Our Key Worker security testing will focus on identifying workers who are able to perform actions like the above. e.g. we will look for workers who can (1) Edit a Suppliers bank details, (2) create a Supplier Invoice or (3) Pay a Supplier invoice. What your security tests are doing is casting a net to uncover risk scenarios, however these are just potential risks. By using targeted risk based chained scenarios we are able to help ensure the customers tenanted configuration is protecting them from these risks via approvals, thresholds, Custom Validations etc.