Internal AP Fraud: Detecting Payment Fraud Committed by Insiders
When a contractor thinks about payment fraud, the picture is usually an outsider — a spoofed email, a stranger impersonating a vendor, a criminal somewhere else. That threat is real. But the more damaging fraud often comes from inside, from someone who already has access, already knows the controls, and is already trusted. Internal AP fraud is committed by employees: the person who enters invoices, cuts checks, manages the vendor master, or approves payments. They are not guessing how to beat the system. They run it.
Insider fraud is harder to catch precisely because it does not look like fraud. The transactions are entered by an authorized person, follow the normal workflow, and produce normal-looking records. And because the perpetrator is trusted, schemes tend to run for a long time before anyone questions them — long enough for the losses to mount. The ACFE consistently finds that fraud committed by insiders runs for months or years before detection, and that the longer it runs, the larger the loss. This post covers the most common internal AP schemes, the segregation-of-duties failures that enable them, the particular problem of detecting them on a small construction AP team, and the controls that work even when the team is lean.
18 months: A typical occupational fraud scheme runs for well over a year before it is detected, and longer-running schemes drive disproportionately larger losses (ACFE)
Internal AP fraud is not one thing. It is a family of schemes, each exploiting a specific point in the payables process. Knowing the schemes tells you where to look.
Billing schemes are the most common and usually the most costly. An employee causes the company to pay for goods or services it never received, and captures the money. The classic version is the shell vendor — a fake company the employee controls, set up in the vendor master, that submits invoices for services vague enough to escape scrutiny: 'site consulting,' 'project management support,' 'equipment cleaning.' The invoices clear because they look ordinary and an insider is shepherding them. Construction is fertile ground: vendor lists are long, scopes are varied, and one more consultant among hundreds of legitimate subs and suppliers does not stand out.
A related variant uses real vendors. The employee colludes with a genuine vendor to submit inflated or duplicate invoices, or pays a legitimate invoice and then issues a second payment that they intercept. A 'pay-and-return' scheme overpays a real vendor and pockets the refund. The common thread is a payment that is real money against work that was never done — or was already paid for.
Check tampering is fraud committed against the company's own checks. An employee with access to check stock, signing authority, or the payment file can issue a check to themselves or an accomplice, alter the payee on a legitimate check, or forge an endorsement and divert a check meant for a real vendor. Construction still moves meaningful volume by paper check, so this is not a legacy risk. Wherever check stock and the ability to produce a payment sit close together — or in the same pair of hands — check tampering is possible.
Expense fraud is smaller per incident but widespread and easy to overlook. Employees submit fictitious expenses, inflate real ones, claim personal spending as business, or submit the same receipt more than once. In construction it hides inside the field: fuel, per diems, small-tool purchases, mileage, materials bought at the counter. The amounts are individually modest, the volume is high, and review is often cursory — which is exactly why padded expenses can run for years.
Where the money leaves in an internal AP scheme
- A shell vendor in the master, billing for vague services that were never delivered
- Collusion with a real vendor on inflated, duplicate, or fictitious invoices
- An altered payee or forged endorsement on a company check
- An intercepted vendor refund after a deliberate overpayment
- Inflated, fictitious, or double-submitted expense reimbursements
- A real invoice paid twice, with one payment quietly redirected
Almost every internal AP scheme traces back to the same root cause: one person controlling too many steps of the payment process. Segregation of duties means no single individual can both create a payment and conceal it. The payables cycle has several distinct functions that should not collapse into one set of hands.
Functions that should be held by different people
- Setting up and editing vendors in the vendor master
- Entering and coding invoices
- Approving invoices for payment
- Executing payment — printing checks, releasing the ACH file
- Reconciling the bank statement
When these stay separate, fraud requires either collusion or a control breakdown. When they collapse, the door opens. The person who can add a vendor and approve its invoices can pay a shell company they created. The person who enters invoices and runs the check batch can pay themselves. The person who executes payments and also reconciles the bank can move money and erase the evidence in the same week. Every internal scheme above depends on at least one of these combinations existing.
Watch the vendor master specifically. The ability to add or edit a vendor is the single most dangerous permission in AP, because it is the gateway to shell-vendor fraud. Whoever can create a payee should never be the same person who can approve or release that payee's payments.
Textbook segregation assumes you have enough people to split five functions across five hands. Many construction contractors do not. A growing GC may run AP with two or three people — sometimes one — and that person genuinely does everything: onboards vendors, enters invoices, prepares the payment run, and reconciles the bank. It is not negligence; it is staffing reality. But it also means the classic control is unavailable exactly where the temptation and the opportunity are highest.
This is the trap to avoid: concluding that because you cannot fully segregate duties, you cannot control internal fraud. You can. The answer is compensating controls — substitutes that achieve the same end of preventing one person from acting unchecked. When you cannot separate duties by headcount, you separate them with oversight, with system permissions, and with visibility. A lean team does not mean an uncontrolled team. It means the controls have to be designed differently.
Detecting Internal AP Fraud
Detection works on two fronts: surfacing anomalies in the data, and creating conditions where a scheme cannot stay hidden. Use both.
Internal fraud leaves statistical fingerprints. Run regular analytics across payables and look for the patterns insiders create: vendors whose remittance address or bank account matches an employee's; vendors added just before they were first paid, then paid quickly; payments sequenced just under an approval threshold; round-dollar invoices; vendors with a P.O. box and no other identifying detail; invoice numbering that does not behave like a real vendor's; and one employee who touches a suspiciously high share of a single vendor's invoices. None of these prove fraud on their own — they tell you where to look.
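As an added illustration, not code from the post or from Covinly, the patterns above run as checks over a small constructed payables extract. The $5,000 approval threshold, the 5% "just under" band, the 14-day new-vendor window and the 80% single-employee share are assumed tuning values, and the employees, vendors and invoices are made up.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed sample data and assumed thresholds (not from the post).
APPROVAL_THRESHOLD = 5000.0   # single-approver limit
UNDER_BAND = 0.05             # "just under" = within 5% below the limit
NEW_VENDOR_DAYS = 14          # first payment this soon after setup is suspicious
TOUCH_SHARE = 0.8             # one employee entered >= 80% of a vendor's invoices

EMPLOYEES = {"E1": {"bank": "111222333", "addr": "PO BOX 41, Reno NV"},
             "E2": {"bank": "444555666", "addr": "9 Elm St, Reno NV"}}
VENDORS = {"V1": {"name": "Apex Site Consulting", "bank": "111222333",
                  "addr": "PO Box 41, Reno NV", "created": date(2024, 3, 1)},
           "V2": {"name": "Sierra Ready Mix", "bank": "777888999",
                  "addr": "120 Yard Rd, Sparks NV", "created": date(2019, 6, 10)}}
INVOICES = [  # (vendor, amount, paid date, entered_by)
    ("V1", 4900.00, date(2024, 3, 8), "E1"),
    ("V1", 4950.00, date(2024, 4, 2), "E1"),
    ("V1", 5000.00, date(2024, 5, 1), "E1"),
    ("V2", 12437.18, date(2024, 3, 15), "E1"),
    ("V2", 8021.55, date(2024, 4, 20), "E2"),
]

def flag_vendors(vendors, employees, invoices):
    """Return {vendor_id: [reasons]} for vendors that match insider-fraud patterns."""
    flags, by_vendor = defaultdict(list), defaultdict(list)
    for inv in invoices:
        by_vendor[inv[0]].append(inv)
    for vid, v in vendors.items():
        # 1. Vendor remittance detail (bank account or address) matching an employee's
        for eid, e in employees.items():
            if v["bank"] == e["bank"] or v["addr"].lower() == e["addr"].lower():
                flags[vid].append(f"bank/address matches employee {eid}")
        invs = by_vendor.get(vid, [])
        if not invs:
            continue
        # 2. Vendor added just before it was first paid
        if (min(i[2] for i in invs) - v["created"]).days <= NEW_VENDOR_DAYS:
            flags[vid].append("first paid within days of vendor setup")
        # 3. Amounts sequenced just under the approval threshold
        under = [i for i in invs if APPROVAL_THRESHOLD * (1 - UNDER_BAND) <= i[1] < APPROVAL_THRESHOLD]
        if len(under) >= 2:
            flags[vid].append(f"{len(under)} payments just under ${APPROVAL_THRESHOLD:,.0f}")
        # 4. Round-dollar invoices
        if all(i[1] == int(i[1]) for i in invs):
            flags[vid].append("all invoices are round dollars")
        # 5. One employee touches nearly all of this vendor's invoices
        emp, n = Counter(i[3] for i in invs).most_common(1)[0]
        if len(invs) >= 3 and n / len(invs) >= TOUCH_SHARE:
            flags[vid].append(f"{emp} entered {n} of {len(invs)} invoices")
    return dict(flags)
```

Each reason is a lead, not a finding: the output is the list of vendors a reviewer should pull documentation on first.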
Schedule periodic AP audits, and supplement them with reviews nobody can predict. A scheduled annual audit can be cleaned up in advance; a surprise review of a random week of payments, vendor additions, or expense reports cannot. The unpredictability is the control. Pay particular attention to a periodic vendor-master review — confirming that the vendors on file are real businesses — because that is where shell vendors are caught.
Mandatory uninterrupted vacation is one of the most effective and most underused controls, especially for small teams. Many internal schemes require constant maintenance — the perpetrator has to keep feeding invoices, intercepting statements, or steering reconciliations. Require AP staff to take a meaningful block of consecutive time off, and have someone else cover the role while they are out. A scheme that needs daily tending tends to surface when the person tending it is gone for two weeks. Job rotation, where headcount allows, has the same effect: a fresh set of eyes on the same process.
“We could not split the duties — our AP team was two people. So we required uninterrupted vacation and had a manager cover the desk. The first time we enforced it, the coverage caught a vendor nobody recognized. The control was not segregation. It was making sure the work could not hide.”
— Controller, mid-market general contractor
If you cannot add people, lean on controls that do not require them. The goal is the same as full segregation — no single person acting unchecked — achieved through oversight and system design.
Compensating controls for a small AP function
- Owner or controller review of the bank reconciliation, performed by someone who is not the AP processor
- Dual approval on new-vendor setup, so no one person can add a payee unchecked
- An approval threshold above which a second authorizer must release payment
- Positive pay on checks, so the bank validates payee and amount against an issued-checks file
- Mandatory uninterrupted vacation with the AP role genuinely covered by someone else
- Periodic vendor-master and expense reviews, including unannounced spot checks
- System permissions that enforce the separations headcount cannot — different roles for vendor setup, invoice entry, approval, and payment
- A complete, tamper-evident audit trail showing who did what, and when, on every invoice and payment
The last two are where modern AP software earns its place. When permissions are split by system role, a single employee literally cannot perform conflicting functions, even if there is no second employee to enforce it — the platform enforces it. When every action is logged immutably, an insider cannot quietly alter or delete a record, and analytics can run continuously instead of once a year at audit. Covinly is built around that idea: role-based permissions that separate vendor setup, invoice entry, approval, and payment, plus a full audit trail and anomaly detection, so a lean construction AP team gets segregation-grade control without segregation-grade headcount.
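Added example, not Covinly's or the post's own code: a segregation-of-duties review over a role assignment, using the five functions and the toxic combinations the post names. Which compensating control from the list above neutralises each combination is my own mapping, and the two-person team is constructed.

```python
from itertools import combinations

# The five AP functions the post says should sit in different hands.
FUNCTIONS = {"vendor_setup", "invoice_entry", "invoice_approval",
             "payment_execution", "bank_reconciliation"}

# Toxic pairs named in the post, the scheme each enables, and the compensating
# control from the post's list that I assume addresses it (the mapping is mine).
CONFLICTS = {
    frozenset({"vendor_setup", "invoice_approval"}):
        ("create a payee and approve its invoices (shell vendor)", "dual_vendor_approval"),
    frozenset({"vendor_setup", "payment_execution"}):
        ("create a payee and release its payments (shell vendor)", "dual_vendor_approval"),
    frozenset({"invoice_entry", "payment_execution"}):
        ("enter an invoice and run the check batch (self-payment)", "second_authorizer_threshold"),
    frozenset({"payment_execution", "bank_reconciliation"}):
        ("move money and erase it in the reconciliation", "independent_bank_rec_review"),
}

def sod_review(assignments, controls):
    """assignments: {user: set of functions}; controls: compensating controls in place.
    Returns one (user, pair, scheme, status) finding per toxic pair a user holds."""
    findings = []
    for user, funcs in assignments.items():
        unknown = set(funcs) - FUNCTIONS
        if unknown:
            raise ValueError(f"{user}: unknown functions {sorted(unknown)}")
        for pair in combinations(sorted(funcs), 2):
            hit = CONFLICTS.get(frozenset(pair))
            if hit is None:
                continue
            scheme, control = hit
            status = f"mitigated by {control}" if control in controls else "UNMITIGATED"
            findings.append((user, pair, scheme, status))
    return findings

# Constructed two-person AP desk (not a real team): Dana sets up vendors, enters
# invoices and runs payments; Lee approves and reconciles. Only dual vendor
# approval is in place.
TEAM = {"dana": {"vendor_setup", "invoice_entry", "payment_execution"},
        "lee": {"invoice_approval", "bank_reconciliation"}}
CONTROLS = {"dual_vendor_approval"}

if __name__ == "__main__":
    for f in sod_review(TEAM, CONTROLS):
        print(f)
```

Run against the real role export from the AP system, the UNMITIGATED rows are the combinations that still need a compensating control before the next audit.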
Software is a control, not a conscience. Tone from the top still matters: a clear anti-fraud stance, a confidential way for employees to report concerns, and visible follow-through when something is found. Most internal fraud is discovered through a tip — make sure there is somewhere safe for that tip to go.
Internal AP fraud is uncomfortable to plan for, because it means accepting that a trusted colleague could be the threat. But the controls that detect it are not accusations — they are the same disciplines that produce a clean, audit-ready payables function. Segregate duties where you can, compensate with oversight and system design where you cannot, run the analytics, audit by surprise, and enforce real vacations. Do that, and an insider scheme has nowhere left to hide — regardless of how small the team is.
Written by
Marcus Reyes
Construction Industry Lead
Spent twelve years running AP at a $120M general contractor before joining Covinly. Lives in the world of AIA G702/G703, retainage schedules, and lien waiver deadlines. Writes about the construction-specific workflows that generic AP tools get wrong.