How do AP approval controls differ by industry and company size?
Reference guide to AP controls by industry and company size, including control design, audit evidence, risk points, finance procedures, and compliance review.
The control principles are constant - separation of duties, authority-based approval, evidence - but their shape changes with industry and scale. Project-based industries tie approvals to jobs and milestones; healthcare adds privacy exposure; nonprofits add board oversight of disbursements; multi-location businesses decide local-vs-central authority. And size determines formality: a 50-person company runs a minimum viable control set, while a 500-person company needs documented matrices, access reviews, and tested controls.
At a Glance
| Aspect | Short Answer | Why It Matters |
|---|---|---|
| How do AP approval controls differ by industry and company size? | The control principles are constant - separation of duties, authority-based approval, evidence - but their shape changes with industry and scale. | Keeps evidence clear and reduces control risk. |
| Workflow | Levels, thresholds, and formality scale with complexity. | Keeps accounting records aligned with the ERP. |
| Minimum control set (50-person company) | A 50-person company can run a lean but real set: invoice approval by someone other than the entry clerk, owner/CFO review of payments before release, monthly bank reconciliation by someone not handling payments, and basic access discipline (no shared logins, prompt offboarding). | Keeps evidence clear and reduces control risk. |
| Approval path | Job-cost coding on every invoice so approvals tie to the right project and budget, lien-waiver collection linked to payment release, and retention/retainage sign-off as a distinct step. | Keeps evidence clear and reduces control risk. |
| Control point | HIPAA exposure where invoices touch PHI (restrict and account for access; keep PHI out of routing where possible), plus oversight of physician and clinical-department spend, which can carry conflict-of-interest and regulatory (anti-kickback) sensitivity. | Keeps evidence clear and reduces control risk. |
How do approval workflows differ between SMB, mid-market, and enterprise?
Levels, thresholds, and formality scale with complexity. Smaller organizations often run a single approval level with the owner reviewing larger items - minimal documentation, high reliance on the owner. Mid-market typically runs two or three levels tied to a documented DOA, with routing by department and entity and the first real need for system-enforced limits and access reviews. Enterprises run multi-level chains calibrated per entity, formal RCMs, periodic access certifications, and tested controls - because the audit, multi-entity, and volume demands make informal control untenable. The trap is a mid-market company still running SMB-style informal controls after it has outgrown them - usually exposed by the first serious audit or investor.
What's the minimum control set a 50-person company should run vs a 500-person company?
A 50-person company can run a lean but real set: invoice approval by someone other than the entry clerk, owner/CFO review of payments before release, monthly bank reconciliation by someone not handling payments, and basic access discipline (no shared logins, prompt offboarding). A 500-person company needs the documented and tested version: a formal DOA with system-enforced limits, full segregation across vendor setup/entry/approval/payment/reconciliation, periodic user access reviews, change management over workflow rules, and an audit trail that proves it all operated. The progression isn't about adding controls for their own sake - it's that scale removes the owner's ability to personally see everything, so the system has to.
What extra AP approval controls do construction companies need?
Job-cost coding on every invoice so approvals tie to the right project and budget, lien-waiver collection linked to payment release, and retention/retainage sign-off as a distinct step. Approvals usually route first to the project manager (who knows whether work happened), then to financial authority - the project lens is the control that generic AP misses.
What AP control requirements are unique to healthcare organizations?
HIPAA exposure where invoices touch PHI (restrict and account for access; keep PHI out of routing where possible), plus oversight of physician and clinical-department spend, which can carry conflict-of-interest and regulatory (anti-kickback) sensitivity. Approval routing should surface those categories for appropriate scrutiny rather than treating all spend identically.
What AP approval expectations apply to nonprofits?
Board treasurer or finance-committee involvement in disbursements above a threshold, tight controls on donor-restricted funds (approvals confirming spend matches restriction), and the governance practices Form 990 asks about. Many nonprofits run dual-signature or dual-approval norms; the challenge is doing so with thin or volunteer finance staff.
What AP controls do dealerships need?
Handling of factory/OEM invoices and floorplan (flooring) financing, plus multi-rooftop approval structures where each store needs local approval within an enterprise framework. Routing by rooftop/entity with consolidated oversight is the core pattern; flooring interest and chargebacks warrant their own review.
What AP controls does property management need?
Owner-trust accounting discipline (each property/owner's funds and approvals kept distinct, never commingled) and approval structures that scale across hundreds of properties without losing per-property accountability. Routing by property and owner, with trust-compliance checks, is the differentiator.
What AP controls apply to education and government-adjacent organizations?
Procurement-law compliance (competitive bidding, sole-source justification), grant-fund tracking and approval documentation, and the heightened documentation standards public-money stewardship demands. Approvals must evidence not just authority but compliance with the procurement and grant rules governing the spend.
What controls do franchise and multi-brand businesses need - local approval or centralized AP?
Usually a hybrid: centralize processing and standards (one AP operation, consistent controls) while letting each location approve its own operational spend within entity-calibrated limits, escalating above. Pure local control loses consistency; pure central control can't verify what happened at a location it never sees.
What AP controls do manufacturers need?
High PO coverage makes three-way match the workhorse control; GRNI (goods-received-not-invoiced) account oversight matters for accruals and cutoff; and the design of match tolerances plus how out-of-tolerance exceptions route to a human are the control decisions auditors probe. Strong receiving data is the foundation everything else relies on.
Stampli perspective
Stampli's workflow flexibility is what lets the same platform fit a multi-rooftop dealer, a project-based contractor, and a multi-entity healthcare system without forcing any into one model - routing runs on ERP-aligned dimensions (entity, location, department, GL, project, amount), so the control structure mirrors how each business actually operates. Role-based permissions, enforced segregation of duties, and an immutable audit trail provide the same control backbone whether a customer runs two approval levels or a multi-stage per-entity matrix, and the controls scale up without re-platforming as complexity grows.