Expense Management Policy and Procedures

Version: 2 Date: March 13, 2026

Standards covered by this document: NIST SP 800-53: PL-1, PL-2, PL-4, PL-4(1), PL-8, PL-10, PL-11; Dispel Internal Finance Controls; IRS Accountable Plan Documentation

Keywords: expense reimbursement, corporate card, receipts, approvals, travel, meals, recurring charges

Purpose

This policy and procedures document covers the purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance for Dispel with respect to expense management, including corporate card use and employee expense reimbursement.

Scope

This policy and procedures document solely covers business expense reimbursement, corporate card issuance and use, receipt requirements, approvals, record retention, and related controls.

Roles and Responsibilities

The Policy Owner of this document is Finance - Treasurer is the current designated Finance Lead.

The Policy Owner is responsible for managing the development, documentation, and dissemination of the Expense Management Policy and Procedures.

Management Commitment

Management’s commitment to these policies and procedures is and shall be demonstrated through a variety of actions that raise awareness among Covered Persons. Some examples include:

1. This document was written and revised by senior members of Management. It was not outsourced to a third party.

2. Enforcement of the Dissemination, Acceptance, and Acknowledgement process.

3. Hosting Company all-hands meetings where this document is raised and feedback is solicited from Covered Persons on how to improve the policy and procedures.

4. Requiring subsets of Covered Persons to read the standards that drive the construction of these policies and procedures.

Coordination Among Organizational Entities

The procedures described throughout this document cover where intra-organizational coordination is known to be necessary to effectuate the documented policies. If a Dispel employee finds a procedure no longer reflects the current dynamics within the organization, or a procedure should be revised to achieve the same effect more efficiently, they shall notify the Policy Owner of the recommended change.

Covered Persons

All workforce members who incur, approve, process, or reimburse business expenses on behalf of Dispel are covered by this policy.

Dissemination, Acceptance, and Acknowledgement

The process of dissemination shall be made failsafe by holding, as a prerequisite to being authorized as a Covered Person, that an individual must first review, accept, and acknowledge this document. All Covered Persons must review, accept, and acknowledge this document at least Annually.

Policy and Procedures Review Tempo

The Policy Owner must review and, if necessary, update policies and procedures:

1. At least once annually.

2. Policies following discretionary off-cycle formal policy reviews; and,

3. Procedures following significant changes.

Development of the System Security and Privacy Plan

Finance & Accounting shall maintain documented expense management procedures that describe how Dispel workforce members request reimbursement, how approvals are obtained, how corporate cards are issued and reconciled, and how receipts and supporting documentation are retained. These procedures shall be implemented using Dispel’s designated expense management tools and/or forms ([Tool/System: TBD]), and must be kept consistent with this Policy. Finance shall ensure the procedures include segregation of duties (submitter vs. approver vs. processor), retention requirements, and periodic review/audit steps.

Rules of Behavior

These rules of behavior define what constitutes an allowable business expense and how expenses must be documented, submitted, and approved.

General principles

• Expenses must be reasonable, necessary for business purposes, and not excessive.

• Employees should choose the most cost-effective option that meets the business need.

• All expense submissions must be truthful, complete, and supported by documentation as required by this Policy.

Receipt and documentation requirements

• Itemized receipts are required for all individual expense line items.

• Receipts should clearly show merchant name, date, amount, currency, and itemization where applicable.

• If a required receipt is missing, the submitter must provide a written explanation; Finance may deny reimbursement or require manager and Finance approval as an exception.

Corporate cards

• Corporate cards will be issued only as needed and are not the default payment method.

• Primary intended uses for corporate cards include recurring billings/subscriptions, business travel bookings where a card is required, and roles with frequent business spending.

• Personal charges on a corporate card are prohibited. If a personal charge occurs in error, it must be reported to Finance immediately and repaid promptly.

• Cash advances, gift cards, and split-tender circumvention of receipt/approval rules are prohibited unless explicitly approved by Finance in advance.

