This document describes the standard operating procedures for all users of the SRM Portal, including timesponge uploads, billing management, QuickBooks integration, reconciliation, and system administration.
| Version | 1.1 |
| Effective Date | April 2026 |
| Prepared For | All SRM Portal Users |
| Classification | Internal Use Only |
| Review Frequency | Quarterly |
The SRM Portal is an internal web application that manages the full billing lifecycle for contractors and projects. It consolidates timesheet data, purchase order limits, payroll reconciliation, and invoice generation into a single workflow.
| Module | Purpose |
|---|---|
| Timesponge Upload | Import contractor hours from CSV exports |
| Limit Order | Track available invoiceable value per PO from SAP |
| PO Details | Maintain project, client, and purchase order metadata |
| Billing Summary | Compute billing amounts; push invoices to QuickBooks |
| Forecast | Plan and monitor hours vs. available PO capacity |
| Reconciling | Match payroll reports against billing calculations |
| Analytics | Cross-period KPIs, trends, and person-level summaries |
| Contracts | Track contract dates, rates, and expiry status |
| Candidate | Self-service time entry for contractors |
| Users | Role-based access control and user administration |
srm.db)
Sessions expire after 8 hours of inactivity. You will be automatically redirected to the login page when your session expires.
The portal enforces three access levels:
| Role | Description | Capabilities |
|---|---|---|
| Admin | Full system access | All data CRUD operations, user management, QBO settings, period management, sync lock control, view analytics with hidden-person settings |
| Normal | Standard operational access | Create, edit, and delete all billing data; upload CSVs; push invoices to QBO; cannot manage users or change system settings |
| Viewer | Read-only access | View all data across all modules; cannot create, edit, delete, or trigger any data mutations |
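One way to enforce the three roles, the 8-hour inactivity timeout and the period Sync Lock on the server, as an added example that is not the SRM Portal's own code. The action names, the session and period object shapes, and the rule that an active lock blocks data changes for every role are assumptions.

```javascript
// Added example: action names, object shapes and the lock rule are assumptions.
const IDLE_LIMIT_MS = 8 * 60 * 60 * 1000; // sessions expire after 8 hours of inactivity
const MUTATIONS = ['data:write', 'csv:upload', 'qbo:push'];
const ADMIN_ONLY = ['users:manage', 'settings:change', 'period:manage', 'synclock:control'];

// A Map (not a plain object) so a role string such as "constructor"
// cannot resolve to an inherited prototype member.
const PERMISSIONS = new Map([
  ['Viewer', new Set(['data:read'])],
  ['Normal', new Set(['data:read', ...MUTATIONS])],
  ['Admin', new Set(['data:read', ...MUTATIONS, ...ADMIN_ONLY])],
]);

// Decide one request server-side; anything not explicitly granted is denied.
function authorize(session, action, period, nowMs = Date.now()) {
  if (!session || nowMs - session.lastSeenMs > IDLE_LIMIT_MS) {
    return { allow: false, reason: 'session-expired' };
  }
  const granted = PERMISSIONS.get(session.role);
  if (!granted || !granted.has(action)) {
    return { allow: false, reason: 'role' };
  }
  // Assumed: an active Sync Lock freezes period data for every role
  // until an Admin lifts it via 'synclock:control'.
  if (period && period.syncLocked && MUTATIONS.includes(action)) {
    return { allow: false, reason: 'sync-lock' };
  }
  session.lastSeenMs = nowMs; // inactivity timer restarts on each allowed request
  return { allow: true, reason: null };
}
```

Hiding buttons for Viewers in the browser is presentation only; the decision above has to run on every mutating request.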
All data in the portal is organised by period (typically a calendar month, e.g. 2026-04).
The period selector is available in the top navigation bar on all data pages.
YYYY-MM format (e.g. 2026-05) and a display label.
Use the period dropdown in the navigation bar to switch between periods. All module data (timesponge, billing, limit order, reconciling) filters to the selected period.
The Timesponge module imports contractor hours from a CSV file exported from your time-tracking system. This is the primary data input that drives billing.
The upload file must contain the following columns (header names are case-insensitive):
| Column | Required | Description |
|---|---|---|
| Date | Yes | Entry date in YYYY-MM-DD format |
| Person | Yes | Full name of the contractor |
| Employee Code | Yes | Unique employee identifier |
| Hours Worked | Yes | Total hours submitted |
| Hours Approved | Yes | Hours approved by the client |
| Project | Yes | Project name (must match PO Details) |
| Hourly Rate | Yes | Contractor's billing rate (ZAR) |
| Approval | No | Approval status (defaults to Pending) |
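A pre-upload check for this file format, as an added example rather than the portal's own import code: it matches headers case-insensitively, reports a leading BOM, applies the Pending default, and rejects rows with malformed dates or numbers. Treating hours and rates as non-negative numbers is an assumption, and the sample data is constructed.

```javascript
// Added example, not the SRM Portal's import code. SAMPLE is constructed data.
const REQUIRED = ['date', 'person', 'employee code', 'hours worked',
  'hours approved', 'project', 'hourly rate'];
const SAMPLE = ['DATE,Person,Employee Code,Hours Worked,Hours Approved,Project,Hourly Rate',
  '2026-04-01,"Dlamini, T",E001,8,8,Alpha,450',
  '2026-04-31,J Smith,E002,8,7.5,Alpha,500'].join('\n');

// Split one CSV line, honouring double-quoted fields such as "Dlamini, T".
function splitCsvLine(line) {
  const out = [];
  let cur = '', quoted = false;
  for (let i = 0; i < line.length; i++) {
    const c = line[i];
    if (quoted && c === '"' && line[i + 1] === '"') { cur += '"'; i++; }
    else if (c === '"') quoted = !quoted;
    else if (c === ',' && !quoted) { out.push(cur); cur = ''; }
    else cur += c;
  }
  out.push(cur);
  return out;
}

// True only for a real calendar date written as YYYY-MM-DD.
function isIsoDate(s) {
  if (!/^\d{4}-\d{2}-\d{2}$/.test(s)) return false;
  const d = new Date(`${s}T00:00:00Z`);
  return !Number.isNaN(d.getTime()) && d.toISOString().slice(0, 10) === s;
}

// Returns the accepted rows plus a list of human-readable errors.
function validateTimespongeCsv(text) {
  const errors = [];
  if (text.charCodeAt(0) === 0xfeff) { errors.push('file starts with a BOM'); text = text.slice(1); }
  const lines = text.split(/\r?\n/).filter((l) => l.trim() !== '');
  const header = splitCsvLine(lines[0] || '').map((h) => h.trim().toLowerCase());
  const missing = REQUIRED.filter((c) => !header.includes(c));
  if (missing.length) return { rows: [], errors: [...errors, `missing columns: ${missing.join(', ')}`] };
  const rows = [];
  lines.slice(1).forEach((line, i) => {
    const cells = splitCsvLine(line);
    const rec = Object.fromEntries(header.map((h, j) => [h, (cells[j] || '').trim()]));
    const bad = [];
    if (!isIsoDate(rec.date)) bad.push('date is not YYYY-MM-DD');
    for (const f of ['person', 'employee code', 'project']) if (!rec[f]) bad.push(`${f} is empty`);
    for (const f of ['hours worked', 'hours approved', 'hourly rate']) // assumed non-negative
      if (!/^\d+(\.\d+)?$/.test(rec[f])) bad.push(`${f} is not a non-negative number`);
    if (!rec.approval) rec.approval = 'Pending'; // optional column, documented default
    if (bad.length) errors.push(`row ${i + 1}: ${bad.join('; ')}`); else rows.push(rec);
  });
  return { rows, errors };
}
```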
Individual rows can be added manually by clicking + Add Row and filling in the inline form. This is useful for corrections or one-off entries.
Each timesponge row displays a colour indicator showing whether the person + project combination has a matching record in PO Details:
The Limit Order module imports the available invoiceable value per purchase order from your procurement system (e.g. SAP). This data feeds the Forecast and Billing modules to flag potential PO overruns.
| Column | Description |
|---|---|
| Purchasing Document | PO number (must match PO Details) |
| Short Text | Description of the PO |
| Plant | Plant/site code |
| Still to be Invoiced (Value) | Remaining invoiceable ZAR value |
Rows can also be added or edited manually using the inline table editor.
PO Details is the master reference table linking employees to projects, clients, and purchase orders. It must be maintained accurately for the Billing Sync to work correctly.
| Field | Required | Description |
|---|---|---|
| Employee Code | Yes | Unique contractor identifier |
| Person | Yes | Full name |
| Project | Yes | Project name (should match timesponge entries) |
| PO Number | Yes | Purchase Order number from procurement system |
| Client | Yes | Client/company name (must match QBO customer name if using QBO) |
| Send Invoice To | No | Email address for invoice delivery via QBO |
| EM Details | No | Employment/engagement detail notes |
| PO Link | No | URL to the signed PO document |
| SOW Link | No | URL to the Statement of Work |
| PO Date | No | Purchase order effective date |
| Notes | No | Free-text notes |
Multiple records can be imported by uploading a CSV with columns:
Employee Code, Person, Project, PO Number, Client.
The Billing Summary is the central operational screen. It aggregates timesponge data with PO Details to produce one billing row per employee + project combination per period.
| Field | Description |
|---|---|
| Hours to Invoice | The hours actually billed. Pre-filled from approved hours; can be manually overridden. |
| Hourly Rate | ZAR rate per hour for this person/project. |
| SDL % | Skills Development Levy percentage (default per company policy). |
| UIF % | Unemployment Insurance Fund percentage (statutory cap applies). |
| COIDA % | Compensation for Occupational Injuries and Diseases percentage (statutory cap applies). |
| Management Fee % | SRM management fee applied on top of labour costs. |
| Expense | Non-VAT expense amount added to the invoice. |
| Adjustment | Manual positive or negative adjustment (non-VAT). |
| Status | Invoice lifecycle status (see below). |
| Invoice No | QBO or manual invoice number. |
| Notes | Internal notes visible on the billing row. |
| Status | Meaning |
|---|---|
| Need SOW | Statement of Work not yet received – cannot invoice |
| Need PO | Purchase Order not yet received – cannot invoice |
| Ready To Invoice | All prerequisites met; invoice can be raised |
| Invoiced | Invoice has been created in QBO or manually |
| Emailed | Invoice has been sent to the client |
The To-Be-Approved button automatically sets Hours to Invoice to the approved hours for all rows in the current period. Use this at the end of an approval cycle to quickly prepare the billing run.
Click the Columns button to show or hide specific columns. This preference is saved per browser session.
The OAuth token is stored securely in the database and refreshed automatically. Re-authorisation is required if the token cannot be refreshed (typically after 100 days of inactivity).
The following line items are added to the QBO invoice:
| Line Item | QBO Item Code |
|---|---|
| Basic Salary | 6 Salaries |
| SDL | 006S |
| UIF | 006U |
| COIDA | 006C |
| Expense | 17 |
| Management Fee | 1 - EY |
VAT is applied at 15% on all items except Expense and Adjustment. The invoice due date is set to the 25th of the current month.
Click Refresh QBO Status in the toolbar to pull the latest payment and email status from QBO for all rows in the current period. Updated fields include:
If an invoice was raised manually in QBO and you need to pull the document number into the portal, click Fetch Invoice No on the row (requires the QBO Invoice ID to already be populated).
The Forecast page compares actual hours worked against available PO capacity and planned forecast hours, helping identify potential overruns before invoicing.
| Column | Description |
|---|---|
| Hours Worked | Total hours from timesponge for the period |
| Hours Approved | Client-approved hours for the period |
| Hours Available | Derived from Limit Order: Still to be Invoiced ÷ Hourly Rate |
| Hours Forecasted | Editable – planned hours for the period (enter your forecast here) |
| Hours Short | Hours Available – Hours Worked (negative = PO overrun risk) |
The Reconciling module matches payroll report data (basic salary paid to contractors) against the billing calculations in the portal to identify discrepancies.
The table shows both the Payroll Report Basic (what was paid) and the Calculated Basic Salary (from billing). Rows where these values differ are highlighted in red.
Investigate and resolve any highlighted rows before finalising the period.
Analytics provides a cross-period view of KPIs, trends, and per-person summaries. All periods are aggregated unless a specific filter is applied.
The dashboard displays the following metrics:
Per-person cumulative totals across all periods (hours, salary, invoice totals).
The Contracts module tracks contractor engagement contracts, including rate, start/end dates, and contract document links.
| Field | Description |
|---|---|
| Employee Code | Unique contractor identifier |
| Person | Full name |
| Start Date | Contract commencement date |
| End Date | Contract expiry date |
| Hourly Rate | Rate specified in the contract (ZAR) |
| Contract Link | URL to the signed contract document |
Click the Delete icon next to the user and confirm. Admins cannot delete their own account.
Any logged-in user can change their own password via the account menu in the navigation bar, without requiring Admin access.
The following formulas are applied automatically by the system when calculating billing amounts. All monetary values are in South African Rand (ZAR).
Follow this sequence at the start of each billing cycle:
Admin: Add the new period (e.g. 2026-05) via the period selector.
Add or update PO Detail records for any new contractors or projects starting this period.
Export the limit order report from SAP and upload it to the Limit Order page for the new period.
Export the timesheet CSV from your time-tracking system and upload it to the Timesponge page.
Navigate to Billing Summary and click Sync from Timesponge. Review the generated rows.
Check the Forecast page for any rows with negative Hours Short. Resolve PO overruns with the client before invoicing.
For each billing row:
For each row with status Ready To Invoice, click Push to QBO. Verify the Invoice No is populated.
Upload the payroll CSV to Reconciling and resolve any discrepancies highlighted in red.
Click Refresh QBO Status to pull payment and email status from QBO. Confirm invoices are marked Emailed.
Admin: Once all invoices are confirmed and reconciliation is complete, enable the Sync Lock for the period to protect the data.
All users of the SRM Portal are responsible for maintaining the security and integrity of the system and the personal and financial data it contains. The following policies apply at all times.
srm.db) must be included in regular, encrypted backups.
The SRM Portal is published to authorised users over the internet via a
Cloudflare Tunnel (cloudflared). This eliminates the need to open
inbound firewall ports on the host machine. The layers of protection provided, in order, are:
| # | Protection Layer | What It Does |
|---|---|---|
| 1 | Encrypted Tunnel (TLS) | All traffic between the host machine and Cloudflare's edge is encrypted via a mutually authenticated TLS tunnel. No inbound ports are opened on the server — the connection is outbound-only. |
| 2 | HTTPS Enforcement | Cloudflare terminates HTTPS for all users. Plain HTTP requests are automatically redirected to HTTPS, ensuring data in transit is always encrypted (TLS 1.2 / 1.3). |
| 3 | DDoS Protection | Cloudflare automatically detects and absorbs Distributed Denial of Service (DDoS) attacks at the network and application layers before they reach the server. |
| 4 | Web Application Firewall (WAF) | Cloudflare's WAF inspects incoming HTTP requests and blocks common web attack patterns including SQL injection, cross-site scripting (XSS), and OWASP Top 10 threats. |
| 5 | Bot & Crawler Protection | Automated bots and malicious crawlers are identified and challenged or blocked before they reach the application. |
| 6 | IP Reputation Filtering | Requests from IP addresses with known malicious reputations (based on Cloudflare's global threat intelligence) are blocked at the edge. |
| 7 | Rate Limiting | Excessive request rates from a single source can be throttled or blocked, protecting against brute-force login attempts and scraping. |
| 8 | Zero Trust Access (if configured) | Cloudflare Access policies can require additional identity verification (e.g. email OTP, SSO) before a user can even reach the portal login page, adding a layer of authentication in front of the application itself. |
The SRM Portal processes personal information of contractors and employees as defined under the Protection of Personal Information Act 4 of 2013 (POPIA), which governs the lawful processing of personal information in South Africa. All users must comply with the following obligations.
The portal processes the following categories of personal information:
| Category | Examples |
|---|---|
| Identification | Full name, Employee Code |
| Financial | Hourly rate, basic salary, payroll amounts, invoice totals |
| Employment | Project assignments, hours worked, contract dates |
| Contact | Invoice email addresses |
Contractors and employees have the following rights regarding their personal information:
Requests must be directed to the designated Information Officer within the organisation.
Where the organisation operates in or processes personal data of individuals located in the European Economic Area (EEA), the General Data Protection Regulation (EU) 2016/679 (GDPR) applies in addition to POPIA. Many GDPR principles align with POPIA; the following outlines GDPR-specific obligations.
| Basis | Application in SRM Portal |
|---|---|
| Contract performance (Art. 6(1)(b)) | Processing contractor hours and billing data to fulfil contractual obligations |
| Legal obligation (Art. 6(1)(c)) | Statutory deductions (UIF, SDL, COIDA) and tax record-keeping |
| Legitimate interests (Art. 6(1)(f)) | Financial management, invoicing, and business operations |
| Right | Description |
|---|---|
| Right of access (Art. 15) | Data subjects may request confirmation of and access to their personal data |
| Right to rectification (Art. 16) | Data subjects may request correction of inaccurate data |
| Right to erasure (Art. 17) | "Right to be forgotten" – applicable where retention is no longer necessary |
| Right to restriction (Art. 18) | Data subjects may request limited processing while a dispute is resolved |
| Right to portability (Art. 20) | Data subjects may request their data in a structured, machine-readable format |
| Right to object (Art. 21) | Data subjects may object to processing based on legitimate interests |
All rights requests must be responded to within 30 days and directed to the Data Protection Officer (DPO) or designated contact.
| Issue | Likely Cause | Resolution |
|---|---|---|
| Timesponge rows showing orange PO indicator | No matching PO Detail record for this employee + project | Add the record in PO Details, then re-sync billing |
| Billing sync produces no rows | No timesponge data for the period, or no PO Detail matches | Verify timesponge upload and PO Details are correct for the period |
| QBO push fails with "Customer not found" | Client name in Billing does not match QBO Customer name | Update the Client field in Billing / PO Details to match QBO exactly |
| QBO push fails with "Token expired" | OAuth token has expired and could not be refreshed | Admin must reconnect to QBO via Connect to QuickBooks |
| Reconciling shows red mismatches | Payroll amount differs from billing calculation | Check Hours to Invoice and Hourly Rate; adjust Payroll Report Basic if the payroll figure is correct |
| Cannot edit data (all fields read-only) | Logged in as Viewer role, or period Sync Lock is active | Check your role with Admin; ask Admin to unlock the period if needed |
| Server not accessible | Node.js server is not running | Contact your administrator to restart the server |
| CSV upload fails or imports no records | Missing required columns or incorrect column names in CSV | Check column headers against the format table in this document; ensure no BOM characters in the file |
| Session expires unexpectedly | 8-hour session timeout reached | Log in again; session tokens are not persistent |
SRM Portal – Standard Operating Procedure | Version 1.1 | April 2026 | Internal Use Only