Supplier invoice control: how to stop paying wrong invoices

Why you need control over supplier invoices

The most expensive operational error of a medium-high purchasing volume company is not paying late. It is paying wrong. Paying too much, paying the same invoice twice, paying for units that never entered the warehouse, or paying a supplier that was deauthorized six months earlier. And companies pay wrong because, in practice, the approval process is built on tacit trust: if the supplier has been working with the company for years, if the amount seems reasonable, if the section manager says yes, the invoice enters the ERP and is posted.

Sector literature quantifies the problem with reasonable consistency. Ardent Partners, in its 2024 annual accounts payable report, puts the average cost of manually processing an invoice in a Spanish SME between 11 and 16 EUR per invoice, with an operational error margin of around 1.5% to 3.5% of undetected overpayments over total billing. The IOFM (Institute of Finance and Management) reports similar figures: in companies without automated three-way matching, one in fifteen invoices shows a material discrepancy that manual flow does not capture.

Translated into concrete operations: a distributor processing 800 invoices per month and 6 million euros of annual purchases loses, without control, between 90,000 and 210,000 EUR per year in undetected overpayments. The figure seems exaggerated until it is broken down line by line. And that is where real control lives.

Supplier invoice control is not a procedure that gets documented and published in the operations manual. It is a software layer that mathematically verifies, invoice by invoice, line by line, that what the supplier charges matches what the company ordered and what it actually received. Without that layer, control is a declaration of intent.

The 5 most expensive problems without control

The following patterns appear recurrently in Spanish SMEs that reach three-digit monthly invoice volumes without a specific control system. Reproducible cases, real numbers, operational breakdown.

1. Duplicate invoices

A beverage distributor in Catalonia received in March 2025 two invoices from the same supplier for the same order three weeks apart. The first arrived as a PDF in the admin inbox; the second as structured XML on the dedicated channel. Different correlative numbering (the supplier had reissued it to correct a tax data point). Amount: 4,380.00 EUR each. Both were approved and paid. Detection came three months later in the bank reconciliation of the quarterly close. Recovery: partial, via credit note, after three conversations with the supplier.

Duplicate detection control does not compare invoice numbers. It crosses issuer + amount + base date + line descriptions and produces a duplicate probability score. An invoice with score >70 is automatically blocked for human review before going into the approval queue.

2. Overpayments due to incorrect price

A hospitality group with four sites in Madrid agreed with its beverage supplier a price of 1.18 EUR/unit for a high-rotation SKU. For six months, all invoices arrived with 1.21 EUR/unit. The unit difference is trivial. Accumulated volume is not: 2,400 units per month per site, four sites, six months, 0.03 EUR per unit. Total overpayment: 1,728.00 EUR. Detection: zero until external audit.

Line-by-line pre-tax control compares inv_unit_price with po_unit_price on the matched PO line. If the difference exceeds tolerance (defaults: 1.50 EUR absolute or 2% percentage, OR mode), the line is flagged as variance and the invoice is routed to purchasing for resolution before payment approval.

3. Paying for units not received

A construction company ordered 200 bags of cement from a supplier. The delivery note confirmed reception of 188 (12 bags arrived broken and were returned on the spot, noted on the delivery note). The invoice arrived for 200 units. Without three-way matching, the invoice matched the order on totals with an accepted 1% margin, and was approved. Overpayment: 12 units * 8.50 EUR/bag = 102.00 EUR in a single transaction. Replicated across 40 annual deliveries: 4,080.00 EUR.

Three-document control crosses inv_qty against (po_qty, receipt_qty). The quantity variance (inv_qty - receipt_qty) * po_unit_price is calculated pre-tax. The invoice is approved only for units actually received.

4. Unauthorized suppliers

An accounting firm managing accounting for 60 SME clients discovered, in a 2024 internal audit, that one of its clients (a light manufacturing company) was recurrently paying a supplier that had been removed from the authorized master 14 months earlier. The invoice came by email, an employee manually uploaded it to the ERP, accounting processed it without questioning. Accumulated amount over 14 months: 38,500 EUR. Subsequent investigation: the supplier was operational, but the legal-name change had not been updated and the billed services no longer matched what was contracted.

