Accounts Payable Audit Guide: Steps, Process & Checklist

Audit pressure doesn’t build gradually; it compounds. Rising invoice volumes increase workloads and quietly erode control, until the gaps are too large to ignore. By the time audit season arrives, mid-market finance teams are often reacting instead of preparing.

Today, according to APQC benchmarking data, only 92% of invoices are processed error-free the first time, meaning approximately 1 in 12 invoices requires correction or rework, creating delays and additional processing costs.

There’s no room for mistakes when expanding. Issues are quickly compounded at scale.

This article covers what an accounts payable audit actually looks like, how to conduct one step by step, which assertions and procedures matter most, what to look for in your documentation, and what to do after findings come in.

By the end, you will have a working framework for running a stronger AP audit and building the kind of controls that make the next one faster and less disruptive.

What Is an Accounts Payable Audit?

An accounts payable audit is an in-depth review of your AP records, workflows, and controls. The goal is to ensure that invoices are accurately recorded, properly authorized, correctly classified, and legitimately paid in the correct amounts. Make a habit out of doing this a few times a year so your records are always on track.

An AP audit is not a forensic investigation, though it can uncover fraud. But it is more than just an administrative check. A thorough AP audit shows you where controls are working, where your records are weak, and where payment risks are highest.

What an AP Audit Typically Covers

• Invoice records and supporting documentation
• Purchase orders (POs) and three-way match evidence
• Approval workflows and authorization history
• Payment records and disbursement details
• Vendor master file, including setup history and bank detail changes
• Account reconciliations and period-end close records
• Exception logs and prior audit findings

Why Companies Perform AP Audits

Most AP audits are driven by a mix of compliance and operational needs. Common reasons to run an audit are:

• Catching duplicate payments before they go undetected
• Identifying unsupported or unauthorized spend
• Confirming that period-end invoices are recorded in the correct accounting period
• Reviewing vendor master accuracy after data changes or staff turnover
• Responding to audit committee or external auditor requests

Audits also help you diagnose gaps in your control before they escalate into material risk.

Why Mid-Market Finance Teams Need AP Audits

Big companies run formal AP audits as a matter of course. They’re typically supported by large internal audit teams and a dedicated compliance infrastructure. Mid-market and growth-stage finance teams face entirely different challenges.

These teams are scaling quickly, often without a big increase in headcount, and the controls that worked at lower invoice volumes are no longer effective.

Growing Invoice Volume and More Moving Parts

As invoice volume grows, so does the likelihood that something slips through. Approval queues get longer. Vendor master maintenance gets harder to keep up with.

The risk of duplicate payments, miscoded invoices, and missed cutoffs increases when manual processes are stretched. An AP audit creates a checkpoint that forces your company to confirm controls are keeping pace with volume.

Manual Workflows and Documentation Gaps

Teams that rely on email, shared drives, and spreadsheets for tracking will definitely struggle during audit prep. Records are scattered. Approval evidence is buried in inboxes.

Vendor history requires manual reconstruction. These gaps do not just slow the audit down. They signal real weaknesses that external auditors and regulators will flag.

Stronger Controls Without Enterprise Complexity

79% of businesses reported payment fraud attacks in 2024, according to the AFP 2025 Payments Fraud and Control Survey. Audits prevent these things from occurring.

However, the goal of mid-market finance is not to build an audit infrastructure that rivals that of a Fortune 500 company. It is to implement controls that are consistent, documented, and enforceable using the available resources, in order to prevent fraud and waste.

A regular AP audit creates accountability, and surfaces issues early enough to fix them before they get out of control.

Accounts Payable Audit vs. Internal Audit vs. Recovery Audit

People can often confuse the different types of audits you can run, but there are three distinct types to check your AP work. Knowing the differences helps teams choose the right approach and better communicate with auditors, advisors, and finance leadership.

Standard Accounts Payable Audit

A standard AP audit looks at everything to do with your AP function. It examines whether:

• Invoices are accurately recorded
• Invoices are properly authorized
• Invoices are correctly classified
• Invoices are backed up with records

External auditors will usually conduct some form of AP audit as part of a financial statement audit. Internal teams can also run these reviews as part of ongoing financial oversight.

