Invoice routing automation solves a genuine problem: invoices that used to sit in email inboxes, get forwarded to the wrong approver, or disappear for days now move through a structured queue. That’s real value. The problem is that routing invoices faster without first validating what’s in them doesn’t reduce AP risk - it accelerates it.
The controls that catch fraud and errors don’t live in the approval step. They belong upstream, between invoice receipt and the approval queue, running automatically before a human sees the invoice. Bank detail validation, duplicate detection, ABN verification, PO matching - these checks can’t be done effectively by an approver during the approval step, because the approver’s job is to decide whether the expenditure is authorised, not to perform the data verification that should have already happened.
The Perth scenario: what ungoverned automation looks like in practice
A financial controller at a Perth electrical subcontractor was processing around 70 invoices a week through Xero. Invoices arrived by email, were forwarded to the business owner for approval, then returned for payment. When a long-term supplier’s email was compromised in late 2024, an invoice with altered bank details arrived in the usual inbox. The format was correct. The supplier name was right. The amount was plausible. The owner approved it. The automated payment ran. The fraud succeeded because verifying the supplier’s bank account number against the stored record had never been built into the workflow.
This is not a failure of attention or trust. It’s a failure of process design. The approver was doing exactly what the workflow asked them to do - review the invoice and approve it. Nobody in the workflow was responsible for checking whether the bank account number matched the one that had been used for the last 18 invoices from that supplier. This is a textbook example of AP fraud vulnerability in Australian businesses. In a manual process, that check depends on someone remembering to do it. In an automated process that doesn’t include supplier validation, it simply doesn’t happen.
The ACCC’s National Anti-Scam Centre reported AU$152.6 million in payment redirection losses across Australian businesses in 2024. These losses concentrate in businesses with established supplier relationships and manual or uncontrolled verification processes - which describes most 15-to-50-person businesses that have implemented basic routing automation without a controls layer.
What are the three control gaps that create the most exposure?
Supplier bank detail verification absent from the workflow. When an invoice arrives, the bank account number on it should be automatically compared against the account stored for that supplier in the system. A mismatch should hold the invoice immediately, before routing. Most basic approval routing tools don’t do this. They route the invoice to the approver with the changed bank details included, and the approver approves it without knowing the details have changed.
Duplicate detection happening after approval, not before. Duplicate invoices - same supplier, same amount, same reference number resubmitted weeks later - often look legitimate to an approver who doesn’t remember the original invoice. Duplicate detection that runs at the ledger level, after approval, catches the duplicate only after an authorised approval has been recorded. Detection that runs at intake, before the invoice reaches any queue, holds it for review without ever asking an approver to make a decision on potentially fraudulent data.
Approval authority not enforced by the system. An invoice approval workflow that routes invoices to a named person doesn’t enforce that person’s approval authority limits. A project manager with a documented authority limit of AU$5,000 can approve a AU$45,000 subcontractor invoice if the routing tool doesn’t know the limit exists. Enforcing delegation of authority requires the system to hold or escalate invoices that exceed the approver’s configured limit - not just route them to their inbox.
What should the controls layer do?
Before any invoice reaches an approver, the system should have already answered four questions: Is this supplier’s bank account the same as last time? Has this invoice reference been processed before? Is the ABN active and matching the entity name? Does the amount align with what was ordered?
These aren’t judgment calls - they’re structured comparisons against known data, the kind of internal controls that should run automatically on every invoice. A system rule runs them on every invoice in milliseconds. A human check depends on the AP officer’s memory and time, and gets skipped when volume and deadline pressure collide.
When a check fails - when the bank account has changed, or the invoice is a near-duplicate, or the ABN doesn’t match - the invoice gets held with a specific flag explaining exactly what triggered the hold. Not “review required,” but “bank account differs from last payment: previously 06-2341 123456789, now 06-2341 987654321 - verify by calling supplier’s existing contact before approving.” The flag should tell the reviewer precisely what to do to resolve it.
The approver’s decision, when they see a validated invoice, is whether the expenditure is authorised. That’s the judgment call that belongs with a human. The data verification that precedes it is a structured, repeatable check that belongs with a system.
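The intake checks described above, sketched as an added example (not code from any AP product or from Xero). The supplier ID, approver names, limits and invoice references are constructed sample data, and only three checks are shown: stored bank account comparison, duplicate reference detection at intake, and approver authority limit. ABN and PO matching need external data and are left out.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Invoice:
    supplier_id: str
    reference: str
    amount: Decimal
    bank_account: str
    approver: str

# Constructed sample state (hypothetical supplier, prior invoice and approvers).
SUPPLIER_BANK = {"SUP-001": "06-2341 123456789"}
PROCESSED = {("SUP-001", "INV-1001")}
AUTHORITY_LIMIT = {"project.manager": Decimal("5000"), "owner": Decimal("100000")}

def digits(account: str) -> str:
    """Compare digits only, so spacing or hyphen differences are not a mismatch."""
    return "".join(ch for ch in account if ch.isdigit())

def intake_checks(inv: Invoice) -> list[str]:
    """Return hold flags; an empty list means the invoice may be routed."""
    flags = []
    stored = SUPPLIER_BANK.get(inv.supplier_id)
    if stored is None:
        flags.append("no stored bank account for supplier: verify before routing")
    elif digits(stored) != digits(inv.bank_account):
        flags.append(
            f"bank account differs from last payment: previously {stored}, "
            f"now {inv.bank_account} - verify by calling supplier's existing "
            f"contact before approving"
        )
    key = (inv.supplier_id, inv.reference.strip().upper())
    if key in PROCESSED:
        flags.append(f"reference {inv.reference.strip()} already processed for this supplier")
    limit = AUTHORITY_LIMIT.get(inv.approver, Decimal("0"))  # unknown approver: hold
    if inv.amount > limit:
        flags.append(f"amount AU${inv.amount} exceeds {inv.approver} limit AU${limit}: escalate")
    return flags

def route(inv: Invoice) -> tuple[str, list[str]]:
    """Hold on any flag; otherwise record the reference and release to the queue."""
    flags = intake_checks(inv)
    if flags:
        return ("HELD", flags)
    PROCESSED.add((inv.supplier_id, inv.reference.strip().upper()))
    return ("ROUTED", [])
```
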
Why routing tools are sometimes described as control layers
The marketing around approval workflow software often conflates routing with control. “Automated approvals” and “approval controls” sound similar but describe different functions. A routing tool sends invoices to approvers. A controls platform validates invoices before routing them.
Xero’s native bill approval is a routing tool. It’s effective at what it does: forwarding bills to nominated approvers and recording the approval. It doesn’t validate supplier bank details against stored records, detect duplicates at intake, or enforce approval authority limits. These aren’t gaps in Xero’s execution - they’re outside the scope of what an accounting system is designed to do. The control layer belongs in a dedicated AP platform that sits between invoice receipt and the accounting system, not inside the accounting system itself.
For businesses that have outgrown manual checks but haven’t yet built a governed automated workflow, the AP automation overview covers what a complete workflow - controls layer included - looks like in practice.
Sources: ACCC National Anti-Scam Centre - Targeting Scams Report 2024 · ATO - E-invoicing and invoice processing in Australia · ACCC - Business Email Compromise