AP Recovery Audits: Finding Duplicate Payments After the Fact
A recovery audit is a forensic review of payments that have already gone out the door. It does not prevent errors — it finds them after the fact. The auditor combs through a year or more of paid invoices, vendor statements, contracts, and payment records, looking for money the company paid that it should not have: the same invoice paid twice, an invoice paid at the wrong price, a vendor credit that was issued but never applied, an early-payment discount that was earned but not taken, sales tax charged on an exempt material purchase.
For a construction company, a recovery audit is often an uncomfortable exercise. The findings are real dollars that left the bank account, and every dollar recovered is also evidence of a control that failed. But the audit is valuable precisely because it is concrete. It converts a vague sense that 'we are probably leaking money somewhere' into a line-itemed list with vendor names, invoice numbers, and amounts — and that list is the best possible map of where the AP process is broken.
The goal of this article is not to sell the recovery audit. It is to explain what recovery audits find, why construction AP is unusually prone to those leaks, and — the part that actually matters — how to fix the upstream controls so that the next recovery audit comes back nearly empty.
0% – 0.1%
Typical share of total spend recovered by a first-time recovery audit at a company with manual or partially automated AP controls (IOFM)
The headline category is duplicate payments, but a thorough recovery audit looks at a much wider set of leak types. The duplicates are the easiest to explain to a CFO; the others are usually larger in aggregate.
The standard recovery-audit leak categories
- Duplicate payments — the same invoice paid twice, often once against a PO and once as a standalone, or once from a scanned copy and once from the original
- Overpayments — an invoice paid for more than the contract or PO price, or for quantities never delivered
- Unapplied vendor credits — a credit memo issued for a return, a billing error, or a warranty adjustment that was never deducted from a later payment
- Missed early-payment discounts — a 2/10 net 30 term that was available and earned but not captured because the invoice was paid late
- Pricing errors — invoices billed at list price when a negotiated or volume price applied, or at a stale price after a contract amendment
- Sales and use tax errors — tax charged on a tax-exempt purchase, tax charged at the wrong jurisdiction's rate, or use tax accrued twice
- Statement discrepancies — open items on a vendor statement that the company's records show as paid, or vice versa
- Unreturned deposits and retainage — deposits on rental equipment or material orders that were never refunded, and retainage held by the company but already released by the project
Notice that only the first item is fraud-adjacent. The rest are process errors — and process errors are far more common than fraud. A recovery audit that finds $180,000 across a year of spend will typically attribute very little of it to bad actors and almost all of it to a process that let honest mistakes through.
Every industry leaks some money in AP. Construction leaks more, and the reasons are structural — they are baked into how construction work is bought, billed, and paid. Understanding the structure is what tells you which controls to fix.
A mid-size general contractor processes thousands of invoices a month from hundreds of vendors — material suppliers, equipment rental yards, subcontractors, fuel vendors, dumpster services. The sheer count means that any error rate, however small, produces a meaningful absolute number of bad payments. A 0.3% duplicate rate sounds trivial until it is 0.3% of forty thousand invoices a year.
The same supplier delivers concrete to three jobs run by two legal entities. The same invoice can plausibly belong to any of them, and if each job's project team approves invoices independently, an invoice can be approved and paid twice — once charged to Job A and once to Job B — without either approver ever seeing the other. Duplicate detection that only looks within a single entity or a single job will never catch it.
When matching an invoice to a purchase order and a delivery ticket is a manual task, the volume eventually outruns the team. The pressure-release valve is to pay trusted vendors on the invoice alone. That works until the vendor's accounting system re-sends an unpaid-looking invoice, or a project manager forwards a copy to AP not knowing the original was already in the queue.
Vendors send monthly statements showing every open and recent item. A statement is a free, vendor-provided audit of your own AP — it will show a credit memo you never applied or an invoice the vendor still considers unpaid. Most construction AP teams never reconcile statements because there is no time. That single omitted step is where unapplied credits and missed discounts quietly accumulate.
Construction scope changes constantly. A subcontractor's contract value moves up and down through dozens of change orders, and material prices shift with amendments and escalation clauses. If the price an invoice is checked against is not the current contracted price, overpayments are inevitable. The change order is approved in one system, the invoice is paid in another, and the two never quite line up.
0% – 30%
Estimated share of recovery-audit findings tied to unapplied vendor credits and missed discounts rather than outright duplicate payments (IOFM)
There are two ways to run a recovery audit, and they are not mutually exclusive. The first is to hire a specialist recovery-audit firm. The second is to build the review into your own finance function.
