Corpay

Accounts Payable Audit: Checklist, Procedures, and Controls

Category: AP Automation, Risk management
Updated: 2026-06-11
Author: David Luther

An accounts payable audit is a structured review of the AP function that tests whether payables are complete, accurately recorded, properly authorized, and protected from fraud. For a Controller, an AP audit is both a compliance exercise and a diagnostic — the findings point straight at the control gaps that let duplicate payments, ghost vendors, and unrecorded liabilities slip through.

Most teams meet the AP audit at one of two moments. External auditors arrive for the year-end financial-statement audit, or a finding from a prior review creates a remediation obligation that lands on the AP director's desk. Either way, the work is the same underneath. You're confirming that every dollar going out the door was owed, approved at the right level, recorded in the right period, and supported by documentation someone can pull on demand.

Preparation is what separates an easy audit from a painful one. A finance team running clean controls can hand auditors a complete trail in an afternoon. A team reconstructing that trail from email inboxes and spreadsheets can lose a week to it.

Key Takeaways

  • An AP audit tests five core assertions about payables: completeness, accuracy, authorization, cutoff, and the segregation of duties across the people who create, approve, and pay.

  • The standard checklist runs ten areas, from vendor master integrity and three-way match coverage to duplicate-payment testing and accrual completeness.

  • Duplicate payments and ghost-vendor schemes are among the most common findings, and both trace back to specific, fixable control gaps rather than one-off mistakes.

  • Asset misappropriation, the category that covers most AP fraud, is the dominant form of occupational fraud, and strong controls measurably cut the losses, according to the ACFE's 2024 Report to the Nations.

  • A complete audit trail is far easier to produce when invoice capture, matching, approval, and payment all run through one system that time-stamps and attributes every step.

What is an accounts payable audit?

An accounts payable audit is an examination of the AP process and the payables balance to confirm that recorded liabilities are real, complete, correctly valued, and properly authorized. It looks at both the numbers on the balance sheet and the controls that produced them.

There are two flavors, and confusing them causes a lot of unnecessary anxiety on AP teams. An internal AP audit is a self-assessment, run by AP leadership or an internal-audit function, to validate that controls work and to find gaps before anyone outside the company does. An external audit is the financial-statement audit your independent auditors perform, where accounts payable is one of several balances they test as part of the annual opinion. The internal version is a rehearsal you control; the external version is the graded exam.

How does an internal AP audit differ from an external one?

The internal audit is about control health, while the external audit is about whether the financial statements are fairly stated. An internal AP audit can go as deep as the team wants, sampling 200 invoices, tracing every vendor banking change, and stress-testing the approval matrix. External auditors work from a materiality threshold and a risk assessment, so they sample where the dollars and the risk concentrate. In practice, payables draw the most attention on the completeness assertion. Auditors worry less about payables you've overstated and more about liabilities you've left off the books entirely, and that single concern drives most of the cutoff and unrecorded-liability work described later.

Who runs an AP audit, and when

Internal AP audits are typically run by the Controller's team, an internal-audit group, or AP leadership doing a pre-audit self-assessment, usually quarterly for high-risk areas and once a year as a full sweep. The external audit runs on the company's fiscal-year calendar. The smartest finance teams treat the internal review as a dress rehearsal. They run the same procedures their external auditors will, find the exceptions first, and walk into the external audit with findings already documented and remediation underway. If you've never mapped your own accounts payable process against what an auditor tests, that gap analysis is the cheapest insurance you can buy.


What does an AP audit checklist cover?

A complete AP audit covers ten areas, each tied to a financial-statement assertion or a fraud risk. Work through them in order and you've touched every control that matters. Here's what each area tests, what good looks like, and the finding that shows up when the control is weak.

  1. Vendor master integrity. Confirm vendor records are complete and accurate — legal name, address, tax ID, banking details, and payment terms. Test for duplicate vendor records, inactive vendors still receiving payments, and records changed without authorization. Duplicate or ghost vendors almost always start here.

  2. Invoice completeness and documentation. Every invoice should trace to a valid purchase order or contract, arrive through the AP system rather than a personal inbox, and carry correct GL, cost-center, and project coding. Invoices that bypass central intake are the ones that go missing at period-end.

  3. Three-way match coverage. Test whether invoices match a purchase order and a goods receipt before payment clears. Pull the match-exception report and look at its volume, dollar value, and how exceptions get resolved. A healthy program resolves most exceptions through a defined queue, not through one person waving them through. The mechanics of three-way matching are worth getting right, because match coverage is where overbilling and quantity errors surface.

  4. Approval-threshold compliance. Verify each invoice was approved by the right person at the right dollar level, per a documented authorization matrix. Watch for invoices split into smaller amounts to stay under an approval ceiling — a classic way to route spend around a control.

  5. Duplicate-payment testing. Run a systematic test for duplicates: same vendor, same amount, same invoice number, plus the trickier cases of the same vendor and amount under a slightly altered invoice number. Recovery audit firms exist almost entirely because this control fails so often, and IOFM benchmarking has long flagged duplicate payments as a recurring drain on AP departments.

  6. Cutoff testing. Confirm invoices received before period-end land in the correct period. Review disbursements made just after the balance-sheet date to catch liabilities that should have been recorded but weren't. This is the completeness assertion in action.

  7. Segregation of duties. Check that no single person controls vendor setup, invoice entry, approval, payment execution, and bank reconciliation. Where one role spans several of those steps, you have a fraud exposure regardless of how trustworthy the individual is.

  8. Vendor master change log review. Audit who changed vendor records, when, which fields, and whether the change was authorized. Banking-detail changes deserve the most scrutiny, since redirected payments usually begin with a quiet edit to a vendor's account number.

  9. Payment method and banking controls. Confirm bank-account changes go through documented change control with dual authorization. Look for payments to personal accounts or to accounts that don't match the vendor master.

  10. Accruals and unrecorded liabilities. Test the AP aging and open purchase orders for goods or services received but not yet invoiced. Anything received before period-end belongs in the period's liabilities, invoice in hand or not.

You don't need to weight all ten equally every cycle. A risk-based approach concentrates effort on vendor master changes, duplicate payments, and approval compliance, which are the areas where findings cluster, and samples the rest.
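Checklist item 4 warns about invoices split to stay under an approval ceiling. The sketch below is an added example, not Corpay's code or part of the original article. It clusters same-vendor invoices that each fall below the ceiling and flags clusters whose combined total reaches it. The field names, the 5,000 ceiling, the 3-day gap rule, and the sample rows are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import date
from decimal import Decimal
from typing import NamedTuple


class Invoice(NamedTuple):
    invoice_no: str
    vendor_id: str
    amount: Decimal
    invoice_date: date


# Constructed sample rows, not real data.
INVOICES = [
    Invoice("A1", "V100", Decimal("4800.00"), date(2025, 4, 1)),
    Invoice("A2", "V100", Decimal("4700.00"), date(2025, 4, 2)),
    Invoice("A3", "V100", Decimal("4900.00"), date(2025, 4, 2)),
    Invoice("B1", "V200", Decimal("1200.00"), date(2025, 4, 1)),
    Invoice("B2", "V200", Decimal("900.00"), date(2025, 4, 20)),
    Invoice("C1", "V300", Decimal("6000.00"), date(2025, 4, 5)),
    Invoice("C2", "V300", Decimal("300.00"), date(2025, 4, 5)),
    Invoice("D1", "V400", Decimal("2000.00"), date(2025, 4, 10)),
    Invoice("D2", "V400", Decimal("1500.00"), date(2025, 4, 11)),
]


def find_split_clusters(invoices, ceiling, gap_days=3):
    """Return (vendor, [invoice numbers], total) for suspicious clusters.

    Assumption: an invoice strictly below `ceiling` is routed to a lower
    approval level, so only those invoices can be part of a split.
    """
    by_vendor = defaultdict(list)
    for inv in invoices:
        if inv.amount < ceiling:
            by_vendor[inv.vendor_id].append(inv)

    findings = []
    for vendor, rows in sorted(by_vendor.items()):
        rows.sort(key=lambda r: (r.invoice_date, r.invoice_no))
        # Chain invoices dated within gap_days of the previous one.
        clusters, current = [], [rows[0]]
        for inv in rows[1:]:
            if (inv.invoice_date - current[-1].invoice_date).days <= gap_days:
                current.append(inv)
            else:
                clusters.append(current)
                current = [inv]
        clusters.append(current)

        for cluster in clusters:
            total = sum(r.amount for r in cluster)
            # Two or more sub-ceiling invoices that together reach the
            # ceiling would have needed higher approval as one invoice.
            if len(cluster) >= 2 and total >= ceiling:
                findings.append(
                    (vendor, [r.invoice_no for r in cluster], total))
    return findings


if __name__ == "__main__":
    for finding in find_split_clusters(INVOICES, Decimal("5000")):
        print(finding)
```

A flagged cluster is a prompt for review rather than proof of a split, since a vendor can legitimately issue several invoices in the same week.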

What are the most common AP audit findings?

The most common AP audit findings are duplicate payments, ghost-vendor disbursements, approval bypass through invoice splitting, unrecorded liabilities, and bank-account redirection. None of these is random. Each traces to a specific control gap, which means each has a specific fix. The table below maps the finding to its root cause and the control that closes it.

| Finding | Root cause | Control gap | Remediation |
| --- | --- | --- | --- |
| Duplicate payments | No centralized intake; manual matching | No automated duplicate-detection rule | Centralize invoice intake and enable automated duplicate-detection on vendor, amount, and invoice number |
| Ghost-vendor payment | Unauthorized vendor master entry | Vendor setup not separated from invoice entry; no change-log review | Segregate vendor master maintenance; require dual authorization for new vendors |
| Invoice split below threshold | Approval routed around the matrix | No split-invoice detection | Configure split-invoice flags in the approval workflow and review same-vendor clusters |
| Unrecorded liability | Invoice never entered the AP system before close | No central intake; no cutoff test | Route all invoices through one intake point; run a standard cutoff test each period |
| Incorrect GL coding | Manual coding without rules or review | No auto-coding; no exception sampling | Apply rule-based coding with exception routing for review |
| Payment to wrong bank account | No dual control on banking changes | Weak vendor master change control | Require dual authorization for bank-account changes; audit the change log quarterly |
| Unresolved match exceptions | Exceptions accumulate with no owner | No resolution SLA | Stand up an exception queue with a defined resolution SLA |

The pattern worth noticing: almost every finding maps back to two underlying weaknesses — invoices entering through too many uncontrolled doors, and decisions (coding, matching, banking changes) made by one person with no second check. Fix those two structural problems and most of the table takes care of itself. Many of these gaps overlap directly with the fraud schemes that target accounts payable, which is why audit findings and fraud-prevention controls tend to be the same controls viewed from two angles.

What is segregation of duties in accounts payable?

Segregation of duties in accounts payable means dividing the AP workflow so that no single person can create a payment, approve it, and execute it without anyone else involved. It's the single most important fraud control in the function, because AP is where the money physically leaves the company.

The stakes here aren't abstract. Asset misappropriation — the category that covers duplicate payments, ghost vendors, and billing schemes — accounts for 89% of all occupational fraud cases, according to the ACFE's 2024 Report to the Nations. The same study found that organizations with strong anti-fraud controls cut their fraud losses roughly in half compared with those without. Segregation of duties is the foundation those controls sit on.


Which duties should AP keep separate?

Four separations carry most of the weight in AP, and each one removes a path a single person could otherwise use to move money unchecked:

  • Vendor master maintenance, kept apart from invoice entry, so the person who can add a vendor can't also push an invoice through against it.

  • Invoice entry and coding, kept apart from approval, so whoever records the liability isn't the one signing off on it.

  • Approval, kept apart from payment execution, so authorizing a payment and releasing it stay in two different hands.

  • Payment execution, kept apart from bank reconciliation and GL posting, so the person who sends money isn't the one reconciling whether it matched.

Those four boundaries map cleanly onto the audit checklist, which is why an auditor's first move is often to pull the user-access report and look for one name showing up across conflicting roles.
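The user-access check described above can be scripted. This is an added example, not Corpay's code or part of the original article. It tests a user-access report against the four separations listed here, then checks an invoice trail for cases where a conflict was actually exercised. The duty labels, user names, field names, and sample rows are assumptions constructed for illustration.

```python
from typing import NamedTuple

# The four separations from the list above, as conflicting duty pairs.
# The duty labels are assumed names, not taken from any product.
CONFLICTS = [
    ("vendor_master", "invoice_entry"),
    ("invoice_entry", "approval"),
    ("approval", "payment_execution"),
    ("payment_execution", "reconciliation"),
]

# Constructed user-access report: user -> duties held.
ACCESS = {
    "alice": {"vendor_master"},
    "bob": {"invoice_entry", "approval"},
    "carol": {"approval"},
    "dave": {"payment_execution", "reconciliation"},
    "erin": {"invoice_entry"},
}


class InvoiceTrail(NamedTuple):
    invoice_no: str
    entered_by: str
    approved_by: str
    paid_by: str


# Constructed audit-trail rows, not real data.
TRAIL = [
    InvoiceTrail("INV-1", "erin", "carol", "dave"),
    InvoiceTrail("INV-2", "bob", "bob", "dave"),   # self-approved
    InvoiceTrail("INV-3", "erin", "bob", "dave"),  # bob approved only
]


def access_conflicts(access):
    """Users whose assigned duties include both sides of a conflict pair."""
    findings = {}
    for user, duties in sorted(access.items()):
        hits = [p for p in CONFLICTS if p[0] in duties and p[1] in duties]
        if hits:
            findings[user] = hits
    return findings


def exercised_conflicts(trail):
    """Invoices where one person performed two adjacent steps."""
    findings = []
    for t in trail:
        if t.entered_by == t.approved_by:
            findings.append((t.invoice_no, "entry+approval", t.entered_by))
        if t.approved_by == t.paid_by:
            findings.append((t.invoice_no, "approval+payment", t.approved_by))
    return findings


if __name__ == "__main__":
    print(access_conflicts(ACCESS))
    print(exercised_conflicts(TRAIL))
```

The first function reports exposure (who could bypass a separation); the second reports occurrences (who did), which is the evidence a compensating-control review would start from.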

When the team is too small for full segregation

Plenty of mid-market AP teams can't fully separate every duty, and auditors know it. The answer is compensating controls: a manager who reviews every payment run before release, dual authorization on any payment above a set dollar threshold, and a monthly vendor master reconciliation that a second person signs off on. Automation also closes gaps that headcount alone can't. A system that enforces an approval matrix and flags split invoices doesn't care that the same employee wears three hats, because the rules run independently of the people. That's often the most practical path for a lean team that still needs to pass an audit. The broader question of how to staff and structure these controls is part of managing accounts payable effectively as volume grows.

What does a complete AP audit trail include?

A complete AP audit trail records the full life of an invoice, from receipt through posting, with a time stamp and a responsible party at each step. When any of those links lives in someone's inbox or a side spreadsheet, the trail breaks, and reconstructing it for auditors is where teams lose days.

Seven elements make a trail auditor-ready:

  • The time-stamped moment of invoice receipt

  • The captured data extracted from the invoice

  • The match result, whether pass, exception, or override

  • The approver's identity and approval time

  • The payment method and confirmation

  • The ERP posting reference

  • Any exception notes explaining a deviation

Manual processes capture maybe half of these by default. An invoice emailed to one person, approved by a forwarded reply, and paid from a separate banking portal leaves three different systems holding three fragments of one story.

Why SOC 2 Type II matters when payment data leaves your walls

When invoice and payment data flows through an outside platform, SOC 2 Type II is the report that tells you the vendor's security, availability, and confidentiality controls were independently tested over a period of time, not just described at a single point. SOC 2 Type I confirms controls exist on paper; Type II confirms they actually operated as intended across months of real activity, which is the version that matters for a system touching your payments. For an AP team whose audit scope now includes third-party processors, that distinction is worth confirming for every vendor on your shortlist — ask for the current Type II report, not a Type I attestation or a security white paper.

How do you audit accounts payable, step by step?

You audit accounts payable by defining scope, pulling the underlying records, running a fixed set of tests, and mapping every exception to a control gap and a remediation owner. The ten steps below are the working procedure an internal audit follows; external auditors run a similar arc against their materiality and risk thresholds.

  1. Define scope and period. Set the audit window, the population (all vendors or a risk-stratified sample), and the assertions you're testing: completeness, accuracy, cutoff, and authorization.

  2. Pull the source records. Obtain the AP sub-ledger, open-PO report, vendor master list, and AP aging as of the audit date.

  3. Run the duplicate-payment test. Sort transactions by vendor, amount, invoice number, and date, then surface duplicates inside your defined window.

  4. Test three-way match coverage. Pull the match-exception report, sample both matched and unmatched invoices, and trace them to the PO and goods receipt.

  5. Perform cutoff testing. Select invoices received within roughly ten days of period-end and confirm each was recorded in the correct period.

  6. Review vendor master changes. Pull the change log for the period and verify authorization and dual approval on new vendors and banking edits.

  7. Test approval-threshold compliance. Sample invoices across dollar tiers and confirm each was approved at the correct level per the authorization matrix.

  8. Assess segregation of duties. Map who holds vendor maintenance, invoice entry, approval, payment, and reconciliation, and flag any conflicts.

  9. Document findings against controls. For each exception, record the finding, the root-cause control gap, the risk, and the recommended fix.

  10. Issue the report. Lay out findings, control gaps, and remediation priorities with named owners and due dates.

The discipline that separates a useful audit from a checkbox exercise lives in steps nine and ten. Anyone can list exceptions. The value is in tracing each one to the control that failed and assigning a person and a date to fix it.
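Step 3 of the procedure, and checklist item 5 earlier on the page, describe the duplicate-payment test: same vendor, same amount, same invoice number, plus the same vendor and amount under a slightly altered invoice number. The sketch below is an added example, not Corpay's code or part of the original article. The normalization rules for "slightly altered", the 30-day window, the field names, and the sample rows are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import date
from decimal import Decimal
from typing import NamedTuple


class Payment(NamedTuple):
    payment_id: str
    vendor_id: str
    invoice_no: str
    amount: Decimal
    invoice_date: date


# Constructed sample rows, not real data.
PAYMENTS = [
    Payment("P001", "V100", "INV-1042", Decimal("1250.00"), date(2025, 3, 3)),
    Payment("P002", "V100", "INV-1042", Decimal("1250.00"), date(2025, 3, 3)),
    Payment("P003", "V200", "2025-0077", Decimal("830.50"), date(2025, 3, 10)),
    Payment("P004", "V200", "20250077A", Decimal("830.50"), date(2025, 3, 18)),
    Payment("P005", "V300", "0042", Decimal("400.00"), date(2025, 1, 5)),
    Payment("P006", "V300", "42", Decimal("400.00"), date(2025, 6, 5)),
    Payment("P007", "V100", "INV-1043", Decimal("1250.00"), date(2025, 3, 4)),
]


def normalize_invoice_no(raw):
    """Collapse common re-keying variations (assumed rules): case,
    punctuation and spaces, leading zeros, trailing letter suffix."""
    s = re.sub(r"[^A-Z0-9]", "", raw.upper())
    s = s.lstrip("0")
    return re.sub(r"(?<=\d)[A-Z]+$", "", s)


def find_duplicates(payments, window_days=30):
    """Return sorted (kind, first_payment_id, second_payment_id) tuples."""
    groups = defaultdict(list)
    for p in payments:
        groups[(p.vendor_id, p.amount)].append(p)

    findings = []
    for rows in groups.values():
        rows.sort(key=lambda r: (r.invoice_date, r.payment_id))
        for i, a in enumerate(rows):
            for b in rows[i + 1:]:
                if a.invoice_no == b.invoice_no:
                    # Same vendor, amount and invoice number: flag always.
                    findings.append(("exact", a.payment_id, b.payment_id))
                elif (normalize_invoice_no(a.invoice_no)
                      == normalize_invoice_no(b.invoice_no)
                      and (b.invoice_date - a.invoice_date).days
                      <= window_days):
                    # Same vendor and amount, number differs only by
                    # formatting, and the dates fall inside the window.
                    findings.append(
                        ("altered_number", a.payment_id, b.payment_id))
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_duplicates(PAYMENTS):
        print(finding)
```

In the sample, P005 and P006 share a normalized number but sit 151 days apart, so they are reported only when the window is widened; P007 has a genuinely different number and is never paired with P001.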

How does AP automation make audits faster and findings fewer?

AP automation makes audits faster by producing a complete audit trail as a byproduct of the process, and it makes findings fewer by enforcing the controls that manual processes rely on people to remember. The two effects compound: fewer exceptions to find, and a cleaner record of the ones that did occur.

The cost case is well documented. Top-tier AP organizations process an invoice for $2.78 versus $12.88 for average performers, and they clear invoices in 3.1 days against 17.4 days for laggards, according to Ardent Partners' 2025 State of ePayables report. Roughly three-quarters of AP departments now run some form of AI or automation tooling, the same body of research found, which means a manual shop is increasingly the outlier an auditor flags. Top-performing finance organizations also operate at meaningfully lower cost than their peers, according to the Hackett Group's 2025 research on digital finance, a gap driven in large part by how few exceptions their automated controls generate.

Speed isn't really the point for audit, though. The point is that the same automation removing manual touches also removes the control gaps behind the most common findings. Centralized intake kills the unrecorded-liability problem. Duplicate-detection rules catch the repeat invoice before payment, not six months later in a recovery audit. An enforced approval matrix flags the split invoice at submission. Each automated control answers a specific finding on the table above, which is what closing the audit-readiness gaps in your AP operation actually looks like in practice.

Build audit-ready AP with Corpay

The fastest way to fail an AP audit is to run controls that depend on people remembering to apply them. Corpay AP Automation moves those controls into the process itself, so the audit trail is a permanent record rather than something your team reconstructs the week before fieldwork begins.

A few capabilities map directly to the findings auditors look for. AI-driven invoice capture creates a time-stamped, role-attributed record from the moment an invoice arrives. Configurable duplicate-payment detection screens on vendor, amount, and a window you define. Two-way and three-way matching with tolerance settings routes exceptions into a queue with a resolution trail, so invoice processing leaves an auditor-ready exception report instead of a backlog. Approval workflows enforce your authorization matrix and flag split invoices at submission. And every invoice, match decision, approval, and payment is time-stamped, attributed, and exportable on demand.

Because Corpay is an ERP complement rather than a replacement, that audit trail posts back into the system you already run. Whether your books live in Acumatica, NetSuite, Sage Intacct, Microsoft Dynamics 365, QuickBooks, or SAP, the controls and the trail sit on top of your existing close. Corpay maintains 180+ ERP integrations, and the way an audit trail carries through a NetSuite-connected AP workflow or a fully managed Sage ERP process is the same principle applied to your stack.

To see how automated controls and a permanent audit trail apply to your AP operation, explore Corpay AP Automation and its ERP integration options. Teams running a broader spend program can find the same controls inside the integrated Corpay Complete platform.

Frequently Asked Questions

What is an accounts payable audit?

An accounts payable audit is a structured review of the AP function and the payables balance that tests whether liabilities are complete, accurately recorded, properly authorized, and protected from fraud. It examines both the numbers and the controls that produced them, and an internal AP audit serves as a self-assessment before external auditors run the financial-statement version.

What does an AP audit include?

An AP audit covers ten areas: vendor master integrity, invoice completeness and documentation, three-way match coverage, approval-threshold compliance, duplicate-payment testing, cutoff testing, segregation of duties, vendor master change review, payment and banking controls, and accruals or unrecorded liabilities. Each area ties to a financial-statement assertion or a specific fraud risk.

How do you audit accounts payable?

You define the scope and period, pull the AP sub-ledger and supporting reports, then run a fixed set of tests that covers duplicate-payment screening, match-coverage sampling, cutoff testing, vendor master change review, approval-compliance sampling, and a segregation-of-duties assessment. Each exception is documented against its control gap, with a remediation owner and due date.

What are the most common AP audit findings?

The most common findings are duplicate payments, ghost-vendor disbursements, approval bypass through invoice splitting, unrecorded liabilities, and payments redirected to incorrect bank accounts. Each traces to a specific control gap, such as uncontrolled invoice intake or missing dual authorization on banking changes, rather than to one-off error.

What is segregation of duties in accounts payable?

Segregation of duties means dividing the AP workflow so no single person can set up a vendor, enter an invoice, approve it, and execute payment without a second person involved. The four core boundaries separate vendor master maintenance, invoice entry, approval, and payment execution. Small teams that can't fully separate every duty use compensating controls like management review of payment runs and dual authorization above a dollar threshold.

What is cutoff testing in accounts payable?

Cutoff testing confirms that invoices received before period-end are recorded in the correct period. Auditors review disbursements made just after the balance-sheet date to catch liabilities that should have been accrued but weren't, since the completeness of payables is the assertion external auditors weight most heavily.

How often should you audit accounts payable?

At a minimum, accounts payable is audited annually as part of the financial-statement audit. Best practice adds quarterly self-assessment of the highest-risk areas — duplicate payments, vendor master changes, and approval-threshold compliance — so the AP team finds and fixes exceptions before external auditors arrive.

How can AP automation help with audits?

Automation produces a complete, time-stamped audit trail as a byproduct of the process and enforces the controls that manual workflows depend on people to remember. Centralized intake, duplicate-detection rules, enforced approval matrices, and match-exception queues each close a common audit finding, which means fewer exceptions to find and a cleaner record of the ones that occur.


David Luther

Product Marketing Program Manager
David Luther, MBA is a product marketing program manager with years of experience in commercial banking, finance, and technology sectors, with research and writing appearing in financial publications.