We have all heard the warnings that AI within the accounts payable function will not survive an audit. The reasoning is architecturally based, drawing on a belief that these systems cannot explain how they reached a decision, and the new wave of AI-led audits will catch that out.
PwC has already spent roughly
As it turns out, the warning is fair, but it points at the wrong black box. The reason most AP AI fails an audit isn't necessarily due to architecture but because you cannot audit a process that the organization hasn't actually defined.
Used properly, the arrival of AI in finance isn't what puts the audit at risk but is what finally forces the discipline that should have been there all along — and there are practical steps any team can take before they introduce AI into AP.
The black box is already in your AP
Ask an AP team why a particular invoice was paid on the 14th of the month, for that amount and approved by that person. Usually nobody can say. The invoice arrived by email, sat in an inbox, was approved by whoever was at their desk, and somebody cleared the exception using knowledge they have never written down. There is no record of the reasoning. People call AI a black box but manual AP is a black box too, just one built out of inboxes and habits rather than code. AI doesn't create that opacity but inherits it.
This scenario is more common than one might think.
Audit has been based on sampling for decades. Test a slice, infer the rest, and a messy process survives because most of it is never examined. Read the whole population in close to real time and that cover is gone. The improvised corners of your process stop being private and start becoming findings. Some of these cost real money; 76% of U.S. organizations were hit by attempted or actual payment fraud last year, according to AFP's 2026 survey, with duplicate payments and miscodings slipping through the same gaps that fraud does.
Governance is a process problem before it's a technology problem
The prompt "show me the payment from the 14th and everything behind it" only works if there is a defined, logged process behind it. A workflow that lives as habits in people's heads cannot be handed to a machine but likewise, it cannot be handed to an auditor either.
This is also why AI keeps stalling in finance teams.
A pilot that never reaches production and an audit finding nobody can explain come from the same place — a process that was never written down.
Done properly, automation makes AP more auditable, not less
Plug a model into documented chaos and the audit will expose everything. Define the process first and automation can achieve the reverse. Automating something properly forces a team to write down the rules, agree who approves what, and decide what happens to every exception. The result is structured data instead of PDFs in an inbox and a record of every decision instead of a shrug.
For example, take a multisite business running a large vehicle fleet. Their monthly fuel invoice runs to 30 pages of refuels across dozens of vehicles and cost centers and used to take up to two days of manual reconciliation across two disconnected systems. The audit problem there wasn't really the speed but that hundreds of purchase orders sat permanently open in their operational system because closing them was a manual step the team often skipped. With the right AI infrastructure, each PO is closed automatically and every invoice posted into the ERP with full accounting dimensions. That is what auditable AP looks like in practice.
Manual AP was never made to explain itself, but automation done well can be the turning point. By 2028 most companies will be audited transaction by transaction. Better to put the process in now than have an auditor find out you never had one.
Four things to settle before you add AI
The work that makes AP auditable is not technical but governance, and it has to come first. Four things are worth getting explicit before any model gets near the payables function.
It starts with your decision rights, which must be clear. For example, a finance director can approve spending without board sign-off up to a certain amount and an AP team lead can release payments under a different amount without dual authorization. Most organizations have never actually mapped this and instead run on convention.
Next comes accountability. Name the individual who owns the outcome when something goes wrong, not just the team. If AP automation misfires, the answer is not "finance" or "ops" but a person.
With accountability comes oversight and escalation. Define what gets reported, to whom and on what cadence. Crucially, it must also be clear what triggers an escalation. This is where governance can fail. Organizations design well-staffed committees and never define what actually causes something to surface in the first place.
Finally, insert change control. New tools, new integrations and new rules all need an evaluated route in. Without that, governance erodes the moment circumstances change because people quietly route around it. If teams can do this work now, they will control how the audit gets done. Wait, and that decision will lie with the auditor instead.







