Accounts Payable Audit: Procedures and Evidence Checklist

An accounts payable audit reviews AP records, invoices, vendor files, payments, approvals, controls, and supporting documents to test whether liabilities are complete, accurate, authorized, recorded in the right period, and protected from fraud. For the AP team, preparation means more than pulling a few invoice PDFs. It means connecting each audit procedure to evidence that can be inspected, sampled, reconciled, and explained.

The practical evidence set usually includes invoice numbers, invoice dates, vendor names, vendor IDs, amounts, tax, PO references, receipt or GRN references, approval identities and timestamps, match results, exception notes, ERP posting references, payment references, vendor master changes, supplier statements, AP aging, and cutoff support. Those details are what turn an accounts payable audit from a last-minute document hunt into a controlled evidence exercise.

There are three common contexts, and they should not be treated as the same job. Internal audit readiness looks at whether AP processes and controls are working before a problem reaches the financial statements. External financial-statement audit support focuses on assertions such as completeness, accuracy, cutoff, authorization, and valuation. Post-payment recovery audit looks backward for overpayments, duplicate payments, missed credits, or supplier statement discrepancies after money has already left the business.

In each case, the AP team is closest to the source evidence. Auditors may decide the scope, sample, materiality, and conclusions, but AP owns much of the underlying trail: who approved an invoice, what it matched to, when goods or services were received, whether the vendor record changed, when the liability was posted, and how the payment was made.

Build the audit request list from AP evidence

A useful accounts payable audit checklist starts with source records, not generic audit phases. Before the request list arrives, AP should know which documents prove the transaction existed, was approved, was recorded correctly, and was paid through the proper process.

The core evidence usually falls into a few groups:

• Supplier invoices and credit memos
• Purchase orders, contracts, or statements of work
• Goods receipts, receiving reports, or service confirmation records
• Approval logs, including identity, timestamp, and delegation support
• ERP voucher, coding, and posting records
• Payment confirmations, bank file evidence, and remittance records
• Vendor master setup and change history
• Supplier statements and reconciliation notes
• AP aging, open items, and exception reports
• Notes explaining holds, disputes, manual overrides, or match exceptions

For invoice evidence, the most useful fields are the ones that let a reviewer connect one record to another: invoice number, invoice date, vendor name, vendor ID, amount, tax, currency, PO reference, receipt reference, due date, approval identity, approval timestamp, payment reference, and posting reference. If those fields are scattered across PDFs, email approvals, spreadsheets, and ERP screens, the audit team can still test them, but AP will spend more time proving basic links between records.

Independent public-auditor guidance points in the same direction. The Washington State Auditor accounts payable guide says accounts payable policies should describe required support for payment requests, including purchase orders, original detailed receipts or source records, evidence goods or services were received, three-way match controls, duplicate prevention, data-entry review, and statement reconciliation.

This is where structured invoice extraction can help audit preparation without changing the audit judgment. Invoice Data Extraction lets teams upload invoices and financial documents, describe the fields they need in a prompt, and download structured Excel, CSV, or JSON data. That output gives AP a consistent field set for sampling, duplicate checks, reconciliations, and auditor request lists, while the finance team and auditors still evaluate whether the evidence is sufficient.

Core accounts payable audit procedures

Accounts payable audit procedures vary by objective, but the main procedure areas are familiar across internal audit, external audit support, and AP control reviews. The difference is emphasis: an external auditor may focus on financial-statement assertions, while internal audit may spend more time on process design, policy compliance, and control operation.

Planning and scope define which AP processes, entities, periods, vendors, systems, and risk areas are in view. The AP team should confirm which records will be pulled from the ERP, which supporting documents sit outside the system, and who owns explanations for exceptions.

Process walkthroughs trace a transaction from vendor setup or purchase order through invoice receipt, approval, posting, and payment. Walkthroughs show whether the documented process matches how work actually happens, including manual workarounds and exception paths.

Vendor master review looks at vendor setup, approval, bank account changes, inactive vendors, duplicate vendor records, tax information, and segregation of duties. The evidence is not only the current vendor record, but also the change history and the approval trail behind it.

Invoice approval testing checks whether invoices were approved by the right person before posting or payment. PO and receipt matching tests whether the invoice agrees to authorized purchasing and evidence that goods or services were received. Teams that need a deeper control-design view can use an accounts payable controls framework to separate preventive controls, detective controls, and monitoring controls.