Accounts Payable Internal Audit

An accounts payable internal audit is conducted by your own team. The focus is on control design and effectiveness. Key questions to include:

• Are approval workflows being followed?
• Is the segregation of duties maintained?
• Are exception items being reviewed and resolved?
• What is the current error rate, and which process steps generate the most exceptions?
• Where are approval or processing delays most concentrated?

The end result is usually an internal audit report of accounts payable processes, with findings, risk ratings, and recommended control improvements.

Accounts Payable Recovery Audit

An AP recovery audit takes a narrower focus. Instead of reviewing the AP control environment, it specifically looks for money that has already left the company in error: duplicate payments, overpayments, missed vendor credits, and discounts that were not applied.

Recovery audits are typically run by third-party specialists who work on a contingency basis and are paid a percentage of what they recover.

Accounts Payable Audit Checklist

A strong accounts payable audit checklist keeps the team organized before and during the review. The goal is not to check every box for compliance optics. It is to make sure the right records are in hand, the key controls have been reviewed, and the transactions most likely to carry risk have been sampled.

Documents to Gather

• Invoices with corresponding purchase orders, receipts, inspections.
• Approval records for all transactions, including electronic approvals
• Vendor master file, including a history of changes
• Payment register and disbursement details
• Bank and AP subledger reconciliations
• Prior audits and documented remediation actions
• Vendor contracts and pricing agreements for high-spend suppliers
• Credit memo log and any outstanding credits owed by vendors

Controls to Review

• Invoice approvals and whether they are consistently applied
• Segregation of duties between vendor setup, invoice approval, and payment release
• Three-way PO match process and how exceptions are documented and resolved
• Vendor setup controls, including who can add new vendors or change bank details
• Payment authorization limits and whether delegated authority is documented
• Exception handling procedures and how flagged items are escalated and resolved

Transactions to Test

• Invoices with duplicate vendor names, invoice numbers, or payment amounts
• Manual payments and check runs
• Invoices from vendors that have been added to the master file
• Invoices received near the period-end, where timing and recording may be at risk
• Credit memos and whether they were applied to open invoices or recovered
• Transactions with round-dollar amounts or unusual payment patterns
• Any changes to the vendor bank account or payment details during the audit period

How to Conduct an Accounts Payable Audit (Step-by-Step)

The steps below are organized for finance teams running a practical AP audit internally, whether as a standalone review or as preparation for an external audit.

Step 1. Define Scope and Objectives

Start by deciding what the audit will and will not cover. Key scope decisions include:

• Define the review period
• Which entities or cost centers are in scope
• Which vendor populations will be reviewed
• Which risk areas are the priority

A detailed and well-defined scope is more actionable than a broad review that doesn’t go deep enough to matter.

Step 2. Gather AP Records and Supporting Documentation

Pull the records you need before testing begins. Scattered or incomplete documentation is the most common reason AP audits take longer than expected.

If your team cannot retrieve an invoice and its approval history in a few minutes, that retrieval lag is itself a finding worth noting.

Step 3. Review Policies, Workflows, and Controls

Before testing individual transactions, review whether the AP policies and workflows in place are documented, up to date, and designed to support the controls you rely on.

A control that exists on paper, but is not enforced in practice, is not a control. Look for gaps between what the policy says and what the workflow data shows.

Step 4. Test Transactions and Supporting Evidence

Select a sample of transactions and test them against the controls and criteria defined in your audit scope.

This means reviewing actual invoices, approval records, POs, receiving documents, and payment history, not just running summary reports. Transaction-level testing is where most substantive findings surface.

Step 5. Identify Exceptions and Red Flags

Document every transaction that does not pass a test, or that shows a pattern worth investigating.

A single missing approval may be an oversight. A pattern of missing approvals across a vendor or department is a control breakdown. Patterns matter more than individual exceptions.

Step 6. Summarize Findings and Recommend Fixes

Compile findings with enough evidence to explain what was found, why it matters, and what needs to change.

Assign owners and set timelines for remediation. An audit that produces a list of findings but no accountability or follow-through will produce the same findings next time.

*Note: Document findings with enough evidence to explain what was found, why it matters, and what needs to change. Assign owners and set remediation timelines. As you work, record the process itself. A well-documented audit becomes a reusable template that makes the next review faster.

Accounts Payable Audit Procedures and Assertions

Accounts payable audit procedures and assertions are the claims your financial statements make about AP balances. Testing those assertions confirms whether the claims are accurate.
The chart below shows you each assertion to its plain-language meaning and the procedures typically used to test it:

Completeness

Completeness testing asks whether everything that should be recorded actually is. For AP, this means reviewing whether all invoices received during the period have been entered, regardless of whether payment has been made.