Control with an authorized supplier master automatically blocks any invoice whose issuer is not active in the master. Verification is by tax ID, not commercial name, and is logged in the audit trail.

5. Invoices without a PO

The most silent case. An invoice that arrives without a reference order is, by definition, a purchase that nobody supervised beforehand. In environments without control, these invoices are approved because "someone must have ordered it" and because the amount looks reasonable. In environments with control, an invoice without a PO enters a specific queue: either the order is generated after the fact with documented justification, or it is rejected. The operational rule is simple: no invoice gets paid without a PO and without a delivery note; documentary exceptions are the exception, not the rule.

The 3 levels of invoice control (matrix)

Supplier invoice control is not binary. Most Spanish SMEs today operate at an intermediate level that looks controlled but does not capture real variances. This matrix breaks down the three maturity levels with verifiable operational criteria.

Level	Typical stack	What it controls	What it does not control	Feasible volume
Level 1: Visual / manual	Excel + shared folders + admin email	That the invoice arrives, gets posted and gets paid	Duplicates, price or quantity variances, unauthorized suppliers, specific lines, real audit trail	Up to 50 invoices/month with growing risk
Level 2: Basic ERP	Holded, Sage 50, A3, Contasol, Quipu with generic OCR	Automatic extraction of total and supplier, posting, reconciliation by totals with percentage tolerance	Real line-level variances, cases where price overpayment offsets quantity underpayment and total matches, three-way with delivery note	Between 50 and 300 invoices/month with invisible compensated overpayments
Level 3: AP automation	Specific layer (ininvoice or equivalent) between email and ERP, line-by-line three-way matching, risk score	Duplicates with probabilistic score, separated price and quantity variances, validation against supplier master, exception routing by type, complete audit trail	Business decisions (renegotiate with supplier, open dispute): routed to humans	From 100 to 2,000 invoices/month with per-invoice processing time below 30 seconds

The critical operational jump is between level 2 and level 3. An SME at level 2 believes it has control; it has OCR, has its ERP, has tolerances configured. What it does not have is mathematical line-level matching. Level 3 is not a marginal improvement over level 2: it is a change in the nature of the control, because it moves from comparing totals with a percentage margin to comparing (unit_price, quantity) pairs line by line pre-tax. The comprehensive comparison by sector breaks down when each level is defensible.

Three-way matching: real control

Three-way matching is the mathematical backbone of invoice control. It is not a procedure, not a policy; it is an arithmetic operation over three sets of lines: invoice lines, PO lines and delivery note lines. The complete operational source is in the three-way matching guide; here is the canonical match.

For each invoice line identified by description and matched to the corresponding PO line:

• Price variance: price_variance = (inv_unit_price - po_unit_price) * inv_qty
• Quantity variance: qty_variance = (inv_qty - po_qty) * po_unit_price

Both variances are calculated pre-tax. This is critical because VAT introduces arithmetic noise and rates can vary between lines (standard, reduced, exempt). If the comparison includes VAT, a trivial rounding difference at line level gets amplified and produces false positives.

Tolerance is configured with two parameters: absolute (default 1.50 EUR per line) and percentage (default 2%). The failure combiner can be OR or AND:

• OR mode (default): the line is a variance if either active dimension is exceeded. fail = abs_fail OR pct_fail. Favors detection. Suitable to start with.
• AND mode (optional): the line is a variance only if both dimensions are exceeded simultaneously. It is a noise floor: it only escalates the severe. Suitable in sectors with high arithmetic noise (manufacturing with many SKUs and rounding by units of measure).

The comparison is strict (operator >): a value exactly equal to the threshold is within tolerance. Only when a line exceeds tolerance is it flagged as variance. An invoice with variance on any line moves to VARIANCE status and is routed for resolution. Zero variances across all lines is flagged MATCHED and auto-approved for payment.

What three-way matching detects and total-level matching does not:

• Compensated overpayment. Line with +49 EUR on price and another with -49 EUR on quantity: total matches; line-by-line flags two distinct variances requiring different actions.
• Billed line not ordered. A line appears on the invoice that does not exist on the PO: immediate detection.
• Partially received quantities. Delivery note confirms 188 out of an order of 200: invoice for 200 is approved only for 188.
• Systematic rounding. Supplier always rounding up cents: detectable in history, not in an isolated invoice.

