Mitigate AP Risks by Strengthening Internal Controls
Accounts Payable (AP) fraud continues to evolve with phishing schemes, fraudulent billing, and payment tampering among the most common attempts used to misappropriate company funds. The 2024 Report to the Nations on Occupational Fraud published by the Association of Certified Fraud Examiners (ACFE) reveals median losses of $155,000 from check and payment tampering, $100,000 from billing schemes, and $66,000 from noncash theft, where employees misuse company assets.
As tactics grow increasingly sophisticated, AAFCPAs advises that clients take proactive steps to strengthen internal controls and review financial systems and processes around AP processing and approvals. Further, we advise clients to avoid complacency. Consider reviewing internal controls on a regular basis to ensure they remain effective and build in a planned time frame for revisiting internal policies to ensure they continuously address new technology and fraud schemes.
Key Threats and Risks
- Check and Payment Tampering. Check and payment tampering is a common risk, which occurs when someone intercepts or alters a company’s checks or diverts electronic payments for personal gain. As more organizations adopt cloud-based systems, they may need to update internal controls to address evolving risks.
- Billing Schemes. This is another common type of occupational fraud where internal employees cause the organization to make fraudulent payments by setting up fictitious vendors, submitting false invoices, or manipulating invoices. Smaller businesses with insufficient segregation of duties, or where employees handle multiple responsibilities, are particularly vulnerable.
- Expense Reimbursement Schemes. Expense reimbursement schemes are a common form of occupational fraud where employees submit false or inflated claims as reimbursable business expenses.
Best Practices for Strengthening Internal Controls
The following best practices can help bolster internal controls and mitigate risk.
- Maintain Segregation of Duties. Maintain segregation of duties between those who approve vendor changes or have the authority to create new vendors, those who process payments, and those with access to disbursement accounts. No single individual should have control over all aspects of a transaction, as this increases the risk of fraud and error.
- Launch Whistleblower Policies. Implement and publicize a whistleblower policy that protects employees who report fraud. According to the 2024 Report to the Nations, tips were the most common way frauds came to light, with 43 percent of cases being uncovered due to a tip from a whistleblower. This is more than three times as many cases as any other detection mechanism.
- Verify Vendor Changes. Implement a process to independently verify any requests for changes in vendor details and vendor banking information. Avoid relying on email alone, as this line of communication might be compromised. Instead, establish a policy that requires direct confirmation by phone, video call, or in person prior to making any adjustments. Establish a protocol for who the appropriate contact person is for completing verification.
- Review IT General Controls (ITGCs). Along with business controls, review your IT general controls to identify gaps in how systems are secured, who has access and what kind of access they have, and where your data resides so that you can minimize the risk of breaches. This is part of AAFCPAs’ financial statement audits, and we also help non-audit clients improve ITGCs.
- Review Vendor Acceptance Policy. Regularly review and update vendor acceptance policies. Make sure all new vendors undergo thorough vetting, confirming their legitimacy through publicly available sources such as online reviews or references. This helps to ensure fraudulent vendors do not slip through the cracks.
- Review and Update Policies. Businesses should not assume their existing internal controls are sufficient. With the shift to more digital payment methods, organizations must update their processes to address new risks. Reviewing and adjusting policies on a routine basis can ensure they stay relevant as risk evolves.
- Examine Data Analytics. Also consider conducting internal reviews of expenses and using data analytics to identify significant unexpected variances or unusual payments to vendors.
- Conduct Cybersecurity Training. Raise cybersecurity awareness by training staff to recognize phishing attempts and other fraudulent schemes. Set up phishing campaigns with special tools that simulate a bad actor. Foster a culture of always verifying with the real source (person or institution) rather than through the same channel as the original communication.
- Review Insurance. Review insurance policies to make sure they cover cybersecurity risks, which can provide an added layer of protection in the event of a breach.
- Create a Culture of Transparent Communication. Foster an environment where employees feel comfortable reporting suspicious activities without fear of retaliation.
- Require Pre-Approval for Certain Expenses. Implement a policy where certain types of expenses need pre-approval before they can be reimbursed.
- Conduct Training. Provide anti-fraud training to employees within the organization.
Secure Your Environment
AAFCPAs offers a breadth of resources to strengthen your organization’s control environment. Some clients choose to fully outsource their accounting and finance function through our Outsourced Accounting and Fractional CFO practice, gaining expertise, bandwidth, and clear separation of duties. Others engage us for targeted advisory support in areas such as business process improvement, internal controls consulting, IT and cyber security consulting, and VMaaS. We help clients enhance efficiency, reinforce internal controls, and safeguard against fraud—including risks such as billing and payment tampering. Whether you need comprehensive outsourcing or focused, right-sized solutions, AAFCPAs is committed to helping your organization stay protected and ahead of potential threats.
If you have questions, please contact Lauren M. Duplin, CPA, Partner & Consulting CFO, Destiny J. Flood, CPA, Partner, Commercial Outsourced Accounting & Fractional CFO, Amy Staunton, CPA, Director & Consulting CFO—or your AAFCPAs Partner. AAFCPAs offers a wealth of resources on business process improvement.