There’s a specific point in a business’s growth where AP fraud risk peaks. Not at the start, when the owner is reviewing every invoice personally and knows every supplier by name. Not at enterprise scale, where a dedicated AP function has formal controls, segregation of duties, and a fraud team. The peak is in the middle - the 10-to-50-person Australian business that has grown past personal oversight but hasn’t yet built the structure that replaces it.
SMB accounting in Australia sits in this gap more than people realise. The business is running Xero or MYOB, has a bookkeeper or part-time CFO managing AP, and processes between 30 and 200 invoices per month. That’s enough volume for manual verification to become inconsistent. It’s not enough scale to justify a dedicated AP officer whose job includes running systematic fraud checks.
Why This Size Has the Highest Per-Invoice Exposure
A sole trader paying ten invoices a month reviews each one personally. The owner knows who Boral is, knows the approximate cost of their last concrete order, and would immediately notice an invoice from a supplier they’ve never used. Personal familiarity is a functional, if informal, control.
An enterprise processing ten thousand invoices a month has a dedicated AP team, formal vendor onboarding processes, bank detail change verification protocols, segregation of duties enforced at the system level, and an internal audit function that reviews AP activity periodically. Scale justified the investment in controls.
A 20-person business processing 80 invoices a month has neither. The owner is running the business, not reviewing invoices. The bookkeeper is entering invoices into Xero, coding them, chasing approvals via email, and processing the payment run - all four functions done by the same person or a small team without formal separation between them. Supplier bank details are stored in MYOB from when the supplier was first set up. Nobody compares the bank account number on the current invoice against what’s stored unless the amount looks wrong.
This is the setup that business email compromise is specifically designed to exploit. The ACCC’s National Anti-Scam Centre reported AU$152.6 million in payment redirection losses for Australian businesses in 2024. The fraud works precisely because the targeted businesses have established supplier relationships - which means a fraudulent invoice from a familiar supplier name doesn’t immediately raise suspicion - but lack the automated verification that would catch the changed bank account number.
Where the Controls Break Down
In a 15-person business, the bookkeeper typically receives invoices, enters them, codes them, routes them for approval, and processes the payment run. Every step. That’s not negligence - it’s what happens when there’s one finance person and a lot to get through. But it means a fraudulent invoice that clears the approval step has no second checkpoint before funds leave the account.
Segregation of duties is the control that addresses this. The person who approves a payment shouldn’t be the person who executes it. It doesn’t require a second AP officer. It can be as simple as the payment run summary going to the business owner for a 90-second review before the bank transfer is released. Most SMBs haven’t configured this because nobody identified it as a gap until something went wrong.
The second failure is treating supplier validation as a one-time event. When a supplier is first set up, their bank details go into MYOB or Xero and largely stay there. The problem is that changing those details is exactly how payment redirection fraud works. An attacker sends a convincing bank detail update, the AP officer processes it, and future payments go to the wrong account. The control - comparing the bank account number on every incoming invoice against the stored record - needs to run on each invoice, not just when a supplier is onboarded. In a manual process, that check depends on someone remembering while processing 80 other invoices that month.
The third gap is subtler. At 30 to 80 invoices per month, an experienced bookkeeper can physically get through all of them. Processing and verifying are different tasks, though. Processing takes time. Verifying takes attention. When the queue is long and month-end is close, attention goes to getting invoices through rather than checking each one carefully.
Duplicate detection is where this shows up most clearly. At 80 invoices per month from 25 suppliers, remembering whether invoice #INV-2847 from BuildersDirect was already processed last month requires either excellent recall or checking the supplier’s history before approving. Under pressure, the check gets skipped. The duplicate clears. It might surface when the supplier sends a statement. Often it doesn’t surface at all.
What Good SMB Accounting Controls Look Like
The controls that address these gaps aren’t complex. They don’t require a restructure or additional headcount. They require the right configuration in a tool designed for this.
Automated bank detail comparison on every invoice. Not every new supplier - every invoice. The comparison is a system rule, not a manual step, so it doesn’t depend on the bookkeeper’s time or memory. A mismatch generates a specific flag and holds the invoice until it’s verified by a call to the supplier’s existing contact number.
ABN verification at onboarding, with periodic re-checking for high-value suppliers. The ATO’s ABN Lookup is queryable in real time. A cancelled or mismatched ABN is a signal worth reviewing before payment is approved.
Approval thresholds enforced in the system, not in a policy document. Invoices under AU$2,000 route to one approver; above AU$5,000 escalate automatically. The system doesn’t allow someone to approve an invoice above their configured authority limit. This makes the delegation of authority policy real rather than aspirational.
A second checkpoint between approval and payment. Even if it’s just the owner reviewing a payment summary for thirty seconds before authorising the bank run, that step means no individual controls the full cycle unilaterally.
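The four controls above, together with the duplicate check described earlier, reduce to a handful of rules that run on every invoice before it reaches the accounting system. The following is an added example written for this article, not code from any AP platform, Xero or MYOB. It assumes a small in-memory vendor master standing in for the stored supplier records, a local ABN checksum (the ATO-published weighting algorithm) in place of a live ABN Lookup call, and an assumed middle approval band between AU$2,000 and AU$5,000 that the article does not specify. Supplier names, invoice numbers, BSBs and account numbers are constructed sample values.

```python
"""Invoice-level AP controls for a small business: stored-vs-invoice bank
detail comparison, ABN checksum, duplicate detection, threshold-based
approval routing and a separate release checkpoint. Constructed example;
the vendor master is in-memory and no live ABN Lookup is performed."""
from dataclasses import dataclass

# Weights published by the ATO for validating the ABN check digits.
ABN_WEIGHTS = (10, 1, 3, 5, 7, 9, 11, 13, 15, 17, 19)


def abn_checksum_ok(abn: str) -> bool:
    """Structural ABN check only (no network call): subtract 1 from the
    first digit, weight each digit, and the total must divide by 89."""
    compact = abn.replace(" ", "")
    if len(compact) != 11 or not compact.isdigit():
        return False
    digits = [int(c) for c in compact]
    digits[0] -= 1
    return sum(d * w for d, w in zip(digits, ABN_WEIGHTS)) % 89 == 0


@dataclass(frozen=True)
class Supplier:
    name: str
    abn: str
    bsb: str
    account: str


@dataclass(frozen=True)
class Invoice:
    supplier: str
    number: str
    amount: float
    abn: str
    bsb: str
    account: str


# Constructed vendor master standing in for the supplier records in Xero/MYOB.
# The ABN is the ATO's publicly documented example value; bank details are made up.
SUPPLIERS = {
    "BuildersDirect": Supplier("BuildersDirect", "51 824 753 556", "062-000", "12345678"),
}


def approval_route(amount: float) -> str:
    """Bands from the article: under 2,000 one approver, above 5,000 escalate.
    The middle band and the role names are assumptions for this example."""
    if amount < 2000:
        return "single_approver"
    if amount <= 5000:
        return "finance_manager"
    return "owner_escalation"


def can_approve(approver_limit: float, amount: float) -> bool:
    """Authority limit enforced by the system rather than a policy document."""
    return amount <= approver_limit


def review_invoice(inv: Invoice, suppliers: dict, processed: set) -> dict:
    """Run every control on one invoice. Any flag holds the invoice for
    verification via the supplier's existing contact details."""
    flags = []
    sup = suppliers.get(inv.supplier)
    if sup is None:
        flags.append("UNKNOWN_SUPPLIER")
    else:
        # The comparison runs on every invoice, not only at onboarding.
        if (inv.bsb, inv.account) != (sup.bsb, sup.account):
            flags.append("BANK_DETAIL_MISMATCH")
        if inv.abn.replace(" ", "") != sup.abn.replace(" ", ""):
            flags.append("ABN_MISMATCH")
    if not abn_checksum_ok(inv.abn):
        flags.append("ABN_CHECKSUM_INVALID")
    # Duplicate key: supplier plus normalised invoice number.
    key = (inv.supplier.lower(), inv.number.strip().upper())
    if key in processed:
        flags.append("DUPLICATE_INVOICE")
    return {"hold": bool(flags), "flags": flags,
            "route": approval_route(inv.amount), "key": key}


def release_payment_run(approved_by: str, released_by: str) -> bool:
    """Second checkpoint: whoever releases the bank run must differ from
    the approver, so no one person controls the full cycle."""
    return approved_by != released_by


if __name__ == "__main__":
    processed = {("buildersdirect", "INV-2846")}  # already paid last month
    good = Invoice("BuildersDirect", "INV-2847", 1850.00, "51 824 753 556", "062-000", "12345678")
    redirected = Invoice("BuildersDirect", "INV-2848", 6400.00, "51 824 753 556", "063-999", "99999999")
    dup = Invoice("BuildersDirect", "INV-2846", 1850.00, "51 824 753 556", "062-000", "12345678")
    for inv in (good, redirected, dup):
        result = review_invoice(inv, SUPPLIERS, processed)
        print(inv.number, result)
        if not result["hold"]:
            processed.add(result["key"])
    print("release ok:", release_payment_run("bookkeeper", "bookkeeper"))
```

The point of the structure is that each control is a function the system calls on every invoice, so none of them depends on the bookkeeper remembering to check. The duplicate key is normalised (case and whitespace) because the same invoice re-sent as "inv-2846 " should still match, and the release check refuses a run where the approver and the releaser are the same identity.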
For an AP automation platform to deliver these controls for an SMB, the integration with Xero or MYOB needs to be direct - not through exports or middleware - and the validation needs to run before invoices reach the accounting system, not after.
The Practical Upside
The argument for controls in SMB accounting is usually framed around risk prevention, which is real but abstract until something goes wrong. There’s a more immediate practical argument.
A bookkeeper spending four hours per week on manual invoice processing - data entry, coding, chasing approvals, resolving mismatches - is spending roughly 200 hours per year on tasks that a properly configured AP tool handles automatically. At AU$40 per hour, that’s AU$8,000 in labour time. The exception-review model, where the bookkeeper handles only flagged invoices and confirmations, typically takes 30 to 45 minutes per week for the same invoice volume. The freed time goes somewhere more useful.
The fraud prevention case and the efficiency case point to the same solution. For a 15-to-30-person Australian business on Xero or MYOB, the gap isn’t the accounting software. It’s the controls layer that sits in front of it.
Sources: ACCC National Anti-Scam Centre - Targeting Scams Report 2024 · ACCC - Business Email Compromise · ATO - ABN Lookup and verification