AP Internal Controls Checklist
Internal controls protect your organization from fraud, errors, and compliance failures. This guide covers the essential controls every accounts payable function should have in place.
Why AP Controls Matter
Accounts payable is a high-risk area because:
- Money flows out of the organization
- High transaction volume creates opportunities for errors
- External parties (vendors) are involved
- Fraud schemes often target AP
Strong controls protect against:
- Fraudulent payments
- Duplicate payments
- Unauthorized purchases
- Payment to fake vendors
- Errors in amounts or coding
- Non-compliance with policies
Core Control Principles
1. Segregation of Duties
No single person should control an entire process from start to finish.
Key Separations:
| Function | Should NOT Also Do |
|---|---|
| Create vendor records | Approve vendors or process payments |
| Approve invoices | Create vendor records |
| Process payments | Sign checks or approve wire transfers |
| Reconcile bank statements | Process payments |
| Receive goods | Approve invoices for those goods |
Minimum Separation (small teams):
- Person A: Invoice entry and vendor setup
- Person B: Approval and payment authorization
- Person C: Bank reconciliation
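The Key Separations table can be applied mechanically to a user-access report. The following is an added Python example (not part of the original checklist) that flags any user whose system access combines two functions the table says must be held by different people; the function names and the access report are constructed assumptions.

```python
from itertools import combinations

# Incompatible function pairs, transcribed from the Key Separations table.
# Function names are assumed labels, not identifiers from any AP system.
INCOMPATIBLE = {
    frozenset({"create_vendor", "approve_vendor"}),
    frozenset({"create_vendor", "process_payment"}),
    frozenset({"approve_invoice", "create_vendor"}),
    frozenset({"process_payment", "sign_check"}),
    frozenset({"process_payment", "approve_wire"}),
    frozenset({"reconcile_bank", "process_payment"}),
    frozenset({"receive_goods", "approve_invoice"}),
}


def find_sod_conflicts(access):
    """access: {user: set of functions the user can perform}.

    Returns a sorted list of (user, function_a, function_b) for every
    pair of functions a single user holds that the table forbids.
    """
    conflicts = []
    for user, funcs in access.items():
        for a, b in combinations(sorted(funcs), 2):
            if frozenset({a, b}) in INCOMPATIBLE:
                conflicts.append((user, a, b))
    return sorted(conflicts)


# Constructed user-access report, in the shape an AP system export
# might take after mapping each role to the functions it grants.
ACCESS_REPORT = {
    "alice": {"create_vendor", "enter_invoice"},
    "bob": {"approve_invoice", "approve_wire"},
    "carol": {"reconcile_bank"},
    "dave": {"create_vendor", "process_payment", "sign_check"},
}

if __name__ == "__main__":
    for user, a, b in find_sod_conflicts(ACCESS_REPORT):
        print(f"SoD conflict: {user} holds both {a!r} and {b!r}")
```

Each reported tuple is one finding for the Segregation of Duties test; an empty result means no user in the report holds an incompatible combination.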
2. Authorization Limits
Define who can approve what based on dollar thresholds:
| Amount | Approval Required |
|---|---|
| Under $1,000 | Department manager |
| $1,000-10,000 | Director |
| $10,000-50,000 | VP + Controller |
| Over $50,000 | CFO |
Document and enforce these limits in your AP system.
3. Documentation Requirements
Every payment should have:
- Original invoice
- Approval documentation
- PO or contract reference (if applicable)
- Receiving confirmation (for goods)
- Three-way match evidence
Complete AP Internal Controls Checklist
Vendor Management Controls
Vendor Setup:
- [ ] Written procedure for adding new vendors
- [ ] Segregation between vendor creation and payment processing
- [ ] Required documentation checklist (W-9, banking verification)
- [ ] Approval required for new vendor records
- [ ] Verification of vendor legitimacy before activation
Vendor Changes:
- [ ] Documented process for vendor changes
- [ ] Dual approval for banking changes
- [ ] Verification callback for banking updates
- [ ] Audit trail of all vendor master changes
- [ ] Regular review of vendor master changes
Vendor Monitoring:
- [ ] Periodic review of vendor master file
- [ ] Comparison of vendor addresses to employee addresses
- [ ] Review of vendors with PO Box only addresses
- [ ] Identification and cleanup of duplicate vendors
- [ ] Deactivation of unused vendors
Invoice Processing Controls
Invoice Receipt:
- [ ] Centralized invoice receipt point
- [ ] Date/time stamp on received invoices
- [ ] Logged entry of all invoices received
- [ ] Invoices tracked from receipt through payment
Invoice Verification:
- [ ] Three-way match required (PO, receipt, invoice)
- [ ] Tolerance levels defined for price/quantity variances
- [ ] Exception process for invoices without POs
- [ ] Verification of invoice mathematical accuracy
- [ ] Duplicate invoice detection
Invoice Approval:
- [ ] Documented approval authority matrix
- [ ] Approval required before payment processing
- [ ] Approval evidence maintained (signatures, electronic)
- [ ] Approvers cannot approve their own expenses
- [ ] Escalation process for delayed approvals
Payment Controls
Payment Authorization:
- [ ] Dual signature requirement above threshold ($X)
- [ ] Signature stamps/plates secured and controlled
- [ ] Check stock secured with limited access
- [ ] Positive pay implemented with bank
- [ ] Wire transfer dual authorization
Payment Processing:
- [ ] Payments processed only from approved invoices
- [ ] Supporting documentation reviewed before payment
- [ ] Separate person reviews and releases payments
- [ ] No payments to new vendors without extra verification
- [ ] Urgent payment requests require additional approval
Check Controls:
- [ ] Pre-numbered check stock
- [ ] Check stock inventory logged
- [ ] Voided checks retained and defaced
- [ ] Signature plates secured
- [ ] Check signing separated from check preparation
Electronic Payment Controls:
- [ ] ACH file creation separated from release
- [ ] Wire transfer dual authorization
- [ ] Banking details verified before first payment
- [ ] Virtual card controls and reconciliation
- [ ] Electronic payment audit trail maintained
Reconciliation Controls
Account Reconciliation:
- [ ] Monthly AP subledger to GL reconciliation
- [ ] Bank reconciliation by someone outside AP
- [ ] Outstanding check follow-up procedures
- [ ] Vendor statement reconciliation (key vendors)
- [ ] Investigation and resolution of variances
Period-End Controls:
- [ ] Cutoff procedures documented
- [ ] Accrual process for uninvoiced receipts
- [ ] Review of aged payables
- [ ] Management review of AP balance
System Controls
Access Controls:
- [ ] User access based on job responsibilities
- [ ] Unique user IDs (no shared accounts)
- [ ] Regular review of user access rights
- [ ] Terminated employee access removed promptly
- [ ] Sensitive functions restricted (vendor setup, payment release)
System Configuration:
- [ ] Approval workflows enforced by system
- [ ] Duplicate invoice detection enabled
- [ ] Audit trail enabled and retained
- [ ] Integration controls with ERP/banking
- [ ] Regular system access review
Monitoring Controls
Management Review:
- [ ] Monthly review of AP aging
- [ ] Review of exception reports
- [ ] Analysis of payment trends
- [ ] Budget to actual variance review
- [ ] Vendor spend analysis
Audit Trail:
- [ ] All transactions traceable to source
- [ ] Changes to records logged with user/date
- [ ] Approval history maintained
- [ ] Document retention policy followed
- [ ] Audit trail retention adequate
Control Testing Guide
How to Test Controls
For each control, verify:
1. Control is documented in policy
2. Control is actually operating
3. Evidence exists of control execution
4. Exceptions are identified and resolved
Sample Testing Procedures
Test: Segregation of Duties
- Review user access reports
- Verify no user has incompatible access
- Check that vendor setup and payment are separate
Test: Three-Way Match
- Select sample of payments
- Verify PO, receipt, and invoice exist
- Confirm amounts match within tolerance
Test: Approval Authority
- Select sample of invoices
- Verify approver had authority for amount
- Confirm approval preceded payment
Test: Banking Change Verification
- Review vendor master changes
- Select banking changes
- Verify callback documentation exists
Common Control Weaknesses
High-Risk Gaps
| Weakness | Risk | Remediation |
|---|---|---|
| No segregation of duties | Fraud | Separate functions or add compensating controls |
| No dual signature on checks | Unauthorized payments | Implement threshold-based dual signature |
| Banking changes via email accepted | BEC fraud | Require verification callback |
| No positive pay | Check fraud | Implement with bank |
| Shared system logins | No accountability | Unique user IDs |
| No duplicate check | Double payments | Enable system detection |
Compensating Controls
When ideal controls aren’t possible (small teams):
| Ideal Control | Compensating Control |
|---|---|
| Full segregation | Detailed management review of all payments |
| System-enforced approval | Manual approval log reviewed by manager |
| Dual signature on all checks | Owner/manager reviews check register |
Control Environment by Company Size
Small Business (1-3 AP staff)
Focus on:
- Owner/manager review of all payments
- Bank reconciliation by non-AP person
- Basic duplicate detection
- Vendor verification for new vendors
- Monthly review of AP aging
Mid-Market (4-10 AP staff)
Add:
- Full segregation of duties
- System-enforced approvals
- Positive pay
- Regular control testing
- Documented policies
Enterprise (10+ AP staff)
Add:
- Internal audit testing
- SOX compliance (if public)
- Advanced analytics
- Continuous monitoring
- Formal control framework
Key Takeaways
- Segregation of duties is the foundation of AP controls
- Every payment needs documentation and approval
- Verify banking changes independently—never trust email alone
- Reconcile regularly and investigate variances
- Test controls periodically to ensure they’re working
- Document everything for audit trail