Teams typically test completeness by reconciling vendor statements to the AP subledger and by reviewing receiving records near period-end for invoices that may have been delayed in processing.

Accuracy

Accuracy testing verifies that the numbers in the AP ledger match the source documents. This includes checking that invoice totals, quantities, unit prices, and tax amounts are correctly recorded.

It also means confirming that GL coding reflects the actual nature of the purchase and matches the approved PO.

Cutoff

Cutoff testing focuses on period-end timing. An invoice received on December 30 should be recorded in December, not January, even if it does not get processed until the new year.

Cutoff errors are common in high-volume environments where invoice-processing queues extend beyond the month-end close. They distort expense recognition and liability balances.

Existence or Occurrence

Existence testing will show you that recorded payables relate to real transactions. Test this by selecting items from the AP ledger and working backward to the source documents: the invoice, purchase order, receiving record, and contract. Any of your payables without supporting documentation is a red flag that warrants further investigation.

Classification

Classification testing looks at whether expenses are coded to the correct GL accounts. Misclassification can affect budget reporting, tax treatment, and financial statement presentation.

Common classification errors include things like:

• Coding operating expenses to capital accounts
• Misallocating costs across departments
• Coding personal or non-business expenses

Authorization

Authorization testing confirms that every invoice in the sample was approved by someone with the authority to approve it at that amount.

This means checking not just whether an approval exists, but whether the approver’s authorization level covers the invoice amount and category. Approval by someone outside their delegated limit is an authorization failure, even if the expense was legitimate.

Substantive Audit Procedures for Accounts Payable

Substantive audit procedures for accounts payable go deeper than control reviews. They test the actual transactions and balances in the AP ledger to detect misstatements, unauthorized activity, or control failures that did not get caught upstream.

For lean finance teams, substantive testing is where the most useful findings typically come from.

Search for Unrecorded Liabilities

This procedure is designed to identify invoices that have been received or services rendered but not yet recorded in the AP ledger.

AP teams will typically review disbursements in the period immediately after the close date, look for receiving documents without corresponding invoices, and request open invoice reports from key vendors. Unrecorded liabilities understate accounts payable and overstate net income.

Test Period-End Cutoff

Choose your sample. Select a group of invoices received within a certain window before and after the period-end date. For each invoice, confirm that the recording date in the AP system matches the date the invoice was received or the service was performed (not the date it was processed or paid). Consistent late recording is a control failure, not just a timing preference.

Review Duplicate and Unusual Payments

Run your payment data through a duplicate analysis, looking for repeated invoice numbers from the same vendor, same-vendor same-amount combinations within a short window, and invoice numbers that appear in multiple payment runs.

You should also flag manual payments, rush payments, and payments to vendors that do not appear in your standard purchasing activity. Manual payments in particular are a high-risk category that warrants individual review.

Reconcile Vendor Statements and AP Balances

Request statements from your highest-spend vendors and reconcile them to open AP balances.

Differences can reveal invoices the vendor received, but your team never entered, credits not applied, or timing discrepancies that indicate cutoff issues. Persistent reconciling items that your team cannot explain are worth escalating.

Inspect Approvals and Supporting Documentation

For each transaction in your sample, confirm the following:

1. An approval record exists
2. The approver had the authority to approve that amount and category
3. The supporting documentation is complete

Missing approvals, incomplete backup, and invoices without corresponding POs are the most common documentation failures in mid-market AP environments. They are also among the most correctable with workflow and process changes.

Accounts Payable Audit Questions to Ask

The accounts payable checklist and questions below are organized around the three areas. These are where AP audit findings most commonly originate: controls, transactions, and documentation readiness.
Here are some quick questions a finance leader, controller, or AP manager should be able to answer before the audit begins.

Questions About Controls

• Who has the authority to approve invoices, and at what dollar thresholds?
• Who can create new vendors or modify existing vendor records?
• Who can initiate payments, and is that person separate from whoever approves invoices?
• How are exceptions to standard approval workflows handled and documented?
• What controls prevent a vendor from being paid before approval is complete?
• How is segregation of duties enforced when headcount is limited?

