
Duplicate & Fraud Prevention Controls Checklist

A controls checklist for the two ways money leaks out of AP: paying the same invoice twice, and paying a fraudster. Covers duplicate detection logic, business email compromise defenses, segregation of duties, and the monitoring that catches what slips through.

  • Duplicate Detection
  • Fraud Schemes & Controls
  • Business Email Compromise Defense
  • Segregation of Duties & Monitoring

Spotsaas · 2026

What it is

The Duplicate & Fraud Prevention Controls Checklist addresses the two ways money leaks out of accounts payable: paying the same invoice twice, and paying a fraudster. It is organized around four control areas — duplicate detection logic, a fraud schemes-and-controls map, a business email compromise (BEC) defense workflow, and the segregation of duties and monitoring that catch what slips through. The guiding distinction is that duplicates are an accuracy problem and fraud is an authorization problem, and both are cheapest to stop at the point of entry rather than at payment.

On duplicates, the checklist specifies matching candidates on vendor plus invoice number plus amount and on fuzzy variants (INV-001 versus INV001), detecting same-amount same-date invoices entered under slightly different vendor names, blocking at entry when an invoice number already exists for a vendor, flagging round-dollar and just-under-threshold invoices, reconciling credit memos so a credit isn't paid as a fresh invoice, and de-duplicating the vendor master. On fraud, a table maps each scheme — BEC/vendor impersonation, duplicate payment, fictitious vendor, check tampering, billing scheme, ACH account takeover — to its primary control, and a three-step BEC workflow treats every bank-change request as high risk, enforces dual control on the master, and holds the first payment on new banking details.

The single most important message is that independent call-back verification on every bank-detail change is the highest-ROI control in AP, because it is the one barrier that stops the most expensive scheme — business email compromise. The checklist rounds out with segregation-of-duties and monitoring controls: no single user can create a vendor, approve an invoice, and release a payment; vendor master reviews catch records matching employee addresses or bank accounts; monitoring catches invoices clustered just below approval thresholds (structuring); and immutable audit-log review and subledger-to-GL-to-bank reconciliation backstop the whole system. It works as both a manual controls framework and a feature checklist for AP platforms that advertise duplicate and fraud detection.

What it's used for

The checklist is used to design, audit, or strengthen the controls that protect AP from duplicate payments and fraud. Teams reach for it after a near-miss or actual loss, during a controls review or audit, when rolling out AP automation, or simply to verify their defenses against the known schemes. It is built to close gaps at the point of entry, where both duplicates and fraud are cheapest to stop.

  • Building duplicate-detection logic that matches on vendor, invoice number, and amount plus fuzzy variants, and blocks at entry when an invoice number already exists for that vendor.
  • Detecting same-amount, same-date invoices entered under slightly different vendor names, and flagging round-dollar or just-under-threshold invoices for review.
  • Mapping each fraud scheme — BEC, fictitious vendor, check tampering, billing scheme, ACH takeover — to its primary control so coverage is deliberate and complete.
  • Running a business email compromise defense that never actions a bank change from email alone, calls back on an independently sourced number, and requires a secondary identity confirmation.
  • Enforcing dual control on the vendor master so a small named group edits banking fields and a second approver releases any change to live, with requestor, verifier, and approver logged.
  • Holding the first payment on new banking details, re-validating account ownership, and alerting on changes made shortly before a scheduled large payment.
  • Backstopping with monitoring — vendor master reviews for employee-matching addresses or accounts, structuring detection, immutable audit-log review, and subledger-to-GL-to-bank reconciliation.

Who uses it

The checklist is for the people accountable for AP's integrity and for those who detect and investigate what gets through — controllers, AP leadership, internal audit, and the analysts who watch the data. Because authorization is the heart of fraud control, it separates who can request, verify, and approve changes.

  • Controller: Owns the anti-fraud control environment and enforces dual control on the vendor master, segregation of duties, and the audit-log and reconciliation reviews.
  • AP Manager: Runs the duplicate-detection logic and the BEC defense in daily operations and ensures bank-change requests are never actioned on email alone.
  • Internal Auditor / Fraud Analyst: Tests the scheme-to-control map, reviews vendor master records for employee matches, and hunts for structuring and override patterns in the data.
  • Treasury: Configures positive pay, payee positive pay, and ACH debit blocks at the bank so check tampering and account takeover are blocked before items clear.
  • CFO / Finance Leadership: Sponsors the controls and cares most about BEC, the most expensive scheme, which independent call-back verification is the primary defense against.

Context & good to know

Duplicate payments and AP fraud are distinct problems that often get lumped together, and the checklist's first contribution is to separate them. Duplicates are an accuracy failure — the same legitimate invoice paid twice — best stopped by entry-time blocking and a de-duplicated vendor master. Fraud is an authorization failure — money sent to someone who shouldn't receive it — best stopped by segregation of duties and verification. Conflating them leads to controls that catch one and miss the other. Treating them as two problems with overlapping defenses produces a more complete program.

Business email compromise is consistently the most expensive scheme in accounts payable, and the checklist is emphatic that independent call-back verification on every bank-detail change is the single highest-ROI control available. The mechanics matter: never action a change from an inbound email alone, call back on a number sourced independently of the request (not one in the request email), require a secondary identity confirmation, enforce dual control on the master, and hold the first payment on new details. Each step removes a way the attacker can succeed, and together they make the scheme very hard to execute.

Monitoring is what catches the fraud that bypasses prevention. Reviewing the vendor master for records matching employee addresses or bank accounts catches fictitious-vendor and insider schemes; watching for invoices clustered just below approval thresholds catches structuring, where someone splits spend to stay under a control; and immutable audit-log review on master-data and payment changes catches manipulation after the fact. Reconciling the AP subledger to the GL and to bank activity on a defined cadence is the final backstop that surfaces anything the other controls missed.

AP automation platforms increasingly advertise built-in duplicate and fraud detection, and the better ones do flag duplicates at entry, surface potential vendor-master duplicates, and enforce dual approval on banking changes. Tools like Tipalti and AvidXchange build supplier verification and controls into the workflow. But software enforces only the rules you give it, and the highest-value control — independent call-back verification — is fundamentally a human process the platform can prompt but not perform. For buyers asking 'what is the most reliable AP software?', this checklist provides the criteria: does the platform block duplicates at entry, screen vendors, enforce dual control on banking, and produce an immutable audit log? The answer separates genuine controls from marketing.

✓ Independent · vendors can't pay to rank

Built on verified data, not vendor spin

Every Spotsaas resource draws on the Spotsaas Score — a blend of verified review ratings, review volume, and feature depth across 38 AP automation software tools. Refreshed regularly; data as of June 2026.

FAQ

Questions, answered

What is business email compromise in accounts payable?

BEC is a fraud in which a criminal, often using a spoofed or compromised email, impersonates a vendor or executive and requests a change to vendor bank details or an urgent payment. The fraudulent banking change redirects legitimate payments to the attacker's account. It is consistently the most expensive scheme in AP, and its primary defense is independent call-back verification — confirming the change by phone on a number you sourced yourself, never one from the request email.

How do I detect duplicate invoices?

Match candidate duplicates on vendor plus invoice number plus amount, and catch fuzzy variants like INV-001 versus INV001. Detect same-amount, same-date invoices entered under slightly different vendor names, and block at entry when an invoice number already exists for that vendor rather than catching it at payment. Also reconcile credit memos so a credit isn't paid as a new invoice, and de-duplicate the vendor master so one supplier can't be paid from two records.
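
The entry-time checks described above, as an added example that is not part of the checklist or any AP platform's code. The threshold, the 5% band, the similarity cutoff, the "round-dollar" definition and all names are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass
from datetime import date
from decimal import Decimal
from difflib import SequenceMatcher

# Assumed policy values for illustration; the checklist does not specify them.
APPROVAL_THRESHOLD = Decimal("10000")
NEAR_BAND = Decimal("0.05")        # "just under" = within 5% below the threshold
VENDOR_SIMILARITY = 0.85           # fuzzy vendor-name cutoff
SUFFIXES = {"inc", "llc", "ltd", "corp", "co", "gmbh"}

@dataclass(frozen=True)
class Invoice:
    vendor: str
    number: str
    amount: Decimal
    invoice_date: date

# Constructed sample ledger of invoices already entered.
LEDGER = [Invoice("Acme Supplies, Inc.", "INV-001", Decimal("4210.55"), date(2026, 3, 2))]

def norm_number(raw: str) -> str:
    # INV-001, inv 001 and INV001 all normalize to INV001.
    return re.sub(r"[^A-Z0-9]", "", raw.upper())

def norm_vendor(raw: str) -> str:
    # Lowercase, drop punctuation and legal suffixes before comparing names.
    words = re.sub(r"[^a-z0-9 ]", " ", raw.lower()).split()
    return " ".join(w for w in words if w not in SUFFIXES)

def check_at_entry(new: Invoice, ledger: list) -> list:
    """Return findings for a new invoice; any BLOCK finding rejects it at entry."""
    findings = []
    for old in ledger:
        a, b = norm_vendor(old.vendor), norm_vendor(new.vendor)
        if a == b and norm_number(old.number) == norm_number(new.number):
            findings.append(f"BLOCK duplicate of {old.number}")
        elif (old.amount == new.amount and old.invoice_date == new.invoice_date
              and SequenceMatcher(None, a, b).ratio() >= VENDOR_SIMILARITY):
            findings.append(f"REVIEW same amount and date as {old.vendor} {old.number}")
    if new.amount % 100 == 0:      # assumed definition of "round-dollar"
        findings.append("REVIEW round-dollar amount")
    if APPROVAL_THRESHOLD * (1 - NEAR_BAND) <= new.amount < APPROVAL_THRESHOLD:
        findings.append("REVIEW just under approval threshold")
    return findings
```

Amounts are held as Decimal so that equality comparisons on money are exact; a float-based version would miss or invent matches on cents.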

Why is independent call-back verification so important?

Because it is the single barrier that stops business email compromise, the most expensive AP fraud. When a bank-detail change request arrives, you call the vendor back on a phone number you sourced independently — not one from the request email — and confirm the change is genuine. This breaks the attacker's control of the communication channel. It's described as the highest-ROI control in AP because it stops the costliest scheme at very low cost.

What is structuring and how do I catch it?

Structuring is splitting spend into multiple invoices that each fall just under an approval threshold, so no single invoice triggers higher scrutiny. You catch it by monitoring for invoices clustered just below approval thresholds and for round-dollar amounts, then investigating patterns by vendor or submitter. Flagging just-under-threshold invoices for review turns a deliberate evasion tactic into a visible signal.
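
One way to run the structuring monitor described above, as an added example that is not part of the checklist. The threshold, the 10% band, the 30-day window, the minimum cluster size and the sample rows are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta
from decimal import Decimal
from typing import NamedTuple

# Assumed policy values for illustration; the checklist does not specify them.
APPROVAL_THRESHOLD = Decimal("10000")
NEAR_BAND = Decimal("0.10")      # "just under" = within 10% below the threshold
WINDOW = timedelta(days=30)      # invoices this close together form a cluster
MIN_CLUSTER = 3                  # smallest cluster worth an analyst's time

class Row(NamedTuple):
    submitter: str
    vendor: str
    amount: Decimal
    entered: date

# Constructed sample data, not taken from the checklist.
ROWS = [
    Row("jdoe", "Acme", Decimal("9800"), date(2026, 3, 2)),
    Row("jdoe", "Acme", Decimal("9750"), date(2026, 3, 9)),
    Row("jdoe", "Borealis", Decimal("9900"), date(2026, 3, 15)),
    Row("jdoe", "Acme", Decimal("9950"), date(2026, 6, 20)),
    Row("asmith", "Acme", Decimal("9600"), date(2026, 1, 5)),
    Row("asmith", "Cobalt", Decimal("4200"), date(2026, 3, 3)),
]

def structuring_alerts(rows, by):
    """Map each submitter or vendor (by='submitter'|'vendor') to its largest
    in-window cluster of near-threshold invoices as (count, combined amount)."""
    floor = APPROVAL_THRESHOLD * (1 - NEAR_BAND)
    near = defaultdict(list)
    for r in rows:
        if floor <= r.amount < APPROVAL_THRESHOLD:
            near[getattr(r, by)].append(r)
    alerts = {}
    for key, group in near.items():
        group.sort(key=lambda r: r.entered)
        start, best = 0, []
        for end in range(len(group)):          # sliding window over dates
            while group[end].entered - group[start].entered > WINDOW:
                start += 1
            if end - start + 1 > len(best):
                best = group[start:end + 1]
        total = sum(r.amount for r in best)
        if len(best) >= MIN_CLUSTER and total >= APPROVAL_THRESHOLD:
            alerts[key] = (len(best), total)
    return alerts
```

On the sample rows, grouping by submitter surfaces a cluster that grouping by vendor misses, because the invoices are spread across two vendors; running both views covers the "by vendor or submitter" investigation the answer describes.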

How does segregation of duties prevent fraud?

It ensures no single user can create a vendor, approve an invoice, and release a payment — the full chain a fraudster needs to control to pay themselves. By separating those roles and requiring dual approval on vendor master and banking changes, you make insider fraud require collusion, which is far harder to execute and easier to detect. Limiting and logging override authority closes the remaining gap.

What controls stop check fraud?

Positive pay and payee positive pay are the primary controls: the bank matches each check presented against your file of issued checks, including the payee, and flags any altered amount or payee before it clears. Combine that with segregation of duties on check issuance and an immutable log of voids and re-issues. For ACH, debit blocks and filters prevent unauthorized originators from pulling funds, defending against account takeover.

How do I find fictitious or insider-created vendors?

Periodically review the vendor master for records matching employee addresses or bank accounts, which is a strong signal of a fictitious vendor set up by an insider. Combine this with segregation of duties so the person who creates a vendor can't also approve and pay it, and with audit-log review of who created and edited each record. Many AP platforms can flag vendor-employee data overlaps automatically.

Should I block duplicates at entry or at payment?

At entry. Blocking when an invoice number already exists for a vendor stops the duplicate before it enters the workflow, which is far cheaper than catching it at the payment run after approvals have been spent on it. Entry-time blocking is the principle the checklist emphasizes: both duplicates and fraud are cheapest to stop at the point of entry, before they consume process and before money moves.

What monitoring should run after the fact?

Run an immutable audit-log review on all master-data and payment changes, review the vendor master for employee-matching addresses or accounts, monitor for structuring (just-under-threshold clustering), and reconcile the AP subledger to the GL and to bank activity on a defined cadence. These detective controls catch what prevention misses and provide the evidence trail auditors and investigators rely on.

Can AP automation software detect fraud automatically?

Partly. Platforms like Tipalti and AvidXchange block duplicates at entry, flag potential vendor-master duplicates, screen vendors, and enforce dual approval on banking changes — strong automated defenses. But the highest-value control, independent call-back verification on bank changes, is a human process the software can prompt but not perform. The most reliable setup pairs the platform's automated detection with disciplined human verification and the segregation-of-duties rules this checklist defines.
