There is a meaningful difference between an invoice approval workflow that organises approval and one that enforces control. Most AP tools and invoice approval workflow software do the first well. The second requires configuration that most implementations don’t fully complete - not because the capability isn’t there, but because the principles behind it aren’t being applied systematically.
Ardent Partners research puts the error rate in manual AP processes at 5–10% of invoices. Payment redirection fraud cost Australian businesses AU$152.6 million in 2024, according to the ACCC National Anti-Scam Centre. Both figures reflect the same underlying condition: approval workflows that move invoices efficiently through a process without verifying whether the process is actually enforcing what it claims to. The guide to delegation of authority for Australian SMBs covers how to design authority structures that address these gaps.
The Townsville healthcare case
A financial controller at a Townsville healthcare provider configured ApprovalMax to require two sign-offs for any invoice above AU$5,000. The logic was sound: a single approver could not authorise high-value invoices without a second set of eyes. The configuration was completed, the rules were tested with sample invoices, and the workflow was considered production-ready.
What was not addressed: the second approver held Xero Adviser access. That access level allows a user to create, approve, and publish bills directly within Xero, without passing through ApprovalMax at all. This is a failure of internal controls - the control existed on paper but did not exist in practice.
This is the gap that recurs across AP implementations regardless of which tool is used. The workflow rule specifies a control. The system permissions - in the accounting software, not in the approval tool - allow that control to be bypassed. These two configurations live in different places and are rarely reviewed against each other.
What does real enforcement of segregation of duties require?
Segregation of duties in AP means that no single person can complete the full invoice-to-payment sequence without another actor being involved at each stage. In practice, this means the person who enters an invoice into the system should not also be the person who approves it - and the person who approves it should not be the same person who executes the payment.
The complexity in a modern AP setup is that enforcement lives in two places simultaneously: in the approval workflow’s routing rules, and in the underlying accounting system’s user permissions. A workflow rule requiring a second approver is meaningless if that approver has platform-level access to bypass the workflow. Both layers need to be configured to match the control intent. Neither alone is sufficient.
For Australian SMBs using Xero, the relevant question is which roles hold Xero Adviser access - and whether any of those roles appear in the approval chain for invoices they could otherwise process unilaterally. The same question applies in MYOB: which users have the access level to publish bills directly, and are those users correctly excluded from sole-approval authority?
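One way to review the two layers against each other, as an added example rather than code from the article or from ApprovalMax, Xero or MYOB: the script takes the workflow's routing rules, each user's duties in the enter-approve-pay sequence, and each user's accounting-system role, and reports anyone who holds two stages or who can publish bills outside the workflow. The users, amounts and the set of bypass-capable roles are constructed.

```python
# Added example, not from the article or any vendor: reconcile an approval
# workflow's routing rules against the accounting system's user roles. It
# flags the two gaps the article describes: one person holding more than one
# stage of the enter -> approve -> pay sequence, and an approver whose
# platform role lets them publish bills without passing through the workflow.
# All users, roles and rule values below are constructed for illustration.

# Accounting-system roles assumed able to create, approve and publish bills
# directly. The article names Xero "Adviser"; treat this set as configuration.
BYPASS_ROLES = {"Adviser"}

def sod_findings(duties, platform_roles, rules):
    """Return (user, issue) pairs for every control gap found.

    duties:         {user: set of stages from {"enter", "approve", "pay"}}
    platform_roles: {user: accounting-system role name}
    rules:          [{"over": amount, "approvers": [user, ...]}]
    """
    findings = []
    # Check 1: no single actor holds two stages of the invoice-to-payment path.
    for user, stages in duties.items():
        if len(stages) > 1:
            findings.append((user, "holds stages " + ", ".join(sorted(stages))))
    # Check 2: an approver named in a routing rule must not hold bypass access,
    # otherwise the extra sign-off exists only on paper.
    for rule in rules:
        for user in rule["approvers"]:
            role = platform_roles.get(user)
            if role in BYPASS_ROLES:
                findings.append((user, f"approver over {rule['over']} holds "
                                       f"{role} access and can publish bills "
                                       "without the workflow"))
    return findings

# Constructed scenario modelled on the article's two-sign-off rule above 5,000.
DUTIES = {"alice": {"enter"}, "bob": {"approve"}, "carol": {"approve"},
          "dan": {"approve", "pay"}}
PLATFORM_ROLES = {"alice": "Standard", "bob": "Standard",
                  "carol": "Adviser", "dan": "Standard"}
RULES = [{"over": 5000, "approvers": ["bob", "carol"]}]

if __name__ == "__main__":
    for user, issue in sod_findings(DUTIES, PLATFORM_ROLES, RULES):
        print(f"{user}: {issue}")
```

Run it against an export of the real routing rules and user list; an empty result is the evidence that the workflow rule and the platform permissions agree.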
Approval limits: enforced by the system, not by memory
Most businesses have some form of documented delegation of authority - a policy that specifies which roles can approve which invoice values. In the majority of implementations, this policy document is not reflected in the workflow configuration. The routing rules send the invoice to the right person based on cost centre or supplier type. Whether that person has authority for the invoice amount is left to the approver to self-manage.
Under normal volume conditions, this works reasonably well. Under time pressure, high invoice volumes, or staff turnover, the self-managed compliance degrades. An operations manager approves an AU$45,000 invoice that their documented authority limits to AU$10,000 - not fraudulently, but because the system presented it to them and they were not prompted to check. The approval is recorded as valid. There is no flag, no escalation, and no audit evidence of the breach.
The structural fix is configuring value-based routing so the workflow itself handles the escalation. An invoice above a threshold is routed to the appropriate authority level automatically - not presented to a lower-level approver with a note in the policy document that they should not approve it.
What is the pre-approval gap in supplier verification and duplicate detection?
The principles above address the approval step itself - who makes decisions and under what authority. There is an equally important category of controls that need to operate before any invoice reaches an approver.
Supplier bank detail verification is the most material of these. Payment redirection fraud in Australia works because the invoice looks legitimate. The supplier name is familiar, the format is recognisable, the amount is plausible. The only signal that something is wrong is a bank account number that differs from the one used in the last payment. An approval workflow that routes the invoice efficiently to the right approver has not caught that signal. It has moved the fraud along faster.
Pre-approval supplier validation means the incoming bank details are compared against the historical record for that supplier before the invoice enters the approval queue. A mismatch is not a note visible to the approver - it is a hold that routes the invoice to a senior reviewer before standard approval can occur. The approver should not be in a position to approve a supplier bank detail change without knowing that is what they are approving.
Duplicate detection has the same pre-approval requirement. An invoice that matches an existing bill - on reference number, supplier name, and amount within a date window - should be held before approval, not discovered in a supplier statement reconciliation three months later. Implementing purchase order matching in AP workflows adds a further layer that connects authorised purchasing commitments to actual payments. Detection that operates at intake prevents the payment. Detection that operates at reconciliation corrects it, at greater cost and with more recovery complexity.
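The two intake holds described above, as an added example that is not the article's or any vendor's code: a bank-detail comparison against the supplier's last-paid record, and a duplicate match on reference, supplier and amount inside a date window. The supplier master, ledger entries, 90-day window and sample invoices are constructed.

```python
# Added example, not from the article or any AP product: intake checks that run
# before an invoice reaches the approval queue. Supplier master, existing bills,
# the window length and the sample invoices are constructed for illustration.

from datetime import date, timedelta

DUPLICATE_WINDOW = timedelta(days=90)   # assumed window for duplicate matching

def normalise_ref(ref):
    """Compare references loosely: 'INV-1041', 'inv 1041' and 'INV1041' match."""
    return "".join(ch for ch in ref.upper() if ch.isalnum())

def intake_checks(invoice, supplier_master, existing_bills):
    """Return the holds raised; an empty list means the invoice may be queued."""
    holds = []
    known = supplier_master.get(invoice["supplier"])
    if known is None:
        holds.append("no payment history for supplier; verify bank details")
    elif (known["bsb"], known["account"]) != (invoice["bsb"], invoice["account"]):
        # A mismatch is a hold routed to a senior reviewer, not a note.
        holds.append(f"bank details differ from last payment "
                     f"({known['bsb']} {known['account']}); senior review required")
    for bill in existing_bills:
        same = (bill["supplier"] == invoice["supplier"]
                and normalise_ref(bill["ref"]) == normalise_ref(invoice["ref"])
                and bill["amount"] == invoice["amount"])
        if same and abs(bill["date"] - invoice["date"]) <= DUPLICATE_WINDOW:
            holds.append(f"possible duplicate of bill {bill['ref']} "
                         f"dated {bill['date']}")
    return holds

# Constructed data: one known supplier and one bill already in the ledger.
SUPPLIER_MASTER = {"Acme Pty Ltd": {"bsb": "000-000", "account": "11111111"}}
EXISTING_BILLS = [{"supplier": "Acme Pty Ltd", "ref": "INV-1041",
                   "amount": 4200.00, "date": date(2024, 5, 1)}]
# Same reference and amount resubmitted three weeks later from a new account.
SUSPECT = {"supplier": "Acme Pty Ltd", "ref": "inv 1041", "amount": 4200.00,
           "date": date(2024, 5, 22), "bsb": "000-000", "account": "22222222"}
CLEAN = {"supplier": "Acme Pty Ltd", "ref": "INV-1042", "amount": 910.00,
         "date": date(2024, 5, 22), "bsb": "000-000", "account": "11111111"}

if __name__ == "__main__":
    for inv in (SUSPECT, CLEAN):
        print(inv["ref"], intake_checks(inv, SUPPLIER_MASTER, EXISTING_BILLS) or "queued")
```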
What the audit trail needs to capture
The minimum audit trail records who approved an invoice and when. That record satisfies basic compliance requirements but does not constitute governance evidence.
A trail that would hold up in an audit or fraud investigation captures the context of the approval decision: what bank details appeared on the invoice at the time of approval, whether any exception flags were active, what the approver’s authority level was, and whether the amount fell within their documented limit. This is the difference between a record that shows an approval occurred and one that shows the approval was made correctly.
The practical implication is that the audit trail needs to capture supplier data at the point of approval - not just the approval event. An approver’s identity tells you who signed off. The supplier’s bank details at the time tell you what they were signing off on. For any disputed invoice, the second piece of information is the one that matters.
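An added example covering both the value-based routing described under approval limits and the context an audit record needs; it is not code from the article or any AP product. The approver's documented limit decides whether the workflow escalates, and each decision is logged with the invoice's bank details, the active exception flags and the approver's authority level and limit. The authority levels, limits, flag names and invoice are constructed.

```python
# Added example (not the article's or any product's code): value-based routing
# against a delegation-of-authority matrix, with an audit entry that snapshots
# the approval context. Levels, limits, flag names and the invoice are constructed.

from datetime import datetime, timezone

# Constructed delegation-of-authority matrix: authority level -> limit (AUD).
AUTHORITY = {"operations_manager": 10_000, "finance_manager": 50_000,
             "cfo": 250_000}

def required_level(amount):
    """Lowest authority level whose limit covers the amount, else None."""
    for level, limit in sorted(AUTHORITY.items(), key=lambda kv: kv[1]):
        if amount <= limit:
            return level
    return None

def approve(invoice, approver, level, flags, audit_log, now=None):
    """Route or approve the invoice and append a context-rich audit entry."""
    limit = AUTHORITY[level]
    within = invoice["amount"] <= limit
    if not within:        # over limit: the workflow escalates, the user cannot approve
        outcome, escalate_to = "escalated", required_level(invoice["amount"])
    elif flags:           # an active exception flag holds it for senior review
        outcome, escalate_to = "held", "senior_reviewer"
    else:
        outcome, escalate_to = "approved", None
    entry = {
        "invoice_ref": invoice["ref"], "supplier": invoice["supplier"],
        "amount": invoice["amount"],
        # A copy of what was on the invoice; the supplier master may change later.
        "bank_details_at_approval": dict(invoice["bank"]),
        "exception_flags": sorted(flags),
        "approver": approver, "authority_level": level, "authority_limit": limit,
        "within_limit": within, "outcome": outcome, "escalated_to": escalate_to,
        "at": (now or datetime.now(timezone.utc)).isoformat(),
    }
    audit_log.append(entry)
    return entry

# Constructed invoice matching the article's AU$45,000 scenario.
INVOICE = {"ref": "INV-2088", "supplier": "Acme Pty Ltd", "amount": 45_000,
           "bank": {"bsb": "000-000", "account": "11111111"}}

if __name__ == "__main__":
    log = []
    for user, level in (("ops_user", "operations_manager"), ("fin_user", "finance_manager")):
        e = approve(INVOICE, user, level, set(), log)
        print(user, e["outcome"], e["escalated_to"], e["within_limit"])
```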
Sources: ACCC - Targeting Scams Report 2024 · Ardent Partners - State of ePayables · ATO - Record-keeping requirements for business