Approval limits matrix with spending thresholds

Approval limits belong inside live workflows, not static spreadsheets. Here is how we approach approval management.

I’ve spent years watching organizations build beautiful approval limits matrices. Color-coded Excel files. Laminated PDFs pinned to cubicle walls. Elaborate SharePoint pages with version histories nobody reads.

They all share the same fate. Within three months, the matrix is wrong. Someone left. Budgets changed. A new VP arrived with different spending authority. And the person who built the original spreadsheet? They moved to another department.

This is the fundamental problem with every static approval limits matrix. It describes a moment in time. Organizations don’t hold still.

What an approval limits matrix actually defines

Before I get into why most of these break, let’s be clear about what we’re building. An approval limits matrix — sometimes called a spending authority matrix or delegation of authority matrix — maps dollar thresholds to specific roles. It answers one question: who can approve spending of this amount?

Here is a typical tier structure you would see at a mid-market company with 200-500 employees:

That looks clean. Logical. The kind of thing you’d put in a delegation of authority policy and feel good about.

The trouble starts on day one of implementation.

Your marketing director wants to approve a $30,000 campaign buy. The matrix says VP approval required. But the VP is traveling for two weeks. Does marketing wait and miss the campaign window? Does someone else approve it outside the matrix? Does the director just… do it anyway and hope nobody notices?

That last option happens far more than anyone admits.

Why dollar thresholds need context, not just numbers

In discussions we’ve had about approval workflows, one pattern shows up constantly: companies copy threshold numbers from templates they find online without asking whether those numbers match their actual risk profile.

A $5,000 threshold makes sense for a bootstrapped startup where that amount is a meaningful percentage of monthly operating expenses. For a company doing $50 million in annual revenue, requiring director-level sign-off on a $5,000 purchase creates bottlenecks without reducing risk. That same company might need tighter controls on $50,000+ commitments where real financial exposure begins.

Here is how threshold tiers should shift based on company size:

These aren’t universal rules. They’re starting points. Your actual thresholds should reflect your industry, cash position, and how much damage a bad approval could cause. A healthcare company might need lower thresholds for vendor contracts because of compliance requirements. A construction firm might have higher thresholds for materials purchasing because their project costs naturally run bigger.

The point is — the numbers aren’t the hard part. Enforcing them is.

Audit problem nobody talks about until it is too late

Auditors don’t care what your approval limits matrix says. They care what actually happened. I’ve seen this play out dozens of times in conversations about compliance workflows. A company has a perfectly documented spending authority matrix. It lives in a policy manual. Everyone signed an acknowledgment form during onboarding. And then the auditor pulls transaction records and finds that 15% of purchases were approved by people without the required authority level. SOX Section 404 requires companies to assess and report on internal controls over financial reporting. If your approval matrix says the CFO must approve anything over $100,000, but your systems allow anyone with a login to process a $200,000 purchase order, you have a material weakness. Not a minor finding. A material weakness.

The ACFE’s 2024 Report to the Nations drives this home hard. They analyzed 1,921 real fraud cases and found that 32% of occupational fraud occurred because internal controls simply didn’t exist, and another 19% happened because existing controls were overridden. That’s over half of all fraud cases tied to control failures.

Anti-fraud controls — when they actually work — reduce median losses by 23% to 63%. But a static PDF doesn’t qualify as a working control. A matrix that nobody enforces is the same as having no matrix at all.

This is where most organizations fool themselves. They document controls to satisfy auditors during the annual review, then run their actual operations through email approvals, Slack messages, and verbal sign-offs that leave zero trail.

How spending categories change the game

Dollar amount is only one dimension. Smart approval limits matrices also consider what is being purchased, not just how much it costs.

After watching hundreds of teams try this, the ones that get it right split their matrix across spending categories, not just dollar amounts. Different spending categories carry different risk profiles:

Capital expenditures (equipment, real estate, technology infrastructure) — these commit the organization long-term. A $50,000 server purchase locks you into a 5-year depreciation schedule. These typically need tighter controls than operating expenses of the same amount.

Recurring commitments (SaaS subscriptions, service contracts, leases) — a $2,000/month subscription looks small until you realize it’s a $24,000 annual commitment with auto-renewal. Some organizations treat these as the annualized value for approval purposes. Others don’t, and that’s how you end up with $500,000 in SaaS sprawl that nobody approved at the aggregate level.

One-time operational expenses (travel, supplies, marketing spend) — lower risk because they don’t create ongoing obligations. These can often tolerate higher thresholds before escalation.

