Invoice approval software automates the routing, review, and sign-off of supplier invoices before payment is made. Most tools do this well when the goal is speed. What they rarely address is the control layer that belongs before sign-off: verifying supplier details, flagging duplicates, and catching bank account changes before they reach the approver’s inbox. The difference between basic routing and genuine financial control is what determines whether faster processing reduces risk or accelerates it.
How basic approval routing and control-layer automation differ
| Feature | Basic approval routing | Control-layer automation |
|---|---|---|
| Invoice routing to approver | Yes | Yes, with conditional rules by value and supplier |
| Approval audit trail | Basic (who approved, when) | Full (supplier data captured at point of approval) |
| Supplier detail verification | No | Yes, flags changes against historical records |
| Duplicate detection | Rarely | Yes, before approval, not after |
| Bank account change alerts | No | Yes, flagged before routing |
| GST exception handling | No | Yes, at line level |
| Two-way PO matching | Rarely | Yes, at line level |
The problem with automating approvals without first automating controls
Finance teams adopt AP automation to solve a volume problem. Invoices arrive by email, get entered manually into Xero or MYOB, coding decisions are made from memory, and GST treatment varies depending on who is handling it that day. Automation fixes the volume part. The risk does not go away - it just moves faster.
Payment redirection scams cost Australian businesses $152.6 million in 2024, a 66% increase from 2023, according to the National Anti-Scam Centre. These scams arrive as a normal-looking invoice with changed payment details. An automated workflow that routes invoices without checking supplier data first moves a fraudulent invoice toward payment faster than a manual process would have.
A financial controller at a Perth electrical subcontractor was processing around 70 invoices a week through Xero. Invoices arrived by email, were forwarded to the business owner for approval, then returned for payment. When a supplier’s email was compromised in late 2024, an invoice with altered bank details arrived in the usual inbox. The format was correct. The owner approved it. The automated payment ran. Verifying the supplier’s account number had never been built into the workflow.
This is not a failure of attention. It is a failure of process design.
Where the control gap creates the most exposure
The moment of highest risk in any AP workflow is bank detail verification. When a fraudulent invoice arrives with changed payment details, it looks identical to a legitimate one. Manual processes rely on whoever is handling the invoice to remember what the supplier’s bank details looked like last month. Automated workflows - if they only route and approve - do exactly the same thing at higher speed.
Three control failures account for the majority of AP fraud exposure in Australian SMBs:
No supplier validation before routing. The workflow receives the invoice, checks whether it matches a known supplier name, and forwards it for approval. It does not check whether the bank details match the last invoice from that supplier.
No duplicate detection before approval. Duplicate invoices - same supplier, same amount, same reference number re-submitted weeks later - enter the approval queue without a flag. The approver may not remember having already approved this invoice.
No approval thresholds enforced by role. The same person who initiated the purchase order is also approving the invoice. This breaks segregation of duties. When one person covers both functions, there is no independent verification.
What invoice approval software should actually do
An approval platform built for financial governance should handle these functions before an invoice reaches the approver’s inbox:
Verify that the supplier’s bank account details match historical records
Flag duplicate invoice numbers before routing, not after payment runs
Match invoice values to purchase orders at the line level, not just the total
Apply approval limits by invoice value, supplier category, and approver role
Handle multi-account line-item coding so a subcontractor invoice covering labour, materials, and equipment hire is coded correctly across accounts
Produce an audit trail that captures supplier details at the point of approval, not just the approval decision
These functions separate an approval workflow from an approval control platform. Most routing tools cover the workflow. Fewer cover the controls.
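The pre-routing checks listed above, which map onto the three control failures described earlier, can be expressed as a gate that runs before an invoice is routed. This is an added Python example, not code from any vendor or accounting platform; the `Invoice` fields, the flag names, the approver limits and all sample data are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Invoice:
    supplier_id: str
    number: str
    amount_cents: int
    bsb: str
    account: str
    po_raised_by: str
    approver: str

def _digits(value: str) -> str:
    # "062-000" and "062000" are the same BSB: compare digits only.
    return re.sub(r"\D", "", value)

def _ref(value: str) -> str:
    # "INV-1001" and "inv 1001" are the same reference once normalised.
    return re.sub(r"[^A-Z0-9]", "", value.upper())

def pre_routing_checks(inv, history, limits_cents):
    """Return exception flags; an empty list means the invoice may be routed."""
    flags = []
    past = [h for h in history if h.supplier_id == inv.supplier_id]
    known = {(_digits(h.bsb), _digits(h.account)) for h in past}
    if not known:
        flags.append("NO_BANK_HISTORY")        # nothing on record to compare against
    elif (_digits(inv.bsb), _digits(inv.account)) not in known:
        flags.append("BANK_DETAILS_CHANGED")   # hold before it reaches the approver
    if any(_ref(h.number) == _ref(inv.number) and h.amount_cents == inv.amount_cents
           for h in past):
        flags.append("DUPLICATE_INVOICE")      # same supplier, reference and amount
    if inv.approver == inv.po_raised_by:
        flags.append("SEGREGATION_OF_DUTIES")  # PO raiser cannot also approve
    if inv.amount_cents > limits_cents.get(inv.approver, 0):
        flags.append("OVER_APPROVER_LIMIT")    # unknown approvers have a zero limit
    return flags

# Constructed sample data (supplier, people, BSB and account numbers are made up).
HISTORY = [Invoice("SUP-001", "INV-1001", 480000, "062-000", "1234 5678", "sam", "alex")]
LIMITS_CENTS = {"alex": 500000, "sam": 100000}
CLEAN = Invoice("SUP-001", "INV-1002", 250000, "062000", "12345678", "sam", "alex")
REDIRECTED = Invoice("SUP-001", "INV-1003", 250000, "033-000", "8765 4321", "sam", "alex")
RESUBMITTED = Invoice("SUP-001", "inv 1001", 480000, "062-000", "12345678", "sam", "alex")
SELF_APPROVED = Invoice("SUP-001", "INV-1004", 250000, "062-000", "12345678", "sam", "sam")

if __name__ == "__main__":
    for inv in (CLEAN, REDIRECTED, RESUBMITTED, SELF_APPROVED):
        print(inv.number, pre_routing_checks(inv, HISTORY, LIMITS_CENTS) or "route")
```

Only an empty flag list is routed as normal; any flag holds the invoice for exception review, so the approver never sees a changed bank account presented as routine.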
The evaluation checklist: what to look for before you commit
Before committing to any invoice approval software, apply this checklist:
1. Does it verify supplier bank details against historical records automatically?
2. Does it flag duplicate invoices before they reach the approver?
3. Does it enforce approval limits by value and approver role?
4. Does it support delegation of authority rules, not just email chains?
5. Does it match invoices to purchase orders at line level?
6. Does it produce an audit trail with supplier data captured at the point of approval?
7. Does it handle multi-account line-item coding for complex invoices?
8. Does it integrate natively with Xero or MYOB without requiring a separate sync?
9. Does exception handling happen before invoices reach the ledger, or after?
Any tool that cannot answer yes to the first three items is routing invoices, not controlling them.
Who this fits and who it does not
| Business profile | What fits |
|---|---|
| Fewer than 20 invoices per week, single approver, stable supplier base | Xero or MYOB native approvals may be sufficient |
| 20-80 invoices per week, multiple approvers, growing supplier count | A dedicated approval layer with exception handling is worth evaluating |
| Construction or industrial businesses with PO-based workflows | Full control-layer automation with PO matching and supplier validation |
| Multi-entity operations | Specific multi-entity workflow support is required - most basic tools manage this poorly |
| Bookkeepers and accountants managing multiple clients | Look for pricing that does not penalise per-client or per-entity usage |
Questions to ask vendors before buying
1. Where does supplier bank detail verification happen - before routing, or not at all?
2. How does duplicate detection work, and at what point in the workflow is it applied?
3. Can approval limits be set by value, supplier type, and approver role simultaneously?
4. Does the audit trail capture supplier data at the moment of approval, or only the approval decision itself?
5. What happens when an invoice arrives with changed bank details from a known supplier?
6. If an invoice has no matching purchase order, is it flagged, held, or routed as normal?
7. How does GST exception handling work for invoices where line items carry different tax treatments?
8. What happens when the nominated approver is unavailable - does the invoice stop, or escalate automatically?
A vendor who cannot answer questions 1, 5, and 6 specifically is selling routing, not controls.
What good looks like: governance principles that protect AP workflows
Financial controls in AP come down to three principles: segregation of duties, documented approval limits, and independent verification of supplier details before payment. Most Australian SMB finance teams understand these principles. The challenge is that the tools many of them use were not designed with these controls as primary requirements.
Xero is effective as a ledger. Its native bill approval handles basic routing. It does not include supplier validation, duplicate detection at the pre-approval stage, or PO matching at the line level. This is a design choice, not a deficiency. Xero is built to record and report, not to control what enters the record. Adding a dedicated control layer above Xero is the practical approach for any business where invoice volume or fraud risk is a real concern.
A structured approval workflow enforces these principles without requiring finance teams to hold them in memory under volume pressure. For teams where exception flagging is a current gap, that validation layer should operate before invoices reach the ledger - not after. Pulsify’s validation and exception review sits at this stage, comparing supplier details against history and flagging anomalies before bills are published to Xero or MYOB.
The goal is not slower approval. It is making the moments that matter - supplier verification, duplicate checks, threshold enforcement - happen automatically, so the approver is reviewing real information rather than trusting memory.
If you want to assess where your current AP workflow leaves control gaps, a workflow audit is the right starting point.
FAQ
What is invoice approval software and what does it do?
Invoice approval software routes supplier invoices to the appropriate person for review and sign-off before payment. Better platforms also include supplier bank detail verification, duplicate detection, and purchase order matching as part of that process - not just signature collection and routing.
Does Xero have built-in invoice approval?
Xero includes basic bill approval that allows invoices to be submitted and approved by nominated users. It does not include supplier bank detail validation, duplicate detection before approval, or line-level PO matching. For teams managing high invoice volumes or fraud risk, a dedicated control layer above Xero provides meaningful additional protection.
How does AP automation increase fraud risk when controls are missing?
Automated workflows that route invoices without verifying supplier details first move a fraudulent invoice through the process at the same speed as a legitimate one. The National Anti-Scam Centre reported that payment redirection scams cost Australian businesses $152.6 million in 2024. Speed without verification is exposure.
What is the most important control to add to an approval workflow?
Supplier bank detail verification is the single highest-impact control. Most AP fraud in Australia involves a legitimate-looking invoice with changed payment details. A workflow that checks the supplier’s bank account against historical records before routing catches this before it reaches the approver.
How many approval steps does an Australian SMB typically need?
For most SMBs, a two-step process - one operational reviewer and one financial authoriser above a threshold value - is sufficient. The threshold level matters more than the number of steps. A structure where invoices below $5,000 route to a single approver with no escalation for changed bank details will miss the most common fraud vector regardless of how many approvers are in the chain.