April 7, 2022•6 minute read

Accounts Payable Internal Controls: A Simple Checklist

Abigail Gamble

Content Writer at AG Consulting


Written by: Abigail Gamble

Abigail Gamble is an internationally-based writer, editor and content strategist.


Since so many of your business funds flow through accounts payable (AP), it’s critical to protect the AP function from errors and fraud. This is done by implementing accounts payable internal controls: a way to ensure that your AP process runs smoothly and that your business doesn’t suffer financial losses. ✋ 

AP internal controls take the form of policies, procedures, and software that ensure all money movement is accounted for. 💸 Here at Relay, we work with small businesses and their accounting firms to integrate AP directly into online banking. Having seen first-hand why it’s so important to have strong controls in place, we’re sharing our AP internal control checklist to help you safeguard your AP process.

Let’s dive in!



What can go wrong with accounts payable?

There are many risks with managing accounts payable. Without strong AP internal controls in place, your business faces an increased risk of fraud, a higher likelihood of payment errors, and a higher potential for regulatory non-compliance. 🚫 

Let’s take a look at how things can go wrong with accounts payable in more depth.

Lack of AP controls can lead to fraud

If your AP process lacks internal controls, bad actors will have an easier time targeting your company. The source of fraud can be either internal — employees embezzling funds — or external, like fraudulent invoices being sent to your company. Internal controls help you put a stop to this. 🕵️

There's a common thread in almost all employee fraud stories: it's usually the person you trust the most. A maintenance man who uses the company card to spend $40,000 on personal items. A trusted marketing executive engaged in a billing scheme. A bookkeeper who embezzles $155,460 from a Kansas nursing center. Sometimes, the financial loss can be so significant that the business is forced to shut down. With proper controls in place, you can rely on strong processes rather than blind trust.

AP without internal controls leads to duplicate payments

Mistakes due to human error are commonplace in many companies. But when those mistakes happen in your AP process, they can become very costly. 💰 This usually takes the form of duplicate payments — someone paying a vendor twice or even more times for the same invoice. Undoing these types of mistakes is usually costly and time-consuming.


You risk regulatory non-compliance without AP controls

In the United States, the IRS mandates specific financial recordkeeping practices for businesses. For example, you may be required to collect W-9 forms from certain payees. And if you fail to collect them due to poor internal controls, you may be on the hook for fines from the IRS.

In short, a poor AP process exposes your business to potential compliance risks. 🧑‍⚖️ With better internal controls in place, you can ensure your business is compliant.

Internal controls are critical for small businesses

Too many small businesses fail to consider the security risks associated with AP. But think about it — AP is how cash leaves your company. If things go wrong, you could be faced with tremendous financial loss, not to mention frustration and a drain of your time. 😔 Next, we’ll take a look at exactly what internal controls are and how you can implement them. 

What are internal controls for accounts payable?

Accounts payable internal controls are a system of internal practices and measures that help a business manage and limit the risks of financial damage. The AP control process can be broken down into three parts:

  1. Obligation to pay controls.

  2. Data entry controls.

  3. Payment controls.

Let’s explore these key elements in more depth.

What are obligation to pay controls?

Obligation to pay controls are measures you take to verify that your business is actually required to pay an invoice that has been received from a vendor. This is the first step in the AP process and can be done by your internal team or an outsourced AP department. 🔏

In short, do you actually owe the creditor the amount listed on the invoice?

Obligation to pay controls can either be weak 👎 or strong, 👍 depending on how your business processes unpaid bills.

Weak obligation to pay controls:

The person approving the bill is only given the supplier invoice and has no way of verifying that the goods or services were actually provided. They also have no way of knowing which account the payment is going to be taken from.

Stronger obligation to pay controls:

The person approving the bill has access to the purchase order (even better if the purchase order was previously approved by the purchasing department), the supplier invoice, and information about the account that will be charged.

What are data entry controls?

Data entry controls ensure that all the relevant information from a supplier's invoice has been correctly entered into the accounts payable system. 🗂️ AP automation can help ensure both the efficiency and accuracy of this step, supporting internal controls. 

Data entry controls will either be weak 👎 or strong. 👍

Weak data entry controls:

The business has no specific coding standards, which means there will be inconsistencies in how invoices are recorded. As a result, invoices may be processed more than once, leading to duplicate payments.

Stronger data entry controls:

To have stronger data entry controls, you should ensure that your data entry process always follows the same format. ☑️ This could mean recording the leading zeros or dashes of an invoice number in exactly the same way every time.

For example, a total of 6 digits for every invoice, with zeros always filling in the blanks before the first invoice digit. This helps the AP department actively scan for and detect duplicate invoices.
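The fixed-format rule above can be enforced in code before an invoice reaches the payment queue. The following is an added example, not part of the original article or of Relay's product: it canonicalizes invoice numbers to the six-digit, zero-padded form and flags duplicates per vendor. The record fields (`id`, `vendor`, `number`) and the sample invoices are constructed for illustration.

```python
import re
from collections import defaultdict

INVOICE_WIDTH = 6  # the article's example format: six digits, zero-padded


def normalize_invoice_number(raw, width=INVOICE_WIDTH):
    """Return the canonical form of an invoice number or raise ValueError."""
    # Drop separators that get keyed in inconsistently (spaces, dashes, dots, slashes, '#').
    cleaned = re.sub(r"[\s\-./#]", "", raw)
    if not (cleaned.isascii() and cleaned.isdigit()):
        raise ValueError(f"invoice number {raw!r} is not purely numeric")
    # Remove whatever leading zeros were typed, then pad back to the fixed width.
    digits = cleaned.lstrip("0") or "0"
    if len(digits) > width:
        raise ValueError(f"invoice number {raw!r} exceeds {width} digits")
    return digits.zfill(width)


def find_duplicates(invoices):
    """Group invoices by (vendor, canonical number).

    Returns (duplicates, rejected): duplicates maps each key seen more than
    once to the record ids that share it; rejected lists records whose number
    does not fit the coding standard and needs manual review.
    """
    seen = defaultdict(list)
    rejected = []
    for inv in invoices:
        try:
            number = normalize_invoice_number(inv["number"])
        except ValueError as exc:
            rejected.append((inv["id"], str(exc)))
            continue
        seen[(inv["vendor"].strip().lower(), number)].append(inv["id"])
    duplicates = {key: ids for key, ids in seen.items() if len(ids) > 1}
    return duplicates, rejected


# Constructed sample data: AP-1 and AP-2 are the same invoice keyed two ways.
SAMPLE_INVOICES = [
    {"id": "AP-1", "vendor": "Acme Supply", "number": "4217"},
    {"id": "AP-2", "vendor": "acme supply ", "number": "00-4217"},
    {"id": "AP-3", "vendor": "Acme Supply", "number": "004218"},
    {"id": "AP-4", "vendor": "Birch Logistics", "number": "4217"},
    {"id": "AP-5", "vendor": "Birch Logistics", "number": "INV-77A"},
]

if __name__ == "__main__":
    dups, rejected = find_duplicates(SAMPLE_INVOICES)
    for (vendor, number), ids in dups.items():
        print(f"possible duplicate: {vendor} invoice {number} -> {ids}")
    for rec_id, reason in rejected:
        print(f"needs review: {rec_id}: {reason}")
```

Records that cannot be normalized are routed to review rather than silently dropped, so a malformed number cannot be used to slip a repeat invoice past the duplicate check.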


What are payment controls?

The purpose of invoice payment controls is to ensure that funds are only accessed for legitimate payments 💳 and that those payments are then reconciled accurately within your general ledger. 📒

As with all others, invoice payment controls can either be weak 👎 or strong. 👍

Weak invoice payment controls:

Weak invoice payment controls are usually the result of a business having no payment approval process, relying on check payments, and having no permission model for the team members who are making payments.

For example, if the same person is responsible for both printing checks and signing them, this opens up the payment process to human error or abuse. 😵‍💫

Stronger invoice payment controls:

To have strong payment controls, you should require a cross-check or additional check signer before cash is released from your business account.

Better yet, eliminate checks from your payments process altogether. One way to do this would be to use Relay Pro, which allows for AP automation, approval workflows, and same-day ACH. 

Best practices for your AP process

There are three tried and true approaches to accounts payable internal controls:

  1. Establishing a separation of duties.

  2. Reviewing your approval process.

  3. Implementing strong payments solutions.

Beyond the three, investing in AP automation 🔄 is another strategy to tighten up AP controls in your business and comes with other benefits.

Here are the AP best practices in more detail:

1. Establish separation of duties

You reduce the risk of fraud when you assign different elements of the AP process to different parties. 🙆

For example, UC San Diego, which pays out around $2 million USD to vendors every day, suggests that the following tasks should all be overseen by a different person:

  • Purchase approvals.

  • Receipt of ordered materials or services.

  • Invoice approvals for payment.

  • Review and reconciliation of financial records.

When duties are separated and you have multiple people cross-referencing the process, you reduce the risk of unauthorized payments. 

2. Review your approvals strategy  

If you take a look at your approvals strategy you may find there are holes in your current approach that would allow unscrupulous parties to commit fraud. 👀

To start, CPA Practice Advisor recommends you avoid paper or even emails for approvals. ✉️ Automation is helpful here if you use tools that have built-in approval options (more on this later).

You can implement a lot of best practices for your approval strategy:

  • Different people should be approving your invoices and payments.

  • Whoever ordered a product or service should be involved in approving the expense. 

  • Senior management approval should be required for purchases over a certain amount.

  • Assign more than one person to approve payments, increasing accountability in your AP process.

  • Make sure invoices are matched based on price, quantity, and terms to an approved purchase order (PO) before they are paid (also known as the "three-way match").
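The separation-of-duties list and the approval rules above can be evaluated together as a pre-payment check. The following is an added example, not part of the original article or of Relay's product: it matches an invoice to its approved PO on price, quantity, and terms, then tests the people involved against each rule. The record layout, the names, and the senior-approval threshold are assumptions made for illustration.

```python
from dataclasses import dataclass
from itertools import combinations

SENIOR_APPROVAL_CENTS = 500_000  # assumed threshold; the article only says "a certain amount"


@dataclass
class PurchaseOrder:
    requester: str
    approved_by: str
    unit_price_cents: int
    quantity: int
    terms: str


@dataclass
class Payment:
    po_id: str
    unit_price_cents: int   # as stated on the supplier invoice
    quantity: int
    terms: str
    received_by: str
    invoice_approvers: set
    payment_approvers: set
    reconciled_by: str


def check_payment(pay, orders, senior_staff):
    """Return the list of control violations for one payment (empty = release)."""
    po = orders.get(pay.po_id)
    if po is None:
        return ["no approved purchase order on file"]
    findings = []
    # Match the invoice to the approved PO on price, quantity and terms.
    for field in ("unit_price_cents", "quantity", "terms"):
        if getattr(pay, field) != getattr(po, field):
            findings.append(f"{field} differs from PO")
    # Separation of duties: nobody may hold two of the four duties.
    duties = {
        "purchase approval": {po.approved_by},
        "receipt": {pay.received_by},
        "invoice approval": pay.invoice_approvers,
        "reconciliation": {pay.reconciled_by},
    }
    for (a, who_a), (b, who_b) in combinations(duties.items(), 2):
        for person in sorted(who_a & who_b):
            findings.append(f"{person} holds both {a} and {b}")
    # Approval rules from the list above.
    if po.requester not in pay.invoice_approvers:
        findings.append("requester did not approve the expense")
    if pay.invoice_approvers & pay.payment_approvers:
        findings.append("same person approved invoice and payment")
    if len(pay.payment_approvers) < 2:
        findings.append("fewer than two payment approvers")
    total = pay.unit_price_cents * pay.quantity
    if total >= SENIOR_APPROVAL_CENTS and not (pay.payment_approvers & senior_staff):
        findings.append("senior management approval missing")
    return findings


# Constructed sample data: GOOD passes every rule, BAD concentrates duties in one person.
ORDERS = {"PO-1001": PurchaseOrder("dana", "erin", 120_000, 5, "NET30")}
SENIOR = {"gus"}
GOOD = Payment("PO-1001", 120_000, 5, "NET30", "femi", {"dana"}, {"gus", "hana"}, "ivo")
BAD = Payment("PO-1001", 125_000, 5, "NET30", "erin", {"erin"}, {"erin"}, "ivo")
```

Amounts are held as integer cents so the price comparison is exact; a payment is released only when `check_payment` returns an empty list.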

3. Consider payment alternatives

While 24.7% of all B2B payments are made by check, other options are not only more efficient but can enable better internal controls. 

The CPE Store, a registered accounting and tax educator, lists wire transfers and electronic payments made via ACH as two alternative payment methods that are both safer and faster than sending a check. 🚗💨

Some internal control best practices associated with ACH payments include:

  • If you are using other payment methods besides ACH, double-check for duplicate payments. Ideally, every vendor should be paid using just one payment method.

  • On accounts where ACH debits are allowed, reconcile bank accounts with accounting daily.

  • If possible, use a separate device for your online banking activities.


Automating AP internal controls

Implementing best practices is a great idea, but it can get cumbersome to execute. 😪 

You can rely on automation instead. Relay Pro is one accounts payable solution that can help your small business implement best practices and put internal controls on autopilot. 

With Relay Pro, your AP process is built directly into banking and comes with role-based permissions for users, automated single- and multi-step approval workflows, same-day ACH payments, and automatic reconciliation with QuickBooks Online and Xero. 🧾


Platforms like Relay can help you implement internal controls — but they also help you respond quickly in the event of fraud. In one case study involving employee fraud, Relay helped a business secure its funds in days — while other institutions took weeks.

Comparing the security response rate with Relay vs. traditional banks

AP internal control checklist

To help you establish internal controls for your business, below you will find a bulleted checklist of key questions to ask yourself and keep you on track. ✅

Separation of duties

Have you made different people responsible for:

  • Purchase approvals?

  • Receipt of ordered materials or services?

  • Invoice approvals for payment?

  • Review and reconciliation of financial records?

Approvals 

Have we made it policy that:

  • Staff who order a product or service are involved in approving their expense?

  • If the purchase is over a certain amount, senior management approval is required?

  • More than one person is set to approve payments?

  • Invoices are always three-way matched to an approved purchase order (PO)?

Payments

Have we moved away from checks, and switched to ACH, wire, or same-day ACH payments, and do we:

  • Double-check for duplicate payments if other payment methods are also utilized? 

  • Do daily bank account reconciliations?

  • If possible, use a separate device for online banking activities? 

  • Look into and stay up-to-date on any fraud protection products offered by our bank?

Final questions

  • Have we otherwise automated our AP process, achieving greater accuracy, efficiency and security overall?

  • Have we codified these internal controls and outlined them as policy so that all employees are aware of what they are?


Now that you understand how to create strong internal controls for your accounts payable process, you are ready to continue on your AP journey. If you're looking to simplify AP while ensuring your business is secure from fraud and human error, check out Relay's money management platform and learn how it can automate your AP process.
