation of duties violations — same person entering and approving invoices
- Missing or incomplete approval documentation
- Invoices paid without PO matching
- Vendor master changes without secondary approval
- No evidence of periodic duplicate payment review
- AP subledger not reconciled to GL monthly
Each finding is avoidable with the controls in this checklist.
How Automation Strengthens AP Controls
Manual AP controls rely on people following procedures consistently. AP automation embeds controls into the system so they cannot be bypassed.
- Segregation of duties — Role-based access controls enforce separation by design, not by policy
- PO matching — Automated three-way matching with configurable tolerances replaces manual comparison
- Duplicate detection — System scans every invoice against historical records before posting
- Approval routing — Rules-based routing ensures every invoice reaches the right approver at the right threshold
- Audit trail — Every action is logged automatically with timestamp, user, and decision — no manual documentation required
- Exception management — Exceptions are flagged, routed, tracked, and resolved within the system with full visibility
Automation does not eliminate the need for control design. It makes controls more reliable by removing the human variability that causes control failures.
Organizations evaluating AP automation should map their control requirements before implementation. The [AP automation implementation checklist](#) provides a structured approach to designing controls into the automated workflow from the start.