How invoices are approved with control

Validation is mathematical; approval is human. Once the invoice is validated (matched or with variances assigned), it enters the approval flow. The operational standard for SMEs:

Amount-based levels. The typical approval structure segments the decision by thresholds. Up to 500 EUR: auto-approval if the invoice is matched. Between 500 and 5,000 EUR: area manager approval. Between 5,000 and 25,000 EUR: area manager and CFO approval. Above 25,000 EUR: additional CEO or board approval. Thresholds are adjusted to the company's profile; what matters is that they exist and are configured, not their concrete value.

Cost-center-based levels. In multi-site or multi-department companies, approval crosses two dimensions: amount and center. Supplier X's invoice posted to site A requires approval from the site A manager; the same invoice posted to site B requires another signature. This is configured by rules, not handled manually.

Complete audit trail. Each workflow step is recorded with timestamp, user, action and comment. Who validated, who approved, what exception was resolved, when it was sent to the ERP. The audit trail is not a nice-to-have; it is what sustains external audit and tax inspection response.

Exceptions with owner and deadline. An invoice with variance does not get stuck in limbo. It has an explicit owner (purchasing if the variance is price, warehouse if quantity, accounting if duplicate) and a deadline (typically 5 business days). If the owner does not resolve in time, automatic escalation.

Amount-based vs line-based approval. There are two paradigms. Amount approval: the approver signs the total, assuming lines are fine. Line approval: the approver sees flagged variance lines and decides line by line. The second paradigm is more laborious but more defensive; appropriate for suppliers with a history of incidents.

The operational detail on how this flow is implemented without touching the ERP is in touchless accounts payable.

Compliance: Verifactu, SII, FacturaE

Invoice control in 2026 is no longer just operational. It is also regulatory. Three regulatory frameworks converge on the payer side:

Verifactu (Royal Decree 1007/2023, postponed by Royal Decree-Law of 2025). Enters into force on January 1, 2027 for corporate income tax entities and July 1, 2027 for self-employed under personal income tax. Verifactu operates on the issuer's billing software, not the receiver's. But the receiver feels it: each invoice issued under the Verifactu regime will carry a QR code and a chained hash. The receiver can verify against the Spanish Tax Agency (AEAT) that the invoice exists in the issuer's records. This reduces fabricated invoices and duplicates issued with two different numberings.

FacturaE 3.2.x and mandatory B2B e-invoicing (Law 18/2022, "Crea y Crece"). The technical development regulation, pending definitive publication in the Spanish Official Gazette as of May 2026, foresees a staggered rollout. First, suppliers with billing > 8M EUR (12 months after publication of the regulation), then the rest (24 months). The obligation to receive is born in parallel to the obligation to issue: when a mandated supplier issues electronically, the receiver must be technically prepared to accept the structured XML. The detail by tax regime is in the e-invoice reception 2026 guide.

SII (Immediate Supply of Information). Active since July 1, 2017. Forces companies with volume > 6M EUR, VAT groups, REDEME and volunteers to report VAT books to the AEAT within 4 days. Invoice control must be designed so that the reception to validation to approval to posting chain fits within the SII deadline without collapsing.

The three frameworks do not exclude each other; they coexist. Operational control in an SME with active SII and suppliers already required to use Verifactu must process structured XML, verify the QR against the AEAT, run three-way matching and leave the invoice posted in less than 4 calendar days from reception. What looked operational in 2022 (paper, Excel, generic OCR) stops being so from 2027.

How much real control costs

The inverse question is more useful: how much costs not having it. With IOFM and Ardent Partners figures, an SME with 800 invoices/month and 6M EUR of annual purchases loses between 90,000 and 210,000 EUR/year in undetected overpayments, plus between 15,000 and 25,000 EUR/year in admin hours on manual reconciliation, plus opportunity cost of unquantifiable errors (unauthorized suppliers, delays from badly handled exceptions).

The ininvoice plan is 249 EUR/month up to 300 invoices per month. No implementation cost, no commitment, instant activation. For an SME with 200-300 invoices/month, the annual cost is 2,988 EUR. Operational profitability is direct: detecting two material overpayments per year covers the cost. At an 800 invoices/month horizon, the plan grows linearly but the cost / overpayments avoided ratio stays favorable.

