Internal control is a cornerstone of risk management and organizational transparency. When well designed and operating effectively, it not only helps prevent fraud and errors, but also strengthens stakeholder confidence and improves operational efficiency.
Below is a real-world case (with details anonymized) that illustrates how a robust control structure in procure-to-pay (P2P) can transform risk management and create value.
The Challenge: Risks in Supplier Management
A large industrial company with international operations faced significant weaknesses in supplier management. Reliance on a broad vendor base, coupled with deficient controls, resulted in risks such as:
- Duplicate payments and invoicing errors
- Limited transparency in vendor selection
- Fraud and conflicts of interest
- Delivery delays and quality issues
Senior management commissioned an internal audit of vendor onboarding, contracting, and payment processes. The audit identified gaps in both control design and operating effectiveness and proposed a remediation plan.
The Solution: Implementing an Effective Internal Control Framework
Strengthen Approvals and Authorization
Before the audit, approval flows for vendor selection and payments were unclear. The company implemented:
- A vendor selection committee with documented criteria and minutes
- Dual authorization (segregation of duties) for payment approval
- Contract validation and terms review prior to any financial commitment
These controls reduced corruption and conflict-of-interest risk and improved supplier quality.
Leverage Technology and Automation
A major issue was lack of integration between purchasing and accounting systems. The company deployed:
- An ERP integrating purchasing, receiving, accounting, and payments
- Automated duplicate-invoice detection and exception reporting
- Real-time alerts for payments outside approved contracts or without required supporting documents
- Three-way match (PO, receipt, invoice) where applicable
Result: a 40% reduction in invoicing errors and a material increase in process efficiency.
Establish a Vendor Master with Risk Assessment
Previously there were no formal criteria for vendor evaluation. The company introduced:
- A single vendor master file with verified, periodically updated data
- Risk-based classification (financial, operational, and compliance)
- Ongoing performance scorecards for quality and contract compliance
This reduced dependency on unreliable suppliers and improved delivered quality.
Periodic Internal Audits and a Culture of Compliance
To sustain control effectiveness, management adopted:
- Periodic internal audits of the P2P cycle
- Targeted training on internal controls and risk management
- Anonymous reporting channels for concerns and irregularities
These steps strengthened the control environment and confidence in supplier management.
Results (within 12 months)
- ✅ ~40% reduction in invoicing errors and duplicate payments
- ✅ Greater transparency in vendor selection
- ✅ Lower incidence of vendor-related internal fraud
- ✅ Meaningful savings in operating costs
- ✅ Increased confidence from regulators and external auditors
Lessons Learned and Leading Practices
- Controls must evolve. Obsolete processes created risk; updating controls to current leading practices was essential.
- Technology is an enabler. ERP integration and automation improved traceability and prevented duplicate payments.
- Internal audit as a strategic partner. Beyond identifying issues, internal audit provided practical remediation and strengthened risk management.
- Continuous monitoring matters. Controls are not “set and forget.” Periodic audits and supplier monitoring sustained results.
- Compliance culture lifts performance. Training and clear accountability changed behaviors and reduced future irregularities.
Conclusion
Effective internal control does more than mitigate risk—it creates value. With well-designed audits, enabling technology, and a strong compliance culture, this organization turned a high-risk area into a model of efficiency and transparency.
Has your organization recently improved internal controls in P2P? Share your experience.