What KPIs should I track in accounts payable?

The four metrics that matter most are cost per invoice processed (industry average is $10-15 for manual, under $3 for automated), days payable outstanding (DPO), on-time payment rate, and early-pay discount capture rate. Cost per invoice tells you whether your process is scalable. DPO tells you whether you are managing cash flow or just paying whenever you get around to it. On-time rate protects vendor relationships and avoids late fees. Discount capture rate shows how much free money you are leaving on the table. Start tracking all four, even if the numbers look bad at first -- you cannot improve what you do not measure.

When does 3-way matching make sense for a small business?

Three-way matching (invoice against purchase order against receiving report) makes sense when you are buying physical goods in volume, when the items are high-value enough that a discrepancy costs real money, or when you have a pattern of vendors billing for quantities you did not receive. For services, SaaS subscriptions, and low-value recurring purchases, 2-way matching (invoice against PO or approved spend request) is enough. Applying 3-way matching to a $49 monthly SaaS subscription is bureaucratic overhead with no risk reduction. Applying it to a $40,000 materials order from a new supplier is basic financial hygiene.

How do I prevent duplicate invoice payments without enterprise software?

The most effective low-tech control is a simple paid invoice log with four columns -- vendor name, invoice number, invoice date, and amount. Before cutting any check or ACH, whoever processes payments searches that log for the same vendor and invoice number. If it appears, the invoice is a duplicate. This catches the most common attack vector (same invoice submitted twice) without any system investment. On top of that, use a unique invoice number field in your accounting software and set it to reject duplicates for the same vendor. Most small business accounting tools support this. The combination of the log and the software check catches nearly all duplicates.

What is segregation of duties and how do I apply it with a two-person finance team?

Segregation of duties means no single person should control an entire financial process from start to finish. In accounts payable the classic separation is -- one person approves invoices, a different person releases payments. With two people this is achievable. Person A reviews invoices, codes them to the right expense category, and marks them approved. Person B runs the payment file and releases the ACH batch or signs the checks. Neither person should be able to both approve and pay without the other seeing it. If you genuinely only have one person handling AP, compensating controls include monthly bank statement review by an owner who is not the AP processor, and read-only access for an external bookkeeper or accountant who reviews transactions monthly.

How do I capture early payment discounts without hurting cash flow?

Calculate the annualized return on each discount before deciding whether to take it. A 2/10 net 30 term (2 percent discount if paid within 10 days instead of 30) has an annualized return of approximately 36 percent. No bank account pays 36 percent. The question is not whether the discount is worth it -- it almost always is -- but whether you have the cash available on day 10. Build a 13-week cash flow forecast and mark each invoice with an early pay deadline. If the cash balance on that date is above your minimum operating threshold, take the discount. If not, pay on the standard due date. Tracking this systematically means you capture discounts when you can afford to and protect cash when you cannot, instead of making the decision reactively each time.

What are the most common AP fraud vectors for small businesses?

Four patterns account for the vast majority of small business AP fraud losses. CEO fraud -- an email impersonating an executive directing urgent payment to a new account. ACH redirect scams -- a vendor email (often a compromised real vendor account) asking you to update their banking details before the next payment. Duplicate invoice fraud -- the same invoice submitted twice, either by an employee or by a vendor. And ghost vendor fraud -- invoices from suppliers that do not exist, usually created by an employee with access to both the vendor master and the payment system. The controls that stop all four are call-back verification for banking changes, a separate approver for new payees, duplicate detection in your accounting system, and vendor master access restricted to one person who does not also process payments.

How often should I clean up the vendor master file?

Run a formal vendor master review twice a year at minimum. During each review, flag vendors with no activity in the past 12 months and either deactivate or delete them, merge duplicate entries for the same vendor (common when different employees set up the same supplier independently), verify tax ID numbers against IRS records for US vendors above your 1099 threshold, and confirm current banking details with a direct phone call to a number you look up independently, not one provided in an email. The semi-annual cadence catches most problems before they become payment errors or audit findings. If your vendor count is growing fast, quarterly reviews are worth the time.

