Finance teams commonly present their AP automation platform to auditors as evidence that financial controls are in place. The assumption is that a modern platform with an approval workflow and an audit trail satisfies audit requirements for AP governance. In practice, auditors look at something different from what finance teams expect - and the gap between what the platform records and what the auditor needs is where most AP audit findings originate.
The Melbourne professional services finding
An external auditor reviewing a Melbourne professional services firm’s AP records for the financial year found that every bill had an approval event recorded: a user name and a timestamp. The auditor asked four questions.
First: could the person who approved bills also enter them? Yes - no segregation was enforced in the platform. Second: were any bills approved above the authority limits documented in the firm’s internal finance policy? The finance team couldn’t answer because the policy thresholds weren’t reflected in the platform configuration. This is precisely why delegation of authority needs to be enforced in the system, not just documented. Third: what was the supplier’s bank account number at the time each bill was approved? The audit trail didn’t capture this. Fourth: had any bills been processed without matching purchase orders where POs were required by policy? There was no tracking.
Four control gaps. None of them addressed by the approval platform. The platform had been presented as evidence of strong AP controls. It was evidence of a workflow. Those are different things.
What are auditors looking for?
The audit procedures for AP governance typically cover four areas.
Segregation of duties test. Are the invoice entry, approval, and payment functions performed by different individuals? Can the system prevent someone from approving their own entries? Most AP platforms record who performed each action - fewer actively prevent the same person from performing multiple actions.
Authority compliance test. For a sample of approved invoices, was each approved by someone with documented authority for that value? This requires two things: a written approval matrix, and evidence that the workflow enforced it. If the matrix exists only in a document and the platform doesn’t enforce it, the auditor will find approvals that exceeded the approver’s documented authority. This is a finding even if the payments were legitimate.
Supplier verification evidence. For high-value or new suppliers, is there evidence that bank details were verified before payment? If the audit trail doesn’t capture the supplier’s bank account at the point of approval, the auditor may request separate verification records - which usually means manual reconstruction from email.
Duplicate payment test. Were any invoices paid twice in the audit period? This is typically tested through data analysis on the bill list, looking for same-supplier, same-amount combinations. The question for audit purposes isn’t just whether duplicates occurred - it’s whether the AP process was designed to catch them before payment.
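The four tests above can be run as data analysis over an export of approved bills. The following is an added example, not code from the original article or from any AP vendor; the field names, approval matrix, and sample rows are hypothetical and constructed for illustration.

```python
from collections import defaultdict
from decimal import Decimal

# Hypothetical approval matrix: approver -> maximum bill value they may approve.
APPROVAL_MATRIX = {"alice": Decimal("5000"), "bob": Decimal("50000")}

FIELDS = ("id", "supplier", "amount", "entered_by", "approved_by", "bank_at_approval")
# Constructed sample rows (not real data, not any platform's export format).
ROWS = [
    ("B1", "Acme Pty Ltd", "1200.00", "carol", "alice", "000-000 00000001"),
    ("B2", "acme pty ltd ", "1200.00", "carol", "bob", "000-000 00000001"),  # repeats B1
    ("B3", "Birch Legal", "8000.00", "carol", "alice", "000-000 00000002"),  # over limit
    ("B4", "Cedar IT", "300.00", "bob", "bob", "000-000 00000003"),          # self-approved
    ("B5", "Dune Freight", "450.00", "carol", "bob", None),                  # no bank snapshot
]
BILLS = [{**dict(zip(FIELDS, r)), "amount": Decimal(r[2])} for r in ROWS]

def segregation_failures(bills):
    """Bills entered and approved by the same user."""
    return [b["id"] for b in bills if b["entered_by"] == b["approved_by"]]

def authority_breaches(bills, matrix):
    """Bills above the approver's documented limit; an unlisted approver has limit 0."""
    return [b["id"] for b in bills
            if b["amount"] > matrix.get(b["approved_by"], Decimal("0"))]

def missing_bank_evidence(bills):
    """Bills whose approval record carries no supplier bank account snapshot."""
    return [b["id"] for b in bills if not b["bank_at_approval"]]

def duplicate_candidates(bills):
    """Groups of bills sharing supplier and amount; candidates for review, not proof."""
    groups = defaultdict(list)
    for b in bills:
        # Normalise supplier names so case and stray whitespace do not hide a match.
        groups[(b["supplier"].strip().lower(), b["amount"])].append(b["id"])
    return [ids for ids in groups.values() if len(ids) > 1]

def audit_report(bills, matrix):
    """Run all four tests and return the exceptions found by each."""
    return {
        "segregation_of_duties": segregation_failures(bills),
        "authority_compliance": authority_breaches(bills, matrix),
        "supplier_verification": missing_bank_evidence(bills),
        "duplicate_payment": duplicate_candidates(bills),
    }

if __name__ == "__main__":
    for test_name, hits in audit_report(BILLS, APPROVAL_MATRIX).items():
        print(f"{test_name}: {hits}")
```

A report like this only detects exceptions after the fact; the audit question raised above is whether the workflow blocks them before approval or payment.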
Why does the gap between AP platforms and auditor expectations persist?
AP automation tools are primarily marketed as efficiency solutions: faster processing, less manual entry, reduced cycle times. The control layer - what auditors care about - is secondary in most vendor marketing and, in many platforms, secondary in the actual product design.
This creates a structural mismatch. Finance teams adopt a tool that makes their workflow faster, and use the presence of an audit trail as evidence of governance. The audit trail confirms processing activity. It doesn’t confirm that the approver had authority for that value, that the supplier’s identity was verified, that the invoice wasn’t a duplicate of one already paid, or that the approval step couldn’t be bypassed.
The most commonly used AP configuration in Australian SMBs - Dext for extraction, Xero or MYOB for the ledger, native approval workflows - addresses none of those four. A modern AP system needs to handle all of them in a single workflow. The most common third-party addition, ApprovalMax, addresses approval workflow governance but not supplier validation or duplicate detection at intake.
What the platform needs to be able to show an auditor
A finance team preparing for external audit should be able to produce from the AP system: approval records that show both the approval event and the supplier’s bank details at the point of approval; evidence that value-based thresholds were enforced by the workflow rather than just documented in policy; a log of any exceptions - flagged invoices, escalations, rejections - with resolution records; and confirmation that the approval step couldn’t be bypassed by any user without logging that action.
If the platform can’t generate these from system records, the finance team will compile the evidence manually from email and accounting system logs. That’s the scenario that creates audit delay, audit findings, and - if the manual reconstruction reveals discrepancies - questions about whether the AP process was actually controlled.
The goal isn’t a sophisticated approval workflow for its own sake. It’s an AP process that produces the evidence an auditor needs without requiring the finance team to reconstruct it from scratch each year.