Speed is the feature finance teams ask about when evaluating AP automation. Delegation of authority is the control that determines whether the approvals that speed generates are actually valid. Without a proper approval matrix, faster processing just means faster exposure. A fast AP system without delegation enforcement is a faster path to the same governance failures as a slow manual process.
Why does the speed comparison mislead?
When a business evaluates AP automation, the speed comparison is immediate and measurable: software A processes invoices in two days, software B takes a week. The improvement is visible and the business case is obvious.
Delegation of authority is harder to measure. It asks: when an invoice was approved, did the person who approved it have actual authority for that amount? Was that authority enforced by the system, or assumed based on job title? The absence of enforcement doesn’t create a visible problem on any given day. This is the same dynamic explored in the real cost of manual AP - invisible costs that compound. It creates a condition where problems - fraudulent invoices, unauthorised spending, audit findings - can accumulate without triggering any alarm until they’re discovered retrospectively.
The ACCC’s 2024 Targeting Scams Report documented AU$152.6 million in payment redirection fraud losses - most exploiting approval processes where the approver trusted the invoice rather than verifying it against a delegation framework. Speed made those approvals faster. Controls would have made them safer.
The Perth civil engineering scenario
A financial controller at a Perth civil engineering firm manages AP for sixty to eighty invoices per week. The business has a documented delegation policy: she can approve up to AU$50,000, the CFO up to AU$200,000, and anything above requires board sign-off. In Xero, all three roles can approve any bill - the system does not enforce the thresholds.
In practice, she approves everything she’s comfortable with and emails the CFO for larger items. Board sign-off happens for capital purchases but not consistently for large subcontractor invoices that would technically require it. No one has flagged this because the approvals have all been legitimate and no incident has occurred.
The governance risk is that the control environment documented in the policy does not match the control environment operating in the system. If a fraudulent invoice for AU$180,000 arrives and is approved by the financial controller, the four-eyes principle has been bypassed - the policy says it should not have been. The system shows that it was. Without enforcement, the policy is a statement of intent rather than a control. An auditor who discovers this gap will treat every approval as potentially unauthorised - not just the one in question.
What Xero and MYOB enforce
Neither Xero nor MYOB enforces dollar-value thresholds natively. There is no segregation of duties enforcement built in. This is one of the fundamental gaps that AP approval software addresses. A user with Standard-level access in Xero can approve a AU$1,000 stationery invoice and a AU$90,000 subcontractor payment with identical permissions. The threshold policy - invoices above AU$10,000 require CFO approval - exists in a document. Nothing in the accounting system enforces it.
This is not a deficiency in either platform. It reflects what accounting systems are built to do: record transactions accurately, not govern the authority structure behind them. The governance layer belongs upstream, in a dedicated AP workflow that enforces the delegation structure before bills reach the accounting system.
The distinction between approval routing and delegation enforcement is the difference between a system that records approvals and one that validates them. A system that routes invoices to the right person but allows that person to approve at any amount is a routing tool. A system that blocks the approval, auto-escalates to the correct authority level, and records which delegation rule applied is a control.
What does the gap look like at audit?
The finding auditors look for is not whether approvals happened. It is whether they happened within documented authority. The test: take a sample of approved invoices from the period, identify the approver, and compare the amount against the delegation matrix. Any approval above the approver’s documented limit is a finding - even if the payment was legitimate and appropriate.
The gap between the Perth financial controller’s documented delegation policy and what her Xero configuration actually enforces is exactly the gap an auditor would find. The finding is not that she approved payments inappropriately. It is that the system she operates provides no evidence that the policy was followed.
Configuration investment is required to close this. The delegation matrix needs to be documented, signed off by management, reflected in the AP system’s approval rules, and reviewed whenever roles change, thresholds need adjustment, or the business adds an entity. That ongoing maintenance is the cost of operating an actual control rather than a documented one.
Sources: ACCC - Targeting Scams Report 2024 · ATO - Record-keeping requirements for business
Further reading: Best Invoice Approval Workflow Software Australia 2026 · Invoice Workflow Software: What It Actually Needs to Do · Invoice Approval Workflow Software: What Australian Businesses Need