Payment file and bank control review checks whether approved AP items were released through the right payment process. The evidence may include payment-run approval, bank file release logs, remittance records, payment references, user access, segregation of duties, and reconciliation from released payments back to posted AP items.

Cutoff and unrecorded-liability testing asks whether liabilities belong in the period where they were recorded. Duplicate-payment testing looks for repeated payments or suspiciously similar invoice records. AP aging review evaluates open balances and stale items, while supplier statement reconciliation checks whether vendor records agree to the supplier's view. Exception follow-up and remediation close the loop by documenting why an item failed a check, who resolved it, and whether the underlying process needs correction.

Procedure selection depends on risk, materiality, system design, reliance on controls, and the audit objective. AP does not need to predict every sample, but it does need records that make each sampled item traceable without rebuilding the transaction from scratch.

Match invoice, PO, receipt, and approval evidence

Invoice approval testing is strongest when the invoice, purchase order, receiving evidence, approval log, exception note, and ERP posting record point to the same transaction. A clean trail lets the reviewer see what was bought, who authorized it, whether it was received, how the amount was calculated, and why any exception was accepted.

For PO-backed invoices, the important evidence is field-level. The invoice should connect to the vendor record, PO number, item or service description, quantity, unit price, tax, currency, receipt date, and posting record. The approval trail should show the approver, timestamp, authority level, and any delegation or override. If a match exception occurred, the record should preserve the match result, exception reason, resolution, and person responsible for clearing it.

That evidence matters because matching is not only an operational workflow. In an audit context, it supports accuracy, authorization, and receipt of goods or services. The mechanics of the invoice matching process determine whether AP can show that an invoice was paid because it agreed to the underlying purchase and receiving evidence, or whether it was paid through a manual exception that needs separate support.

Non-PO invoices and service invoices need a different evidence trail. Auditors may inspect contracts, statements of work, recurring service agreements, budget-owner approvals, proof of service period, or management approval for discretionary spend. The goal is still the same: connect the invoice to an authorized obligation and show why the amount and period are reasonable.

Structured extraction is useful before this review because it turns invoice files into a consistent dataset. An AP team can extract invoice number, date, vendor, amount, tax, PO reference, due date, and other fields into Excel, CSV, or JSON, then compare those fields against ERP exports, approval logs, and receipt records. The extraction does not decide whether a control worked, but it reduces the time spent finding and normalizing the invoice facts auditors need to test.

Test cutoff and unrecorded liabilities with period evidence

Cutoff testing asks whether expenses and liabilities were recorded in the correct accounting period. For accounts payable, that question often turns on timing evidence rather than the invoice amount alone. A valid invoice can still create an audit issue if the goods were received, services were performed, or liability was incurred in a different period from the posting date.

The AP evidence around period end should connect invoice date, receipt date, service period, goods receipt or GRN, PO status, posting date, payment date, vendor statement, unmatched receipt, and subsequent disbursement. A payment made after period end may point back to a prior-period liability. An unmatched receipt may indicate goods received before the invoice arrived. A supplier statement may show an unpaid balance that does not appear in the AP ledger.

Unrecorded-liability testing looks from the other direction. Instead of starting with AP ledger items and vouching them to support, the reviewer searches after period end for invoices, payments, receiving records, or supplier balances that should have been accrued earlier. AP teams prepare by keeping period-end receiving reports, invoice receipt logs, unmatched PO or GRN reports, supplier statements, and subsequent payment records accessible.

The detailed workflow belongs in a dedicated accounts payable cutoff procedure, but the audit-readiness principle is simple: timing fields must be preserved with the same discipline as amount fields. Invoice extraction and document organization can help gather invoice dates, service periods, receipt references, and posting references into a reviewable dataset. Accounting teams still make accrual decisions, and auditors still evaluate materiality and conclusions.

Review vendor master, duplicate payments, and recovery risks

Vendor master review is where AP audit work meets fraud risk and payment integrity. Reviewers look for whether new vendors were approved, whether tax and banking details are complete, whether bank account changes have independent approval, whether inactive vendors are disabled, and whether the same supplier exists under multiple names or IDs. The change history matters as much as the current record because an unauthorized bank change can be invisible if the audit only inspects the final vendor profile.

Duplicate-payment testing depends on normalized, comparable fields. Common indicators include repeated invoice numbers, same vendor and amount, same invoice date and amount, similar vendor names, repeated PO references, shared bank accounts, matching payment references, or credits that were never applied. These indicators are investigation leads, not automatic proof. A duplicate-looking record may be a split shipment, progress billing, legitimate recurring charge, or correction entry.

