Gestione Note Spese: A Guide for DORA & NIS2 Compliance

Published: 2026-04-16

If your organisation can’t prove who submitted an expense, who approved it, what policy applied at the time, and whether the supporting evidence remained intact, do you really have expense management, or do you have a weak point in your control environment?

That question matters more than is often acknowledged. Gestione note spese is still often treated as a finance workflow with some HR policy around it. In regulated environments, that view is too narrow. Expense data contains personal data, payment evidence, approval decisions, policy exceptions, and retention obligations. It also creates an operational trail that auditors will test when they want to understand whether your controls work in practice.

A receipt is never just a receipt. It can be evidence of business purpose, proof of a reimbursable event, a record containing personal information, and a compliance artefact that needs to survive review years later. When organisations manage that evidence through email chains, spreadsheet uploads, and shared folders, they aren’t simplifying administration. They’re fragmenting accountability.

Rethinking Expense Management in Regulated Environments

The common assumption is simple. Note spese are low risk, repetitive, and administrative. Security teams focus elsewhere.

That assumption no longer holds. DORA, NIS2, and GDPR have changed the standard for what counts as an acceptable business process. The issue isn’t only whether employees get reimbursed correctly. The issue is whether the organisation can demonstrate control over a process that touches personal data, delegated approvals, external evidence, and long-term retention.

[Figure: A conceptual diagram contrasting an old manual expense report with digital modernisation, compliance, and resilience through interconnected technology.]

A modern expense workflow sits closer to document governance than many finance teams realise. That’s why organisations that already invest in structured records and evidence control usually handle gestione note spese more effectively. The same principles behind a strong document management software approach apply here. Controlled ingestion, role-based access, version discipline, and traceable exports matter just as much for receipts and reimbursement approvals as they do for formal policies.

Why expense processes now concern CISOs

An expense system is part of the control surface of the business. It receives uploads from employees and sometimes third parties. It stores receipts that may contain names, locations, payment details, and tax identifiers. It routes approvals between managers and finance staff. It exports data into accounting and payroll systems.

Every one of those steps creates security and compliance questions:

  • Identity and authority. Who can submit, edit, approve, reopen, or export a claim?
  • Evidence integrity. Can anyone replace a receipt after approval without leaving a trace?
  • Data minimisation. Are unnecessary fields being captured and retained?
  • Resilience. Can the process continue if a system fails during month-end close or an audit request?
  • Auditability. Can the organisation reconstruct the full decision path for an exception?

A reimbursement workflow becomes a compliance issue the moment an auditor asks for evidence and the business can only provide screenshots and email fragments.

The real shift

The practical change is this. Expense management isn’t just about efficiency. It’s about producing evidence that survives scrutiny.

That requires a different design mindset. A useful system doesn’t only collect claims. It preserves context, links policy to approval, restricts unnecessary actions, and keeps an auditable trail of what happened and when. In regulated sectors, that’s the difference between a process that functions and a process that can be defended.

From Manual Inefficiency to Demonstrable Control

Control isn't lost in one dramatic failure. It is lost in small, accepted habits. Receipts arrive late. Managers approve by email. Finance rekeys data into ERP. Someone corrects a claim after approval. The folder structure makes sense until the person who set it up goes on leave.

That model still dominates. In Italy, 55% of companies still rely on manual, paper-based processes for note spese, with error rates that can exceed 20-30% and reimbursements delayed by 15-30 days; the same source reports that digital adoption can reduce processing time by 70% and achieve over 95% data extraction accuracy (Archiva Group).

[Figure: A comparison chart showing the transition from traditional manual expense processing to modern digital expense management systems.]

What manual processes actually break

The visible problem is delay. The deeper problem is weak evidence.

A paper-heavy or spreadsheet-led process usually fails in four places:

| Process point | What teams think is happening | What auditors often find |
| --- | --- | --- |
| Submission | Employees attach supporting documents | Missing files, unreadable images, inconsistent fields |
| Approval | Managers review policy compliance | Approvals without verifiable policy checks |
| Accounting handoff | Finance records the final values | Manual re-entry creates mismatches |
| Retention | Records are stored for later review | Documents exist, but provenance and version history don't |

The issue isn’t that people are careless. It’s that manual workflows rely on memory and goodwill instead of system-enforced control.

What demonstrable control looks like

A compliant design starts at capture, not at audit time. The organisation should be able to show that the original evidence entered the process in a controlled way, that the right people touched it, and that every material action produced a log.

That usually means:

  • Structured intake instead of free-form email attachments
  • Policy checks before approval instead of after-the-fact review
  • System timestamps rather than inferred timelines
  • Controlled changes with visible version history
  • Exportable evidence that doesn’t require manual assembly

If you’re evaluating architecture options, it helps to understand what separates a workflow tool from an expense management system that can support finance, compliance, and audit use cases at the same time. The distinction usually sits in approvals, evidence handling, and integration discipline, not in the receipt scanner alone.

Superficial digitisation isn't enough

Many organisations believe they’ve digitised note spese because receipts are scanned and approvals happen in email or chat. That’s not digital control. That’s digital transport.

Practical rule: If a claim can be altered, approved, or exported without a durable log, the process is easier to use than to verify.

Scanning paper into a shared drive doesn’t solve accountability. It often makes it harder to prove what the original document looked like, who validated it, and whether the final reimbursement matched the evidence. True modernisation means the workflow itself becomes the record of control.

Navigating DORA, NIS2 and GDPR Requirements

The compliance burden around gestione note spese doesn’t come from one rule. It comes from the overlap between privacy, resilience, and security obligations.

That overlap is where many organisations struggle. Finance may own the policy. HR may define allowable categories. IT may operate the platform. Compliance may review retention. Security may only become involved after an incident or an audit request. The result is fragmented ownership over a process that regulators increasingly expect to be coherent.

[Figure: A conceptual illustration of a regulatory maze with a compass guiding through data compliance regulations.]

A useful way to think about it is this: GDPR governs how expense data is handled, DORA tests whether the system and its supporting process are operationally resilient, and NIS2 raises the standard for security governance and evidence around critical business operations.

GDPR starts with restraint

Expense evidence often includes more personal data than teams expect. Names on receipts. Travel locations. Dates. Payment references. Sometimes identifiers that have no real value for reimbursement review but remain visible in archived images.

The practical GDPR questions aren’t abstract:

  • Is each captured field necessary for reimbursement, tax treatment, or audit evidence?
  • Are permissions limited to people who need access?
  • Can the organisation explain how long different classes of expense data are retained?
  • When an employee exercises a rights request, can the team identify what sits in the expense archive versus the ERP or email estate?

A weak process tends to collect too much, distribute too widely, and retain too ambiguously.

DORA turns process weakness into resilience weakness

In regulated sectors, an expense platform isn’t isolated from operational resilience. If the system fails, loses evidence integrity, or can’t support a control review, the problem is larger than reimbursement delay.

The overlooked point is traceability. A 2025 Assintel report found that 68% of Italian financial firms faced audit delays due to poor expense traceability, which highlights the effect of not connecting expense data to immutable audit trails and encrypted evidence storage (N2F).

That matters because auditors don’t only ask whether a process exists. They ask whether the organisation can prove that the process stayed controlled under stress. Teams working through broader resilience obligations often find it useful to align expense workflow review with their Digital Operational Resilience Act work, rather than treating finance operations as out of scope.

Poor traceability rarely appears as a single broken control. It appears as a slow audit, incomplete evidence, uncertain ownership, and delayed answers under pressure.

A good operating question is simple: if your expense platform became unavailable, corrupted, or disputed during a review, how quickly could you reconstruct approved claims, supporting evidence, and decision history from controlled records?


NIS2 raises the bar on governance and supply chain handling

NIS2 has a practical effect on note spese even when the regulation doesn’t mention receipts directly. It pushes organisations to show that access, responsibility, and third-party interactions are governed.

That includes situations such as contractor reimbursements, consultant travel evidence, or vendor-submitted supporting documents. If external parties send evidence through uncontrolled channels, the organisation inherits risk without gaining good records.

A stronger model answers three questions clearly:

| Control question | Weak answer | Strong answer |
| --- | --- | --- |
| How do third parties submit evidence? | Email it to finance | Through a controlled submission path |
| Who approves exceptions? | Whoever is available | A defined role with delegated authority |
| How do you prove what happened? | We can reconstruct it | We can export the record and logs |

The core requirement isn’t complexity. It’s clarity. Auditors want to see who owns the process, what the rules are, and whether the system consistently produces evidence that supports those rules.

Designing a Compliant Expense Policy and Control Framework

Most expense policies fail for one reason. They read like guidance, but the organisation uses them as if they were controls.

A compliant gestione note spese framework starts by separating policy from enforcement. Policy defines what is allowed, who decides, and which evidence is required. Controls make that policy executable. Audits then verify whether the controls operated as intended.

Write rules that a system can enforce

Vague policies create manual interpretation. Manual interpretation creates exceptions. Exceptions create inconsistent evidence.

The better approach is to define rules in terms the workflow can test:

  • Allowed categories with explicit claim conditions
  • Required fields for each category
  • Approval paths based on role, spend type, or exception status
  • Escalation criteria when evidence is missing or outside policy
  • Retention treatment for the resulting records

Digital systems provide significant value. Digital gestione note spese platforms report error rates dropping below 5% by enforcing policy checks automatically, and those checks prevent non-compliant claims that historically account for 10-15% of total expenses in manual systems (TeamSystem).

That result doesn’t come from better reminders. It comes from refusing to let invalid claims move forward unnoticed.
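To make the difference between guidance and an enforceable rule concrete, here is an added example in Python (not code from the article or from any product it names) that expresses the five rule types above as checks a workflow can run before a claim reaches an approver. The categories, limits, role names and sample claims are constructed for illustration.

```python
"""Policy-as-rules check for an expense claim (constructed example)."""
from dataclasses import dataclass, field

# Constructed policy: each allowed category states its claim conditions.
POLICY = {
    "travel": {"required": {"receipt", "date", "amount", "purpose", "destination"},
               "max_amount": 500.00},
    "meal":   {"required": {"receipt", "date", "amount", "purpose"},
               "max_amount": 60.00},
}

# Approval path chosen by exception status (constructed role names).
APPROVAL_PATH = {
    "standard":  ["line_manager"],
    "exception": ["line_manager", "finance_controller"],
}


@dataclass
class Decision:
    status: str                     # "reject", "escalate" or "route"
    reasons: list = field(default_factory=list)
    approvers: list = field(default_factory=list)


def evaluate_claim(claim: dict) -> Decision:
    """Test one claim against POLICY; invalid claims never move forward silently."""
    rules = POLICY.get(claim.get("category"))
    if rules is None:
        return Decision("reject", ["category not allowed"])

    present = {k for k, v in claim.items() if v not in (None, "")}
    missing = sorted(rules["required"] - present)

    # Missing evidence is an escalation criterion, not a quiet pass.
    if "receipt" in missing:
        return Decision("escalate", ["missing evidence: receipt"],
                        APPROVAL_PATH["exception"])
    # Missing ordinary fields are rejected back to the claimant.
    if missing:
        return Decision("reject", [f"missing field: {m}" for m in missing])
    # Outside-policy amounts follow the exception route, with a recorded reason.
    if claim["amount"] > rules["max_amount"]:
        return Decision("escalate", ["amount above category limit"],
                        APPROVAL_PATH["exception"])
    return Decision("route", [], APPROVAL_PATH["standard"])
```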

Build ownership before automation

Automation without assigned responsibility only accelerates confusion. Every mature expense process needs named ownership across several layers.

A simple ownership matrix usually covers:

  1. Policy owner
    Usually finance, tax, or compliance. This role defines categories, thresholds, required evidence, and exception rules.

  2. Control owner
    Often IT or operations. This role configures the workflow, permissions, logging, and integrations.

  3. Approval owner
    A line manager or delegated approver. This person confirms business purpose and reasonableness within defined authority.

  4. Evidence custodian
    Usually records, compliance, or finance operations. This role ensures the archive remains complete, retrievable, and defensible.

If one person tries to hold all four roles, the process becomes opaque. If nobody owns one of them, the control fails.

Reduce exceptions by design

Many teams spend too much time teaching approvers to spot invalid claims manually. That doesn’t scale. It also creates different outcomes for similar submissions.

A better control model reduces ambiguity before the claim reaches approval. Teams that need a practical primer on how to track business expenses often discover the same pattern: consistency comes from structured categories, timely capture, and clear ownership, not from longer policy PDFs.

The strongest expense policy is the one that leaves the fewest judgement calls for routine claims.

A good policy framework should let an approver answer three questions quickly: Is the expense in scope, is the evidence complete, and does this claim require exception handling? If the system can’t support those answers directly, the policy is still too dependent on individual interpretation.

Secure Evidence Capture, Retention and Archival

Most discussions about gestione note spese focus on workflow speed. The harder problem is evidence durability.

The organisation needs to preserve not only the data extracted from a receipt, but also the trustworthiness of the original evidence, the surrounding approvals, and the retention chain that follows. If any part of that lifecycle becomes uncertain, audit quality drops fast.

[Figure: An illustration showing three steps for handling expenses: capturing receipts on a phone, retaining data, and archiving records.]

Capture evidence at the point of creation

The best control is early capture. Receipts and supporting documents should enter the system as close as possible to the actual expense event.

That matters for three reasons:

  • Context is still available. The claimant remembers business purpose, project, and payment method.
  • Loss risk is lower. Evidence isn’t left in wallets, inboxes, or travel bags for later recovery.
  • Validation can start immediately. Missing fields or unsupported categories can be flagged before month-end.

OCR helps, but it shouldn’t be treated as the control itself. OCR is an extraction mechanism. The control is the combination of original image preservation, required metadata, validation rules, and audit logging around any correction.

Retention needs integrity, not just storage

Once evidence is captured, the organisation has to ensure it remains intact and retrievable. That means more than keeping files in cloud storage.

A defensible retention design usually includes:

| Control area | What good looks like |
| --- | --- |
| Evidence preservation | Original receipt image retained alongside extracted fields |
| Access control | Permissions limited by role and business need |
| Change visibility | Any edit, reclassification, or replacement leaves a durable record |
| Exportability | Records can be produced in a coherent package for review |
| Separation of duties | The same person can't silently submit, approve, and alter the record |

A lot of weak implementations fail on the middle step. They capture evidence well enough, then store it in a repository where later changes are possible without clear traceability.
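As an added example (not code from the article or any product it names), the following Python sketch models the middle step the table and the earlier "Evidence integrity" question are about: an append-only, hash-chained trail for one claim in which the hash of the first receipt upload is kept, a replacement after approval is recorded rather than hidden, and the submitter cannot approve their own claim. The claim id, actor names and receipt bytes are constructed.

```python
"""Append-only, hash-chained evidence trail for one expense claim (constructed)."""
import hashlib
import json
from datetime import datetime, timezone


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class EvidenceTrail:
    """Every material action becomes an entry linked to the previous one."""

    def __init__(self, claim_id: str):
        self.claim_id = claim_id
        self.entries = []        # append-only; entries are never edited in place
        self.originals = {}      # receipt id -> hash of its first upload

    def _append(self, actor: str, action: str, **detail) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"claim": self.claim_id, "seq": len(self.entries),
                "ts": datetime.now(timezone.utc).isoformat(),
                "actor": actor, "action": action, "detail": detail, "prev": prev}
        body["hash"] = sha256(json.dumps(body, sort_keys=True).encode())
        self.entries.append(body)
        return body

    def submit(self, actor: str, receipt_id: str, image: bytes) -> dict:
        # Preserve the original: the first hash seen for a receipt id is kept.
        self.originals.setdefault(receipt_id, sha256(image))
        return self._append(actor, "submit", receipt=receipt_id, sha256=sha256(image))

    def approve(self, actor: str) -> dict:
        submitters = {e["actor"] for e in self.entries if e["action"] == "submit"}
        if actor in submitters:
            raise PermissionError("separation of duties: submitter cannot approve")
        return self._append(actor, "approve")

    def replace_receipt(self, actor: str, receipt_id: str, image: bytes, reason: str) -> dict:
        # Replacement is allowed but never silent: original hash and reason stay on record.
        return self._append(actor, "replace", receipt=receipt_id, sha256=sha256(image),
                            original_sha256=self.originals[receipt_id], reason=reason)

    def verify(self) -> bool:
        """Recompute every hash and link; any in-place edit breaks the chain."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or sha256(json.dumps(body, sort_keys=True).encode()) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def changes_after_approval(self) -> list:
        """The question an auditor asks: what was replaced once the claim was approved?"""
        approved_at = next((e["seq"] for e in self.entries if e["action"] == "approve"), None)
        if approved_at is None:
            return []
        return [e for e in self.entries if e["seq"] > approved_at and e["action"] == "replace"]
```

Durability still depends on where the entries live: the chain detects edits, and a write-once store or an external copy of the latest hash is what stops an administrator from rewriting the whole list.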

Long-term archival is a compliance function

Italian fiscal rules require a 10-year storage period for expense justifications, and post-2025 updates mandate qualified electronic archiving, or conservazione sostitutiva. The same source notes that 52% of firms reported archival errors in 2025 (Danea).

That changes the design requirement. Archival can’t be an afterthought or a folder export at year end. It has to be part of the system model from the beginning.

For many teams, the missing piece is the connection between workflow records and archive records. The archive shouldn’t just hold documents. It should preserve the approved state of the claim, the supporting evidence, and the trace needed to explain how that state was reached. That’s where a stronger document archiving software model becomes relevant to expense operations.

Store the evidence in a way that your future auditor can trust, not in a way that your current team finds convenient.

What usually doesn't work

Three patterns repeatedly cause trouble:

  • Hybrid paper-digital handling. A scan exists, but the paper original or an emailed version remains the practical reference.
  • Archive by export. Claims are processed in one system and dumped into another without preserving context.
  • Uncontrolled corrections. Finance adjusts fields for accounting purposes but the archive doesn’t make the correction path visible.

None of these problems are unsolvable. But they only get fixed when retention is treated as part of control engineering, not as a storage decision.

Building Workflows for Continuous Audit Readiness

An auditable expense process isn’t built on the day the auditor sends a request. It’s built in ordinary operations, then tested by whether the organisation can produce complete, ordered evidence without improvisation.

That’s the practical meaning of continuous audit readiness. Not permanent audit activity. Permanent control discipline.

Design workflows around evidence packages

The most useful test is simple. Assume an auditor asks for a sample of claims involving travel, exceptions, and management approvals over a defined period. Can your team produce a coherent package without opening old mailboxes or reconstructing approval logic from memory?

A good workflow should already support that outcome. Each claim should resolve into a compact evidence set containing the original submission, extracted data, policy context, approval path, exception rationale where relevant, and system logs showing material actions.

This is one reason the broader market for expense tools keeps growing. The global expense management software market is projected to grow from $6.62 billion in 2024 to $7.49 billion in 2025, a 13% CAGR, driven by the need for automation that produces immutable digital trails. That aligns directly with reducing audit risk where non-compliance fines can reach €50,000 per incident under Italian privacy laws (Unid Formazione).

The value isn’t the software category itself. It’s the operating model the software makes possible.

Handle third-party evidence with narrow access

Contractors, consultants, and vendors sometimes need to provide supporting evidence related to expenses or reimbursable costs. Many organisations solve that informally by asking for email attachments. That creates a poor audit trail and broadens data exposure unnecessarily.

A safer pattern uses a controlled submission channel with limited scope. The external party should be able to upload only what is needed for the specific request. They shouldn’t need a general internal account. Internal reviewers should receive the evidence inside the same controlled process as employee claims, with ownership and review steps already defined.

That approach improves both security and operations. It reduces ad hoc mail handling and makes later retrieval much easier.

Treat the audit pack as a product of the system

The phrase “Audit Day Pack” is useful because it changes how teams think. Instead of preparing for an audit by collecting documents, you design the workflow so the system can generate a reviewable pack on demand.

A strong pack usually contains:

  • Indexed evidence so the reviewer can find information quickly
  • Policy references tied to the claim period
  • Approval logs showing who decided what
  • Exception records for anything outside standard rules
  • Export metadata proving what was extracted and when

This also supports simulation exercises. If resilience teams want to test how the organisation would respond to a disputed reimbursement pattern, a suspected misuse case, or a platform outage during close, structured expense data gives them something they can work with. The process stops being a black box and becomes a verifiable operational component.

An Implementation Playbook for Regulated Teams

Most regulated teams don’t need a more ambitious expense policy. They need a cleaner implementation path.

The mistake is trying to modernise note spese as a finance-only tool rollout. That usually improves submission convenience while leaving retention, access design, exception handling, and audit exports unresolved. A better approach treats gestione note spese as a scoped control system.

Step one defines scope properly

Start with the process boundary. Decide which expense types, claimant groups, approvers, systems, and archives are in scope.

Don’t stop at employees. Include contractors, delegated approvers, finance operators, and any downstream accounting or payroll handoff. If a person or system can change the record, that actor belongs in the design.

Step two maps responsibility clearly

Name the owners before you configure anything. Policy, platform administration, approval authority, archive oversight, and audit response should all have accountable roles.

Write those assignments down in an ownership matrix. If teams rely on habit instead of explicit role mapping, exceptions will bypass the intended route the first time someone is absent or the organisation restructures.

Step three configures controls before launch

Set up the workflow to reflect the actual policy. Required evidence, approval paths, exception routes, retention classes, and export requirements should exist in the system before broad rollout.

Use pilot claims to test edge cases. Travel without receipts. Split-cost submissions. Late claims. Rejected claims that are resubmitted. Manager delegation. These edge cases reveal whether the process is effectively controlled or only convenient under ideal conditions.

Step four verifies the evidence path

Run a small internal audit before the external one. Pick a sample of completed claims and ask the same questions an auditor would ask.

Can you show the original evidence, the applicable policy, the approval chain, the exception history, and the archived record without manual reconstruction? If not, fix the process now, not during the next review cycle.

Step five makes control ongoing

Treat this as an operational discipline. Review permissions. Test exports. Confirm retention outcomes. Check whether policy changes are reflected in the workflow and whether approver delegations remain valid.

Compliance works best when the team can prove routine control from routine operations.

A regulated organisation doesn’t need perfection on day one. It needs a system that makes ownership clear, evidence durable, and verification repeatable. That’s what turns declared compliance into demonstrable control.


AuditReady helps regulated teams turn expense and evidence-heavy processes into something auditors can verify without chaos. If you need a practical way to map ownership, link policies to controls, collect encrypted evidence, maintain append-only audit trails, and generate review-ready exports for DORA, NIS2, and GDPR work, AuditReady is designed for that operating model.