The logout option in MediusFlow MUST trigger a Global Log Out when using Single Sign-On (SSO).
In our environment, the MediusFlow application authenticates using SSO. The logout option in MediusFlow does not trigger a Global Log Out. In the event that a user clicks the log out button on a shared device and does not close the browser, the application can be accessed by whoever uses the shared device next, with permissions to approve / reject pending invoices and browse past workflow items. This is a security issue and must be fixed by MediusFlow.
There is a risk that a vendor could send fraudulent invoices and work together with an employee to approve these and initiate payments. Any fraudulent expenses would be captured after the fact through corporate financial reporting.