5 Approval Workflow Red Flags Your Auditor Will Find Before You Do

Nobody gets excited about approval workflows. When they’re working, they fade into the background. Then an audit happens.

In 8+ years of NetSuite consulting I’ve seen the same issues show up again and again. Usually not fraud, not intentional bypasses — just structural gaps that pile up while everyone assumes the process is fine. Here are the five I see most, and what to do about them.

1. Transactions that changed after approval. PO submitted for $8K, manager approves. Before it posts, someone adds a line — total goes to $14K, past the VP threshold. The VP never sees it. From the inside nothing looks wrong; the auditor comparing posted amount to thresholds finds the gap. I’ve seen 150+ POs with this in one environment over six months. Check: Compare posted amounts to thresholds; look for ones where the final amount would’ve required a different approver.

2. One approver does everything. Pull a report of who’s approving what. In a lot of orgs, one or two people do 70–80% of approvals. Not always wrong, but auditors see concentration risk — and if that person also creates or edits some of those transactions, you’ve got a segregation question. It usually creeps in: someone’s reliable, so more gets routed to them, or “temporary” coverage becomes permanent. Check: Top 5 approvers by volume and by dollar amount; anyone approving what they also submitted?

3. No record of what was actually reviewed. Auditors ask: “When your VP approved this $50K bill, what did they see?” In a lot of setups the approval is just a status change and a timestamp. It proves someone clicked; it doesn’t prove what was on screen. If the transaction was edited after approval, the “approved” version and the posted version can differ. Check: For a few recent approvals, can you reconstruct what the transaction looked like at approval time, or only what it looks like now?

4. Rules that only exist in someone’s head. I asked a Controller for her approval policy — she had a Word doc from 2019. Then I asked how it was configured in NetSuite. The doc said POs over $25K need CFO sign-off; the system was set to $50K. Nobody knew when or why it changed. Policy and system drift apart all the time; auditors test whether the system enforces the policy. Check: Line up your written policy with the actual config. If the rules live in code only, can anyone on the finance team verify they’re right?

5. The vacation workaround. Queue backs up, someone asks the admin to push things through or someone shares their login. Crisis averted — and you’ve got transactions “approved” by an admin or by someone who wasn’t there. Auditors look for admin approvals, bulk clears, and approver inconsistency. We wrote a deeper dive on the delegation problem and how to fix it. Check: Any approvals by admin roles or outside normal workflow? Odd patterns (time of day, volume spikes)?
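The checks attached to the five flags above can be run as a script over an export of approval records. The following is an added example written for this page, not NetSuite code and not a Greenlight Approvals feature: the record fields, the two approval tier tables (a "written policy" set and a "configured" set, deliberately drifting on the CFO tier), the admin role name, the business-hours window and the five sample purchase orders are all constructed assumptions.

```python
"""Audit checks for the five approval-workflow red flags, run over constructed
purchase-order records. Illustrative code added for this page; field names,
tier thresholds, role names and sample data are assumptions, not NetSuite's."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Assumed approval tiers: amount floor -> required approver level.
POLICY_TIERS = {0: "manager", 10_000: "vp", 25_000: "cfo"}        # the Word doc
CONFIGURED_TIERS = {0: "manager", 10_000: "vp", 50_000: "cfo"}    # what the system enforces
ADMIN_ROLES = {"administrator"}                                   # assumed role label


@dataclass
class PurchaseOrder:
    po_id: str
    submitted_by: str
    approved_by: str
    approver_role: str
    approved_amount: float   # amount on screen when the approver clicked
    posted_amount: float     # amount that finally posted
    approved_at: datetime


def tier_rank(amount, tiers):
    """Index (0 = lowest) of the highest tier whose floor the amount reaches."""
    floors = sorted(tiers)
    return max(i for i, floor in enumerate(floors) if amount >= floor)


def required_level(amount, tiers=POLICY_TIERS):
    """Approver level the policy requires for this amount."""
    return tiers[sorted(tiers)[tier_rank(amount, tiers)]]


def post_approval_escalations(orders, tiers=POLICY_TIERS):
    """Flag 1 (and 3): the posted amount needed a higher approver than the approved amount."""
    return [po.po_id for po in orders
            if tier_rank(po.posted_amount, tiers) > tier_rank(po.approved_amount, tiers)]


def self_approvals(orders):
    """Flag 2: approver is also the submitter (segregation-of-duties question)."""
    return [po.po_id for po in orders if po.submitted_by == po.approved_by]


def approver_concentration(orders):
    """Flag 2: each approver's share of approvals by count and by posted dollars."""
    by_count = Counter(po.approved_by for po in orders)
    by_dollars = Counter()
    for po in orders:
        by_dollars[po.approved_by] += po.posted_amount
    total_n, total_d = len(orders), sum(by_dollars.values())
    return {who: (by_count[who] / total_n, by_dollars[who] / total_d) for who in by_count}


def threshold_drift(policy, configured):
    """Flag 4: approver levels whose threshold differs between policy and system."""
    pol = {level: floor for floor, level in policy.items()}
    cfg = {level: floor for floor, level in configured.items()}
    return {lvl: (pol.get(lvl), cfg.get(lvl))
            for lvl in set(pol) | set(cfg) if pol.get(lvl) != cfg.get(lvl)}


def admin_approvals(orders, admin_roles=ADMIN_ROLES):
    """Flag 5: approvals performed by an admin role rather than a named approver."""
    return [po.po_id for po in orders if po.approver_role.lower() in admin_roles]


def off_hours_approvals(orders, start_hour=7, end_hour=19):
    """Flag 5: approvals outside an assumed 07:00-19:00 business window."""
    return [po.po_id for po in orders if not (start_hour <= po.approved_at.hour < end_hour)]


# Constructed sample export: one record per red flag, plus a clean one (PO-1002).
SAMPLE_ORDERS = [
    PurchaseOrder("PO-1001", "alice", "bob", "manager", 8_000, 14_000, datetime(2024, 3, 4, 10, 15)),
    PurchaseOrder("PO-1002", "carol", "bob", "manager", 3_500, 3_500, datetime(2024, 3, 4, 11, 0)),
    PurchaseOrder("PO-1003", "bob", "bob", "manager", 2_000, 2_000, datetime(2024, 3, 5, 9, 30)),
    PurchaseOrder("PO-1004", "dave", "erin", "vp", 18_000, 18_000, datetime(2024, 3, 6, 23, 40)),
    PurchaseOrder("PO-1005", "alice", "sysadmin", "administrator", 6_000, 6_000, datetime(2024, 3, 7, 14, 5)),
]


def run_all(orders=SAMPLE_ORDERS):
    """Return every finding keyed by red flag, so the result can be reviewed or asserted on."""
    return {
        "changed_after_approval": post_approval_escalations(orders),
        "self_approved": self_approvals(orders),
        "concentration": approver_concentration(orders),
        "policy_vs_config": threshold_drift(POLICY_TIERS, CONFIGURED_TIERS),
        "admin_approved": admin_approvals(orders),
        "off_hours": off_hours_approvals(orders),
    }


if __name__ == "__main__":
    for flag, finding in run_all().items():
        print(f"{flag}: {finding}")
```

Running it against a real export means filling `PurchaseOrder` from whatever fields your approval audit trail actually carries; the "approved amount" column is the one most environments lack, which is exactly the point of flag 3.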

None of these are about bad intent. They’re about reasonable people and systems that don’t quite enforce what the policy says. The gap between “we have an approval process” and “it’s audit-ready” is wider than most orgs realize. And when these gaps force someone to break the approval chain, the cost compounds. The good news: all five are fixable. First step is knowing where you stand before the auditor does.


Patrick is the founder of Greenlight Approvals, a NetSuite-native approval workflow platform built for audit readiness. Questions? LinkedIn.