Why approvals matter: protection with speed
Approvals are decision checkpoints that confirm a purchase is necessary, affordable, and allowed. Done well, they reduce waste, prevent fraud, and ensure compliance—without slowing the business. The goal is not “more approvals,” but “the right approvals” based on risk and value.
Approvals enable speed when they are: (1) risk-based (higher risk = more scrutiny), (2) standardized (clear rules and thresholds), (3) delegated (decisions made close to the work), and (4) automated (routing, reminders, and audit trails).
Approval types and what each one validates
1) Managerial approval (need validation)
Managerial approval confirms that the request is legitimate and aligned with operational priorities. It answers: “Do we need this, now, at this quantity/specification?”
- Typical approver: line manager, department head, project manager.
- Common checks: business justification, scope alignment, duplication (already available?), correct category, urgency, and whether a preferred supplier or contract should be used.
- Practical example: A marketing team requests new design software licenses. The manager verifies headcount, confirms existing licenses are fully used, and approves only the required number.
2) Budget/finance approval (funds availability)
Budget/finance approval confirms that funds are available and the spend is coded correctly. It answers: “Is there budget, and is the financial impact understood?”
- Typical approver: budget owner, finance controller, FP&A, cost center owner.
- Common checks: remaining budget, correct cost center/project code, capex vs opex treatment, timing (this month/quarter), and whether the spend should be split across periods.
- Practical example: A department requests $40,000 of equipment. Finance confirms the correct account and whether it should be capitalized, and verifies budget availability before approval.
3) Compliance approval (IT security, legal, safety, and other controls)
Compliance approval ensures the purchase meets internal policies and external obligations. It answers: "Is this purchase allowed and properly controlled?"
- IT/security approval: for software, cloud services, devices, integrations, or anything handling company data. Checks include data classification, vendor security posture, access controls, and integration risk.
- Legal approval: for contracts, terms, liability, IP, confidentiality, data processing, and regulatory clauses.
- Safety/EHS approval: for chemicals, machinery, site work, PPE, or services performed on premises. Checks include risk assessments, certifications, and safe work requirements.
- Practical example: A team wants a new SaaS tool that stores customer data. IT security reviews encryption, access logging, and vendor compliance; legal reviews data processing terms; only then can the purchase proceed.
Approval thresholds and Delegation of Authority (DOA)
Approval thresholds define who can approve what, based on spend amount and risk. Delegation of Authority (DOA) is the formal policy that assigns approval limits to roles (not individuals), often with category-specific rules. DOA prevents “rubber-stamping” and ensures decisions are made at the right level.
How to apply thresholds (step-by-step)
- Classify the purchase by category (e.g., general supplies, IT/software, professional services, facilities, safety-critical items).
- Determine total commitment (not just the first invoice): include subscription term, renewals, implementation fees, and any minimum spend.
- Check threshold rules for that category and amount.
- Route to required approvers (managerial + budget + compliance as applicable).
- Record decisions with justification and any conditions (e.g., “approved if vendor signs standard terms”).
Sample DOA matrix (illustrative)
| Spend (total commitment) | General goods/services | IT / Software / Data tools | Safety-critical / regulated |
|---|---|---|---|
| Up to $1,000 | Requester’s manager | Manager + IT security (light review) | Manager + EHS |
| $1,001–$10,000 | Dept head + budget owner | Dept head + budget owner + IT security | Dept head + budget owner + EHS |
| $10,001–$50,000 | Director + finance controller | Director + finance controller + IT security + legal (if contract) | Director + finance controller + EHS + legal (if on-site services) |
| $50,001–$250,000 | VP + finance + (legal if contract) | VP + finance + IT security + legal | VP + finance + EHS + legal |
| Over $250,000 | CFO/CEO per policy + finance + legal | CFO/CEO per policy + finance + IT security + legal | CFO/CEO per policy + finance + EHS + legal |
Notes to adapt the matrix: Some organizations add special rules (e.g., “any new vendor requires procurement review,” “any contract term over 12 months requires legal,” or “any tool processing personal data requires privacy review”). The key is clarity: people should know the route before they submit.
Segregation of duties (SoD): preventing errors and fraud
Segregation of duties means no single person controls all steps of a transaction. In purchasing, SoD reduces the risk of unauthorized buying, fake receiving, and improper payments.
Core roles and why they must be separated
- Requester: identifies the need and provides specifications. Risk if combined with approval: self-approval of unnecessary spend.
- Approver: validates need/budget/compliance. Risk if combined with payment: approving and paying without independent checks.
- Receiver: confirms goods/services were delivered. Risk if combined with requester/approver: confirming receipt of items never received.
- Payer (Accounts Payable/Finance): releases payment based on approved documentation and receipt evidence. Risk if combined with supplier setup/approval: paying a fraudulent supplier.
Practical SoD rule of thumb: The person who benefits from the purchase (requester) should not be the final approver; the person who confirms receipt should not be the person who approves payment.
How approval workflows operate in practice
Approval workflows are the routing rules and system steps that move a request through the right checkpoints. A good workflow is predictable, time-bound, and auditable.
Workflow mechanics: routing, escalation, and audit trails
- Routing: The system routes the request based on category, amount, cost center, vendor status (new vs existing), and risk flags (data access, on-site work, regulated items).
- Parallel vs sequential approvals: Low-risk approvals may run in parallel (manager and budget owner at the same time). High-risk approvals may be sequential (IT security before legal, or legal before executive sign-off).
- Escalation: If an approver does not act within a defined time (e.g., 48 hours), the request escalates to a delegate or next-level manager. Escalation rules should be documented to avoid “approval shopping.”
- Audit trail: Every action is logged: who approved, when, what changed, comments, attachments, and version history. This supports internal audits and dispute resolution.
Step-by-step example workflow (mid-value SaaS purchase)
- Requester submits an $18,000/year SaaS request with business justification, the type of data the tool will handle, and vendor details.
- System calculates total commitment (e.g., 2-year term = $36,000) and identifies category = IT/software.
- Manager approves need and confirms the tool is required.
- Budget owner/finance approves funds availability and correct coding.
- IT security reviews security questionnaire, access model, and data handling.
- Legal reviews contract terms (if a contract or click-through terms exceed policy thresholds).
- Final approval by director (per DOA for $36,000 IT spend).
- Workflow locks key fields (vendor, amount, term) to prevent post-approval changes without re-approval.
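The routing, SoD and field-locking rules in the steps above can be expressed in a few dozen lines. The following is an added example (hypothetical code, not the page's or any procurement system's own tooling); the DOA bands and role names are assumptions modelled on the illustrative matrix earlier in the article, the `legal?` suffix is an assumed encoding of "legal (if contract)", and the "new vendor requires procurement review" rule is one of the house rules the matrix notes mention.

```python
"""Approval routing, SoD enforcement and re-routing on material change.

Added example, hypothetical: DOA bands, roles and the "legal?" marker are
assumptions modelled on the article's illustrative matrix.
"""
from dataclasses import dataclass

# (inclusive upper bound of total commitment, approvers by category).
# A trailing "?" marks a role required only when a contract is involved.
DOA = [
    (1_000,   {"general": ["manager"],
               "it": ["manager", "it_security"],
               "safety": ["manager", "ehs"]}),
    (10_000,  {"general": ["dept_head", "budget_owner"],
               "it": ["dept_head", "budget_owner", "it_security"],
               "safety": ["dept_head", "budget_owner", "ehs"]}),
    (50_000,  {"general": ["director", "finance_controller"],
               "it": ["director", "finance_controller", "it_security", "legal?"],
               "safety": ["director", "finance_controller", "ehs", "legal?"]}),
    (250_000, {"general": ["vp", "finance", "legal?"],
               "it": ["vp", "finance", "it_security", "legal"],
               "safety": ["vp", "finance", "ehs", "legal"]}),
    (None,    {"general": ["cfo", "finance", "legal"],
               "it": ["cfo", "finance", "it_security", "legal"],
               "safety": ["cfo", "finance", "ehs", "legal"]}),
]
# Editing any of these after approval is a material change and forces re-routing.
LOCKED_FIELDS = ("vendor", "amount_per_year", "term_years", "one_time_fees", "category")


@dataclass
class Request:
    requester: str
    category: str              # "general" | "it" | "safety"
    vendor: str
    amount_per_year: float
    term_years: int = 1
    one_time_fees: float = 0.0  # implementation, minimum spend, etc.
    has_contract: bool = False
    new_vendor: bool = False


def total_commitment(r: Request) -> float:
    """Whole-term commitment, not just the first invoice."""
    return r.amount_per_year * r.term_years + r.one_time_fees


def required_approvers(r: Request) -> list:
    total = total_commitment(r)
    for upper, by_category in DOA:
        if upper is None or total <= upper:
            roles = by_category[r.category]
            break
    route = [x.rstrip("?") for x in roles if not x.endswith("?") or r.has_contract]
    if r.new_vendor:  # assumed house rule: any new vendor gets procurement review
        route.append("procurement")
    return route


class Workflow:
    def __init__(self, req: Request):
        self.req = req
        self.required = required_approvers(req)
        self.decisions = {}  # role -> user who approved it
        self.audit = []      # append-only trail of (action, user, detail)
        self._log("submitted", req.requester,
                  f"total={total_commitment(req):.2f} route={self.required}")

    def _log(self, action, user, detail):
        self.audit.append((action, user, detail))

    def approve(self, role: str, user: str) -> None:
        if role not in self.required:
            raise ValueError(f"{role} is not on the route")
        if user == self.req.requester:
            self._log("blocked", user, f"self-approval attempt as {role}")
            raise PermissionError("SoD: requester cannot approve own request")
        if user in self.decisions.values():
            self._log("blocked", user, f"second role {role}")
            raise PermissionError("SoD: one person cannot hold two approval roles")
        self.decisions[role] = user
        self._log("approved", user, role)

    def fully_approved(self) -> bool:
        return all(role in self.decisions for role in self.required)

    def amend(self, user: str, **changes) -> list:
        """Apply edits; a change to any locked field clears approvals and re-routes."""
        material = [k for k, v in changes.items()
                    if k in LOCKED_FIELDS and getattr(self.req, k) != v]
        for k, v in changes.items():
            setattr(self.req, k, v)
        if material:
            self.decisions.clear()
            self.required = required_approvers(self.req)
            self._log("re-routed", user, f"material change {material}; route={self.required}")
        else:
            self._log("amended", user, f"non-material change {list(changes)}")
        return material


if __name__ == "__main__":
    saas = Request("alice", "it", "SaaSCo", 18_000, term_years=2, has_contract=True)
    wf = Workflow(saas)
    print(total_commitment(saas), wf.required)
    try:
        wf.approve("director", "alice")  # blocked: self-approval
    except PermissionError as err:
        print(err)
    for role, user in [("director", "dan"), ("finance_controller", "fay"),
                       ("it_security", "sec"), ("legal", "lee")]:
        wf.approve(role, user)
    print(wf.fully_approved())
    print(wf.amend("alice", term_years=3), wf.required)  # 3-year term moves it to the VP band
    for entry in wf.audit:
        print(entry)
```

Two design points worth noting: the route is computed from total commitment, so extending a term or adding implementation fees can move a request into a higher band, and `amend` recomputes it rather than trusting the original route; and the audit list is append-only, so a blocked self-approval attempt is recorded even though it changes nothing else.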
Compliant vs non-compliant approval chains
Example A: Compliant chain (professional services, $25,000)
Scenario: A department needs a consultant for process mapping, $25,000 total.
- Requester: Operations analyst submits scope and deliverables.
- Managerial approval: Operations manager validates need and scope.
- Budget/finance approval: Cost center owner confirms budget; finance controller confirms correct coding.
- Compliance: Legal reviews the consulting agreement and confidentiality clauses.
- DOA: Director approves final commitment (per threshold).
Why it’s compliant: Need, budget, and contract risk are independently validated; approvers match the DOA; audit trail exists.
Example B: Non-compliant chain (self-approval and missing compliance)
Scenario: A team lead buys a new cloud tool using a corporate card for $9,500/year, storing employee data.
- Issues: The requester is also the approver (self-approval). No IT security review for data handling. No legal review of terms. Spend is fragmented (monthly charges) to stay under thresholds.
- Why it’s non-compliant: Violates SoD, bypasses required compliance approvals, and may be considered threshold avoidance.
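The fragmented-spend pattern in Example B is detectable after the fact from the card ledger: many charges to the same merchant, each under the single-charge limit, that together exceed it within a rolling window. The following is an added example (hypothetical detection code, not the page's own); the ledger rows are constructed sample data, and the $1,000 single-charge limit and the 365-day window are assumptions.

```python
"""Flag card spend that looks split to stay under a single-charge limit.

Added example with constructed data; the limit and window are assumptions.
"""
from collections import defaultdict
from datetime import date

CARD_SINGLE_CHARGE_LIMIT = 1_000.0  # assumed: anything above this needs a PO

# Constructed sample ledger: (date, cardholder, merchant, amount). Not real data.
LEDGER = [(f"2024-{m:02d}-15", "team_lead_1", "CloudToolCo", 791.67) for m in range(1, 13)]
LEDGER += [
    ("2024-03-03", "team_lead_1", "OfficeMart", 120.00),
    ("2024-06-20", "team_lead_1", "OfficeMart", 85.50),
    ("2024-04-10", "analyst_2", "CloudToolCo", 950.00),
    ("2024-04-12", "analyst_2", "CloudToolCo", 950.00),
    ("2024-05-01", "director_3", "Hardware Inc", 2_400.00),  # over-limit single charge
]


def find_split_spend(ledger, limit=CARD_SINGLE_CHARGE_LIMIT, window_days=365, min_charges=2):
    """Return cardholder/merchant pairs whose under-limit charges exceed the limit
    in aggregate within any window of `window_days`, largest aggregate first."""
    by_pair = defaultdict(list)
    for day, holder, merchant, amount in ledger:
        by_pair[(holder, merchant)].append((date.fromisoformat(day), amount))

    findings = []
    for (holder, merchant), txns in by_pair.items():
        txns.sort()
        # A single over-limit charge is a different control's problem; skip the pair.
        if any(amount > limit for _, amount in txns):
            continue
        best = None
        for i, (start, _) in enumerate(txns):
            window = [t for t in txns[i:] if (t[0] - start).days < window_days]
            total = sum(amount for _, amount in window)
            if len(window) >= min_charges and total > limit and (best is None or total > best["total"]):
                best = {"cardholder": holder, "merchant": merchant,
                        "charges": len(window), "total": round(total, 2),
                        "first": window[0][0].isoformat(), "last": window[-1][0].isoformat()}
        if best:
            findings.append(best)
    return sorted(findings, key=lambda f: -f["total"])


if __name__ == "__main__":
    for finding in find_split_spend(LEDGER):
        print(finding)
```

Running it on the constructed ledger surfaces the twelve monthly $791.67 charges (about $9,500 a year, the same order of magnitude as Example B) and the two $950 charges two days apart, while the two small OfficeMart purchases stay below the limit and are not reported. In practice the output is a review queue for procurement and IT security, not proof of intent: a legitimate monthly subscription looks identical until someone checks whether it went through the approval route.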
Example C: Non-compliant chain (post-approval changes)
Scenario: A $12,000 equipment purchase is approved, then the requester changes the supplier and increases the amount to $17,000 after approval.
- Issue: Material change after approval without re-approval.
- Control expectation: Any change to amount, supplier, scope, or term should trigger re-routing to the required approvers.
Mini-case: what happens when purchases bypass approvals
Scenario
A facilities coordinator urgently hires a contractor to perform after-hours electrical work for $48,000. To “move fast,” they skip the formal approval route and agree via email. Work starts immediately. The contractor later submits an invoice with additional charges, bringing the total to $62,000.
What goes wrong (and why)
- Budget impact: Finance discovers the cost center is over budget; other planned maintenance is delayed or canceled.
- Compliance exposure: No safety/EHS review occurred; required permits and risk assessments were not documented.
- Legal/contract risk: No agreed terms on liability, warranty, or change orders; the “extra charges” are disputed.
- Operational disruption: Payment is put on hold pending review, creating supplier conflict and potential work stoppage.
- Audit finding: The transaction is flagged for bypassing DOA and SoD controls; management must document remediation.
How it should have been handled (fast but controlled)
- Use an emergency route with predefined approvers (e.g., facilities director + finance + EHS) and short SLA times.
- Confirm total commitment including potential overtime and call-out fees before approval.
- Require minimum safety documentation (permits, method statement, proof of certifications) before work starts.
- Document scope and change control so any additional charges require written approval.
- Ensure audit trail by capturing approvals in the system (or an approved interim method) and backfilling within a defined timeframe.