Approval Bypass and Control Override

How approval bypass and deliberate control override occur in AP processes, why they are treated as serious governance failures even when the underlying payment is legitimate, and how to prevent them.

Approval bypass is the processing of an invoice or payment without completing the approval steps required by the business's AP policy. Control override is a broader term covering any deliberate action to circumvent a defined internal control -- whether by bypassing an approval step, suppressing a system flag, or instructing another person to process something in a way that avoids required scrutiny. Both are treated as serious governance failures in any well-run finance function, regardless of whether the underlying payment was legitimate.

The reason approval bypass is a serious issue even when the invoice is genuine is that internal controls exist to prevent fraud and error, not merely to catch them after they occur. A culture where approvals are regularly bypassed "for efficiency" or "because it was urgent" is a culture where fraud can operate without triggering any of the controls designed to detect it. An employee who regularly processes invoices without required approvals provides cover -- intentionally or not -- for fraudulent invoices to move through the same bypass mechanism.

How approval bypass occurs

The most common form of approval bypass is the informally sanctioned workaround. An invoice arrives late, an approver is unavailable, a payment deadline is looming, and a senior employee instructs the AP team to process the invoice now and "get approval retrospectively." The retrospective approval rarely happens, the control gap is not recorded, and the pattern repeats. Over time, the exceptions become normalised to the point where the approval policy exists on paper but not in practice.

System-level bypass occurs when an AP manager or system administrator has access to override system controls -- marking an invoice as approved directly in the accounting system database, releasing a payment file that has not completed the workflow, or modifying approval status flags. These overrides are typically logged in system audit trails, but if nobody reviews the audit trail regularly, they go undetected for extended periods.

Emergency payment processing is a legitimate operational requirement -- suppliers sometimes threaten service interruption for overdue invoices, and urgent situations do occur. But emergency payments should have their own documented process with compensating controls: same-day review by the CFO or financial controller, mandatory post-payment approval documentation within 24 hours, and a monthly report of all emergency payments for management review. A fast emergency process is not an excuse for eliminating accountability.

Control override as a fraud enabler

Control override is most dangerous when it is used to conceal a transaction that would not have survived normal scrutiny. An employee processing a fraudulent invoice cannot afford for it to go through a second approver who might question the supplier or the amount. Bypassing the approval step removes the control most likely to catch the fraud. This is why approval bypass patterns -- particularly for specific employees, specific suppliers, or specific amount ranges -- are a primary indicator of potential fraud, not just a process discipline problem.

Forensic investigations of AP fraud consistently find approval bypass and control override as enabling factors. The fraud did not survive because the controls failed to detect it; it survived because the controls were deliberately not applied. Treating bypass patterns as a fraud risk indicator rather than an operational inconvenience is the correct response.

Prevention and detection

Automated AP systems that enforce sequential workflow steps -- an invoice cannot be marked approved until the required approvers have confirmed it, and cannot be paid until it is approved -- are the most effective technical control against approval bypass. They remove the ability to process an invoice out of sequence without administrative intervention, which creates a clear audit trail of any override.

Regular review of the approval audit trail -- looking for invoices where approval status was changed directly rather than through the workflow, payments released before approval completion, and retrospective approvals applied more than 48 hours after payment -- should be part of the AP manager's monthly control checks. Anomalies should be investigated and documented, not simply accepted.
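
The three audit-trail checks listed above, as an added example that is not part of the original glossary entry or of any AP product. The record layout, the field names and the "direct_edit" marker are assumptions; the sample rows are constructed.

```python
from collections import Counter
from datetime import datetime, timedelta

RETRO_LIMIT = timedelta(hours=48)  # threshold from the monthly check described above

# Constructed sample rows; field names and the "direct_edit" value are
# assumptions, not the export format of any particular AP system.
AUDIT_TRAIL = [
    {"invoice": "INV-1001", "supplier": "Acme", "processed_by": "alice",
     "approved_via": "workflow", "approved_at": "2024-03-01T10:00", "paid_at": "2024-03-02T09:00"},
    {"invoice": "INV-1002", "supplier": "Birch", "processed_by": "bob",
     "approved_via": "direct_edit", "approved_at": "2024-03-03T08:00", "paid_at": "2024-03-03T12:00"},
    {"invoice": "INV-1003", "supplier": "Birch", "processed_by": "bob",
     "approved_via": "workflow", "approved_at": "2024-03-08T09:00", "paid_at": "2024-03-05T09:00"},
    {"invoice": "INV-1004", "supplier": "Cedar", "processed_by": "carol",
     "approved_via": "workflow", "approved_at": "2024-03-06T15:00", "paid_at": "2024-03-06T09:00"},
    {"invoice": "INV-1005", "supplier": "Birch", "processed_by": "bob",
     "approved_via": None, "approved_at": None, "paid_at": "2024-03-07T09:00"},
]

def _ts(value):
    """Parse an ISO timestamp; a missing value means the step never happened."""
    return datetime.fromisoformat(value) if value else None

def review(rows):
    """Return (invoice, finding) pairs for the three anomalies in the text."""
    findings = []
    for r in rows:
        approved, paid = _ts(r["approved_at"]), _ts(r["paid_at"])
        if r["approved_via"] == "direct_edit":
            findings.append((r["invoice"], "status_changed_outside_workflow"))
        if paid and (approved is None or approved > paid):
            findings.append((r["invoice"], "paid_before_approval"))
        if paid and approved and approved - paid > RETRO_LIMIT:
            findings.append((r["invoice"], "retrospective_approval_over_48h"))
    return findings

def concentration(rows, findings, key):
    """Count flagged invoices per employee or supplier to surface patterns."""
    flagged = {invoice for invoice, _ in findings}
    return Counter(r[key] for r in rows if r["invoice"] in flagged)

if __name__ == "__main__":
    results = review(AUDIT_TRAIL)
    for invoice, finding in results:
        print(invoice, finding)
    print(concentration(AUDIT_TRAIL, results, "processed_by"))
```

The per-employee and per-supplier counts are what turn individual exceptions into the bypass pattern the entry treats as a fraud indicator.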
