Free AP Audit Checklist

Score your accounts payable function against 50 controls auditors and fraudsters both look for. Tick what is in place, get a readiness band, and download the report.

No signup. Stays in your browser. About 8 minutes to complete.

Readiness band at 0 of 50 controls in place (Critical Gaps): Material risk. Start with the eight Vendor Master items and the seven Payment Execution items — these are the controls auditors and fraudsters both hit first.

Vendor Onboarding & Master Data
How vendors get into your system and stay clean over time.
  • Every new vendor has tax documentation on file before any disbursement.

  • Callback to a number you already had on file, not a number provided in the email request.

  • Fuzzy match on name, tax ID, and bank account against existing vendors.

  • Quarterly or better. Look for stale records, missing fields, suspicious changes.

  • Twelve or eighteen months without activity should auto-flag for review and lock.

  • The number-one fraud vector in AP. Two sets of eyes, every time.

  • Sanctions lists change. A vendor cleared on day one can become problematic later.

  • Tagging tax status in January for the prior year is the source of most 1099 scrambles.

Invoice Receipt & Capture
How invoices arrive and how cleanly they get into your system.
  • No scattered personal inboxes. One address, one Slack channel, one portal.

  • Auditors and disputes both want the source document. Keep it.

  • Target above 95 percent on key fields. If you do not measure it, you do not know.

  • Match on vendor plus amount plus date plus invoice number, with fuzzy tolerance.

  • Blocks silent overwrites where a corrected invoice gets reused with the same number.

  • When it arrived, how it arrived, who handled it. Non-negotiable for audit trails.

  • Missing PO when required, no tax ID, expired vendor — bounced back automatically with a reason.
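As an added example (not code from this page or from Ken), the duplicate screen the items above describe: a hard block on a reused invoice number from the same vendor, and a fuzzy match on vendor plus amount plus date for invoices that were re-keyed with a slightly different number. The normalisation rules, the tolerances and the sample invoices are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Invoice:
    ref: str            # internal capture id, used only in the report
    vendor: str
    invoice_no: str
    amount: float
    invoice_date: date


def norm_vendor(name: str) -> str:
    """Lower-case, drop punctuation and legal suffixes so 'ACME Corp.' and 'acme corp' agree."""
    s = re.sub(r"[^a-z0-9 ]", " ", name.lower())
    s = re.sub(r"\b(inc|llc|ltd|corp|co|gmbh)\b", " ", s)
    return " ".join(s.split())


def norm_invoice_no(no: str) -> str:
    """Drop separators and leading zeros so 'INV-00123' and 'inv123' agree."""
    s = re.sub(r"[^a-z0-9]", "", no.lower())
    return re.sub(r"^([a-z]*)0+(?=\d)", r"\1", s)


def score_pair(new: Invoice, old: Invoice, amount_tol: float, date_tol_days: int):
    """Return (is_duplicate, reasons) for one candidate pair.

    Same vendor and same normalised invoice number is always a hit: that is the
    hard block that stops a corrected invoice being reused under its old number.
    Otherwise the fuzzy rule needs amount AND date within tolerance, which catches
    re-keyed invoices whose number was typed differently."""
    if norm_vendor(new.vendor) != norm_vendor(old.vendor):
        return False, ()
    reasons = []
    if norm_invoice_no(new.invoice_no) == norm_invoice_no(old.invoice_no):
        reasons.append("same invoice number")
    if abs(new.amount - old.amount) <= amount_tol:
        reasons.append("amount within tolerance")
    if abs((new.invoice_date - old.invoice_date).days) <= date_tol_days:
        reasons.append("date within window")
    is_dup = "same invoice number" in reasons or (
        "amount within tolerance" in reasons and "date within window" in reasons)
    return is_dup, tuple(reasons)


def find_duplicates(incoming, existing, amount_tol=0.01, date_tol_days=3):
    """Screen each incoming invoice against every captured one.

    Returns (incoming_ref, existing_ref, reasons) per hit. The tolerances are
    assumed values; in a real deployment they are explicit policy numbers."""
    hits = []
    for new in incoming:
        for old in existing:
            dup, reasons = score_pair(new, old, amount_tol, date_tol_days)
            if dup:
                hits.append((new.ref, old.ref, reasons))
    return hits


# Constructed sample data (not real vendors or invoices)
EXISTING = [
    Invoice("E1", "ACME Corp.", "INV-00123", 1250.00, date(2025, 3, 4)),
    Invoice("E2", "Northwind Ltd", "NW-9001", 480.50, date(2025, 3, 10)),
]
INCOMING = [
    Invoice("N1", "acme corp", "inv123", 1250.00, date(2025, 3, 4)),      # re-keyed duplicate
    Invoice("N2", "ACME Corp.", "INV-00124", 1250.00, date(2025, 3, 5)),  # new number, same amount and date
    Invoice("N3", "Northwind Ltd", "NW-9001", 520.00, date(2025, 4, 2)),  # corrected invoice reusing a number
    Invoice("N4", "Contoso Inc", "C-77", 99.00, date(2025, 3, 4)),        # clean
]

if __name__ == "__main__":
    for new_ref, old_ref, reasons in find_duplicates(INCOMING, EXISTING):
        print(f"{new_ref} matches {old_ref}: {', '.join(reasons)}")
```

Run as-is it flags N1, N2 and N3 and lets N4 through. The reasons tuple is what goes into the capture log, so the reviewer who clears a hit can see whether it was the hard number block or the fuzzy rule that fired.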

Three-Way Matching & PO Compliance
PO-backed spend, exception handling, and tolerance discipline.
  • Invoice, PO, goods receipt — all three reconcile before the invoice clears.

  • Exception-handling SLA prevents the queue from becoming a graveyard.

  • Price, quantity, and freight tolerances should be explicit numbers, not folklore.

  • Maverick spend is the leak everyone tolerates. Measure it monthly.

  • No GR, no payment for tangible goods. Closes a major fraud surface.

  • Aged exceptions are the audit finding that always lands. Review them out loud.

  • Target above 80 percent for PO-eligible spend. Below that, your PO process is broken.
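An added example, not the page's or Ken's code, of the matching discipline this section describes: price, quantity and freight tolerances as explicit numbers, a hard "no GR, no payment" rule for tangible goods, and an SLA sweep over the exception queue so aged items surface for review. The tolerance values, the document shapes and the sample PO, goods receipt and invoices are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Line:
    sku: str
    qty: float
    unit_price: float = 0.0     # goods receipts carry quantity only


@dataclass
class Doc:
    number: str
    lines: List[Line]
    freight: float = 0.0


# Explicit tolerances, not folklore. These values are assumptions for the example.
TOLERANCES = {"price_pct": 0.02, "qty_pct": 0.05, "freight_abs": 50.0}


def three_way_match(invoice: Doc, po: Doc, gr: Optional[Doc], tangible: bool = True, tol=TOLERANCES):
    """Reconcile an invoice against its PO and goods receipt.

    Returns ("clear", []) or ("exception", [reasons]). For tangible goods a
    goods receipt is mandatory: no GR, no payment. Services (tangible=False)
    are matched to the PO only."""
    if tangible and gr is None:
        return "exception", ["no goods receipt for tangible goods"]
    reasons = []
    po_lines = {l.sku: l for l in po.lines}
    received = {l.sku: l.qty for l in gr.lines} if gr else {}
    for inv in invoice.lines:
        pol = po_lines.get(inv.sku)
        if pol is None:
            reasons.append(f"{inv.sku}: not on PO {po.number}")
            continue
        if abs(inv.unit_price - pol.unit_price) > tol["price_pct"] * pol.unit_price:
            reasons.append(f"{inv.sku}: price {inv.unit_price} vs PO {pol.unit_price}")
        if inv.qty > pol.qty * (1 + tol["qty_pct"]):
            reasons.append(f"{inv.sku}: qty {inv.qty} exceeds PO qty {pol.qty}")
        if tangible and inv.qty > received.get(inv.sku, 0.0) * (1 + tol["qty_pct"]):
            reasons.append(f"{inv.sku}: qty {inv.qty} exceeds received {received.get(inv.sku, 0.0)}")
    if abs(invoice.freight - po.freight) > tol["freight_abs"]:
        reasons.append(f"freight {invoice.freight} vs PO {po.freight}")
    return ("exception" if reasons else "clear"), reasons


def aged_exceptions(open_exceptions, today: date, sla_days: int = 10):
    """Exceptions open longer than the SLA, as (invoice_number, days_open) for the review."""
    return [(num, (today - opened).days)
            for num, opened in open_exceptions if (today - opened).days > sla_days]


# Constructed sample documents
PO = Doc("PO-4410", [Line("WIDGET", 100, 10.00)], freight=100.0)
GR = Doc("GR-0071", [Line("WIDGET", 98)])
INV_OK = Doc("INV-1", [Line("WIDGET", 98, 10.15)], freight=130.0)    # 1.5% price, freight +30: within tolerance
INV_BAD = Doc("INV-2", [Line("WIDGET", 110, 10.50)], freight=200.0)  # 5% price, 10% qty, freight +100
SVC_PO = Doc("PO-5102", [Line("CONSULT", 10, 150.00)])
SVC_INV = Doc("INV-3", [Line("CONSULT", 10, 150.00)])
QUEUE = [("INV-2", date(2025, 3, 1)), ("INV-9", date(2025, 3, 20))]  # (invoice, date the exception opened)
TODAY = date(2025, 3, 25)

if __name__ == "__main__":
    print(three_way_match(INV_OK, PO, GR))
    print(three_way_match(INV_BAD, PO, GR))
    print(three_way_match(INV_OK, PO, None))
    print(three_way_match(SVC_INV, SVC_PO, None, tangible=False))
    print(aged_exceptions(QUEUE, TODAY))
```

Every reason string names the tolerance that was breached, which is the evidence an auditor asks for when sampling an exception; the SLA sweep is what keeps the queue from becoming the graveyard the items above warn about.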

Approval Controls & Segregation of Duties
Who approves what, with what authority, and what evidence.
  • Every dollar threshold has a named role. Updated when org changes.

  • No single person can create a vendor, approve an invoice, and release payment.

  • If the system lets a manager approve above their stated limit, the matrix is theater.

  • Recurring subscriptions and utilities under a hard ceiling — nothing else.

  • Holidays should not stall the close. Named delegates with documented handoff.

  • Auditors will ask. "Manager clicked approve" is not enough — what did they see?

  • Headcount doubled? New entity? Acquisition? Re-baseline the matrix.

  • Either explicit attestation language or workflow evidence that approval was substantive.

Payment Execution & Bank Controls
How money actually leaves the building, and the controls around it.
  • Typical: $5K or $10K. Below that, single-approver if controls upstream are strong.

  • Not just released as-batched. Someone scans the file before it ships to the bank.

  • First wire to any new beneficiary gets a callback to a known number, every time.

  • Bank rejects unauthorized checks and ACH debits by default.

  • The person who builds the batch is not the person who clicks send.

  • Cancellations are a fraud signal. Track them, justify them, approve them.

  • Manual one-offs bypass controls. Measure the trend; investigate spikes.

Compliance & Tax
Regulatory readiness, tax discipline, and document retention.
  • Run a dry pass in October. Fix data quality before January arrives.

  • Auditors will pick a sample. Each sample should have a documented rationale.

  • Public or pre-IPO companies. The control narrative must match what the system does.

  • Belgium is live. France goes live September 2026. Germany 2027. Audit your supplier base now.

  • Typical: 7 years for tax records. Enforced by system, not by goodwill.

  • FBAR, FATCA, sanctions, beneficial-ownership reporting — one named owner, not "the team".

Audit Trail & Reporting
What you can show an auditor, and what you measure to manage.
  • Received, coded, matched, approved, paid — with timestamps and actors at every step.

  • Weekly cadence. Aging buckets greater than 30, 60, 90. Action items per bucket.

  • Days payable outstanding tracked, trended, benchmarked against industry.

  • Concentration risk. Sole-source dependencies. Pricing creep. Quarterly review.

  • Manual JEs to the AP subledger are the highest-risk transaction in finance. Dual control, no exceptions.

  • What gets accrued, what gets deferred, how the cutoff line is enforced. Tested at quarter-end.

  • Open findings rot if not assigned. Every finding has an owner, a date, a status.


How to Use This Checklist

  1. Be honest, not aspirational. Tick the box only if the control exists, is enforced, and someone could prove it in a five-minute walkthrough. “We are working on it” is not in place.

  2. Read the description, not just the title. Some items look obvious until the description spells out the specific threshold or evidence the auditor expects. The description is the part that matters.

  3. Download the report. The markdown file captures every checked and unchecked item with detail. Paste it into a remediation tracker. The unticked items become your prioritised work plan.

  4. Re-run quarterly. AP controls degrade. People change roles, systems change, exceptions become norms. A quarterly re-score is the lightest possible way to catch drift before auditors do.

Why These 50 Controls

The list is not academic. Every control here maps to either a documented audit finding pattern from the Big Four AP walkthroughs, a known fraud scheme that AP teams have lost real money to, or a regulatory requirement (SOX, 1099, EU e-invoicing) that costs more in penalty than in implementation.

The seven categories follow the operating model auditors use during AP testing: trace a payment from vendor onboarding through invoice capture, matching, approval, release, and reporting — and verify that controls and evidence exist at every handoff.

We left out controls that sound impressive but rarely move audit outcomes. No “establish an AP center of excellence.” No “cultivate a culture of compliance.” If a control could not be tested with sample evidence in a one-hour walkthrough, it did not make the list.

What Auditors Actually Look For

Segregation of Duties

The single most common AP audit finding. If the same person can create a vendor, approve an invoice, and release a payment, you have a material weakness on paper before any fraud happens.

Vendor Banking Changes

The single most common AP fraud vector. Auditors will trace recent banking changes and ask for the dual-approval evidence and the out-of-band verification log. If neither exists, expect a finding.
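An added example, not the page's or Ken's code, of the evidence trail this finding asks for, which also covers the Vendor Master items earlier on the page: dual approval on a bank-detail change, a callback placed to the number already on file rather than the number supplied in the request, and an automatic lock on dormant vendors. The vendor records, user names, phone numbers and the 18-month dormancy window are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


class ControlError(Exception):
    """Raised when a change is attempted without the required evidence."""


@dataclass
class Vendor:
    vendor_id: str
    phone_on_file: str          # captured at onboarding; the only number ever dialled
    bank_account: str
    last_activity: datetime
    locked: bool = False


@dataclass
class BankChangeRequest:
    vendor_id: str
    new_account: str
    requested_by: str
    phone_in_request: str       # whatever the request says; deliberately never used for verification
    second_approver: Optional[str] = None
    callback_number: Optional[str] = None
    callback_confirmed: bool = False
    evidence: List[str] = field(default_factory=list)


def approve(req: BankChangeRequest, approver: str) -> None:
    """Second set of eyes, and it cannot be the requester."""
    if approver == req.requested_by:
        raise ControlError("second approver must differ from requester")
    req.second_approver = approver
    req.evidence.append(f"approved by {approver}")


def verify_callback(req: BankChangeRequest, vendor: Vendor, caller: str, confirmed: bool) -> None:
    """Log the out-of-band callback. The number comes from the master record, not the request."""
    req.callback_number = vendor.phone_on_file
    req.callback_confirmed = confirmed
    outcome = "confirmed" if confirmed else "failed"
    req.evidence.append(f"callback to {vendor.phone_on_file} by {caller}: {outcome}")


def apply_change(req: BankChangeRequest, vendor: Vendor) -> List[str]:
    """Apply the new account only when both controls have evidence; return that evidence."""
    if vendor.locked:
        raise ControlError(f"vendor {vendor.vendor_id} is locked; reactivate via review first")
    if req.second_approver is None:
        raise ControlError("missing second approval")
    if not req.callback_confirmed or req.callback_number != vendor.phone_on_file:
        raise ControlError("missing or failed out-of-band verification")
    vendor.bank_account = req.new_account
    req.evidence.append(f"bank account changed to {req.new_account}")
    return req.evidence


def flag_dormant(vendors: List[Vendor], today: datetime, months: int = 18) -> List[str]:
    """Lock vendors with no activity inside the window; returns the ids locked on this run."""
    cutoff = today - timedelta(days=30 * months)
    locked = []
    for v in vendors:
        if not v.locked and v.last_activity < cutoff:
            v.locked = True
            locked.append(v.vendor_id)
    return locked


# Constructed master data (not real vendors or phone numbers)
VENDORS = [
    Vendor("V-100", "+1-555-0100", "ACCT-OLD", datetime(2025, 1, 15)),
    Vendor("V-200", "+1-555-0200", "ACCT-200", datetime(2023, 2, 1)),   # dormant
]
AS_OF = datetime(2025, 3, 1)


def demo() -> List[str]:
    """Walk one constructed request through the workflow and return its evidence log."""
    vendor = Vendor("V-100", "+1-555-0100", "ACCT-OLD", datetime(2025, 1, 15))
    req = BankChangeRequest("V-100", "ACCT-NEW", "alice", "+1-555-0199")
    approve(req, "bob")
    verify_callback(req, vendor, "carol", confirmed=True)
    apply_change(req, vendor)
    return req.evidence


if __name__ == "__main__":
    for line in demo():
        print(line)
    print("locked:", flag_dormant(VENDORS, AS_OF))
```

The evidence list on each request is the dual-approval record and the verification log an auditor traces; note that the number in the request never reaches the log, because the callback function reads only the master record.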

Approval Authority Match

Auditors compare the documented Delegation of Authority matrix against actual system-enforced approval limits. Documented limits that the system does not enforce are theater, and auditors flag them.

Audit Trail Completeness

For sampled invoices, every step of the lifecycle should be reconstructable from system logs without manual collation. If you have to email three people to assemble the trail, you do not have an audit trail.
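An added example, not the page's or Ken's code, that reconstructs each invoice's lifecycle from one event log and runs the three tests described above: segregation of duties across vendor creation, approval and release; approval checked against a system-enforced DoA limit; and a complete received, coded, matched, approved, paid trail in order. The log, the actors, the role mapping and the limits are constructed assumptions.

```python
from collections import defaultdict

LIFECYCLE = ["received", "coded", "matched", "approved", "paid"]

# Assumed Delegation of Authority matrix: role -> single-approval limit
DOA = {"ap_clerk": 0, "manager": 10_000, "controller": 100_000}
ROLES = {"alice": "ap_clerk", "bob": "manager", "carol": "controller", "dave": "manager"}


def ev(ts, actor, action, invoice=None, vendor=None, amount=None):
    """One log record; amount and vendor are carried on the 'received' event."""
    return {"ts": ts, "actor": actor, "action": action,
            "invoice": invoice, "vendor": vendor, "amount": amount}


# Constructed event log (not from a real system)
LOG = [
    ev("2025-03-01T09:00", "alice", "vendor_created", vendor="V-100"),
    ev("2025-03-02T10:00", "alice", "received", "INV-1", vendor="V-100", amount=8500),
    ev("2025-03-02T10:05", "alice", "coded", "INV-1"),
    ev("2025-03-02T10:10", "alice", "matched", "INV-1"),
    ev("2025-03-02T11:00", "bob", "approved", "INV-1"),
    ev("2025-03-03T09:00", "carol", "paid", "INV-1"),
    ev("2025-03-04T09:00", "dave", "vendor_created", vendor="V-200"),
    ev("2025-03-04T09:30", "alice", "received", "INV-2", vendor="V-200", amount=25000),
    ev("2025-03-04T09:35", "alice", "coded", "INV-2"),
    ev("2025-03-04T10:00", "dave", "approved", "INV-2"),   # no match step; above manager limit
    ev("2025-03-04T10:05", "dave", "paid", "INV-2"),       # approver also released
]


def reconstruct(log):
    """Group events per invoice in timestamp order, without manual collation."""
    trails = defaultdict(list)
    for e in sorted(log, key=lambda e: e["ts"]):
        if e["invoice"]:
            trails[e["invoice"]].append(e)
    return dict(trails)


def vendor_creators(log):
    return {e["vendor"]: e["actor"] for e in log if e["action"] == "vendor_created"}


def audit_trail(events, creators, doa=DOA, roles=ROLES):
    """Return the findings for one invoice's trail; an empty list means clean."""
    findings = []
    actions = [e["action"] for e in events]
    actor_of = {e["action"]: e["actor"] for e in events}
    vendor = next((e["vendor"] for e in events if e["vendor"]), None)
    amount = next((e["amount"] for e in events if e["amount"] is not None), None)
    # 1. Trail completeness and order: a paid invoice must show every step, in sequence.
    if "paid" in actions:
        missing = [s for s in LIFECYCLE if s not in actions]
        if missing:
            findings.append("paid without: " + ", ".join(missing))
        positions = [actions.index(s) for s in LIFECYCLE if s in actions]
        if positions != sorted(positions):
            findings.append("lifecycle steps out of order")
    # 2. Segregation of duties: create vendor, approve, release must not collapse onto one person.
    approver, releaser = actor_of.get("approved"), actor_of.get("paid")
    if approver and approver == releaser:
        findings.append(f"{approver} both approved and released payment")
    creator = creators.get(vendor)
    if creator and creator in (approver, releaser):
        findings.append(f"{creator} created vendor {vendor} and also approved or released its payment")
    # 3. Approval authority: the approver's role limit must cover the amount.
    if approver and amount is not None:
        limit = doa.get(roles.get(approver, ""), 0)
        if amount > limit:
            findings.append(f"{approver} ({roles.get(approver)}) approved {amount} above limit {limit}")
    return findings


def run_audit(log):
    creators = vendor_creators(log)
    return {inv: audit_trail(evs, creators) for inv, evs in reconstruct(log).items()}


if __name__ == "__main__":
    for inv, findings in run_audit(LOG).items():
        print(inv, findings or "clean")
```

The same log that produces the findings is the one an auditor would sample from, so a clean result here is only as good as the log's coverage: if a step is not written to the log, this check cannot see it either.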

Frequently Asked Questions

What does this AP audit checklist cover?

Fifty controls across seven areas: vendor onboarding and master data, invoice receipt and capture, three-way matching and PO compliance, approval controls and segregation of duties, payment execution and bank controls, compliance and tax (including 1099 readiness and e-invoicing), and audit trail and reporting. The categories follow the operating risk model auditors use during AP walkthroughs.

Who is this checklist for?

AP managers, controllers, and CFOs who want to self-assess their AP function before an external audit, after a fraud incident, during a system migration, or as part of an annual controls review. It also works for finance leads at growing companies who are formalising AP controls for the first time and want a baseline before the first SOX cycle.

Is the score audit-grade?

No. The score is a self-assessment heuristic that gives you a defensible internal baseline. A real audit will sample transactions, walk through controls, and test design and operating effectiveness — none of which a checklist can replicate. Use this to find gaps and prioritise remediation, not as a substitute for an external audit opinion.

Why are some controls marked "Ken automates"?

Of the 50 controls, the ones tagged with the orange Ken badge are controls that Ken from Finance handles natively as part of the AP automation workflow — duplicate detection, audit trails, segregation of duties enforcement, exception routing, and similar. The other controls require human policy decisions, organisational structure, or external integration. The tag is informational; tick whichever boxes match your actual operating reality.

Can I save my progress?

The checklist is stateless within the page — it does not store your score on a server. Use the "Download report" button to save a markdown file with your score, your readiness band, and a complete checked-state record of every control. Open it in any markdown editor or paste it into your internal wiki, Google Doc, or Notion page.

How often should we run this?

At minimum once a year as part of your annual controls review. More usefully: after any material organisational change (acquisition, new entity, ERP migration, leadership change in AP), after any fraud or near-miss incident, and roughly 60 days before any planned external audit, so the remediation list has time to land.

Want most of these controls handled for you?

Ken automates roughly 32 of the 50 controls in this checklist — duplicate detection, segregation of duties, approval workflows, audit trails, and exception routing — out of the box. Start a free trial and see your score move.

Try Ken Free