Accounts Payable Controls Checklist for Indian Mid-Market Finance Teams

Most Indian mid-market companies have accounts payable controls. They are informal, understood by the finance manager who set them up, and functional at low invoice volumes. At 300+ invoices per month, informal controls develop gaps — not because the team stops following them, but because there is no systematic check that they are being applied consistently across every transaction.

The four failure points in AP controls: vendor onboarding, invoice entry, payment authorization, and period-end compliance.

Vendor Onboarding: What to Verify Before the First Invoice

A vendor that enters your system with incomplete or unverified information is a risk that stays in the system indefinitely. The onboarding check that matters: GSTIN validation against the GSTN portal (not just format validation — active status check), PAN verification for TDS section mapping, bank account verification with a cancelled cheque and a bank statement, MCA/ROC filing status for companies above a threshold, and MSME registration where applicable for payment term obligations.

The gap that creates the most downstream problems is TDS section mapping. If a vendor's applicable section — 194C, 194J, 194H, or another — is not recorded at onboarding, every TDS calculation for that vendor is a manual judgment call. Over 12 months, that produces inconsistencies that CA firms spend days resolving before the annual TDS filing.

Vendor master changes — especially bank detail changes — should require a separate authorization from the person who processes invoices, with a mandatory out-of-band verification call to the vendor. This one control prevents the majority of bank detail fraud.

Invoice Entry: The Checks That Must Happen Before Approval

Four checks before an invoice enters the approval queue. First: duplicate check. For mandated vendors, IRN validation. For all others, composite matching on GSTIN + invoice number + date + amount. Second: three-way match status — has the GRN been confirmed for this invoice? An invoice for goods not yet received should sit in a pending queue, not an approval queue. Third: IRN presence and format check for mandated suppliers. Fourth: TDS section lookup from the vendor master — the calculation should be automatic, not manual.

What makes these checks work at volume is that they need to be systematic, not discretionary. A control that an experienced team member applies consistently but a new hire does not is not a control — it is a habit. The check needs to run regardless of who is processing the invoice that day.

Payment Authorization: Maker-Checker and Threshold Logic

Maker-checker for payment runs above a defined threshold (₹50,000 is a common starting point) ensures that no single team member can both approve an invoice and initiate the corresponding payment. The maker creates the payment instruction. A different authorizer releases it.

Threshold-based CFO or finance head approval for payments above ₹5 lakh adds a second line of defense for high-value transactions. This should be structured so that approval happens in the ERP with an audit trail — not via WhatsApp message or verbal confirmation.

Vendor master change authorization should be explicitly separated from invoice processing authorization. The person who updates bank details should not be the same person who processes invoices. This eliminates the most common internal fraud vector in AP.

Period-End: The Compliance Checks That Cannot Slip

Before filing GSTR-3B: GSTR-2B vs purchase register reconciliation, with identified gaps followed up before the filing deadline. Before the 7th of the month: TDS deposit confirmation for the previous month's deductions — the interest penalty for late deposit (1.5% per month) accrues daily. By the 15th: MSME vendor payment review for any outstanding invoices past the 45-day payment obligation.

Controls are only as strong as their consistency. A control applied 9 out of 10 times has a 10% gap — and organized fraud finds gaps systematically. The value of systematic AP controls is not in the transactions they catch. It is in the transactions that are never attempted because the controls are visible.