Accounts payable internal controls are the documented checks a firm puts between an invoice arriving and money leaving a client’s bank — so that every payment is real, approved, and traceable. For a small bookkeeping firm running AP across many clients, the controls that matter most are segregation of duties, an approval workflow, vendor master-file discipline, three-way matching, and a verification step for any change to a vendor’s bank details.
The part most firms can describe but can’t produce on demand is that last one: a dated, tamper-evident record showing how each vendor bank change was confirmed before it was paid. This guide is written for the firm that handles client AP — entering bills, scheduling ACH and wire payments, paying from a client’s bank or a tool like QuickBooks Bill Pay — rather than for an enterprise AP department. The control framework is the same; what’s different is that you carry the documentation burden for clients who will never see the work, and an auditor, a client, or an insurer will eventually ask you to show it.
Why AP controls are now a documentation question
Two forces turned “we’re careful with payments” into “show me your controls and your records.”
First, the money. The FBI’s 2024 Internet Crime Report attributed $2.77 billion in losses to business email compromise across 21,442 complaints — and a large share of those losses came from payee-redirect schemes, where an attacker changes where a legitimate invoice gets paid. The single most common entry point is a request to update a vendor’s bank account.
Second, the rules. NACHA Phase 2 took effect on June 22, 2026, and it applies to every ACH-originating business with no volume floor — including a bookkeeping firm originating client payments. It expects originators to use commercially reasonable methods to confirm the legitimacy of vendor banking changes and to be able to produce evidence of that verification. Controls that live only in someone’s habits no longer clear the bar; the control has to be written down, applied consistently, and provable after the fact.
The five controls every firm running client AP should document
You don’t need an enterprise control matrix. You need five controls written into a one-page procedure, applied the same way on every client.
1. Segregation of duties
No single person should be able to add a vendor, approve a bill, and release the payment without anyone else touching it. In a small firm that sounds impossible, but it doesn’t require a big team — it requires a deliberate split. The person who enters a bill shouldn’t also be the person who approves the payment run; the person who can change a vendor’s banking shouldn’t be the only person who signs off on paying it. Where headcount truly won’t allow a split, document a compensating control: a second review, a client approval step, or a periodic independent check of new and changed vendors.
2. An approval workflow with a dollar threshold
Every payment should pass through a defined approval before it’s released, and payments above a set amount should require a second approver. Write the threshold down (for example, dual approval above $5,000) and apply it per client. The point isn’t the exact number — it’s that approval is a gate the payment must pass through, not a courtesy someone extends after the fact. Most AP platforms can enforce this; the control is documenting who approves at what level for each client.
3. Vendor master-file discipline
The vendor master file is where fraud and error quietly enter. New vendors should be added through a controlled step — with a tax ID, a verified contact, and a reason — not created on the fly when an invoice shows up. Existing vendor records, especially banking details, should be change-controlled: who can edit them, and what has to happen before an edit becomes payable. A periodic review of additions and changes to the master file catches the dormant fake vendor and the quietly altered bank account that nothing else will.
4. Three-way matching
Before a bill is approved, match it against what was ordered and what was received: the invoice, the purchase order or engagement, and the confirmation that the goods or service actually arrived. Not every client runs purchase orders, but every client has some second source of truth — a contract, a recurring agreement, a manager’s confirmation. Matching the invoice to it stops duplicate invoices, inflated amounts, and bills for things that never happened.
5. Out-of-band verification of vendor bank changes
This is the control that catches the attack the other four miss. When a request arrives to change a vendor’s bank account, routing number, or remittance details, confirm it through a channel the requester doesn’t control: a phone call to a number you already had on file from a prior invoice, signed engagement, or your vendor master file, placed to the contact you already know at that vendor. Never the number on the request, never a reply to the email, and not the number in the sender’s signature block either. A request sent from a compromised vendor mailbox arrives from the real address with the real signature, which is exactly why the confirming channel has to be one that existed before the request did. We wrote the exact callback script you can read word for word, and a full step-by-step procedure for the whole sequence.
Documentation: the control auditors and insurers actually ask to see
Here’s the distinction that trips up firms. Having a control and being able to evidence it are two different things, and the second is what gets tested. An auditor reviewing your firm — or a client’s auditor sending a confirmation request, or an insurer reviewing a social-engineering claim — isn’t satisfied that you have a verification process. They ask you to produce the record for a specific payment: who called the vendor, on what number, sourced from where, what was confirmed, who approved it, and when.
That’s where the wheels come off. The verification was done correctly, but it lived in a phone call nobody logged, or in a note typed into a spreadsheet that could have been written any time. A denied insurance claim and a failed control test often share the same root cause: the firm did the right thing and kept no provable record of it.
So for each control, document not just the policy but the evidence:
- Segregation of duties — a written role map showing who can add vendors, approve bills, and release payments per client.
- Approvals — the approval threshold per client and a retained record of who approved each payment run.
- Vendor master file — a log of additions and banking changes, with periodic-review sign-off.
- Three-way match — the matched documents retained with each approved bill.
- Vendor bank-change verification — a dated, tamper-evident record of every callback, captured before the payment is released.
If you’re documenting controls because an auditor is coming, our guide on what auditors ask bookkeeping firms about vendor verification maps the specific questions to the records that answer them.
Where small firms most often fall short
Across small firms running client AP, the same four gaps recur:
- One person does everything. Solo and lean firms collapse segregation of duties out of necessity, then never document a compensating control — so there’s nothing to point to when asked.
- Approval is a habit, not a gate. Payments get a glance rather than a recorded approval, and the dollar threshold for a second approver exists only in someone’s head.
- The vendor file drifts. Vendors get added mid-invoice, banking gets updated inline, and nobody reviews the changes — so a fraudulent edit looks identical to a routine one.
- Verification isn’t logged. The callback happens (sometimes), but there’s no tamper-evident record, so a correctly verified change is indistinguishable from one that was never checked.
Every one of these is fixable without new headcount. What they have in common is that the control may exist informally while the evidence doesn’t — and evidence is what gets tested.
Turning controls into a one-page procedure
The practical move is to write these five controls into a single procedure your whole firm follows the same way on every client, then make the evidence a by-product of doing the work rather than a separate chore. A few principles:
- Make each control a gate, not a judgment call. A bank-change request is “entered but not payable” until the callback is logged. A payment over the threshold can’t release without the second approval. The default path enforces the control.
- Capture evidence as you go. The record of a callback, an approval, a master-file change should be created at the moment the work happens — not reconstructed later when someone asks.
- Keep the record tamper-evident. A log whose entries are time-stamped when they are written, and linked so that editing, deleting or back-dating one entry visibly breaks everything recorded after it, is far more credible to an auditor or claims adjuster than a spreadsheet anyone could have typed yesterday.
- Run it identically across clients. The whole value of a documented control is consistency. One quiet exception is the gap an attacker or an auditor finds.
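What “tamper-evident” means in practice is easiest to see in code. The block below is an added example written for this page; it is not the page’s own tooling or CallbackProof’s implementation, and every vendor name, phone number and timestamp in it is constructed. It assumes each log entry is a JSON-serialisable dictionary and that timestamps are UTC in one fixed format; the function and field names are illustrative choices, not a standard. It builds a small SHA-256 hash-chained log of callback records, then applies four after-the-fact changes (an edited field, an edit with the entry’s own hash recomputed, a deleted entry, and an entry written later but dated earlier) and shows where the verifier catches each one.

```python
"""Added example (not the page's or CallbackProof's code): a SHA-256 hash-chained
verification log. Every entry commits to the hash of the entry before it, so an
edit, deletion, insertion or back-dated append breaks the chain at a detectable
position. All vendor names, numbers and timestamps below are constructed."""
import copy
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

GENESIS_HASH = "0" * 64          # stands in for the "previous hash" of entry 0
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # timestamps are UTC in this fixed form


def _canonical(obj: dict) -> bytes:
    # Deterministic serialisation: key order and whitespace must not change the hash.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _entry_hash(entry: dict) -> str:
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(_canonical(body)).hexdigest()


def append_entry(log: list, timestamp: str, record: dict) -> dict:
    """Append one entry; its hash covers seq, timestamp, record and the previous hash."""
    entry = {
        "seq": len(log),
        "ts": timestamp,  # passed in rather than read from the clock so the demo is deterministic
        "prev_hash": log[-1]["hash"] if log else GENESIS_HASH,
        "record": record,
    }
    entry["hash"] = _entry_hash(entry)
    log.append(entry)
    return entry


def verify_chain(log: list) -> tuple[bool, Optional[int]]:
    """Return (True, None) if every link holds, else (False, index of the first bad entry)."""
    prev_hash, prev_ts = GENESIS_HASH, None
    for i, entry in enumerate(log):
        if entry.get("seq") != i or entry.get("prev_hash") != prev_hash:
            return False, i  # an entry was deleted, inserted or reordered
        if _entry_hash(entry) != entry.get("hash"):
            return False, i  # the entry was edited after it was written
        try:
            ts = datetime.strptime(entry["ts"], TS_FORMAT).replace(tzinfo=timezone.utc)
        except (KeyError, ValueError):
            return False, i  # missing or malformed timestamp
        if prev_ts is not None and ts < prev_ts:
            return False, i  # timestamps may never go backwards: a back-dated entry
        prev_hash, prev_ts = entry["hash"], ts
    return True, None


def build_sample_log() -> list:
    """Constructed sample: one vendor bank-change request and its outcome."""
    log: list = []
    append_entry(log, "2025-03-03T14:05:00Z", {
        "client": "Client A", "vendor": "Acme Supply (sample)",
        "request": "new remittance account, received by email",
        "number_called": "+1-555-0100",  # fictional number
        "number_source": "vendor master file, on record since 2023-01",
        "spoke_with": "vendor AP contact already on file",
        "result": "vendor states it did not request the change",
        "status": "entered, not payable",
    })
    append_entry(log, "2025-03-03T15:20:00Z", {
        "client": "Client A", "vendor": "Acme Supply (sample)",
        "action": "change rejected; client and vendor notified",
        "approved_by": "second reviewer", "status": "closed",
    })
    return log


def tampering_demo() -> dict:
    """Apply four after-the-fact changes to copies of the log and report what verify_chain sees."""
    clean = build_sample_log()
    results = {"clean": verify_chain(clean)}
    edited = copy.deepcopy(clean)
    edited[0]["record"]["number_called"] = "+1-555-0199"    # quietly "correct" the number called
    results["edited_field"] = verify_chain(edited)           # caught at entry 0: hash mismatch
    rehashed = copy.deepcopy(edited)
    rehashed[0]["hash"] = _entry_hash(rehashed[0])           # attacker also recomputes that entry's hash
    results["edited_and_rehashed"] = verify_chain(rehashed)  # caught at entry 1: prev_hash no longer matches
    deleted = copy.deepcopy(clean)
    del deleted[0]                                           # drop the inconvenient first record
    results["deleted_entry"] = verify_chain(deleted)         # caught at entry 0: seq and prev_hash wrong
    backdated = copy.deepcopy(clean)
    append_entry(backdated, "2025-03-01T08:00:00Z", {"note": "written today, dated two days earlier"})
    results["backdated_append"] = verify_chain(backdated)    # caught at entry 2: timestamp went backwards
    return results


if __name__ == "__main__":
    for name, outcome in tampering_demo().items():
        print(f"{name:20s} -> {outcome}")
```

Two points worth noticing. The “edited and rehashed” case is why chaining matters: a per-entry hash alone is defeated by recomputing it, but the next entry still carries the old hash, so the break shows up one entry later. And a chain only proves that nothing changed since some known head hash; whoever controls the log file could rebuild the whole chain from scratch. The usual fix is to copy the current head hash somewhere the log’s own operators cannot quietly alter, for example into the month-end sign-off sent to the client, so the log can later be checked against it.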
Our free vendor bank-change verification template gives you the verification control in ready-to-use form — the independent-contact rule, the callback script, a dual-approval step, and a one-page log sheet — with no signup. For firms that want the documentation to run automatically across every client, CallbackProof is the workflow-and-recordkeeping layer that enforces the callback-and-approval sequence and writes each verification into a SHA-256 hash-chained log, so the evidence is provable months later when someone asks to see it — without depending on any one client’s accounting tool.
Frequently asked questions
What are the most important accounts payable internal controls for a small firm?
Segregation of duties, an approval workflow with a dual-approval threshold, vendor master-file discipline, three-way matching, and out-of-band verification of vendor bank-detail changes. For a firm running client AP, the verification control and its documentation are the ones most often tested by auditors and insurers.
How do I segregate duties when I’m a one-person firm?
Document a compensating control instead. That can be a second reviewer (even the client) for payment approvals, a periodic independent review of new and changed vendors, or a client sign-off step before payments release. The goal is that no banking change or payment goes out with exactly one set of eyes and no record.
What documentation do auditors expect for AP controls?
A written procedure plus evidence it’s followed: a role map for segregation of duties, retained approval records, a vendor master-file change log, matched documents for each bill, and a dated record of how each vendor bank change was verified before payment.
Does NACHA Phase 2 require documented AP controls?
NACHA Phase 2, effective June 22, 2026, requires ACH originators — including bookkeeping firms originating client payments — to use commercially reasonable methods to confirm vendor banking changes and to be able to produce evidence of that verification. Documented, provable controls are how you meet that expectation.