Internal Controls for Accounts Payable: Types, Best Practices, & More

Internal controls for accounts payable mitigate business risks. While many AP departments could reduce risk and improve their overall efficiency by evaluating existing accounts payable procedures and identifying areas for improvement, most don’t know where to start. Let’s dive into the 3 types of internal controls your AP department should be using and explore some best practices.


What are Internal Controls in Accounts Payable?

Internal controls are standardized operating procedures used by companies in their accounts payable workflow to mitigate the risk of human error, prevent fraud, reduce improper payments, and ensure regulatory compliance.


What are the Biggest Risks in Accounts Payable?

The top accounts payable risks you need to look out for include:

  • Internal Fraud
  • Missing or Late Payments
  • Conflicts of Interest
  • Duplicate Payments
  • Lack of an Audit Trail
  • Poor Visibility into Invoice Payments


Why are Internal Controls in AP Important?

Internal controls in AP are required to help ensure the safety and security of your organization’s payments and mitigate fraud. According to J.P. Morgan’s 2022 AFP Payments Fraud and Control Survey, 71% of organizations were victims of payment fraud attacks or attempts in 2021.

With security threats on the rise, companies of all industries and sizes are vulnerable. That’s why it’s important to have processes in place that prepare your organization for a worst-case scenario such as internal or occupational fraud attempts, or fraudulent vendor invoices.

Internal controls mitigate risk by creating a system of checks and balances within your AP department. Having a variety of sources to trace back potential mistakes allows for shared responsibility and automatically decreases exposure, both internal and external.

What are the 3 Types of Internal Controls in Accounts Payable?

There are three types of accounts payable internal controls that can keep your payments safe and minimize human errors.

1. Obligation to Pay Controls

With obligation to pay controls in place, organizations are able to verify the accuracy of invoices and ensure they’re paying for items they’ve truly received. Common steps for obligation to pay controls include:


Purchase Order Approval

Depending on your business, the procurement department may issue a purchase order which confirms the approval of spending before it occurs. This helps track spending and prevent excess cash from leaving the company. The first step in this process is for the individual or department in need of a good or service to fill out a formal purchase requisition form. If and when the purchase requisition has been approved, it is then routed to the purchasing department.

Next, procurement proofs the request for accuracy and compliance with any legal or policy requirements and verifies the request is within budget limitations. The request is then either approved or rejected with the potential for the requester to resubmit. Lastly, the approved purchase order is issued an order number and prepared for submission to the vendor. The vendor approves and processes the order and the purchase order becomes a legally binding agreement.


Invoice Approval

The invoice approval process begins when the buying organization receives the supplier invoice. An authorized approver signifies whether or not the supplier invoice is valid and accurate before payment is processed.


Two-Way or Three-Way Matching

Matching is a process in which invoices are matched to purchase orders (2-way matching), receiving information (3-way matching), and inspection information (4-way matching). This is done before authorizing a given payment as it allows approvals to be based on more than just the purchase order and verifies the receipt of goods and services.


Auditing for Duplicates

This involves manually checking your files to make sure duplicate payments have not been made. An AP automation platform can offload this task by automatically flagging any duplicate invoices, thereby preventing erroneous payments.
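The matching and duplicate checks described above, sketched as an added example (not code from the original article or from any AP product). The record layout and field names are assumptions, the sample data is constructed, and prices are compared exactly where a real policy might allow a tolerance.

```python
import re
from decimal import Decimal

# Constructed sample records; field names are assumptions for this example.
PO = {"po": "PO-1001", "vendor": "ACME",
      "lines": {"WIDGET": (10, Decimal("4.00")), "BOLT": (100, Decimal("0.10"))}}
RECEIVED = {"PO-1001": {"WIDGET": 8, "BOLT": 100}}  # goods-receipt quantities per PO
INVOICES = [
    {"id": "INV-0042", "vendor": "ACME", "po": "PO-1001",
     "lines": {"WIDGET": (10, Decimal("4.00")), "BOLT": (100, Decimal("0.12"))}},
    {"id": "inv 42", "vendor": "Acme", "po": "PO-1001",  # same bill, re-keyed differently
     "lines": {"WIDGET": (10, Decimal("4.00")), "BOLT": (100, Decimal("0.12"))}},
]

def total(inv):
    return sum(qty * price for qty, price in inv["lines"].values())

def three_way_match(inv, po, received):
    """Return a list of exceptions; an empty list means the invoice can go to approval."""
    problems = []
    got = received.get(inv["po"], {})
    for sku, (qty, price) in inv["lines"].items():
        if sku not in po["lines"]:
            problems.append(f"{sku}: not on purchase order")
            continue
        po_qty, po_price = po["lines"][sku]
        if price != po_price:               # invoice vs. purchase order (2-way)
            problems.append(f"{sku}: billed {price}, PO price {po_price}")
        if qty > po_qty:
            problems.append(f"{sku}: billed {qty}, ordered {po_qty}")
        if qty > got.get(sku, 0):           # invoice vs. receiving record (3-way)
            problems.append(f"{sku}: billed {qty}, received {got.get(sku, 0)}")
    return problems

def dup_key(inv):
    # Normalise the invoice number so "INV-0042" and "inv 42" collide:
    # drop punctuation and case, then strip leading zeros from digit runs.
    number = re.sub(r"[^A-Z0-9]", "", inv["id"].upper())
    number = re.sub(r"(?<!\d)0+(?=\d)", "", number)
    return (inv["vendor"].strip().upper(), number, total(inv))

def find_duplicates(invoices):
    """Return (first_seen_id, duplicate_id) pairs sharing vendor, number and total."""
    seen, dups = {}, []
    for inv in invoices:
        first = seen.setdefault(dup_key(inv), inv["id"])
        if first != inv["id"]:
            dups.append((first, inv["id"]))
    return dups
```
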


2. Data Entry Controls

Once you’ve confirmed that an invoice needs to be paid, there are 2 different data entry controls that ensure an invoice is successfully recorded in the system.


Record Before Approval

When an invoice is sent to your organization, it is immediately recorded in the AP system to reference and check for accuracy later on.


Record After Approval

This control assumes every incoming invoice has the potential to be an error or duplicate. Therefore, the invoice goes through a verification process by an AP employee who confirms its accuracy before initiating approval. This prevents errors like an inaccurate input of the 9-digit account number or inputting negative amounts for payments which will need to be fixed later on.


3. Payment Entry Controls

Once your invoice is approved and put into the system, you now need to pay the bills. If your AP department is still using paper checks and a manual process for payments, there are a number of controls you’ll want to implement to increase security.


Segregation of Duties

Segregation of duties refers to the assignment of various tasks in the payment process. In regard to payment entry, it is a best practice to assign tasks based on role, on whether it is necessary and appropriate for the given person to be exposed to the information they’ll have access to, and on who can be granted the least amount of privileges required to complete the task. These tasks may overlap by necessity depending on the size of your organization.

Segregation of duties ensures different staff members are responsible for initiating and authorizing payments in the system. Similarly, if your business makes paper check payments, there should be one person who prepares the check and another person who signs the check. By doing so, you can mitigate fraud, theft, or the possibility of having one person taking too much control over the process. Having multiple eyes on an invoice can also help to catch a last-minute payment or entry error.


Track Check Numbers

When processing checks, keep a log of all check numbers going out. This helps you identify if certain checks are missing or if you missed a payment. One way MineralTree has implemented this payment entry control is through its PositivePay feature, which provides extra security and ensures that any check sent matches the one being deposited.


Manual Check Signing and Double Signing

It’s best practice to manually sign a check rather than using a stamp or signature stamp that could fall into the wrong hands. It’s also a good idea to have more than one person sign a check – especially if the payment exceeds a certain amount. These steps reduce the risk of error, fraud, and duplicate payments.


Secure Check Storage

All physical checks should be stored in a lockbox to maximize protection and avoid fraud. Additionally, all signature plates and stamps should be stored in a secure location to eliminate the risk of unauthorized usage. While MineralTree processes the bulk of the checks on behalf of the customer, it’s recommended to keep some check stock on hand for the occasional exception where you have to physically write a check.


Vendor Payment Information Updates

When sensitive vendor information changes — like account numbers and addresses — you’ll need to call the vendor and confirm accuracy as this can be an indicator of fraud. A benefit to using an automated system like MineralTree’s TotalAP is that you are notified when a sensitive change has been made. This allows you to confirm and update the information as soon as possible.

What are Best Practices for Internal Controls in AP?

The best practices for accounts payable internal controls are dependent on the type of control. Here we outline the different steps your organization should take to ensure secure and safe payments.

Store Documents in a Central Location

When it comes to data entry and storage, it’s best practice to store all necessary documents and invoices for approval in one digital system. An AP Documentation Management System is able to go through a large volume of invoice items more quickly than a human employee could and also eliminates the possibility of manual data entry errors. Not only does this populate a digital record of invoices, purchase orders, and shipping receipts in one central location, but it also allows users to assign different personnel to each task and ensure that a true checks-and-balances system is enforced.

Have Good Processes in Place

Good processes start with vendor enrollment. Information should be verified to ensure that all bank data and supplier details are correct. Once vendor profiles are set up, all subsequent changes to bank details should go through a review process. With the right technology in place, companies can quickly detect fake invoices, reducing their risk for fraud. For example, AP technology can scan this information and set up alerts for discrepancies in vendor data as invoices come in.

Use Checks & Balances through a Segregation of Duties Matrix

As noted above, it’s best practice to segregate duties in the AP workflow. To prevent fraud, at least two people must be involved in the payment of each invoice. Not only does this reduce human error, but it also mitigates the risk of internal fraud.

The pandemic created an opportunity for fraudsters to take advantage of a global transition for companies everywhere. 68% of those surveyed by PwC noted that they experienced increased misconduct risk as a result of COVID-19.

Companies need to set up checks and balances to ensure they have strong internal controls in place. Below are some examples:


Move to Electronic Payments

The best way to mitigate risk at the payment level is to move to an electronic payment system. There are a number of benefits to going digital — there’s no risk of losing a check in the mail, you’re alerted to duplicate invoices, and you can schedule when your suppliers receive their invoice payments. This improves the relationship you have with suppliers and boosts cash flow.

Adopt a Paperless Process

A paperless accounts payable process offers organizations numerous benefits. Not only is it easier to track invoice payments through a digital system, but tools such as AP automation also result in information being automatically updated and posted to your ERP system. With the right technology partner, you can also store all relevant documentation related to the invoice for easy access.

Automate the End-to-End AP Process

There are several areas within the manual AP process that require AP staff to intervene. But by automating the entire end-to-end AP process, your business can cut manual tasks, improving efficiency and reducing human error. Other benefits from automating the AP process include visibility into payment status, which not only allows your AP team to spot duplicate invoices and payments, but it also gives your vendors insight into when they can expect payment.

Internal Controls and Accounts Payable Automation

The finance landscape is constantly changing, and security and compliance have become a top priority for organizations. It’s important to remember that, as the industry evolves, tools and processes will change as well. It’s worthwhile to regularly evaluate your internal processes and procedures to see what’s working and what’s not, so your team can continue to effectively manage accounts payable.

Organizations are increasingly shifting to an automated AP system and it’s no wonder why. At MineralTree, security is in our DNA. We’ve created a solution where security is built into the framework. Internal controls are accounted for and are a natural part of the accounts payable workflow. This includes the ability to safeguard user access with strong passwords and automatic logouts after a period of inactivity. It also automatically creates an audit trail, which is essential and useful to look back on should something go wrong. Users are able to review the audit trail to see what specific actions were taken and note where a mistake was made. With all of these internal controls set in place, you can maximize your time and create a system of checks and balances designed to reduce duplicate payments, prevent fraud, minimize human error, and ensure compliance.

Internal Controls in Accounts Payable FAQs


What are Accounts Payable Controls?

Accounts payable controls are designed to help mitigate fraud and reduce risk across the entire AP department.

What is an Internal Control Over Accounts Payable?

Internal controls mitigate business risks. They are standardized operating procedures used by companies in their accounts payable process to mitigate the risk of human error, prevent fraud, reduce improper payments, and ensure regulatory compliance.

What is an Internal Audit in Accounts Payable?

An internal audit is a comprehensive look at invoice payments made via an organization. An internal audit will inspect all transactions to ensure that they are accurate and error-free.

What are the Types of Accounts Payable Internal Controls?

There are 3 different types of internal controls in accounts payable: Obligation to Pay Controls, Data Entry Controls, and Payment Entry Controls.

What is an Accounts Payable Risk Assessment?

An AP risk assessment analyzes your current process to determine what risks may affect your organization. This includes all steps in the invoice payment process, including invoice capture, payment, approval, and the facilitation of the payment. The goal of this assessment is to future-proof your organization from potential fraud risk.

What are the Biggest Risks in Accounts Payable?

The top accounts payable risks you need to look out for include:

  • Internal Fraud
  • Missing or Late Payments
  • Conflicts of Interest
  • Duplicate Payments
  • Lack of an Audit Trail
  • Poor Visibility into Invoice Payments

Kevin Eberman, Director of Operations

Kevin Eberman has proven ability and an enduring enthusiasm for Information Security. A Certified Information Systems Security Professional (CISSP), Kevin has more than 20 years of experience managing Information Security, Operations, and IT groups at startups and large technology companies. He has extensive technical knowledge of security, software development, cloud operations, networking, and high-availability solutions. As MineralTree’s Senior Director of Information Security, Kevin has shepherded the entire organization through a number of security certifications, including SOC 1, SOC 2, and PCI-DSS Level 1 Service Provider. As technology continues to evolve in new and exciting ways, Kevin and his team will continue playing a pivotal part in keeping MineralTree and its customers’ data secure. Follow Kevin on Twitter @Manager_of_it.