# Findings Report

_Generated by TPRM Copilot · [lunariduo.com](https://lunariduo.com)_

## F-1 — Wrong Approver — Incorrect Reviewer Assignment by Portal

**Severity:** 🔴 High  ·  **Affected controls:** C3, C7  ·  **Affected samples:** [2]

**Description.** One or more vendor engagement approvals were provided by an employee who is NOT the requestor's direct supervisor per the Organizational Chart. Root cause traces to untimely intra-year updates to the Portal's Table of Employee Supervisors.

**Root cause.** Intra-year personnel reassignments are not reflected in the Portal in a timely manner. The HR-to-IT update process for non-annual changes is not formally documented and there is no compensating reconciliation between the live Org Chart and the Portal table.

**Recommended remediation.** (1) Document the intra-year update process with named owners and a service-level commitment. (2) Implement a quarterly reconciliation control between HR's authoritative Org Chart and the Portal's Table of Employee Supervisors. (3) Add a system-level flag when the assigned reviewer was newly assigned within the last 30 days for higher-risk approvals.

---

## F-2 — Retroactive Approval — Vendor Engaged Before Required Approval

**Severity:** 🔴 High  ·  **Affected controls:** C6  ·  **Affected samples:** [5]

**Description.** One or more vendor engagements were submitted to the vendor BEFORE the required Portal approval was obtained. Policy prohibits retroactive approvals.

**Root cause.** The pre-engagement approval timing control is detective/policy-based — operated solely through training, attestation, and individual employee compliance. No system-level (preventive) or downstream (AP/PO matching) control exists to detect or prevent vendor engagement before Portal approval. Policy also lacks an emergency/expedited approval workflow.

**Recommended remediation.** (1) Implement AP-side matching that flags any invoice without a corresponding Portal approval dated before the engagement. (2) Add an expedited approval workflow to the Policy with defined trigger criteria. (3) Report timing exceptions annually to the Audit Committee.
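As an added illustration, not part of the generated report, the following Python sketches the two detective checks recommended above: the reconciliation of the Portal supervisor table against HR's authoritative Org Chart (F-1, item 2) and the date matching that flags engagements submitted before their approval (F-2, item 1). Employee names, sample ids, dates and the `Engagement` record layout are constructed assumptions; the approver test deliberately uses the HR chart, not the Portal table, so a stale Portal entry cannot mask a wrong approver.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Engagement:
    sample_id: str
    requestor: str
    approver: str
    approval_date: date   # date the Portal approval was recorded
    engaged_date: date    # date the engagement was submitted to the vendor


def reconcile_supervisors(hr_org_chart, portal_table):
    """Employees whose Portal supervisor differs from HR's authoritative org chart."""
    return sorted(emp for emp, sup in portal_table.items()
                  if hr_org_chart.get(emp) != sup)


def find_exceptions(engagements, hr_org_chart):
    """Map sample id -> finding codes, testing each approval against HR (not the Portal)."""
    findings = {}
    for e in engagements:
        codes = []
        if e.approver != hr_org_chart.get(e.requestor):
            codes.append("F-1")  # approver is not the requestor's supervisor per HR
        if e.engaged_date < e.approval_date:
            # Only dates are available, so a same-day approval is treated as in order.
            codes.append("F-2")  # vendor engaged before approval: retroactive approval
        if codes:
            findings[e.sample_id] = codes
    return findings


def run_sample():
    # Constructed data (hypothetical names and dates, not taken from the report).
    hr = {"alice": "carol", "bob": "dave"}      # authoritative HR org chart
    portal = {"alice": "erin", "bob": "dave"}   # Portal table, stale for alice
    engagements = [
        Engagement("2", "alice", "erin", date(2024, 3, 10), date(2024, 3, 12)),
        Engagement("5", "bob", "dave", date(2024, 4, 20), date(2024, 4, 15)),
        Engagement("7", "bob", "dave", date(2024, 5, 1), date(2024, 5, 3)),
    ]
    return find_exceptions(engagements, hr), reconcile_supervisors(hr, portal)


if __name__ == "__main__":
    print(run_sample())
```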

---

## F-3 — Absent Control — No Approved Vendor Listing / Independent Vendor Vetting

**Severity:** 🟠 Medium  ·  **Affected controls:** (design gap — absent control)  ·  **Affected samples:** —

**Description.** No formal Approved Vendor Listing exists. Vendor appropriateness is assessed solely as part of the supervisor's review of each individual engagement request. Reliance on a single individual's point-in-time judgment introduces inconsistency and increases the risk of inappropriate vendors being engaged.

**Root cause.** A preventive vendor-vetting control was not designed into the workflow. The workflow relies on a single individual's point-in-time judgment at the moment of approval. No independent vendor onboarding, vetting, or related-party review is performed prior to a vendor's first transaction.

**Recommended remediation.** (1) Stand up an Approved Vendor Listing with periodic review by Procurement. (2) Introduce a vendor onboarding due-diligence questionnaire (TPRM intake) covering related-party, sanctions, and security posture screening. (3) Add a Portal control restricting requests to listed vendors, with a defined exception path.

---
