Internal Controls for Accounts Payable: Best Practices & Tips

Internal controls mitigate business risks. They are standardized operating procedures used by companies in their accounts payable process to mitigate the risk of human error, prevent fraud, reduce improper payments, and ensure regulatory compliance. Many AP departments could improve their overall efficiency by evaluating existing accounts payable procedures and identifying areas for improvement. Let’s dive into the three types of internal controls your AP department should be using and explore some best practices.



Why are Internal Controls Important?

Internal controls are required to help ensure the safety and security of your organization’s payments and mitigate fraud. According to J.P. Morgan’s 2021 AFP Payments Fraud and Control Survey, 82% of organizations were subject to attempted or successful fraud in 2019.


Security threats are on the rise. Companies and organizations of all sizes are vulnerable. It’s important to have processes in place that ensure your organization is prepared for a worst-case scenario such as internal or occupational fraud attempts, or fraudulent vendor invoices.


Internal controls mitigate risk by creating a system of checks and balances within your AP department. Having a variety of sources to trace back potential mistakes allows for shared responsibility and automatically decreases exposure, both internal and external.


Examining the Three Types of Internal Controls

There are three types of accounts payable internal controls that should be utilized to keep your payments safe and avoid human error.


1. Obligation to Pay Controls

With obligation to pay controls in place, organizations are able to verify the accuracy of invoices and ensure they’re paying for items they’ve truly received. Common steps for obligation to pay controls include:

  1. Purchase order approval – Depending on your business, the procurement department may issue a purchase order which confirms the approval of spending before it occurs. This helps keep track of spending and prevents excess cash from leaving the company. The first step in this process is for the individual or department in need of a good or service to fill out a formal purchase requisition form. If and when the purchase requisition has been approved, it is then routed to the purchasing department. Next, procurement proofs the request for accuracy and compliance of any legal or policy requirements and verifies the request is within budget limitations. The request is then either approved or rejected with the potential for the requester to resubmit. Lastly, the approved purchase order is issued an order number and prepared for submission to the vendor. The vendor approves and processes the order and the purchase order becomes a legally binding agreement.
  2. Invoice approval – The invoice approval process begins when the buying organization receives the supplier invoice. An authorized approver signifies whether or not the supplier invoice is valid and accurate before payment is processed.
  3. Two-way or three-way matching – Matching is a process in which invoices are matched to purchase orders (2-way matching), receiving information (3-way matching), and inspection information (4-way matching). This is done before authorizing a given payment as it allows approvals to be based on more than just the purchase order and verifies the receipt of goods and services. Do note that most organizations only require 2-way matching, and if 3 or 4-way matching is required it should be specified.
  4. Auditing for duplicates – This involves manually checking your files to make sure duplicate payments have not been made. An AP automation platform can offload this task by automatically flagging any duplicate invoices, thereby preventing erroneous payments.
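
The matching and duplicate checks from the list above, sketched in Python as an added illustration (not MineralTree's code or any AP product's API). The record layout, function names, and sample data are assumptions constructed for this example.

```python
import re
from collections import namedtuple
from decimal import Decimal

Invoice = namedtuple("Invoice", "vendor number po_number qty amount")

# Constructed sample records: approved POs and units received against each PO.
PURCHASE_ORDERS = {"PO-1001": {"vendor": "acme", "qty": 10, "unit_price": Decimal("25.00")}}
RECEIPTS = {"PO-1001": 8}

def match_exceptions(inv, ways=2):
    """Return reasons the invoice fails 2-way (PO) or 3-way (PO + receipt) matching."""
    po = PURCHASE_ORDERS.get(inv.po_number)
    if po is None:
        return ["no approved purchase order"]
    problems = []
    if po["vendor"] != inv.vendor:
        problems.append("vendor differs from purchase order")
    if inv.qty > po["qty"]:
        problems.append("quantity exceeds purchase order")
    if inv.amount != inv.qty * po["unit_price"]:
        problems.append("amount differs from PO price")
    if ways >= 3 and inv.qty > RECEIPTS.get(inv.po_number, 0):
        problems.append("quantity exceeds goods received")
    return problems

def invoice_key(inv):
    """Normalize so 'INV-0042' and 'inv 42' from one vendor count as the same invoice."""
    number = re.sub(r"[^A-Z0-9]", "", inv.number.upper())
    number = re.sub(r"(?<!\d)0+(?=\d)", "", number)  # drop leading zeros only
    return (inv.vendor.lower(), number, inv.amount)

def review(invoices, ways=2):
    """Map invoice number -> list of exceptions; an empty list means ready for approval."""
    seen, results = set(), {}
    for inv in invoices:
        problems = match_exceptions(inv, ways)
        if invoice_key(inv) in seen:
            problems.append("possible duplicate invoice")
        seen.add(invoice_key(inv))
        results[inv.number] = problems
    return results

# Constructed sample batch: a clean invoice, a re-keyed copy of it, and one with no PO.
SAMPLE = [
    Invoice("acme", "INV-0042", "PO-1001", 10, Decimal("250.00")),
    Invoice("acme", "inv 42", "PO-1001", 10, Decimal("250.00")),
    Invoice("acme", "INV-0043", "PO-9999", 1, Decimal("25.00")),
]
```

Calling `review(SAMPLE)` applies 2-way matching, while `review(SAMPLE, ways=3)` also holds the first invoice because only 8 of the 10 billed units were received.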

Best practice for obligation to pay controls: There are a lot of moving parts within the obligation to pay control and it’s recommended to store all documents in one digital space that is managed through AP automation. Not only does this populate a digital record of invoices, purchase orders, and shipping receipts in one central location, but it also allows users to assign different personnel to each task and ensure that a true checks-and-balances system is enforced.


2. Data Entry Controls

Once you’ve confirmed that an invoice needs to be paid, there are two different data entry controls that ensure an invoice is successfully recorded in the system.

  1. Record before approval – When an invoice is sent to your organization, it is immediately recorded in the AP system to reference and check for accuracy later on.
  2. Record after approval – This control assumes every incoming invoice has the potential to be an error or duplicate. Therefore, the invoice goes through a verification process by an AP employee who confirms its accuracy before initiating approval. This prevents errors like an inaccurate input of the 9-digit account number or inputting negative amounts for payments which will need to be fixed later on.

Best practice for data entry controls: When it comes to data entry and storage, it’s best practice to store all necessary documents and invoices for approval in one digital system. An automated AP system is able to go through a large volume of invoice items more quickly than a human employee could and also eliminates the possibility of manual data entry errors.


3. Payment Entry Controls

Once your invoice is approved and put into the system, you now need to pay the bills. If your AP department is still using paper checks and a manual process for payments, there are a number of controls you’ll want to implement to increase security.

  1. Segregation of duties – This refers to how the various tasks in the payment process are assigned. For payment entry, it is a best practice to assign tasks based on role, on whether the person needs and should be exposed to the information they’ll have access to, and on the least amount of privileges required to complete the task. Depending on the size of your organization, these tasks may overlap by necessity.
    Segregation of duties is present when there is a separate person for initiating payments and authorizing payments in the system. Similarly, if your business makes paper check payments, there should be one person who prepares the check and another person who signs the check. By doing so, you can mitigate fraud, theft, or the possibility of having one person taking too much control over the process. Having multiple eyes on an invoice can also help to catch a last-minute payment or entry error.
  2. Track check numbers – As checks are being processed, keep a log of all check numbers going out. This helps you identify if certain checks are missing or if you missed a payment. One way MineralTree has implemented this payment entry control is through its PositivePay feature, which provides extra security and ensures that any check sent matches the one being deposited.
  3. Manual check signing and double signing – It’s a best practice to manually sign a check rather than using a stamp or signature stamp that could fall into the wrong hands. It’s also a good idea to have more than one person sign a check – especially if the payment exceeds a certain amount. These steps reduce the risk of error, fraud, and duplicate payments. And when using an automated system like MineralTree, customers don’t even have to write or sign checks – it’s safely done on their behalf.
  4. Secure check storage – All physical checks should be stored in a lockbox to maximize protection and to avoid fraud. Additionally, all signature plates and stamps should be stored in a secure location to eliminate the risk of unauthorized usage. While MineralTree processes the bulk of the checks on behalf of the customer, it’s recommended to keep some check stock on hand for the occasional exception where you have to physically write a check.
  5. Vendor Payment Information Updates – When sensitive vendor information, like account numbers and addresses, changes, you’ll need to call the vendor and confirm accuracy, as such a change can be an indicator of fraud. A benefit to using an automated system like MineralTree’s invoice-to-pay is that you are notified when a sensitive change has been made. This allows you to confirm and update the information as soon as possible.

Best practice for payment entry controls: The best way to mitigate risk at the payment level is to move to an electronic payment system. There are a number of benefits to going digital — there’s no risk of losing a check in the mail, you’re alerted of a duplicate invoice, and you can schedule when your suppliers receive their invoice payments. This improves the relationship you have with suppliers and boosts cash flow.



Internal Controls and Accounts Payable Automation

The finance landscape is constantly changing, and security and compliance have become a top priority for organizations. It’s important to remember that, as the industry evolves, tools and processes will change as well. It’s worthwhile to regularly evaluate your internal processes and procedures to see what’s working and what’s not.


Organizations are increasingly shifting to an automated AP system, and it’s no wonder why. At MineralTree, security is in our DNA. We’ve created a solution where security is built into the framework. Internal controls are accounted for and are a natural part of the Accounts Payable workflow. This includes the ability to safeguard user access with strong passwords and automatic logouts after a period of inactivity. It also automatically creates an audit trail, which is essential and useful to look back on should something go wrong. Users are able to review the audit trail to see what specific actions were taken and note where a mistake was made. With all of these internal controls in place, you can maximize your time and create a system of checks and balances designed to reduce duplicate payments, prevent fraud, minimize human error, and ensure compliance.



Kevin Eberman, Director of Operations

Kevin Eberman has proven ability and an enduring enthusiasm for Information Security. A Certified Information Systems Security Professional (CISSP), Kevin has more than 20 years of experience managing Information Security, Operations, and IT groups at startups and large technology companies. He has extensive technical knowledge of security, software development, cloud operations, networking, and high-availability solutions. As MineralTree’s Senior Director of Information Security, Kevin has shepherded the entire organization through a number of security certifications, including SOC 1, SOC 2, and PCI-DSS Level 1 Service Provider. As technology continues to evolve in new and exciting ways, Kevin and his team will continue playing a pivotal part in keeping MineralTree and its customers’ data secure. Follow Kevin on Twitter @Manager_of_it.