An invoice lands in your inbox for $14,500. The vendor name looks right, the logo is there, and the amount sits close enough to what you expected that nobody blinks. So you pay it. Three weeks later you learn the real vendor never sent it, the bank details were swapped, and your money is sitting in an account you'll never see again.
That scenario plays out more often than most finance teams want to admit. The FBI's Internet Crime Complaint Center logged $3.04 billion in business email compromise losses in 2025 alone, much of it tied to fake invoices and spoofed vendor requests. The thing standing between a clean payment and an expensive mistake is usually something unglamorous: a purchase order, and the habit of matching it against the invoice before any money moves.
For finance leaders, this isn't a paperwork problem. It's a control problem. And the defense is something most teams already have in their AP process and underuse: purchase order matching. Done right, it's the quietest, most reliable way to stop a bad invoice before it ever gets paid.
A purchase order is what you send out before anything ships. It's your written commitment, the buyer saying this is what we're buying, at this price, in this quantity. An invoice is what the vendor sends back after delivery, asking to be paid. The PO is the promise. The invoice is the bill. That gap between the two, between what you agreed to and what someone is now asking you to pay, is exactly where fraud and errors slip in. Every PO carries a unique number, and a legitimate invoice references it, which is what lets you tie a bill back to a real order in seconds.
Matching invoices to purchase orders means lining up the invoice against the original PO, and often the receiving record, to confirm three things agree: what was ordered, what showed up, and what you're being billed for. When all three line up, the invoice clears for payment. When something is off, it gets flagged before a dollar leaves the building.
Most teams run one of two versions. A two-way match compares the invoice to the PO and asks a simple question: did we order this, at this price? A three-way match adds the receiving record and asks one more: did we actually get it? That third check is what stops you from paying for a shipment that never arrived, and it's the version most controllers lean on for anything that touches inventory or equipment.
This is where matching earns its reputation as a control. The Association for Financial Professionals' 2025 Payments Fraud and Control Survey found that 79% of organizations faced attempted or actual payments fraud. Fake invoices and vendor impersonation rank among the fastest-growing schemes, and a match is what catches the invoice with no PO behind it, the bank details that quietly changed, or the vendor name that's almost right but not quite. It's the check that would have stopped the $14,500 problem we opened with.
Matching pays off on the quieter stuff too. A quantity that doesn't add up, a duplicate invoice that's already been paid, a price that drifted from what you agreed to. Those slip through and add up over a year, and a disciplined match stops them before the money goes out.
The damage from weak matching rarely shows up as one big number. It accumulates quietly, in overpayments that never get clawed back, duplicate invoices paid twice, late fees on invoices stuck in review, and early-payment discounts left on the table because an approval took too long. APQC's benchmarking data shows that even top-performing AP teams pay out 0.8% of their annual disbursements as duplicate or erroneous payments, while weaker performers hit 2%. On a large spend, that gap turns into real money you never decided to spend.
Then there's the human cost. PYMNTS Intelligence reports that 68% of firms still process invoices manually, which means the majority of AP teams are still one distracted moment away from a missed match. That work is slow, repetitive, and exactly the kind of task where focus drifts and mistakes creep in. The more invoices your team touches by hand, the more chances a bad one has to slip through.
At the far extreme sits outright fraud. The ACFE estimates the typical organization loses 5% of revenue to fraud every year, and a meaningful share of that runs through billing schemes and bogus invoices that a solid match would've caught. Matching isn't busywork. It's the cheapest insurance policy your AP team will ever run.
Not every purchase needs a PO, and forcing one onto everything will only slow your team down. The trick is knowing where to draw the line.
Require a PO for anything planned, repeatable, or high-dollar: inventory, equipment, parts, recurring vendor contracts, large service engagements. These are the spends where a match gives you real protection and a clean audit trail, and any purchase where the amount or quantity matters is a strong candidate.
Non-PO invoices make sense for the small, one-off, or unpredictable stuff, like a utility bill, a quick reimbursement, or a low-dollar subscription. The key is to set a clear dollar threshold and an approval path so non-PO spend gets a second set of eyes instead of a free pass. The goal is sensible controls, not bureaucracy for its own sake.
Most match failures aren't fraud. They're small, human discrepancies that gum up the works and force someone to chase down an answer. A few show up over and over:
Vendor name mismatches. The PO says "Acme Manufacturing Inc." and the invoice says "Acme Mfg." A person knows those are the same company, but a rigid system stops cold and kicks it to a human.
Partial deliveries. You ordered 100 units, 60 arrived, and the invoice bills for 60. The numbers don't match the PO total even though nothing's actually wrong, so someone has to confirm the rest is still coming.
Freight and surcharges. The invoice includes shipping or a fuel surcharge that never appeared on the PO. The charge is legitimate, but it throws off the dollar match and triggers a review.
Tax discrepancies. Sales tax gets calculated differently, or applied where the PO didn't account for it, and the totals drift apart by a few dollars. Small gap, same result: a stuck invoice.
None of these are disasters on their own. Pile up a few hundred of them a month, though, and your team spends its days resolving exceptions instead of doing higher-value work.
Catching all of this by hand doesn't scale, which is why the teams handling real invoice volume hand it off to automation. Older systems matched on exact values, so every "Acme Mfg." and every freight charge landed in a manual exception pile. Modern AP automation reads context instead of characters, working through those gaps the way an experienced clerk would.
AI-powered capture pulls the data off any invoice, in any format, and knows that "Acme Mfg." and "Acme Manufacturing Inc." are the same vendor. It checks line items against what was actually received, so a partial delivery clears on its own, and it treats freight and tax as the expected variances they are instead of stopping the match. Clean invoices move through untouched, and only the ones that truly need a person land on the right approver's desk.
That changes the math for your team. Instead of touching every invoice, they review the small slice that actually warrants attention. Approvals move faster, fraud has fewer places to hide, and the controller gets real visibility into what's been matched, what's pending, and what's been flagged. The control gets stronger and the work gets lighter at the same time.
A purchase order and an invoice are two sides of the same deal: one sets the terms, the other asks for payment. Matching them is how you confirm the story holds together before the money moves, and it's one of the most reliable defenses against the fraud and errors quietly draining finance teams every year.
The companies doing this well aren't matching by hand anymore. They've handed the repetitive, error-prone work to automation and freed their people to focus on the exceptions that matter. That's the shift onPhase was built for: turning AP from a backlog of manual checks into a fast, controlled process you can actually trust.
Matching is one piece of that picture. Once it's running clean, the real payoff comes from seeing how the whole AP process performs, and the metrics that show you where it still slips.