Accounts Payable Workflow: Stages, Controls & 3-Way Matching
The 2026 process guide to AP — how the workflow actually runs, who owns each step, the internal controls that satisfy SOX Section 404, and the patterns that separate best-in-class teams from everyone else. Written for controllers and AP managers designing or tightening their process.
· Process patterns from Ardent Partners, IOFM, and the COSO Internal Control framework
Best-in-class AP cycle time (Ardent Partners 2025)
Best-in-class touchless invoice rate
Best-in-class cost per invoice
AP spend lost to errors/fraud without matching controls
Sources: Ardent Partners AP Metrics 2025 · COSO Internal Control Framework · IOFM AP Certification curriculum
What the accounts payable workflow is
The accounts payable workflow is the end-to-end process that takes a vendor invoice from receipt to posted payment. Every company has one — formally documented in mature finance organizations, implicit and tribal in smaller shops. How well it runs determines two outcomes that matter: whether suppliers get paid on time, and whether the company's financial controls hold up under audit.
A well-run AP workflow sits at the intersection of three things: a defined process (the seven stages below), the roles that execute it (AP clerk, approver, controller, treasury), and the internal controls that keep it honest (segregation of duties, three-way matching, duplicate detection). Sarbanes-Oxley Section 404 requires public companies to document, test, and attest to these controls; the Committee of Sponsoring Organizations (COSO) framework is the structure most finance teams use to organize them, because it is the framework external auditors evaluate against.
This guide maps the modern AP workflow stage-by-stage, names the roles and controls at each stage, and calls out the failure patterns that most commonly break it. For the software-selection angle, see our AP automation software buyer's guide.
The seven stages of a modern AP workflow
Each stage corresponds to one clear handoff in the process. Well-designed workflows make the handoff explicit (with a timestamp, owner, and queue) rather than implicit (email to someone, hope they see it).
Invoice receipt + capture
Vendor invoices arrive via email, portal, EDI, or mail. The capture layer logs the document, timestamps receipt, and records the originating channel for audit purposes.
Data extraction + validation
Vendor name, invoice number, dates, line items, totals, and tax are captured as structured fields. Duplicate-detection checks the invoice number and vendor combination against posted history.
Coding: GL + cost center
Each line or the full invoice is coded to a general-ledger account and, where applicable, a cost center, project, or department. This is where finance policy gets enforced per transaction.
Matching: 2-way or 3-way
For PO-backed invoices, the system reconciles the invoice to the purchase order (quantities, unit prices, totals) and, for physical goods, to the receiving report. Discrepancies route to exception review.
Approval routing
Approval is assigned based on amount threshold, cost center, vendor tier, or custom rules. Delegates cover PTO windows. Every approval decision is logged with user, timestamp, and comment for the audit trail.
Payment scheduling + execution
Approved invoices are scheduled per payment terms. Early-payment discounts are captured where net cash flow justifies. Execution is via ACH, check, virtual card, or wire, with remittance advice sent to the vendor.
Posting + reconciliation
The transaction posts to the accounting system with the source PDF attached. Sub-ledger reconciliation matches to the bank statement at period-end close. Open-item aging reports surface stuck invoices.
Who owns what
The roles below reflect segregation-of-duties (SoD) — a foundational COSO Control Activity. The principle: no single person can execute the full invoice-to-payment cycle alone.
AP clerk / specialist
Owns daily invoice handling: capture, coding, exception resolution, vendor inquiries. Does not approve or execute payments (segregation-of-duties principle).
Approver (budget owner)
Department head or cost-center owner who validates business-purpose and confirms the expense is authorized. Cannot also create the vendor or enter the invoice.
Controller
Reviews exceptions, sets approval policy, approves above-threshold payments, owns the close. Final check on unusual transactions.
Treasury / payments
Executes the approved payment batch. Separation from the person who entered the invoice is a core SOX control.
The six controls that matter most
For public companies these map to testable SOX Section 404 controls under the COSO framework. For private SMBs they remain best practice — the leakage math is the same whether you have an external auditor or not.
Segregation of duties (SoD)
No single person can create a vendor, enter an invoice, approve it, and release payment. Separating these roles prevents the classic ghost-vendor fraud pattern. COSO identifies SoD as a foundational Control Activity; SOX auditors test this as a Section 404 control.
Three-way matching
Invoice ↔ purchase order ↔ receiving report. A testable Section 404 internal control that satisfies the COSO preventive-control category. Organizations without systematic matching lose an estimated 1–2% of total AP spend to errors, overpayments, and fraud.
Duplicate detection
A detective control that flags invoices matching prior entries on vendor + invoice number + amount. Modern automation tools use deterministic idempotency keys so reprocessed documents never create a second Bill.
