Home Blog Accounts payable controls and how to build a safer approval process

Accounts Payable Accounting efficiency tips

Accounts payable controls and how to build a safer approval process

By Justin Campbell

5 min read •

Jan 21, 2026

Accounts payable isn’t just back-office admin. For AP managers, controllers, CFOs, and finance leaders, it’s a control point for cash, fraud risk, and financial reporting. As invoice volumes grow and teams become stretched, gaps in process can quickly turn into risks.

The AFP’s 2025 Payments Fraud and Control Survey found that 79% of organizations experienced attempted or actual fraud in 2024. This is why accounts payable controls matter. They set clear boundaries around who can raise spending, who can approve it, and how payments are released. This reduces exposure across your entire organization, whether you’re a small finance team or a complex, multi-entity business.

In this guide, we’ll explain what accounts payable controls are, where they sit across the AP process, and which controls make the biggest difference in practice. We’ll also look at how you can apply them in your growing finance team.

Why it matters: As invoice volumes climb and finance teams stretch thin, weak AP controls turn into fraud risk, duplicate payments, and cash leakage.

The bottom line: Strong controls don't slow you down. They give your team clear boundaries around who can spend, who can approve, and how payments leave your business.

What are accounts payable controls?

Accounts payable controls are the policies, procedures, and system checks that govern how invoices are approved, recorded, and paid. They sit across people, processes, and technology – shaping how money moves out of the business.

In practice, internal controls over accounts payable protect cash, support accurate financial statements, and maintain trust with suppliers. They also reduce the risk of errors, duplicate payments, and fraud – both internally and externally.

You’ll often hear these referred to as AP internal controls, especially in audit and compliance contexts.

The main goals of accounts payable controls are to:

Confirm that only valid and authorized obligations are paid
Keep invoice data complete, accurate, and consistent
Reduce exposure to fraud and unauthorized spend
Support audit, regulatory, and internal reporting requirements

Good AP controls don’t slow teams down. They give structure to everyday work and clarity around who can do what and when.

The 3 core areas of AP controls across the process

AP controls follow the journey of an invoice from receipt to payment. Thinking about controls in three stages helps you see where risks enter and where checks belong.

Obligation-to-pay controls

These controls confirm there is a legitimate reason to pay an invoice in the first place. They sit at the front of the process and stop unauthorized or fake obligations from entering AP.

Common examples include approved purchase orders, confirmed budgets, and valid contracts or supplier agreements.

The goal here is simple: no obligation = no payment.

Data entry and coding controls

Data accuracy becomes the primary focus once an invoice has been accepted. AP controls help to keep records clean and consistent.

This might include standardized GL and cost center rules, required fields, tax validation, and duplicate invoice checks at entry. Clean data ultimately reduces rework and supports reliable reporting later on.

Payment and disbursement controls

This is where cash actually leaves the bank, so controls need to be tight. This can include payment approval thresholds, dual sign-off, restricted bank access, secure payment files, and reconciliations.

These controls protect cash and help catch issues before money leaves your company.

Key accounts payable controls you should have in place

While every organization is different, most mature finance teams rely on a similar set of AP controls. The exact design may vary, but the risks they address stay the same:

Separation of duties in the AP process

Different employees should create vendors, enter invoices, approve spend and release payments. This is known as segregation of duties in AP. Errors and fraud are harder to detect when one person controls every step. In smaller teams, a second review or owner sign-off can offer some level of segregation. We look at practical ways to do this later in the article.

Invoice verification and matching (2-way and 3-way)

Matching confirms that what you’re paying for was actually ordered and received. Two-way matching compares the invoice to the PO. Three-way matching adds the receipt or goods received note, often reserved for higher-risk or higher-value spend.

Approval workflows and authorization limits

Approval workflows control who can approve what and at which value. For example, low-value invoices may need one manager sign-off, while higher amounts require both department and finance approval.

Vendor and vendor master controls

Vendor setup and changes are high-risk points. Controls here often include independent verification of bank details, dual approval for changes and regular reviews of inactive or duplicate suppliers.

Duplicate invoice and duplicate payment checks

Duplicate invoices can slip through when dates or formats change slightly. Automated checks, backed by regular reviews, save time and protect cash.

Payment method and bank access controls

Controls define who can create payment batches, who can approve them and who can access banking platforms. Dual approval for higher-value payments adds another layer of protection.

Reconciliations and AP audits

Regular reconciliation between the AP subledger, general ledger and bank accounts can help you spot errors early. Spot checks and internal AP audits act as detective controls.

Access controls and audit trails in AP systems

Role-based access limits what users can see and do. Audit trails show who approved, edited or paid an invoice – and when, which is important for investigations and audits.

Secure document and data retention

Invoices, POs, contracts and approvals should live in one system with clear retention rules. This supports audits, dispute resolution and long-term compliance.

Using an accounts payable risk and control matrix (RCM)

An accounts payable risk and control matrix (RCM) turns a list of controls into a structured view of risk. It links specific AP risks to the controls that address them and shows how those controls are tested.

An AP RCM answers three key questions:

What can go wrong?
What control reduces that risk?
How do we know the control works?

