ExpenseAnywhere Corporation

ExpenseAnywhere joins forces with FCM India to power next-gen T&E automation.
Gant Travel partners with ExpenseAnywhere to simplify enterprise T&E.
BCD Travel and ExpenseAnywhere unite to transform corporate T&E management.
ExpenseAnywhere wins exclusive AFI master agreement, a major nationwide mandate.
×

The 99% Policy Compliance Lie: Why the Metric Every Controller Reports Up Is Almost Meaningless

a finance leader check marking on compliance policy

Every quarter, somewhere in a board deck, a controller stands up and reports a policy compliance rate north of 98 or 99% for the company’s travel and expense program. The room nods. It sounds like control. It sounds like discipline. It sounds like the finance function is doing its job.

I want to gently suggest that number is closer to a magic trick than a metric.

Not because anyone’s lying. Most finance teams reporting a near-perfect travel and expense policy compliance score genuinely believe it reflects reality. The problem is structural, not ethical. The metric is built to produce a high number almost regardless of how well spend is actually being governed. And once you understand why, you’ll never read a 99% compliance slide the same way again.

What “99% Compliant” Actually Measures

Here’s the mechanic nobody explains clearly enough. Most compliance policy scores are calculated as the percentage of submitted expense line items that don’t trigger a policy exception flag. That’s it. That’s the whole formula in most policy compliance software and expense policy compliance dashboards.

Read that definition again and notice what it silently excludes:

  • Spend that was never submitted at all because an employee routed it around the system
  • Spend that technically matches a policy rule but was clearly a poor business decision (a policy can permit something dumb)
  • Spend where the policy itself hasn’t been updated in three years and no longer reflects real market pricing or business needs
  • Spend approved by an exception override that counts as “resolved” rather than “non-compliant” once a manager clicks approve

A 99% compliance rate doesn’t mean 99% of your spend was appropriate. It means 99% of what showed up in the system matched a rule that already existed. Those are not remotely the same claim, and treating them as equivalent is how finance leaders end up confidently reporting control they don’t actually have.

The Denominator Problem

If you want to understand why this KPI misleads, you have to understand its denominator, and its denominator is broken.

Travel policy compliance rates are calculated against submitted transactions, not total spend. But total spend includes categories that never reliably make it into the policy compliance tracking system in the first place – informal reimbursements handled outside the platform, personal card charges that get bundled into “miscellaneous,” or bookings made through side channels because the “compliant” option was more expensive or less convenient that week. None of that shows up as a violation. It just doesn’t show up.

This isn’t hypothetical. On the accounts payable side, the parallel problem is well documented at scale. The U.S. Government Accountability Office’s fiscal year 2024 report on federal improper payments found that agencies reported roughly $162 billion in improper payments across 68 programs, the vast majority of it, about 84%, attributable to overpayments rather than outright fraud. Cumulative improper payments across the federal government since 2003 sit at roughly $2.8 trillion. These are organizations with some of the most codified accounts payable policy frameworks and compliance reporting requirements in existence under the Payment Integrity Information Act, and the numbers still slip through because compliance reporting measures adherence to known, submitted transactions, not the true universe of spend. Private-sector T&E and AP programs, with far less regulatory scrutiny, are not magically better positioned than a federally mandated payment integrity framework.

Why a High Compliance Score Can Coexist with Real Leakage

Let’s make this concrete with the fraud data, because it illustrates the gap perfectly. The ACFE’s Occupational Fraud 2024 Report to the Nations found that asset misappropriation, the category that includes expense reimbursement schemes, occurs in 89% of all occupational fraud cases studied, with a typical scheme running around 12 months before anyone catches it. Median losses across all fraud types studied came in at $145,000 per case, and the report notes organizations lose an average of roughly 5% of annual revenue to occupational fraud in aggregate.

Now hold that next to a company reporting 99% expense policy compliance. Both things can be true simultaneously. A scheme can run for a year, generating real financial damage, while every individual submitted transaction technically passes a rules-based policy check, because the rule was never designed to catch it, or because the fraudulent submissions were structured just below whatever threshold triggers a flag. High compliance scores and active leakage are not contradictory. They’re two different measurements of two different things being mistakenly presented as one.

This is exactly why policy compliance management built purely around rule-matching at the reporting stage will always have a ceiling on what it can actually protect. It’s answering “did this match the rule” when the real question finance needs answered is “should this spend have happened at all?”

The Same Blind Spot Shows Up in Accounts Payable

It’s not just T&E. Accounts payable policy compliance suffers from an almost identical structural flaw, and it’s worth naming because the two functions often get evaluated with the same lazy logic.

Ardent Partners’ 2025 AP benchmarking research, drawn from 212 accounts payable professionals, found that only 32.6% of invoices industry-wide are processed without human intervention, meaning the majority still pass through manual touchpoints where policy enforcement depends on an individual’s judgment in the moment, not a systematized control. Best-in-class organizations have pushed touchless processing to 49.2%, meaningfully better, but still short of half. If a controller is reporting near-perfect compliance policy adherence for AP while more than two-thirds of invoices require manual handling somewhere in the process, that compliance number is measuring the diligence of individual reviewers on a given day far more than it’s measuring systemic control. People get tired. People get rushed at month-end close. A policy compliance rate that leans on human consistency at scale is a policy compliance rate with an expiration date.

