Free PDF · AP Automation

3-Way Match Controls Checklist

A practical controls checklist for matching purchase order, receipt, and invoice — including tolerance design, exception handling, and segregation of duties that hold up to an audit.

  • Match Setup
  • Tolerance Design
  • Exception Handling Workflow
  • Segregation of Duties

Spotsaas · 2026

What it is

The 3-Way Match Controls Checklist is a practical, audit-ready playbook for one of the most important controls in accounts payable: matching the purchase order, the goods receipt, and the supplier invoice before any money leaves the building. Three-way match is the discipline of proving that what was ordered (the PO), what was received (the goods receipt or GRN), and what is being billed (the invoice) all agree on quantity, unit price, and extended amount at the line level. When those three documents line up, the invoice is legitimate; when they don't, you have an exception that needs a human decision before payment. This checklist turns that principle into concrete steps for match setup, tolerance design, exception handling, and segregation of duties.

Rather than treating three-way match as a single yes/no gate, the checklist breaks the control into the parts that actually trip teams up. It specifies matching at the line and unit-of-measure level rather than at the invoice header, handling partial receipts and partial invoicing against open PO balances, and blocking payment on any invoice that has not completed a match unless the override is explicit and logged. It then layers in a tolerance design table, a three-step exception workflow (identify, resolve, approve and record), and a segregation-of-duties checklist so that the same person never raises the PO, confirms the receipt, and releases the payment. The goal is a control that lets clean invoices flow untouched while forcing every genuine exception to a named owner with documented authority.

Because the document is grounded in real AP mechanics — open PO balances, GR/IR clearing, tolerance bands, immutable audit logs — it works whether you are running three-way match manually in an ERP or evaluating accounts payable automation platforms like Tipalti or AvidXchange that promise to do the matching for you. It gives a finance team a shared definition of what 'good' looks like so that controls are designed deliberately instead of inherited by accident.

What it's used for

Teams reach for the 3-Way Match Controls Checklist whenever they need to prove, defend, or rebuild the matching control that sits between an invoice and a payment. It is most often pulled out during audit preparation, a controls redesign, an ERP or AP automation rollout, or after a duplicate or over-payment exposes a gap. The checklist is built to answer a specific question: does our matching process let legitimate invoices pass while catching every meaningful variance?

  • Designing match setup so the PO, goods receipt, and invoice are compared on quantity, unit price, and extended amount at the line level — not just on invoice header totals that can hide line-level errors.
  • Building a tolerance table that defines acceptable variance by type (unit-price within 2% or $25, zero tolerance on short receipts, hard block above PO quantity) and the exact action to take when each is exceeded.
  • Standing up a repeatable exception-handling workflow that auto-flags the specific variance, queues it with supporting documents, and routes it by type to the buyer, receiver, or AP owner.
  • Handling partial receipts and partial invoicing cleanly so invoices that exceed the remaining open PO quantity or value are flagged rather than silently paid.
  • Enforcing segregation of duties so the PO raiser is not the receipt confirmer, the invoice approver is not the payment releaser, and vendor bank-detail changes get independent verification.
  • Documenting tolerance overrides with an approver name and capturing the full resolution trail in an immutable audit log so the control survives external audit scrutiny.
  • Surfacing recurring exception types — bad POs, late receiving, missing receipts — so the team fixes root causes instead of clearing the same noise every month.

Who uses it

The checklist is written for the people who own the integrity of the invoice-to-pay process and for the auditors and controllers who have to sign off on it. It is deliberately cross-functional, because three-way match only works when procurement, receiving, and AP each play their part and no single role can complete the whole chain alone.

  • AP Manager: Owns the day-to-day match process and exception queue, and needs tolerances tuned so the team isn't buried in noise while still catching real variances.
  • Controller: Is accountable for the control environment and uses the checklist to prove that matching, tolerances, and segregation of duties are designed and operating as intended.
  • Internal / External Auditor: Tests whether three-way match actually blocks unmatched payments and whether overrides are limited, logged, and reviewed — the checklist maps directly to the evidence they request.
  • Procurement / Buyer: Resolves price and quantity exceptions routed to them, amends POs when terms change, and relies on clear tolerance rules to know when their sign-off is needed.
  • AP Automation Implementer: Configures matching rules and tolerance bands in a platform such as Tipalti or AvidXchange and uses the checklist as the requirements spec for what 'matched' must mean.

Context & good to know

Three-way match is the single most cited control in accounts payable, and for good reason: it is the barrier that stops billing schemes, over-billing, and payment for goods that never arrived. The challenge is almost never understanding the concept — it is operationalizing it without grinding AP to a halt. A tolerance set too wide turns the match into a rubber stamp; set too tight, it floods the team with exceptions that train approvers to click through without reading. The art is calibrating tolerances so clean invoices flow straight through while every genuine variance lands on a named human with documented authority.

Modern AP automation platforms market three-way match as a headline feature, and the better ones do remove enormous manual effort by extracting invoice data, locating the PO and receipt, and matching at the line level automatically. But automation does not remove the design decisions: someone still has to set the tolerance bands, decide how partial receipts net against open PO balances, and define what happens when a match fails. Whether you run Tipalti, AvidXchange, or matching native to your ERP, the control is only as good as the rules behind it. This checklist is the rulebook that should exist before any configuration begins.

Segregation of duties is where well-intentioned matching quietly breaks. In lean teams it is tempting to let one person create the PO, receive the goods, and approve the invoice — which collapses the entire point of the control. The checklist insists on separation at the three pressure points (PO creation, receipt confirmation, payment release) and on independent verification of vendor master changes, especially bank details, which are the top vector for business email compromise. These are exactly the controls an auditor will probe first.

For finance leaders comparing AP software, three-way match capability is a useful lens because it exposes how seriously a platform treats controls. Buyers frequently ask 'what is the best accounts payable software?' and 'what is the most reliable AP software?' — and the honest answer depends on whether a tool enforces line-level matching, configurable tolerances, real exception routing, and an immutable audit trail. This checklist gives evaluators a vendor-neutral scorecard to bring to demos so the question becomes specific instead of generic.


Built on verified data, not vendor spin

Every Spotsaas resource draws on the Spotsaas Score — a blend of verified review ratings, review volume, and feature depth across 38 AP automation software tools. Refreshed regularly; data as of June 2026.

FAQ

Questions, answered

What is a 3-way match in accounts payable?

A three-way match compares three documents before an invoice is paid: the purchase order (what was ordered), the goods receipt or GRN (what was received), and the supplier invoice (what is being billed). When quantity, unit price, and extended amount agree across all three at the line level, the invoice is considered valid for payment. If any of them disagree beyond an allowed tolerance, the invoice becomes an exception that a person must resolve before payment is released.

How is a 3-way match different from a 2-way match?

A two-way match compares only the purchase order and the invoice — useful when there is no physical receipt to confirm, such as services or freight. A three-way match adds the goods receipt, proving the items were actually delivered before you pay. Three-way match is the stronger control for physical goods; two-way match is common for non-PO or service invoices where a budget-owner coding approval substitutes for the missing receipt.

What tolerance levels should I set for matching?

Tolerances should let clean invoices pass while forcing real variances to a human. Common starting points are unit-price variance within 2% or $25 (whichever is lower) routed to the buyer, zero tolerance on short receipts so they hold for confirmation, a hard block above PO quantity, freight or tax not on the PO within about 5% of line value, and total invoice variance within 1% or $50 escalating to the AP manager. Tune these against your own exception data after a few cycles.

How do I handle partial receipts and partial invoices?

Match at the line level against the open PO balance rather than the original PO total. A partial receipt should match the quantity actually received, and a partial invoice should consume only the corresponding open quantity and value. Any invoice that exceeds the remaining open PO quantity or value should be flagged as an exception so you don't pay for more than was ordered or received.
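
The tolerance and partial-receipt rules from the two answers above, sketched as an added example (not code from the Spotsaas checklist or from any AP platform). The names `POLine`, `match_line` and `run_demo`, the routing owners for quantity exceptions, and applying the 2% / $25 cap to the extended line variance are assumptions made for illustration; the sample PO and invoices are constructed.

```python
from dataclasses import dataclass
from decimal import Decimal as D

# Page's starting point for unit-price variance: 2% or $25, whichever is lower.
PRICE_PCT, PRICE_ABS = D("0.02"), D("25")

@dataclass
class POLine:
    ordered: D           # quantity on the PO line
    unit_price: D        # agreed PO unit price
    received: D = D(0)   # cumulative goods-receipt quantity
    invoiced: D = D(0)   # cumulative quantity already matched and consumed

def match_line(po: POLine, inv_qty: D, inv_price: D) -> tuple[str, str]:
    """Return (decision, owner) for one invoice line.

    Quantities are checked against open balances, not the original PO total,
    and the open balance is consumed only when the line fully matches.
    """
    open_po = po.ordered - po.invoiced    # still open on the PO
    open_gr = po.received - po.invoiced   # received but not yet invoiced
    if inv_qty > open_po:
        return "BLOCK_OVER_PO_QTY", "buyer"      # hard block above PO quantity
    if inv_qty > open_gr:
        return "HOLD_SHORT_RECEIPT", "receiver"  # zero tolerance on short receipts
    variance = abs(inv_price - po.unit_price) * inv_qty
    allowed = min(PRICE_PCT * po.unit_price * inv_qty, PRICE_ABS)
    if variance > allowed:
        return "PRICE_VARIANCE", "buyer"         # price exceptions go to the buyer
    po.invoiced += inv_qty
    return "MATCHED", "none"

def run_demo() -> list[str]:
    """Constructed scenario: PO for 100 units at $10.00, 60 received so far."""
    po = POLine(ordered=D("100"), unit_price=D("10.00"), received=D("60"))
    out = [match_line(po, D("40"), D("10.00"))[0]]   # partial invoice within receipt
    out.append(match_line(po, D("30"), D("10.00"))[0])  # only 20 received and open
    po.received = D("100")                           # second goods receipt posts
    out.append(match_line(po, D("30"), D("10.30"))[0])  # $9.00 variance vs $6.00 cap
    out.append(match_line(po, D("30"), D("10.10"))[0])  # $3.00 variance, within cap
    out.append(match_line(po, D("40"), D("10.00"))[0])  # only 30 left open on the PO
    return out

if __name__ == "__main__":
    print(run_demo())
```
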

What does segregation of duties mean for three-way match?

It means no single person can complete the whole chain. The person who raises the PO should not be the one who confirms the receipt, and the person who approves the invoice should not be the one who releases payment. Vendor master changes — especially bank details — require independent verification, and tolerance or rule configuration is restricted to a controls or admin role. This separation is what prevents both honest error and deliberate fraud.

What happens when an invoice fails the match?

It becomes an exception. The system should auto-flag the specific variance (price, quantity, missing receipt, no PO), queue it with the relevant documents attached, and route it by type to the right owner. That owner confirms the receipt, amends the PO, or corrects the coding, documents the reason for any tolerance override with the approver's name, and then re-runs the match rather than approving around it. Out-of-tolerance payments require a higher-tier approval.

Can AP automation software do three-way matching automatically?

Yes. Platforms like Tipalti and AvidXchange extract invoice data, locate the matching PO and receipt, and compare them at the line level automatically, routing only the exceptions to people. But automation does not replace the design work: you still set the tolerances, define how partial receipts net against open balances, and decide the exception routing. The software enforces the rules you give it, so the controls must be designed before the platform is configured.

Why is three-way match important for an audit?

Auditors test three-way match to confirm that payments are supported by evidence of a valid order and actual receipt, that unmatched invoices cannot be paid without a logged override, and that overrides are limited and reviewed. A clean, immutable audit log of every match, exception resolution, and override is the evidence they request. A documented matching control with proper segregation of duties is one of the strongest signals of a healthy AP environment.

What is the difference between a goods receipt and a GRN?

They are effectively the same thing — a goods received note (GRN) is the document that records receipt of goods, while 'goods receipt' is the broader term for the receiving event captured in the system. In three-way match, both refer to the confirmation that the ordered items arrived, which is matched against the PO and the invoice. The GR/IR (goods-received / invoice-received) clearing account is where these are reconciled until the matching invoice posts.

How do I stop tolerance overrides from becoming a loophole?

Limit who can override, require a higher-tier approval for any out-of-tolerance payment, force the approver to document the reason, and capture every override in the immutable audit log. Then review overrides periodically to spot patterns — the same vendor, buyer, or amount band recurring is a signal that either a tolerance is mis-set or a control is being worked around. Overrides should be the rare, visible exception, never the routine path.