Recovery-audit firms almost always work on contingency: they take a percentage — commonly 20% to 35% — of whatever they recover, and you owe nothing if they find nothing. The appeal is obvious. There is no upfront cost, the firm brings pattern-matching tools and experience across many clients, and they will pursue vendors for refunds in a way an internal team rarely has the bandwidth to do. The trade-off is that they only look backward. A contingency firm has no commercial incentive to fix your controls — a fixed process means a smaller audit next year and a smaller fee.
Get AP insights in your inbox
A short monthly roundup of construction AP + accounting posts. No spam, ever.
No spam. Unsubscribe anytime.
In-house recovery is the opposite trade. It costs internal time, it lacks the cross-client pattern library, and a small team will not chase every $40 sales-tax error. But it builds institutional knowledge, every finding feeds directly back into process improvement, and recoveries happen continuously rather than once a year. The mature pattern is to use a contingency firm once — to get the baseline map of where money is leaking — and then invest that recovered cash into fixing controls and standing up a lightweight ongoing in-house review.
When you engage a contingency recovery firm, negotiate a 'fix-forward' clause: require the firm to deliver a written root-cause analysis of every recurring finding, not just the recovery list. The list gets you the cash once; the root-cause analysis is what lets you stop paying for the same audit every year.
A recovery audit is, by definition, a sign that prevention failed. Every dollar a recovery audit finds is a dollar that already left the account, sat with a vendor for months, and had to be clawed back at a 30% finder's fee. The genuinely valuable outcome of a recovery audit is not the check — it is the to-do list for upstream controls. Three controls eliminate the large majority of recovery-audit findings.
Most overpayments and a meaningful share of duplicates die at a three-way match. When every material and subcontractor invoice is checked against a purchase order or contract and a receipt or delivery confirmation before it can be paid, an invoice for the wrong price, the wrong quantity, or a delivery that never happened simply cannot pass. The match has to run against the current contract value — change orders included — or it checks against a stale number and lets escalation overpayments through.
Effective duplicate detection does not compare exact invoice numbers within a single job. It fingerprints invoices on a fuzzy combination of vendor identity, invoice number, amount, and date, and it checks every new invoice against every paid and pending invoice across all entities and all jobs. It catches the near-miss cases — invoice '12345' versus 'INV-12345', the same amount and date billed once to two jobs, a scanned copy of an original already paid — because those near-misses are exactly what slips past humans.
A messy vendor master is a quiet engine of leakage. When one supplier exists as four slightly different records, duplicate detection cannot connect a payment on record one to an invoice on record three, and vendor statements cannot be reconciled cleanly because each record holds a partial history. Deduplicating vendors, enforcing one record per tax ID, normalizing names with an alias system, and verifying remittance details on a known schedule closes the gap that lets duplicates and unapplied credits hide.
Add one habit that most construction AP teams skip: reconcile vendor statements for your top 25 vendors by spend every month. Those vendors account for the majority of your dollars, the statement is a free audit they hand you, and ten minutes per vendor surfaces unapplied credits and discount errors before they ever reach a year-end recovery audit.
When the upstream controls are in place, the economics of the recovery audit invert. The first audit at a company with weak controls might recover five to ten basis points of spend. After three-way matching, organization-wide duplicate detection, and a clean vendor master are operating, a follow-up audit typically struggles to find a fraction of that — and the cost of the audit starts to exceed what it recovers. That is the goal. A recovery audit that comes back nearly empty is not a wasted engagement; it is the proof that the money is being protected before it leaves, not chased after it is gone.
Automation is what makes this durable. Manual three-way matching and manual duplicate checks degrade under volume — they are the first thing to slip when AP is behind. An automated AP system runs the match and the duplicate fingerprint on every single invoice, every time, regardless of volume, and keeps the audit trail that a recovery auditor would otherwise have to reconstruct. The control does not get tired, and it does not take shortcuts during a busy month.
A recovery audit is a useful diagnostic and a poor strategy. Run one — ideally with a contingency firm the first time — to get an honest, line-itemed map of where your AP process is leaking. Then treat that map as a punch list. Three-way matching, organization-wide duplicate detection, and vendor master hygiene will close the large majority of what the audit found, and they do it before the money leaves the bank rather than months later at a finder's fee. The best recovery audit is the one that, next year, has almost nothing left to find.
Written by
Sarah Blake
Head of Product
Former AP Manager at a $200M construction firm, now leads product at Covinly. Writes about what AP teams actually need from automation — beyond the marketing promises.
View all posts