Xero’s approval workflow is a routing mechanism, not a control layer. Understanding that distinction before you configure your AP setup is better than discovering it under pressure when something goes wrong.
When a user submits a bill in Xero, it moves to Awaiting Approval and a nominated approver receives a notification. The approver can approve or return it to draft. What Xero doesn’t do: enforce that the person approving has authority up to the invoice amount, prevent a user with Adviser access from bypassing the approval queue entirely, verify that the supplier’s bank details match previous payments, or catch a duplicate invoice before it enters the approval queue. These aren’t Xero shortcomings - they’re outside the scope of what an accounting system is designed to do. The control layer belongs in a dedicated AP workflow that sits upstream.
Configuring Xero user roles for basic segregation
The most important control Xero’s native structure can enforce is separating invoice entry from invoice approval — a basic form of segregation of duties. In Xero Settings → Users, assign roles deliberately. A user set to “Invoice Only” can create draft bills but cannot approve or pay them. A user set to “Standard” can approve but not pay. Payment access should be restricted to a separate Adviser account that the approver doesn’t hold.
This role structure is the minimum viable segregation of duties. If the person who approves invoices is also the person who processes payments, the control collapses - any fraudulent invoice that clears the approval step goes straight to payment with no second checkpoint.
What this doesn’t solve: a user with Adviser access can bypass the Awaiting Approval queue and approve directly. If anyone on the team holds Adviser access for legitimate reasons (accountants, senior staff who also do accounting tasks), the approval step is technically optional for those users unless addressed separately.
The threshold problem and the Sydney inflection point
Xero’s “Standard” user permissions don’t enforce dollar-value thresholds. A Standard user can approve a AU$1,000 stationery invoice and a AU$90,000 subcontractor payment with the same permissions. The threshold policy - invoices above AU$10,000 require CFO approval, above AU$50,000 require a director - exists in a document somewhere. Nothing in Xero enforces it.
A financial controller at a Sydney manufacturing business described what happened when their weekly invoice volume passed 60 bills. The manual threshold check - the AP officer knowing to escalate above-threshold invoices based on the policy document - became unreliable. Approvers started approving by memory rather than by checking the written policy. The invoices kept flowing but the thresholds stopped being applied consistently.
The solution she implemented wasn’t a new policy. It was a system that prevented approval of above-threshold invoices by anyone below the designated authority level. That required an AP automation layer outside Xero, not a configuration change inside it.
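A sketch of the kind of system-enforced check described above, added here as an example (it is not the Sydney business's system and not a Xero feature). The level names, the `Invoice` fields and the sample invoices are assumptions; the two thresholds are the ones from the policy quoted above.

```python
from dataclasses import dataclass
from decimal import Decimal

# Authority ladder from the policy quoted above: anything over AU$10,000
# needs the CFO, anything over AU$50,000 needs a director. The level names
# are assumptions for this example, not Xero roles.
LEVELS = {"approver": 0, "cfo": 1, "director": 2}
THRESHOLDS = [(Decimal("50000"), "director"), (Decimal("10000"), "cfo")]

@dataclass(frozen=True)
class Invoice:
    number: str
    supplier: str
    amount: Decimal      # AU$ (assumed to be the invoice total)
    entered_by: str      # user who keyed the draft bill

def required_level(amount: Decimal) -> str:
    """Lowest authority level allowed to approve this amount."""
    for limit, level in THRESHOLDS:
        if amount > limit:
            return level
    return "approver"

def decide(invoice: Invoice, user: str, user_level: str) -> tuple[bool, str]:
    """Return (allowed, reason). Deny by default on any unknown input."""
    if user_level not in LEVELS:
        return False, f"unknown authority level {user_level!r}"
    if invoice.amount <= 0:
        return False, "non-positive amount needs manual review"
    if user == invoice.entered_by:
        return False, "segregation of duties: entry and approval by same user"
    needed = required_level(invoice.amount)
    if LEVELS[user_level] < LEVELS[needed]:
        return False, f"AU${invoice.amount:,} requires {needed} approval"
    return True, f"within {user_level} authority"

if __name__ == "__main__":
    # Constructed sample invoices, matching the amounts used in the text.
    small = Invoice("INV-1", "Stationery Co", Decimal("1000"), "ap.officer")
    large = Invoice("INV-2", "Subcontractor Pty Ltd", Decimal("90000"), "ap.officer")
    for inv, user, level in [(small, "manager", "approver"),
                             (large, "manager", "approver"),
                             (large, "board.member", "director"),
                             (large, "ap.officer", "director")]:
        print(inv.number, user, decide(inv, user, level))
```

The last case is denied even at director level because the approver also entered the bill, which is the segregation rule from the user-roles section applied in the same decision.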
What does a defensible audit trail require?
Xero logs basic bill history: who created a bill, who approved it, when. It doesn’t capture what information the approver had at the time - what the supplier’s bank details were, whether the amount was within the approver’s authority, whether any exceptions were noted. For a routine internal review, the Xero bill history is useful. For an external audit that asks “what did the approver verify before signing off on this AU$45,000 invoice?”, the Xero record doesn’t answer the question.
A complete audit trail for AP purposes needs: the invoice data at point of intake, any supplier detail changes flagged during processing, the approval decision with the approver’s stated authority, and resolution of any exceptions. This level of detail requires a dedicated workflow tool that captures it systematically, not a notes field filled in manually.
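One way to capture those four elements systematically, as an added example rather than any product's own format. The event names, field names and sample values are constructed, and chaining each event to the previous one by hash is an assumption of this example, used so that a later edit or deletion is detectable.

```python
import hashlib
import json

def append_event(trail: list, kind: str, actor: str, data: dict, ts: str) -> dict:
    """Append an event whose hash covers its content and the previous hash."""
    prev = trail[-1]["hash"] if trail else "0" * 64
    body = {"kind": kind, "actor": actor, "ts": ts, "data": data, "prev": prev}
    digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    event = {**body, "hash": digest}
    trail.append(event)
    return event

def verify(trail: list) -> bool:
    """Recompute every hash; any edited or removed event breaks the chain."""
    prev = "0" * 64
    for event in trail:
        body = {k: v for k, v in event.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if event["prev"] != prev or event["hash"] != digest:
            return False
        prev = event["hash"]
    return True

def build_sample_trail() -> list:
    """Constructed AU$45,000 invoice covering the four elements listed above."""
    trail = []
    append_event(trail, "intake", "ap.officer", {
        "invoice": "INV-2001", "supplier": "Example Supplier Pty Ltd",
        "amount_aud": "45000.00", "bsb": "000-000", "account": "11112222",
    }, "2026-01-05T09:00:00+11:00")
    append_event(trail, "supplier_change_flag", "system", {
        "field": "bank account", "previous": "99998888", "submitted": "11112222",
    }, "2026-01-05T09:00:01+11:00")
    append_event(trail, "exception_resolved", "ap.officer", {
        "exception": "bank account changed",
        "resolution": "change confirmed with supplier before approval",
    }, "2026-01-05T14:30:00+11:00")
    append_event(trail, "approval", "cfo", {
        "decision": "approved", "stated_authority_aud": "50000.00",
        "open_exceptions": 0,
    }, "2026-01-06T10:15:00+11:00")
    return trail
```

With a record like this, the auditor's question about the AU$45,000 invoice is answered by the events that precede the approval, and `verify` shows whether any of them was altered afterwards.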
When to extend beyond Xero native
For businesses processing under 20 invoices per week from a stable, familiar supplier list with a single approver, Xero’s native tools plus a documented manual process are often sufficient. The controls are procedural rather than system-enforced, but the volume makes that workable.
The signals that you’ve outgrown the native setup: a second person starts approving invoices; threshold enforcement has become inconsistent; a near-miss occurs with a duplicate or changed bank detail; an auditor flags the approval process as a control gap. At any of those points, the right response is an AP automation layer that handles validation and routing before invoices reach Xero - not a more detailed policy document that relies on manual compliance.
The purpose of the Xero integration is to receive clean, coded, validated, approved invoices and record them accurately. The upstream decisions should happen in a purpose-built AP workflow. When the accounting system is also the control layer, it ends up doing neither job as well as a system designed for that specific function.