Questions About Transactions

• How does your team detect and investigate potential duplicate payments?
• How are vendor credits tracked, and how is it confirmed?
• How is period-end cutoff managed, especially for invoices received close to month-end?
• How are manual or off-cycle payments handled and reviewed?
• When vendor bank details change, what approval process governs the update?
• How are new vendors validated before their first invoice is processed?

Questions About Documentation and Readiness

• Where are invoice records, approval histories, and payment confirmations stored?
• How quickly can your team retrieve a specific invoice and its full approval history?
• Are prior audit findings documented, and has remediation been confirmed?
• Are AP policies current, and has your team been trained on the latest version?
• Is the vendor master file reviewed and cleaned on a regular schedule?

What an Accounts Payable Audit Program Should Include

An accounts payable audit program is the plan behind the audit. It defines what will be reviewed, how it will be tested, who is responsible for each area, and what documentation is required at each step. A well-structured program makes the audit repeatable and defensible.

Scope, Timing, and Risk Areas

Your AP audit program should define the review period, the entities and vendor populations in scope, and the risk areas identified as priorities for this particular review cycle. Risk prioritization should be based on volume, dollar value, prior findings, and known control weaknesses. Not every area needs the same depth of testing; some things can be skipped for now.

Testing Methods and Sample Selection

Specify how transactions will be selected for testing. Random sampling is appropriate for populations with no known concentration of risk.

Judgmental sampling is more appropriate when your AP team wants to focus on high-value transactions, specific vendors, or categories with a history of exceptions. Document which method was used and why.

Roles, Evidence, and Follow-Up

Define who is responsible for each part of the AP audit, what evidence will be retained, and what date it should be done. Ownership matters. A finding without an assigned owner and a deadline tends to remain open indefinitely.

What to Include in an Accounts Payable Audit Report

The accounts payable audit report translates findings into action. It should help leadership understand what was found, why it matters, and what needs to happen next. A report that lists findings without context or prioritization is difficult to act on.

Consider some of these high-level touchpoints when putting your report together:

Executive Summary

Open with a concise summary of the audit scope, the period reviewed, and the most significant findings. Finance leadership and the audit committee should be able to read the executive summary and understand the overall control posture of the AP function without having to read the full report.

Key Findings and Supporting Evidence

Each finding should be tied to specific evidence: the tested transaction, the failed control, and the missing or inconsistent documentation. Findings without evidence are difficult to defend and difficult for management to remediate effectively.

Risk Level and Business Impact

Assign a risk rating to each finding: high, medium, or low.

• High-risk findings are those with the potential for material financial impact, regulatory exposure, or reputational harm.
• Lower-risk findings are control gaps that do not require immediate escalation.

Prioritization helps management act quickly.

Recommended Actions and Owners

Each finding should be paired with a specific recommended action, an assigned owner, and a target completion date. Vague recommendations, like “improve controls” or “enhance documentation,” are not actionable.

Specific recommendations, such as updating the vendor setup approval workflow for dual authorization or implementing a duplicate invoice detection rule, give teams concrete actions to take.

Common Accounts Payable Red Flags to Watch

Red flags in an AP audit are not always obvious in individual transactions. They tend to emerge as patterns across a population of invoices, vendors, or payment records.

The categories below represent the highest-frequency risk areas in mid-market AP environments.

Duplicate Payments

Even the most diligent teams can fall victim to duplicate payments. They occur when the same invoice is entered and paid more than once. Common causes include manual data entry, invoices received through multiple channels, and vendor resubmissions that are not flagged as duplicates.

Look for repeated invoice numbers from the same vendor, same-vendor same-amount payments within a 30-day window, and split invoices where a single invoice has been divided across multiple payment entries. These are your tell-tale signs.

Missing or Inconsistent Approvals

Invoices that move through the workflow without a valid approval record represent a control failure, even if the underlying expense is legitimate. Steps were missed.

Common patterns include invoices approved after payment has already been made, approvals from individuals who exceed their delegated authority limits, and entire invoice populations for a specific department or cost center in which approval rates are significantly lower than average.

Vendor Master File Issues

The vendor master file is a high-risk area because it is often maintained manually and is not subject to frequent independent review.

Red flags include duplicate vendor records with similar names or tax IDs, vendors with missing or incomplete required fields, and any changes to bank details that were not authorized through a documented approval process.

Unauthorized changes to vendor payment details are one of the most common mechanisms in AP fraud schemes.

