AP Controls Framework: Internal Controls for Private Construction Companies
Private construction companies don't have SOX (the Sarbanes-Oxley Act) forcing them into documented internal controls the way publicly-traded companies do. The freedom is real, but so is the risk that comes with it. Private companies experience the same fraud, errors, and control failures as public ones — they just don't have the external framework that forces the discipline of preventing them.
The ACFE's periodic Report to the Nations consistently finds that the median fraud loss at small businesses is larger in relative terms than at large public companies, precisely because small companies have fewer controls. For private construction specifically, fraud often surfaces at moments of external scrutiny — during a surety renewal, a bank audit, or a CPA review — where the absence of controls is suddenly visible to parties whose opinion matters.
A practical AP controls framework doesn't require SOX-level documentation or continuous external audit. It requires specific structural controls in five areas: segregation of duties, approval hierarchies, vendor master management, payment authorization, and monitoring. This post walks through each.
Segregation of duties (SoD) is the principle that no single person should control all phases of a transaction. In AP specifically, the canonical segregation is: the person who sets up a vendor is not the person who approves invoices; the person who approves invoices is not the person who signs payments; the person who signs payments is not the person who reconciles the bank statement.
For small construction companies with a limited AP staff, full segregation can be operationally impractical. When perfect segregation isn't achievable, compensating controls become essential: a second-person review on new vendor setup, a controller-level sign-off on all payments above a threshold, or a monthly review by an external party (CPA, outside bookkeeper) on cumulative activity.
Standard SoD assignments in AP
- Vendor master setup — vendor management or procurement (not AP clerk)
- Invoice entry — AP clerk
- Invoice approval — department manager or PM, matching to PO
- Payment authorization — controller or CFO
- Payment execution — AP clerk or treasury clerk (different from the approver)
- Bank reconciliation — accountant separate from AP or treasury
- Vendor statement reconciliation — AP clerk or dedicated reconciliation role
Every invoice needs approval, but the approver should match the decision being made. A $200 invoice to an office-supply vendor doesn't need CFO approval; a $200,000 subcontractor pay application needs careful review at a senior level. A dollar-threshold-based approval hierarchy scales authority to transaction size.
Typical tiered approval structure for construction AP
- Under $1,000 — AP clerk or PM approval
- $1,000-$10,000 — department manager approval
- $10,000-$50,000 — controller or VP approval
- $50,000-$250,000 — CFO approval
- Over $250,000 — CEO or owner approval
- A new vendor's first invoice — additional second-person verification regardless of amount
- Any bank-change request — mandatory callback and separate approval protocol
The thresholds are company-specific. A $50M revenue company and a $500M revenue company will set thresholds differently. The important principles are: thresholds exist; different types of spend have different review patterns; and the authorizations are documented, not informal.
The vendor master is the database of who the company pays. Control failures here enable ghost vendor fraud, duplicate-vendor payments, and bank-change fraud. The baseline controls:
Vendor master control structure
- Vendor setup restricted to authorized personnel (not AP clerks with invoice approval rights)
- New vendor approval requires W-9/W-8 verification and TIN matching before activation
- Bank account verification via callback to a previously-verified phone number
- Address verification against a commercial business address database
- Employee address cross-reference — flag any vendor with an address matching an employee
- Dormant vendor management — vendors with no activity for 12+ months deactivated automatically
- Periodic vendor master review — sample-based verification of long-tail vendors
Payment controls separate the authorization decision (approve this invoice for payment) from the execution mechanics (actually cut the check or initiate the ACH). The authorization is a business decision about whether the payment should happen. The execution is a treasury operation that moves funds.
Well-structured payment controls include dual-signature requirements on checks above a threshold, treasury-level review of ACH batches before release, positive pay services that validate checks against an expected list, and payment limits per vendor per period that prevent unauthorized spikes.
The highest-impact payment control for most private construction companies is mandatory dual approval on any new bank account or bank-change request for an existing vendor — with one approver pulled from a different team (treasury vs. AP, or CFO vs. controller). This single control eliminates most wire-fraud and bank-change-fraud scenarios.
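The tiered approval structure, the segregation-of-duties rules and the cross-team dual approval on bank changes described above, encoded as a system-enforced check. This is an added illustration, not code from the post or from any product it mentions; the role names, ranks, team map and the lower-inclusive tier boundaries are assumptions.

```python
from dataclasses import dataclass

# Role ranks and dollar tiers follow the approval structure described in the post.
# Role names, the team map and the boundary convention are constructed for this example.
ROLE_RANK = {"ap_clerk": 0, "pm": 0, "dept_manager": 1, "controller": 2, "vp": 2,
             "treasury": 2, "cfo": 3, "ceo": 4, "owner": 4}
TEAM = {"ap_clerk": "ap", "pm": "ops", "dept_manager": "ops", "vp": "ops",
        "controller": "finance", "cfo": "finance", "treasury": "treasury",
        "ceo": "exec", "owner": "exec"}
TIER_BOUNDS = [1_000, 10_000, 50_000, 250_000]


@dataclass
class Invoice:
    amount: float
    entered_by: str          # AP clerk who keyed the invoice
    vendor_setup_by: str     # user who created the vendor record
    approvals: list          # [(user, role), ...] as recorded by the system
    first_invoice_for_vendor: bool = False
    bank_change_pending: bool = False


def required_rank(amount):
    """Minimum approver rank for an amount; tier boundaries assumed lower-inclusive."""
    return sum(1 for bound in TIER_BOUNDS if amount >= bound)


def evaluate(inv):
    """Return control violations; an empty list means the payment may be released."""
    problems = []
    users = {u for u, _ in inv.approvals}
    ranks = [ROLE_RANK[r] for _, r in inv.approvals]
    # Segregation of duties: entry, vendor setup and approval are different people.
    if inv.entered_by in users:
        problems.append("sod: approved by the person who entered the invoice")
    if inv.vendor_setup_by in users:
        problems.append("sod: approved by the person who set up the vendor")
    # Tiered authority: at least one approver ranks high enough for the amount.
    if not ranks or max(ranks) < required_rank(inv.amount):
        problems.append(f"tier: ${inv.amount:,.2f} needs rank {required_rank(inv.amount)}")
    # New vendor's first invoice: a second distinct person regardless of amount.
    if inv.first_invoice_for_vendor and len(users) < 2:
        problems.append("new vendor: second-person verification missing")
    # Bank-change request: two people, drawn from two different teams.
    if inv.bank_change_pending and (len(users) < 2 or len({TEAM[r] for _, r in inv.approvals}) < 2):
        problems.append("bank change: dual approval from different teams required")
    return problems
```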
Preventive controls (SoD, approval hierarchy, vendor verification) stop most issues before they happen. Monitoring controls catch the ones that slip through. The AP-specific monitoring practices:
AP monitoring controls
- Monthly AP aging review — unexpectedly old balances flagged for investigation
- Vendor statement reconciliation — monthly on top vendors, catching misapplied payments and missed credits
- Duplicate detection — both automated (at invoice ingestion) and monthly sweep
- Payment trend analysis — unusual spikes in specific vendors or periods
- New vendor audit sampling — quarterly review of vendors added in the prior 90 days
- Bank reconciliation timing — reconcile within 5 business days of month end
- Quarterly CFO review of top 50 vendors by spend — concentration risk, relationship status, any emerging concerns
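Several of the vendor master and monitoring controls listed above (employee address cross-reference, duplicate vendor detection, dormant vendor identification, duplicate invoice sweep) run over constructed sample data. This is an added example, not code from the post or from any product it mentions; the record layouts, vendor names, TINs and addresses are made up for the illustration.

```python
from collections import defaultdict
from datetime import date

def norm(text):
    """Lowercase alphanumerics only, so 'INV-1001' and 'inv 1001' compare equal."""
    return "".join(ch for ch in text.lower() if ch.isalnum())

def employee_address_matches(vendors, employees):
    """Vendors whose address matches an employee address (ghost-vendor red flag)."""
    by_addr = {norm(e["address"]): e["name"] for e in employees}
    return [(v["id"], by_addr[norm(v["address"])]) for v in vendors if norm(v["address"]) in by_addr]

def duplicate_vendors(vendors):
    """Vendor ids grouped by TIN where more than one record shares a TIN."""
    by_tin = defaultdict(list)
    for v in vendors:
        by_tin[v["tin"]].append(v["id"])
    return {tin: ids for tin, ids in by_tin.items() if len(ids) > 1}

def dormant_vendors(vendors, payments, today, days=365):
    """Vendors with no payment in `days`; never-paid vendors are flagged too (setup date not modeled)."""
    last = {}
    for p in payments:
        last[p["vendor_id"]] = max(last.get(p["vendor_id"], date.min), p["date"])
    return sorted(v["id"] for v in vendors if (today - last.get(v["id"], date.min)).days > days)

def duplicate_invoices(payments):
    """Same vendor and same normalized invoice number seen more than once."""
    seen, dups = set(), []
    for p in payments:
        key = (p["vendor_id"], norm(p["invoice_no"]))
        if key in seen and key not in dups:
            dups.append(key)
        seen.add(key)
    return dups

VENDORS = [  # constructed sample vendor master
    {"id": "V1", "name": "Acme Concrete LLC", "tin": "11-1111111", "address": "100 Main St, Dallas TX"},
    {"id": "V2", "name": "ACME Concrete, L.L.C.", "tin": "11-1111111", "address": "100 Main Street Dallas TX"},
    {"id": "V3", "name": "Blue Rebar Supply", "tin": "22-2222222", "address": "42 Oak Ave, Plano TX"},
    {"id": "V4", "name": "Lone Star Hauling", "tin": "33-3333333", "address": "900 Elm Dr, Frisco TX"},
]
EMPLOYEES = [{"name": "J. Doe", "address": "42 Oak Ave Plano TX"}]  # constructed payroll extract
PAYMENTS = [  # constructed payment history; the second V1 line is a re-keyed duplicate
    {"vendor_id": "V1", "invoice_no": "INV-1001", "amount": 15000.0, "date": date(2024, 3, 1)},
    {"vendor_id": "V1", "invoice_no": "inv 1001", "amount": 15000.0, "date": date(2024, 3, 15)},
    {"vendor_id": "V3", "invoice_no": "B-77", "amount": 2200.0, "date": date(2024, 2, 10)},
    {"vendor_id": "V4", "invoice_no": "H-5", "amount": 800.0, "date": date(2022, 11, 2)},
]
TODAY = date(2024, 4, 1)
```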
Documentation
Private companies don't need SOX-level documentation but do benefit from written policies that describe the controls in place. The minimum documentation:
Minimum AP controls documentation
- AP policy document — one to three pages covering approval authority, payment methods, vendor setup procedures, and exception handling
- Approval matrix — who can approve what at what thresholds, updated as roles change
- Authorized signer list — who can sign checks and initiate ACH/wire transfers, with dollar limits and bank-signature-card alignment
- Vendor onboarding checklist — steps required to activate a new vendor
- Bank-change verification procedure — specific protocol for bank account updates
- Annual review schedule — when each policy gets reviewed and refreshed
Surety companies and commercial lenders assess internal controls as part of underwriting. A private construction company with documented AP controls gets better bonding terms, better lending relationships, and more favorable terms generally than a company without them. The time invested in building the controls framework pays off not just in fraud prevention but in the external relationships that depend on the company looking well-run.
For surety specifically, AP controls directly affect the 'character' dimension of the three-C underwriting analysis. A well-controlled AP operation signals that the company is managed professionally, which translates to favorable underwriting decisions. Companies that want to expand bonding capacity (which is often the binding constraint on growth) find that investing in controls is one of the more reliable paths.
The framework scales. A $20M revenue company might implement it with 2-3 people wearing multiple roles and clear written procedures. A $200M company has the same framework implemented with specialized roles, formal documentation, and technology enforcement. A $2B company looks SOX-like whether or not it's public. The underlying principles are the same; the specific operational embodiment grows with the company.
The worst pattern is a company that grew from $20M to $200M without evolving the controls framework. The original informal structure that worked for the small team becomes dangerous at scale — more dollars, more transactions, more opportunity for things to slip through. Recognizing the need to build the framework before the company fully outgrows its original structure is one of the most important transitions a growing construction company navigates.
AP automation makes controls structural rather than procedural. Approval hierarchies enforce themselves automatically. Vendor master rules block unauthorized changes. Payment limits and dual approvals happen at the system level. Monitoring runs continuously rather than relying on someone to remember to check.
The difference between policy-based controls and system-enforced controls is the difference between 'we have a policy' and 'the system can't be used to violate the policy.' For most private construction companies, moving from the former to the latter is the single highest-ROI investment in controls maturity.
Private construction companies don't face SOX but face the same underlying risks that SOX was designed to prevent. A practical controls framework — segregation of duties, tiered approval, vendor master discipline, payment authorization, and continuous monitoring — protects against fraud, error, and the operational messiness that compounds over time. The framework pays dividends beyond fraud prevention: better surety relationships, better lender terms, cleaner audits, and a more trustworthy organization overall. Building it early costs less than recovering from its absence later.
Written by
Sarah Blake
Head of Product
Former AP Manager at a $200M construction firm, now leads product at Covinly. Writes about what AP teams actually need from automation — beyond the marketing promises.