Vendor master integrity
New vendor creation requires documented approval; changes to bank details trigger verification (phone-back, not email). This control stops business-email-compromise fraud, where attackers spoof vendor emails to redirect payments.
Approval thresholds
Approval authority scales with amount: manager up to $5K, controller $5K–$50K, CFO above $50K (thresholds vary). Thresholds are codified in policy and enforced in the workflow tool, not left to email chains.
Audit trail
Every action — capture, code, approve, edit, override, pay, post — is logged with user identity and timestamp. External auditors sample-test these logs to verify control design and operating effectiveness.
Three-way matching, explained
Three-way matching reconciles three documents before authorizing payment: the purchase order (what you ordered), the receiving report (what arrived), and the vendor invoice (what you were billed). All three must agree on vendor, quantities, unit prices, and totals. Discrepancies route to exception review — the receiver got short-shipped, the vendor billed an old price, or the quantity shipped exceeded the PO.
The control matters because it catches three distinct risk categories at once. Authorization risk (was this spend approved?): verified by matching to the PO. Delivery risk (did we actually receive the goods?): verified by matching to the receiving report. Billing risk (is the invoice correct?): verified by the final reconciliation. Without 3-way matching, an organization typically loses 1–2% of total AP spend to errors, overpayments, and fraud — $100,000 to $200,000 a year on $10M of AP.
Line-item extraction is the technical prerequisite. Matching at the header level (vendor + total) catches gross errors; matching at the line-item level catches unit-price drift, partial shipments, and quantity discrepancies. See our invoice OCR software guide for the extraction-engine comparison, and the line-item extraction guide for the schema builder walkthrough.
Five common workflow failures
The patterns that show up repeatedly in AP audits. Most are process design problems, not software problems — fixing them often starts before any automation investment.
Invoice hits the wrong mailbox
Vendors email invoices to personal accounts of former employees, shipping clerks, or the CEO. Without a canonical ap@ inbox, invoices disappear into personal archives and late-fee penalties accumulate.
Approval chain goes cold
Approver is on PTO, invoice sits in their inbox unopened. No delegate-authority mechanism means the invoice ages past payment terms and the early-payment discount evaporates.
Vendor master rot
Duplicate vendor records, stale bank details, inactive vendors that haven't been cleaned up for years. Creates duplicate-payment risk and fraud exposure.
Manual 3-way match
Clerk prints the PO, the receiving report, and the invoice and matches them by eye. Slow, error-prone, and impossible to audit at scale — this is the biggest lift automation delivers.
Exception piles without workflow
Mismatched quantities, pricing discrepancies, tax errors pile up in a shared drive folder. Nothing routes them to a clear owner. Month-end close extends by a week chasing exceptions.
Metrics that actually matter
Ardent Partners' AP Metrics That Matter benchmark tracks four leading indicators year over year: cycle time (how long between invoice receipt and posted payment), cost per invoice, touchless rate (percentage of invoices processed without human data entry), and exception rate. Best-in-class AP organizations hit 3.1-day cycle time, $2.78 per invoice, 49.2% touchless, and sub-6% exceptions. Market-average performance sits at 17.4 days, $12.88, 20–25% touchless, and 22% exceptions.
Two lagging metrics round out the dashboard. Discount capture rate: what percentage of available early-payment discounts you actually take (if approval routing is slow, this drops to near zero). Payment-on-time rate: what percentage of invoices pay by terms (if the workflow has bottlenecks, you accrue late fees and damage vendor relationships).
Instrument every stage transition. If you can't see when an invoice moved from capture to coding, or from approval to payment, you can't diagnose where the workflow slows down.
Keep reading
AP automation software
The 2026 buyer's guide to AP automation software.
OpenInvoice processing software
The capture-layer evaluation guide.
OpenInvoice approval software
Approval routing, SOX controls, mobile approvals.
OpenInvoice & PO automation (category)
The pillar page bridging invoices and purchase orders.
OpenImport invoices into QuickBooks
The QBO-specific playbook for AP posting.
OpenLine-item extraction guide
The technical prerequisite for line-level 3-way matching.
OpenFrequently asked questions
What is the accounts payable workflow?
What is three-way matching in accounts payable?
What's the difference between 2-way and 3-way matching?
What are the key AP internal controls?
How do I map AP controls to SOX and COSO?
How long should the AP workflow take?
What's the difference between AP workflow and AP automation?
Who owns the AP workflow?
Tighten the workflow, then automate it.
The biggest ROI comes from combining a clean process with the right software. Start with our free plan — 30 pages a month.