Accounts Payable Internal Controls: A Simple Checklist

By Abigail Gamble

Content Writer, AG Consulting

Since so much of your business's money flows through accounts payable (AP), it’s critical to protect the AP function from errors and fraud. This is done by implementing accounts payable internal controls: a way to ensure that your AP process runs smoothly and that your business doesn’t suffer financial losses. ✋

AP internal controls take the form of policies, procedures, and software that ensure all money movement is accounted for. 💸 Here at Relay, we work with small businesses and their accounting firms to integrate AP directly into online banking. Having seen first-hand why it’s so important to have strong controls in place, we’re sharing our AP internal control checklist to help you safeguard your AP process.

Let’s dive in!


What can go wrong with accounts payable?

There are many risks with managing accounts payable. Without strong AP internal controls in place, your business faces an increased risk of fraud, a higher likelihood of payment errors, and a higher potential for regulatory non-compliance. 🚫 

Let’s take a look at how things can go wrong with accounts payable in more depth.

Lack of AP controls can lead to fraud

If your AP process lacks internal controls, bad actors will have an easier time targeting your company. The source of fraud can be either internal — employees embezzling funds — or external, like fraudulent invoices being sent to your company. Internal controls help you put a stop to this. 🕵️

There's a common thread in almost all employee fraud stories: it's usually the person you trust the most. A maintenance man who uses the company card to spend $40,000 on personal items. A trusted marketing executive engaged in a billing scheme. A bookkeeper who embezzles $155,460 from a Kansas nursing center. Sometimes, the financial loss can be so significant that the business is forced to shut down. With proper controls in place, you can rely on strong processes rather than blind trust.

AP without internal controls leads to duplicate payments

Mistakes due to human error are commonplace in many companies. But when those mistakes happen in your AP process, they can become very costly. 💰 This usually takes the form of duplicate payments — someone paying a vendor twice or even more times for the same invoice. Undoing these types of mistakes is usually costly and time-consuming.

You risk regulatory non-compliance without AP controls

In the United States, the IRS mandates specific financial recordkeeping practices for businesses. For example, you may be required to collect W-9 forms from certain payees. And if you fail to collect them due to poor internal controls, you may be on the hook for fines from the IRS.

In short, a poor AP process exposes your business to potential compliance risks. 🧑‍⚖️ With better internal controls in place, you can ensure your business is compliant.

Internal controls are critical for small businesses

Too many small businesses fail to consider the security risks associated with AP. But think about it — AP is how cash leaves your company. If things go wrong, you could be faced with tremendous financial loss, not to mention frustration and a drain of your time. 😔 Next, we’ll take a look at exactly what internal controls are and how you can implement them. 

What are internal controls for accounts payable?

Accounts payable internal controls are a system of internal practices and measures that help a business manage and limit the risks of financial damage. The AP control process can be broken down into three parts:

  1. Obligation to pay controls.

  2. Data entry controls.

  3. Payment controls.

Let’s explore these key elements in more depth.

What are obligation to pay controls?

Obligation to pay controls are measures you take to verify that your business is actually required to pay an invoice that has been received from a vendor. This is the first step in the AP process and can be done by your internal team or an outsourced AP department. 🔏

In short, do you actually owe the creditor the amount listed on the invoice?

Obligation to pay controls can either be weak 👎 or strong, 👍 depending on how your business processes unpaid bills.

Weak obligation to pay controls:

The person approving the bill is only given the supplier invoice and has no way of verifying that the goods or services were actually provided. They also have no way of knowing which account the payment is going to be taken from.

Stronger obligation to pay controls:

The person approving the bill has access to the purchase order (even better if the purchase order was previously approved by the purchasing department), the supplier invoice, and information about the account that will be charged.

What are data entry controls?

Data entry controls ensure that all the relevant information from a supplier's invoice has been correctly entered into the accounts payable system. 🗂️ AP automation can help ensure both the efficiency and accuracy of this step, supporting internal controls. 

Data entry controls will either be weak 👎 or strong. 👍

Weak data entry controls:

The business has no specific coding standards, which means there will be inconsistencies in how invoices are recorded. As a result, invoices may be processed more than once, leading to duplicate payments.

Stronger data entry controls:

To have stronger data entry controls, the business should ensure that its data entry process always follows the same format. ☑️ This could mean recording the leading zeros or dashes of an invoice number the exact same way every time.

For example, record a total of 6 digits for every invoice number, with zeros always filling in the blanks before the first invoice digit. This helps the AP department actively scan for and detect duplicate invoices.
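The 6-digit rule described above, sketched as an added example (not code from Relay or from the original article). It assumes invoice numbers are purely numeric once dashes, spaces and prefixes are stripped, and that a duplicate means the same vendor plus the same normalized number; the record fields and sample data are constructed for illustration.

```python
import re
from collections import defaultdict

WIDTH = 6  # the article's example: every invoice number stored as 6 digits


def normalize_invoice_number(raw, width=WIDTH):
    """Return the canonical form: digits only, left-padded with zeros."""
    digits = re.sub(r"\D", "", raw)        # drop dashes, spaces, "INV" prefixes
    if not digits:
        raise ValueError(f"no digits in invoice number {raw!r}")
    digits = digits.lstrip("0") or "0"     # leading zeros carry no information
    if len(digits) > width:
        # Refuse rather than truncate: truncation would create false matches.
        raise ValueError(f"{raw!r} does not fit in {width} digits")
    return digits.zfill(width)


def find_duplicates(invoices, key=normalize_invoice_number):
    """Group invoice ids by (vendor, keyed number); return groups of 2 or more."""
    groups = defaultdict(list)
    for inv in invoices:
        groups[(inv["vendor"], key(inv["number"]))].append(inv["id"])
    return {k: ids for k, ids in groups.items() if len(ids) > 1}


# Constructed sample: one invoice keyed three different ways, plus two
# legitimate invoices that must not be flagged.
SAMPLE = [
    {"id": "AP-1", "vendor": "V100", "number": "1234"},
    {"id": "AP-2", "vendor": "V100", "number": "001234"},
    {"id": "AP-3", "vendor": "V100", "number": "00-1234"},
    {"id": "AP-4", "vendor": "V200", "number": "1234"},   # other vendor
    {"id": "AP-5", "vendor": "V100", "number": "1235"},   # other invoice
]

if __name__ == "__main__":
    print("raw comparison:       ", find_duplicates(SAMPLE, key=str))
    print("normalized comparison:", find_duplicates(SAMPLE))
```

Comparing the raw strings finds nothing, while the normalized comparison groups AP-1, AP-2 and AP-3 as one invoice entered three times.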

What are payment controls?

The purpose of invoice payment controls is to ensure that funds are only accessed for legitimate payments 💳 and that those payments are then reconciled accurately within your general ledger. 📒

As with all others, invoice payment controls can either be weak 👎 or strong. 👍

Weak invoice payment controls:

Weak invoice payment controls are usually the result of a business having no payment approval process, relying on check payments, and having no permission model for the team members who are making payments.

For example, if the same person is responsible for both printing checks and signing them, this opens up the payment process to human error or abuse. 😵‍💫

Stronger invoice payment controls:

To have strong payment controls, you should require a cross-check or additional check signer before cash is released from your business account.

Better yet, eliminate checks from your payments process altogether. One way to do this is to use Relay Pro, which allows for AP automation, approval workflows, and same-day ACH.

Best practices for your AP process

There are three tried and true approaches to accounts payable internal controls:

  1. Establishing a separation of duties.

  2. Reviewing your approval process.

  3. Implementing strong payments solutions.

Beyond these three, investing in AP automation 🔄 is another strategy to tighten up AP controls in your business, and it comes with other benefits.

Here are the AP best practices in more detail:

1. Establish separation of duties

You reduce the risk of fraud when you assign different elements of the AP process to different parties. 🙆

For example, UC San Diego, which pays out around $2 million USD to vendors every day, suggests that the following tasks should all be overseen by a different person:

  • Purchase approvals.

  • Receipt of ordered materials or services.

  • Invoice approvals for payment.

  • Review and reconciliation of financial records.

When duties are separated and you have multiple people cross-referencing the process, you reduce the risk of unauthorized payments.

2. Review your approvals strategy  

If you take a look at your approvals strategy, you may find there are holes in your current approach that would allow unscrupulous parties to commit fraud. 👀

To start, CPA Practice Advisor recommends you avoid paper or even emails for approvals. ✉️ Automation is helpful here if you use tools that have built-in approval options (more on this later).

You can implement a lot of best practices for your approval strategy:

  • Different people should be approving your invoices and payments.

  • Whoever ordered a product or service should be involved in approving the expense. 

  • Senior management approval should be required for purchases over a certain amount.

  • Assign more than one person to approve payments, increasing accountability in your AP process.

  • Make sure invoices are matched based on price, quantity, and terms to an approved purchase order (PO) before they are paid (also known as the "three-way match").

3. Consider payment alternatives

While 24.7% of all B2B payments are made by check, other options are not only more efficient but can enable better internal controls. 

The CPE Store, a registered accounting and tax educator, lists wire transfers and electronic payments made via ACH as two alternative payment methods that are both safer and faster than sending a check. 🚗💨

Some internal control best practices associated with ACH payments include:

  • If you are using other payment methods besides ACH, double-check for duplicate payments. Ideally, every vendor should be paid using just one payment method.

  • On accounts where ACH debits are allowed, reconcile bank accounts with accounting daily.

  • If possible, use a separate device for your online banking activities.

Automating AP internal controls

Implementing best practices is a great idea, but it can get cumbersome to execute. 😪 

You can rely on automation instead. Relay Pro is one accounts payable solution that can help your small business implement best practices and put internal controls on autopilot. 

With Relay Pro, your AP process is built directly into banking and comes with role-based permissions for users, automated single- and multi-step approval workflows, same-day ACH payments, and automatic reconciliation with QuickBooks Online and Xero. 🧾

[Image: AP internal controls with Relay Pro, approval rules]

Platforms like Relay can help you implement internal controls — but they also help you respond quickly in the event of fraud. In one case study involving employee fraud, Relay helped a business secure its funds in days — while other institutions took weeks.

[Image: Comparing the security response rate with Relay vs. traditional banks]

AP internal control checklist

To help you establish internal controls for your business, below you will find a bulleted checklist of key questions to ask yourself to keep you on track. ✅

Separation of duties

Have we made different people responsible for:

  • Purchase approvals?

  • Receipt of ordered materials or services?

  • Invoice approvals for payment?

  • Review and reconciliation of financial records?


Have we made it policy that:

  • Staff who order a product or service are involved in approving their expense?

  • Senior management approval is required if the purchase is over a certain amount?

  • More than one person is set to approve payments?

  • Invoices are always three-way matched to an approved purchase order (PO)?


Have we moved away from checks, and switched to ACH, wire, or same-day ACH payments, and do we:

  • Double-check for duplicate payments if other payment methods are also utilized? 

  • Do daily bank account reconciliations?

  • If possible, use a separate device for online banking activities? 

  • Look into and stay up-to-date on any fraud protection products offered by our bank?

Final questions

  • Have we otherwise automated our AP process, achieving greater accuracy, efficiency and security overall?

  • Have we codified these internal controls and outlined them as policy so that all employees are aware of what they are?

Now that you understand how to create strong internal controls for your accounts payable process, you are ready to continue on your AP journey. If you're looking to simplify AP while ensuring your business is secure from fraud and human error, check out Relay's money management platform and learn how it can automate your AP process.