| Area | What It Controls | Main Benefit | Main Risk If Weak |
|---|---|---|---|
| Vendor setup | Who can get paid | Blocks fake / duplicate vendors | Shell companies, insider fraud |
| Invoice approval | What gets paid | Prevents bogus or altered invoices | Overpayments, fake services |
| Payment processing | How cash leaves | Protects bank details and amounts | Redirected payments, fake wires |
| Segregation of duties | Who does what | Makes collusion harder | One person can steal and hide it |
| Monitoring & audit | Patterns over time | Spots fraud sooner | Fraud runs for years unnoticed |
Fraud in accounts payable is not a theory problem. Cash leaves your bank. Vendor fraud, duplicate payments, and fake invoices eat margins quietly. You do all this work to grow revenue, then lose it because controls were loose in the one place where money actually goes out. These internal controls are your brakes. They do not grow the business directly, but they stop it from bleeding. If you care about profit, you have to care about how you pay bills.
Why accounts payable is such an easy target
Fraud follows money and weak rules. AP has both.
Most teams want to “get vendors paid fast” so operations keep moving. Speed becomes the goal. Controls feel like extra clicks. People bypass them. Over time, bad habits become the normal process.
A few simple facts:
– Almost every fraud scheme touches either revenue or payables.
– Payables is easier. You do not have to fake customer behavior. You only have to push money out the door.
– Internal people often know the gaps better than any outsider.
Fraud usually exploits process gaps, not brilliant schemes.
Let me give you a simple pattern that repeats:
1. One person can create vendors and process payments.
2. Vendor records do not require independent review.
3. Invoices do not tie to contracts or purchase orders.
4. There is little review of vendor changes or payment trends.
You do not need a forensic accountant to guess how this story ends.
Common fraud schemes in accounts payable
Fraud schemes in AP tend to fall into a few categories. When you know the schemes, your controls suddenly make more sense.
Fake or altered vendors
Someone sets up a vendor that should not exist, or alters a real vendor’s details.
Typical patterns:
– Shell vendor set up by an internal person.
– Vendor bank account changed to a personal or related account.
– Vendor name slightly changed to look like an existing supplier.
– Dormant vendor reactivated and used for new payments.
This can be done by:
– Internal staff with system access.
– External attackers who get into your email or vendor portal.
– Collusion between an employee and a vendor.
Fake or inflated invoices
Invoices come in for things you did not order or did not receive, or for amounts higher than agreed.
Examples:
– Billing for services never delivered.
– Billing for more hours than worked.
– Billing twice for the same work.
– Creating invoices close to quarter-end to hide theft under “closing pressure.”
AP can be busy. When the team is under time pressure, these invoices slide through.
Duplicate payments
Not every duplicate payment is fraud. Many are just error. But fraud often hides inside the pile of “mistakes.”
You see:
– Same invoice number paid twice.
– Slight changes to invoice number, date, or amount to bypass system checks.
– Same invoice submitted through different channels.
Fraudsters know the system rules. They test what gets blocked. Then they work around it.
Kickbacks with vendors
This one hurts both cash and integrity.
An employee and a vendor agree that:
– The vendor will overcharge.
– The employee will approve and protect those invoices.
– The vendor will share part of the extra profit with the employee.
Here, pure AP controls help, but culture and vendor selection play a big role too.
Check tampering and payment diversion
Less common as companies move to electronic payments, but it still shows up:
– Checks altered after printing.
– Checks intercepted and endorsed by someone else.
– Wires changed at the last moment based on a fake email.
These often start with compromised email accounts or weak vendor change procedures.
Control principles that actually matter
Before we go into specific controls, there are a few core principles. If you get these right, every control choice becomes easier.
Segregation of duties
One person should not control an entire cash flow from start to finish.
At a basic level:
– One person should not be able to set up a vendor, enter an invoice, and release a payment.
– One person should not both reconcile bank accounts and process payments.
– System admins should not also work in AP processing.
This sounds obvious. In practice, smaller teams struggle. People wear multiple hats. So you compensate with extra reviews and logging.
If one person can both create a record and cover their own tracks, fraud is simple.
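The three segregation rules above can be checked mechanically against the roles your ERP and bank portal actually grant. The following is an added example, not the article's own code: the role names, the conflict sets (which mirror the three rules) and the sample users are all assumptions. It reports every user who holds a complete conflicting set, and for each of them lists colleagues who hold none of those roles and could therefore act as the independent reviewer the article asks for in small teams.

```python
"""Segregation-of-duties check over a constructed user/role table.

Added example, not part of the article. Role names, the conflict sets and the
users below are assumptions; the three conflict sets mirror the article's rules.
"""

# Role sets that one person should not hold in full (assumed role names).
CONFLICTING_ROLE_SETS = [
    frozenset({"vendor_setup", "invoice_entry", "payment_release"}),  # full cash flow
    frozenset({"bank_reconciliation", "payment_processing"}),        # reconcile + pay
    frozenset({"system_admin", "ap_processing"}),                    # admin + AP work
]

# Constructed sample: user -> roles actually granted today.
USER_ROLES = {
    "alice": {"vendor_setup", "invoice_entry", "payment_release"},
    "bob": {"invoice_entry"},
    "carol": {"bank_reconciliation", "payment_processing"},
    "dave": {"system_admin"},
    "erin": {"vendor_setup", "payment_release"},
}


def sod_conflicts(user_roles, rules=CONFLICTING_ROLE_SETS):
    """Return {user: [tuple of conflicting roles, ...]} for every user who holds
    every role of at least one conflicting set. Users with no conflict are omitted."""
    findings = {}
    for user, roles in user_roles.items():
        hits = [tuple(sorted(rule)) for rule in rules if rule <= set(roles)]
        if hits:
            findings[user] = hits
    return findings


def compensating_reviewers(user_roles, findings):
    """For each flagged user, list other users who hold none of the conflicting
    roles and could review their work independently. An empty list means the
    compensating review has to come from outside the team."""
    out = {}
    for user, hits in findings.items():
        blocked = set().union(*hits)
        out[user] = sorted(u for u, r in user_roles.items()
                           if u != user and not (set(r) & blocked))
    return out


if __name__ == "__main__":
    found = sod_conflicts(USER_ROLES)
    for user, hits in found.items():
        print(f"{user}: holds conflicting roles {hits}")
    print("independent reviewers:", compensating_reviewers(USER_ROLES, found))
```

Run it against an export of your real role assignments; the list of reviewers is the useful part, because it tells you whether a compensating review is even possible with the people you have.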
Authorization and approval
Money should only move after someone with the right authority agrees.
Healthy practice:
– Clear approval limits by role or position.
– Documented approval paths for invoices and vendors.
– No “rubber stamp” batch approvals without actual review.
Approvals should be traceable, not verbal. Email approval is better than nothing, but you get more control with integrated workflows.
Documentation and traceability
Every payment should leave a trail that stands up to questions later.
This includes:
– Contract or PO.
– Invoice.
– Evidence of receipt (like delivery note or service confirmation).
– Approval record.
– Payment record with date, amount, method, and who processed it.
If you cannot reconstruct why you paid a vendor, the control is weak.
Independent review
Someone not involved in day-to-day AP should look at patterns and exceptions.
This might be:
– Controller reviewing vendor changes.
– CFO reviewing exception reports.
– Internal audit sampling payments quarterly.
Fraud loves silent systems. Reports and reviews make noise.
Use of system controls
Manual controls rely on people. People get tired. Systems do not.
You want systems to:
– Block exact duplicate invoices.
– Flag vendor name or tax ID duplicates.
– Restrict who can change vendor bank details.
– Log every important change with who, what, and when.
Humans then review logs and alerts, not raw data.
Internal controls across the AP cycle
Now, let us walk through the AP flow and plug controls into each step.
Vendor onboarding and maintenance controls
This is the gate. If bad vendors get in, you are already behind.
Vendor creation process
Key controls:
– Standard vendor setup form with required fields and supporting documents.
– Unique vendor ID assigned by the system, not by staff.
– Vendor data validation before activation.
Typical required documents:
– Tax ID / VAT number.
– Business registration or license, where relevant.
– Bank account proof (voided check, bank letter, or official statement).
– Contact info that you can verify independently.
The easiest fraud is to pay a fake vendor. Strong vendor onboarding makes that much harder.
Segregation around vendor setup
Good practice:
– One person initiates vendor data entry.
– Another person reviews and approves vendor activation.
– Changes to critical fields like bank account, address, and tax ID go through the same two-step process.
In small teams, the second person might be a finance manager who approves in the system.
Vendor change controls
Fraud often comes from changing an existing vendor, not creating a new one.
Key steps:
– Never change bank details based only on email.
– Confirm changes through a second channel. Call the vendor using a phone number from your master data, not from the email requesting the change.
– Log who requested, who changed, and who approved.
Run a monthly report of:
– All vendors with changed bank accounts.
– All new vendors added.
– Vendors with no activity for a long time that suddenly get large payments.
Have someone senior scan these for anything that feels off.
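The monthly report described above can be produced from two exports: the vendor bank-change log and the payment ledger. Below is an added example, not the article's code; the change log and ledger are constructed, and the 30-day window after a bank change, the 365-day dormancy period and the 10,000 "large payment" floor are assumptions you would tune to your own volumes. It also flags changes where the approver is the same person who made the change, since that defeats the two-step control.

```python
"""Monthly vendor-change and payment-pattern report. Added example, not the
article's code. The change log and payment ledger are constructed; the 30-day
window, 365-day dormancy and 10,000 'large payment' floor are assumptions."""
from collections import defaultdict
from datetime import date
from decimal import Decimal

# Constructed vendor bank-detail change log (who requested / changed / approved).
BANK_CHANGES = [
    {"vendor": "V001", "date": date(2024, 4, 2), "requested_by": "vendor email",
     "changed_by": "pat", "approved_by": "lee"},
    {"vendor": "V002", "date": date(2024, 4, 10), "requested_by": "vendor email",
     "changed_by": "pat", "approved_by": "pat"},
]

# Constructed payment ledger.
PAYMENTS = [
    {"vendor": "V001", "date": date(2023, 2, 1), "amount": Decimal("900.00")},
    {"vendor": "V001", "date": date(2024, 4, 9), "amount": Decimal("18500.00")},
    {"vendor": "V002", "date": date(2024, 6, 30), "amount": Decimal("1200.00")},
    {"vendor": "V003", "date": date(2022, 11, 15), "amount": Decimal("400.00")},
    {"vendor": "V003", "date": date(2024, 4, 20), "amount": Decimal("42000.00")},
]


def payments_after_bank_change(payments, changes, window_days=30):
    """Payments that landed within `window_days` after a bank-detail change on
    the same vendor: the first money out on new details deserves a look."""
    hits = []
    for c in changes:
        for p in payments:
            if p["vendor"] == c["vendor"] and 0 <= (p["date"] - c["date"]).days <= window_days:
                hits.append((p["vendor"], p["date"], p["amount"], c["date"]))
    return sorted(hits)


def dormant_reactivations(payments, dormant_days=365, min_amount=Decimal("10000")):
    """Vendors silent for at least `dormant_days` that then receive a payment of
    `min_amount` or more. Returns (vendor, payment date, amount, gap in days)."""
    by_vendor = defaultdict(list)
    for p in payments:
        by_vendor[p["vendor"]].append(p)
    hits = []
    for vendor, rows in by_vendor.items():
        rows.sort(key=lambda r: r["date"])
        for prev, cur in zip(rows, rows[1:]):
            gap = (cur["date"] - prev["date"]).days
            if gap >= dormant_days and cur["amount"] >= min_amount:
                hits.append((vendor, cur["date"], cur["amount"], gap))
    return sorted(hits)


def self_approved_changes(changes):
    """Changes where the approver is also the person who made the change, so
    the two-step process did not actually involve two people."""
    return [c for c in changes if c["approved_by"] == c["changed_by"]]


if __name__ == "__main__":
    print("paid soon after bank change:", payments_after_bank_change(PAYMENTS, BANK_CHANGES))
    print("dormant vendor, large payment:", dormant_reactivations(PAYMENTS))
    print("self-approved changes:", [c["vendor"] for c in self_approved_changes(BANK_CHANGES)])
```

None of these hits is proof of anything; they are the short list a senior person scans each month, with the change log telling them whom to ask.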
Vendor master data reviews
At least once or twice a year:
– Identify vendors with duplicate tax IDs, addresses, or bank accounts.
– Clean out dormant vendors not used for, say, 18 to 24 months.
– Review vendors with similar names.
You might find:
– Same bank account used by multiple unrelated vendors.
– Many vendors at the same address with different names.
– Personal addresses for “corporate” vendors.
These are all flags for further review.
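The three review questions above (shared bank account, shared address, similar names) can be run over a vendor master export. The following is an added example, not the article's code: the vendor records are constructed, the list of legal suffixes stripped from names is an assumption, and so is the 0.9 similarity threshold. The point of the normalisation is that spacing and punctuation differences in a bank account or address must not hide a match.

```python
"""Vendor master data review: shared bank accounts, shared addresses, and
near-identical names. Added example, not the article's code; the vendor
records are constructed and the normalisation rules are assumptions."""
import re
from collections import defaultdict
from difflib import SequenceMatcher
from itertools import combinations

# Tokens dropped before comparing names, so "Acme Supplies Inc." and
# "ACME Supplies, Ltd" compare as the same trading name (assumed list).
LEGAL_SUFFIXES = {"inc", "ltd", "llc", "gmbh", "co", "corp", "corporation",
                  "limited", "plc", "the"}

# Constructed sample vendor master (account strings are made up).
VENDORS = [
    {"id": "V001", "name": "Acme Supplies Inc.",
     "bank": "DE89 3704 0044 0532 0130 00", "address": "12 Harbor Rd, Springfield"},
    {"id": "V002", "name": "ACME Supplies, Ltd",
     "bank": "FR76 3000 6000 0112 3456 7890 189", "address": "12 harbor rd Springfield"},
    {"id": "V003", "name": "Northwind Consulting GmbH",
     "bank": "GB29 NWBK 6016 1331 9268 19", "address": "5 Elm St, Shelbyville"},
    {"id": "V004", "name": "Blue Sky Cleaning LLC",
     "bank": "GB29NWBK60161331926819", "address": "77 Lake View, Capital City"},
    {"id": "V005", "name": "Harbor Logistics Co",
     "bank": "DE89370400440532013000", "address": "9 Dock Ln, Springfield"},
]


def normalize_name(name):
    """Lower-case, strip punctuation and legal suffixes: 'Acme Supplies Inc.' -> 'acme supplies'."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in LEGAL_SUFFIXES)


def normalize_key(value):
    """Keep only letters and digits, upper-cased, so spacing and punctuation cannot hide a match."""
    return re.sub(r"[^A-Z0-9]", "", value.upper())


def _shared(vendors, field):
    """Groups of vendor IDs whose normalised `field` value is identical."""
    groups = defaultdict(list)
    for v in vendors:
        groups[normalize_key(v[field])].append(v["id"])
    return sorted(tuple(sorted(ids)) for ids in groups.values() if len(ids) > 1)


def review_vendor_master(vendors, name_threshold=0.9):
    """Return the three flag lists: same bank account, same address, and names
    that are near-identical once suffixes and punctuation are removed."""
    flags = {
        "shared_bank": _shared(vendors, "bank"),
        "shared_address": _shared(vendors, "address"),
        "similar_names": [],
    }
    for a, b in combinations(vendors, 2):
        ratio = SequenceMatcher(None, normalize_name(a["name"]), normalize_name(b["name"])).ratio()
        if ratio >= name_threshold:
            flags["similar_names"].append(tuple(sorted((a["id"], b["id"]))))
    flags["similar_names"].sort()
    return flags


if __name__ == "__main__":
    for kind, pairs in review_vendor_master(VENDORS).items():
        print(f"{kind}: {pairs}")
```

Two vendors sharing one bank account is the strongest of the three signals; a shared address or a near-identical name is often a legitimate group structure, which is exactly why the output is a review list rather than an automatic block.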
Purchase order and contracting controls
This part sits before AP but drives AP risk heavily.
Use of purchase orders
A purchase order is a simple control: it says what you agreed to buy and at what price.
Helpful rules:
– Require POs for goods and larger service engagements above a set threshold.
– Match invoices to POs before approval.
– If an invoice lacks a PO, route it through extra review.
POs are not needed for every tiny expense. You can define a threshold like “all spend over 1,000” or similar, based on your context.
Contract terms and rate cards
For services:
– Keep rate cards and agreed fees in a central, accessible place.
– AP or approvers should be able to see the contract when checking invoices.
– If the invoice format is vague, ask for more detail.
This way, someone can quickly check:
– Is this rate agreed?
– Is this volume realistic?
Without this, service invoices are basically guesses.
Invoice receipt and processing controls
This is where most fraud actually enters.
Centralized invoice receipt
Try to funnel all invoices through one intake channel:
– A shared AP email address.
– Vendor portal.
– Physical mailroom scanning point.
Avoid invoices going directly to individuals. Private inboxes are easier to manipulate and harder to audit.
Invoice validation checks
Before any approval, have AP run basic checks:
– Vendor exists in the system and is active.
– Invoice number not used before for that vendor.
– Dates make sense relative to service period.
– Tax and totals add up.
– PO number present when required.
System rules can automate much of this. For manual setups, a short checklist helps.
Three-way and two-way matching
For goods:
– Three-way match links purchase order, goods receipt, and invoice.
– System pays only if all three match within defined tolerances.
For services:
– Two-way match links PO or contract with invoice and a service confirmation from the business owner.
This does not have to be perfect. Start with high-value or high-risk categories and expand over time.
Duplicate invoice controls
Your system should block obvious duplicates based on:
– Vendor ID.
– Invoice number.
– Invoice date.
– Amount.
Fraudsters often try to work around this by:
– Slightly changing the invoice number (add a letter or zero).
– Changing the amount slightly.
– Using a different vendor variation.
So, some companies add extra reviews for:
– Same amount, same date, same vendor, different invoice number.
– High volume of small invoices to the same vendor.
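The system block and the extra reviews described above can be expressed as one screening step. Below is an added example, not the article's code: the invoice history and the incoming batch are constructed, and the invoice-number normalisation (case, punctuation, leading zeros, one trailing letter) and the 1% amount tolerance are assumptions. Invoices accepted from the batch are added to the history as they pass, so the same invoice arriving twice through different channels in one batch is also caught.

```python
"""Duplicate and near-duplicate invoice screening. Added example, not the
article's code. The history and the batch are constructed; the normalisation
of invoice numbers and the 1% amount tolerance are assumptions."""
import re
from datetime import date
from decimal import Decimal


def normalize_invoice_no(no):
    """Undo the cheap edits the article lists: case/punctuation changes, leading
    zeros in the numeric part, and a single letter tacked on the end."""
    s = re.sub(r"[^A-Z0-9]", "", no.upper())
    s = re.sub(r"[A-Z]$", "", s)                   # INV1042A -> INV1042
    s = re.sub(r"(?<![0-9])0+(?=[0-9])", "", s)    # INV01042 -> INV1042
    return s


def duplicate_flags(invoice, history, amount_tolerance=Decimal("0.01")):
    """Reasons `invoice` looks like a repeat of something already in `history`.
    'exact_duplicate' is what the system should block outright; the other two
    are the extra-review cases."""
    reasons = []
    for prior in history:
        if prior["vendor"] != invoice["vendor"]:
            continue
        same_no = prior["invoice_no"] == invoice["invoice_no"]
        same_norm_no = normalize_invoice_no(prior["invoice_no"]) == normalize_invoice_no(invoice["invoice_no"])
        same_date = prior["date"] == invoice["date"]
        diff = abs(prior["amount"] - invoice["amount"])
        close_amount = diff <= prior["amount"] * amount_tolerance
        if same_no and same_date and diff == 0:
            reasons.append(("exact_duplicate", prior["invoice_no"]))
        elif same_norm_no:
            reasons.append(("invoice_no_variant", prior["invoice_no"]))
        elif same_date and close_amount:
            reasons.append(("same_vendor_date_similar_amount", prior["invoice_no"]))
    return reasons


def screen_batch(batch, history):
    """Screen a batch in order, returning [(invoice_no, reasons), ...]. Each
    accepted invoice joins the history so a second copy in the same batch is caught."""
    seen = list(history)
    results = []
    for inv in batch:
        flags = duplicate_flags(inv, seen)
        results.append((inv["invoice_no"], flags))
        if not flags:
            seen.append(inv)
    return results


# Constructed: invoices already posted for two vendors.
HISTORY = [
    {"vendor": "V001", "invoice_no": "INV-1042", "date": date(2024, 3, 5), "amount": Decimal("1250.00")},
    {"vendor": "V001", "invoice_no": "INV-1043", "date": date(2024, 3, 9), "amount": Decimal("980.00")},
    {"vendor": "V002", "invoice_no": "7781", "date": date(2024, 3, 5), "amount": Decimal("1250.00")},
]

# Constructed: a new batch with one clean invoice and several re-submissions.
BATCH = [
    {"vendor": "V001", "invoice_no": "INV-1042", "date": date(2024, 3, 5), "amount": Decimal("1250.00")},
    {"vendor": "V001", "invoice_no": "INV-1042A", "date": date(2024, 3, 5), "amount": Decimal("1250.00")},
    {"vendor": "V001", "invoice_no": "INV-01043", "date": date(2024, 3, 9), "amount": Decimal("980.00")},
    {"vendor": "V001", "invoice_no": "INV-2000", "date": date(2024, 3, 5), "amount": Decimal("1255.00")},
    {"vendor": "V001", "invoice_no": "INV-2001", "date": date(2024, 3, 20), "amount": Decimal("500.00")},
    {"vendor": "V001", "invoice_no": "INV-2001", "date": date(2024, 3, 20), "amount": Decimal("500.00")},
]

if __name__ == "__main__":
    for no, flags in screen_batch(BATCH, HISTORY).items() if False else screen_batch(BATCH, HISTORY):
        print(no, "OK" if not flags else flags)
```

Note that the check is per vendor: the V002 invoice for the same amount on the same date is not flagged, because matching across vendors belongs to the vendor master review, not to invoice screening.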
Invoice approval controls
This is where business knowledge and AP process meet.
Clear approval limits
Set limits like:
– Managers can approve up to X.
– Directors up to Y.
– Anything above Z needs CFO.
Do not let system access override policy. If your system cannot enforce the limits, you at least need reports that show approvals above limit for follow-up.
Approval based on ownership
In short:
– The person who owns the budget should approve the spend.
– AP should not be asked to “just pay it” without owner approval.
Approvers should check:
– Did we actually get this product or service?
– Is the amount correct vs PO or contract?
– Does this match what we expected from this vendor?
It sounds basic, but many approvers just check the amount and click approve. You fix that with clear expectations and simple guidance.
Avoiding rubber-stamp behavior
When approvers get too many invoices, they stop paying attention.
Tactics:
– Limit the number of approvers per cost center.
– Keep approval queues short and timely.
– Rotate periodic extra checks by finance on approved invoices.
If someone approves everything within 2 minutes of receipt every time, that is a red flag.
Payment processing controls
This is the final gate. Strong controls here can block fraud that slipped past earlier steps.
Payment run preparation
Before running payments:
– Generate a preliminary payment proposal or list.
– Have someone independent of invoice entry review it.
– Look for unusual patterns: new vendors with big amounts, payments just under approval thresholds, multiple payments to same vendor in one run.
This review does not need to be slow. A focused 10-minute scan catches a lot.
Segregation in payment processing
Typical split:
– AP staff prepare the payment batch in the ERP.
– A manager or controller reviews and approves the batch.
– Another person releases the payment in the bank.
In small teams where tech limits roles, at least:
– Require two separate people to approve larger payments at the bank.
– Reconcile bank transactions daily or weekly by someone not processing payments.
Treat the link between your system and your bank as a high-risk zone. Extra eyes here save you money.
Control over payment methods
Each method has its own risks.
– Checks: risk of forgery and theft. Limit use, lock check stock, and log every check.
– ACH / SEPA: protect bank detail changes, use templates, and use approvals.
– Wires: require two approvals for wires above certain amounts, and verify new beneficiary details by phone.
You do not have to choose only one method, but you should know where the weak spots are.
Bank reconciliations
Reconciliations are both control and early warning.
Healthy practice:
– Reconcile main operating bank accounts at least monthly. Weekly or daily for high volume.
– Someone not approving payments should do or review the reconciliation.
– Investigate unknown transactions quickly.
Fraud often shows up first as “unexplained reconciling items.”
Controls over access and systems
Fraud in AP often hides behind access rights.
User access management
You want:
– Role-based access: roles defined by job, not by person.
– Least privilege: each user only gets what they need.
– Regular access reviews to remove old or changed users.
Watch for:
– Generic accounts shared by many users.
– Dormant user accounts that suddenly become active.
Audit trails and logs
Systems should record:
– Vendor creations and changes.
– Invoice entries and edits.
– Payment batch creation and approvals.
Make someone actually look at these logs from time to time. Focus on:
– Changes to bank details.
– Manual overrides or forced postings.
– Payments created outside standard processes.
Integration between systems and bank
Where payments are sent automatically from ERP to bank:
– Protect integration credentials.
– Restrict who can change integration settings.
– Test changes in a non-production environment first.
A misconfigured integration can allow large unauthorized payments to slip through.
Monitoring, analytics, and red flags
Controls are not just gates. You also need radar.
Key reports for AP fraud detection
Some simple recurring reports provide a lot of value:
– Vendors with payments just below approval thresholds.
– Vendors paid without POs, sorted by total amount.
– Vendors with large month-over-month increases.
– Employees with high levels of manual adjustments or overrides.
– All changes to vendor bank details in the period.
Have finance or internal audit review these regularly.
Data patterns that signal risk
Patterns to watch:
– Many small invoices from the same vendor, all under a review threshold.
– Vendors with no tax ID where one should exist.
– Personal email domains for commercial vendors (like gmail, yahoo) when that is unusual for your sector.
– Repeated late-night or weekend system activity by AP users.
These patterns are not proof of fraud. They are prompts for a closer look.
Use of simple analytics
You do not need fancy tools at the start.
Basic steps:
– Export AP data to a spreadsheet or BI tool.
– Look at top 20 vendors by volume and count.
– Compare this year vs last year.
– Look for vendors where count of invoices exploded without a clear business reason.
Over time, you can add more:
– Benford’s law tests for invoice amounts.
– Text analysis of invoice descriptions for repeated wording.
– Correlation between specific approvers and flagged invoices.
You can start very small and build this up.
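Two of the reports from this section, payments clustered just under an approval threshold and a Benford first-digit test on invoice amounts, fit in a few dozen lines over an AP export. This is an added example, not the article's code; the ledger, the approval thresholds, the 2% band below each threshold and the minimum of three hits per vendor are all assumptions.

```python
"""Two recurring AP monitoring reports: payments clustered just below an
approval threshold, and a Benford first-digit test. Added example, not the
article's code; the ledger, thresholds, 2% band and 3-payment minimum are assumptions."""
import math
from collections import Counter, defaultdict

# Constructed ledger: (vendor, amount).
LEDGER = [
    ("V010", 4950.00), ("V010", 4990.00), ("V010", 4975.00), ("V010", 4999.99),
    ("V011", 4950.00), ("V012", 12000.00), ("V012", 300.00),
    ("V013", 9900.00), ("V013", 24999.00),
]

APPROVAL_THRESHOLDS = [5000, 25000]   # assumed: manager up to 5,000, director up to 25,000


def just_below_threshold(ledger, thresholds, band=0.02, min_count=3):
    """Per vendor, count payments in the band just under any threshold
    (threshold*(1-band) <= amount < threshold); return vendors at or above min_count."""
    counts = defaultdict(int)
    for vendor, amount in ledger:
        if any(t * (1 - band) <= amount < t for t in thresholds):
            counts[vendor] += 1
    return {v: n for v, n in counts.items() if n >= min_count}


def benford_expected():
    """Benford's law: P(first digit = d) = log10(1 + 1/d) for d in 1..9."""
    return {d: math.log10(1 + 1 / d) for d in range(1, 10)}


def first_digit_distribution(amounts):
    """Observed share of each leading significant digit 1..9 (zero amounts are skipped)."""
    digits = Counter()
    for a in amounts:
        lead = next((ch for ch in f"{abs(a):.2f}" if ch in "123456789"), None)
        if lead:
            digits[int(lead)] += 1
    total = sum(digits.values())
    return {d: digits[d] / total for d in range(1, 10)} if total else {}


def benford_max_deviation(amounts):
    """Largest absolute gap between observed and expected first-digit share.
    A large gap on a large population is a prompt to look, not proof of anything."""
    obs, exp = first_digit_distribution(amounts), benford_expected()
    return max(abs(obs[d] - exp[d]) for d in range(1, 10)) if obs else 0.0


if __name__ == "__main__":
    print("just below threshold:", just_below_threshold(LEDGER, APPROVAL_THRESHOLDS))
    print("Benford max deviation:", round(benford_max_deviation([a for _, a in LEDGER]), 3))
```

On the constructed ledger only V010 clears the three-hit minimum, and the Benford deviation is large simply because nine amounts is far too few; run the Benford test on a year of invoices, per vendor or per approver, before reading anything into it.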
Building controls that people actually follow
Controls fail when people see them as pointless.
Explain the “why” to the team
AP teams often feel blamed for fraud that touches their area. That hurts morale.
Be clear:
– The goal is to protect the company and the team.
– Everyone has a role. Fraud that goes on for years often leads to job losses and deep stress.
– Good controls also reduce errors and rework.
Share real anonymized stories. Numbers stick when people connect them to real cases.
Balance control with workflow
If a control adds 30 minutes for a 50 payment, people will find ways around it.
Look for:
– Automating the boring checks.
– Putting heavier controls on larger or riskier payments.
– Keeping low-value, low-risk payments straightforward, but still traceable.
For example:
– Maybe invoices under a low threshold need one approval and a simple check.
– Invoices above that threshold need matching and higher-level approval.
You do not treat a 200 payment the same as a 200,000 payment.
Training for approvers and AP staff
Most fraud gets through because someone did not know what to look for.
Train on:
– How to check a vendor change request.
– How to read an invoice vs contract or PO.
– Common fraud schemes in your industry.
– What to do if something feels off.
You do not need huge seminars. Short targeted sessions with real examples work better.
Special cases: small businesses and fast-growing companies
The theory is easier when you have big teams and systems. Reality gets trickier when you are small or growing fast.
If your team is very small
You might think “we cannot segregate duties with 2 people.” You still have options.
Examples:
– Founder or CEO reviews bank statements monthly, independent of AP.
– External accountant does monthly or quarterly reconciliations.
– Any vendor bank change requires external confirmation and owner approval.
If you cannot separate every task, separate at least review and payment release.
Focus your limited effort on:
– Vendor setup and change controls.
– Payment review and bank reconciliation.
– Clear records for approvals.
During rapid growth
Growth often breaks controls that worked before. Volume increases, new people join, systems lag behind.
Watch for:
– Employees asking for “temporary exceptions” that never go away.
– Approvers overwhelmed with too many invoices.
– New staff given broad system access “for now.”
You might need to pause and redesign:
– Approval thresholds.
– Role definitions in your system.
– Use of POs for more categories.
Growth is when fraud risk spikes, because chaos hides things.
Culture and ethics around AP
You cannot separate fraud prevention from culture.
Tone from the top
If leaders cut corners, staff do too.
Staff watch for:
– Leaders pressuring AP to “just pay and we’ll sort later.”
– Tolerance of vendors who break rules because they are “strategic.”
– Reaction when issues are raised: punishment or learning.
A simple principle helps: if you are not comfortable with your AP process being printed in a newspaper, you probably need stronger controls.
Whistleblowing and speak-up channels
Many frauds are found because someone spoke up, not through controls.
Provide:
– A clear way to report concerns confidentially.
– Assurance that concerns will be reviewed fairly.
– Feedback where possible that reports are taken seriously.
Encourage AP staff to speak up when:
– Approvers override controls repeatedly.
– Vendors push for unusual payment paths.
– They feel uneasy but cannot fully explain why.
Their instincts are often right, even if the details are fuzzy.
Designing your AP control improvement plan
You do not need to fix everything at once. In fact, trying to do so often leads to half-built controls that no one fully uses.
Here is a simple approach.
Step 1: Map your current AP process
Write down:
– How vendors are created and changed.
– How invoices are received, checked, and approved.
– How payments are generated, reviewed, and sent.
– Who does each step and what system they use.
This does not have to be fancy. A simple flow with names and steps is enough.
Step 2: Identify the highest risk spots
Look for:
– Steps where one person controls the full flow.
– Places with no record or approval.
– Manual workarounds outside the system.
Combine this with actual incidents, near misses, or audit findings, if you have them.
Step 3: Prioritize a short list of control changes
Pick a small number of high-impact changes, such as:
– Introducing independent approval for vendor creation and bank changes.
– Setting approval limits and enforcing them.
– Adding review of payment runs over a threshold.
– Tightening bank reconciliations.
You can add more controls later, but this core set already blocks a large share of fraud patterns.
Step 4: Roll out with clear ownership
For each new or improved control:
– Assign an owner.
– Document the steps simply.
– Train the people involved.
– Set a start date and then stick with it.
Measure whether people actually follow the new process. If not, find out why. Maybe the step is too heavy, or the benefit is not clear to them.
Step 5: Review and adjust
Fraud schemes evolve. So should your controls.
Once or twice a year:
– Review incidents and near misses.
– Ask AP and approvers what feels risky or awkward.
– Update your control design based on what you learn.
Treat controls as a living part of how you run the business, not as a checklist from last year.
AP internal controls are not about distrust. They are about making it hard to steal and easy to be honest.
When you tighten AP, you protect profit, you protect your team, and you sleep a bit better when large payments leave the bank.