Most AP tool evaluations begin with a demo and a pricing conversation. The vendor shows the platform processing invoices quickly, extracting data accurately, and routing bills to approvers. Speed is what gets demonstrated. Speed is the wrong axis when governance is the primary requirement.
When a business has experienced a fraud event, when an auditor has raised control concerns, or when the finance team has identified specific gaps - the evaluation framework changes entirely. The guide to building an audit-ready approval matrix provides the governance foundation that any tool evaluation should build upon. What matters is where controls sit in the workflow, what they actually verify, and whether the audit trail would hold up under scrutiny.
The Adelaide healthcare CFO evaluation
A CFO at an Adelaide healthcare organisation was evaluating AP tools after an internal controls review flagged three specific gaps: no systematic bank detail verification before invoices reached approval, no pre-approval duplicate detection, and approval thresholds that existed in the policy document but not in the workflow configuration.
She eliminated two tools in the first week of evaluation because neither could demonstrate any of the three controls in a live scenario. The first could show fast extraction and clean routing - it processed sample invoices efficiently. When she changed the bank account number on an invoice from a known supplier and asked the tool what happened, the answer was that it routed to the approver as normal. The second tool had a supplier validation feature listed in its documentation. In the demo environment, it couldn’t demonstrate it working against a real changed bank detail.
Speed was not the relevant question. The question was which of the three gaps each tool actually closed.
Where do controls need to sit in the workflow?
The most important structural distinction in AP automation is where control functions are positioned relative to the approval step.
Controls that sit before approval - supplier validation, duplicate invoice detection, exception flagging - catch problems before any human decision is made. These are the most valuable controls because they prevent wrong invoices from entering the workflow in the first place. An approver reviewing a flagged exception has a structured choice to make. An approver reviewing a fraudulent invoice that passed through without flagging has no choice to make, because they don’t know anything is wrong.
Controls that sit during approval - conditional routing, threshold enforcement, delegation of authority following the four-eyes principle - ensure the right people make the right decisions. These are essential, but they depend on the invoice already being legitimate.
Controls that sit after approval - reconciliation reports, exception dashboards, audit trail review - are useful for identifying what went wrong. They don’t prevent it.
Payment redirection scams cost Australian businesses AU$152.6 million in 2024, according to the ACCC National Anti-Scam Centre. Most of those events involved invoices that entered an approval workflow without upstream validation - the fraud passed through because no pre-approval check compared the bank details against the historical record.
What does the evaluation need to test?
Supplier bank detail verification: can the vendor demonstrate - in a live scenario, not a feature description - what happens when an invoice arrives with a bank account number that differs from the previous payment to that supplier? The answer should be an automatic flag before the invoice reaches the approval queue. If the answer is that it routes normally and the approver is expected to notice, that is not a control.
Duplicate detection: does the system check incoming invoices against existing bills in the accounting system before routing? What fields does it match - invoice number only, or supplier name, amount, and date window as a combined signal? Detection that checks only reference numbers misses re-submissions where the reference has been adjusted.
Approval threshold enforcement: the delegation of authority for Australian SMBs guide explains why this matters structurally. Does the workflow enforce value-based thresholds inside the system, or does threshold compliance depend on the approver knowing the policy? Can a user with admin access bypass the approval step? If the answer to the last question is yes, the threshold exists in settings but not in the workflow.
Audit trail completeness: the audit trail should capture supplier data at the point of approval - what bank details appeared on the invoice, whether any flags were active, what the approver was shown. An audit trail that records “approved by J. Smith on 14 March” is a minimal record. One that records what J. Smith was shown at the time of approval is a governance record.
Why the demo sequence matters
Standard vendor demos show the platform processing clean, structured invoices through a well-configured workflow. This tells you how the tool performs under ideal conditions. The governance evaluation runs a different sequence: a changed bank detail, a duplicate submission, an invoice above the first approver’s threshold, and an invoice with no matching purchase order. Observe what happens to each.
Platforms that handle all four correctly in a live demo are worth shortlisting. Platforms that handle the clean invoice demo well but can’t demonstrate the exception scenarios are routing tools - appropriate for low-risk, low-volume operations where the controls are procedural rather than system-enforced. For businesses where fraud risk is real and audit requirements are specific, the exception scenarios are the evaluation, not the demonstration.
Sources: ACCC - Targeting Scams Report 2024 · ATO - Record-keeping requirements for business
Further reading: Best Invoice Approval Workflow Software Australia 2026 · Invoice Workflow Software: What It Actually Needs to Do · Invoice Approval Workflow Software: What Australian Businesses Need