Vendor onboarding — the first purchase from a new vendor deserves a different approval path than a repeat order from an existing supplier. New vendor risk isn’t just about dollars. It’s about due diligence, compliance screening, and payment terms that create exposure.

At Tallyfy, we’ve seen organizations that map their approval matrix across both axes — amount AND category — catch problems that a simple dollar-threshold approach misses entirely. A purchase order process that routes differently based on vendor status and spending category is dramatically more effective than one that only looks at the price tag.

Why static matrices break when organizations change

Here is where I get genuinely frustrated. Every organization knows that people come and go. Roles change. Departments restructure. Budgets get revised quarterly. And yet they build their approval limits matrix as a fixed document.

Think about what happens during a reorg. Your VP of Operations leaves. The CFO absorbs their responsibilities temporarily. Three directors who reported to that VP now report to someone in a different division. The approval matrix still lists the departed VP as the required approver for $25,000-$100,000 in operations spending.

What happens? One of three things:

1. Requests stall because nobody knows who should approve them
2. Someone picks a random senior person and routes the approval there
3. People bypass the matrix entirely and get approvals through back channels

None of these are acceptable. All three create audit risk. And all three happen constantly in organizations that rely on static approval matrices.

What caught us off guard is how often companies restructure some part of their approval hierarchy — at least twice per year. Annual budget cycles, mid-year headcount changes, M&A activity, new product lines — any of these can invalidate your carefully constructed delegation of authority matrix.

The fix isn’t building a better spreadsheet. It’s embedding approval rules into a system that updates when roles change. When someone’s title changes in your HR system, their approval authority should update automatically. When a new VP joins, they should inherit the approval thresholds for that role without someone manually updating a spreadsheet.

This is exactly why we built Tallyfy to handle approval routing dynamically. The approval logic lives in the workflow, not in a document that someone has to remember to update.

Building an approval limits matrix that survives contact with reality

If you’re going to build one of these — and you should — here’s what matters more than the specific dollar amounts.

Start with your actual transaction data. Pull the last 12 months of purchases. What’s the distribution? If 80% of your transactions fall under $5,000, your matrix needs to be fast and frictionless at that level. Don’t create a three-person approval chain for the volume of transactions that represent your bread and butter.

Map exceptions before they happen. Emergency purchases. Sole-source vendors. Contract renewals with escalation clauses. Pre-approved budgets where the approval happened at the budget level, not the transaction level. Every one of these will hit your matrix, and if you haven’t planned for them, people will route around the system.

Build escalation paths, not just approval levels. What happens when an approver is on vacation? What happens when a request sits unapproved for 48 hours? What happens when someone needs to split a purchase across two budget codes? Your matrix needs answers for these scenarios or it will be ignored.

Review thresholds quarterly, not annually. Annual reviews mean your matrix is wrong for 11 months of the year. Quick quarterly checks — do these thresholds still match our risk tolerance, have roles changed, are we seeing bottlenecks at specific levels — keep the matrix relevant.

Separate the authority from the person. The VP of Marketing should be able to approve up to $100,000. When that VP leaves and a new one starts, the authority transfers with the role, not the individual. This sounds obvious but I am amazed how many companies tie approval authority to specific named individuals instead of roles.

In our experience with workflow automation, the organizations that succeed with approval limits aren’t the ones with the most detailed matrices. They’re the ones that embed their approval rules into automated workflows where the system enforces what the policy defines. No memory required. No spreadsheet lookups. The request hits the right desk at the right threshold every time.

The real trend shaping approval governance

Everyone’s building AI agents. Nobody’s building the workflows they need to follow.

Think about what happens when an AI agent can initiate purchase orders, process expense reports, or commit to vendor contracts. The approval limits matrix isn’t just a governance document anymore — it’s the guardrail that prevents autonomous systems from spending without oversight.

An AI agent that can place orders up to $10,000 without human review needs the same kind of threshold controls that a junior manager does. Probably tighter ones, honestly, because an AI agent doesn’t get tired, doesn’t take lunch breaks, and can process hundreds of transactions per hour. Without embedded approval limits, an AI purchasing agent could burn through a quarterly budget before anyone notices.

This isn’t a theoretical concern. It’s the next wave of approval management that most organizations aren’t preparing for. The companies that embed their approval limits into structured workflows now will be the ones ready to add AI agents to those workflows later. The ones still running on spreadsheets and email approvals? They’ll be scrambling to bolt on controls after something goes wrong.

My guess is that within two years, every serious approval limits matrix will include a row for automated systems alongside the human roles. And the organizations that treat their matrix as a living, enforced system — not a static document — will be the only ones that transition smoothly.