How to Conduct an Accounts Payable Audit: A Guide for UK Businesses

Introduction

UK businesses face significant financial exposure without systematic accounts payable oversight. Research shows organisations lose an estimated 5% of revenue to occupational fraud annually, with asset misappropriation — the category most relevant to AP fraud — accounting for 86% of cases. For UK finance managers, CFOs, and business owners, these figures make a clear case for treating accounts payable audits as a core financial control, not an afterthought.

An accounts payable audit is a structured review of a business's payable records, transactions, and processes to verify accuracy, detect errors, and ensure compliance. In the UK context, a well-run AP audit serves several key functions:

  • Confirms HMRC record-keeping compliance
  • Prevents duplicate payments and financial leakage
  • Maintains supplier trust through accurate payment records
  • Identifies unrecorded liabilities before they distort financial statements

This guide walks through what an AP audit involves, how to conduct one step-by-step, which UK-specific compliance areas require examination, and when to bring in professional support.

TL;DR

  • AP audits verify accounts payable accuracy and confirm regulatory compliance
  • UK compliance covers HMRC record-keeping rules, Payment Practices Reporting thresholds, and the Companies Act
  • Audits run across four stages: planning, testing, reporting, and follow-up
  • Common findings include duplicate payments, missing invoices, weak controls, and unrecorded liabilities
  • Bringing in external support often uncovers duplicate payments and overpayments that offset the cost of the audit

What Is an Accounts Payable Audit and Why Does It Matter for UK Businesses?

Accounts payable in the UK context represents the total amount a business owes suppliers for goods and services received but not yet paid, recorded as a current liability on the balance sheet. This liability is governed by invoice terms, UK contract law, and HMRC record-keeping rules.

An AP audit involves detailed examination of:

  • AP transactions and invoice records
  • Payment approvals and authorisation workflows
  • Supplier master data and vendor files
  • Internal controls and segregation of duties

The Financial Risk of Skipping AP Audits

Without regular audits, UK businesses face multiple exposures:

  • Fraud exposure: The ACFE's 2024 Report to the Nations estimates organisations lose 5% of revenue to occupational fraud annually — roughly £5 trillion globally. Asset misappropriation alone carries a median loss of £120,000 per case.
  • Duplicate payments: Around 1% of all invoices are paid more than once, and businesses lose roughly 0.35% of annual spend to duplicates, invoice errors, and missed credits.
  • HMRC penalties: VAT-registered businesses must retain compliant records for at least six years. Non-compliance risks penalties and interest charges.

When AP Audits Become Mandatory

Under the Companies Act 2006, small companies meeting the exemption criteria are not required to undergo statutory audit. From 6 April 2025, these thresholds increased significantly:

  • Turnover: £15 million (up from £10.2 million)
  • Balance sheet total: £7.5 million (up from £5.1 million)
  • Employees: 50 (unchanged)

Companies not exceeding two of these three thresholds qualify as small and may claim audit exemption. Audit exemption, however, doesn't mean audit immunity. Internal AP reviews address the operational risks and financial leakage that statutory audits are not designed to catch.

How to Conduct an Accounts Payable Audit: A Step-by-Step Process

Every effective AP audit follows four stages: planning, testing and investigation, audit report, and follow-up. Here's how to work through each one.

Four-stage accounts payable audit process flow from planning to follow-up

Step 1: Define Scope and Set Objectives

Before reviewing any documents, establish:

Time period under review: Typically the previous financial year, though high-risk departments benefit from quarterly reviews.

Specific objectives: Choose from:

  • Duplicate payment detection
  • Fraud investigation
  • Compliance verification (HMRC, PPPR, GDPR)
  • Internal control assessment
  • Unrecorded liability identification

Audit team composition: Determine whether the audit will be conducted internally or by external auditors. Poorly scoped audits waste time and miss material risks.

Step 2: Gather and Organise AP Documents

Essential documentation includes:

  • Vendor invoices (paper and electronic)
  • Purchase orders and receipts
  • Supplier contracts and master file
  • AP ageing reports
  • Bank statements and payment records
  • General ledger entries
  • Expense approval policies

Disorganised documentation is the most common reason audits exceed planned timelines. Establish a centralised repository before testing begins.

Step 3: Review Internal Controls and Approval Workflows

Examine three critical control areas:

  • Approval authority: Invoice sign-off should align with documented authorisation levels — verify this holds across all departments, not just finance.
  • Segregation of duties: No single employee should handle invoice entry, approval, and payment. One person controlling all three steps is how most AP fraud goes undetected.
  • Policy enforcement: Payment control policies should be documented, current, and applied consistently — spot-check compliance across departments rather than relying on self-reporting.

