- 19
- February
Another classic problem every organization faces when adopting ERP — executives refuse to approve transactions themselves, delegating the task to their secretaries because they prefer signing physical documents over using the system. It may seem trivial, but the consequences are far greater than you might think.
Why Do Executives Refuse to Approve Themselves?
Before solving the problem, we need to understand the root causes:
- Ingrained "signature" culture — Many senior executives grew up signing paper documents. "Clicking a button" in the system doesn't feel like a real "signature" to them.
- Unfamiliar with technology — Small screens, too many buttons, fear of clicking the wrong thing, fear of approving the wrong item.
- No time — Executives are busy with meetings all day and don't have time to open the system and review items one by one.
- "What's a secretary for?" — They believe secretaries should handle all document-related tasks, including approvals.
- "We've always done it this way" — In the old days, secretaries brought documents for signing. With the new system, they just have secretaries click instead.
Scenario: One Secretary Managing Three Executives
Imagine a scenario that actually occurs in many organizations:
Scenario
Ms. Somsri is an executive secretary managing 3 executives:
- Executive A — Deputy Managing Director (approval limit up to 5 million baht)
- Executive B — Procurement Director (approves all POs)
- Executive C — Finance Director (approves payments)
All three refuse to approve themselves — they share their passwords with Ms. Somsri, who logs into all 3 accounts to approve every item on their behalf.
The Consequences — Bigger Than You Think
1. Internal Controls Collapse
A fundamental principle of internal control is Segregation of Duties (SOD) — separating responsibilities so that no single person can both create and approve the same transaction.
When the secretary approves on behalf of 3 executives, it means:
- Ms. Somsri has simultaneous access at the authority level of 3 executives
- If Ms. Somsri creates a PR, approves the PO (as Executive B), and approves payment (as Executive C), the entire flow is completed without any independent review.
- A well-designed SOD framework becomes worthless
2. Audit Trail Becomes Unreliable
The ERP system records "Executive A approved at 10:30 AM" but in reality, Ms. Somsri clicked the button — the entire audit trail is falsified
If issues arise, such as approving an incorrect payment or fraud:
- The system points to the executive — but the executive says "I didn't click"
- The secretary says "They told me to click"
- Nobody takes responsibility — because there is no evidence of who actually gave the order
3. Fraud Risk
A single person with 3 executives' passwords can:
| What Can Be Done | Using Authority Of | Impact |
|---|---|---|
| Create fraudulent purchase orders (POs) | Executive B | Order from a vendor they are personally connected to |
| Approve payment to a fictitious vendor | Executive C | Money leaves the organization with no actual goods |
| Approve high-value transactions | Executive A | Bypass items that normally require Board approval |
| Modify master data | All 3 executives | Change a vendor's bank account number |
This is not hypothetical — many major corporate fraud cases have resulted from sharing executive passwords with others.
4. Legal and Compliance Issues
- Thailand's Computer Crime Act (2017) — Accessing a system using another person's account is considered unauthorized access, even if the account owner instructed it.
- Accounting standards — Auditors will question IT General Controls if they discover password sharing.
- ISO 27001 — Section 9.2 requires individual user accounts and prohibits credential sharing.
5. The Secretary Bears All the Risk
A perspective often overlooked — the secretary is the most at-risk person in this situation:
- If issues arise, the system records the executive as the actor — but the executive will deny it
- The secretary has no written "instructions" — they received only verbal orders
- If fraud is committed by someone else during the secretary's login session — the secretary becomes the prime suspect
- Carries triple the workload — memorizing 3 sets of passwords, logging in 3 times, reviewing 3 queues of documents
Real Workload Analysis: One Secretary, Three Executives
Consider what happens when one secretary approves on behalf of 3 executives:
| Task | Executive A | Executive B | Executive C | Total/Day |
|---|---|---|---|---|
| Approve PR/PO | 5 | 15 | — | 20 |
| Approve Payments | 3 | — | 20 | 23 |
| Approve Leave/OT | 10 | 8 | 5 | 23 |
| Approve Other Documents | 5 | 5 | 5 | 15 |
| Daily Total | 23 | 28 | 30 | 81 items |
81 items per day — the secretary must log in and out of 3 accounts, review documents before clicking, and field questions from departments waiting for approval across all 3 queues.
Hidden Consequences
- Executive B is in meetings all day, so 28 documents are stuck waiting, and the entire procurement flow grinds to a halt.
- Ms. Somsri takes one sick day and none of the 3 executives can approve anything because they don't even know their own passwords.