Operational details, comparison and conditions in pricing. Comparison against alternatives and decision matrix by sector in comparisons.

If what you need is to specifically understand the automatic extraction layer that feeds control (the step before three-way matching), see OCR for supplier invoices. If the context is Verifactu coming into force and its impact on the receiving SME, see Verifactu for the receiving SME.

FAQ

What is meant by supplier invoice control?

It is the set of processes ensuring that a received invoice is legitimate, correctly issued, reflects goods or services actually requested and delivered, and is approved per purchasing policy before being paid. It breaks down into three layers: reception (channel and document identification), validation (line-by-line pre-tax matching with PO and delivery note, duplicate detection, tax checks) and approval (workflow with owners, amount-based levels and audit trail). Without all three operational layers, the SME pays wrong invoices structurally.

What is the difference between invoice validation and approval?

Validation is the technical and arithmetic check: the invoice matches the PO and delivery note, is not a duplicate, taxes are correctly applied, the supplier is authorized. It is system work. Approval is the human decision to authorize payment, generally segmented by amount levels and cost center, with audit trail. An invoice can be validated (matches) and still require manager approval; the other way around does not work: approving without validating is paying blindly.

Why is an ERP alone not enough to control invoices?

ERPs are designed to post and archive, not to reconcile line by line with POs and delivery notes. Their default validation matches totals with percentage tolerance, which hides overpayments compensated between price and quantity. To detect real variances you have to cross unit_price and quantity line by line pre-tax, a capability most ERPs do not offer out of the box.

What is the difference between two-way and three-way matching?

Two-way matching compares the invoice with the purchase order: agreed price and quantity. Three-way matching adds the receipt delivery note: what actually entered the warehouse. The difference is operationally critical because the PO reflects what was ordered and the delivery note what was received; without the delivery note you do not catch invoices for undelivered units, defective products returned or partially shipped orders. In SMEs with physical stock, three-way is the standard. Full detail in the three-way matching guide.

How are duplicate invoices avoided?

Duplicate detection is not comparing invoice numbers: suppliers reuse numberings, error copies arrive through different channels (PDF and structured XML), and sometimes the same invoice arrives with two numbers because the supplier reissued it. Real control crosses issuer + amount + date + lines and produces a duplicate probability score. Invoices with a high score are automatically blocked for human review before being approved for payment.

What changes in invoice control with Verifactu and FacturaE?

Verifactu (active from January 1, 2027 for entities and July 1, 2027 for self-employed) introduces QR and chained hash on every invoice issued by software, verifiable against AEAT. That reduces fabricated invoices. FacturaE 3.2.x is the mandatory Spanish XML format for invoices to public administrations and will extend to B2B when the Law 18/2022 regulation is published. Technical control changes: it stops depending only on OCR over PDF and starts parsing structured XML. Line-by-line matching is still necessary. More detail in Verifactu for the receiving SME.

What tolerance should be applied to line-by-line matching?

Defaults: 1.50 EUR absolute and 2% percentage tolerance, OR mode (the line is variance if either of the two dimensions is exceeded). The comparison is strict (>): a value exactly equal to the threshold is within tolerance. OR mode favors detection and should be the initial setting; AND mode (variance only if both dimensions fail) is an optional noise floor for sectors with high arithmetic noise. Tolerance can be configured per supplier or per product category.

How much does it cost to deploy supplier invoice control with ininvoice?

The plan is 249 EUR/month up to 300 monthly invoices, no implementation cost, no commitment. Plug and play. Includes multi-channel ingestion, OCR, structured XML parsing (Factur-X, UBL, CII, FacturaE), line-by-line three-way matching, risk score and exception routing. Operational details and comparison in pricing.

This guide is reviewed monthly to reflect regulatory changes and operational patterns observed in SMEs in the 100-2,000 invoices/month range. Last review: May 13, 2026 by the ininvoice team. Cited sector figures refer to Ardent Partners and Institute of Finance and Management (IOFM) 2024 reports. Always consult your tax advisor before making operational decisions that affect tax matters.