Unfortunately it not quite that simple ; the product is quite flexible in the way that timesheet approvals are handled, so it really depends upon how this is set up in your instance as where to start to look for anomalies.
(for example ; approvals can be done by "anyone" who has the correct access right (if you are using access-right approvals)... OR if you are using an action-item approval method, then you need to look at the process which generates those action-items)
(and I'm talking mostly about the "Classic UI" here)