Why Purchase Orders Are Your Best Defence Against AP Fraud in Australia

Purchase orders create an authorised commitment before money moves. Without them, every invoice is unverifiable. Here is why PO discipline reduces AP fraud risk.

Pulsify · 29 March 2026 · 6 min read

Purchase orders are not an administrative burden. They are the mechanism by which a business documents that it agreed to a purchase before being asked to pay for it. Without that documentation, every invoice is essentially unverifiable - there is no prior record against which to check whether the goods or services were actually ordered at the price being charged.

The AP fraud that purchase order discipline prevents is not exotic. It is everyday: an employee creating an invoice for an unapproved purchase, a supplier billing at prices above the agreed rate, a fraudulent vendor submitting an invoice for services that were never engaged. Each of these scenarios is caught by a simple check - does this invoice correspond to an authorised purchase order? Without POs, the check cannot happen.

How AP fraud enters through the absence of POs

The mechanics of AP fraud without purchase order controls are straightforward.

A fraudulent invoice arrives from a new vendor offering a service the business routinely uses - IT support, consulting, cleaning. Because the business processes invoices without requiring PO references, the invoice enters the approval queue looking like any other. The approver, focused on whether the amount seems reasonable rather than whether the service was actually ordered, approves and pays.

This is not a sophisticated attack. It requires only that the business has no process for verifying that invoices correspond to authorised orders. In organisations where purchasing happens informally - by phone or email - this gap is common.

Purchase order discipline changes the check. The AP system asks: does this invoice reference a PO? Is that PO in the system? Do the invoice amount and vendor match the PO? An invoice that answers no to any of these questions is flagged before it reaches an approver.

The four fraud scenarios that PO matching catches

Vendor fraud - invoices for services never ordered. A fraudulent invoice from an unknown vendor is submitted for web design, marketing research, or consulting. Without PO matching, it enters the queue. With PO matching, it is immediately flagged: there is no purchase order for this vendor in the system. The exception requires explanation before the invoice proceeds.

Overbilling - invoices above the agreed price. A legitimate supplier bills at a rate higher than the agreed contract price. This may be accidental (pricing system error) or deliberate (testing whether the customer will notice). PO matching compares the invoice price against the PO rate and flags any discrepancy above the configured tolerance. The approver sees the variance and can reject or approve with an explanation.

Duplicate invoices - the same order billed twice. A supplier resends an invoice a month after the original, either due to their own system error or deliberately testing payment. PO matching records that the original PO has already been matched and paid. The second invoice triggers a flag: this PO has already been invoiced. Duplicate detection at the matching stage prevents double payment without requiring manual identification.

Internal fraud - purchases made without proper authorisation. An employee with bill payment access creates an invoice for personal goods or services and approves it themselves. PO matching requires that every invoice correspond to an approved purchase order, and purchase order approval is a separate step from invoice approval. A purchase order for the fraudulent item would require separate sign-off, creating a second control point the fraudster must bypass.
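The intake check behind these four scenarios can be sketched in a few lines. The following is an added example, not Pulsify's code: the field names, flag names, 2 percent tolerance and sample records are all constructed for illustration, and it assumes one invoice per PO (no partial invoicing).

```python
from collections import namedtuple
from decimal import Decimal as D

PurchaseOrder = namedtuple("PurchaseOrder", "number vendor amount raised_by approved_by")
Invoice = namedtuple("Invoice", "number vendor amount po_number")

def match_invoice(inv, pos, invoiced_pos, tolerance=D("0.02")):
    """Return exception flags for one invoice; an empty list is a clean match."""
    if not inv.po_number:
        return ["NO_PO_REFERENCE"]            # invoice cites no order at all
    po = pos.get(inv.po_number)
    if po is None:
        return ["PO_NOT_FOUND"]               # cited order is not in the system
    flags = []
    # Assumption: "separate sign-off" means an approver other than the raiser.
    if po.approved_by is None or po.approved_by == po.raised_by:
        flags.append("PO_NOT_INDEPENDENTLY_APPROVED")
    if inv.vendor.strip().lower() != po.vendor.strip().lower():
        flags.append("VENDOR_MISMATCH")
    if abs(inv.amount - po.amount) > po.amount * tolerance:
        flags.append("PRICE_VARIANCE")
    if inv.po_number in invoiced_pos:
        flags.append("PO_ALREADY_INVOICED")
    return flags

def run_intake(invoices, pos):
    """Match invoices in arrival order; a PO is consumed by its first clean match."""
    invoiced, results = set(), {}
    for inv in invoices:
        results[inv.number] = match_invoice(inv, pos, invoiced)
        if not results[inv.number]:
            invoiced.add(inv.po_number)
    return results

# Constructed sample data (vendors, users and amounts are invented).
POS = {p.number: p for p in [
    PurchaseOrder("PO-1001", "Acme Cleaning", D("1200.00"), "alice", "bob"),
    PurchaseOrder("PO-1002", "Northside IT", D("3000.00"), "carol", "bob"),
    PurchaseOrder("PO-1003", "Desk Direct", D("900.00"), "dave", "dave"),
]}
INVOICES = [
    Invoice("INV-1", "Acme Cleaning", D("1200.00"), "PO-1001"),
    Invoice("INV-2", "Brightline Web Design", D("4500.00"), None),
    Invoice("INV-3", "Northside IT", D("3450.00"), "PO-1002"),
    Invoice("INV-4", "Acme Cleaning", D("1200.00"), "PO-1001"),
    Invoice("INV-5", "Desk Direct", D("900.00"), "PO-1003"),
]
if __name__ == "__main__":
    print(run_intake(INVOICES, POS))
```

Only INV-1 matches cleanly; each of the other four sample invoices trips the flag for one scenario and would go to exception review rather than to an approver.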

Why many businesses still lack PO discipline

Most businesses that skip purchase orders do so because of how they grew. In the early stage, the founder or a single manager handles all purchasing informally. There is no need for a paper trail when one person makes all decisions. As the business grows and more people can initiate purchases, the informal system persists because changing it requires effort and there has not yet been an obvious failure.

The absence of PO controls becomes visible when something goes wrong: a fraudulent invoice is paid, a supplier invoices above the contract rate for several months before anyone notices, or an internal audit finds that a number of payments have no authorisation trail.

Australian businesses are not unusual in this pattern. According to DocuClipper’s 2024 AP research, 86 percent of SMBs still enter invoice data manually, which correlates strongly with the absence of structured purchasing processes. Manual invoice processing and informal purchasing practices tend to coexist.

Implementing PO controls: the practical steps

Step 1: Define what requires a PO. Not every purchase needs a formal purchase order. Set a threshold - typically AU$500 to AU$2,000 - below which purchases can be made without a PO but above which a PO is required. Apply this consistently.

Step 2: Identify who can raise POs. Restrict PO creation to designated purchasers or require approval before a PO is issued above a threshold. If anyone can raise an unlimited PO, the control is limited. The PO approval process is a separate control from the invoice approval process.

Step 3: Require suppliers to reference POs on invoices. Communicate to your regular suppliers that invoices should include the purchase order number. Most suppliers will comply, as it often speeds up their payment. This makes PO matching at invoice intake possible.

Step 4: Configure PO matching in your AP system. Once POs are being issued consistently and suppliers are referencing them, configure your AP automation platform to flag invoices without PO references and to run price and quantity matching on invoices that do reference a PO. Pulsify’s PO matching runs this check at intake before invoices enter the approval workflow.

Step 5: Review the exception rate monthly. For the first three months, review what percentage of invoices are being flagged and why. A high exception rate indicates either tolerance settings that are too tight or supplier compliance that is still improving. Adjust accordingly.

PO matching as one layer in a broader control framework

Purchase order matching addresses one specific fraud vector: invoices submitted without corresponding authorised orders. It does not address all AP fraud risks.

Payment redirection fraud - where a legitimate supplier’s invoice has its bank details changed - bypasses PO matching because the PO exists and the invoice otherwise looks legitimate. This requires vendor bank detail monitoring, which is a separate control. Pulsify’s validation and exception review includes vendor bank detail monitoring alongside PO matching, creating the layered control framework that addresses multiple fraud vectors rather than one.

The combination of PO matching, vendor bank detail monitoring, duplicate detection, and multi-level approval routing represents the full controls layer that sits in front of Xero and MYOB for Australian businesses serious about AP fraud prevention.

A practical framework for deciding which AP decisions are safe to automate and which require a human checkpoint is available at The Reversibility Test - Pulsify’s reference guide to the automation boundary in AP.

Sources: ACCC Targeting Scams Report 2024 · DocuClipper AP Statistics 2024 · ATO eInvoicing for business

Frequently asked questions

How do purchase orders prevent accounts payable fraud?

Purchase orders create an authorised record of what a business agreed to buy before any invoice arrives. An AP system with PO matching can reject or flag invoices that have no corresponding purchase order, making it structurally impossible for a fraudulent invoice to proceed to approval without first bypassing the ordering process - a much harder barrier to circumvent.

What types of AP fraud do purchase orders prevent?

Purchase orders prevent vendor fraud involving invoices for goods or services never ordered, overbilling where invoice amounts exceed agreed prices, duplicate invoices submitted against the same order, and internal fraud where an employee creates an invoice for an unapproved purchase. PO matching flags all four scenarios because none produce a valid PO-to-invoice match.

What is payment redirection fraud and does PO matching help?

Payment redirection fraud uses a fraudulent invoice with altered bank details for a legitimate supplier. PO matching does not directly prevent this - the fraud involves a legitimate supplier, so the PO may exist. Vendor bank detail monitoring, which checks incoming bank numbers against historical records, is the specific control for payment redirection fraud alongside PO matching.

How much AP fraud occurs in Australian businesses each year?

The National Anti-Scam Centre's Targeting Scams Report 2024 found Australian businesses lost AU$152.6 million to payment redirection scams in 2024, a 66 percent increase from AU$91.6 million the prior year. This figure covers one type of fraud. Internal AP fraud and vendor overbilling losses are separately estimated in the hundreds of millions annually across the Australian business sector.

What is the link between PO discipline and AP audit readiness?

Consistent PO issuance creates a documented trail connecting every payment to an authorised commitment. Auditors testing the procure-to-pay process look for evidence that every significant payment was pre-authorised through a formal order. Businesses with high PO coverage - where most invoices match a corresponding PO - pass this audit test. Businesses without POs have no evidence of pre-authorisation.
