See if your information has been exposed in a data breach with our latest free tool Check Now

Creating AP Policies and Procedures That Are Fit-For-Purpose

Niek Dekker
8 Min

A well-run and secure Accounts Payable (AP) function needs comprehensive policies and procedures that are fit-for-purpose in an increasingly complex digital age. It is also critical that those policies and procedures are well understood by AP staff and adhered to.

In this blog we will explore what’s involved in implementing fit-for-purpose AP policies and procedures in your organisation.

AP policies and procedures: Not a set and forget activity

When it comes to implementing best-practice Accounts Payable policies and procedures, it would be a huge mistake to assume that what worked yesterday will be fit-for-purpose tomorrow.

The digital landscape is changing at break-neck speed. Barely a day passes without the introduction of new technologies promising to make business operations more effective and efficient. Organisations that embrace digital transformation are reaping significant dividends. But there is also a considerable risk: Expanding the technology in your environment can lead to a corresponding expansion of your attack surface.

Your attack surface includes all the systems, from hardware devices such as laptops and smart phones, to the software you use for accounting and vendor management, that a cyber-attacker may seek to exploit in order to gain unauthorised access to your digital environment. Once inside your security perimeter, the attacker may be able to access and manipulate supplier data stored in your Vendor Master File or ERP. They may also be able to access email accounts and impersonate your organisation’s executives in order to launch a Business Email Compromise attack.

Put simply, with more hardware and software, you are expanding the opportunities for a sophisticated attacker to exploit any vulnerability they can identify in any of those systems. This in turn paves the way for them to engage in fraud against your organisation.

The AP policies and procedures you implemented in the past may have been fit-for-purpose at the time. But we now live in a whole new world. Your old AP policies and procedures are unlikely to be suitable in the current digital landscape.

As an AP manager, you need to ensure your policies and procedures are regularly reviewed and updated to take into account changing circumstances and technologies.

What are Accounts Payable policies?

AP policies establish a clear set of rules that outline how your department will address certain issues.

There are four main reasons you should establish AP policies:

1-Set clear expectations

The main reason you should establish AP policies is that they clearly lay out what your organisation expects from staff. With clearly written and communicated policies, your AP staff will understand how they should behave and act in specific circumstances.

2-Establish consistency

For any AP function, particularly as you grow and expand, ensuring all the staff are working in a consistent way is critical. For example, if every member of your AP staff follows different naming conventions when onboarding a new supplier into your Vendor Master File, you will quickly find many suppliers with multiple entries, increasing the likelihood of duplicate payments.

3-Reduce risk

Without clear policies in place that all AP staff follow, it will be impossible to ensure internal controls are maintained that mitigate your risk of fraud. For example, your AP policies may require staff to undertake supplier call-backs before processing an invoice, reducing the risk of fraudulent or erroneous payments.

4-Improve performance

Clear policies allow the CFO and AP manager to ensure that the AP function performs according to best-practice principles. Through a combination of a clearly articulated vision and detailed rules, it is possible to establish a benchmark that drives enhanced employee accountability.

How are AP policies different to AP procedures?

Whilst your AP policies provide a high-level overview of the rules, your AP procedures should provide the detailed explanation to staff about how they should implement those rules.

For example, AP procedures should articulate:

  • Who has responsibility for various tasks.
  • The specific steps that need to be completed for each task and when those steps need to be taken.
  • What oversight mechanisms are in place to ensure tasks are performed correctly.

Should every organisation have an AP policies and procedures manual?


An effective AP policies and procedures manual should articulate what your staff can expect from the department, and what the department expects of your staff. When creating your manual, or updating an existing manual, it is important to ensure the language is clear and concise.

Because many AP teams have grown gradually, or evolved as part of the broader accounting department, all too often they haven’t spent the time developing a specific AP policies and procedures manual that specifically covers all aspects of the AP function. Instead, AP processes have tended to develop on an ad-hoc basis, whenever a specific need arose.

The problem with this approach is that knowledge about how particular systems work, where specific information is stored and how certain tasks are carried out, often resides with one individual. Not only can this approach result in business continuity challenges if a certain individual gets sick or accepts another job, leaving the AP function in the lurch. It also makes it almost impossible to establish department-wide consistency. Without a dedicated manual, AP staff won’t have the clarity they need around how to handle specific tasks and may increase the organisation’s risk exposure.

Another reason why you should develop a dedicated AP policies and procedures manual, is that it can demonstrate to senior executives the value the AP team provides to the broader organisation. Accounts Payable is often seen as a cost centre in many organisations. This can result in a reluctance to adequately resource the function. Armed with a manual that demonstrates the breadth of business-critical tasks AP performs and the value it provides in mitigating the growing risk of fraud, it will be easier to demonstrate to senior executives how AP benefits the organisation and why it should be adequately resourced.

How often should the AP policies and procedures manual be updated?

