While permissions restrict who can make changes, the real concern is fraud risk. Best practice is segregation of duties: one person makes a change, and another approves it. Currently, the Vendor Approval workflow does not prevent the Vendor Card from being used until approval is granted or rejected. This creates a risk where someone could alter vendor bank details and process payments before the change is noticed. A stronger control is needed to ensure the Vendor Card is locked for use until the approval workflow is completed.