- Ms. Somsri mistakenly approves the wrong item under Executive C's account. Who is responsible — Executive C or Ms. Somsri?
- Auditors discover a transaction was approved at 8:30 AM, but Executive A hadn't arrived at the office yet — Red Flag
Solutions — How to Get Executives to Approve Themselves
1. Make Approval as Easy as Possible
The core problem is that it's "difficult" and "inconvenient" — so address the root cause:
- Mobile Approval — Approve via smartphone without needing a computer. Executives can approve between meetings.
- LINE / Email Notification — The system sends alerts when items await approval, with a direct approval link (LINE notifications incur additional costs).
- Summary Dashboard — A single screen showing all pending approvals at a glance, with one-click approval from the same page.
2. Formally Appoint Acting Authorities
If executives are genuinely unavailable, a good ERP system should offer:
- Acting Authority — Officially appoint a delegate through the system. When the approver is absent, documents are automatically routed to the acting authority, with a full record of who appointed whom and for what period.
- Escalation Rule — If an item has been pending beyond a set number of hours, it's automatically escalated to the next level of management.
- Auto-Approval — Transactions below a defined threshold are automatically approved without executive intervention.
3. Establish a Clear "No Password Sharing" Policy
Organizations must have a clear IT security policy that states:
- Passwords are personal and confidential — sharing with others is prohibited under any circumstances.
- Account owners are responsible for all transactions — made under their account.
- Disciplinary measures — for both those who share and those who use others' passwords.
- Implement 2FA — Adding two-factor authentication makes it harder for others to approve on someone's behalf.
4. Change the Executive Mindset
The most effective approach is helping executives "understand" why they must approve personally:
- Explain through risk — "If the secretary commits fraud, the system will point to you because your account was used."
- Explain through legal implications — "If auditors find password sharing, it will impact the audit report."
- Explain through image — "Executives who use the system are seen as modern leaders."
- Lead by example from the CEO — If the CEO approves personally, others will follow.
How Saeree ERP Supports Approvals
| Feature | Description |
|---|---|
| Multi-Level Approval | Define approval sequences based on amount thresholds and document types |
| Mobile Approval | Approve via smartphone anytime, anywhere |
| Notification | Email / LINE notifications when items await approval (LINE incurs additional costs) |
| Acting Authority | Appoint an acting authority. Documents are automatically routed to the delegate with full audit trail. |
| Escalation | Overdue items are automatically escalated to backup approvers |
| 2FA Authentication | Two-factor authentication to prevent unauthorized account use |
| Audit Trail | Every action is logged — who, what, when, and from which IP address |
Why Doesn't Saeree ERP Have Batch Approval?
Many systems offer "Batch Approval" — select multiple items and approve them all at once. It sounds convenient, but in practice it creates new and even more serious problems:
- Approvers don't review documents individually — they approve the entire batch without reading
- Problematic or irregular documents slip through alongside normal items
- The audit trail records "approved" but the approver never actually saw the content
- Internal controls are equally compromised — just shifting from "having the secretary click" to "clicking yourself without looking"
Saeree ERP is therefore designed so that every item must be opened and reviewed before approval — but the review and approval process is made as quick and easy as possible, taking just 3 seconds per item on mobile.
Conclusion: "Having the Secretary Click" Is Not the Same as "Appointing an Acting Authority"
A common misconception among executives is that having a secretary approve on their behalf is equivalent to appointing an acting authority. In reality:
| Having the Secretary Click (Sharing Passwords) | Appointing Acting Authority Through the System | |
|---|---|---|
| Audit Trail | Records executive as the actor (false) | Records the delegate as the actor on behalf of the executive (true) |
| Accountability | Unclear — who is responsible? | Clear — there is a record of the delegation |
| Scope | Secretary has full access equal to the executive | Can be limited — by document type and amount threshold |
| Duration | Indefinite — secretary knows the password permanently | Configurable — with start and end dates |
| Compliance | Violates every standard | Passes audits |
If your organization faces this problem — don't let it become "normal". When a real incident occurs, nobody will take responsibility, and the system you invested in won't be able to protect your organization.
Saeree ERP — Designed for Easy Executive Approval
Saeree ERP is designed to make approvals as easy as possible — approve via mobile in just 3 seconds, with LINE notifications (additional cost), an acting authority system for when approvers are absent (documents automatically reroute to delegates), and escalation rules for automatic forwarding. Everything has a complete audit trail and meets all compliance standards. By design, there is no Batch Approval because every item must be reviewed before approval.
