
Accounts Payable Internal Controls and Why They Should Start Before the Invoice


Accounts payable internal controls shouldn’t start at the invoice. This guide shows growing/mid-market finance teams how to build preventive controls before spend is committed, strengthen segregation of duties, and use a practical checklist to reduce fraud, duplicate payments, and audit stress.
- Essential AP internal controls
- Common risks without controls
- Why accounts payable internal controls should start before the invoice
- What “good” AP control looks like in a scaling company
- Accounts payable internal controls checklist
- Accounts payable internal controls: why timing determines effectiveness
Accounts payable controls are often ineffective because they are implemented too late, typically only when an invoice reaches Accounts Payable. At that stage, finance is responding to risk rather than managing it proactively. Effective controls should be established earlier, at the point when a purchase need is first identified. This is where spending intent originates and where controls are most effective in preventing unexpected invoices, reducing fraud risk, and ensuring that approvals remain robust and defensible.
For mid-sized finance teams (200–2,000 employees), this timing problem is especially acute. You’re managing fast growth, more spend owners, and increasing SaaS and services spend happening outside finance—often without the headcount to enforce perfect processes. Policies may be in place, but accounts payable controls often fail because they rely on reactive checks rather than preventive design, despite common best-practice guidance.
This article focuses specifically on how to design internal controls in accounts payable that work upstream without adding friction for the business. It outlines how to redesign control timing, align controls with real-world constraints, and establish a practical foundation that prevents issues rather than merely detecting them, shifting from invoice handling to strategic spend management.

Essential AP internal controls
Most accounts payable internal controls are presented as a checklist, but without a clear sense of when they should apply or how they connect. The missing piece is timing. Control doesn’t start when the invoice arrives; it starts at spend intent, within your purchase approval workflow and broader procure-to-pay controls.
In a recent conversation between Payhawk’s Product Marketing Manager Kat and Nikolay Pohlupkov (Niki), General Manager of Accounts Payable, this shift is made explicit: “Control starts with a simple moment: ‘I need to purchase this.’ That’s where it actually begins.”
When you design controls around that principle, each one plays a role across the end-to-end process—not just at the invoice stage:
Segregation of duties (SoD)
In mid-market teams, perfect segregation of duties in accounts payable is not always feasible. The priority is to separate key risk points—requesting, approving, processing, and paying—even if that requires system-enforced approvals or post-review checks as compensating controls. Effective approaches make segregation of duties practical and workable, rather than purely theoretical.
Invoice approval controls and escalation rules
Approvals should be tied to the original request, budget owner, and business context—not recreated from scratch at the invoice stage. Role-based rules and clear escalation paths ensure that invoices don’t sit in inboxes or get approved without proper scrutiny.
2-way and 3-way match as an internal control
The three-way match control (PO, invoice, receipt) and its simpler 2-way counterpart are critical, but they only work when upstream data exists. Without an approved purchase request or PO, matching becomes guesswork. This is why these controls depend on strong pre-invoice steps, not just AP execution.
Duplicate invoice prevention controls
Duplicate payments often stem from weak intake and inconsistent documentation. Standardised submission channels, automated duplicate detection, and enforced reference fields help prevent the same invoice from being processed twice.
Payment approval controls and payment run controls
Payment is the final control gate—and one of the highest risk points. Dual approvals, threshold-based authorisations, and controlled payment runs ensure that only validated, approved invoices are paid, with a clear audit trail.
Change of bank details controls
Vendor fraud risk is highest when bank details change. Strong vendor onboarding controls and verification steps, often supported by modern financial AI agents, are essential to prevent unauthorised changes slipping through.
What competitors often miss is how these accounts payable controls link together. Each control depends on the one before it: without upstream approval and context, downstream checks become reactive and inconsistent.
Just as important is adoption. Even well-designed controls fail if employees bypass them. If the process is too rigid, unclear, or disconnected from how spend actually happens, people will go off-system, creating blind spots that no invoice-stage control can fix. Effective procure-to-pay controls are not just about coverage, but about designing a process people will actually follow, something often overlooked in the broader procurement agent conversation.
Common risks without controls
When accounts payable internal controls are weak or start too late, finance teams are pushed into reactive mode—trying to catch issues after the fact instead of preventing them. The result isn’t just inefficiency; it’s real financial and governance risk.
Paying fake or duplicate invoices
Without strong intake and verification steps, AP teams can process invoices that shouldn’t be paid at all. Duplicate submissions, invoice resends, or even fraudulent invoices can slip through when there’s no consistent validation against approved spend or prior payments.
Unauthorized payments
If approvals aren’t tied to a clear request, budget owner, or defined authority, payments can be made without proper oversight. This is especially risky in fast-growing companies where spend decisions are distributed across teams.
Misstated financials
When invoices arrive without context—no linked request, contract, or budget—finance teams are forced to code and classify spend after the fact. This increases the risk of errors, misallocations, and inaccurate reporting.
Vendor fraud
Weak vendor onboarding controls and poorly governed bank detail changes create openings for fraud. A single unchecked change request can redirect payments to fraudulent accounts, with limited ability to recover funds.
