AP Fraud Prevention in QuickBooks: A Controller's Guide
By Invoice Auditor Team · 2026-06-17
The Controller's Reality: You Can't Watch Everything
As a controller — whether full-time or fractional — you own the control environment. But you're not in the AP process every day. Bills get entered, payments go out, and the person doing the work is usually an in-house bookkeeper, an owner wearing too many hats, or a remote team member you've never met in person. That's where AP fraud happens — in the gap between your controls on paper and what actually happens between your visits. This guide covers the controls that actually work, the schemes they prevent, and how to monitor them systematically.
Scheme 1: Ghost Vendor / Billing Scheme
How it works: Someone with access to the vendor master creates a fake vendor — or reactivates a dormant one — and routes payments to it. The vendor looks ordinary; the bills look like any other.
Prevention: Every active vendor should have a tax ID, verified contact details, and an approval trail for creation.
Control: Run a vendor risk screen monthly that scores every vendor for the fingerprints of a fabricated one. Flag any created recently with immediate large payments, any with no contact info, and any with payee details that changed.
Scheme 2: Split Payments / Approval Threshold Gaming
How it works: One purchase is broken into multiple bills, each under the approval threshold, so no single one triggers a second sign-off.
Prevention: Approval thresholds should apply to cumulative spend with a vendor within a period, not just per-bill.
Control: Surface clusters of same-vendor bills close in time whose combined total crosses the threshold. No one person should be able to create new vendors AND approve bills — segregation of duties is the strongest defense.
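The cumulative check described above, sketched as an added example (it is not Invoice Auditor's code and not part of the original article). The threshold, the 7-day window, the tuple layout and the bill rows are all assumed, constructed values; in practice the rows would come from an export of bills.

```python
from collections import defaultdict
from datetime import date, timedelta
from decimal import Decimal

# Assumed policy values (not from the article): second sign-off at >= 5,000;
# bills are "close in time" when within 7 days of a cluster's first bill.
APPROVAL_THRESHOLD = Decimal("5000.00")
WINDOW = timedelta(days=7)

# Constructed sample rows: (bill_id, vendor, bill_date, amount)
SAMPLE_BILLS = [
    ("B-101", "Acme Supply", date(2026, 3, 2), Decimal("2400.00")),
    ("B-102", "Acme Supply", date(2026, 3, 4), Decimal("2300.00")),
    ("B-103", "Acme Supply", date(2026, 3, 5), Decimal("1900.00")),
    ("B-104", "Acme Supply", date(2026, 4, 20), Decimal("1200.00")),
    ("B-201", "Harbor Freight Lines", date(2026, 3, 3), Decimal("6100.00")),
    ("B-202", "Harbor Freight Lines", date(2026, 3, 4), Decimal("800.00")),
    ("B-301", "Northside Print", date(2026, 3, 1), Decimal("3000.00")),
    ("B-302", "Northside Print", date(2026, 3, 20), Decimal("3000.00")),
]

def find_split_clusters(bills, threshold=APPROVAL_THRESHOLD, window=WINDOW):
    """Flag same-vendor groups of sub-threshold bills whose combined total
    within `window` reaches `threshold`. Returns a list of evidence dicts."""
    by_vendor = defaultdict(list)
    for bill_id, vendor, bill_date, amount in bills:
        # Bills at or over the threshold already went to second sign-off.
        if amount < threshold:
            by_vendor[vendor].append((bill_date, bill_id, amount))
    findings = []
    for vendor in sorted(by_vendor):
        rows = sorted(by_vendor[vendor])  # oldest first
        i = 0
        while i < len(rows):
            # Every bill dated within `window` of the bill at position i.
            cluster = [r for r in rows[i:] if r[0] - rows[i][0] <= window]
            total = sum((r[2] for r in cluster), Decimal("0"))
            if len(cluster) > 1 and total >= threshold:
                findings.append({"vendor": vendor, "total": total,
                                 "bill_ids": [r[1] for r in cluster],
                                 "first": cluster[0][0], "last": cluster[-1][0]})
                i += len(cluster)  # report each bill in at most one cluster
            else:
                i += 1  # retry with the next bill as the cluster start
    return findings

if __name__ == "__main__":
    for finding in find_split_clusters(SAMPLE_BILLS):
        print(finding)
```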
Scheme 3: Payee Redirection
How it works: A legitimate vendor's payment details are changed — new bank account, new payee name — and the next payment goes to the fraudster. By the time the real vendor asks where their payment is, the money is gone.
Prevention: Require independent verification of any payee or banking change — a phone call to the vendor at their known number, not the number on the change request.
Control: Monitor the vendor master for any changes to payee name or banking details and flag every one for review.
Scheme 4: Personal Expenses as Business Expenses
How it works: Personal purchases are coded as business expenses. Without systematic review, a $500 personal expense looks like any other $500 bill.
Prevention: Require GL coding that matches historical patterns — flag deviations.
Control: Review the vendor list for non-business payees. Review coding consistency — a vendor always coded to Office Supplies that is suddenly coded to a vague category like Miscellaneous is worth a question.
The Control Layer That Scales Across Your Portfolio
The challenge for fractional controllers and multi-client firms is applying these controls consistently across every file without spending hours on each one. Invoice Auditor runs all these checks automatically in about two minutes per file: duplicate payments across object types, ghost vendor risk scores, split-bill clusters, payee change monitoring, GL coding deviations, and more. Each file gets a Books Integrity Score, and every flag carries its evidence. It's read-only — it surfaces what deserves attention and never touches the books. For a controller managing multiple clients, it's the difference between hoping the controls are working and knowing what to look at.
The One Control That Beats Everything Else
Segregation of duties: the person who creates vendors should not be the person who approves bills. The person who enters bills should not be the person who reconciles the bank account. In a small business, perfect segregation is impossible — the owner often does everything. That's where automated monitoring fills the gap. If one person touches everything, the only defense is a second set of eyes that reads across the whole file and surfaces what doesn't add up. That's what Invoice Auditor provides — a consistent, automated second look that costs nothing and takes two minutes.