The accounts payable internal audit checklist should also include segregation of duties around vendor setup, invoice approval, payment release, and vendor changes. A person who can create a vendor, approve an invoice, and release payment has more opportunity to bypass normal checks than a user whose access is limited to one part of the workflow.

This area overlaps with a accounts payable recovery audit, but the focus is different. A normal accounts payable audit usually tests whether controls and records support accurate, authorized payment activity. A recovery audit looks backward after payment to identify overpayments, duplicates, unapplied credits, pricing errors, and supplier statement discrepancies. AP teams should keep the evidence connected enough that either review can move from a flagged payment to the underlying invoice, vendor record, approval, receipt, and payment trail.

Use invoice data extraction without overstating automation

AP audit preparation becomes slow when evidence is trapped in supplier PDFs, scanned invoices, email attachments, inconsistent exports, and manual notes. The audit problem is not only storage. It is the lack of a consistent field set that lets AP sort, filter, sample, reconcile, and answer document requests without reopening every file.

Structured extraction helps by turning invoice and finance-document content into usable data. For an audit-prep workflow, the output might include invoice number, invoice date, vendor, amount, tax, currency, PO reference, receipt reference, due date, payment reference, posting reference, and exception fields when those details are present in the source records. A consistent spreadsheet or JSON dataset makes it easier to compare invoice records with ERP exports, approval logs, vendor statements, payment files, and receiving reports.

That is the practical role of invoice data extraction for audit-ready AP evidence: it gives the AP team a cleaner evidence layer before sampling, duplicate checks, matching support, cutoff review, supplier statement reconciliation, and auditor request-list work begin. Invoice Data Extraction supports this by letting users upload invoices and financial documents, describe the fields they need in a natural language prompt, and download structured Excel, CSV, or JSON files. The same prompt-based workflow can be used for small batches or higher-volume review work.

The limit is important. Extraction software improves retrieval, consistency, and preparation. It does not set materiality, choose audit samples, evaluate whether a control operated effectively, determine whether an exception is acceptable, or make an audit conclusion. Treat it as a way to make the evidence usable, not as a substitute for accounting responsibility or audit judgment.

A practical AP audit readiness checklist

Use the checklist below as a working preparation sequence, not a decorative appendix. Assign an owner to each area before the audit request list arrives.

Confirm the audit context. Identify whether the work supports internal audit readiness, external financial-statement audit support, a control review, or recovery testing. Confirm the period, entities, systems, vendor populations, and AP processes in scope.

Build the document request list from source records. Gather supplier invoices, credit memos, POs, contracts, statements of work, receiving records, approval logs, ERP postings, payment records, supplier statements, AP aging, exception reports, and reconciliation workpapers.

Extract invoice fields consistently. Prepare invoice number, invoice date, vendor name, vendor ID, amount, tax, currency, PO reference, receipt reference, due date, approval identity, approval timestamp, posting reference, and payment reference in a format that can be sorted and sampled.

Prepare vendor master support. Export active and inactive vendors, recent vendor additions, bank account changes, duplicate vendor candidates, tax detail gaps, and approval history for setup or change events.

Tie matching and approval evidence together. For sampled invoices, make sure AP can move from invoice to PO, receipt or service confirmation, approval, exception note, ERP posting, and payment record without relying on memory or informal explanations.

Prepare cutoff support. Keep period-end receiving reports, unmatched PO or GRN reports, invoice receipt logs, vendor statements, subsequent payment records, accrual support, and explanations for invoices received after period end.

Run duplicate-payment and recovery checks. Review repeated invoice numbers, same-vendor same-amount payments, similar vendor names, shared bank accounts, unapplied credits, supplier statement discrepancies, and unusual manual payment patterns. Document why false positives are legitimate.

Review AP aging and open items. Identify stale invoices, debit balances, disputed items, unapplied credits, long-outstanding vendor balances, and items held outside normal payment terms.

Write exception explanations while evidence is fresh. For manual overrides, late approvals, missing receipts, price discrepancies, blocked invoices, and unusual payments, record what happened, who approved the resolution, and what changed afterward.

Track remediation owners. If the audit identifies control gaps or evidence problems, assign an owner, target date, and follow-up method. Audit readiness improves only when findings change the process that created them.

Protect evidence retention. Keep the support package aligned with retention policy, access controls, and security requirements so the next audit starts from a reliable trail instead of another reconstruction exercise.