Here’s an example RCM in accounts payable:

AP risk

What could go wrong

Key control

Control type

How the control is reviewed or tested

Paying a fraudulent vendor

Fake or altered vendor details lead to unauthorized payments

Independent vendor verification and dual approval for vendor setup and bank detail changes

Preventive

Sample review of recent vendor additions and changes, including supporting evidence

Duplicate invoice or duplicate payment

The same invoice is paid more than once due to format changes or manual error

Automated duplicate invoice checks and exception reporting

Preventive / Detective

Review of duplicate invoice alerts and follow-up actions taken

Who owns AP controls and how often to review them

AP controls only work when someone owns them and reviews them regularly. Ownership usually sits with the AP manager or financial controller, with oversight from the CFO in smaller organizations. Control health should be reviewed and issues escalated when needed.

Here are some practical governance habits:

Review the AP risk and control matrix once or twice a year

Revisit your key AP risks and controls to check they still reflect how invoices are processed today, not how the process looked a year ago.

Test key controls on a sample basis

Pick a small number of invoices, approvals or vendor changes and walk them through the process to confirm controls are working as expected.

Log control exceptions and how they were resolved

When something goes wrong, record what happened, why it happened and what was done to fix it. This helps spot patterns before they turn into bigger issues.

Update controls when things change

New systems, team changes or process updates often create new risks. Adjust your controls at the same time so gaps don’t open up quietly.

AP controls in small and growing finance teams: how to make them work

Many AP processes sit with one or two people, especially in small or growing finance teams. In this case, full segregation of duties might not be possible. This is normal and doesn’t mean you have to accept greater risks.

This is where compensating controls come in. They add oversight without adding unnecessary complexity, and they work with the team you have today.

Here are a few ways you can apply this in your team:

CFO or owner review of higher-value payment runs.
A second set of eyes on payments above a set threshold can catch issues before money leaves the bank.
Independent review of vendor changes.
Periodic checks on new vendors or bank detail updates reduce the risk of fraudulent or incorrect payments.
Exception reports and spot checks.
Reviewing flagged invoices or unusual activity helps highlight problems without checking every transaction.
Clear documentation of responsibilities.
Writing down who reviews what, and when, creates accountability even in very small teams.

The goal here isn’t perfection. It’s reducing risk to a sensible level while keeping the AP process workable and sustainable.

How AP automation supports stronger accounts payable controls

As invoice volumes increase, many AP controls weaken not because they’re poorly designed, but because they rely on manual steps. Approval limits sit in documents. Segregation of duties depends on people remembering who should approve what. Reviews often happen after payment, when fixing issues already means rework or recovery.

This is where automation strengthens internal controls by placing them directly inside the approval workflow. Approval rules are applied consistently, invoices are routed based on value, role, or department, and every decision is recorded as it happens. That reduces reliance on memory and follow-ups, while making controls easier to review and maintain over time.

ApprovalMax supports this approach by linking approvals to accounting data before payments are released. Approval rules are set once and followed every time, creating clear boundaries around who can approve spend and when. Each approval, rejection, and change is logged automatically, giving finance teams the visibility they need as volume grows.

Conclusion: turning AP controls into a practical system

Strong accounts payable controls work best when they operate as a system, not a checklist.

They start with understanding where risk enters the AP process and placing the right checks at each stage, from invoice receipt through to payment. Clear ownership and regular review help those controls stay relevant as teams, systems, and volumes change.

When approvals, checks, and records are part of everyday workflows, controls hold up without adding friction. This allows finance teams to reduce risk, protect cash, and keep payments moving with confidence.

Start a 14-day free trial with ApprovalMax and see how structured approvals help maintain strong accounts payable controls as your team scales.

FAQs

How are accounts payable controls tested?

AP controls are tested through sample-based reviews, not full checks. Teams typically trace a small number of invoices, approvals, or vendor changes to confirm controls were followed and documented. The focus is on whether the control actually worked.

What are preventive and detective controls in accounts payable?

Preventive controls stop issues before they happen. They sit early in the AP process and reduce the chance of errors or fraud entering the system. Examples include segregation of duties, approval limits, invoice matching, and vendor verification.

Detective controls identify issues after they occur. These include reconciliations, duplicate payment reports, and internal AP audits. Most finance teams rely on a mix of both.

How often should AP controls be reviewed?

AP controls should be reviewed at least annually, and whenever teams, systems, or processes change. Regular review helps keep controls aligned with how AP actually operates.

What are common accounts payable control failures?

Common failures include:

One person controlling too many steps
Approval limits not updated as the business grows
Vendor changes without independent review
Duplicate invoices slipping through
Controls documented but not followed

These usually appear as volume increases, not overnight.

Are accounts payable controls required for audits?

Yes. Auditors expect to see documented and operating AP controls. Strong controls reduce audit findings and follow-up testing, while weak controls increase scrutiny and remediation work.

How do approval workflows support AP internal controls?

Approval workflows define who can approve spend and at what value. They support segregation of duties, apply approval rules consistently, and create a clear audit trail of decisions and changes.

How do AP controls change as a business grows?

As businesses grow, controls usually become more formal. Approval thresholds tighten, segregation improves, vendor controls strengthen, and manual reviews are replaced with system-based checks.

Justin Campbell, an experienced accountant with a decade at Xero, blends his deep understanding of finance and technology to simplify processes. He uses his expertise to help businesses work smarter, bringing precision and innovation to every initiative.