This matters even more for multinational organizations trying to answer a question that comes up constantly in vendor evaluations: which accounts payable platforms support global compliance across jurisdictions with different tax, VAT, and regulatory reporting requirements? The honest answer is that very few do this well out of the box, because global compliance isn’t a single rule set; it’s dozens of overlapping rule sets (GST e-invoicing and IRN requirements in India, VAT reclamation logic across the EU, use-tax geo-code validation in the U.S.) that have to be enforced simultaneously without creating a bottleneck. A platform that only validates against one region’s framework and calls the result “compliant” is running the same denominator problem described above, just with a geographic blind spot layered on top.

What Actually Improves Policy Compliance, Not Just the Metric

If the goal is real control rather than a reassuring number, the fix isn’t a better dashboard. It’s changing where enforcement happens.

1. Move enforcement to the point of commitment, not the point of review

Policy compliance software that only evaluates transactions after they’re submitted is auditing history. Enforcement embedded at the corporate card level, the pre-trip approval stage, or the purchase requisition stage stops the non-compliant transaction before it becomes a data point at all, which means it never needs to be “caught,” because it never happened.

2. Track exception override rates, not just exception rates

If a policy engine flags a violation and a manager routinely clicks “approve anyway,” that transaction still resolves as compliant in most reporting. The override rate, how often exceptions get waved through versus genuinely resolved, is a far more honest signal of whether policy is actually governing behavior.

3. Audit the policy itself on a schedule, not just the spend against it

A travel and expense policy that hasn’t been benchmarked against current market rates, current per diem tables, or current business travel patterns in two or three years will produce compliant-looking data that’s quietly out of step with reality. Static policy compliance software mapped to a static policy will always report high adherence to rules that themselves need updating.

4. Separate volume-based compliance from risk-weighted compliance

Not every policy violation carries equal risk. A $40 meal overage and a duplicate $4,000 vendor payment should not be scored with the same weight in a compliance rollup, yet most simple policy compliance tracking software treats every flagged line item identically. Risk-weighted reporting tells the CFO something a flat percentage never will.

What I’d Put in Front of the Board Instead

If I were rebuilding that quarterly slide, the 99% number wouldn’t survive. In its place:

  • Percentage of total spend under active policy enforcement, not just submitted spend that happened to comply
  • Override rate on flagged exceptions, trended over time
  • Time between policy update cycles, to show the policy itself is a living document
  • Cross-functional compliance parity between T&E and AP, since a strong number in one and a weak number in the other suggests siloed governance rather than enterprise-wide control

None of these are as clean or as flattering as “99% compliant.” That’s precisely why they’re more useful. A metric that always looks good regardless of what’s actually happening underneath it isn’t a control mechanism; it’s reassurance dressed up as data.

The Real Test

Next time someone hands you a compliance percentage, ask one question before you accept it: what does this number exclude? If the honest answer includes “spend that was never submitted,” “policy overrides,” or “categories we don’t track well,” you don’t have a compliance metric. You have a well-dressed guess, and CFOs who build strategy on well-dressed guesses eventually find out the hard way what the real number was.

FAQs

Because compliance rates are typically calculated only against transactions that were submitted and matched against existing rules. Spend that's routed around the system, approved through manual overrides, or technically permitted by an outdated policy never registers as a violation. So, the percentage can stay high even as real leakage continues.

Rules-based compliance treats every policy match or mismatch equally, producing a flat percentage. Risk-weighted compliance accounts for the financial and operational severity of each exception, so a minor meal overage and a major duplicate payment aren't scored the same way in reporting, giving leadership a far more accurate picture of actual exposure.

Most finance teams review policy far less often than market conditions change. An annual review is a reasonable minimum, but per diem rates, airfare and lodging benchmarks, and category thresholds shift often enough that a policy compliance program built on a two- or three-year-old policy is likely measuring adherence to outdated assumptions.

Very few platforms, like ExpenseAnywhere, handle multi-jurisdictional compliance natively because requirements such as GST e-invoicing and IRN validation in India, VAT reclamation across the EU, and use-tax geo-code checks in the U.S. each require distinct rule engines. Companies operating across regions should evaluate AP platforms specifically on whether compliance logic is localized per jurisdiction rather than applied as a single global rule set.

ExpenseAnywhere builds policy enforcement into the transaction itself, through configurable, role-based policy engines across ExpenseAnywhere for travel and expense and InvoiceAnywhere for procure-to-pay, rather than relying solely on post-submission flagging. That includes built-in support for country-specific regulatory requirements such as GST, IRN, and TDS for the Indian market and CONUS/OCONUS federal per diem compliance for U.S. public sector clients, so compliance reporting reflects enforcement that already happened upstream rather than a rules-match performed after the fact.

Share:

Recent Post

Know about the latest happenings in the fintech automation.

Click below to subscribe to our newsletter!

Subscription