By NHI Mgmt Group Editorial Team
Published 2025-09-23
Domain: Governance & Risk
Source: Pathlock

TL;DR: Accounts payable internal controls are presented as a layered system for preventing fraud, duplicate payments, and approval failures through segregation of duties, invoice matching, access controls, and audit trails, according to Pathlock. The same governance logic applies across identity programmes: when authority, verification, and execution are not separated, risk becomes operational rather than theoretical.


At a glance

What this is: This is an analysis of how accounts payable internal controls reduce payment fraud, errors, and audit risk through layered checks and balances.

Why it matters: It matters to IAM practitioners because the same separation-of-duty and approval principles shape governance for NHI, autonomous, and human access workflows.

By the numbers:

👉 Read Pathlock's guide to accounts payable internal controls


Context

Accounts payable internal controls are the financial equivalent of identity governance controls. They separate obligation, verification, and execution so that one person or one weak process cannot create, approve, and pay the same transaction without challenge.

That matters because AP is a high-risk workflow for fraud, duplicate payments, and vendor impersonation, especially when speed pressure pushes teams toward manual shortcuts. The same pattern appears in identity programmes when approvals, entitlements, and execution are collapsed into a single uncontrolled path.

For IAM and NHI teams, the useful lesson is not accounting-specific. It is the governance pattern: define who can initiate, who can validate, and who can execute, then preserve evidence at every handoff.


Key questions

Q: How should organizations separate approval and execution in accounts payable workflows?

A: Organizations should ensure that no one role can initiate, approve, and release the same payment. The control has to be enforced in the workflow engine, payment system, and audit trail together; otherwise a user can still bypass the intended separation through manual shortcuts or delegated access.

Q: Why do duplicate payments happen when AP controls are weak?

A: Duplicate payments usually occur when invoice matching, exception handling, and posting controls are fragmented or manual. If the system does not cross-check purchase orders, receipts, and prior payments before release, the same obligation can be paid twice with no immediate warning.

Q: What do security teams get wrong about audit trails in financial workflows?

A: Teams often treat logs as reporting output instead of a core control. A useful audit trail must show who approved, who executed, and which evidence supported the decision; otherwise it cannot prove accountability or support a reliable review after the fact.

Q: Who is accountable when a vendor payment is changed fraudulently?

A: Accountability sits with the organisation that failed to verify the change through a trusted channel and failed to enforce separation of duties. If a payee update is approved without independent confirmation, the control failure is governance, not just user error.


Technical breakdown

Three-way matching as a control boundary

Three-way matching compares the purchase order, the receiving record, and the invoice before payment is approved. The control works because it forces independent evidence to agree before money moves, which reduces duplicate billing, inflated charges, and fictitious vendor claims. In governance terms, it is a verification boundary, not just an administrative step. If the three records are not aligned, the transaction should stop until the mismatch is explained and documented.

Practical implication: require evidence alignment before payment posting, not after exceptions are discovered.
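The matching boundary described above, as an added example that is not part of the Pathlock guide or this post: a small Python check that refuses to post a payment until the purchase order, receiving record, and invoice agree on vendor, quantities, and price, and that also rejects a vendor invoice number that has already been paid (the duplicate-payment case from the key questions). The record types, the per-unit price tolerance, and the sample documents are all constructed for the example.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Set, Tuple

# Assumed per-unit price tolerance between PO and invoice; the real figure is a
# policy decision and is not stated in the post.
PRICE_TOLERANCE = Decimal("0.01")


@dataclass(frozen=True)
class PurchaseOrder:
    po_id: str
    vendor_id: str
    quantities: Dict[str, Decimal]   # line item -> quantity ordered
    unit_prices: Dict[str, Decimal]  # line item -> agreed unit price


@dataclass(frozen=True)
class ReceivingRecord:
    po_id: str
    quantities: Dict[str, Decimal]   # line item -> quantity actually received


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    vendor_id: str
    po_id: str
    vendor_invoice_number: str       # the vendor's own number, used for the duplicate check
    quantities: Dict[str, Decimal]   # line item -> quantity billed
    unit_prices: Dict[str, Decimal]  # line item -> billed unit price
    total: Decimal


def three_way_match(po: PurchaseOrder, receipt: ReceivingRecord, invoice: Invoice,
                    paid_keys: Set[Tuple[str, str]]) -> List[str]:
    """Compare PO, receipt and invoice; return the exceptions (empty list = aligned).

    paid_keys holds (vendor_id, vendor_invoice_number) pairs already paid, so the
    same obligation cannot be posted twice.
    """
    problems: List[str] = []
    if invoice.po_id != po.po_id or receipt.po_id != po.po_id:
        problems.append("PO reference mismatch across the three documents")
    if invoice.vendor_id != po.vendor_id:
        problems.append(f"vendor mismatch: invoice {invoice.vendor_id} vs PO {po.vendor_id}")
    if (invoice.vendor_id, invoice.vendor_invoice_number) in paid_keys:
        problems.append(f"duplicate: vendor invoice {invoice.vendor_invoice_number} already paid")

    computed_total = Decimal("0")
    for item, billed_qty in invoice.quantities.items():
        billed_price = invoice.unit_prices[item]
        computed_total += billed_qty * billed_price
        ordered_qty = po.quantities.get(item)
        if ordered_qty is None:
            problems.append(f"{item}: billed but not on the purchase order")
            continue
        received_qty = receipt.quantities.get(item, Decimal("0"))
        if billed_qty > received_qty:
            problems.append(f"{item}: billed {billed_qty} but only {received_qty} received")
        if billed_qty > ordered_qty:
            problems.append(f"{item}: billed {billed_qty} exceeds ordered {ordered_qty}")
        if abs(billed_price - po.unit_prices[item]) > PRICE_TOLERANCE:
            problems.append(f"{item}: billed price {billed_price} differs from PO price {po.unit_prices[item]}")
    if computed_total != invoice.total:
        problems.append(f"invoice total {invoice.total} does not equal line total {computed_total}")
    return problems


def payment_decision(po, receipt, invoice, paid_keys) -> Tuple[str, List[str]]:
    """POST only when the exception list is empty; otherwise HOLD with the reasons."""
    problems = three_way_match(po, receipt, invoice, paid_keys)
    return ("POST", []) if not problems else ("HOLD", problems)


# Constructed sample documents (not taken from the post).
PO = PurchaseOrder("PO-1001", "V-42", {"WIDGET": Decimal("10")}, {"WIDGET": Decimal("25.00")})
RECEIPT = ReceivingRecord("PO-1001", {"WIDGET": Decimal("10")})
GOOD_INVOICE = Invoice("INV-1", "V-42", "PO-1001", "A-7781",
                       {"WIDGET": Decimal("10")}, {"WIDGET": Decimal("25.00")}, Decimal("250.00"))
# Quantity inflated beyond what was ordered and received.
OVERBILLED_INVOICE = Invoice("INV-2", "V-42", "PO-1001", "A-7782",
                             {"WIDGET": Decimal("12")}, {"WIDGET": Decimal("25.00")}, Decimal("300.00"))

if __name__ == "__main__":
    print(payment_decision(PO, RECEIPT, GOOD_INVOICE, set()))
    print(payment_decision(PO, RECEIPT, OVERBILLED_INVOICE, set()))
    print(payment_decision(PO, RECEIPT, GOOD_INVOICE, {("V-42", "A-7781")}))
```

The decision function returns HOLD with every reason at once rather than stopping at the first, so the exception record the post asks for ("explained and documented") is complete before anyone is asked to clear it.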

Segregation of duties in payment execution

Segregation of duties splits invoice entry, approval, and payment release across different people or roles. This prevents a single actor from creating a vendor, editing bank details, approving the invoice, and sending the funds. The same design principle is central to identity security because concentration of privilege creates hidden blast radius. Where workflow automation replaces human review, the control only works if approval authority remains separately enforced and auditable.

Practical implication: separate initiation, approval, and disbursement rights in both finance and identity workflows.

Access controls and digital audit trails

Access controls limit who can reach bank portals, payment systems, or sensitive payment materials. Digital audit trails record who approved what, when, and from which workflow path, which makes later review possible and supports SOX-style evidence requirements. The technical point is that traceability is part of the control itself. Without logs that tie actions to accountable roles, review becomes forensic guesswork rather than governance.

Practical implication: pair role-based access with immutable transaction logs for every payment action.
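The two preceding subsections, segregation of duties and the audit trail, share one workflow, so here is one added example covering both; it is illustrative code written for this post, not Pathlock's or any vendor's implementation. A payment moves through enter, approve and release in fixed order; each step needs the right role and a different person from every earlier step (so a user who holds all three roles still cannot run the whole chain alone); every step must cite an evidence reference; and each audit entry is SHA-256 chained to the previous one so that a later edit to "who approved" is detectable. The step names, role names, and the role directory are assumptions.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Set

# Assumed step order and the role permitted for each step.
STEP_ORDER = ["enter", "approve", "release"]
ROLE_FOR_STEP = {"enter": "ap_clerk", "approve": "ap_approver", "release": "treasury"}
GENESIS_HASH = "0" * 64


class ControlViolation(Exception):
    """Raised when an action would breach step order or segregation of duties."""


@dataclass(frozen=True)
class AuditEntry:
    seq: int
    payment_id: str
    step: str
    actor: str
    role: str
    evidence_ref: str   # e.g. the match result or ticket that backed the decision
    prev_hash: str
    entry_hash: str


def _entry_hash(seq, payment_id, step, actor, role, evidence_ref, prev_hash) -> str:
    payload = json.dumps({"seq": seq, "payment_id": payment_id, "step": step, "actor": actor,
                          "role": role, "evidence_ref": evidence_ref, "prev_hash": prev_hash},
                         sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()


class PaymentWorkflow:
    def __init__(self, payment_id: str, role_directory: Dict[str, Set[str]]):
        self.payment_id = payment_id
        self.roles = role_directory          # user -> roles; assumed system of record
        self.actors: Dict[str, str] = {}     # step -> actor who performed it
        self.log: List[AuditEntry] = []

    def act(self, step: str, actor: str, evidence_ref: str) -> AuditEntry:
        done = len(self.actors)
        expected = STEP_ORDER[done] if done < len(STEP_ORDER) else None
        if step != expected:
            raise ControlViolation(f"step '{step}' out of order; expected {expected!r}")
        role = ROLE_FOR_STEP[step]
        if role not in self.roles.get(actor, set()):
            raise ControlViolation(f"{actor} lacks role {role} for '{step}'")
        # Identity-level SoD: one person may not touch two steps of the same payment.
        if actor in self.actors.values():
            raise ControlViolation(f"{actor} already acted on {self.payment_id}; SoD violation")
        if not evidence_ref:
            raise ControlViolation("an evidence reference is required for every step")
        prev = self.log[-1].entry_hash if self.log else GENESIS_HASH
        seq = len(self.log)
        entry = AuditEntry(seq, self.payment_id, step, actor, role, evidence_ref, prev,
                           _entry_hash(seq, self.payment_id, step, actor, role, evidence_ref, prev))
        self.log.append(entry)
        self.actors[step] = actor
        return entry

    def released(self) -> bool:
        return "release" in self.actors


def verify_chain(log: List[AuditEntry]) -> bool:
    """Recompute every hash and link; False if any entry was altered, removed or reordered."""
    prev = GENESIS_HASH
    for seq, e in enumerate(log):
        if e.seq != seq or e.prev_hash != prev:
            return False
        if e.entry_hash != _entry_hash(e.seq, e.payment_id, e.step, e.actor, e.role,
                                       e.evidence_ref, e.prev_hash):
            return False
        prev = e.entry_hash
    return True


# Constructed role directory: dave has been granted every AP role.
ROLES = {"alice": {"ap_clerk"}, "bob": {"ap_approver"}, "carol": {"treasury"},
         "dave": {"ap_clerk", "ap_approver", "treasury"}}


def run_demo() -> Dict[str, object]:
    """Exercise the controls and return the outcomes."""
    results: Dict[str, object] = {}
    wf = PaymentWorkflow("PAY-1", ROLES)
    wf.act("enter", "alice", "INV-1")
    wf.act("approve", "bob", "MATCH-1")
    wf.act("release", "carol", "BATCH-1")
    results["clean_released"] = wf.released()
    results["clean_chain_ok"] = verify_chain(wf.log)
    solo = PaymentWorkflow("PAY-2", ROLES)
    solo.act("enter", "dave", "INV-2")
    try:
        solo.act("approve", "dave", "MATCH-2")    # same person, second step
        results["solo_blocked"] = False
    except ControlViolation:
        results["solo_blocked"] = True
    skip = PaymentWorkflow("PAY-3", ROLES)
    try:
        skip.act("release", "carol", "BATCH-3")   # release with no entry or approval
        results["skip_blocked"] = False
    except ControlViolation:
        results["skip_blocked"] = True
    tampered = list(wf.log)                        # rewrite who approved PAY-1 after the fact
    e = tampered[1]
    tampered[1] = AuditEntry(e.seq, e.payment_id, e.step, "dave", e.role, e.evidence_ref,
                             e.prev_hash, e.entry_hash)
    results["tamper_detected"] = not verify_chain(tampered)
    return results


if __name__ == "__main__":
    print(run_demo())
```

The point of the hash chain is the one the subsection makes: traceability is part of the control. A log that can be silently rewritten proves nothing at review time, whereas a chained log that is anchored externally (the latest hash copied to a separate system on each batch) lets the reviewer show that the approval lineage is the one that actually occurred.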


Threat narrative

Attacker objective: The attacker’s objective is to divert funds or approve improper payments while preserving enough workflow legitimacy to avoid immediate detection.

  1. Entry occurs when an unauthorized actor reaches payment workflow data through weak approval handling, exposed payment details, or impersonated vendor updates.
  2. Escalation follows when a single user or compromised workflow can alter invoice details, redirect payment instructions, or bypass segregation of duties.
  3. Impact is unauthorized disbursement, duplicate payment, or vendor impersonation that creates direct financial loss and audit failure.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Accounts payable is a governance problem before it is a processing problem. The article’s logic is that speed without separation creates risk, because the same workflow can be used to initiate, approve, and disburse value. That is structurally the same control failure identity teams face when entitlements, approval rights, and execution permissions are not separated. Practitioners should treat AP as a useful model for control design, not just a finance process.

Three-way matching is a template for evidence-based authorisation. The control does not trust a request until purchase order, receipt, and invoice all agree. That is the same discipline IAM teams need when validating access changes, vendor updates, or privileged requests across workflows. The broader lesson is that authorisation should be backed by independent evidence, not by workflow momentum alone.

Segregation of duties only works when systems enforce it end to end. The article shows how manual process shortcuts and automated approval workflows can still leave one person too much power if role design is weak. In identity governance, this is the same failure mode that appears when recertification, approval, and execution sit inside one uncontrolled path. The implication is that separation must be enforced in process and system design, not assumed from org charts.

Digital audit trails turn accountability into something reviewable. The post is clear that continuous oversight depends on knowing who approved, who posted, and when the transaction moved. That matters across IAM and NHI programmes because evidence without traceability is not governance. Practitioners should view logging, approvals, and approval lineage as a single control set.

Payment workflow controls reveal a useful named concept: approval chain integrity. When the chain from request to review to execution can be collapsed, the organisation loses both fraud resistance and audit credibility. The same concept applies to identity governance, where review, approval, and implementation must remain distinct enough to prove accountability. Practitioners should use that lens when assessing any high-risk workflow.

From our research:

  • 96% of organizations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organization is notified, which shows how slowly remediation can lag behind exposure, according to the Ultimate Guide to NHIs.
  • For a practical lifecycle angle, the Ultimate Guide to NHIs section on lifecycle processes shows why provisioning, rotation, and offboarding need the same control discipline seen in payment governance.

What this signals

Approval chain integrity: The bigger lesson for identity programmes is that workflow design is a control surface, not just an efficiency choice. When approvals, execution, and evidence collection live in the same path, the organisation loses both segregation of duties and defensible accountability.

AP control failures often begin as process shortcuts, then become audit problems, then become fraud incidents. Identity teams should watch for the same pattern in NHI and human access workflows, especially where manual exceptions are normalized and no independent evidence is required before action.

The organisation that can prove who initiated, who reviewed, and who executed a high-risk transaction will also be better positioned to govern privileged access and lifecycle decisions. That is why controls, logs, and review lineage should be treated as one programme capability rather than separate tools.


For practitioners

  • Separate initiation, approval, and execution rights: Map every payment and access workflow so no single role can create, approve, and release the same transaction. Enforce that separation in the system of record, not only in policy documents.
  • Require evidence before authorisation: Use purchase orders, receipts, invoice validation, and change confirmation as mandatory proof points before payment release. If the evidence set is incomplete, the workflow should pause until the discrepancy is resolved.
  • Strengthen vendor change verification: Verify bank detail changes or payee updates using a pre-existing trusted contact method rather than the request itself. This reduces business email compromise risk and prevents impersonation-driven payment diversion.
  • Make audit trails part of the control design: Record who initiated the transaction, who approved it, and who executed it in a format that can be reviewed after the fact. Use that record to support exception review, SOX evidence, and fraud investigations.
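The vendor change verification item above, and the accountability question earlier in the post, come down to one rule: the confirmation call goes to the contact the organisation already holds, never to the contact supplied in the change request. The following is an added illustration written for this post (not Pathlock's code) of a payee-update control that enforces that rule, keeps requester, verifier and approver as three different people, and only writes the new bank account to the vendor master after both verification and approval. Vendor records, names and contact values are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional


class ControlViolation(Exception):
    """Raised when a payee change would skip or collapse a control step."""


@dataclass
class VendorRecord:
    vendor_id: str
    bank_account: str
    trusted_phone: str   # captured at onboarding; the only channel used to confirm changes


@dataclass
class PayeeChangeRequest:
    request_id: str
    vendor_id: str
    new_bank_account: str
    contact_in_request: str      # callback number the requester supplied; never trusted
    requested_by: str
    status: str = "pending"      # pending -> verified -> applied, or rejected
    verified_by: Optional[str] = None
    verified_via: Optional[str] = None
    approved_by: Optional[str] = None


class PayeeChangeControl:
    def __init__(self, vendors):
        self.vendors: Dict[str, VendorRecord] = {v.vendor_id: v for v in vendors}

    def verification_channel(self, req: PayeeChangeRequest) -> str:
        """The contact to use for confirmation: from the vendor master, not the request."""
        return self.vendors[req.vendor_id].trusted_phone

    def record_verification(self, req, verifier: str, channel_used: str, confirmed: bool) -> str:
        if req.status != "pending":
            raise ControlViolation(f"request {req.request_id} is already {req.status}")
        if verifier == req.requested_by:
            raise ControlViolation("the requester cannot verify their own request")
        if channel_used != self.verification_channel(req):
            raise ControlViolation("verification must use the stored trusted contact")
        req.verified_by, req.verified_via = verifier, channel_used
        req.status = "verified" if confirmed else "rejected"
        return req.status

    def approve_and_apply(self, req, approver: str) -> str:
        if req.status != "verified":
            raise ControlViolation(f"cannot apply a request in status {req.status}")
        if approver in (req.requested_by, req.verified_by):
            raise ControlViolation("approver must differ from requester and verifier")
        self.vendors[req.vendor_id].bank_account = req.new_bank_account   # the only write path
        req.approved_by, req.status = approver, "applied"
        return req.status


# Constructed vendor master (placeholder values).
VENDORS = [VendorRecord("V-42", "ACCT-OLD-PLACEHOLDER", "+44 20 0000 0001")]


def run_demo() -> Dict[str, object]:
    """Walk one change request through the control and return the outcomes."""
    ctl = PayeeChangeControl(VENDORS)
    # The request carries a different callback number from the one on file.
    req = PayeeChangeRequest("CHG-1", "V-42", "ACCT-NEW-PLACEHOLDER",
                             "+44 20 9999 9999", requested_by="erin")
    results: Dict[str, object] = {}
    try:
        ctl.record_verification(req, "frank", req.contact_in_request, confirmed=True)
        results["request_contact_rejected"] = False
    except ControlViolation:
        results["request_contact_rejected"] = True
    results["bank_unchanged_before_verification"] = (
        ctl.vendors["V-42"].bank_account == "ACCT-OLD-PLACEHOLDER")
    results["verified"] = ctl.record_verification(
        req, "frank", ctl.verification_channel(req), confirmed=True)
    try:
        ctl.approve_and_apply(req, "frank")        # verifier trying to also approve
        results["verifier_approval_rejected"] = False
    except ControlViolation:
        results["verifier_approval_rejected"] = True
    results["applied"] = ctl.approve_and_apply(req, "grace")
    results["bank_after"] = ctl.vendors["V-42"].bank_account
    return results


if __name__ == "__main__":
    print(run_demo())
```

Reading the callback channel from the vendor master rather than the request is what turns "we called the vendor" into evidence: the audit record shows which stored contact was used, who used it, and who then approved, which is the accountability chain the post says must survive a fraudulent change.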

Key takeaways

  • Accounts payable controls are a governance model for separating request, review, and execution so that fraud and error cannot flow through a single unchecked path.
  • The article’s evidence shows that weak matching, weak segregation of duties, and weak verification create direct financial loss and audit exposure.
  • Identity and access teams can borrow the same design pattern by enforcing independent evidence, separate approval rights, and traceable execution for high-risk workflows.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-4 | Segregation of duties and access restriction directly map to privileged access control.
NIST Zero Trust (SP 800-207) | AC-4 | Accounts payable payment paths need continuous access enforcement and least privilege.
NIST SP 800-63 | | Trusted verification methods matter when vendor payment changes must be confirmed.

Use strong identity proofing and authenticated verification channels for payee updates.


Key terms

  • Segregation of Duties: Segregation of duties is the practice of splitting a sensitive process across multiple people or roles so that no one actor can complete the entire transaction alone. In identity governance, it limits concentrated privilege and creates independent checkpoints that make abuse easier to detect and harder to hide.
  • Three-Way Matching: Three-way matching is a verification control that compares the purchase order, the goods or services received, and the invoice before payment is released. It prevents mismatches and fraudulent billing by requiring independent evidence to align before a transaction moves forward.
  • Audit Trail: An audit trail is the recorded history of who did what, when, and under which approval path. In controlled workflows, it turns a transaction from a black box into reviewable evidence and supports accountability, fraud investigation, and compliance testing.
  • Vendor Impersonation: Vendor impersonation is a fraud pattern where an attacker or dishonest actor pretends to be a supplier in order to change payment details or redirect funds. The control weakness is usually weak verification, not just a bad email, because the organisation failed to confirm the change through a trusted channel.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Pathlock: internal controls in accounts payable and financial governance. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-23.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org