Step 4: Analyse Transactions for Errors and Fraud

Core testing activities include:

Reconciliation and matching: Match AP balances against supplier statements to catch discrepancies, unrecorded credits, or disputed amounts. Follow this with three-way matching — verify each payment against the purchase order, goods received note, and invoice to confirm goods were ordered, received, and correctly invoiced.

Duplicate detection: Run checks for invoices with identical amounts, vendor names, and dates. Nearly two-thirds of UK finance professionals have received duplicate invoices, and approximately one-third ended up paying them.

Anomaly flagging: Isolate transactions that fall outside normal patterns:

  • Round-number payments (£1,000, £5,000) without supporting detail
  • Payments to new or infrequent suppliers
  • Transactions outside normal business hours
  • Overpayments and unclaimed credit notes

How much does error exposure matter? According to APQC data, leading organisations achieve 98% disbursement accuracy, average performers reach 95%, and lower performers sit at 88%. Even at 95%, 5% of disbursements contain errors — material exposure at any scale.

AP disbursement accuracy comparison chart leading average and lower performing organisations

Step 5: Prepare the Audit Report and Implement Follow-Up

The audit report should contain:

  • Summary of findings using the Five C's framework (Condition, Criteria, Cause, Consequence, Corrective action)
  • Unrecorded liabilities identified
  • Internal control weaknesses and gaps
  • Specific, actionable recommendations

The report is not the end. Schedule a follow-up review — typically after 6–12 months — to confirm corrective actions have been implemented and are working effectively. Without follow-up, findings remain unresolved and risks persist.

Key UK Compliance Checks Every AP Audit Should Cover

UK businesses operate under specific regulatory obligations that AP audits must verify.

HMRC Record-Keeping Requirements

HMRC's VAT Notice 700/21 states businesses must retain all VAT records for at least 6 years. AP audits should verify:

  • All supplier invoices contain required VAT elements (VAT number, itemised amounts, invoice date, unique sequential number)
  • Records are stored in retrievable format (electronic or paper)
  • Retention periods comply with statutory minimums

HMRC requires full VAT invoices to include 15 specific elements in total — covering the supplier's VAT registration number, time of supply, unit prices, applicable VAT rates, and total VAT chargeable expressed in sterling, among others.

Payment Practices and Performance Reporting (PPPR)

From 6 April 2025, companies exceeding two of three size thresholds must report payment practices half-yearly:

  • Turnover: £54 million
  • Balance sheet: £27 million
  • Employees: 250

Reports must be published within 30 days of each period end. Failure to report is a criminal offence for the business and every director.

AP audits for companies in scope should verify:

  • Actual payment behaviour aligns with submitted PPPR reports
  • Average payment days calculations are accurate
  • Late payment patterns are identified and addressed
  • Dispute resolution processes are documented and followed

UK GDPR Compliance for Supplier Data

AP departments hold personal data for supplier contacts, especially sole traders and individual vendors. Audits should confirm compliance with:

Data minimisation (Article 5(1)(c)): Personal data must be adequate, relevant, and limited to what is necessary.

Storage limitation (Article 5(1)(e)): Data must not be kept longer than necessary.

Audit procedures should include:

  • Reviewing vendor master files for outdated records
  • Confirming data retention periods are justified
  • Verifying unnecessary supplier data has been purged
  • Checking that individual supplier contact details are current and authorised

FRS 102 and AP Balance Classification

FRS 102 Section 11 classifies trade payables as basic financial instruments, initially measured at transaction price and subsequently at amortised cost. For standard short-term payables, this simply means the undiscounted invoice amount — so the practical impact on most AP teams is straightforward.

Audits should verify:

  • Accruals are properly recorded at period end
  • Cut-off procedures correctly capture goods/services received before year-end
  • Liabilities are not understated to inflate profitability
  • Payables are correctly classified as current or non-current based on payment terms

UK accounts payable compliance checklist covering HMRC PPPR GDPR FRS102 and CFA obligations

Criminal Finances Act 2017 Risk

Section 45 creates a strict liability corporate offence for failure to prevent facilitation of tax evasion by associated persons (employees, agents, contractors). The sole statutory defence is demonstrating that reasonable prevention procedures were in place.

HMRC initiated its first corporate prosecution under Section 45 in August 2025, signalling that enforcement is no longer theoretical.

