Why automated does not always mean controlled
Head of Product

Most conversations about AP automation open with a number. Straight-through processing rate. Touchless percentage. Exception volume. They’re useful numbers, and they’ve done a lot of useful work in our industry, because for years the question we were trying to answer was how to move invoices through the function faster and with fewer hands on them. We’ve largely answered that question.
The challenge has moved on, but the metrics we use to measure ourselves haven’t. The next problem is no longer how fast we move invoices; it’s whether the controls behind that speed are still doing their job. And that’s starting to create a quiet problem in finance organisations that look, on paper, like they’re doing everything right.

This piece is about that gap. It looks at what a clean STP rate is good at telling you, what it isn’t, and the supplier-level questions that automation tends to make AP teams stop asking. It closes with two diagnostic questions worth putting to any well-automated AP function, and a reframe I keep coming back to with finance leaders: the difference between active and passive control.
Speed got the attention. Control is often assumed.
The problem isn’t that automation is failing. Automation is working as advertised. The problem is what a high STP rate makes a team stop asking. Once a process is running cleanly through workflow, the conversation tends to move on. Speed gets the attention. Control gets assumed.
It helps to think about what happens when AP performance gets reviewed inside a finance function. Whether it’s a board update, a quarterly SLT meeting, or a one-to-one between the CFO and the controller, there are usually three people whose perspectives matter, and they ask three different questions of the same dashboard.
- The AP Manager is transactional. They’re measured on throughput, on cycle time, on how few invoices need a human in the loop. They want the operation to run smoothly and to be defensible if anyone asks why an invoice took longer than it should have.
- The business approver, the person whose budget the invoice hits, just wants the thing off their desk and on its way to paid.
- The CFO is paid to take the longer view. Fraud exposure, audit posture, sanctions risk, and ultimately the question of who actually got paid and why.
Most automation conversations happen at the first level. The risk lives at the third. And if a payment goes to the wrong account, no one’s going to ask the AP Manager to explain it.
The questions automation stops asking
A productivity-focused AP process is compliant in the narrow sense, and it’s important to be honest about what the narrow sense covers. The workflow ran. Two people approved. The audit trail captured the action. Those things matter, and a process that handles them well is genuinely better than one that doesn’t.
But that combination of evidence answers one specific question (did we follow our process?) and not the question that actually matters when something goes wrong: should we still have been making this payment at all?
The questions that get dropped, in my experience, are the supplier-level ones:
- Is this supplier still who we thought they were when we onboarded them?
- Has their bank account been verified recently, and against what?
- Are they still aligned with our compliance policy, including the version we updated last quarter?
- Are they on a watch list today that they weren’t on six months ago?
These aren’t exotic questions. They’re the questions you’d expect any well-run finance function to be asking. The reason they get dropped isn’t negligence. It’s that they’re dynamic questions, with one answer today and a different answer in six months, and most AP processes built around throughput don’t have a mechanism to ask them again.
Where a clean STP rate hides risk
A 3-way match looks fine, and on a good day it should. The purchase order, the goods receipt, and the invoice line up. The system approves. The metric goes green.
The operational case for the match is strong, but it’s worth being clear about what the match actually checks: it confirms the invoice is consistent with what was ordered and received. It doesn’t re-test the supplier sitting on the other end of the payment. There are at least three things that can change between the day a supplier was onboarded and the day a payment is approved, and a clean STP rate won’t detect any of them.

The bank account on file may not belong to your supplier any more
This is where the real risk lives, and it’s bigger than most AP teams realise. The 2025 AFP Payments Fraud and Control Survey reports that 79% of organisations were victims of attempted or actual payments fraud in 2024. Business email compromise was the top avenue at 63%, and vendor imposter fraud, where someone impersonates a known supplier, was cited by 45% of respondents. That’s an 11-percentage-point jump on the prior year.
The pattern is depressingly consistent. A request comes in to update bank details for a known supplier. The email looks legitimate. The change is processed through normal workflow. The next payment leaves the building and goes somewhere it shouldn’t. The supplier was validated at onboarding. The bank account on file today isn’t theirs.
Your supplier’s regulatory status may have moved
A counterparty that was clean on day one can appear on a sanctions list, a politically-exposed-persons list, or a financial-crime watch list six months later. They may have moved the domicile of the account they’re asking you to pay into. The regulator looking at your books doesn’t care that the supplier was clean when you onboarded them. They care whether the supplier was clean on the day you made the payment.
Your own policy may have moved
Compliance rules change, sometimes substantially. The master data refresh that lands in your AP system from the ERP every night carries data that was correct at some point, but the AP system has no way of knowing whether “some point” was this morning or last quarter. The supplier could be perfectly aligned with the policy you had in place when you onboarded them, and out of step with the policy you operate under today.
The pattern is the same in each case. The validation happened. It was correct. It just wasn’t refreshed. All the metrics are green, but each green light is a point-in-time check, and the team running the system is operating in a bubble because the data behind that light hasn’t been retested.
Two diagnostic questions worth asking yourself
If your touchless rate is good, that’s genuinely good news, and I don’t want to pretend otherwise. But before you take it as evidence that the underlying control posture is healthy, there are two questions worth asking yourself. Both tend to be more diagnostic than the metric they’re interrogating.
Have you had any fraud incidents recently, and what was the root cause?
This isn’t a question designed to relive an unpleasant moment. It’s a question designed to surface a pattern.
Fraud root causes in well-automated AP functions almost always trace back to a validation that was correct at the time it ran and stale by the time it mattered. The bank account that was verified once at onboarding and never again. The supplier you hadn’t transacted with for three years but who was still active in the master data. The change request that came in through a channel the workflow wasn’t built to scrutinise.
The shape of the answer is what tells you whether the controls in place are doing the work you think they are.
When was each of your supplier bank accounts last revalidated?
This one’s more boring and probably more useful. Not approved, not reconciled. Revalidated, meaning checked against an external source that wasn’t the supplier’s own paperwork.
If the honest answer is more than six months for any meaningful proportion of your supplier base, it’s a flag. Not a failure, and not a sign that anyone’s done anything wrong. But it’s the difference between an AP function that’s audit-ready and one that’s automated to a green light, and those aren’t the same thing.
The shift to active control
The reframe I keep coming back to with finance leaders is this: most AP teams have controls. The honest question isn’t whether they exist. The question is whether they’re active or passive.
A passive control was validated once at onboarding, captured in the audit trail, and never revisited. It looks identical on day one and day 365. It’ll go green for the auditor on a sample-test basis, because the evidence of validation is sitting in the file where the auditor expects to find it. What it can’t do is tell you whether the validation is still true.
An active control is repeated against current data. The bank account is checked against an external reference before this payment run, not against itself. The sanctions list is checked today, not against the version we ran six months ago. The supplier’s policy alignment is reassessed when policy changes, not when someone happens to remember. The control is alive, not preserved.
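As an added example, not the article’s own code or any product’s implementation: the active-control pattern just described, together with the revalidation-age question from the diagnostics section above, expressed as a pre-payment-run gate over a supplier master table. The field names, thresholds, dates, policy version numbers and sample rows are all assumptions made for illustration; the sample data is constructed, and each row is built to trip one of the ways a control goes stale, including the bank-detail change made after the last verification that the vendor-imposter pattern relies on.

```python
"""Pre-payment-run gate: re-test supplier-level controls against current data.

Added example, not the article's own code. Assumes a supplier master row
with the fields below and a payment run given as (supplier_id, amount) pairs.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed parameters for this example (not taken from any real system):
TODAY = date(2025, 6, 10)
MAX_BANK_AGE = timedelta(days=180)      # the article's "six months" threshold
SANCTIONS_LIST_DATE = date(2025, 6, 1)  # assumed date of the list version in force today
CURRENT_POLICY_VERSION = 4              # assumed: policy was revised last quarter


@dataclass
class Supplier:
    sid: str
    bank_changed: date                   # last edit to bank details in master data
    bank_verified: Optional[date]        # last check against an external source (None = never)
    sanctions_screened: Optional[date]   # last screening run (None = never)
    policy_version: int                  # policy version the supplier was last assessed against


# Constructed sample master data; each row illustrates one way a control goes stale.
SUPPLIERS = {
    "S001": Supplier("S001", date(2025, 1, 5), date(2025, 1, 6), date(2025, 6, 2), 4),  # clean
    "S002": Supplier("S002", date(2024, 3, 1), date(2024, 3, 2), date(2025, 6, 2), 4),  # bank check older than 180 days
    "S003": Supplier("S003", date(2025, 6, 8), date(2025, 1, 6), date(2025, 6, 2), 4),  # bank details changed after last check
    "S004": Supplier("S004", date(2025, 1, 5), date(2025, 1, 6), date(2025, 2, 1), 4),  # screened against a superseded list
    "S005": Supplier("S005", date(2025, 1, 5), date(2025, 1, 6), date(2025, 6, 2), 3),  # assessed against an old policy
    "S006": Supplier("S006", date(2025, 5, 1), None, None, 4),                          # never verified or screened
}


def control_findings(s: Supplier, today: date = TODAY) -> list:
    """Re-test the three supplier-level questions against today's data.

    Returns an empty list when every control is current, otherwise one
    reason per failed check. Ordering matters: a bank-detail change made
    after the last external verification voids that verification however
    recent it is, which is the pattern behind vendor-imposter fraud.
    """
    findings = []
    if s.bank_verified is None:
        findings.append("bank account never verified against an external source")
    elif s.bank_changed > s.bank_verified:
        findings.append("bank details changed after last external verification")
    elif today - s.bank_verified > MAX_BANK_AGE:
        findings.append("bank verification older than %d days" % MAX_BANK_AGE.days)
    if s.sanctions_screened is None or s.sanctions_screened < SANCTIONS_LIST_DATE:
        findings.append("not screened against the current sanctions list version")
    if s.policy_version < CURRENT_POLICY_VERSION:
        findings.append("assessed against superseded policy version %d" % s.policy_version)
    return findings


def gate_payment_run(payments, suppliers=SUPPLIERS, today: date = TODAY):
    """Split a payment run into released and held items.

    A supplier with any finding is held with the reasons attached, so the
    hold is explainable to the approver rather than a silent block. A
    supplier absent from master data is held too: the run must not pay
    anyone the controls have never looked at.
    """
    released, held = [], []
    for sid, amount in payments:
        s = suppliers.get(sid)
        if s is None:
            held.append((sid, amount, ["supplier not present in master data"]))
            continue
        findings = control_findings(s, today)
        (held if findings else released).append((sid, amount, findings))
    return released, held


def stale_bank_share(suppliers=SUPPLIERS, today: date = TODAY) -> float:
    """The second diagnostic question as a number: the proportion of the
    supplier base whose bank account has not been externally revalidated
    within MAX_BANK_AGE. Never-verified accounts count as stale."""
    stale = sum(
        1 for s in suppliers.values()
        if s.bank_verified is None or today - s.bank_verified > MAX_BANK_AGE
    )
    return stale / len(suppliers)


if __name__ == "__main__":
    run = [("S001", 12000.0), ("S002", 800.0), ("S003", 45000.0),
           ("S004", 300.0), ("S005", 2200.0), ("S006", 9000.0), ("S999", 50.0)]
    released, held = gate_payment_run(run)
    print("released:", [sid for sid, _, _ in released])
    for sid, amount, reasons in held:
        print("HOLD %s %.2f: %s" % (sid, amount, "; ".join(reasons)))
    print("share of base with stale bank verification: %.0f%%" % (100 * stale_bank_share()))
```

Two caveats a practitioner would add. First, the gate is only as honest as the `bank_verified` date feeding it: if that field is stamped when someone files the supplier’s own letterhead rather than when an independent source confirmed the account, the check passes for the wrong reason, which is exactly the distinction the diagnostics section draws between approved and revalidated. Second, the sanctions check here compares dates against a list version, not names against a list; the point is that a screening result expires when the list it was run against is superseded, so the real screening has to be re-run, not just its date inspected.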

The honest takeaway for most finance leaders isn’t that they’re in control or that they’ve lost control. It’s something quieter and considerably more useful. It’s the recognition that they might have gaps, that they might be exposed, that they have meaningful risk or are at least not confident they don’t.
That’s the question worth walking away with. Not how fast your AP runs. Whether the controls behind it are still valid today.
Test your control posture
If you can’t easily answer how recently your supplier bank accounts, sanctions checks, or policy alignments were last validated, the controls you have may be passive.
Our 12-question self-assessment is a temperature check, not a sales call. It takes about five minutes.