Skip to content

Workflow & Roles


┌──────────────┐
│ pending │
└──────┬───────┘
│ (auditor picks up)
┌──────▼───────┐
│ under_review │
└──────┬───────┘
┌────────────┼────────────┐
│ │ │
┌──────▼──┐ ┌──────▼──┐ ┌─────▼────┐
│ approved │ │ rejected │ │ queried │
└──────┬───┘ └──────┬──┘ └─────┬────┘
│ │ │
┌──────▼──┐ ┌──────▼────┐ ┌────▼──────────┐
│ paid │ │resubmitted│ │vendor_responded│
└─────────┘ └──────┬────┘ └────┬───────────┘
│ │
┌──────▼───────────▼┐
│ under_review │
└───────────────────┘
StateDescription
pendingInvoice received, not yet reviewed
under_reviewAuditor is actively reviewing; validation engine has run
approvedAll checks passed or findings resolved; cleared for payment
rejectedSignificant issues found; invoice sent back to vendor
queriedSpecific questions sent to vendor about certain line items
vendor_respondedVendor has replied to query; awaiting auditor re-review
resubmittedVendor submitted a corrected invoice after rejection
paidInvoice approved and payment processed

RoleDescription
AdminFull system access. Manages organization settings, users, vendors, contracts.
Senior AuditorFull audit capabilities. Can approve any invoice, waive findings with documented reason.
AuditorStandard audit role. Can review, query, and approve invoices within threshold.
ViewerRead-only access. Can view invoices, findings, dashboards, and reports.
ActionAdminSenior AuditorAuditorViewer
Manage usersYesNoNoNo
Manage vendorsYesYesNoNo
Manage contractsYesYesNoNo
Create/edit rate cardsYesYesNoNo
Submit invoicesYesYesYesNo
Run validationYesYesYesNo
Review findingsYesYesYesYes (read-only)
Approve invoices (below threshold)YesYesYesNo
Approve invoices (above threshold)YesYesNoNo
Reject invoicesYesYesYesNo
Query vendorYesYesYesNo
Waive findingsYesYesNoNo
View dashboardYesYesYesYes
Generate reportsYesYesYesNo
View audit trailYesYesYesNo
Export dataYesYesYesNo
Manage organization settingsYesNoNoNo

Configurable per organization:

Invoice AmountRequired Approval
Under R50,000Any Auditor
R50,000 - R500,000Senior Auditor
Over R500,000Two approvals (dual sign-off)

These thresholds are stored in Organization.settings and can be adjusted by the Admin.

For high-value invoices requiring two approvals:

1. First approver reviews and approves → status stays "under_review"
2. System records first approval in audit log
3. Second approver (different user) reviews and approves → status becomes "approved"
4. Both approvers recorded in audit log

When an auditor queries a vendor about specific findings:

  1. Auditor initiates query

    • Selects specific findings to query
    • Writes a message to the vendor
    • Invoice status changes to queried
  2. System records the query

    • Query details stored with references to specific findings
    • Timestamp and auditor recorded in audit log
  3. Vendor notification (configurable)

    • Option A: Email sent to vendor contact with query details
    • Option B: Vendor logs into portal to see queries (post-MVP)
    • Option C: Manual — auditor handles communication externally
  4. Vendor response captured

    • Response text recorded against the query
    • Supporting documents can be attached
    • Invoice status changes to vendor_responded
  5. Auditor re-reviews

    • Reviews vendor response alongside original findings
    • Can approve, reject, or query further
    • All actions recorded in audit log
InvoiceQuery
├── id
├── invoiceId → Invoice
├── findingIds (JSON array — which findings this query relates to)
├── queryMessage (text sent to vendor)
├── queriedBy → User
├── queriedAt
├── vendorResponse (text — vendor's reply)
├── respondedAt
├── attachments (JSON array — file references)
├── status (open | responded | resolved)
└── resolvedBy → User

Each validation finding has its own lifecycle:

open → acknowledged → resolved
→ waived (with mandatory reason)
StatusDescription
openFinding detected by validation engine, not yet addressed
acknowledgedAuditor has seen the finding and is investigating
resolvedIssue was corrected (vendor resubmitted) or explained satisfactorily
waivedAuditor accepts the discrepancy with documented justification

Waivers are a sensitive action — they mean accepting a known discrepancy. Requirements:

  • Only Senior Auditor or Admin can waive findings
  • A written reason is mandatory
  • The waiver is permanently recorded in the audit log
  • Waivers are highlighted in monthly reports
  • Organizations can set a maximum waiver amount per period (configurable)

EventNotified Role
New invoice submittedAuditor, Senior Auditor
Critical findings detectedSenior Auditor
Invoice queried(External — vendor contact)
Vendor responded to queryOriginal querying auditor
Invoice pending approval (> 48 hrs)Senior Auditor
Monthly report readyAdmin, Senior Auditor

Email Notifications (Optional, Configurable)

Section titled “Email Notifications (Optional, Configurable)”
  • Can be enabled/disabled per notification type
  • Digest mode available (daily summary instead of real-time)