The gap between ‘automated’ and ‘controlled’ in accounts payable
AP & P2P Analyst
Most AP functions can produce, on demand, an impressive set of numbers. Touchless rates above 80%. Cycle times measured in hours rather than days. Cost per invoice that has fallen year on year. Headline metrics that, taken together, suggest a function operating at a level of maturity that would have been unthinkable a decade ago.
Far fewer can produce, on demand, the reasoning behind a single payment.
That’s the disconnect that should be drawing attention right now, because it’s the one finance leaders are increasingly being asked to explain. Auditors are reaching past the dashboard and asking how a specific transaction was approved, end to end. Internal investigations are pulling individual payments apart and asking what evidence sat behind each step. And as AI begins to make decisions that used to be made by people, the same question arrives from a new direction: not just whether the process worked, but whether anyone can show why it produced the answer it did.

The issue isn’t that AP controls don’t exist; it’s that they were designed for a slower, simpler problem than the one they’re now defending against. Automation has made the process faster, AI has made the decisions more opaque, and the threat surface has matured significantly, while the control model underneath has barely moved. The gap between “automated” and “controlled” is what’s left.
This article is about how that gap opened, where it shows up, and what closing it actually looks like.
Control was designed for a slower problem
The control models most AP teams operate on were built in a different decade, when invoices arrived more slowly, suppliers were verified by phone or letterhead, fraud was clumsier, and decisions were made by people who could explain them. The processes that came out of that environment have, by most measures, worked. They’ve handled volume, scaled with growth, and stood up to routine audits for years.
What’s changed isn’t AP itself. It’s everything around AP.
Volumes have risen, and the pressure to process faster has risen with them. AP teams haven’t been asked to do less verification; they’ve been asked to do the same verification in less time, against a threat surface that has grown more sophisticated in parallel. The process hasn’t failed. It’s been outpaced.

That’s the first thing worth saying clearly. As AP becomes faster, more streamlined and more automated, the control gaps that already exist scale with the throughput. Risk doesn’t shrink as efficiency improves; it compounds. The headline metrics move in one direction while the exposure underneath moves in the other.
This is the structural problem, and everything else in this article is a symptom of it.
The gap isn’t in the steps. It’s in the handovers.
Control in AP doesn’t typically fail inside individual steps; it weakens between them.
Most teams can show you the controls inside their onboarding process, the controls inside their invoice processing flow, and the controls inside their payment release, and each of those steps, viewed on its own, looks defensible. The gap is what happens in the spaces between them, where information is re-keyed, context is lost, ownership is unclear, or processes rely on assumption rather than verification.

The supplier record makes this concrete. A supplier record is the foundation of everything downstream, since it’s who POs are raised against, who’s invoicing the business, and ultimately who gets paid. When a supplier is onboarded, the record is verified rigorously: bank details, tax ID, entity status, sometimes external screening. After onboarding, that level of scrutiny rarely returns.
Most teams treat onboarding as the control event, when it’s actually the start of one.
Bank details change, entity structures shift, suppliers get acquired, restructured, and renamed, dormant suppliers get reactivated, and multi-country relationships drift, with details updated in one entity but not another. Each of these is a control event the original onboarding never accounted for, and each one tends to happen months or years after the moment the supplier record was last looked at properly.
This is where most exposure actually lives, not in suppliers who shouldn’t have been onboarded, but in suppliers who were onboarded correctly and then drifted out of validity quietly, while every system involved continued to treat the record as verified.
The threat surface caught up
While the control model stood still, the things attacking it got better. Phishing emails became harder to distinguish from legitimate ones, social engineering moved into video, and generative AI made it cheap to fake the voice and face of someone the AP team trusts.
There is a recent case, widely discussed in financial control circles, of a finance manager being instructed via video conference to make a payment. The video showed the CEO, the voice was the CEO’s, and the instruction looked routine. None of it was real. It was an AI-generated video, used as a vector for fraud.

That example matters not because it’s typical but because it illustrates how far the threat has moved. The control framework most AP teams operate on assumes that identity verification happens at the edges of the process, when a supplier is onboarded, when a bank account is set up, or when a payment is released, and it does not assume that identity itself can be faked, in real time, on a channel AP doesn’t own.
It also isn’t only about fraud. Legitimate change requests are part of the same load, since suppliers genuinely change banks, restructure, and update contact details, and AP teams have to process that legitimate traffic in a way that gives them confidence each change has been made correctly. Fraud is the headline; legitimate-change volume is the operational drag underneath it. Both are exposed by the same gap, the absence of a continuous, structured way to verify any change to a supplier record after onboarding.
Automation outpaced the controls
Most AP functions measure performance, tracking straight-through processing rates, touchless percentages, cycle times, and invoices per FTE, and while these are useful operational indicators, they aren’t control metrics.

A 95% STP rate tells you how many invoices moved through the system without human intervention; it tells you nothing about how many of those invoices passed a control check anyone could reconstruct on demand. The two numbers can move independently, and in most environments, they do. STP rates rise as automation matures, but control coverage doesn’t automatically rise with them, and often falls, because the same volume is now flowing through fewer human checkpoints, while the system-level checks that replaced those checkpoints were never designed to produce the kind of evidence an auditor wants to see.
This is the gap between “automated” and “controlled” expressed as a metric problem: performance dashboards report on the part of the process that has improved while staying silent on the part that hasn’t.
It’s worth being precise about what this means. AP teams aren’t out of control; they have controls, and the controls work. The problem is that the metrics most often used to demonstrate that AP is working are, structurally, indicators of speed rather than indicators of safety, which means asking an AP function to prove control by reading off its STP rate is asking the wrong question. The two things aren’t the same.
AI made the decisions harder to explain
AI is now making decisions that used to be made by people. It matches invoices to POs, it codes line items, it routes approvals, and in some environments it auto-approves invoices below threshold without any human intervention at all. The throughput gains are real and measurable.
What’s less often examined is what happens when an auditor, or a CFO after the fact, asks why a specific decision was made.
AI is fantastically powerful, and it can also be fantastically wrong if it hasn’t been deployed correctly, since the same input can produce different outputs depending on context, model state, and reference data. “The model approved it” isn’t an audit trail; it’s the absence of one.

The standard for controlled AI in finance reduces to three things. The first is confidence scores that can be audited, not as a number but as a reasoning trace. The second is matching logic that can be explained, so any individual decision can be reconstructed without reverse-engineering the model. The third is the supplier record as it existed at the moment of the decision, retrievable on demand, because the auditability of an AI decision depends on the auditability of the data that fed it.
The auditor’s question doesn’t change as more decisions move to AI, but the team’s ability to answer it should not get harder, and for most AP teams, it has. Closing that gap is the next generation of AP control work, and it’s structurally different from what came before. It isn’t about adding more checks; it’s about making the checks that are already happening explainable.
What “in control” actually requires
Pull all of this together and a clearer picture of continuous supplier control emerges. It isn’t six separate controls so much as six parts of the same control, holding together across the lifecycle.

What that looks like in practice is six things working together:
- A strict, structured process for any supplier change, with no informal first-contact-by-invoice route into the supplier master.
- Differentiated information capture by supplier type, because a one-time vendor needs different scrutiny than a strategic partner.
- Dynamic approval workflows by request type, so a bank detail change routes differently than an address update.
- External validation against authoritative sources for tax, bank, sanctions, and credit data, refreshed continuously rather than checked once.
- An uneditable audit history of who did what, when, and on what basis.
- The whole supplier lifecycle process sitting in front of the ERP, guarding it, rather than retrofitted to controls the ERP was never designed to enforce.
These aren’t six aspirations; they’re six interlocking requirements, and taking any one of them out causes the rest to stop holding. An audit trail without the controlled workflow gives you visibility of decisions that were never controlled in the first place. A controlled workflow without the external validation gives you a clean process running on stale data. Continuous validation without the uneditable history gives you good checks that can’t be evidenced.
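One way to make the “uneditable audit history” and the “supplier record as it existed at the moment of the decision” concrete is the following Python sketch. It is an added illustration written for this article, not code from the article’s author or from any AP product. It assumes a hash-chained, append-only change log as the mechanism for tamper evidence, a two-field rule for which changes take the strict approval route, a two-way match with a 2% tolerance as the approval rule, and constructed sample data (supplier S-100, the field names, actors and timestamps); none of those are prescribed by the article.

```python
"""Added example, not from the article: a tamper-evident supplier-master history
with point-in-time reconstruction, request-type routing, and a payment decision
record that cites the exact record version and rule it was decided against.
All field names, routes, tolerances and sample data are constructed assumptions."""
import hashlib
import json

GENESIS = "0" * 64
# Assumption: these fields take the strict route (call-back to a number already on
# file plus two approvers); everything else takes the single-approver route.
SENSITIVE_FIELDS = {"bank_account", "bank_sort_code"}


def route_change(change: dict) -> str:
    """Pick the approval workflow from the request type, not from who asked."""
    return "callback_plus_two_approvers" if SENSITIVE_FIELDS & set(change) else "single_approver"


def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class SupplierHistory:
    """Append-only log of supplier-record changes; each entry hashes the previous one,
    so editing or dropping an old entry breaks every hash after it."""

    def __init__(self):
        self.entries = []

    def append(self, supplier_id, change, actor, basis, t):
        body = {
            "seq": len(self.entries), "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
            "supplier_id": supplier_id, "t": t, "change": change,
            "actor": actor, "basis": basis, "route": route_change(change),
        }
        self.entries.append({**body, "hash": _digest(body)})
        return self.entries[-1]["hash"]

    def verify(self) -> bool:
        """Recompute the chain; False means the history was edited after the fact."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def as_of(self, supplier_id, t):
        """Replay changes up to time t: the record as it existed at that moment."""
        rec = {}
        for e in self.entries:
            if e["supplier_id"] == supplier_id and e["t"] <= t:
                rec.update(e["change"])
                rec["version"] = e["hash"]
        return rec


def record_payment_decision(history, supplier_id, invoice_no, amount, po_amount, t):
    """Decide, and write down the rule, the inputs and the data version behind it.
    Assumption: a two-way match with a 2% tolerance is the approval rule."""
    rec = history.as_of(supplier_id, t)
    matched = abs(amount - po_amount) <= 0.02 * po_amount
    return {
        "invoice": invoice_no, "supplier_id": supplier_id, "t": t,
        "supplier_version": rec.get("version"), "paid_to": rec.get("bank_account"),
        "rule": "two_way_match_2pct", "inputs": {"invoice": amount, "po": po_amount},
        "outcome": "approved" if matched else "held",
    }


def reconstruct(history, decision) -> bool:
    """The auditor's question: re-derive the decision from the history as it was then.
    True only if the chain is intact and replay still yields the version cited at decision time."""
    rec = history.as_of(decision["supplier_id"], decision["t"])
    return history.verify() and rec.get("version") == decision["supplier_version"]


def build_sample_history():
    """Constructed sample: a correctly onboarded supplier whose bank details drift later."""
    h = SupplierHistory()
    h.append("S-100", {"name": "Acme Ltd", "tax_id": "GB123456789",
                       "bank_account": "11112222", "bank_sort_code": "20-00-00"},
             "ap.analyst", "onboarding: tax id checked, bank verified by call-back", t=0)
    h.append("S-100", {"contact_email": "ar@acme.example"},
             "ap.analyst", "email change request", t=200)
    h.append("S-100", {"bank_account": "99998888"},
             "ap.lead", "bank change; call-back to number on file; 2nd approver cfo.office", t=400)
    return h


if __name__ == "__main__":
    h = build_sample_history()
    before = record_payment_decision(h, "S-100", "INV-7", 1000.0, 990.0, t=300)
    after = record_payment_decision(h, "S-100", "INV-9", 1000.0, 990.0, t=500)
    print(before["paid_to"], after["paid_to"], reconstruct(h, before))  # 11112222 99998888 True
    h.entries[2]["change"]["bank_account"] = "55556666"  # someone edits history after the fact
    print(h.verify(), reconstruct(h, after))  # False False
```

Two points the sketch makes that the list alone does not. First, the decision record stores the version hash of the supplier record it was made against, so “why was INV-7 paid to account 11112222” is answered by replaying the log to t=300 rather than by looking at today’s record, which by then shows a different account. Second, hash chaining gives tamper evidence, not tamper prevention: anyone who can rewrite the whole log can recompute every hash, so the latest hash needs to be anchored somewhere the log writer cannot change (a separate system, a signed export, a ledger owned by audit) for the “uneditable” requirement to hold.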
This is what continuous supplier control actually means in practice, and it’s what the auditor is implicitly asking about when they reach for a single transaction and ask you to walk them through it.
A different standard
The standard for what “in control” looks like is shifting, with finance leaders beginning to evaluate AP not on how fast it processes but on whether controls hold up across the lifecycle, continuously, across systems, and under audit.
The strongest AP teams aren’t the ones with the most steps; they’re the ones that can stand over every supplier change, every approval, every payment, on demand, without leaving the system. The next generation of AP won’t be measured by how many invoices it processes. It will be measured by how many it can stand over.
If an auditor asked you to walk through how a single payment was approved last month, end to end, could you do it?
That’s still the question.