GRC Training — Internal Controls & Control Bypass

A Procurement Team Has Been Routinely Bypassing a Required Three-Way Match Approval for One Trusted Vendor Because It “Slows Things Down.” No Problems in Six Months. Is That a Risk Issue?

A real GRC internal controls scenario — with three decision options and the right answer.

Quick Answer

Does a routine bypass of a required internal control — even for a trusted vendor with no prior problems — create a compliance and governance risk that should be escalated?

Yes. Internal controls exist because trust is not a substitute for verification. A three-way match control — matching purchase orders, receiving records, and invoices before payment — exists specifically to catch invoice fraud, billing errors, and unauthorized charges. Bypassing it for a trusted vendor does not reduce the risk of those problems occurring. It eliminates the mechanism designed to detect them. The six months without incident is not evidence that the bypass is safe. It is evidence that no problem has been detected, which is different.

The Situation

A procurement coordinator at a manufacturing company has been processing invoices from one of the company’s longest-standing suppliers — a materials vendor the company has worked with for eight years — without completing the required three-way match approval process. The standard process requires matching the supplier’s invoice against the original purchase order and the receiving department’s delivery confirmation before approving payment. For this vendor, the coordinator’s manager told them six months ago to just process the invoices directly because “they always bill correctly and the approval process just creates delays.”

A new internal auditor is conducting a routine procurement audit and has noticed that six months of invoices from this vendor lack three-way match records. The coordinator explains the manager’s instructions. The auditor asks the coordinator what they think should happen next.

The coordinator has been following their manager’s direct instruction. The vendor has been a reliable partner for years. Nothing has gone wrong. They’re not sure there’s actually a problem.

What Should the Coordinator Do Now?

Choice A: Explain the manager’s instruction to the auditor and let the auditor handle it. The coordinator was following direct instructions from their manager. The decision to bypass the control was the manager’s, not the coordinator’s. This is now an audit finding and not the coordinator’s responsibility to resolve.

Choice B: Cooperate fully with the auditor, confirm that the bypass has been occurring for six months, and immediately reinstate the three-way match process for all future invoices from this vendor — regardless of the manager’s prior instruction — pending a formal review of the control exception by Finance leadership or Internal Audit.

Choice C: Ask the manager to speak to the auditor directly — this was the manager’s decision and they should explain it. The coordinator should not make commitments about changing the process without the manager’s involvement.

The Right Call

Choice B — Cooperate fully, confirm the situation accurately, and reinstate the control immediately.

Choice A is partially correct — explaining the manager’s instruction is appropriate — but stopping there leaves the control bypass in place. Choice C defers to the manager in a situation where an internal audit is active, which is inappropriate — the auditor’s authority in this context is independent of the management chain, and the coordinator should not wait for manager approval to cooperate with an audit or to reinstate a required control. The manager’s instruction to bypass the control was outside the manager’s authority. Reinstating the control is not insubordination. It is correcting a governance error.

Why This Is Harder Than It Looks

Trust is not a substitute for controls — it is why controls are necessary.

The rationalization for bypassing the three-way match is that the vendor is trusted and reliable. But internal controls are not designed for untrustworthy vendors — they are designed to catch errors, billing discrepancies, and fraud that trusted relationships make it easy to overlook. An eight-year vendor relationship creates exactly the conditions under which a fraudulent billing pattern could develop undetected — because the trust makes verification feel unnecessary. The control exists to prevent that outcome. Bypassing it because of trust defeats the purpose entirely.

“Six months without problems” is not evidence that the bypass is safe.

Six months without detected problems is not the same as six months without problems. Invoice fraud and billing errors often run for extended periods before being caught — precisely because the detection mechanism has been removed. The absence of a detected problem during the bypass period is consistent with both “the bypass is fine” and “the bypass has allowed a problem to develop undetected.” Only reinstating the control and auditing the six-month period can distinguish between the two.

A manager cannot authorize the permanent bypass of a required internal control.

Internal controls are established by the organization — through Finance, Internal Audit, or the board’s audit committee — not by individual managers. A manager who instructs a direct report to bypass a required control has exceeded their authority, regardless of their business rationale. The coordinator who followed that instruction was not at fault for following their manager’s direction. But the coordinator who continues to follow it after an internal auditor has identified it as a control gap has a clearer obligation: reinstate the control and let the audit process assess the period when it was bypassed.


Frequently Asked Questions

What is a three-way match and why is it a required internal control?

A three-way match is a procurement control that requires matching three documents before approving payment: the purchase order (what was ordered and at what price), the receiving document (confirmation that goods or services were received), and the vendor invoice (what the vendor is billing). The control prevents payment for goods not received, overbilling, and fraudulent invoices. It is one of the most fundamental accounts payable controls and is required by most internal control frameworks, including SOX for public companies.
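The three checks described above, as an added example that is not part of the original scenario: it runs each invoice against a constructed purchase order and receiving record (hypothetical vendor name, document ids and amounts), and then performs the auditor's pass, re-running the control over the invoices that were paid without a match record.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass
class PurchaseOrder:
    po_id: str
    vendor: str
    qty: int
    unit_price: Decimal

@dataclass
class Invoice:
    invoice_id: str
    po_id: str
    vendor: str
    qty: int
    unit_price: Decimal
    match_recorded: bool  # True if a three-way match record exists for the payment

# Constructed sample data (hypothetical vendor and document ids, not from the scenario).
PURCHASE_ORDERS = {
    "PO-1001": PurchaseOrder("PO-1001", "Acme Materials", 100, Decimal("12.50")),
    "PO-1002": PurchaseOrder("PO-1002", "Acme Materials", 40, Decimal("80.00")),
}
RECEIVED_QTY = {"PO-1001": 100, "PO-1002": 30}  # receiving department's delivery confirmations
INVOICES = [
    Invoice("INV-1", "PO-1001", "Acme Materials", 100, Decimal("12.50"), True),
    Invoice("INV-2", "PO-1002", "Acme Materials", 40, Decimal("80.00"), False),  # 10 units never received
    Invoice("INV-3", "PO-1001", "Acme Materials", 100, Decimal("13.75"), False),  # price above the PO
]

def three_way_match(inv, pos, received):
    """Return exception reasons for one invoice; an empty list means PO, receipt and invoice agree."""
    po = pos.get(inv.po_id)
    if po is None or po.vendor != inv.vendor:
        return [f"{inv.invoice_id}: no purchase order {inv.po_id} for vendor {inv.vendor}"]
    problems = []
    if inv.unit_price != po.unit_price:
        problems.append(f"{inv.invoice_id}: unit price {inv.unit_price} differs from PO price {po.unit_price}")
    if inv.qty > po.qty:
        problems.append(f"{inv.invoice_id}: billed {inv.qty} units but PO authorizes {po.qty}")
    if inv.qty > received.get(inv.po_id, 0):
        problems.append(f"{inv.invoice_id}: billed {inv.qty} units but receiving confirms {received.get(inv.po_id, 0)}")
    return problems

def audit_bypassed_invoices(invoices, pos, received):
    """Auditor's pass: re-run the control over every invoice that was paid without a match record."""
    return {i.invoice_id: three_way_match(i, pos, received) for i in invoices if not i.match_recorded}
```

Against this data the matched invoice clears, while both bypassed invoices surface an exception the control would have caught before payment.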

Can a manager authorize an exception to a required internal control?

Generally, no: not permanently, and not informally. Most internal control frameworks allow for documented, formal exceptions under specific circumstances, which are reviewed and approved by Finance leadership or Internal Audit. An informal verbal instruction from a line manager to bypass a control is not a legitimate control exception. It is a control failure that creates audit exposure for the organization and personal liability for the manager who gave the instruction.

What should an employee do if a manager instructs them to bypass a required internal control?

Ask for the instruction in writing and request that it be approved through the formal control exception process. If the manager declines to formalize the exception, that is a signal that the bypass is not authorized. Escalate to Finance leadership, Internal Audit, or Compliance. Document the escalation. Following a manager’s informal verbal instruction to bypass a required control creates personal risk for the employee because the manager’s instruction does not transfer the employee’s accountability for the control failure.

How to Use This Scenario in Training

Recommended for procurement, accounts payable, finance operations, and internal audit teams. Also valuable for managers in any function where internal controls govern operational processes: the scenario makes clear that informal bypass instructions exceed managerial authority regardless of business rationale.

This scenario illustrates the normalization pressure signal at the heart of the Decision Readiness Engine™: “We’ve been doing this for six months, and nothing has gone wrong” is one of the most powerful rationalizations in risk management. Decision-ready employees recognize that normalization of a control bypass is itself a risk signal — not evidence that the bypass is acceptable.


© 2005–2026 Xcelus LLC. All rights reserved. Scenario content is original work protected by copyright. You may link freely — reproduction or adaptation without written permission is prohibited.