How Finance Teams Reduce Fraud Risk With Structured Approval Workflows

How structured AP approval workflows reduce fraud risk in Australian businesses, covering bank detail validation, duplicate detection, and audit trail requirements.

An accounts payable system is the operational layer between a supplier sending an invoice and a business making a payment. When that layer lacks structured controls, it becomes the route through which fraud enters. Finance teams that have reduced fraud risk have done so not by becoming more suspicious of their suppliers, but by structuring the AP workflow to verify automatically at the moments that matter.

The Problem: Where AP Fraud Actually Enters

AP fraud does not typically exploit human gullibility in an obvious way. It exploits process gaps - moments in the workflow where a legitimate-looking document is reviewed with insufficient information or under time pressure.

The three most common entry points in Australian businesses:

Payment redirection via bank detail substitution. A fraudulent invoice arrives with the supplier's correct letterhead, address, ABN, and invoice history - but with a different bank account number. The accounts team processes it using the bank details on the invoice rather than verifying against the historical record. Payment redirection scams cost Australian businesses AU$152.6 million in 2024, a 66% increase from 2023 according to the ACCC National Anti-Scam Centre.

Duplicate invoice payment. The same invoice is submitted twice: once by the legitimate supplier, once by the attacker who has intercepted the original. Or a single invoice is entered manually twice by staff processing a high volume of bills. Either version results in a payment that is difficult to recover after the fact.

False billing from fabricated suppliers. A supplier is created in the system by a staff member or an external attacker. Invoices are submitted under that supplier's name for services that were never performed. Without a structured new-supplier verification step, the fabricated supplier passes through the intake process alongside legitimate ones.

What Good Accounts Payable Controls Look Like

The Australian Federal Police identifies construction as a primary BEC target due to high transaction values, frequent invoicing, and limited cybersecurity resources in many businesses. The AFP's guidance to construction businesses specifically includes implementing verification procedures for payment detail changes - a control that most standard accounting systems do not enforce natively.

Good accounts payable controls address fraud risk at three points in the workflow:

Before the approval step:

  • Automated comparison of supplier bank details on each invoice against the historical record for that supplier

  • Duplicate detection using invoice reference, supplier identity, amount, and date window

  • New supplier verification requiring a documented review before first payment

  • ABN validation where applicable (checking that the ABN on an invoice matches the registered supplier)

During the approval step:

  • Exception flags visible to the approver - they should see that an anomaly was detected, not a clean invoice with the anomaly silently removed

  • Approval authority appropriate to the invoice value - high-value invoices routed to senior approvers, not approved at the same level as routine bills

  • Segregation of duties - the person processing the invoice should not be the person approving it

After the approval step:

  • Structured audit trail recording every flag, every decision, and every override

  • Override records that include the reason the flag was cleared

  • Monthly review of the override log by a senior finance officer not involved in day-to-day processing
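The pre-approval checks listed above (bank detail comparison against the historical record, duplicate detection on reference or amount within a date window, new supplier verification, ABN match) as one intake validation function. This is an added example, not code from Xero, MYOB or any product discussed here; the supplier master, recent bills, flag names and 90-day window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Constructed supplier master: what the AP system already holds for each supplier.
SUPPLIERS = {
    "ACME-01": {"abn": "12345678901", "bsb": "062-000", "account": "12345678", "verified": True},
    "NEWCO-77": {"abn": "98765432109", "bsb": "033-001", "account": "87654321", "verified": False},
}

# Constructed bills already entered: (supplier, reference, amount, issue date as ISO string).
RECENT_BILLS = [("ACME-01", "INV-1001", 4800.00, "2025-03-03")]

@dataclass
class Invoice:
    supplier: str
    reference: str
    amount: float
    issued: str      # ISO date printed on the invoice
    abn: str
    bsb: str
    account: str

def validate_invoice(inv, suppliers=SUPPLIERS, recent=RECENT_BILLS, window_days=90):
    """Pre-approval checks. Returns the exception flags to show the approver;
    an empty list means no anomaly was detected. Flags are never dropped silently."""
    flags = []
    master = suppliers.get(inv.supplier)
    if master is None or not master["verified"]:
        # New supplier verification: a documented review must precede first payment.
        flags.append("NEW_SUPPLIER_UNVERIFIED")
    if master is not None:
        if inv.abn != master["abn"]:
            flags.append("ABN_MISMATCH")
        # Compare against the historical record, never against the invoice itself.
        if (inv.bsb, inv.account) != (master["bsb"], master["account"]):
            flags.append("BANK_DETAILS_CHANGED")
    issued = date.fromisoformat(inv.issued)
    for sup, ref, amt, d in recent:
        if sup != inv.supplier:
            continue
        same_ref = ref == inv.reference
        days_apart = abs((issued - date.fromisoformat(d)).days)
        if same_ref or (amt == inv.amount and days_apart <= window_days):
            flags.append("POSSIBLE_DUPLICATE")
            break
    return flags
```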

The Control Gap Most AP Systems Leave Open

The control that is most frequently absent from standard Australian AP systems is automated supplier bank detail validation. Xero does not natively compare the bank account on an incoming invoice against the historical record for that supplier. MYOB does not either.

This means that in the majority of Australian SMBs, bank detail validation depends on the accounts team member who is processing the invoice noticing that the number looks different from what they remember. At low invoice volumes, with consistent suppliers and a small team, this can work. At high volume, with 40 active suppliers and staff turnover, it reliably fails.

The Victorian construction company that lost AU$900,000 in 2024, when a supplier's email was compromised and fake invoices with altered bank details were sent, operated with exactly this gap. The invoices looked completely legitimate. The bank details were different. There was no automated flag. The payment was made.

A financial controller at a manufacturing business in Geelong described implementing supplier bank detail validation after a near-miss: an invoice arrived from a long-standing materials supplier with slightly different payment details. The controller noticed by chance during a routine review. The invoice turned out to be a fraudulent substitution - the supplier's email had been compromised. The near-miss led directly to a workflow review and the addition of automated validation that would have flagged the discrepancy before it reached human review.

What a Structured Approval Workflow Does to Fraud Risk

A structured approval workflow does not prevent all fraud. It makes fraud harder by requiring it to defeat multiple independent controls rather than a single point of human attention.

The specific risk reduction from a structured accounts payable system:

  • Bank detail validation removes the single-point-of-human-attention failure for the most common fraud mechanism

  • Duplicate detection prevents the re-submission attack that works when processing happens faster than the records can be cross-checked

  • Segregation of duties prevents internal fraud that relies on one person having end-to-end control of the payment process

  • New supplier verification closes the fabricated supplier route before it is exploited

  • Exception flagging visibility ensures that the approver sees anomalies rather than making decisions based on a clean invoice from which anomaly data has been suppressed

None of these controls are expensive or complex to implement. They are absent from many Australian AP systems not because they are difficult but because standard accounting platforms - Xero, MYOB - do not include them natively.

The Regulatory Context That Raises the Stakes

In February 2025, Australia passed the Scams Prevention Framework, imposing obligations on banks, telecommunications companies, and digital platforms to protect consumers from scams. The framework creates a more regulated environment around payment fraud, which has implications for businesses whose AP systems contribute to fraud risk through inadequate controls.

For businesses that process high volumes of payments - particularly in construction, wholesale, and healthcare - the expectation from both insurers and external auditors is that the AP system includes the validation and verification controls described above. An AP system that relies on human attention to catch bank detail changes is increasingly difficult to defend in an insurance claim context when the AU$152.6 million annual loss figure is publicly available.

Practical Implications for AP System Design

For finance teams reviewing their accounts payable system against a fraud risk lens:

  1. Test your bank detail validation today: take three recent invoices from regular suppliers and check whether the bank details on those invoices match the bank details in your accounting system. If you cannot answer that question in under five minutes without manual checking, you do not have automated validation.

  2. Check your duplicate detection: search your MYOB or Xero bills list for any supplier that appears twice with the same amount within 90 days. If you find matches, investigate whether they are legitimate recurring charges or duplicates that passed through undetected.

  3. Review your override log: check how many invoices in the last 90 days were flagged for any reason and then approved. For each, confirm that a reason was recorded for the clearance. If reasons are not being recorded, the exception process is not functioning as a control.
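Step 3 above and the monthly review described in the FAQ (override log with reasons, segregation of duties, senior approval above a value threshold, new supplier approvals) as an approval-time gate plus a retrospective review over the audit trail. This is an added example, not code from any AP product; the record fields, staff names and AU$10,000 threshold are constructed assumptions.

```python
SENIOR_THRESHOLD = 10000.00  # assumed value at or above which a senior approver is required

# Constructed audit trail: one record per invoice decision, as the workflow writes it.
AUDIT_TRAIL = [
    {"invoice": "INV-1002", "amount": 2500.0, "flags": [], "processed_by": "jo",
     "approved_by": "sam", "senior": False, "override_reason": None, "new_supplier": False},
    {"invoice": "INV-2001", "amount": 12000.0, "flags": ["BANK_DETAILS_CHANGED"], "processed_by": "jo",
     "approved_by": "pat", "senior": True, "new_supplier": False,
     "override_reason": "Change confirmed by phone on the number held on file"},
    {"invoice": "INV-2002", "amount": 15000.0, "flags": ["POSSIBLE_DUPLICATE"], "processed_by": "jo",
     "approved_by": "jo", "senior": False, "override_reason": None, "new_supplier": False},
    {"invoice": "INV-3001", "amount": 900.0, "flags": ["NEW_SUPPLIER_UNVERIFIED"], "processed_by": "ali",
     "approved_by": "sam", "senior": False, "new_supplier": True,
     "override_reason": "Supplier verified; ABN checked"},
]

def approve(record, approver, senior, override_reason=None, threshold=SENIOR_THRESHOLD):
    """Approval-time gate. Returns (True, updated record) or (False, reason refused)."""
    if approver == record["processed_by"]:
        return False, "segregation of duties: processor cannot approve their own invoice"
    if record["amount"] >= threshold and not senior:
        return False, "invoice at or above threshold must be routed to a senior approver"
    if record["flags"] and not override_reason:
        return False, "flagged invoice needs a recorded override reason"
    return True, {**record, "approved_by": approver, "senior": senior, "override_reason": override_reason}

def monthly_review(trail, threshold=SENIOR_THRESHOLD):
    """Retrospective check for a senior reviewer: what got through despite the gate."""
    findings = {"override_without_reason": [], "self_approved": [],
                "above_threshold_not_senior": [], "new_supplier_approvals": []}
    for r in trail:
        if r["flags"] and not r["override_reason"]:
            findings["override_without_reason"].append(r["invoice"])
        if r["processed_by"] == r["approved_by"]:
            findings["self_approved"].append(r["invoice"])
        if r["amount"] >= threshold and not r["senior"]:
            findings["above_threshold_not_senior"].append(r["invoice"])
        if r["new_supplier"]:
            findings["new_supplier_approvals"].append(r["invoice"])
    return findings
```

A non-empty override_without_reason or self_approved list is the signal that the exception process is not functioning as a control.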

For teams looking to add the controls described above to their existing MYOB or Xero workflow, the validation and exception review functions and the approval workflow functions are where this layer is built. The accounts payable automation framework describes the broader architecture.

Frequently Asked Questions

What are the most common AP fraud types affecting Australian businesses?
Payment redirection via bank detail substitution is the most financially damaging, costing AU$152.6 million nationally in 2024. Duplicate invoice payment is the most frequent. False billing from fabricated suppliers is the most difficult to detect retrospectively. All three are addressable through structured AP controls.

Does an accounts payable system in Xero or MYOB protect against payment redirection fraud?
Not natively. Neither Xero nor MYOB compares supplier bank details on incoming invoices against historical records for that supplier. This validation requires either a manual check (unreliable at scale) or a dedicated validation layer added to the AP workflow.

What is the most important AP control for construction businesses in Australia?
Supplier bank detail validation. Construction businesses are specifically identified by the ACCC and AFP as targets due to high-value transactions and frequent subcontractor billing. The validation that catches changed bank details before payment is the control that directly addresses the primary fraud mechanism in this sector.

How does segregation of duties reduce AP fraud risk?
Segregation prevents any single person from controlling the full payment process - from receiving the invoice to approving payment. When the same person processes and approves, there is no independent check on their decisions. Separating these roles means that a fraudulent or erroneous invoice must pass two independent people, doubling the chance of detection.

What does a monthly fraud control review of the AP system cover?
The override activity log (invoices flagged and then approved, with reasons), the new supplier approvals for the period, any invoices above the standard threshold, and the segregation of duties confirmation that no staff member processed and approved their own invoices. This review should be performed by a senior person not involved in day-to-day AP processing.