Neither Xero nor MYOB prevents someone from approving a bill they shouldn’t have. This is a gap that AP approval software is specifically designed to close. Both record who approved - they don’t verify that the person had authority to approve that value. Building an audit-ready approval matrix means documenting who can authorise what, at what dollar value, and under what conditions - and then configuring your workflow so the matrix is enforced rather than assumed.
What the Cairns audit finding looked like
A financial controller at a Cairns industrial services business spent three days during an external audit compiling approval evidence for the previous 12 months. Most invoices had been approved by whoever was available at the time rather than by the role specified in the company’s undocumented authority policy. The auditor accepted the approval records but noted the absence of a formal authority matrix as a finding.
This is the most common AP governance finding in Australian SMB audits: approvals happened, but they can’t be traced to a defined authority structure. The business had a process. It didn’t have a documented, enforceable policy. When the auditor asked “who was authorised to approve the AU$38,000 invoice on 14 March?”, the answer was “whoever was in that day.”
Twelve months later, the business still didn’t have a formal matrix. The next audit would find the same gap.
Define roles, not names
The most common mistake in building an approval matrix is listing individuals rather than roles. When the financial controller leaves, every workflow that referenced them by name needs to be updated. When the person holding a role changes, the policy doesn't.
Structure the matrix around roles:
- AP Officer: routine invoices up to AU$500 from approved suppliers only
- Operations Manager: up to AU$5,000, excluding capital expenditure
- Financial Controller: up to AU$20,000, all categories
- Director: up to AU$100,000
- Board: above AU$100,000 or any item requiring capital approval outside budget
Map current team members to these roles separately. The matrix should survive a staffing change without requiring a rebuild.
Category-based triggers matter more than dollar thresholds for fraud prevention
Dollar thresholds tell you who reviews what value. Category triggers tell you what always needs extra scrutiny regardless of amount. These are the more important fraud prevention controls.
Every new supplier - first invoice ever received - should require verification through a formal supplier onboarding process before it enters the standard approval queue. The accounts payable fraud vulnerability guide explains why new-supplier verification is the highest-priority category trigger. Supplier bank detail changes on any invoice, at any amount, should route to the CFO before approval, not the standard approver. Capital expenditure items should require director approval regardless of dollar value. These category triggers are the controls that prevent the most common fraud vectors, which don’t always come as high-value invoices.
How do you solve the backup approver problem?
An approval matrix with no delegation clause creates a bottleneck every time an approver is on annual leave. For each role in the matrix, document: who holds delegated authority in the approver’s absence, what value limit applies to delegated authority (often reduced from the primary limit), and how the delegation is communicated.
In Xero, there’s no automated substitution - approvals need to be manually reassigned. If the matrix requires substitution to be enforced automatically, a third-party workflow tool is required. The matrix needs to specify this explicitly rather than leaving it implicit.
Translating the matrix into system configuration
An approval matrix that exists only in a PDF document is a procedural control - it depends on people remembering and following it. An approval matrix configured into the AP system is a structural control - it enforces itself regardless of who’s processing invoices that day.
In Xero’s native setup, user permission levels can enforce basic segregation of duties (separating entry from approval) but cannot enforce dollar-value thresholds. For threshold enforcement, either a third-party approval workflow tool or a dedicated AP platform is required. The matrix document and the system configuration need to match exactly - an auditor who compares the policy document against the system settings and finds discrepancies will treat both as unreliable.
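As an added example (not code from Xero, MYOB or any AP platform named on this page), the following Python encodes the matrix above as a structural control rather than a procedural one: roles with dollar limits mapped separately from the people holding them, the category triggers (new supplier, bank detail change, capital expenditure) evaluated before the threshold, a date-bounded delegation with a reduced limit, and an audit record that states the required role next to who actually approved. The role names and limits come from the article; the user names, supplier names, the split between approved and previously-known suppliers, the CFO as a distinct role, and the delegation rule are assumptions constructed for the example.

```python
"""Approval-matrix enforcement check. Added example, not Xero/MYOB code.
Role limits and category triggers follow the article; user and supplier
names, the approved/known supplier split, the CFO role and the delegation
rule (reduced limit for a date window) are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import date

# AUD limits from the article's matrix; None = no upper limit. Dict order = authority.
ROLE_LIMITS = {"AP Officer": 500, "Operations Manager": 5_000,
               "Financial Controller": 20_000, "Director": 100_000, "Board": None}
ROLE_ORDER = list(ROLE_LIMITS)
TODAY = date(2025, 3, 14)             # constructed audit date (the article's "14 March")

@dataclass
class Invoice:
    supplier: str
    amount: float
    category: str = "opex"            # "opex" or "capex"
    bank_details_changed: bool = False

@dataclass
class Delegation:                     # assumed rule: delegate acts at a reduced limit
    role: str
    delegate_user: str
    limit: float
    start: date
    end: date

@dataclass
class Matrix:
    user_roles: dict                  # user -> role, mapped separately from the matrix
    approved_suppliers: set           # AP Officer may only approve these suppliers
    known_suppliers: set              # suppliers that have invoiced before
    delegations: list = field(default_factory=list)

def required_role(inv, matrix):
    """Category triggers first, then the dollar threshold."""
    if inv.supplier not in matrix.known_suppliers:
        return "ONBOARDING"           # first invoice ever: verify the supplier first
    if inv.bank_details_changed:
        return "CFO"                  # any amount: CFO, not the standard approver
    role = next(r for r in ROLE_ORDER
                if ROLE_LIMITS[r] is None or inv.amount <= ROLE_LIMITS[r])
    if inv.category == "capex" and ROLE_ORDER.index(role) < ROLE_ORDER.index("Director"):
        role = "Director"             # capex needs a director regardless of value
    return role

def authorities(user, matrix, on):
    """(role, limit) pairs the user may exercise on a date, delegations included."""
    held = []
    base = matrix.user_roles.get(user)
    if base is not None:
        held.append((base, ROLE_LIMITS.get(base, 0)))
    for d in matrix.delegations:
        if d.delegate_user == user and d.start <= on <= d.end:
            held.append((d.role, d.limit))
    return held

def check_approval(user, inv, matrix, on):
    """Return (allowed, reason); the reason is what the auditor asks for."""
    required = required_role(inv, matrix)
    held = authorities(user, matrix, on)
    if required == "ONBOARDING":
        return False, f"new supplier {inv.supplier!r}: complete onboarding first"
    if required == "CFO":
        ok = any(r == "CFO" for r, _ in held)
        return ok, "bank detail change: " + ("approved by CFO" if ok else "CFO required")
    for role, limit in held:
        if role not in ROLE_LIMITS or ROLE_ORDER.index(role) < ROLE_ORDER.index(required):
            continue                  # not senior enough for the required role
        if limit is not None and inv.amount > limit:
            continue                  # over this role's (possibly delegated) limit
        if role == "AP Officer" and inv.supplier not in matrix.approved_suppliers:
            continue                  # AP Officer: approved suppliers only
        return True, f"{user} as {role} (limit {limit}) meets required role {required}"
    return False, f"AU${inv.amount:,.0f} requires {required}; {user} holds {held}"

def record_approval(log, user, inv, matrix, on):
    """Append an audit entry naming the required role beside who approved."""
    allowed, reason = check_approval(user, inv, matrix, on)
    log.append({"date": on.isoformat(), "supplier": inv.supplier, "amount": inv.amount,
                "approver": user, "required_role": required_role(inv, matrix),
                "allowed": allowed, "reason": reason})
    return allowed

# Constructed sample matrix for the example.
MATRIX = Matrix(
    user_roles={"alice": "AP Officer", "bob": "Operations Manager",
                "carol": "Financial Controller", "dan": "Director", "erin": "CFO"},
    approved_suppliers={"Acme Hire", "NQ Steel"},
    known_suppliers={"Acme Hire", "NQ Steel", "Cairns Cranes"},
    delegations=[Delegation("Financial Controller", "bob", 10_000,
                            date(2025, 3, 10), date(2025, 3, 21))])

if __name__ == "__main__":
    log = []
    record_approval(log, "bob", Invoice("Cairns Cranes", 38_000), MATRIX, TODAY)
    record_approval(log, "dan", Invoice("Cairns Cranes", 38_000), MATRIX, TODAY)
    for e in log:
        print(e["allowed"], e["required_role"], e["reason"])
```

The check answers the auditor's question from the Cairns finding directly: for the AU$38,000 invoice on 14 March the log entry records that a Director was required and whether the person who clicked approve held that authority on that date. Because `user_roles` is a separate mapping, a staffing change updates one dictionary and leaves the matrix untouched, and a delegation expires on its end date instead of lingering as a manual reassignment.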
Review the matrix at minimum annually, and immediately when any of these change: a key approver joins or leaves, the business adds a new entity or cost centre, invoice volumes shift significantly, or the business’s risk profile changes.
Sources: ATO - Record-keeping requirements for business · ASIC - Financial reporting obligations
Further reading: Why Delegation of Authority Matters More Than Automation Speed · Best AP Automation Software Australia 2026