Process and governance risks originate inside the organization. The failures described in this section happen because of how the paying organization has structured its own operations — how duties are divided, how the vendor file is maintained, how invoices are reviewed, how approvals are granted, and how payment timing is managed. When these internal structures are weak, absent, or deliberately circumvented, the disbursement environment becomes the vulnerability rather than the safeguard.
This is the territory that internal audit, external audit and fraud examiners spend the most time in, and for good reason. Process and governance failures are responsible for a significant majority of occupational fraud losses. They tend to compound over time — small control gaps exploited initially for small amounts, with perpetrators growing bolder as they confirm the absence of detection. And they are organizational in nature, meaning they usually reflect something systemic rather than a one-time lapse: a control that was never designed, a segregation that was waived for convenience and never reinstated, an approval process that became a rubber stamp.
The six risks in this section don't all look the same operationally, but they share a structural characteristic. Each one represents a point in the disbursement process where the absence of a specific control — or the compromise of one — creates an opening that a fraudster, whether an insider or an external actor with insider assistance, can exploit.
Segregation of Duties Failures
Segregation of duties is the foundational principle of disbursement control. The logic is simple: no single individual should have the ability to initiate, approve, and record a payment. Concentrating those functions in one person creates the conditions for undetected fraud. When they are properly distributed across different individuals — and when those individuals operate with genuinely independent accountability — each step in the payment process creates a check on the others.
The principle is well understood. The failures are nevertheless common, and they occur for reasons that are structurally predictable. Small and mid-sized organizations frequently lack the staff to fully segregate duties across all disbursement functions. Rapid growth can outpace the development of control infrastructure. Staff turnover leads to temporary consolidation of responsibilities that becomes permanent. IT system implementations sometimes grant access rights based on operational convenience rather than control design. And in some cases, individuals with authority over a function also have authority to override or bypass the controls that were supposed to govern it.
The most dangerous segregation failure is the one that combines payment initiation with approval authority. An employee who can both create a vendor record and approve payments to that vendor has everything they need to run a fictitious payee scheme. An employee who can both submit invoices for payment and authorize the disbursement can inflate or fabricate invoices without a second review. An employee who controls the master vendor file and processes payment runs can redirect legitimate vendor payments to personal accounts.
Segregation failures are also technology problems, not just organizational ones. Access rights in ERP and AP systems often accumulate over time as roles evolve, and periodic recertification of user access is frequently neglected. An employee who was granted temporary access to a function during a vacancy may retain that access indefinitely. System administrators who require broad access for technical reasons may also be able to create vendors or approve transactions, a combination that should be structurally prevented rather than managed through policy.
The control response requires both organizational design and system configuration. Duties should be formally mapped, with clear documentation of which roles perform which functions in the disbursement process. System access should reflect those role definitions, with technical controls that prevent incompatible access combinations rather than relying solely on policy compliance. Compensating controls — transaction monitoring, supervisory review, internal audit testing — are appropriate where full segregation is impractical, but they are compensating controls, not substitutes for the underlying principle.
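The mapping described above can be checked mechanically. The following Python script is an added example, not code from the original article: it evaluates a constructed role catalogue and user population against a small set of toxic function pairs. It works on the functions a user can actually perform once all their roles are flattened, rather than on role names, which is what catches the common case of two individually harmless roles accumulating on one person. The role names, function names, toxic pairs and users are all assumptions made for illustration.

```python
"""Segregation-of-duties conflict check over ERP entitlements.

Added example, not code from the original article. The role names, function
names, toxic pairs and the user/entitlement data are constructed for
illustration; a real ERP exposes these through its authorization tables.
"""

# Disbursement functions that must not be held by the same person. Each pair
# is one toxic combination; the comment names the scheme it would enable.
TOXIC_PAIRS = {
    frozenset({"vendor_create", "payment_approve"}),   # fictitious payee
    frozenset({"invoice_enter", "payment_approve"}),   # inflated/fabricated invoices
    frozenset({"vendor_modify", "payment_run"}),       # banking-detail redirection
    frozenset({"po_create", "invoice_approve"}),       # defeats three-way match
}

# Role -> functions it grants. Constructed sample role catalogue.
ROLE_FUNCTIONS = {
    "AP_CLERK": {"invoice_enter"},
    "AP_MANAGER": {"invoice_approve", "payment_approve"},
    "VENDOR_MAINT": {"vendor_create", "vendor_modify"},
    "TREASURY": {"payment_run"},
    "BUYER": {"po_create"},
    "ERP_ADMIN": {"vendor_create", "vendor_modify", "payment_approve", "payment_run"},
}


def effective_functions(roles):
    """Flatten a user's roles into the set of functions they can actually perform."""
    funcs = set()
    for role in roles:
        funcs |= ROLE_FUNCTIONS.get(role, set())
    return funcs


def sod_conflicts(user_roles):
    """Return {user: [sorted toxic pairs held]} for every user with a conflict.

    Conflicts are evaluated on effective functions, so a user holding two
    individually harmless roles that together span a toxic pair is flagged.
    """
    findings = {}
    for user, roles in user_roles.items():
        held = effective_functions(roles)
        hits = sorted(tuple(sorted(p)) for p in TOXIC_PAIRS if p <= held)
        if hits:
            findings[user] = hits
    return findings


# Constructed user population. "bob" kept VENDOR_MAINT after covering a vacancy;
# "erin" is the administrator whose technical role also spans payment functions.
SAMPLE_USERS = {
    "alice": ["AP_CLERK"],
    "bob": ["AP_MANAGER", "VENDOR_MAINT"],
    "carol": ["BUYER", "AP_MANAGER"],
    "dave": ["TREASURY"],
    "erin": ["ERP_ADMIN"],
}

if __name__ == "__main__":
    for user, hits in sod_conflicts(SAMPLE_USERS).items():
        print(user, hits)
```

Run against a real export, the interesting output is not the administrator (that conflict is known and should be structurally removed) but users like "bob", whose conflict exists only because a temporary grant was never revoked; those are the cases access recertification is supposed to catch.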
Ghost Vendor and Fictitious Payee Schemes
Ghost vendor schemes are among the most reliably damaging forms of occupational fraud in financial operations, in part because they can operate for extended periods without generating the kind of obvious disruption that triggers investigation. A ghost vendor — a fictitious entity or a real-sounding name associated with a bank account controlled by the fraudster — receives legitimate-looking payments that are processed through the normal disbursement cycle. No goods are delivered. No services are rendered. The payments simply disappear.
The mechanics typically require either control over the master vendor file or the ability to create and approve a new vendor without independent review. In organizations with proper segregation, creating a ghost vendor requires either collusion — one employee creates the vendor, another approves payments — or the exploitation of a system access gap that allows a single employee to do both. In organizations without proper segregation, a single motivated employee with sufficient system access can run the scheme alone.
Ghost vendors often appear plausible at the level of casual review. Names are chosen to resemble legitimate vendors, sometimes close variations of real vendor names already in the file. Addresses may be residential addresses, PO boxes or addresses recycled from real businesses. Invoice amounts are calibrated to stay below approval thresholds and audit scrutiny levels, and to avoid round-number patterns that might attract attention. Payment frequency is managed to avoid generating outliers in spend reporting.
Detection typically requires either analytical work — examining the vendor file for anomalies in creation patterns, address data, tax identification or payment behavior — or a tip from someone with direct knowledge. Automated monitoring for specific risk indicators is more reliable than periodic manual review: vendors without a tax ID, vendors with employee addresses, vendors added and paid within short windows, vendors with no purchase orders, or vendors whose sole contact is the employee who created them.
The preventive control structure is straightforward in principle. Vendor creation and vendor payment should require independent authorization. New vendor setup should include documentation requirements — tax ID, physical address, banking details verified through an independent source — that create friction for fictitious entries. Periodic vendor file audits should examine the full population for indicators of fictitious records, not just spot-check recent additions.
It is worth noting that ghost vendor schemes and employee banking substitution fraud are related but distinct. In a ghost vendor scheme, the fraudster creates a new payee. In banking substitution fraud, the fraudster redirects payments from a legitimate existing vendor to a controlled account. Both require access to the master vendor file or payment initiation, and both are prevented by the same underlying control: independent verification of any change or addition that routes funds to a new bank account.
Master Vendor File Integrity
The master vendor file is the authoritative record of who the paying organization is permitted to pay and where those payments are directed. Every disbursement, ultimately, is an instruction to move funds to an entity and bank account defined somewhere in that file. The integrity of the file is therefore foundational to the integrity of the entire disbursement process. A compromised master vendor file is not just a data quality problem — it is an open channel through which fraudulent payments can flow indefinitely.
The vulnerabilities in vendor file management are both structural and operational. On the structural side, the file is often treated as a reference database maintained by AP staff, with insufficient governance around who can add, modify or delete records — and insufficient logging of when those actions occur and who performs them. On the operational side, vendor records accumulate over time without regular deduplication or cleansing, creating a population that includes dormant vendors, obsolete banking details and duplicate entries that can obscure fraudulent insertions or modifications.
Unauthorized banking detail changes are the highest-risk event in vendor file management. When a vendor's bank account number is changed — whether by a legitimate vendor update or a fraudulent modification — all subsequent payments to that vendor go to the new account. If the change is fraudulent, the legitimate vendor receives nothing, and the paying organization doesn't know it until the vendor complains about non-payment. By then, one or more payment cycles may have cleared.
The control architecture for master vendor file integrity has several layers. Access controls define who can make changes and require that changes be made by someone other than the person who processes payments to that vendor. Change documentation requires that all modifications — particularly banking detail changes — be supported by source documentation and independently verified. Change logging creates an immutable audit trail that records every addition and modification with timestamp and user identity. And periodic file reviews examine the population for anomalies: duplicate tax IDs, duplicate bank accounts across multiple vendors, employees whose personal addresses match vendor addresses, vendors with missing required fields.
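Both the ghost-vendor indicators listed earlier (missing tax ID, employee addresses, vendors added and paid within a short window, payments with no purchase order) and the periodic file review described here reduce to queries over the same three tables. The following Python script is an added example, not code from the article or from any particular ERP: it loads a constructed vendor, employee and payment extract into an in-memory SQLite database and runs one query per indicator, so that every flag on a vendor is traceable to a single named rule. The table layout, column names, the 7-day window and all rows are assumptions; real ERP schemas differ.

```python
"""Vendor master file screening for ghost-vendor and integrity indicators.

Added example, not code from the article. Table layout, column names, the
7-day quick-pay window and all rows are constructed for illustration.
"""
import sqlite3

SCHEMA = """
CREATE TABLE vendors (id TEXT, name TEXT, tax_id TEXT, address TEXT,
                      bank_account TEXT, created_by TEXT, created_on TEXT);
CREATE TABLE employees (id TEXT, name TEXT, home_address TEXT);
CREATE TABLE payments (id TEXT, vendor_id TEXT, paid_on TEXT, amount REAL,
                       po_number TEXT, entered_by TEXT);
"""

# Constructed sample data. V3 is a ghost: no tax ID, employee e2's home address,
# paid by its creator three days after setup with no PO. V4 is a near-duplicate
# of V1 sharing its tax ID and bank account.
VENDORS = [
    ("V1", "Acme Supplies Ltd", "12-3456789", "1 Industrial Way", "GB11ACME001", "e1", "2023-01-10"),
    ("V2", "Northwind Traders", "98-7654321", "9 Harbour Rd", "GB22NORTH002", "e1", "2023-02-01"),
    ("V3", "Acme Supply Services", None, "14 Elm Close", "GB33GHOST003", "e2", "2024-03-01"),
    ("V4", "Acme Supplies Limited", "12-3456789", "1 Industrial Way", "GB11ACME001", "e2", "2024-03-15"),
]
EMPLOYEES = [("e1", "Pat Lee", "5 Oak St"), ("e2", "Sam Cole", "14 Elm Close")]
PAYMENTS = [
    ("P1", "V1", "2024-03-20", 4800.0, "PO-1001", "e1"),
    ("P2", "V3", "2024-03-04", 4950.0, None, "e2"),
    ("P3", "V2", "2024-03-28", 1200.0, "PO-1002", "e1"),
]

# One query per indicator so each finding stays explainable to a reviewer.
INDICATORS = {
    "missing_tax_id": "SELECT id FROM vendors WHERE tax_id IS NULL OR tax_id = ''",
    "employee_address": """SELECT v.id FROM vendors v JOIN employees e
                           ON lower(v.address) = lower(e.home_address)""",
    "shared_bank_account": """SELECT id FROM vendors WHERE bank_account IN
                              (SELECT bank_account FROM vendors
                               GROUP BY bank_account HAVING COUNT(*) > 1)""",
    "shared_tax_id": """SELECT id FROM vendors WHERE tax_id IN
                        (SELECT tax_id FROM vendors WHERE tax_id IS NOT NULL
                         GROUP BY tax_id HAVING COUNT(*) > 1)""",
    # created and paid inside 7 days, with the payment entered by the creator
    "quick_pay_by_creator": """SELECT DISTINCT v.id FROM vendors v JOIN payments p
                               ON p.vendor_id = v.id
                               WHERE p.entered_by = v.created_by
                                 AND julianday(p.paid_on) - julianday(v.created_on) <= 7""",
    "paid_without_po": """SELECT DISTINCT vendor_id FROM payments
                          WHERE po_number IS NULL OR po_number = ''""",
}


def load(conn):
    """Create the tables and insert the constructed extract."""
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO vendors VALUES (?,?,?,?,?,?,?)", VENDORS)
    conn.executemany("INSERT INTO employees VALUES (?,?,?)", EMPLOYEES)
    conn.executemany("INSERT INTO payments VALUES (?,?,?,?,?,?)", PAYMENTS)


def screen_vendor_file(conn):
    """Return {vendor_id: sorted list of indicator names} for flagged vendors."""
    flagged = {}
    for name, sql in INDICATORS.items():
        for (vendor_id,) in conn.execute(sql):
            flagged.setdefault(vendor_id, set()).add(name)
    return {v: sorted(i) for v, i in flagged.items()}


def run_screen():
    """Build the in-memory database and run the full screen."""
    conn = sqlite3.connect(":memory:")
    try:
        load(conn)
        return screen_vendor_file(conn)
    finally:
        conn.close()


if __name__ == "__main__":
    for vendor_id, hits in sorted(run_screen().items()):
        print(vendor_id, ", ".join(hits))
```

The point of stacking indicators rather than alerting on each one is visible in the output: V3 trips four rules at once, which is the profile of a fictitious payee, while V1 and V4 trip only the duplicate-record rules, which is more often a cleansing problem than a fraud. Each vendor's hit list, not the raw count of alerts, is what the reviewer should be looking at.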
There is also a data governance dimension that is often neglected. The master vendor file should have a defined owner, a defined maintenance process and a defined review cycle. In many organizations it has none of these things — it is managed informally, by multiple people with inconsistent practices, without documentation of what standards govern entries. That informality is itself a control gap, independent of any specific fraud.
Invoice and PO Fraud (Duplicate, Altered, and Inflated)
Invoice fraud is the broadest category in this section, encompassing schemes that range from relatively unsophisticated duplicate submission to more deliberate alteration of legitimate documents and systematic inflation of billing over time. What these variants share is the core mechanism: a payment is made for an amount or for a purpose that does not accurately reflect value received.
Duplicate invoice fraud — submitting the same invoice more than once and receiving payment on both submissions — is in principle the easiest variant to detect and in practice the most common. It happens because invoice management systems frequently lack reliable deduplication logic, because invoices may arrive through multiple channels, because vendor numbering conventions vary and the same underlying transaction may appear with different reference numbers, and because high invoice volumes reduce the likelihood that any individual reviewer catches a repeat submission. Automated duplicate detection — matching on vendor, amount, date, and invoice number — is the standard control, but its effectiveness depends on clean and consistent data capture: an exact match on the invoice number misses a reference that was re-keyed as "inv 42" the second time round.
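The data-capture dependency is the part that defeats most naive duplicate checks, so here is an added Python example (not code from the article) of a two-pass duplicate screen: the first pass normalises the vendor reference (case, punctuation, whitespace, a leading "INV" prefix, leading zeros) before matching on vendor, amount and reference; the second pass falls back to vendor, amount and date to catch a resubmission under a fresh reference. The field names, normalisation rules and sample invoices are constructed assumptions; amounts are compared in cents to avoid floating-point equality problems.

```python
"""Duplicate-invoice detection with reference normalisation.

Added example, not code from the article. Field names, the normalisation
rules and the sample invoices are constructed for illustration.
"""
import re
from collections import defaultdict


def normalise_ref(ref):
    """Collapse the ways one vendor reference gets re-keyed: case, punctuation,
    whitespace, a leading 'INV' prefix and leading zeros."""
    s = re.sub(r"[^A-Z0-9]", "", ref.upper())
    s = re.sub(r"^INV", "", s)
    return s.lstrip("0") or "0"


def find_duplicates(invoices):
    """Return a list of (reason, [invoice ids]) groups that look like duplicates.

    Pass 1 keys on (vendor, amount in cents, normalised ref). Pass 2 keys on
    (vendor, amount in cents, date) and only reports groups pass 1 missed, so a
    resubmission under a new reference still surfaces.
    """
    by_ref = defaultdict(list)
    by_date = defaultdict(list)
    for inv in invoices:
        cents = round(inv["amount"] * 100)
        by_ref[(inv["vendor"], cents, normalise_ref(inv["ref"]))].append(inv["id"])
        by_date[(inv["vendor"], cents, inv["date"])].append(inv["id"])
    groups = []
    seen = set()
    for ids in by_ref.values():
        if len(ids) > 1:
            groups.append(("same_vendor_amount_ref", ids))
            seen.update(ids)
    for ids in by_date.values():
        if len(ids) > 1 and not seen.issuperset(ids):
            groups.append(("same_vendor_amount_date", ids))
    return groups


# Constructed sample: I2 re-keys I1's reference; I5 is I4 resubmitted with a new
# reference on the same date; I3 and I6 are legitimate distinct invoices that
# happen to share an amount with their neighbours.
SAMPLE = [
    {"id": "I1", "vendor": "V1", "ref": "INV-0042", "amount": 1250.00, "date": "2024-03-01"},
    {"id": "I2", "vendor": "V1", "ref": "inv 42",   "amount": 1250.00, "date": "2024-03-14"},
    {"id": "I3", "vendor": "V1", "ref": "INV-0043", "amount": 1250.00, "date": "2024-03-20"},
    {"id": "I4", "vendor": "V2", "ref": "A-100",    "amount": 800.50,  "date": "2024-03-05"},
    {"id": "I5", "vendor": "V2", "ref": "A-100R",   "amount": 800.50,  "date": "2024-03-05"},
    {"id": "I6", "vendor": "V2", "ref": "A-101",    "amount": 800.50,  "date": "2024-03-06"},
]

if __name__ == "__main__":
    for reason, ids in find_duplicates(SAMPLE):
        print(reason, ids)
```

The second pass will produce false positives for vendors that genuinely bill the same amount on the same day (recurring fixed charges), which is why it is reported as a separate, weaker reason rather than merged with the first.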
Altered invoice fraud involves modification of legitimate invoice documents to change the amount, the payee, or the banking details. In physical document environments this required access to original paperwork. In digital environments it requires only the ability to edit a PDF or intercept a document in transit — both relatively accessible capabilities. The control response involves document integrity verification and, for high-value transactions, direct vendor confirmation that the invoice as received matches what the vendor submitted.
Invoice inflation is more systematic and often more difficult to detect because each individual invoice may pass surface-level review. The fraud operates at the pattern level — a vendor consistently billing at the top of contracted rate ranges, systematically adding line items for services that are difficult to verify, or incrementally increasing prices in ways that individually appear within tolerance but cumulatively represent significant overbilling. Detection requires contract compliance analysis, not just invoice matching: comparing what was billed against what was contracted and comparing billing patterns over time against reasonable benchmarks.
Purchase order fraud — creating fraudulent POs to authorize illegitimate purchases or manipulating PO records to cover unauthorized spending — is the complement to invoice fraud on the commitment side of the transaction. It typically requires access to the procurement system and either approval authority or the ability to exploit approval thresholds. The control response parallels the invoice controls: independent authorization of POs, matching requirements, and monitoring for POs that are created and approved by the same individual or that cluster suspiciously just below approval thresholds.
The combination of PO fraud and invoice fraud — where a fraudster controls both the purchase order and the invoice side of a transaction — represents a more complete scheme that bypasses three-way matching entirely. This is precisely why the segregation of duties between procurement authorization and invoice approval is structurally important, not just procedurally recommended.
Authorization and Approval Control Weaknesses
The authorization and approval structure in a disbursement environment is the formal architecture through which the organization determines that a payment is legitimate, appropriate and properly sanctioned. When that structure has weaknesses — whether in design, execution or enforcement — payments that should not clear do clear, and the control that was supposed to catch them provides only the appearance of oversight rather than the substance.
Authorization weaknesses take several forms. Threshold-based approval structures are standard practice — transactions above certain dollar amounts require higher levels of approval. But threshold structures create predictable gaming behavior: a fraudster who knows the thresholds will structure fraudulent payments to fall just below them, sometimes repeatedly, generating a pattern of payments that individually appear routine but collectively represent significant theft. This is one of the most consistently documented patterns in occupational fraud, and it is one of the clearest arguments for transaction monitoring that looks at cumulative vendor spend and payment frequency rather than just individual transaction amounts.
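Looking at cumulative spend and frequency rather than single amounts is a small analytic. The following Python script is an added example, not code from the article: it flags vendors whose payments cluster in the band just below an approval threshold and, for those vendors, computes the largest rolling 30-day total, which is the figure a per-transaction approval check never sees. The threshold value, the 10% band, the minimum hit count, the window length and the sample ledger are all constructed assumptions.

```python
"""Detecting payments structured just below an approval threshold.

Added example, not code from the article. The threshold, band width, minimum
hit count, window length and the sample ledger are constructed assumptions.
"""
from collections import defaultdict
from datetime import date

APPROVAL_THRESHOLD = 5000.00   # amounts at/above need a second approver (assumed)
BAND = 0.10                    # examine the top 10% just below the threshold
MIN_BAND_HITS = 3              # near-threshold payments before a vendor is reported
WINDOW_DAYS = 30


def structuring_report(payments, threshold=APPROVAL_THRESHOLD):
    """Return {vendor: report} for vendors whose payments cluster just under
    the threshold. Each report gives the band hit count, the band's share of
    all the vendor's payments, and the peak rolling 30-day total."""
    by_vendor = defaultdict(list)
    for p in payments:
        by_vendor[p["vendor"]].append(p)
    low = threshold * (1 - BAND)
    out = {}
    for vendor, rows in by_vendor.items():
        rows.sort(key=lambda r: r["date"])
        band_hits = [r for r in rows if low <= r["amount"] < threshold]
        if len(band_hits) < MIN_BAND_HITS:
            continue
        # Rolling-window sum over the date-sorted rows: advance the window
        # start until the span is under WINDOW_DAYS, then total the slice.
        peak, start = 0.0, 0
        for i, r in enumerate(rows):
            while (r["date"] - rows[start]["date"]).days >= WINDOW_DAYS:
                start += 1
            peak = max(peak, sum(x["amount"] for x in rows[start:i + 1]))
        out[vendor] = {
            "band_hits": len(band_hits),
            "band_share": round(len(band_hits) / len(rows), 2),
            "peak_30d_total": round(peak, 2),
            "exceeds_threshold_in_window": peak >= threshold,
        }
    return out


# Constructed ledger: V9 receives four payments of 4,7xx-4,9xx in five weeks,
# none of which individually needs second approval; V1 is an ordinary vendor
# with one large-but-legitimate invoice.
SAMPLE = [
    {"vendor": "V9", "date": date(2024, 3, 1),  "amount": 4800.00},
    {"vendor": "V9", "date": date(2024, 3, 9),  "amount": 4750.00},
    {"vendor": "V9", "date": date(2024, 3, 19), "amount": 4900.00},
    {"vendor": "V9", "date": date(2024, 4, 4),  "amount": 4700.00},
    {"vendor": "V1", "date": date(2024, 3, 3),  "amount": 1200.00},
    {"vendor": "V1", "date": date(2024, 3, 17), "amount": 4850.00},
    {"vendor": "V1", "date": date(2024, 3, 30), "amount": 300.00},
]

if __name__ == "__main__":
    for vendor, rep in structuring_report(SAMPLE).items():
        print(vendor, rep)
```

A single near-threshold payment (V1) is not evidence of anything; the signal is the combination of repetition, a high band share and a rolling total that would have required escalation had it been one payment.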
Approval quality is a distinct issue from approval existence. Many disbursement environments have formal multi-level approval requirements that are technically followed but operationally meaningless — approvers who rubber-stamp large volumes of transactions without genuine review, approval workflows that route to managers who lack the context to evaluate what they are approving, or digital approval processes that are so frictionless they provide no real check. The existence of an approval in the system does not mean the payment received genuine scrutiny. Periodic review of approval behavior — who is approving what, at what velocity and with what rejection rate — can reveal approval patterns that suggest the process has become ceremonial.
Delegation and override controls are a third vulnerability. Organizations routinely delegate approval authority during vacations, transitions and restructuring, and those delegations are frequently not revoked when the circumstances that prompted them resolve. Override capabilities — the ability to bypass normal approval requirements in exceptional circumstances — are a necessary operational feature but a significant control risk if not tightly governed. Every override should require documentation and secondary authorization, and override usage should be a standard item in internal audit review.
Emergency payment processes deserve particular attention. Organizations commonly establish expedited payment procedures for genuinely urgent situations, and those procedures commonly involve relaxed approval requirements. Fraudsters who are aware of these procedures — as insiders typically are — will construct scenarios that appear to qualify for emergency processing to bypass normal controls. Emergency payment requests should be subject to heightened scrutiny, not reduced scrutiny, even when the urgency appears genuine.
Timing and Cash Flow Manipulation
The final category in this section is less commonly discussed than the others, and it occupies a different point on the spectrum between outright fraud and aggressive but technically permissible behavior. Timing and cash flow manipulation involves using control over the disbursement function to influence when payments are made in ways that serve interests other than the organization's — whether those interests are personal, departmental, or the result of collusion with an external party.
The most straightforward version is payment acceleration: deliberately processing a payment earlier than its due date to benefit a specific vendor — potentially a vendor in which the approving employee has a financial interest, a vendor who has offered inducements, or simply a favored relationship. The harm to the paying organization is real: early payment sacrifices float, may forfeit early-payment discount opportunities with other vendors, and in extreme cases can create cash flow pressure if multiple accelerations coincide.
The opposite pattern — deliberate payment delay — can be used to generate leverage over vendors, to manage the appearance of disbursement totals within a reporting period, or to benefit vendors who profit from the interest that accrues on outstanding balances in certain structured payment arrangements. Systematic late payment also creates legal exposure in jurisdictions with prompt payment requirements and damages vendor relationships that have operational value.
Period-end manipulation is a more structurally significant variant. Because AP balances affect working capital metrics, cash flow statements and, in some cases, covenant compliance, employees with control over payment timing can influence financial reporting without altering a single record. Accelerating payments just before a period close to shrink the reported AP balance, or holding payments until just after close to protect the period-end cash figure, is a form of financial manipulation that may not involve fraud in the criminal sense but that distorts the financial picture the organization's leadership depends on.
The control response to timing manipulation is monitoring rather than prevention in the traditional sense. Approval workflows cannot easily detect whether a payment that is technically due has been deliberately accelerated or delayed. What monitoring can detect is patterns: vendors consistently paid before their due dates, payment timing that correlates with specific employees or approval chains, period-end disbursement patterns that deviate from normal cadence, and individual payment runs that are anomalous relative to historical behavior.
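Two of those patterns, vendors consistently paid before their due dates and timing that correlates with a specific approver, can be computed from the payment ledger alone. The following Python script is an added example, not code from the article: it reports vendors whose median days-early exceeds a tolerance, and for each approver the share of their payments that were early, so a favoured vendor and the approval chain behind it surface together. The field names, the 5-day tolerance, the minimum payment count and the sample rows are constructed assumptions.

```python
"""Payment-timing monitoring: early-payment patterns by vendor and approver.

Added example, not code from the article. Field names, the 5-day tolerance,
the minimum payment count and the sample ledger are constructed assumptions.
"""
from collections import defaultdict
from datetime import date
from statistics import median

EARLY_TOLERANCE_DAYS = 5   # paying a few days early is ordinary cash management
MIN_PAYMENTS = 3           # do not report a vendor on one or two data points


def days_early(p):
    """Positive when paid before due, negative when paid late."""
    return (p["due"] - p["paid"]).days


def timing_report(payments):
    """Return (vendors, approvers).

    vendors:   {vendor: {...}} for vendors with enough payments whose median
               days-early is beyond tolerance.
    approvers: {approver: {...}} with each approver's share of early payments,
               so a favoured vendor can be tied to who keeps approving it early.
    """
    by_vendor = defaultdict(list)
    by_approver = defaultdict(list)
    for p in payments:
        d = days_early(p)
        by_vendor[p["vendor"]].append(d)
        by_approver[p["approver"]].append(d)
    vendors = {}
    for v, ds in by_vendor.items():
        if len(ds) >= MIN_PAYMENTS and median(ds) > EARLY_TOLERANCE_DAYS:
            vendors[v] = {"payments": len(ds), "median_days_early": median(ds)}
    approvers = {}
    for a, ds in by_approver.items():
        early = sum(1 for d in ds if d > EARLY_TOLERANCE_DAYS)
        approvers[a] = {"payments": len(ds), "early_share": round(early / len(ds), 2)}
    return vendors, approvers


# Constructed ledger: V7 is paid about three weeks early every time, always by
# approver "m2"; everything else is paid on or near its due date.
SAMPLE = [
    {"vendor": "V7", "approver": "m2", "due": date(2024, 3, 31), "paid": date(2024, 3, 8)},
    {"vendor": "V7", "approver": "m2", "due": date(2024, 4, 30), "paid": date(2024, 4, 9)},
    {"vendor": "V7", "approver": "m2", "due": date(2024, 5, 31), "paid": date(2024, 5, 10)},
    {"vendor": "V1", "approver": "m1", "due": date(2024, 3, 31), "paid": date(2024, 3, 29)},
    {"vendor": "V1", "approver": "m2", "due": date(2024, 4, 30), "paid": date(2024, 4, 30)},
    {"vendor": "V2", "approver": "m1", "due": date(2024, 4, 15), "paid": date(2024, 4, 17)},
]

if __name__ == "__main__":
    vendors, approvers = timing_report(SAMPLE)
    print(vendors)
    print(approvers)
```

The median rather than the mean is used per vendor so that one genuinely urgent early payment does not put an otherwise normal vendor on the report; the approver view is reported for everyone, not just those over a threshold, because its value is the contrast between approvers.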
The Internal Control Imperative
The six risks in this section are, at their core, a description of what happens when the internal control environment fails to keep pace with the operational reality of the disbursement function. Some failures are designed out through proper structural controls — segregation of duties, access restrictions, approval architecture. Some are detected through monitoring and analytics. Some require the cultural dimension of internal control: an environment in which employees understand that controls exist, that exceptions are reviewed, and that anomalies will be investigated.
None of these controls is exotic or beyond the reach of a well-managed finance operation. What they require is intentionality — the recognition that the disbursement process is a high-risk environment that warrants a designed and maintained control structure, not just a set of procedures that exist on paper. The organizations that experience significant process and governance losses are rarely surprised by the specific type of fraud that hit them. They are surprised that it happened to them — that the controls they had were not functioning the way they believed.
That gap between perceived and actual control effectiveness is the real risk. Closing it requires not just designing the right controls, but testing them, monitoring their operation, and treating the disbursement environment as one that requires active governance rather than periodic attention.