
AP Fraud Prevention Checklist: 25 Controls Every Finance Team Needs

AP fraud prevention checklist: 25 controls covering duplicate payment detection, vendor verification, BEC prevention, segregation of duties, and audit trails.

Ken

AI Finance Assistant

9 min read

The most effective AP fraud control at most organizations isn't a system — it's a phone number. ACFE data from 2024 shows 43% of occupational fraud is detected through tips. Internal audit catches 14%. IT controls catch 4%.

Yet most AP fraud prevention checklists don't mention fraud hotlines at all. They focus on system controls, approval workflows, and audit trails — all necessary, all valuable — while ignoring the single detection method that outperforms everything else.

This checklist is organized differently. The 25 controls below are sequenced by where fraud enters your AP process: at the invoice, at the vendor record, at payment, at system access, and at oversight. Controls that most companies already have sit alongside the three or four gaps that make everything else breakable.

Before we get into the controls: mid-market companies processing 100–1,000 invoices per month lose an estimated $280,000 per year to AP fraud and errors. Only 14% of those losses are ever recovered. The controls below aren't compliance theater — they're what determines which number applies to you.

[Chart: How AP Fraud Gets Detected. Source: ACFE Occupational Fraud 2024: Report to the Nations]

Invoice Controls (Controls 1–5)

Fraud enters most AP processes through the invoice itself. These five controls close the door at the point of entry.

1. Automated duplicate detection across invoice number, amount, vendor, and date

Duplicate payments account for 0.1–0.5% of total AP spend. For a company processing $20 million in payables, that's $20,000–$100,000 per year. The critical word is "automated" — manual cross-checking catches duplicates submitted weeks apart with minor formatting differences only about 60% of the time. AI duplicate detection catches 99%+.

Flag for review: same vendor + same amount submitted within 60 days, even with different invoice numbers.
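The two matching rules above (an exact resubmission hiding behind a reformatted invoice number, and the same-vendor-same-amount-within-60-days review flag) look like this in code. This is an added example, not code from the original page or from any AP product; the invoice records and vendor IDs are constructed sample data, and the number normalization (case, punctuation, leading zeros) is one reasonable choice rather than a standard.

```python
"""Duplicate-invoice detection for an AP intake feed.

Added example (not code from the original page). Invoice records and
the vendor IDs below are constructed sample data; the 60-day window is
the control's own 'flag for review' rule.
"""
import re
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Invoice:
    record_id: str        # internal AP record id
    vendor_id: str
    invoice_number: str   # as printed on the vendor's document
    amount_cents: int     # money in integer cents, never floats
    invoice_date: date


def normalize_number(raw: str) -> str:
    """Collapse the formatting variants manual review misses: case,
    punctuation, whitespace, and leading zeros on the numeric tail,
    so 'INV-0042', 'inv 42' and 'INV0042' all map to 'INV42'."""
    compact = re.sub(r"[^A-Za-z0-9]", "", raw).upper()
    m = re.fullmatch(r"([A-Z]*)0*(\d+)", compact)
    return f"{m.group(1)}{m.group(2)}" if m else compact


def find_duplicates(invoices, window_days: int = 60):
    """Return (kind, earlier_record_id, later_record_id) tuples.

    'exact': same vendor, same normalized invoice number, same amount,
             regardless of how far apart they were submitted.
    'near':  same vendor and same amount within window_days but a
             different invoice number (the control's review flag).
    """
    hits = []
    seen_by_vendor = {}
    for inv in sorted(invoices, key=lambda i: i.invoice_date):
        seen = seen_by_vendor.setdefault(inv.vendor_id, [])
        key = normalize_number(inv.invoice_number)
        for prior in seen:
            if prior.amount_cents != inv.amount_cents:
                continue
            if normalize_number(prior.invoice_number) == key:
                hits.append(("exact", prior.record_id, inv.record_id))
            elif (inv.invoice_date - prior.invoice_date).days <= window_days:
                hits.append(("near", prior.record_id, inv.record_id))
        seen.append(inv)
    return hits


# Constructed sample feed: one true resubmission with a reformatted number,
# one same-amount invoice inside the window, and two that must not flag.
SAMPLE_INVOICES = [
    Invoice("A", "V100", "INV-0042", 125_000, date(2024, 3, 1)),
    Invoice("B", "V100", "inv 42",   125_000, date(2024, 4, 20)),  # resubmission of A
    Invoice("C", "V100", "INV-0057", 125_000, date(2024, 4, 25)),  # same amount, 55 days after A
    Invoice("D", "V100", "INV-0099", 125_000, date(2024, 9, 1)),   # same amount, outside window
    Invoice("E", "V200", "INV-0042", 125_000, date(2024, 3, 2)),   # different vendor, same number
]

if __name__ == "__main__":
    for kind, earlier, later in find_duplicates(SAMPLE_INVOICES):
        print(f"{kind:5} {earlier} -> {later}")
```

Run against the sample feed, B is reported as an exact duplicate of A (the number differs only in formatting), C is flagged for review against both A and B, and D and E stay clean. Note that the exact rule deliberately ignores the date window: a resubmission a year later is still a duplicate.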

2. Three-way matching on all PO-backed invoices

Three-way matching verifies that the invoice, purchase order, and receiving report all agree before payment is released. It blocks the most common vendor fraud scheme: billing for goods never delivered. For companies running this manually, the practical threshold is invoices over $5,000. For automated AP, run it on everything.
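A minimal three-way match, as an added example that is not code from the original page. It compares each invoice line against the purchase order and the receiving report and reports every mismatch rather than stopping at the first; the purchase order, receipt and invoices are constructed sample data, and the 1% unit-price tolerance is an assumed policy value the page does not specify.

```python
"""Three-way match: invoice vs purchase order vs receiving report.

Added example (not code from the original page). The PO, receipt and
invoices are constructed sample data; the 1% unit-price tolerance is an
assumed policy value, not one the page specifies.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Line:
    qty: int
    unit_price_cents: int


@dataclass
class PurchaseOrder:
    po_number: str
    vendor_id: str
    lines: dict  # sku -> Line (quantity ordered, agreed unit price)


@dataclass
class ReceivingReport:
    po_number: str
    received: dict  # sku -> quantity physically received


@dataclass
class Invoice:
    vendor_id: str
    po_number: str
    lines: dict  # sku -> Line (quantity billed, unit price billed)


def three_way_match(inv, po, rcpt, price_tolerance=0.01):
    """Return the list of exceptions; an empty list means the invoice
    may proceed to approval. Quantities billed may not exceed what was
    received, which is what blocks billing for undelivered goods."""
    exceptions = []
    if inv.vendor_id != po.vendor_id:
        exceptions.append(f"vendor {inv.vendor_id} does not match PO vendor {po.vendor_id}")
    if inv.po_number != po.po_number or rcpt.po_number != po.po_number:
        exceptions.append("PO number mismatch across invoice, PO and receipt")
    for sku, billed in inv.lines.items():
        ordered = po.lines.get(sku)
        if ordered is None:
            exceptions.append(f"{sku}: billed but not on PO")  # ghost line item
            continue
        got = rcpt.received.get(sku, 0)
        if billed.qty > got:
            exceptions.append(f"{sku}: billed {billed.qty}, received {got}")
        if billed.qty > ordered.qty:
            exceptions.append(f"{sku}: billed {billed.qty}, ordered {ordered.qty}")
        allowed = ordered.unit_price_cents * price_tolerance
        if abs(billed.unit_price_cents - ordered.unit_price_cents) > allowed:
            exceptions.append(
                f"{sku}: unit price {billed.unit_price_cents} vs PO {ordered.unit_price_cents}")
    return exceptions


# Constructed sample: bolts were only partially received.
PO = PurchaseOrder("PO-7781", "V100", {"WIDGET": Line(100, 10_000), "BOLT": Line(500, 25)})
RECEIPT = ReceivingReport("PO-7781", {"WIDGET": 100, "BOLT": 450})
# Bills only what arrived, unit price within 1% of the PO: passes.
CLEAN_INVOICE = Invoice("V100", "PO-7781",
                        {"WIDGET": Line(100, 10_050), "BOLT": Line(450, 25)})
# Price creep, bills all 500 bolts, and adds a line that was never ordered.
BAD_INVOICE = Invoice("V100", "PO-7781",
                      {"WIDGET": Line(100, 10_200), "BOLT": Line(500, 25), "CABLE": Line(10, 500)})

if __name__ == "__main__":
    print("clean:", three_way_match(CLEAN_INVOICE, PO, RECEIPT))
    for e in three_way_match(BAD_INVOICE, PO, RECEIPT):
        print("exception:", e)
```

The clean invoice returns no exceptions even though it bills fewer bolts than ordered, because it bills no more than were received. The bad invoice returns three: a price outside tolerance, 50 bolts billed but not received, and a cable line that is on neither the PO nor the receipt.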

3. Invoice data validation against vendor master

Before any invoice enters the approval queue, validate that the vendor name, remit-to bank account, and payment address printed on the invoice match what is on file in your vendor master. A bank-detail change that arrives while an invoice is in process should trigger a separate verification step (Control 7), not automatic approval, and the invoice should stay on hold until that verification completes.

4. AI-assisted extraction with confidence scoring

Human data entry errors create exploitable gaps. When an AP clerk miskeys an invoice amount or vendor ID, the error may not surface until payment. AI extraction with confidence scoring flags low-confidence fields for human review, reducing the error rate from 1–3% (manual) to under 0.5%. Lower errors mean fewer opportunities for manipulation to hide in the noise.

5. Hard stops on invoices missing required fields

Invoices missing a PO number, vendor ID, or GL code should be returned, not processed. Many fraud schemes exploit "exceptions" that get waved through because an approver wants to clear the queue. Build hard stops in your AP system so incomplete invoices can't be submitted for payment, only returned to the submitter.

Vendor Controls (Controls 6–10)

Your vendor master is the most fraud-prone database in your AP system. A single unauthorized change to a bank account or address can redirect thousands of payments before anyone notices.

6. Formal new vendor onboarding with EIN/TIN verification

Every new vendor requires verified EIN/TIN (confirmed via IRS TIN matching), active business registration, and bank account documentation before entering the vendor master. No payments to vendors with unverified status. This step takes 10–15 minutes and blocks the most common ghost vendor scheme: creating a fictitious vendor and routing invoices through it.

7. Bank account change protocol requiring dual authorization and callback

Bank detail changes are the entry point for business email compromise in AP. The protocol: any request to change a vendor's bank account places an automatic hold on that vendor's pending payments, requires approval from two people (neither of them the requestor), and requires a callback to the vendor at the phone number already on file, never the number in the change-request email or on any letterhead that came with it. The BEC post has the full callback script.

8. OFAC and debarment screening on all new vendors and quarterly re-screening of active vendors

OFAC SDN list screening is free at sanctions.ofac.treas.gov. SAM.gov covers federal debarment. Both need to run at onboarding and quarterly for active vendors: a vendor who was clean six months ago can appear on either list after that. OFAC enforcement is strict liability, so civil penalties apply per transaction regardless of intent, and willful violations carry criminal penalties of up to $1 million per violation and personal liability for the individuals involved.

9. Annual vendor master audit — remove dormant, duplicate, and unverified records

Dormant vendor records are a breeding ground for ghost vendor schemes. Any vendor with no payments in 18 months should be flagged for review. Duplicate vendor records (same EIN with different names) should be merged or removed. This annual audit also catches vendor addresses that have shifted to residential locations, a common indicator of employee-run shell companies.

10. Vendor self-service portal with verified update workflow

When vendors update their own information through a portal with multi-factor authentication, the risk of social engineering drops significantly. Legitimate vendors can update their own records without going through an AP clerk. Suspicious changes (like a vendor updating banking information the same week a large invoice arrives) trigger a human review flag automatically. See vendor risk assessment for the full onboarding framework.

Payment Controls (Controls 11–15)

Payment is the point of no return. Controls here prevent unauthorized outflows and create a recovery window when something goes wrong.

11. Dual authorization for payments above dollar thresholds

Wire transfers and ACH payments over $10,000 (or your defined threshold) require two authorized approvers. Neither approver should be the person who entered the invoice or set up the vendor. The threshold should reflect your actual risk exposure — a company processing $5M+ in monthly payables should consider dual authorization on anything over $5,000.

12. Positive pay for check payments

Positive pay matches every check presented for payment against the file of checks you issued (check number and amount, plus payee name where your bank offers payee positive pay, which is what catches an altered payee). Anything not on the file is held as an exception for you to accept or return rather than paid. For companies still issuing paper checks, this is non-negotiable: check fraud losses in 2024 topped $680 million according to the American Bankers Association, with altered checks and forged signatures representing the majority.

13. Wire transfer callbacks to verified numbers for transactions over threshold

Wire transfers require a callback to a pre-registered phone number for any amount over your defined threshold (typically $25,000–$50,000 depending on volume). The callback number must come from your internal vendor master — not from the payment request. This is the single most effective BEC prevention control, and it stops 91% of business email compromise attempts when applied consistently.

14. Segregated payment approval — no one approves their own payment requests

The person who creates a payment request cannot be the person who approves it. This sounds obvious, but it breaks down when AP managers are out of office, when small teams handle high volumes, and when "just this once" exceptions accumulate into policy. Build this into your AP system as a hard rule, not a procedural guideline.

15. Payment batch review before release

Before any payment batch is sent, a supervisor reviews the batch summary: total amount, number of payments, any payments to vendors added in the past 30 days, and any payments flagged by the system. This review takes 5–10 minutes and catches the category of error that slips past individual transaction controls — the payment that looks fine in isolation but is wrong in context.

Access Controls (Controls 16–20)

Unauthorized access is the enabler of most internal fraud. These controls define who can touch what and create the audit trail that makes unauthorized activity visible.

16. Segregation of duties across invoice entry, approval, and payment release

The person who enters invoices should not approve them. The person who approves payments should not release them. The person who adds vendors should not approve invoices from those vendors. In small teams, these duties overlap — which is why compensating controls (management review, automated exception reporting) become more important, not less.

17. Quarterly access reviews — revoke unnecessary permissions

User permissions accumulate over time. An employee who temporarily handled AP during a colleague's leave still has AP access two years later. Quarterly access reviews compare current permissions to current job functions and revoke anything that doesn't match. Former employees and contractors must have access revoked on the day they leave — not at the next review cycle.

18. System admin restrictions — no AP admin access for payment approvers

System administrators should not be able to approve payments, and payment approvers should not have admin rights to modify approval workflows. When the same person can both set the rules and approve under them, internal controls are meaningless. Separate these roles entirely.

19. Full audit log for all master data changes

Every change to the vendor master, chart of accounts, and payment approval rules must be logged with timestamp, user ID, and before/after values. This log should be immutable — not editable by the person whose changes it records. The AP audit trail guide covers what regulators look for and how to structure the log.
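One way to make the log tamper-evident rather than merely "not editable by policy" is a hash chain: each entry's hash covers the previous entry's hash plus its own content, so editing a stored before/after value breaks every hash after it. The example below is added here and is not code from the original page or from any AP product; the user IDs, vendor ID, rule name and timestamps are constructed sample data.

```python
"""Tamper-evident audit log for AP master-data changes.

Added example (not code from the original page). Implements the
'immutable' requirement as a SHA-256 hash chain: each entry's hash
covers the previous hash plus its own content, so editing or reordering
a stored entry breaks every hash after it. The users, vendor ID and
timestamps are constructed sample data.
"""
import hashlib
import json

GENESIS = "0" * 64


def entry_hash(prev_hash: str, entry: dict) -> str:
    # Canonical JSON so identical content always hashes identically.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AuditLog:
    def __init__(self):
        self.entries = []  # each: {"entry": {...}, "hash": "..."}

    def record(self, ts, user_id, table, record_id, field, before, after):
        """Append one change: who, when, what, and before/after values."""
        entry = {"ts": ts, "user": user_id, "table": table, "record": record_id,
                 "field": field, "before": before, "after": after}
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"entry": entry, "hash": entry_hash(prev, entry)})
        return self.entries[-1]["hash"]

    def head(self) -> str:
        """Current chain head. Anchor this somewhere the AP admin cannot
        write (ticketing system, SIEM, WORM bucket): verify() alone cannot
        detect truncation of the tail or a full rewrite of the chain."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self) -> int:
        """Return the index of the first entry that fails to chain,
        or -1 if every stored hash is consistent."""
        prev = GENESIS
        for i, rec in enumerate(self.entries):
            if rec["hash"] != entry_hash(prev, rec["entry"]):
                return i
            prev = rec["hash"]
        return -1


def build_sample_log() -> AuditLog:
    """Constructed sample: a bank change, its approval, and a rule edit."""
    log = AuditLog()
    log.record("2024-05-01T09:15:00Z", "jdoe", "vendor_master", "V100",
               "bank_account", "****1234", "****9876")
    log.record("2024-05-01T09:40:00Z", "asmith", "vendor_master", "V100",
               "bank_change_approved", False, True)
    log.record("2024-05-02T17:55:00Z", "jdoe", "approval_rules", "WIRE_DUAL_AUTH",
               "threshold_cents", 1_000_000, 5_000_000)
    return log


def tamper_demo():
    """Two tampering attempts and what verify() reports for each."""
    log = build_sample_log()
    intact = log.verify()                                   # -1: chain is clean
    # 1. Edit the stored 'after' value to hide the bank change.
    log.entries[0]["entry"]["after"] = "****1234"
    naive = log.verify()                                    # 0: entry 0 no longer hashes
    # 2. Also recompute entry 0's hash. Entry 0 now passes, but entry 1
    #    was chained to the old hash, so the break moves to index 1.
    log.entries[0]["hash"] = entry_hash(GENESIS, log.entries[0]["entry"])
    recomputed = log.verify()                               # 1
    return intact, naive, recomputed


if __name__ == "__main__":
    print(tamper_demo())
```

The design point is in `head()`: a hash chain only proves integrity relative to a head value the adversary cannot overwrite. Exporting the head to a system the AP administrator has no write access to is what turns "immutable" from a policy statement into something an auditor can check.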

20. Maker-checker workflow for all payment transactions

The maker-checker principle requires that the person who creates a transaction is different from the person who authorizes it. It overlaps with Control 14 but applies at the system level, not just the process level: your AP platform should enforce it mechanically, refusing to let the same user ID appear as both maker and checker, rather than relying on staff to remember to forward approvals to someone else.

Oversight Controls (Controls 21–25)

Oversight controls are the detection layer. They catch what the preventive controls miss — and the data shows that what they miss is significant.

21. Anonymous fraud hotline (internal and external)

This is the control that outperforms everything else in the list. ACFE data shows 43% of fraud is detected via tips. Your hotline needs to be: anonymous (no caller ID, no IP logging), available to vendors and employees, actively promoted (not just a line in the employee handbook), and responded to by someone outside the AP chain of command. Services like NAVEX EthicsPoint cost $3,000–$8,000 per year. The median occupational fraud case costs $145,000. The math is obvious.

22. Surprise AP audits — quarterly, unannounced

Scheduled audits miss deliberate concealment: a fraudster who knows the audit window cleans up before it and resumes afterward. Surprise audits, conducted quarterly, remove that timing advantage. The audit scope doesn't need to be comprehensive. A random sample of 50 invoices per quarter, reviewed for proper documentation, approval, and vendor verification, is enough to make the risk of discovery feel real to anyone considering fraud.

23. Automated exception reporting for management review

Set up automated reports that flag: invoices approved outside normal business hours, payments to vendors added within the past 30 days, invoices with round-dollar amounts over $5,000, payments that bypass the normal approval chain, and vendors with no physical address or only a PO box. Management should review these weekly — not quarterly. Exceptions that feel routine are often where the pattern is hiding.
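The flags in this control, together with the segregation-of-duties hard rule from Controls 14, 16 and 20 and the 30-day hold after a bank-detail change described in the BEC answer in the FAQ, can be run as one report over each payment batch. The example below is added here and is not code from the original page or from any AP product; the vendors, payments and user IDs are constructed sample data, and the business-hours window (07:00 to 19:00, Monday to Friday) and the reading of "round-dollar" as a whole-dollar amount are assumed policy values.

```python
"""Automated AP exception report over a payment batch.

Added example (not code from the original page). Implements the flags
listed in Control 23 plus the segregation-of-duties hard rule from
Controls 14/16/20 and the 30-day hold after a bank-detail change from
the BEC answer in the FAQ. Vendors, payments, user IDs and the
business-hours window (07:00-19:00, Mon-Fri) are constructed sample
data and assumed policy values.
"""
import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional


@dataclass(frozen=True)
class Vendor:
    vendor_id: str
    created_on: date
    bank_changed_on: Optional[date]   # last change to remit-to bank details
    address: str


@dataclass(frozen=True)
class Payment:
    payment_id: str
    vendor_id: str
    amount_cents: int
    entered_by: str
    approved_by: Optional[str]        # None: released with no approval record
    released_by: str
    approved_at: Optional[datetime]


NEW_VENDOR_DAYS = 30
BANK_CHANGE_HOLD_DAYS = 30
ROUND_DOLLAR_FLOOR_CENTS = 500_000    # "over $5,000"
BUSINESS_HOURS = range(7, 19)
PO_BOX = re.compile(r"^\s*P\.?\s*O\.?\s*BOX\b", re.IGNORECASE)


def flags_for(p: Payment, v: Vendor, as_of: date) -> list:
    flags = []
    if (as_of - v.created_on).days <= NEW_VENDOR_DAYS:
        flags.append("new_vendor")
    if v.bank_changed_on and (as_of - v.bank_changed_on).days <= BANK_CHANGE_HOLD_DAYS:
        flags.append("bank_change_hold")
    if p.approved_by is None:
        flags.append("approval_bypass")
    elif (p.approved_at is None or p.approved_at.hour not in BUSINESS_HOURS
          or p.approved_at.weekday() >= 5):
        flags.append("after_hours")
    # Whole-dollar amounts over the floor; many teams tighten this to
    # whole-thousand multiples (amount % 100_000 == 0) to cut noise.
    if p.amount_cents > ROUND_DOLLAR_FLOOR_CENTS and p.amount_cents % 100 == 0:
        flags.append("round_dollar")
    if not v.address.strip() or PO_BOX.match(v.address):
        flags.append("po_box_only")
    # Segregation of duties: entry, approval and release must be three
    # different people. A missing approver is already flagged above.
    people = [u for u in (p.entered_by, p.approved_by, p.released_by) if u is not None]
    if len(set(people)) < len(people):
        flags.append("sod_violation")
    return flags


def run_exception_report(payments, vendors, as_of: date) -> dict:
    """Map payment_id -> flags for every payment that raised at least one."""
    by_id = {v.vendor_id: v for v in vendors}
    report = {}
    for p in payments:
        flags = flags_for(p, by_id[p.vendor_id], as_of)
        if flags:
            report[p.payment_id] = flags
    return report


# Constructed sample batch reviewed as of Tuesday 2024-05-07.
SAMPLE_VENDORS = [
    Vendor("V100", date(2023, 1, 10), None, "120 Industrial Way, Dayton, OH 45402"),
    Vendor("V300", date(2024, 4, 20), date(2024, 4, 25), "PO Box 8812, Reno, NV 89501"),
]
SAMPLE_PAYMENTS = [
    Payment("P1", "V100", 1_234_567, "jdoe", "asmith", "rlee", datetime(2024, 5, 7, 10, 30)),
    Payment("P2", "V300", 750_000, "tnguyen", "tnguyen", "tnguyen", datetime(2024, 5, 4, 22, 15)),
    Payment("P3", "V100", 98_050, "jdoe", None, "rlee", None),
]

if __name__ == "__main__":
    report = run_exception_report(SAMPLE_PAYMENTS, SAMPLE_VENDORS, date(2024, 5, 7))
    for pid, flags in report.items():
        print(pid, ", ".join(flags))
```

P1 raises nothing. P2 raises six flags at once, which is the pattern the control is after: a vendor added 17 days ago whose bank details changed 12 days ago, a whole-dollar payment approved on a Saturday night by the same person who entered and released it, to a PO box. P3 is a payment released with no approval record at all, which the report surfaces even though every other attribute looks routine.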

24. Vendor statement reconciliation quarterly

Your accounts payable records and your vendors' accounts receivable records should match. Discrepancies in either direction are a signal: a vendor showing an invoice still open that your records show as paid can mean the payment was diverted to the wrong account, and a vendor showing a credit balance can mean you paid the same invoice twice. Quarterly reconciliation with your top 20 vendors by spend catches this category of fraud before it compounds.

25. Annual external AP process audit

An external auditor reviewing your AP controls once per year brings independence that internal review can't provide. They see patterns that internal staff normalize over time, compare your controls against current fraud schemes, and document gaps before regulators or a fraud event do it for you. For mid-market companies, this runs $5,000–$15,000 per year — less than the median fraud loss in the first month of an undetected scheme.

The Gap Most Teams Leave Open

Run through the 25 controls above and you'll likely find 20 you already have, 3 you know you should implement, and 2 you've never heard anyone mention.

The two most commonly missing: the fraud hotline (Control 21) and the surprise audit (Control 22). Both are detection controls. Companies that focus exclusively on prevention — system blocks, dual approvals, vendor verification — build a strong wall with no alarm system. When something gets through the wall, it runs for 12 months before anyone notices.

The median time to detect occupational fraud is 12 months (ACFE 2024). A company losing $280,000 per year to AP fraud loses roughly $23,000 per month, so a 12-month detection window costs the full $280,000. Cutting detection time to 3 months through active oversight controls caps the loss at about $70,000 and saves about $210,000 on a single incident.

Controls 21 and 22, the hotline and the surprise audit, are where that reduction in detection time comes from.

FAQ

What is the most common type of accounts payable fraud?

Billing fraud — submitting fictitious or inflated invoices — is the most common form of AP fraud, accounting for 22% of all occupational fraud cases per ACFE's 2024 data. Within billing fraud, the most frequent schemes are invoices from shell companies controlled by employees, duplicate invoice submissions, and invoices for services never rendered. In mid-market companies, billing fraud typically runs 6–18 months before detection, with median losses of $145,000 per scheme.

How do you prevent business email compromise in accounts payable?

The most effective BEC prevention in AP combines three controls: first, a bank account change protocol that requires dual authorization and a callback to a verified phone number before any routing information is updated; second, vendor communication training so AP staff recognize the social engineering patterns attackers use (urgency, authority claims, routine-seeming requests); third, automated holds on payments to vendors whose bank details changed within the last 30 days. Technical controls like email authentication (DMARC, DKIM) reduce spoofed email delivery but don't stop attackers who have compromised a legitimate vendor email account.

How often should accounts payable controls be tested?

Preventive controls (dual approval, duplicate detection, three-way matching) should be tested at least annually through a formal controls review — verify that the control is active, applied consistently, and hasn't been bypassed through exception accumulation. Detective controls (fraud hotline, exception reporting, vendor reconciliation) should be reviewed quarterly to confirm they're operating and that exceptions are being investigated, not just acknowledged. Surprise audits work precisely because they're unscheduled — quarterly random samples, not quarterly calendar items. Access reviews should run quarterly. Vendor master audits run annually at minimum, semi-annually for companies with high vendor turnover.

What does a fraud hotline cost and how do you implement one?

Third-party ethics hotline services (NAVEX EthicsPoint, Convercent, EthicsGlobal) run $3,000–$8,000 per year for mid-market companies. Implementation takes 2–4 weeks: set up the platform, configure anonymous reporting channels (web form, phone, email), establish who receives and investigates reports (typically internal audit, legal, or HR — not AP management), and communicate the hotline to employees, vendors, and contractors. Post the hotline number in vendor communications, onboarding packets, and AP team workspaces. A hotline that nobody knows about catches nothing. Promotion is as important as the technology.
