§ Stack · Box

Invoice extraction from a Box folder.

Box is the document platform of choice for regulated-industry back offices — healthcare, legal, financial services, life sciences — because its compliance posture, encryption-at-rest defaults, and granular permissions are harder to trip over than the general-purpose alternatives. A Box folder labeled “AP Inbox” or “Invoices to Process” is where vendors drop PDFs; a scheduled extractor reads them, pulls line items, and queues draft AP records for reviewer approval.

Works on any Box business tier

Extraction reads via the standard Box API. Compatible with Business, Business Plus, and Enterprise tiers. No specific dependency on Box Shield or Box Governance — though if you have Shield or Governance policies on the source folder, the extractor respects them (it can only read what the authenticated user can read).

Scheduled sequence

1. Every N minutes (typically 15 during business hours, hourly off-hours), the process polls the designated Box folder for new files.
2. Each new invoice PDF runs through OCR and template matching. Structured invoices (same layout every time from the same vendor) hit an extraction template and return high-confidence results. Unstructured invoices fall back to field-level extraction with lower average confidence.
3. Fields extracted: vendor name, vendor ID (if present), invoice number, invoice date, due date, PO reference, line items (SKU/description, quantity, unit price, line total), subtotal, tax, invoice total, payment terms.
4. Vendor matching: the extracted vendor name + any identifiers are matched against the vendor master. Exact match auto-fills vendor ID. Fuzzy matches above a configurable confidence surface as a suggestion. No match routes the invoice to a “new vendor?” queue — never silently creates a vendor record.
5. Draft AP record created in the destination system (QuickBooks, NetSuite, Sage Intacct, Bill.com, or a custom AP queue). The draft is flagged for reviewer approval — never auto-posted.
6. Source file is tagged in Box with the destination record ID, moved to a dated archive subfolder, and locked against edits. The source-to-record link is queryable from both sides.

Audit trail by default

Every extraction event logs: source Box file ID and version, extraction timestamp, extraction template used (if any), field-level confidence scores, reviewer user ID and approval timestamp, destination system record ID. The log is queryable via Box custom metadata and via the extraction process’s own audit DB. When a regulator or an internal auditor asks “how did this invoice become this AP record,” the answer is a single query.

What the process does not do

• Does not auto-approve and post invoices. Every invoice is reviewer-gated. Silent auto-post to AP is how you find a duplicate payment two weeks after it cleared.
• Does not edit the source PDF. Source files are read-only; all annotations live in the extraction metadata, not the file.
• Does not create new vendors silently. No-match invoices are queued for vendor-master review.
• Does not send email to the vendor who submitted the invoice. This is back-office AP, not an accounts-receivable-style customer channel.

Typical quarter after go-live

AP throughput roughly doubles in the first month while review quality holds. The reviewer’s time shifts from keying fields to verifying extractions and handling the exception queue — which is where the real AP skill lives. Duplicate-payment risk drops because the same-vendor + same-invoice-number check catches duplicates before posting. The audit trail, already compliant with most regulated-industry requirements, becomes a five-minute pull instead of a half-day project.

See also: document controller role, Drive intake for non-regulated contexts.