Cash leakage
All of these risks ultimately lead to leakage—through overpayments, missed duplicates, late fees, or unapproved spend. Without effective accounts payable controls, small gaps compound into material financial impact over time.
These risks rarely appear in isolation. They’re usually symptoms of the same root issue: controls that rely on invoice-stage checks instead of preventing problems earlier in the process.
Why accounts payable internal controls should start before the invoice
If your first control point is an invoice, finance is already reacting. By the time an invoice reaches AP, the commitment has often been made, the supplier engaged, and the budget impact locked in. At that stage, internal controls can only validate, question, or delay—not prevent.
Upstream controls change that dynamic. When accounts payable controls are applied at the point of spend intent—through request approval, budget checks, and vendor verification—finance teams reduce risk before it materialises.
- If the first control point is an invoice, finance is already reacting
- Upstream controls reduce surprise liabilities, approvals chaos, and fraud windows
- Controls must be designed so employees actually follow them
Instead of chasing context after the fact, every invoice arrives with a clear owner, purpose, and approval history. This is where fraud controls become most effective—closing gaps before they turn into duplicate payments, unauthorised spend, or vendor fraud.
As highlighted in Payhawk’s conversation with Niki, General Manager of Accounts Payable: “If the invoice reaches your finance team and they’re surprised, it’s all too late.”
But timing alone isn’t enough. Controls must also be designed for adoption. If the process is too rigid, unclear, or disconnected from how employees actually initiate spend, it will be bypassed. Effective internal controls strike a balance: strong enough to prevent risk, but intuitive enough that teams follow them without friction.
What “good” AP control looks like in a scaling company
As companies grow, accounts payable controls need to evolve from reactive checks into a structured, end-to-end system that scales with complexity. The goal isn’t to add more steps—it’s to create clarity, accountability, and consistency without slowing the business down.
Strong accounts payable best practices share a common foundation:
- Every invoice can be traced back to a request, owner, and business context
- Approval rules are role-based and enforced automatically, not manually chased
- Vendor onboarding and bank detail changes are controlled, verified, and fully auditable
- Exceptions are managed through defined workflows, not scattered across inboxes or ad hoc decisions
In this model, control is embedded into the process itself. Finance teams don’t need to reconstruct the story behind a payment, because the context is already there—from the initial request through to approval and payment.
This is what separates scalable accounts payable controls from fragile ones. Instead of relying on individual diligence or after-the-fact reviews, control becomes systematic, visible, and repeatable—giving finance leaders confidence as the organisation grows.
Accounts payable internal controls checklist
A strong internal controls checklist for accounts payable processes should reflect the full lifecycle of spend—not just what happens when an invoice arrives. The most effective approach is to group controls by when they apply, and to link them to clear ownership and outcomes.
Pre-invoice controls (preventive)
- ☐ All spend starts with a documented request in a defined purchase approval workflow
- ☐ Requests are approved by the correct budget owner before commitment
- ☐ Budget availability is checked at the request stage, not after the fact
- ☐ Vendors go through controlled onboarding and verification before first use
- ☐ Contract terms and pricing are reviewed and agreed before purchase
- ☐ Segregation of duties is enforced at request and approval stages (or compensated where needed)
Invoice-to-pay controls (detective + enforcement)
- ☐ Every invoice is linked to an approved request, PO, or contract
- ☐ 2-way or three-way match control is applied where relevant
- ☐ Invoice approvals follow role-based rules and escalation paths
- ☐ Duplicate invoice detection is in place (reference number, amount, vendor checks)
- ☐ Payment runs require appropriate approvals based on thresholds
- ☐ Vendor bank detail changes are independently verified and logged
Monitoring controls (monthly reviews)
- ☐ % of invoices without a linked request or PO
- ☐ Approval cycle time and bottlenecks
- ☐ Duplicate invoice rate or near-duplicate flags
- ☐ Vendor bank detail change frequency and audit trail
- ☐ Exception rate (invoices outside workflow)
- ☐ Off-system spend or retrospective approvals
In practice, making this level of control work consistently requires more than policies; it requires orchestration across the entire procure-to-pay lifecycle. Platforms like Payhawk help embed internal controls for your accounts payable directly into the flow of spend, connecting requests, approvals, vendor checks, invoices, and payments into a single, auditable system, often leveraging advances in AI in finance.
Accounts payable internal controls: why timing determines effectiveness
Internal controls fail when they start at the invoice. By that point, finance is no longer in control—only responding to decisions that have already been made.
Preventive control is ultimately a timing and adoption problem. Controls need to be applied at the moment of spend intent, and they need to be designed in a way that employees actually follow. Without both, even well-defined accounts payable controls will break under real-world pressure.
The good news is that mid-market teams don’t need enterprise-level complexity to get this right. With the right structure, clear ownership, and connected workflows, it’s possible to build internal controls for accounts payable that scale—without adding unnecessary friction or overhead.
With over 15 years of experience in SaaS and digital communications, Paul specialises in translating complex financial concepts into clear, engaging narratives. At Payhawk, he combines creativity and analytical insight to help finance teams thrive through data-driven storytelling.

