
Where Governance Frameworks Fail During Rapid Finance System Adoption

Governance frameworks fail during rapid finance system adoption when teams configure new tools around old gaps instead of designing proper controls.

Joey Hotz · 15 January 2026 · 6 min read · Updated 4 May 2026

TL;DR

When finance teams adopt AP automation quickly, they typically configure the new tool around their existing process rather than designing proper controls. Legacy access permissions in Xero or MYOB let users bypass the new approval platform entirely, and the governance gap stays hidden until an audit or fraud event exposes it.

Finance teams that adopt an approval platform quickly - during a growth period, after a fraud event, or at the direction of an accountant - typically configure the tool around the process they already have, not the process they should have. This is the most consistent governance failure pattern in rapid finance system adoption: the tool is new, the habits are old, and the gap between them is where the exposure lives.

Urgency and governance are structurally in tension. Good governance configuration requires mapping the current process accurately, identifying which controls depend on individual judgment versus structural enforcement, designing the new process with explicit controls, translating that design into the platform’s configuration, and testing it against real invoice scenarios. Under time pressure, these steps compress into “configure the tool to do roughly what we already do, but faster.” The result is a faster version of the existing process, with the same governance gaps, in a new platform.

The Ballarat engineering firm: what rapid adoption looks like

A financial controller at a Ballarat engineering firm adopted ApprovalMax within a fortnight of their accountant recommending it. The configuration was straightforward: two approvers, invoices routed to the operations manager first, then to the director for anything over AU$10,000. The firm went live and the approval queue worked correctly.

What wasn’t addressed: the operations manager held Xero Adviser access and could approve invoices directly in Xero without using ApprovalMax at all. The authority limits were configured in ApprovalMax but not reflected in Xero’s user permissions. The same person was entering and approving invoices below AU$10,000 with no segregation of duties. This is the kind of gap a modern AP system is designed to close. The governance gap wasn’t reduced by the adoption - it was rehoused in a new platform with the same underlying structure.

Legacy access permissions survive the adoption

When an approval platform is added above an existing accounting system, the accounting system’s user permissions are rarely reviewed at the same time. Users who previously had full access continue to have it. The approval platform adds a routing step, but it can be bypassed by anyone with administrative access to the underlying accounting system.

This isn’t a platform failure - it’s a configuration oversight that’s common when adoption is fast. Fixing it requires reviewing accounting system user permissions alongside the approval platform configuration. This step is almost always skipped in rapid adoption scenarios because it’s seen as separate from the tool implementation. It isn’t. The platform and the accounting system’s permissions need to be configured as a system, not independently.

Authority thresholds are based on habit, not risk

The thresholds configured during rapid adoption are typically based on current approval habits rather than a risk-assessed authority matrix. If the financial controller has been approving all invoices up to AU$50,000 manually, the new platform is configured with a AU$50,000 threshold - not because AU$50,000 is the right threshold, but because it reflects the existing habit.

A well-designed approval matrix starts from the business’s risk profile: what invoice values represent material risk, what fraud exposure is relevant to the industry, and what level of dual sign-off is proportionate to that risk. Rapid adoption skips this analysis and inherits whatever threshold was informal practice before. An inherited threshold isn’t wrong by default, but it’s never been validated against the business’s actual risk tolerance. A properly designed approval matrix starts from risk assessment, not habit.

Exception handling is the least configured part of the workflow

Standard adoption platforms configure the routine approval path well. Exception handling - what happens when a supplier’s bank details differ from the last payment, when an invoice arrives without a matching purchase order, or when a new supplier appears - is usually not configured during rapid adoption. Exceptions are expected to be handled as they arise.

The result: the exception category, which carries the highest risk, is the least governed element of the new workflow. Routine invoices flow through the configured path correctly. Unusual invoices either follow the same path with a flag that nobody knows how to act on, or get deferred to manual review with no defined resolution process.

Where does the supplier validation gap sit between tools?

When an approval platform is adopted without a validation layer that checks supplier details against historical records, the historical payment data remains in the accounting system and isn’t accessible to the approval logic. When Dext handles capture and a separate tool handles approval, the supplier history from Dext’s extraction isn’t automatically available to the approval routing logic. The gap at the seam between the two tools is exactly where supplier bank detail changes would need to be caught - but aren’t.

This gap is specific to the two-tool, extraction-first/approval-second configuration that most Australian businesses end up with when they adopt quickly. Each tool does its part correctly. The governance failure sits in the interface between them.

Configuration drift after go-live

Governance frameworks adopted under urgency are often not maintained as the business changes. An authority matrix configured in February is still in the system in November even if three approvers have left and two new cost centres have been added. The platform routes invoices to accounts that no longer belong to current staff, or applies thresholds that were set before the business’s risk profile changed.

Regular configuration review - typically quarterly for businesses with active headcount change, annually for more stable operations - is the only way to prevent this drift. Robust internal controls require ongoing maintenance, not a one-time setup. Rapid adoption that doesn’t include a schedule for reviewing and updating the configuration creates a governance framework that starts accurate and becomes inaccurate over time, without anyone noticing until an incident surfaces the gap.

What does deliberate adoption look like?

The alternative to rapid adoption isn’t slow adoption. It’s planned adoption, which typically adds one to two weeks of preparation before configuration begins. In that time: document the current process including all accounting system access permissions, draft an authority matrix with roles and thresholds based on risk analysis rather than habit, define exception handling paths for new suppliers and changed bank details before touching the platform configuration, and confirm whether the platform addresses supplier validation or whether a separate step is needed.

At configuration: review accounting system user permissions alongside the platform setup, not after. After go-live: test against real invoice scenarios - changed bank details, duplicate submission, above-threshold amounts - before treating the platform as operational. These tests take an afternoon. The gap they prevent can take weeks to unwind.
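One way to run the permission review described above, together with the check for approvers who have left from the configuration-drift section, as a single cross-system check. This is an added example, not part of the original article or any vendor's tooling; the staff list, field names and sample records are constructed assumptions, not a real Xero, MYOB or ApprovalMax export format.

```python
# Constructed sample data. Field names are assumptions for illustration,
# not a real Xero, MYOB or ApprovalMax export format.
ACTIVE_STAFF = {"ops.manager", "director", "ap.clerk"}

ACCOUNTING_USERS = [
    # Mirrors the Ballarat case: full accounting access kept after go-live.
    {"user": "ops.manager", "can_enter_bills": True, "can_approve_bills": True},
    {"user": "ap.clerk", "can_enter_bills": True, "can_approve_bills": False},
    {"user": "former.controller", "can_enter_bills": False, "can_approve_bills": True},
]

APPROVAL_MATRIX = [
    {"step": 1, "approver": "ops.manager", "min_amount": 0},
    {"step": 2, "approver": "director", "min_amount": 10_000},
    {"step": 2, "approver": "former.controller", "min_amount": 10_000},
]


def audit(staff, accounting_users, matrix):
    """Return sorted (code, user, detail) findings across both systems."""
    findings = set()
    for u in accounting_users:
        name = u["user"]
        if name not in staff:
            findings.add(("STALE", name, "accounting login for someone not on the staff list"))
        if u["can_approve_bills"]:
            # Anyone with this right can skip the approval platform's routing.
            findings.add(("BYPASS", name, "can approve bills in the accounting system, outside the platform"))
            if u["can_enter_bills"]:
                findings.add(("SOD", name, "can enter and approve the same bill"))
    for rule in matrix:
        if rule["approver"] not in staff:
            detail = f"step {rule['step']} (from AU${rule['min_amount']:,}) routes to a non-current approver"
            findings.add(("DRIFT", rule["approver"], detail))
    return sorted(findings)


if __name__ == "__main__":
    for code, user, detail in audit(ACTIVE_STAFF, ACCOUNTING_USERS, APPROVAL_MATRIX):
        print(f"{code:7} {user:18} {detail}")
```

Running the same check at each scheduled configuration review turns drift into a dated finding rather than something an incident surfaces.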

For businesses evaluating whether their current AP configuration has governance gaps, the AP systems design guide covers the five decisions that need to be made before any software is configured.



Frequently asked questions

Where do AP governance frameworks fail when new systems are adopted quickly?

Governance frameworks fail during rapid adoption when the approval rules documented on paper are not yet configured in the new system, when staff use workarounds during the transition period that bypass the intended controls, when historical approval records are not migrated and the audit trail has a gap, and when training focuses on system operation without covering the governance intent behind each configured control.

What is the most common governance gap when adopting AP automation?

The most common governance gap is legacy access permissions in the accounting system that allow users to bypass the approval platform entirely. When a tool like ApprovalMax is added above Xero or MYOB, users who previously had full accounting access continue to have it. The approval routing is in the platform; the ability to bypass that routing remains in the accounting system.

How should businesses verify that AP automation is enforcing governance correctly?

Verify governance enforcement by running test scenarios before go-live: attempt to approve an above-threshold invoice at a lower authority level, submit a duplicate invoice, change a vendor bank number and submit a new invoice. If the system correctly blocks or flags each scenario, governance is being enforced. If any scenario passes without flagging, the configuration has a gap that should be corrected before the platform goes live.

What role does change management play in AP governance framework adoption?

Change management ensures staff understand not just how to use the new AP system but why each control is configured as it is. Approvers who understand that dollar-value thresholds exist to prevent unauthorised payments are less likely to request workarounds or informal approvals. Governance fails when staff see controls as administrative friction rather than risk protection.