What documents do I need to keep for AP audit purposes?

For each payment, auditors typically want the original invoice, the purchase order or approval record, and proof of payment (bank statement showing the ACH or check cleared). For vendors above the 1099 threshold ($600 in payments for services in the US), you also need a current W-9 on file. Keep all of this for a minimum of three years from the tax filing date, or seven years if you have any reason to expect an audit. The IRS can go back six years for substantial underreporting. Store originals digitally with backup -- a paper folder in a filing cabinet is not a retention strategy. See IRS Publication 583 for the authoritative retention guidance for small business records.

Accounts Payable Best Practices (2026 Guide)

Most AP problems are not accounting problems. They are process problems that show up later as accounting problems. An invoice that sat in someone's inbox for three weeks is not a data entry issue -- it is a missing intake standard. A duplicate payment is not a bookkeeper error -- it is a missing control. A vendor that bills $12,000 when you expected $9,000 is not a surprise -- it is a missing approval step.

This guide covers the practical decisions a finance manager or business owner needs to make their AP function reliable: how to design the intake flow, when to apply 3-way matching, how to build approval tiers that do not slow everything down, how to optimize payment timing for cash flow, how to maintain vendor data before it becomes a mess, and how to prevent the specific fraud patterns that hit small and mid-sized teams hardest.

No enterprise system required. Most of this works with a spreadsheet and basic accounting software. The goal is a process that runs predictably, scales with the business, and does not depend on any one person's memory.

The AP cycle from intake to payment -- and where it breaks

The accounts payable cycle has five stages. Most AP problems are traceable to one of them.

Intake is where invoices enter the business. Problems here: invoices arrive at multiple addresses (the CFO's email, the admin's inbox, a shared accounting@ address, and occasionally a physical mailbox), some get processed, some get lost, and nobody has a complete view of what is owed.

Coding is where someone assigns a general ledger account and cost center to each invoice. Problems here: inconsistent coding across people or periods, which makes expense analysis useless. A vendor coded to "Software" one month and "IT" the next cannot be trended.

Approval is where the right person authorizes payment. Problems here: no defined approval tier, so everything goes to the same senior person who becomes a bottleneck, or approval is informal and undocumented, which fails an audit.

Payment is where the vendor gets paid. Problems here: wrong timing (too early, sacrificing cash flow; too late, incurring late fees), wrong account (ACH redirect fraud), duplicate payments (same invoice twice).

Archiving is where the invoice, approval record, and proof of payment get stored for future reference. Problems here: documents stored in email or on someone's hard drive, unavailable for audits or disputes.

The KPIs that track health at each stage:

Intake: % of invoices received through a controlled channel (target 100%)
Coding: % coded without re-work (target >95%)
Approval: average time from receipt to approval (target under 48 hours for standard invoices)
Payment: on-time payment rate (target >98%), early-pay discount capture rate (target >80% of eligible)
Archive: % of paid invoices with complete document package retrievable within 5 minutes (target 100%)

Track these monthly. They will surface the stage where your process is breaking before it becomes expensive.

Invoice intake standards

The single biggest lever in AP is controlling where invoices enter the business. One intake channel, consistently enforced, eliminates a class of problems that no downstream control can fully fix.

The single inbox rule. Designate one email address for all vendor invoices. Something like ap@yourcompany.com works. Tell every vendor to send invoices there. Add it to purchase orders and contracts as the required billing address. This gives you a complete intake record, enables automation, and means no invoice gets lost in a personal inbox when someone is on vacation.

For businesses using email-based invoice capture, tools like our inbox monitoring feature can watch a dedicated AP inbox and automatically extract invoice data without manual intervention. The key is making that inbox the only path in.

Forwarding rules for existing vendor relationships. Vendors you have worked with for years will still send to the old address. Set up email forwarding rules in your existing inboxes to automatically forward anything matching common billing patterns (subject lines containing "invoice," "statement," or "billing") to the AP inbox. This is not a permanent solution -- actually update the billing address with each vendor over time -- but it prevents gaps during the transition.