An AP policies and procedures manual should be a living document. Whether you choose to review it on an annual basis, or every time a new process is added or amended, will be at your discretion. However, by regularly reviewing the practices followed in your AP function, you will be able to ensure your team is always keeping up with industry best-practices, and that all the activities remain in alignment with your organisation’s requirements over time.

Of course, whenever you identify mistakes in your AP function that require a change in processes, your manual should be amended immediately in order to eliminate those errors.

Another benefit of regularly reviewing your manual is that allows staff within the department to have greater input on a regular basis into how the AP function is run. Staff should have the opportunity to regularly come forward with suggested improvements to the way tasks are undertaken, and if management agrees with the changes, they can be incorporated into the manual so that all staff can follow the amended methodologies.

As an AP manager, you should also ensure that all AP staff receive adequate training every time any of the policies and procedures contained in the manual are updated.

What to consider when creating an AP policies and procedures manual

A good AP policy and procedures manual, that accurately reflects your AP practices in use, can be used in the following ways:

  • As a training guide for new employees.
  • As a reference guide for existing employees, especially for those tasks that are completed infrequently.
  • As a reference for other departments affected by AP policies.

When creating your manual, remember that it should be a clear and concise how-to guide. The purpose of the document is not to provide lengthy explanations on the broader corporate mission, nor on theoretical principles underpinning accounting practices.

Following these style guidelines will help ensure your AP policies and procedures manual becomes an invaluable resource for your staff:

  • Create a table of contents so users can easily access the information they require.
  • Keep all instructions short, and break down longer processes into several short steps.
  • Keep sentences short, preferably under 20 words.
  • Lists are your friend: Make extensive use of bulleted and numbered lists.
  • Include examples wherever possible. This will help staff, particularly new recruits, to understand concepts which may not be very clear.
  • Like every industry, AP has its unique jargon and abbreviations. Try to avoid unnecessary use of jargon and abbreviations. Consider including a glossary that provides definitions for such terms.
  • It may seem obvious, but remember to number your pages.
  • Run spellcheck – spelling errors will make users of the manual think it has not been compiled carefully.

Compiling a comprehensive AP policies and procedures manual may seem like a relatively straight forward task. Be warned, it will likely take you considerably longer that you initially anticipate. Once you need to start breaking down all the AP processes into step-by-step instructions, you will realise how complex many of the tasks are. This is a great opportunity to identify gaps in the way your staff handle certain tasks and will allow you to improve many aspects of the AP function.

Also be warned that every organisation’s AP requirements are different. As such, no two AP teams operate in exactly the same way. It would be great if you could simply borrow another organisation’s manual and update it for you own requirements, however this is unlikely to work very well.

How to ensure AP policies and procedures are being followed?

It’s all very well having a fit-for-purpose AP policies and procedures manual, but if it isn’t adhered to, you will have a major problem on your hands.

The first step is to disseminate the manual to all AP staff. However, you will need to do much more than that to ensure the information contained in the manual is absorbed, understood and followed. Breaking the manual down into its various chapters and running individual training sessions dedicated to each chapter is one way to ensure the entirety of your team sees its value.

Another worthwhile exercise would be to initiate discussions with individual employees about various aspects of the AP policies and procedures during periodic staff reviews. This makes staff feel invested in the operations of the AP function and can contribute to stronger staff morale.

Having checks and balances in place to ensure all members of your team are sticking to the rules as stipulated in the manual will also be critical, with additional training for those who may not be following the steps correctly. Importantly, you need to convey to staff the reason why the manual stipulates that certain tasks be conducted in a specific way, and why consistency across the AP team is critical from a risk mitigation and business continuity point of view.

Finally, there may be other staff in other departments across the organisation who engage with AP from time to time. These other staff members may also need to be trained in various aspects of the AP policies and procedures.

How can eftsure help?

Whilst a fit-for-purpose AP policies and procedures manual is an important element in a well-run and secure AP function, alone it will not eliminate all risk of fraud. Sophisticated fraudsters will always look for ways to circumvent your processes and controls, no matter how comprehensive they are.

With eftsure sitting on top of your AP processes, you have an important layer of defence that ensures outgoing payments are verified in real-time. This helps mitigate the risk of range of threats, such as breaches of your attack surface that can result in fraudulent payments.

To learn how eftsure can align with your AP policies and procedures, whilst affording you an important additional layer of protection, contact us today.

Related articles


A CFOs Guide to ACH Payments

In recent years, the banking industry has undergone significant transformations that have changed how we manage our finances. The shift from traditional …

Read more

Pros and cons of faster payments

Faster payments are part of our every day – but cybercriminals are exploiting the system. Discover how you can reduce the risks in your business.

Read more

The new security standard for business payments

Eftsure provides continuous control monitoring to protect your eft payments. Our multi-factor verification approach protects your organisation from financial loss due to cybercrime, fraud and error.