How do I prevent maverick spend without becoming the department of no?

Lead with the why, not the rule. The "moment of reflection" before an irreversible purchase isn't bureaucracy - it's the thing that keeps spend aligned with priorities, and people accept that framing far better than "because finance said so." Then make it real: a request takes two minutes, approvals come back in a day, and status is visible. Pair that with visible wins - department heads getting real-time budget visibility, faster purchasing than the old chaos - so the process is something teams want, not endure. Reserve hard enforcement for repeat offenders after the easy path exists; punishing people for avoiding a painful process they had no good alternative to just breeds resentment.

A strict no-PO-no-pay policy works only after the sanctioned path is genuinely fast and well-known - otherwise it punishes people for a process failure that's yours, not theirs. Sequence it: fix intake and approval speed first, communicate relentlessly, give a grace period, then enforce. Even then, keep a documented emergency-ratification path for genuine edge cases. Done in the wrong order, no-PO-no-pay blows up vendor relationships (the vendor still expects payment) and drives spend further underground; done after the easy path exists, it's the backstop that makes the process stick.

Give software purchasing a fast sanctioned path (intake with IT review built in, quick approval), make what's already approved visible so people stop re-buying, then redirect expensed software to the process. Say yes faster, not no harder.

Carrots first (a faster, easier sanctioned path and budget self-service), communication always (why the ask matters), sticks last (enforcement for repeat offenders). The durable mix is mostly carrot; sticks alone just relocate the spend.

It's a rule that invoices without a valid PO won't be paid. Implement it after the request path is fast, with vendor communication (tell them to quote PO numbers) and a grace period, so vendors aren't caught by a policy your employees couldn't comply with. Phase it; don't flip it overnight.

Two-minute intake, automated routing with reminders and escalation, pre-approved common cases, and visible status. Benchmark your sanctioned path against the alternative (swiping a card) and close every gap where the workaround is faster.

Coach first (often they don't know the path or find it painful), then escalate to their manager with the data, then enforce consequences. Distinguish the confused from the willful - most "offenders" are the former, and the fix is process, not discipline.

Software/SaaS (easy to buy on a card, easy to duplicate), travel and entertainment, professional services, and low-dollar online purchases. Tighten controls and guided buying where the friction-to-bypass ratio is worst - usually SaaS.

Days 1 - 30: stand up one intake front door and a basic approval matrix; 30 - 60: turn on budget visibility at approval and a non-PO/off-process detection report; 60 - 90: tighten thresholds, add no-PO-no-pay for the categories that need it, and report the leak you've closed. Fast preventive control beats a year-long suite rollout.

Define what's legitimately a card/expense purchase (in-policy incidentals, true emergencies) versus a request, set card controls and limits, and redirect expensed purchases that should have been requests. The card stays for what it's good at; the request process owns committed spend.

Detect-and-coach wins long-term because it addresses why people bypass; pure block-and-control invents new workarounds. Use hard blocks surgically (the few categories where overruns are unacceptable) and coaching plus a faster path everywhere else.

Stampli's entire procurement design is a prevention strategy - make requesting simple, keep control sophisticated. One guided intake front door, AI that suggests preferred vendors and items and fills fields, budget validation before approval, fast automated routing, and real-time request status mean the sanctioned path is faster than going rogue. That's the core thesis: the "moment of reflection" at request time is the control, and it's designed to feel like alignment, not bureaucracy - which is what makes it stick where block-only approaches fail. Approved requests fan into POs, cards, or service tickets, so there's a clean path for every kind of purchase instead of a gap that invites the workaround.