Why Duplicate Detection Belongs in Every AP Audit
Duplicate payments don't blow up. They bleed. One ACH at a time, to real vendors you actually owe, in amounts small enough that nobody flags them — until the year-end audit lands and someone finally adds it all up. By then the cash is gone and the trail is cold.
Most AP audit checklists from Stampli, BILL, and AvidXchange list "check for duplicate invoices" as a single line item. That framing is the problem. Duplicate payments aren't one control failure — they're the downstream symptom of weak vendor master data, broken three-way matching, missing exception reporting, and fragmented segregation of duties. A modern AP audit treats duplicates the way a good doctor treats a fever: as a signal pointing somewhere else, not the thing you dose away.
The Association of Finance Professionals estimates duplicate payments cost businesses 0.1% to 0.3% of invoice spend annually. For a company processing $50M in AP, that's $50K to $150K leaking out the door every year. Recovery audits typically claw back 60% to 80% of identified duplicates — but only when the trail held up.
The 15 steps below are what a thorough internal AP audit looks like in 2026. Steps are grouped by phase. Each one names a specific action and explains why it matters.
Phase 1: Audit Preparation (Steps 1-3)
Before you can hunt duplicates, you need a clean dataset and a defined boundary around it. Skip this phase and every test downstream produces noise.
1. Define audit scope and time period. Pick a window — usually the last 12 months or the current fiscal year — and document which entities, currencies, and payment methods are in scope. Without that boundary, your duplicate analysis will either miss recent payments or drown in legacy data.
2. Pull a complete invoice extract from your ERP. Export invoice number, vendor ID, vendor name, gross amount, invoice date, posting date, PO number, payment date, payment reference, and approver. This dataset is the foundation for every test that follows. Skimp here and the rest of the audit is built on sand.
3. Reconcile the extract to the GL. Sum your invoice extract and tie it to the AP expense accounts in the general ledger. If the totals don't match, stop and find the gap before running any tests. We've seen duplicates hide in unposted batches and sub-ledger reconciliation gaps more times than we can count — exactly the places a sloppy extract conveniently skips.
Phase 2: Vendor Master Review (Steps 4-6)
A clean dataset still produces false negatives if the vendor master is dirty. The next three steps clean the lookup table that every duplicate test depends on.
4. Review the vendor master for fuzzy duplicates. Sort by name, tax ID, bank account, and address — then look for near-matches. "ACME Corp," "Acme Corporation," and "ACME, Inc." sharing one address is the single most common source of duplicate payments we see in the wild. Same invoice gets entered against each record, no system check trips, money goes out twice. In recovery audits, fuzzy vendor duplicates account for an estimated 30% to 40% of the cash recovered.
5. Verify all active vendors have a tax ID and bank account on file. Vendors with missing or shared bank accounts are a fraud red flag and a duplicate-payment risk rolled into one. Document every exception. Require remediation before the audit closes.
6. Test for inactive vendors with recent activity. Run a query for vendors flagged "inactive" or "blocked" that received payments during the audit period. Reactivated vendors are a classic duplicate vector: instead of unlocking the existing record, AP staff spin up a second one — and now the same invoice can be paid against both.
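A sketch of the step 4 vendor-master comparison, added here as an illustration; it is not code from the article's author or from any AP product. The field names, the suffix list, the 0.85 name threshold and the "two signals" rule are assumptions, and the vendor rows are constructed.

```python
import re
from difflib import SequenceMatcher
from itertools import combinations

# Constructed vendor master rows (not from any real system).
VENDORS = [
    {"id": "V001", "name": "ACME Corp", "tax_id": "12-3456789", "bank": "BANK-A:0001", "address": "1 Main St, Springfield"},
    {"id": "V002", "name": "Acme Corporation", "tax_id": "", "bank": "BANK-A:0001", "address": "1 Main Street, Springfield"},
    {"id": "V003", "name": "ACME, Inc.", "tax_id": "12-3456789", "bank": "", "address": "1 Main St., Springfield"},
    {"id": "V004", "name": "Apex Logistics LLC", "tax_id": "98-7654321", "bank": "BANK-B:0002", "address": "9 Dock Rd, Newark"},
]

LEGAL_SUFFIXES = {"corp", "corporation", "inc", "incorporated", "llc", "ltd", "co", "company"}
ABBREVIATIONS = {"street": "st", "road": "rd", "avenue": "ave"}

def normalize_name(name):
    """Lowercase, strip punctuation, drop legal-form suffixes."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in LEGAL_SUFFIXES)

def normalize_address(address):
    """Lowercase, strip punctuation, collapse common street-type spellings."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", address.lower()).split()
    return " ".join(ABBREVIATIONS.get(t, t) for t in tokens)

def candidate_pairs(vendors, name_threshold=0.85):
    """Return (id_a, id_b, reasons) for pairs that look like one legal entity."""
    out = []
    for a, b in combinations(vendors, 2):
        reasons = []
        # Blank values never count as a match: two vendors missing a tax ID
        # are a step 5 exception, not evidence of a duplicate.
        if a["tax_id"] and a["tax_id"] == b["tax_id"]:
            reasons.append("tax_id")
        if a["bank"] and a["bank"] == b["bank"]:
            reasons.append("bank")
        if normalize_address(a["address"]) == normalize_address(b["address"]):
            reasons.append("address")
        ratio = SequenceMatcher(None, normalize_name(a["name"]), normalize_name(b["name"])).ratio()
        if ratio >= name_threshold:
            reasons.append("name")
        # Assumed rule: one signal alone is too noisy, so require at least two.
        if len(reasons) >= 2:
            out.append((a["id"], b["id"], reasons))
    return out
```

Each returned pair is a review candidate for the working papers, not a confirmed duplicate; the reasons list tells the reviewer which attributes to verify with the vendor.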
Phase 3: Transaction-Level Testing (Steps 7-10)
Scope is set. Vendor master is clean. Now duplicates actually start to surface. Expect this phase to eat the majority of your audit hours — and to deliver the bulk of the recovered cash.
7. Run a four-tier duplicate detection scan. Don't just check for identical invoice numbers. That catches less than half of real duplicates, because resubmitted invoices are often re-numbered or reformatted along the way. Run four tests: (a) exact invoice file hash, (b) same invoice number plus vendor across the period, (c) same amount plus date plus vendor (this is the one that catches reformatted resubmissions), and (d) fuzzy match on filename plus file size for PDF attachments. This is the single highest-ROI step in the entire checklist. We covered the methodology in The Complete Guide to Duplicate Invoice Detection.
8. Validate three-way match completion. Sample 50 to 100 invoices and confirm each one has a matching PO and goods receipt. Three-way matching is the strongest control you have against duplicate billing — vendors can't bill twice for the same receipt unless somebody overrides the match. See our three-way matching deep dive for sampling methodology.
9. Investigate every manually overridden match. Pull each invoice where the three-way match was bypassed and document the business reason. Overrides are where duplicate payments and outright fraud both tend to live. They should never be routine. A healthy AP function overrides on fewer than 5% of matched invoices — anything north of that, you've found your starting point.
10. Test invoices entered without a PO. Non-PO invoices skip the strongest duplicate control entirely. Sample at least 25 from each high-spend category — utilities, professional services, software, marketing — and verify the supporting documentation and approval.
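The four tests from step 7, run over a small constructed extract. This is an added example, not DupeInvoice's or any vendor's implementation; the record layout, the 0.8 filename-similarity threshold and the 2% size tolerance are assumptions.

```python
import hashlib
from collections import defaultdict
from decimal import Decimal
from difflib import SequenceMatcher
from itertools import combinations

# Constructed invoice records; "pdf" stands in for the attachment bytes.
INVOICES = [
    {"id": 1, "vendor": "V001", "number": "INV-1001", "amount": "1250.00", "date": "2026-01-15", "file": "acme_inv_1001.pdf", "pdf": b"%PDF original 1001"},
    {"id": 2, "vendor": "V001", "number": "inv-1001", "amount": "1250.0", "date": "2026-01-15", "file": "scan0042.pdf", "pdf": b"%PDF original 1001"},
    {"id": 3, "vendor": "V001", "number": "1001-R", "amount": "1250.00", "date": "2026-01-15", "file": "acme_inv_1001_v2.pdf", "pdf": b"%PDF reissued 1001"},
    {"id": 4, "vendor": "V002", "number": "INV-1001", "amount": "88.10", "date": "2026-02-01", "file": "globex_feb.pdf", "pdf": b"%PDF globex february!!"},
]

def _pairs_from_groups(invoices, key):
    """Group invoices by key(inv) and return every id pair sharing a key."""
    groups = defaultdict(list)
    for inv in invoices:
        groups[key(inv)].append(inv["id"])
    return {p for ids in groups.values() for p in combinations(sorted(ids), 2)}

def four_tier_scan(invoices, name_ratio=0.8, size_tolerance=0.02):
    """Return {(id_a, id_b): [tiers hit]} for every suspected duplicate pair."""
    tiers = {
        "a_file_hash": lambda i: hashlib.sha256(i["pdf"]).hexdigest(),
        "b_number_vendor": lambda i: (i["vendor"], i["number"].strip().upper()),
        # Decimal avoids float drift and treats 1250.0 and 1250.00 as equal.
        "c_amount_date_vendor": lambda i: (i["vendor"], Decimal(i["amount"]), i["date"]),
    }
    hits = defaultdict(list)
    for tier, key in tiers.items():
        for pair in _pairs_from_groups(invoices, key):
            hits[pair].append(tier)
    # Tier (d) is pairwise: similar filename and nearly the same file size.
    for x, y in combinations(invoices, 2):
        sx, sy = len(x["pdf"]), len(y["pdf"])
        close_size = abs(sx - sy) <= size_tolerance * max(sx, sy)
        similar = SequenceMatcher(None, x["file"].lower(), y["file"].lower()).ratio() >= name_ratio
        if close_size and similar:
            hits[tuple(sorted((x["id"], y["id"])))].append("d_fuzzy_file")
    return dict(hits)
```

Invoice 3 is the renumbered resubmission: tiers (a) and (b) miss it, and it surfaces only through (c) and (d). Invoice 4 shares a number with invoices 1 and 2 but belongs to a different vendor, so it is not flagged.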
Phase 4: Controls and Segregation of Duties (Steps 11-13)
Transaction tests catch what already happened. The next three steps test whether the system that produced those transactions can prevent the next round.
11. Map segregation of duties for the full AP cycle. No single person should be able to create a vendor, enter an invoice, and release a payment. SoD gaps multiply duplicate-payment risk because one person can re-enter and re-approve the same invoice without a second pair of eyes — and the same gap shows up year after year as the top finding in SOX deficiency reports for finance functions.
12. Review system access logs for after-hours or off-cycle activity. Pull a report of invoice entries posted outside business hours, weekend payment runs, and entries made by users outside the AP team. Anomalies don't always mean fraud, but they always warrant a written explanation in the working papers.
13. Confirm exception reports are reviewed and signed off weekly. Most ERPs already generate a duplicate-detection exception report. The real question is whether anyone reads it. Pull six months of reports and verify reviewer signatures or system approval logs. An unreviewed exception report is worse than no report at all — it creates the illusion of a control while the underlying risk runs unchecked.
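The checks in steps 11 and 12, expressed over an ERP audit-log extract. This is an added example and not any ERP's report format: the event tuple layout, the action names, the AP roster and the 08:00 to 17:59 weekday window are assumptions, the timestamps are treated as local time, and the events are constructed.

```python
from collections import defaultdict
from datetime import datetime

AP_TEAM = {"alice", "bob", "carol"}   # assumed AP team roster
BUSINESS_HOURS = range(8, 18)         # assumed 08:00-17:59 local, Mon-Fri

# Constructed audit-log events: (timestamp, user, action, vendor_id, invoice_id)
EVENTS = [
    ("2026-03-02T10:05:00", "alice", "vendor_create", "V010", None),
    ("2026-03-02T10:40:00", "bob", "invoice_enter", "V010", "I-500"),
    ("2026-03-03T09:15:00", "carol", "payment_release", "V010", "I-500"),
    ("2026-03-07T23:12:00", "dave", "vendor_create", "V011", None),   # Saturday
    ("2026-03-09T11:00:00", "dave", "invoice_enter", "V011", "I-501"),
    ("2026-03-09T11:30:00", "dave", "payment_release", "V011", "I-501"),
    ("2026-03-10T19:45:00", "bob", "invoice_enter", "V010", "I-502"),  # evening
]

def sod_violations(events):
    """Map invoice_id -> {user: duties} where one user held 2+ duties in the chain."""
    vendor_creator = {v: u for _, u, a, v, _ in events if a == "vendor_create"}
    duties = defaultdict(lambda: defaultdict(set))
    for _, user, action, vendor, invoice in events:
        if invoice is None:
            continue
        duties[invoice][user].add(action)
        if vendor in vendor_creator:  # attribute vendor creation to the invoice chain
            duties[invoice][vendor_creator[vendor]].add("vendor_create")
    flagged = {}
    for inv, users in duties.items():
        multi = {u: sorted(d) for u, d in users.items() if len(d) >= 2}
        if multi:
            flagged[inv] = multi
    return flagged

def off_cycle(events):
    """List events posted on weekends, after hours, or by users outside AP."""
    flagged = []
    for ts, user, action, _, _ in events:
        t = datetime.fromisoformat(ts)
        reasons = []
        if t.weekday() >= 5:
            reasons.append("weekend")
        elif t.hour not in BUSINESS_HOURS:
            reasons.append("after_hours")
        if user not in AP_TEAM:
            reasons.append("non_ap_user")
        if reasons:
            flagged.append((ts, user, action, reasons))
    return flagged
```

Every flagged row is a prompt for the written explanation step 12 asks for, and a hit in both lists for the same user, as with the constructed user dave here, is the combination to review first.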
Phase 5: Post-Audit Reconciliation (Steps 14-15)
The final phase confirms nothing slipped past the earlier tests and turns findings into accountability.
14. Reconcile bank statements to the AP sub-ledger. Match every cleared payment to a posted invoice. Unmatched bank debits are sometimes duplicate payments that were issued, cleared, and never reversed in the sub-ledger. Think of this step as the last line of defense — once the cash clears and nobody catches it, it's gone for good.
15. Document findings and assign remediation owners. A finding without an owner and a deadline is a finding that repeats next year. Track each duplicate, near-miss, and control gap in your working papers with a named owner, a target close date, and a verification step that confirms the fix actually held.
Operationalizing the Checklist
A 15-step checklist is only useful if your team can actually run it. Steps 4, 7, 9, and 13 eat the most audit hours — and they're also the steps most amenable to automation. Vendor master fuzzy matching, four-tier duplicate detection, override review, exception monitoring: those are pattern-matching problems, not judgment calls. Pattern matching is what software does well. Reserve human hours for the steps that actually need a human brain.
This is where modern AP tools earn their keep. Stampli, BILL, and AvidXchange are full AP suites — they handle invoice capture, approval workflow, and payment, with duplicate checking as one feature among many. That's the right call if you're replacing your entire AP stack. If you already have an ERP and an approval workflow you trust, a focused tool that does duplicate detection well will plug in faster and cost less. We laid out the broader approach in Prevent Duplicate Payments: A Framework.
DupeInvoice was built for the steps in this checklist that depend on pattern matching across thousands of invoices. Upload a PDF or connect your invoice export, and the four-tier detection runs in seconds: SHA-256 file hashing, invoice number plus vendor matching, amount plus date plus vendor matching, and fuzzy filename plus size matching. The free tier processes 50 invoices a month — enough to run a sample-based audit on most mid-sized AP operations, no credit card required.
Try DupeInvoice free and run steps 4 and 7 on your last quarter of invoices. Find one duplicate, and the audit has already paid for itself.