Healthcare Accounts Payable (AP) Audit: Checklist, Controls, and Compliance

Accounts Payable Audit Checklist

A robust healthcare Accounts Payable (AP) audit confirms that invoices are valid, properly approved, and paid accurately and on time. It also validates that your internal controls framework mitigates fraud and error while supporting operational efficiency.

Scope and objectives

• Confirm policy alignment with an internal controls framework and healthcare-specific requirements.
• Evaluate invoice intake, coding, three-way matching, and approval workflows.
• Review vendor master file verification, onboarding, and change controls.
• Test payment authorization limits, payment runs, and bank safeguards.
• Assess tax reporting compliance and document retention practices.
• Reconcile subledger to the general ledger and review the accounts payable aging report.

Evidence to assemble

• AP policies and procedures, approval matrices, and role-based access lists.
• Samples of POs, receiving records, invoices, and match/exemption logs.
• Vendor setup forms, W‑9/W‑8 records, TIN matches, and bank verification evidence.
• Payment files, check stock logs, ACH/wire confirmations, and void/stop-payment records.
• Month-end close checklists, AP aging, accruals, and reconciliation workpapers.

Key audit tests

• Walkthroughs of end-to-end invoice processing and approvals.
• Sampling for three-way matching accuracy, coding, and cutoff.
• Data analytics for duplicates, split payments, and unusual vendors or amounts.
• Review of payment authorization limits and evidence of secondary approvals.
• Inspection of vendor master file changes and segregation of duties around setup and payment.

Invoice Processing and Approval

Strong invoice workflows reduce risk and cycle time. Your process should authenticate invoice origins, link them to approved spending, and capture accurate accounting data for timely reporting.

Standard flow

• Intake: Receive invoices via secure channels; de-duplicate and date-stamp.
• Validation: Perform three-way matching (PO, receipt, invoice) with clear tolerance thresholds.
• Coding: Assign GL, cost center, project, and tax attributes; note capital vs. expense.
• Approval: Route by dollar thresholds to approvers per policy; record time-stamped sign-offs.
• Cutoff: Enforce receipt and accrual procedures to capture period-end liabilities accurately.

Control considerations

• Automated duplicate detection using invoice number, vendor ID, amount, and date.
• Exception handling workflow with documented rationale for match variances.
• Restricted edit rights for invoice fields that affect payment or reporting.
• Audit trail retention for all approvals, reversals, and changes.

Vendor Management and Verification

Vendors are a frequent source of AP risk. A disciplined onboarding and monitoring program prevents fraud, payment errors, and compliance violations.

Onboarding controls

• Vendor master file verification: Validate legal name, address, TIN, and banking details before activation.
• Regulatory screening: Check exclusion/sanctions lists as applicable and repeat periodically.
• Tax documentation: Collect and review W‑9/W‑8 forms; confirm TIN via authorized methods.
• Conflict-of-interest attestations for requestors and approvers, where required.

Change management

• Require independent verification for bank account or remit-to changes using trusted contacts.
• Segregate duties so vendor maintenance is separate from invoice entry and payment release.
• Maintain versioned records of adds/edits/deactivations with maker-checker approval.

Ongoing monitoring

• Periodic vendor recertification and activity reviews to identify dormant or duplicate records.
• Spend analysis to flag unusual spikes, round-dollar patterns, or off-contract rates.

Payment Processing and Controls

Payments must be timely, authorized, and protected in transit. Controls should cover batch integrity, transmission security, and post-payment reconciliations.

Run-to-bank safeguards

• Payment authorization limits enforced in the system with documented secondary approvals.
• Segregated payment file creation, approval, and bank release; dual control for wires and ACH.
• Positive pay and ACH debit blocks/filters; secure check stock with inventory logs.
• Exception handling for voids, reissues, returns, and stop-payments with supporting notes.

Optimization and oversight

• Payment scheduling aligned to terms and cash flow; capture early-payment discounts when economical.
• Daily bank reconciliation and periodic review of stale checks and credit balances.
• Continuous monitoring for duplicate or split transactions across payment methods.

Internal Controls and Segregation of Duties

Effective AP governance relies on clear responsibilities and independent checks. The goal is to prevent a single individual from initiating, approving, and releasing the same transaction.

Control design

• Adopt an internal controls framework for risk assessment, control activities, information, and monitoring.
• Segregation of duties across vendor maintenance, invoice entry/approval, and payment release.
• Role-based access with least-privilege principles and periodic access recertifications.
• Control matrices mapping risks (fraud, error, noncompliance) to specific preventive and detective controls.

Control testing

• Sample-based and data-analytic tests for approvals, overrides, and emergency payments.
• Issue tracking with root-cause analysis and targeted remediation plans.
• Quarterly self-assessments and annual independent reviews for sustained effectiveness.

Compliance and Documentation

Healthcare AP intersects with tax rules and industry regulations. Documented, consistent practices prove compliance and support reliable financial statements.

Tax reporting compliance

• Vendor classification and form tracking for 1099 reporting; capture reportable payments accurately.
• Withholding and treaty documentation for cross-border vendors, where applicable.
• Sales/use tax evaluation on non-PO invoices and services per jurisdictional rules.

Recordkeeping and audit trail

• Retention schedules for invoices, approvals, payment proofs, and correspondence.
• Immutable logs for approvals, changes, and overrides; timestamped and attributable to users.
• Monthly close documentation: reconciliations, accrual entries, and the accounts payable aging report.

Healthcare-specific considerations

• Business Associate Agreements when vendors access protected data; minimize PHI on invoices.
• Contract compliance to avoid remuneration issues; validate fair market value where required.

Vendor Contracts and Agreements

Contracts drive AP accuracy. Align invoice terms to executed agreements so pricing, service levels, and obligations are enforced before payment.

Contract-to-pay alignment

• Capture contract IDs on POs and invoices to enable automated rate and term checks.
• Validate escalators, rebates, and credits; reconcile statements to ensure benefits are realized.
• Define acceptance criteria and deliverables so three-way matching confirms both quantity and service completion.

Governance

• Central repository for executed agreements, amendments, and renewals with alerting.
• Standard clauses for termination, audit rights, data security, and invoice requirements.
• Periodic contract compliance reviews comparing billed amounts to negotiated price lists.

Conclusion

A disciplined healthcare Accounts Payable (AP) audit verifies that spending is authorized, invoices are accurate, vendors are legitimate, and payments are protected. By embedding three-way matching, vendor master file verification, payment authorization limits, and strong segregation of duties within a coherent internal controls framework, you strengthen compliance, reduce fraud risk, and improve financial performance.

FAQs.

What is included in a healthcare AP audit checklist?

An AP audit checklist covers policies, approval matrices, vendor master file verification, invoice three-way matching, cutoff and accruals, payment authorization limits, bank controls, tax reporting compliance, and reconciliation of the AP subledger to the general ledger and accounts payable aging report.

How do you verify vendor information in AP audits?

You confirm legal name and TIN with tax forms, authenticate banking through trusted channels, screen for exclusions or sanctions, and review change logs. Strong vendor master file verification includes maker-checker approvals, duplicate checks, and periodic recertification.

What controls prevent fraud in healthcare accounts payable?

Preventive measures include segregation of duties, predefined payment authorization limits, three-way matching with exception control, secure payment release under dual control, and bank tools like positive pay. Detective controls include duplicate-payment analytics and post-payment reconciliations.

How is compliance ensured during AP audits?

Compliance is demonstrated through documented policies, consistent execution, and retained evidence: approvals, audit trails, tax reporting compliance workpapers, and contract-to-invoice validations. Regular control testing and remediation sustain effectiveness over time.