Case Study: Transforming Purchase-to-Pay in a Complex Estates Environment

SUMMARY

This case study presents a classic inherited control vacuum — not a single catastrophic failure, but a slow accumulation of workarounds, informal practices and unmanaged risk that had compounded over years, likely accelerated by staff turnover, and under-investment in finance systems. The organisation was operationally exposed on multiple fronts simultaneously: fraud risk, duplicate payment risk, budget control failure, audit vulnerability and supplier relationship damage — all running concurrently, largely invisible to management.

The response was proportionate, pragmatic and effective.

Over time the problems had compounded:

  • No invoice register — status was unknown on arrival

  • Duplicate invoice approvals — managers approving invoices even where the PO had already been authorised. PO approval is the authorisation to spend: when a manager approves the requisition, they confirm the supplier, value, and budget code. Re-approving the subsequent invoice duplicates effort and introduces avoidable delay. Where the invoice matches the approved PO, it should proceed directly to payment.

  • POs being raised after invoices arrived, not before work was commissioned. Manual PO insertion into invoice PDFs. When invoices arrived without a PO number, a requisition had to be raised in the ERP, waited a few hours, and the resulting PO number manually typed into the invoice PDF using Adobe Acrobat before it could progress. This created risk: the invoice may already have been paid.

  • Managers raising POs against invoices — not quotations. The organisation policy required POs to be raised on quotations, before work was commissioned. In practice, managers were routinely raising POs after the fact, directly from invoices — including seven in a single day. This created duplicate payment risk and made it impossible to budget-control expenditure in advance.

  • Expired POs used by suppliers. Suppliers were referencing PO numbers that had been closed for years (in one case, a PO raised in 2013 and closed in 2014 was still appearing on invoices in 2023). These invoices could not be processed and required time-consuming investigation and negotiation.

  • No supplier master database. There was no central record of which suppliers were active, what recurring charges to expect, or which buildings and budgets each supplier related to. Ledger coding had to be recalled from memory or investigated each time.

  • Different people followed different steps and there was no single, agreed process to rely on (no SOPs )

The response was proportionate, pragmatic and effective.

This improved process introduces three key changes: (1) a No PO, No Pay policy — invoices with a valid PO are processed directly without a separate invoice approval, because the PO is the authorised commitment to spend. (2) Manager

self-certification of delivery in Notion — managers update the PO record when goods arrive, eliminating the admin chasing loop entirely. (3) A Notion P2P Register runs in parallel with Oracle at every stage, providing a searchable, real-time register for duplicate checking and status tracking.

LESSONS LEARNED

1. Workarounds are a symptom of process failure, not individual failure. The team were capable and committed — but working around a broken system. The problem was the absence of governance, not the absence of effort.

2. A helpdesk is not a financial control environment. Tools must be selected for fitness of purpose. Using a support ticketing system as an AP inbox removed every financial control that should exist at the point of invoice receipt.

3. Volume and complexity amplify control gaps. 100 invoices per week across a large estate will expose every weakness in a process. Scale demands discipline; informal processes collapse under load.

4. Document modification — however well-intentioned — is never an acceptable compensating control.The PDF editing practice needed to stop the day it was discovered. The correct response is to fix the upstream process, not legitimise document alteration.

5. Management information is a control, not a luxury. Without MI, management cannot see the problem. What cannot be measured cannot be managed, and what cannot be managed cannot be controlled.

6. The right time to fix a P2P process is before audit — not during it. The remediation gave the team a more reliable control environment going into audit. Ideally, the controls would never have degraded to this point — but the recovery before audit scrutiny was the correct priority.