• All corporate card charges must be reconciled promptly in the expense system with business purpose and receipts as required within 30 days.

• Failure to provide required receipts within the applicable submission period may result in temporary payroll deductions, to the extent permitted by applicable law, until the required documentation is submitted. Any amounts deducted in connection with missing documentation will be restored once the required receipt is provided and the charge is verified as compliant.

Expense reimbursement (preferred for most spending)

• Employees should use personal payment methods and submit expense reimbursement requests for most non-recurring business expenses.

• Expense reimbursement requests must be submitted through Dispel’s designated expense management workflow ([System/Tool: TBD]) with required receipts and a clear business purpose.

• Expense submissions should be made within 30 days of the expense date. Submissions older than 90 days may be denied absent Finance-approved exception.

Approval workflow

• All reimbursements and corporate card expense reports require approval by the employee’s manager (or designated approver).

• Expenses greater than $50k require a 2^nd^ level approval.

• Managers must confirm the expense is business-related, reasonable, and properly documented before approving.

• Finance reviews submissions for completeness, policy compliance, and accounting/tax requirements and may reject or request corrections.

Travel, meals, and entertainment (high-level guidance)

• Travel should be pre-approved by a manager when it is material or non-routine.

• Airfare should be economy/coach unless a different class is pre-approved for business reasons.

• Lodging should be moderately priced and located to support the business purpose.

• Meals must have a clear business purpose; for group meals, list attendees and purpose in the submission.

• Gratuities should be reasonable (typically up to 20% in the US) unless local custom requires otherwise.

Non-reimbursable or restricted expenses (examples)

• Personal expenses, commuting, traffic/parking fines, and penalties.

• Alcohol without a clear business purpose or not associated with a business meal/event; any alcohol reimbursement may require additional approval.

• Luxury or excessive spending, including upgrades or add-ons without a documented business need and pre-approval where required.

• Any expense that is illegal, unethical, or would create a conflict of interest.

• IT software products unless preauthorized vendor

Disputes, fraud, and corrections

• Suspected fraudulent activity (including card misuse) must be reported to Finance immediately.

• Duplicate submissions or coding errors must be corrected as soon as discovered; Finance will coordinate reversals and adjustments.

Records retention

• Receipts and expense documentation will be retained in accordance with Dispel’s records retention requirements and applicable law.

Security and Privacy Architecture

Expense records (including receipts) may contain sensitive financial and personal data and must be protected accordingly.

• Finance shall ensure expense tools and storage locations enforce least-privilege access and appropriate segregation of duties.

• Receipts and supporting documents must be stored only in approved Dispel systems ([System/Repository: TBD]) and not in personal drives or unapproved cloud services.

• Access to corporate card administration functions (issuing cards, changing limits, vendor management) must be restricted to authorized Finance personnel.

Review Tempo of System and Privacy Architecture

Finance shall review expense tool access, approval routing, and corporate card program settings at least annually and after significant organizational changes.

• Changes to limits, approvers, and cardholder roles should be documented and reviewed for appropriateness.

Forward Planning

Dispel’s expense program aims to minimize corporate card issuance and encourage reimbursement workflows, except where corporate cards are necessary (e.g., recurring billings).

• Finance will periodically evaluate recurring vendors and migrate eligible recurring charges to centrally managed payment methods where feasible.

• Finance will review receipt thresholds, approval thresholds, and process friction at least annually and propose updates to Management.

Control Baseline Selection

Dispel establishes the following baseline controls for expense management:

• Receipts required for all line items.

• Manager approval required for all expense submissions.

• Additional approvals for high-dollar expenses ([thresholds: TBD]).

• Corporate cards issued only as needed and reconciled with required documentation.

• Finance review and periodic audit of expense reports.

Baseline Tailoring

Exceptions to this Policy (including receipt requirements, submission timelines, and approval routing) must be approved by Finance, documented in writing, and retained with the expense record.

• Repeated or standing exceptions should be reviewed at least annually and either formalized into the Policy or discontinued.

Revision History