AP Exception Handling Under Audit Policy: What AI Can and Can't Do
AP exceptions are a great wedge for AI: they're high-volume, mostly repetitive, and starve teams of close-cycle predictability. They're also the wedge where AI vendors most often overpromise. This article tries to be honest about where Wisnots's agents help, where they don't, and how audit policy stays in charge.
Why AP exceptions are the right wedge
A typical AP team handles hundreds of exceptions a week — PO mismatches, missing approvals, duplicate vendors, currency mismatches, materiality escalations. Each exception has the same shape: pull the data from multiple systems, classify the exception, draft the resolution path, route to the right approver. The work is high-volume and structurally similar.
That's exactly the work AI is good at. Not the judgment calls — the legwork. An agent that integrates with your ERP, AP/AR system, and approval workflow can do the legwork in seconds. The judgment calls, especially the ones with audit consequences, stay with humans.
What "audit policy" actually means
When we say "under audit policy," we mean three things, all configurable per entity, per category, and per amount band:
- Materiality thresholds — below threshold X, autonomous post is allowed; above threshold, escalate to a human controller.
- Segregation of duties — the actor that drafts can't be the actor that approves; the rule set enforces this on every action.
- Sign-off chains — defined per category, per amount band, per business unit. The agent respects them; it never bypasses.
These rules are codified, not learned. You write them; we enforce them.
What AI does well
- Classifying exceptions: pulling the relevant context from connected systems and matching it to the policy category.
- Routing: handing the exception to the right approver, with the right prep, with the right SLA timer.
- Drafting journal entries: producing the proposed posting, with the supporting evidence, for human approval.
- Drafting customer-facing communications: dunning copy, dispute responses, payment-failure notifications — all in the language and tone of your historical AR comms.
- Surfacing patterns: flagging when the same exception type keeps escalating, so you can refine the policy rule.
What AI shouldn't do
- Override materiality thresholds: if the rule says "above €50k requires controller approval," the agent escalates. Always.
- Modify the rule set autonomously: the agent can DRAFT a proposed rule when it sees a gap; humans decide whether to adopt.
- Initiate legal escalation: collections that move to a legal posture always go through a human.
- Touch fraud-flagged exceptions autonomously: the rule set marks fraud-flagged categories as escalate-only.
The shadow-mode-to-autonomous progression
On day one, every exception gets a draft, and humans approve or correct. The agent learns from corrections — not by changing rules, but by improving its drafts within the rules.
Once you're confident in a category (and audit signs off), you set per-category materiality thresholds for autonomous posting. Routine 3-way matches under threshold might autonomous-post; multi-currency reconciliation variances always stay in shadow.
SOX trail: every action logged
Every action — context lookup, draft, approve, post, escalate, close — is logged with timestamps, actor, rule path, and the data the agent saw at decision time. Exports in CSV, Excel, or direct-to-ERP-audit-tool formats. Audit can replay any decision against the policy that was active when the decision was made.
This isn't a feature. It's the floor.
Pricing: pay per cleared exception
Pricing follows the audit-acceptable bar: pay per cleared exception. A clearance counts when audit accepts the resolution and the item stays closed for the agreed window. Reopens within the window aren't billed.