Portal-based vendor tracking. Some vendors, particularly larger enterprise suppliers, only issue invoices through a vendor portal. They do not send email at all. Keep a separate log of these vendors with their portal URL, your login credentials (stored in a password manager, never a spreadsheet), and the date each invoice is typically available. Check this log monthly as part of your close process. Missing a portal-only vendor's invoice is entirely predictable and entirely preventable with a checklist.

Accounts payable for Stripe charges and Amazon Business purchases present a specific intake challenge because both platforms generate high invoice volumes with non-standard delivery. The Stripe portal and the Amazon Business portal each have specific export mechanisms for bulk invoice retrieval that are faster than downloading individually.

3-way match: when it is worth the overhead

Three-way matching compares an invoice against a purchase order and a receiving report before approving payment. It is the gold standard for physical goods procurement. It is also overkill for most of a small business's spend.

When 3-way matching is essential:

Physical goods orders above $5,000 from suppliers you do not buy from weekly
Any purchase from a new vendor in the first six months of the relationship
Categories with a history of billing errors (construction materials, manufacturing components, catering)
Any order where quantity, pricing, or both are negotiated per purchase rather than contracted in advance

When 3-way matching is overhead with no return:

Recurring SaaS subscriptions at fixed monthly prices
Utility bills with no quantity component to verify
Professional services billed at agreed hourly rates (2-way match against the engagement letter is enough)
Low-value purchases below your defined threshold (most teams set this at $500-1,000)

The practical middle ground. Set a dollar threshold below which invoices are approved with 2-way match (invoice against an approved spend request or purchase order) and above which they require 3-way match. Most small businesses find $2,500-5,000 is the right threshold -- high enough to require receiving verification, low enough that the rule does not create a bureaucratic bottleneck on everyday purchases.

For services, replace the receiving report with a project manager or department head attestation: "I confirm this work was completed as described." This achieves the same risk control without the literal goods-receipt paperwork that does not apply to service businesses.

Approval workflow design

Approval workflows fail in two ways: they are too loose (anything goes through without meaningful review) or too tight (everything requires the same senior person, creating a bottleneck that slows payment and damages vendor relationships).

The design principle is matching approval authority to financial risk, not organizational hierarchy.

Tier-based approval by invoice amount:

A workable structure for a team of 10-50 people:

Under $500: AP processor approves, no secondary review
$500-$2,500: department manager approves
$2,500-$10,000: finance manager approves
Over $10,000: CFO or CEO approves

Adjust the thresholds to your business. The point is that a $180 software subscription does not need the same attention as a $45,000 vendor payment. Both need some approval, but not from the same person, and not with the same turnaround expectation.

Category-based approval layers. Some categories warrant extra scrutiny regardless of amount. New vendors should always require a secondary approval until they have completed a first payment cycle. Any payment to a vendor outside your normal geographic market warrants a check. Unusually large invoices from existing vendors -- say, more than 20% above the trailing 3-month average -- should trigger a confirmation call to the vendor before payment.

Department head attestation for services. For professional services, marketing spend, and consulting invoices, route the invoice to the department head who engaged the vendor for a "work completed" confirmation before finance approves payment. This keeps the approval accountable to someone who can actually verify the deliverable, rather than finance approving work they have no visibility into.

Time limits matter. Define a maximum approval time for each tier and track it. An invoice that sits in an approval queue for three weeks costs you vendor goodwill and potentially late fees. If an approver is unavailable, define a backup approver by name in your policy, not just by title.

Payment timing optimization

Paying invoices on time protects vendor relationships. Paying them at the right time within your cash flow cycle is where the financial optimization happens.

Early payment discounts are almost always worth taking. The classic 2/10 net 30 term offers a 2% discount for payment within 10 days. The annualized interest rate equivalent is approximately 36%. No money market account, no short-term investment, pays 36% annually. If you have the cash available on day 10, taking the discount is mathematically correct.

