What is a delegation of authority (DOA) matrix, and how do I build one for AP?
Reference guide to the delegation of authority (DOA) matrix for AP, covering control design, audit evidence, risk points, finance procedures, and compliance review.
A delegation of authority is the formal policy - anchored in board or executive action - that grants spending and approval authority to roles at defined dollar limits. The DOA matrix expresses it as a grid: role by transaction type by amount band. It exists so authority is granted deliberately, exercised consistently, and provable afterward.
At a Glance
| Aspect | Short Answer | Why It Matters |
|---|---|---|
| A delegation of authority (DOA) | A delegation of authority is the formal policy - anchored in board or executive action - that grants spending and approval authority to roles at defined dollar limits. | Keeps spend tied to policy, ownership, and review. |
| Related terms | There is no universal table, but the pattern is consistent: limits should step up roughly an order of magnitude per level and reflect what each role can actually evaluate. | Reduces payment errors, timing issues, and reconciliation cleanup. |
| Control point | Encode the matrix as system rules: amount-based routing that adds approvers as thresholds are crossed, authority limits that block an invoice from completing approval unless someone with sufficient authority has signed, and role-based permissions that prevent unauthorized users from approving at all. | Keeps vendor records and payment decisions reliable. |
| A delegation of authority | It is the documented grant of decision rights from the board down through management. | Helps finance decide what to do next. |
| Approval path | Treat the system as the operating truth and the document as the intended truth, then close the gap from both sides: pull who actually approved what over the last quarter, compare against the matrix, and either update the policy where practice is sensible or fix the workflow where practice drifted. | Keeps vendor records and payment decisions reliable. |
What spending authority should each level have - manager vs director vs VP vs CFO vs board?
There is no universal table, but the pattern is consistent: limits should step up roughly an order of magnitude per level and reflect what each role can actually evaluate. A common mid-market shape: managers approve up to low five figures within their budget, directors to mid five figures, VPs to low six figures, the CFO to a board-set ceiling, and the board (or a committee) above that. Calibrate to your invoice population - set the manager limit so the large majority of routine invoices clear at the first level, and reserve executive attention for the spend that warrants it.
How do I enforce a DOA inside an AP system instead of relying on people to follow the policy?
Encode the matrix as system rules: amount-based routing that adds approvers as thresholds are crossed, authority limits that block an invoice from completing approval unless someone with sufficient authority has signed, and role-based permissions that prevent unauthorized users from approving at all. Enforcement in-system converts the DOA from a document people are supposed to remember into a control that cannot be skipped - and produces the evidence that it operated.
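The three rules above, sketched as an added example (not code from any AP product): the limits, user names, and role ladder are constructed for illustration, and the function names are hypothetical.

```python
# Constructed limits for illustration; real values come from the approved matrix.
LIMITS = {"manager": 10_000, "director": 50_000, "vp": 250_000, "cfo": 1_000_000}
# Constructed user-to-role assignments; anyone absent here cannot approve at all.
ROLES = {"amy": "manager", "raj": "director", "lin": "vp", "omar": "cfo"}
LADDER = ["manager", "director", "vp", "cfo"]  # routing order, lowest level first


def required_route(amount):
    """Amount-based routing: add approver levels until one has a sufficient limit."""
    route = []
    for role in LADDER:
        route.append(role)
        if LIMITS[role] >= amount:
            return route
    return route + ["board"]  # above the CFO ceiling, the board must act


def record_approval(approvals, user):
    """Role-based permission: a user with no DOA role is rejected outright."""
    if user not in ROLES:
        raise PermissionError(f"{user} holds no approval role")
    return approvals + [user]


def approval_state(amount, approvals):
    """Authority limit: complete only when the route is signed and a limit covers the amount."""
    signed_roles = {ROLES[user] for user in approvals}
    missing = [role for role in required_route(amount) if role not in signed_roles]
    has_authority = any(LIMITS[ROLES[user]] >= amount for user in approvals)
    if has_authority and not missing:
        return "approved"
    return "more approvers required: " + ", ".join(missing or ["higher authority"])
```

An invoice stays blocked from export or payment until `approval_state` returns `approved`; board approval is modelled here as an out-of-system step, so amounts above the CFO ceiling never complete in this sketch.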
What is a delegation of authority policy and why do companies need one?
It is the documented grant of decision rights from the board down through management. Without it, authority is whatever people assume it is - which fails the moment an auditor, investor, or dispute asks who was allowed to commit the company.
Our DOA lives in a Word doc and the actual approvals in the system don't match it - how do we reconcile them?
Treat the system as the operating truth and the document as the intended truth, then close the gap from both sides: pull who actually approved what over the last quarter, compare against the matrix, and either update the policy where practice is sensible or fix the workflow where practice drifted. Then put the matrix under version control and review it on a schedule.
How often should the authorization matrix be reviewed and who owns updating it?
At least annually, plus after any reorg, acquisition, or leadership change. The controller typically owns the document; the CFO approves changes; significant expansions of authority should go back to the board level that granted them.
Should the CEO have unlimited approval authority or should the board approve above a threshold?
The CEO should have a ceiling. Unlimited single-person authority is a management-override risk auditors flag regardless of who holds it; boards commonly retain approval for commitments above a defined threshold and for related-party transactions at any amount.
What is the difference between approval authority and budget ownership?
Budget ownership is responsibility for a spending plan; approval authority is the right to commit funds. They usually overlap but aren't identical - an owner may approve within budget but still need higher sign-off above their DOA limit, and someone with authority shouldn't approve spend against budgets they don't own without the owner's review.
How should the DOA handle acting/interim roles and temporary promotions?
Grant the authority explicitly, in writing, with an end date - never let it transfer by assumption. Record who holds the acting authority, at what limit, effective when, and review the grant when the interim period ends.
Auditors found invoices approved by people not listed in our DOA - how serious is this and how do we remediate?
It is a real finding - the approval control didn't operate as designed. Remediate by quantifying the population, assessing whether the spend was nonetheless valid (re-approval by an authorized person), fixing the root cause (usually workflow rules out of sync with the matrix), and demonstrating a period of clean operation.
DOA design for a multi-entity company - should authority limits be set per entity or globally?
Set the framework globally and the limits per entity where entity scale differs materially - a $50K invoice means different things in a $500M subsidiary and a $5M one. Keep role definitions consistent across entities so consolidation and audit remain tractable.
How do I version-control the authorization matrix so we can prove what limits applied at any point in time?
Date every version, keep superseded versions retrievable, record the approval of each change, and ensure system workflow changes reference the matrix version that drove them. The test: for any historical invoice, can you produce the limits in force on its approval date?
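The point-in-time test above, combined with the reconciliation step of comparing logged approvals against the matrix, as an added example rather than code from any AP system. The version history, approval log, and function names are constructed, and limits are keyed by approver instead of by role to keep the sketch short.

```python
from bisect import bisect_right
from datetime import date

# Constructed matrix history: (effective date, version label, {approver: limit}).
VERSIONS = [
    (date(2023, 1, 1), "v1", {"amy": 10_000, "raj": 50_000}),
    (date(2024, 3, 1), "v2", {"amy": 15_000, "raj": 50_000, "lin": 250_000}),
]
# Constructed approval log, as it might be exported from the AP system.
APPROVALS = [
    ("INV-001", 12_000, "amy", date(2024, 2, 10)),   # over amy's v1 limit
    ("INV-002", 12_000, "amy", date(2024, 3, 5)),    # within amy's v2 limit
    ("INV-003", 90_000, "lin", date(2024, 1, 20)),   # lin is not listed until v2
    ("INV-004", 40_000, "raj", date(2022, 12, 30)),  # predates every version
]


def version_in_force(on):
    """Return (label, limits) for the version effective on a date, or None."""
    idx = bisect_right([v[0] for v in VERSIONS], on) - 1
    return None if idx < 0 else VERSIONS[idx][1:]


def audit(approvals):
    """Compare each logged approval with the limits in force on its approval date."""
    findings = []
    for invoice, amount, approver, approved_on in approvals:
        version = version_in_force(approved_on)
        if version is None:
            findings.append((invoice, None, "no matrix version in force"))
            continue
        label, limits = version
        if approver not in limits:
            findings.append((invoice, label, "approver not listed"))
        elif amount > limits[approver]:
            findings.append((invoice, label, "amount exceeds limit"))
    return findings
```

INV-001 and INV-002 carry the same approver and amount but land on opposite sides of the v2 effective date, which is why the check must use the approval date and not today's matrix.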
Stampli perspective
Stampli lets administrators express authority limits directly in the approval workflow - amount-based routing rules and approval-amount controls that require an authorized approver before an invoice can move to export or payment, with a "more approvers required" state when no assigned approver has sufficient authority. Because the rules run on ERP-aligned fields, the enforced matrix stays consistent with the financial structure the DOA was written against, and every approval is logged against the limit that applied.