Cutoff and Timing Errors

Invoices recorded in the wrong period distort liability balances and expense recognition. The most common pattern is invoices received in the final week of the period that are not recorded until the following period because the AP team is already in close.

Systematic late recording is a process-discipline issue that requires a workflow fix, not just a one-time journal-entry correction.

Segregation-of-Duties Gaps

Segregation of duties requires that no single individual controls vendor setup, invoice approval, and payment release. This is an effective part of basic accounts payable strategies that every team should be practicing.

In lean finance teams, this separation is sometimes difficult to maintain, but the risk of collapsing these roles into a single role is significant. An employee who can create a vendor, approve an invoice, and release the payment has the access necessary to execute a fraudulent disbursement.

Where full separation is not possible, compensating controls such as independent payment review and management approval for new vendors are essential.

What to Do After the Audit

The audit findings are the beginning of the improvement cycle, not the end. Teams that treat the audit report as a compliance deliverable to be filed and forgotten will face the same findings in the next review.

Teams that use findings to drive process and control improvements build progressively more audit-ready AP functions.

Prioritize the Most Urgent Issues

Sort findings by risk level and financial impact. High-risk findings, especially those involving authorization failures, vendor master file integrity, or duplicate payment exposure, should be addressed immediately.

Medium and lower-risk findings can be sequenced into a remediation plan with realistic timelines based on team capacity.

Fix Control Breakdowns

Control fixes should target the root cause, not just the symptom. If duplicate payments were found, the fix is not just to recover the overpayments.

It is to implement a duplicate-detection rule that prevents duplicates. If approval gaps are found, the fix is to update the workflow to make approval a required step before the invoice can be advanced. Remediation that addresses symptoms without fixing the underlying process will not hold.

Monitor Progress Over Time

Assign someone to track remediation status against the commitments made in the audit report. Schedule a follow-up review 60 to 90 days after findings are issued to confirm that fixes have been implemented and are working as intended.

AP audit readiness improves through repeatable follow-through, not one-time cleanup. Consider building a regular internal review cadence, quarterly or semi-annually, so that the next external or formal audit does not catch your team unprepared. This kind of planning and monitoring will also help you determine what kind of accounts payable outsourcing you’ll need as the business grows.

How Automation Can Improve AP Audit Readiness

Automation does not eliminate the need for AP audits. It changes what the audit finds. Teams running automated AP workflows tend to have better documentation, more consistent controls, and faster retrieval times.

Finance teams operating on automated workflows spend less audit time reconstructing records and more time on substantive review.

Better Documentation and Searchability

Automated AP systems centralize invoice images, approval histories, payment confirmations, and exception records in a single searchable repository.

When an auditor requests supporting documentation for a specific invoice, the retrieval takes seconds instead of hours. Centralized records also make it easier to confirm that documentation is complete before the audit begins.

More Consistent Workflows and Controls

Workflow automation enforces the approval process as a required step rather than a best practice that individuals can bypass.

Routing rules ensure that invoices above certain thresholds require additional authorization. Exception handling is logged automatically. The result is a control environment that is more consistent across the team and more defensible to external reviewers.

Faster Response During Audit Prep

For smaller AP teams, audit prep can consume weeks of bandwidth when records have to be manually compiled and organized. Automation reduces that burden in a major way.
Teams with electronic workflows can pull transaction populations, filter by vendor or date range, and quickly produce approval history reports. Less time on prep means more time on the work that actually reduces risk.

Conclusion: Why a Strong AP Audit Matters

Auditing is about being prepared for success with stronger controls. It tells you whether your AP process is accurate, consistent, and robust enough to withstand growth and increasing invoice volumes.

The AP recovery audit market reached $1.05 billion in 2024 and is projected to grow to $1.50 billion by 2030, driven by economic pressures and AI advancements.

For mid-market finance teams, the value of an AP audit is highly practical: it shows duplicate payments, document gaps, and issues with who’s doing what. It gives finance leadership a clear, evidence-based picture of where controls are working and where they are not.

The teams that get the most out of AP audits are the ones that treat them as a continuous improvement tool, not a one-time event. Build the controls. Document the process. Follow through. Your next audit will be faster, cheaper, and less disruptive because the previous one improved your AP process.

See how Yooz automates AP controls and gives your team audit-ready documentation from day one. Book a free demo.