The reason teams miss discounts is not that they decide against them -- it is that nobody tracks them systematically. Add an "early pay deadline" field to your invoice log and build a weekly review into your AP process. Every Monday, review invoices with early pay deadlines in the next 5 business days and check the cash balance. If you can afford to pay, pay early and capture the discount.

DPO management for cash flow. Days Payable Outstanding (DPO) measures how long on average you take to pay vendors. A higher DPO means you hold cash longer. But there is a floor: pay too slowly and you damage vendor relationships, lose early-pay discounts, and incur late fees that dwarf any cash flow benefit.

The target zone is 30-45 days DPO for most small businesses. Below 20 days suggests you are paying faster than necessary. Above 60 days suggests you are either straining vendor relationships or have an AP process so slow that invoices are not being paid on time even when you intend to.

Batch payment runs reduce friction and errors. Running payments twice a week (say, Tuesday and Friday) rather than on-demand means every invoice gets a predictable processing window, reduces the cognitive load on whoever processes payments, and makes the payment activity easy to review in a single bank reconciliation pass. Vendors adapt quickly to predictable payment cycles.

Dynamic discounting for high-volume vendors. If you have a vendor you pay $500,000 or more per year, it is worth a direct conversation about customized early payment terms. Many larger suppliers will offer 1-3% discounts for same-week payment, particularly in industries with tight margins where receivables are expensive. This is a negotiation most small business AP teams do not have, and it is a negotiable item.

Vendor master data hygiene

The vendor master file -- the database of who you pay, how you pay them, and what their tax information is -- degrades without active maintenance. A messy vendor master causes duplicate payments, misdirected ACH transfers, and 1099 filing failures.

Duplicate vendor prevention. Duplicates enter the vendor master when different people set up the same supplier independently, when a vendor changes their name, or when acquisitions result in the same underlying company appearing under multiple names. Prevent new duplicates by requiring a search of existing vendors before creating a new one. Clean existing duplicates by running a quarterly comparison of vendor names and tax IDs -- same tax ID under two names is a guaranteed duplicate. Most accounting systems have a merge function; use it.

W-9 collection before first payment. Any US vendor you will pay $600 or more for services in a calendar year requires a W-9 on file for 1099 reporting. Collect the W-9 before cutting the first payment -- not after. Once you have paid someone without a W-9 and the 1099 deadline approaches, collecting it becomes a chase. Make W-9 submission a step in your vendor onboarding checklist. IRS Publication 583 covers the record retention requirements for small business tax records including vendor documentation.

Payment terms standardization. Inconsistent payment terms in your vendor master create a reconciliation headache. If your accounting software shows vendor A with net 15 terms and the actual contract says net 30, the system will flag late payments that are not actually late. Audit payment terms in your vendor master twice a year and reconcile against the actual contract or purchase agreement. Where no formal terms exist, set net 30 as a default.

Banking detail change protocol. Any request to change a vendor's bank account or ACH routing information should require a direct phone verification call to a number you look up independently from the request. This single control stops the most common form of payment fraud targeting AP teams. Capture the date, time, name of the person you spoke to, and the phone number you used in a log. This is the IOFM AP best practices control most consistently recommended across audit frameworks.

Internal controls at small scale

Segregation of duties is the foundational principle of AP internal control. The idea is that no single person should be able to initiate, approve, and complete a financial transaction without another person's involvement. In a large company, this is structural. In a small one, it requires deliberate design.

The minimum viable separation. Even with two people in finance, you can separate approval from payment execution. Person A reviews invoices, codes them, and marks them approved. Person B runs the payment file or signs the checks. Neither person should be able to do both steps without the other seeing the transaction. This catches most errors and most intentional fraud before money leaves the account.

