Invoice approval methodology

This document explains what Sigmodx records when your organization uses autonomous agents to approve or reject invoices, and how an independent auditor can confirm those records have not been altered.

What Sigmodx records

For each agent decision, Sigmodx stores the decision type (approve, reject, or escalate), a short written rationale from the agent, an optional confidence score, and the structural invoice fields your integration submits (amount, vendor name, purchase order reference, and similar metadata). Sigmodx does not store full invoice documents or general ledger detail unless you choose to send them; the default integration sends only references and amounts.

Input hashing

Before submitting a decision, your agent computes a fingerprint (hash) of the input payload it used. Sigmodx stores only that fingerprint, not the underlying payload. The fingerprint lets you prove later which inputs were considered, without exposing sensitive content in the Sigmodx database. If you exclude a field from the hash, Sigmodx cannot verify that field was part of the agent's reasoning.
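The sketch below is an added example, not Sigmodx code: it shows how a fingerprint over a fixed set of fields detects a later change to a hashed field but not to an excluded one. SHA-256, the canonical JSON form, the field names, and the sample values are assumptions; this document does not specify them.

```python
import hashlib
import hmac
import json

# Assumption: SHA-256 over canonical JSON (sorted keys, compact separators, UTF-8).
# Hypothetical field names; use the ones your integration actually submits.
HASHED_FIELDS = ("amount", "vendor_name", "po_reference")


def canonical_bytes(payload, fields):
    """Serialize only the selected fields, deterministically."""
    missing = [f for f in fields if f not in payload]
    if missing:
        raise KeyError(f"payload lacks hashed fields: {missing}")
    subset = {f: payload[f] for f in fields}
    return json.dumps(subset, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def fingerprint(payload, fields=HASHED_FIELDS):
    """Hex digest the agent computes before submitting a decision."""
    return hashlib.sha256(canonical_bytes(payload, fields)).hexdigest()


def matches(payload, stored_fingerprint, fields=HASHED_FIELDS):
    """Re-hash a payload produced at audit time and compare in constant time."""
    return hmac.compare_digest(fingerprint(payload, fields), stored_fingerprint)


# Constructed sample input. Amounts are strings so that float formatting
# cannot change the canonical bytes. bank_account is deliberately NOT hashed.
ORIGINAL = {"amount": "1250.00", "vendor_name": "Acme Supplies",
            "po_reference": "PO-0001", "bank_account": "CONSTRUCTED-ACCT-1"}
STORED = fingerprint(ORIGINAL)


def audit_demo():
    """Compare three audit-time payloads against the stored fingerprint."""
    reordered = dict(reversed(list(ORIGINAL.items())))
    amount_changed = {**ORIGINAL, "amount": "9250.00"}
    bank_changed = {**ORIGINAL, "bank_account": "CONSTRUCTED-ACCT-2"}
    return {
        "reordered_keys": matches(reordered, STORED),   # True: same content
        "amount_changed": matches(amount_changed, STORED),  # False: detected
        "bank_changed": matches(bank_changed, STORED),  # True: change not covered
    }
```

The third result is the gap described above: a field left out of the hashed set can differ at audit time and the fingerprint still matches, so every field the agent actually read belongs in the set.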

Reliability state

Sigmodx tracks three signals over a rolling window: how often human reviewers agree with the agent, how often hard errors occur (such as duplicate purchase orders or reversed outcomes), and how often the agent escalates. These signals map to an execution state:

  • ALLOW — all signals within policy thresholds.
  • LIMIT — elevated risk; additional scrutiny recommended.
  • BLOCK — agent should not execute new approvals until reviewed.

A supervisor may place a time-bounded manual override on an agent. Overrides are logged and take precedence over computed state until they expire.

Attestations

An attestation is a point-in-time summary of all invoice decisions and reviewer activity in a date range. Sigmodx locks the underlying decision records, builds a canonical summary, and publishes a verification string and report hash. Any change to included decisions would change the hash, which makes tampering detectable.

Independent verification

Your auditor receives the verification string and period dates. They enter the string at sigmodx.com/verify to retrieve the attestation summary and confirm it matches the report hash on file. No Sigmodx account is required for verification.
