The six control blindspots hiding in your AP process

oisin


If an auditor asked you to walk through how a single payment was approved last month, end to end, could you do it? 

Most AP teams can point to controls. They can identify approval workflows, system checks, audit trails. On paper, it all looks controlled. But taking one payment and showing, step by step, how those controls actually operated in practice is where it becomes difficult. 

The issue isn’t that controls don’t exist. It’s that they operate as isolated points across the lifecycle: validated once, rarely revisited, and often assumed rather than evidenced. 

Over time, that creates blindspots where control gaps emerge. They don’t appear as single points of failure. Instead, they build up quietly, across handoffs, exceptions, and disconnected processes, making it difficult to piece together a clear, defensible picture of control when it matters. 

This article looks at six of the most common blindspots where those gaps show up, and the questions you need to be able to answer to close them. 

Control is often assumed, not validated 

With the rise of automation, most AP teams have become comfortable measuring performance. Solutions are assessed on straight-through processing rates, touchless percentages, cycle times – all metrics that signal efficiency and throughput. To be clear, these are useful operational indicators, but they aren’t control metrics. 

In practice, control tends to be inferred from performance. If invoices are being processed quickly, approvals are flowing, and payments are being made on time, it’s easy to assume the underlying controls are working as intended. 

Let’s take a typical finance team in a large organisation. They know supplier onboarding has controls: verification steps, approval points, and segregation of duties. They know invoice processing has controls: matching rules, exception handling, and workflow checks. And they know payments have controls: release approvals, bank validations, and audit trails. 

In isolation, each part of the process appears controlled. But the issue is what happens in between. 

Control in AP doesn’t typically fail within individual steps. It weakens in the handoffs between them: where information is re-keyed, context is lost, changes happen outside a controlled flow, or processes rely on assumption rather than verification. 

That’s where the blindspots emerge – in the gaps between controls. Where ownership is unclear, evidence is fragmented, and small inconsistencies build into something much harder to detect or defend. 

These are the structural weaknesses in most AP environments. Naturally, they are the areas auditors probe and the points fraud exploits.

[Graphic A3 – “Controls validated once…”] 

The six AP control blindspots 

Below are six of the most common control blindspots across the AP lifecycle. For each one, we’ve outlined where the gap typically sits, who it exposes, and the question you should be able to answer to test whether it exists in your environment. 

[Graphic A4 – “6 Blindspots summary”]

1. No audit trail for end-to-end invoice approval

What fails. Approval happens, but the trail behind it is fragmented across emails, ERPs, and informal sign-offs. There is no single record of who approved what, when, against which policy, and on the basis of what evidence. 

Who is exposed. If you can’t evidence that a payment was approved according to policy, you are exposed at audit, in fraud investigations, and in any internal escalation. The risk isn’t only the missing approval. It’s the inability to prove the approval that did happen. 

Control question: Can you walk an auditor through the approval of any single payment from the last 90 days, end to end, without leaving the system?

2. Automated does not mean controlled

What fails. Touchless and STP rates measure how many invoices move through without human intervention. They don’t measure whether controls were applied to those invoices. The headline number can rise while the proportion of invoices that passed a defensible control gate stays flat, or falls. 

Who is exposed. A 95% STP rate looks like operational excellence on a board slide. It can also mean 95% of invoices were paid without a control check anyone could reconstruct on demand. 

Control question: What proportion of your auto-approved invoices last quarter could you re-create the control logic for, on demand?

3. Supplier verification gaps

What fails. Suppliers are verified at onboarding. Bank details, tax IDs, and entity information are checked once. After that, most teams rely on the supplier to flag changes, and on AP to spot anything unusual on the next payment run.

Who is exposed. Bank detail fraud almost always happens between payments, not at onboarding. The window of exposure is the gap between the last verification and the next payment run. The longer that window, the larger the gap. 

Control question: If a supplier’s bank details changed last week, would you know before the next payment run?

4. Duplicate invoice exposure

What fails. Duplicates are usually treated as a processing problem. They are also a control readout. The volume of duplicates that survive review tells you how well capture, matching, and approval are joined up. High duplicate rates are rarely a software problem. They are usually a control gap problem. 

Who is exposed. Duplicates often hide inside backlogs. When one organisation worked through an invoice backlog they had been carrying for months, around 25% of it turned out to be duplicates. Invoices they had already paid, or were about to pay twice. The backlog wasn’t a processing failure. It was a control failure that had compounded quietly. 

Control question: How much of your current invoice backlog do you think is duplicate? Would you bet a payment run on that estimate?
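As an added illustration, not from the original article, here is a pre-payment-run gate that joins the supplier verification check from blindspot 3 with the duplicate check from blindspot 4, so that neither control is left to be applied after the fact. The data model, field names and sample records are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Supplier:
    supplier_id: str
    iban: str
    iban_verified_on: date   # last independent verification of bank details
    iban_changed_on: date    # when the current bank details were recorded

@dataclass
class Invoice:
    supplier_id: str
    invoice_no: str
    amount: float
    invoice_date: date

def normalise_invoice_no(raw: str) -> str:
    """Collapse case and punctuation differences that let duplicates slip past exact matching."""
    return "".join(ch for ch in raw.upper() if ch.isalnum())

def gate_payment_run(run, suppliers, paid_history):
    """Return findings keyed by invoice_no; an empty dict means every invoice passed both gates.
    Gate 1: bank details changed since the last verification (blindspot 3).
    Gate 2: duplicate of an already-paid invoice or of one earlier in this run (blindspot 4)."""
    findings = {}
    seen = {(p.supplier_id, normalise_invoice_no(p.invoice_no), round(p.amount, 2))
            for p in paid_history}
    for inv in run:
        issues = []
        sup = suppliers.get(inv.supplier_id)
        if sup is None:
            issues.append("supplier not on verified master record")
        elif sup.iban_changed_on > sup.iban_verified_on:
            issues.append(f"bank details changed {sup.iban_changed_on} "
                          f"after last verification {sup.iban_verified_on}")
        key = (inv.supplier_id, normalise_invoice_no(inv.invoice_no), round(inv.amount, 2))
        if key in seen:
            issues.append("duplicate of an invoice already paid or earlier in this run")
        seen.add(key)
        if issues:
            findings[inv.invoice_no] = issues
    return findings

# Constructed sample data (not real suppliers or payments).
SAMPLE_SUPPLIERS = {
    "S1": Supplier("S1", "GB00TEST00000001", date(2024, 1, 10), date(2023, 6, 1)),
    "S2": Supplier("S2", "GB00TEST00000002", date(2024, 1, 10), date(2024, 3, 2)),  # changed after check
}
SAMPLE_PAID = [Invoice("S1", "INV-0042", 1200.00, date(2024, 2, 1))]
SAMPLE_RUN = [
    Invoice("S1", "inv 0042", 1200.0, date(2024, 2, 1)),   # re-submitted, already paid
    Invoice("S1", "INV-0043", 500.00, date(2024, 2, 20)),  # clean
    Invoice("S2", "INV-7", 300.00, date(2024, 3, 5)),      # unverified bank change
    Invoice("S3", "INV-9", 99.00, date(2024, 3, 5)),       # supplier never onboarded
]
```

Anything returned by `gate_payment_run` is held before release, and the findings themselves become the evidence an auditor can ask for.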

5. Invoices that never reach AP

What fails. Invoices sent directly to business users, not to AP. They sit in inboxes. They get approved informally, or forgotten. They reach AP only when a supplier chases payment, if at all. 

Who is exposed. This is the structural cousin of “automated does not mean controlled.” There’s no automation problem here, because the invoice never entered the system. The control gap is the absence of AP visibility entirely. Every invoice that bypasses AP is a payment your control framework never saw, never logged, and can’t evidence. 

Control question: What percentage of invoices in your business this month went to a person before they went to AP? 

A note on what “losing control” actually means: When AP teams say they’ve lost control, they usually mean the business isn’t co-operating. Invoices arrive late, in the wrong inboxes, or never arrive at all. AP needs visibility and control of what’s happening across the business. That can’t exist if the business isn’t playing ball. The point isn’t that AP teams aren’t in control. It’s that the conditions for control are cross-functional, and the gap is rarely AP’s to close alone.

6. AI approval without explainability

What fails. AI matches, codes, and routes invoices. Most AP teams accept the output. Few can produce, on demand, the reasoning behind any individual decision: confidence scores, matching logic, or supplier history at the time of the decision. 

Who is exposed. “The model approved it” is not an audit trail. As more decisions move to AI, the gap between what a system did and what a team can explain widens. The auditor’s question doesn’t change. The team’s ability to answer it should not get harder as automation increases. 

Control question: For any AI-approved invoice last month, can you produce the confidence score, the matching logic, and the supplier history that supported the decision? 

[Graphic A5 – 6 control questions stack] 

These six problems are really just one 

Looked at individually, each blindspot is a discrete issue with a discrete fix. Looked at together, they describe something else. 

These are not six separate problems. They are one problem repeated in six places. 

Each blindspot is what happens when control points don’t talk to each other. The supplier record at onboarding doesn’t connect to the bank check at payment. The approval workflow doesn’t connect to the duplicate logic. The AI decision doesn’t connect to the audit trail. 

This isn’t a series of isolated gaps. It’s a structural break in how control operates across the lifecycle. 

Recovery is not a control strategy 

A lot of what passes for control today is actually recovery: catching the duplicate after it’s queued, spotting the fraud after the payment has cleared, reconstructing the approval trail after the audit request comes in. 

[Graphic A6 – “Recovery is not a control strategy”] 

But recovery is not a control strategy. 

The standard for what “in control” looks like is shifting. Finance leaders are starting to evaluate AP not on how fast it processes, but on whether controls hold up across the lifecycle: continuously, across systems, and under audit.

The next generation of AP won’t be measured by how many invoices it processes. It will be measured by how many it can stand over. 

Take the AP controls self-assessment 

Twelve questions across four control domains. A quick, directional check on where gaps might exist. No scorecard. No diagnosis. Just a starting point.