For businesses with international supplier relationships, AP audits should:

  • Verify payments to overseas vendors are properly authorised and documented
  • Confirm due diligence procedures exist for foreign suppliers
  • Check that anti-facilitation-of-tax-evasion procedures are documented
  • Ensure training and communication on CCO risks is provided to AP staff

Common AP Audit Mistakes UK Businesses Make

Auditing Too Infrequently

Many businesses only conduct AP audits when problems are already suspected. By that time, significant financial leakage has usually occurred.

Recommendation: Establish a regular audit schedule — annually at minimum, quarterly for higher-risk departments or those with high transaction volumes. Preventive audits identify issues before they become material.

Relying on Manual AP Processes

Paper-based systems create multiple audit challenges:

  • Difficulty tracing the full lifecycle of transactions
  • Increased risk of incomplete or altered records
  • Longer audit timelines
  • Higher error rates and duplicate payment risk

APQC benchmarks show even average organisations process 5% of disbursements with errors when controls are weak. If your team is still working from paper records and spreadsheets, that 5% error rate is a realistic baseline — not a worst-case scenario.

Treating Audits as Fraud Detection Only

In practice, the majority of findings in typical AP audits relate to:

  • Process inefficiencies and workflow bottlenecks
  • Missing or incomplete documentation
  • Duplicate payments (approximately 1% of all invoices)
  • Unrecorded liabilities at period end
  • Weak internal controls rather than intentional fraud

Each of these issues carries a direct cost. Businesses that treat audits as fraud-detection exercises miss recoverable money sitting in plain sight. Duplicate payment recoveries, unclaimed credit notes, and overpayments often represent 0.1% to 0.15% of annual spend — a meaningful sum for any organisation processing high invoice volumes.

Common AP audit findings breakdown showing process errors duplicate payments and control weaknesses

When to Consider Professional AP Audit Support

Independent external AP audits are preferable to internal reviews in several scenarios:

  • No in-house audit team: Without dedicated internal audit resource, businesses often lack the technical expertise or capacity for thorough AP reviews.
  • Suspected fraud or discrepancy: External auditors provide independence and follow established forensic procedures — essential when objectivity is non-negotiable.
  • Pre-audit or due diligence preparation: Identifying and resolving AP issues before statutory audit, a sale, or investor scrutiny reduces risk significantly.
  • Processes unreviewed for 2+ years: Accumulated inefficiencies and control gaps are common in AP functions that haven't been formally assessed recently.
  • Cross-border supplier relationships: UK businesses with international suppliers or complex VAT arrangements benefit from specialist expertise that in-house teams may not have.

For UK businesses with overseas supplier relationships, VJM Global offers AP audit advisory services built on 30+ years of experience across cross-border accounting and UK compliance. Having served over 250 UK businesses, the firm is particularly well-placed to support companies with India-linked operations or international tax considerations.

The Cost-Benefit Case

Professional AP audit costs are typically recovered through:

  • Recovering duplicate payments and overpayments (around 20% of total recoveries)
  • Reclaiming unapplied statement credits and missed discounts (around 80% of total recoveries)
  • Preventing ongoing overpayments through improved controls

Traditional recovery audits typically recover 0.1% to 0.15% of annual spend, making professional audits a financially justified investment. For a business with £10 million annual AP spend, this represents potential recoveries of £10,000 to £15,000, often exceeding audit costs while also strengthening compliance.

Frequently Asked Questions

Do UK company accounts have to be audited?

Small companies meeting two of three Companies Act 2006 thresholds (turnover under £15 million, balance sheet under £7.5 million, fewer than 50 employees from 6 April 2025) are generally exempt from statutory audit. However, internal AP audits remain recommended even when not legally required.

What are the audit procedures for accounts payable?

Core AP audit procedures include:

  • Verifying completeness of AP records
  • Validating compliance with HMRC, FRS 102, and PPPR standards
  • Confirming transaction validity through three-way matching
  • Reconciling supplier statements against internal records

What is accounts payable in the UK?

Accounts payable refers to money a UK business owes suppliers for goods or services received on credit, recorded as a current liability. It is governed by invoice terms, UK contract law, and HMRC record-keeping rules requiring six-year retention of VAT documentation.

What software do accounts payable use?

Common AP platforms used by UK businesses include Sage (approximately 40% market share among UK SMEs), Xero (32.84% of global users are UK-based), QuickBooks, Oracle NetSuite, and SAP. All maintain audit trails and support document retrieval during reviews.

What are the 5 C's of audit findings?

The Five C's structure audit findings: Criteria (the standard), Condition (what was found), Cause (why the gap exists), Consequence (the resulting risk), and Corrective action (steps to fix and prevent recurrence).