Owner-level review as a compensating control. When team size makes full segregation impossible -- a single AP person at a 10-person company -- compensating controls close the gap. The business owner or a non-finance senior employee reviews the bank statement monthly and flags any unfamiliar payees or unusual amounts. An external bookkeeper or accountant with read-only accounting access reviews transactions quarterly. These are not as strong as structural segregation, but they significantly raise the detection probability for both errors and fraud.

Access controls in your accounting software. Most small business accounting tools support user-level access permissions. Your AP processor should not have access to create new users, change bank account settings, or delete transactions. The person who approves invoices should not also be able to process payments without a separate login. Review these permissions annually and remove access from employees who have changed roles.

The AICPA SOC guidance for service organizations provides a useful framework for thinking about which controls matter at different stages of financial processing, even for companies that will never need a formal SOC audit. The AICPA publishes accessible summaries of foundational internal control concepts that translate well to small team environments.

Reconciliation as a detective control. Monthly bank reconciliation, performed by someone other than the person who processes payments, catches errors that preventive controls miss. Any transaction in the bank statement that does not match an approved invoice in the system is a discrepancy requiring explanation. This is not optional for a business of any size.

Fraud prevention in accounts payable

AP is one of the highest-risk functions in any business from a fraud perspective, because it is where money leaves the company. Four attack vectors account for the majority of AP fraud at small and mid-sized businesses.

CEO fraud (business email compromise). An attacker -- or occasionally an insider -- sends an email impersonating the CEO or CFO requesting an urgent wire transfer to a new account. The email may come from a convincing spoofed address or, in more sophisticated attacks, from an actual compromised account. The defense: establish a firm policy that no payment to a new or changed account will be processed based solely on an email request, regardless of who it appears to be from. For any payment above a threshold you set, require a direct verbal confirmation.

ACH redirect requests. A vendor -- or someone impersonating a vendor from a spoofed or compromised email address -- requests that you update their banking details before the next payment. The new account belongs to the attacker. This is one of the most financially damaging small business fraud patterns because payments can reach six figures before anyone notices. The defense is the banking change protocol described above: always call a number you look up independently, never the number in the request.

Duplicate invoice submission. The same invoice submitted twice, sometimes weeks apart with a minor variation (different invoice number suffix, slightly different amount). This can be an honest billing error from the vendor or intentional fraud. The defense is automated duplicate detection in your accounting software -- most modern tools check for same vendor, same amount within a date range -- combined with a manual review step for any invoice from a vendor who has submitted a duplicate before.

Ghost vendor fraud. A fictitious vendor is created in the vendor master by an employee who also processes payments, and invoices from that vendor are approved and paid to an account the employee controls. This requires the same person to control both vendor setup and payment processing, which is why those two functions should never belong to the same person. If they currently do, that is the highest-priority control to fix. Quarterly vendor master audits -- flagging recently created vendors with few transactions -- also help detect this pattern early.

Beyond these four, train everyone who handles AP email on basic phishing indicators: urgency pressure, requests that bypass normal process, sender addresses that look right but are slightly off. Most AP fraud starts with a convincing email. A team that reads email skeptically is harder to exploit than any software control.

Start for free and extract your first 10 invoices without a credit card.

Automation reduces the surface area for several of these attacks. When invoices flow through a controlled intake channel and match against known vendor profiles automatically, anomalies stand out. An AI-powered inbox triage system flags invoices from unknown senders, amounts that deviate significantly from vendor history, and payment instructions that differ from the vendor master -- before a human makes a payment decision. Our guide on how to automate invoice processing covers how this fits into a broader AP automation stack.

For teams evaluating tools in this space, our comparison of AP automation software covers the realistic cost and capability differences between entry-level and mid-market options, and the alternativeto comparison hub is useful for seeing how purpose-built tools compare to general-purpose accounting software add-ons.

The throughline across every section of this guide is the same: AP problems compound. A weak intake standard creates coding inconsistency. Coding inconsistency makes approval harder. Approval delays create payment timing problems. Payment timing problems damage vendor relationships and expose you to fraud risk. Getting the upstream steps right makes every downstream step easier. Start at intake, get that right, and work forward from there.