What is Disbursement Control?
Disbursements: A Control Function
Not an Administrative Task
Every dollar that leaves an organization passes through a single chokepoint. It is not the CEO's office. It is not the board of directors. It is accounts payable — the function most executives relegate to back-office status: managed by junior staff, measured by invoice cycle times and largely invisible until something goes wrong.
And when something goes wrong in accounts payable, it goes wrong at scale. Fraud schemes built on fictitious vendors, duplicate payments to legitimate ones and misdirected wire transfers to compromised bank accounts have cost organizations tens of millions of dollars — losses that, in retrospect, passed directly through an accounts payable process that was not properly designed to stop them.
The premise of Disbursement Control is straightforward: accounts payable is not an administrative function. It is not merely an accounting function. It is a control function. Accounts payable is the organization's last opportunity to verify that money is going where it should, to whom it should, for the reason stated. And vendor information management, often treated as a clerical chore, sits at the very foundation of that control.
Accounts payable is the last control point before money leaves an organization. That is not a description of an administrative role — it is a description of a mission-critical control.
What Accounts Payable Actually Does
In its most reductive framing, accounts payable pays the organization’s bills. But this description misses the substance of what a well-run AP function is doing at every step: it is validating that a good or service was ordered, that it was received, that the invoice matches what was ordered and received, that the vendor is legitimate, that the vendor’s bank account actually belongs to that vendor, and that payment authority has been properly granted. Each of these steps is a control.
The three-way match — purchase order, receipt, invoice — is not a clerical exercise. It is a fraud and error detection mechanism. The segregation of duties between those who approve vendors and those who approve payments is not organizational formality. It is a foundational internal control principle. The requirement to verify a vendor's banking details before updating them in the system and issuing payment is not bureaucratic caution. It is a direct defense against misdirection through business email compromise, one of the most financially damaging fraud categories in the world.
When any of these controls degrades — due to understaffing, poor process design, inadequate technology or executive indifference — the exposure is immediate and the losses can be catastrophic.
While occupational fraud continues to threaten value from within, the rapid expansion of cybercrime has fundamentally altered the risk landscape — multiplying threat vectors, accelerating loss events and elevating payment fraud to a top-tier financial and operational risk.
Vendor Data: The Silent Vulnerability
If accounts payable is the last control point, the vendor master file is its most vital and vulnerable component. The vendor master contains the names, tax identification numbers, addresses, and — critically — bank account details for every entity to which the organization sends money. It is also, in most organizations, one of the least governed data assets in the enterprise.
In a typical vendor onboarding process at a mid-to-large-sized organization, a new vendor is submitted by an internal requester with limited verification accountability. Data entry is performed by an AP clerk; a supervisor may review the entry. The bank account information provided by the vendor — the details that will determine where thousands to millions of dollars are sent — may be accepted with nothing more than a phone call, if even that. When a vendor notifies the organization of a bank account change, typically by email, manual account verification is an arduous task that may be left undone. This is not an unusual scenario. It is the norm. And it is precisely the gap that fraud schemes exploit.
Business email compromise attacks targeting AP departments have become sophisticated, patient and highly effective. A fraudster will monitor email communications for weeks, then impersonate a known vendor at precisely the right moment — during a contract renewal, after an invoice dispute, at the close of a fiscal quarter when payment pressure is highest — and request a bank account change. The data in the vendor master is updated. The next legitimate invoice is paid to a fraudulent account. The loss is discovered weeks later, after the funds are unrecoverable.
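The controls described above (three-way match, segregation of duties, and verification of bank-detail changes) can be expressed as a payment-release gate. The sketch below is an added example, not part of the original article; the record fields, the 30-day hold window and the sample records are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

HOLD_DAYS = 30  # assumption: review window after any bank-detail change

@dataclass
class BankChange:
    vendor_id: str
    changed_on: date
    requested_via: str       # e.g. "email" or "portal"
    callback_verified: bool  # confirmed via contact details already on file
    approved_by: str

@dataclass
class Payment:
    vendor_id: str
    pay_date: date
    po_qty: int
    received_qty: int
    invoiced_qty: int
    po_cents: int
    invoice_cents: int
    approved_by: str

def release_findings(p, changes):
    """Return the reasons to hold payment p; an empty list means release."""
    findings = []
    # Three-way match: purchase order, receipt and invoice must agree.
    if not (p.po_qty == p.received_qty == p.invoiced_qty):
        findings.append("three-way match: quantity mismatch")
    if p.po_cents != p.invoice_cents:
        findings.append("three-way match: amount mismatch")
    for c in (c for c in changes if c.vendor_id == p.vendor_id):
        age = p.pay_date - c.changed_on
        # A recent, unverified bank change is the BEC misdirection pattern.
        if timedelta(0) <= age <= timedelta(days=HOLD_DAYS) and not c.callback_verified:
            findings.append(f"unverified bank change requested via {c.requested_via}")
        # Segregation of duties: vendor approver must differ from payment approver.
        if c.approved_by == p.approved_by:
            findings.append("segregation of duties: same approver")
    return findings

# Constructed sample records (not real data).
CHANGES = [BankChange("V-100", date(2024, 3, 1), "email", False, "alice"),
           BankChange("V-200", date(2024, 1, 5), "portal", True, "bob")]
RISKY = Payment("V-100", date(2024, 3, 12), 10, 10, 10, 125000, 125000, "alice")
CLEAN = Payment("V-200", date(2024, 3, 12), 5, 5, 5, 40000, 40000, "carol")

if __name__ == "__main__":
    for pay in (RISKY, CLEAN):
        print(pay.vendor_id, release_findings(pay, CHANGES) or "release")
```

The first sample payment passes the three-way match yet is still held, which is the point: a matching invoice says nothing about whether the bank account on file belongs to the vendor.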
Disbursements are not an “admin” or “back-office” function. They represent the last checkpoint before cash leaves the organization. The defense against the risk of payment fraud is a rigorous, consistently applied process for validating and re-validating vendor data — one that is treated with the same seriousness as any other financial control.