'Authorisation' - is this an FS risk?



  • I am reviewing a piece of documentation and as is normal practice in teamwork, am discussing points with a colleague.
    One of the broad risks documented is the risk that assets or liabilities do not exist (existence). A specific risk documented under this is that assets are acquired without appropriate authorisation. My colleague is of the opinion that lack of authorisation is not a financial statement risk. I am of the opinion that it absolutely is because if an asset is recorded in the accounting systems without obtaining the right authorisation be it a signature or system authorisation or whatever then assets could be overstated in the financial statements.
    He still disagrees. Am I going mad? It seems clear as glass to me.



  • Hi,
    The following is an excerpt from Management’s Report on Internal Control Over Financial Reporting:
    ‘Management’s report on internal control over financial reporting
    Management is responsible for establishing and maintaining adequate internal control over financial reporting of the company. Internal control over financial reporting is a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with accounting principles generally accepted in the United States of America.
    The company’s internal control over financial reporting includes those policies and procedures that (i) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company; (ii) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with accounting principles generally accepted in the United States of America, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and (iii) provide reasonable assurance regarding prevention or timely detection of UNAUTHORIZED acquisition, use, or disposition of the company’s assets that could have a material effect on the financial statements.’
    The complete Report may be found at:
    http://www.ibm.com/annualreport/2004/annual/rom.shtml
    In short, a quick review of related guidance indicates the authorization controls ARE a part of SOX and must be considered in the documentation and assessment process.
    I dunno if you’re going mad…I’m not a shrink. But the SOX process documentation requirements established by the governing bodies (PCAOB and SEC) are quite clear…sorry, but your colleague is incorrect.
    Hope this helps,
    milan



  • Thanks for that. I thought so. It seemed fairly obvious but I thought I’d check that I haven’t missed any new announcements or anything. Your response is appreciated.



  • I would disagree. If you look at PCAOB Standard #2 the standard financial statements assertions are:
    Completeness
    Existence
    Valuation
    Rights and Obligations
    Presentation and Disclosure
    Risks around authorisation may exist in relation to those assertions but it is not a given. I would generally see authorisation as a control.



  • What is the financial statement risk if an asset is acquired without the proper authorization? In other words, I am only authorized to approve up to USD50,000 of capital spending. I acquire a piece of machinery that costs USD100,000, approve the invoice for payment and the invoice is paid. The financial statement process would likely capture this as a capital asset and properly record the asset. The financial statements are not misstated.
    I would argue that authorization is a safeguarding of assets (fraud) control which is also required by SOX. Financial statements may not be misstated, but could contain assets that were not authorized to be purchased with company cash. In that case, I have misused company resources and possibly purchased an asset that has little or no value to the company.
    Of course all of this needs to be looked at with materiality in mind.
    I think that you are right that authorization controls need to be in place and tested, but you were arguing for them for the wrong reason.



  • Authorization controls are a must,
    it ensures that a track of what was done, when was it done, who did it and stuff like that, meaning to say that if a structured authorisation flow does exist and is followed (should be followed ideally) then the above becomes an assumption for all activities in course of the business.
    Like if authorizations are set for AP process, then the first thing required to check the flow of approvals would be the authorization matrix. 😉
    If proper authorization matrix did exist, then it could have been easily established as to who SHRED THE DEBT DOCUMENTS, right :lol:
    cheers



  • Gents,
    The person who posted the question for feedback stated that while reviewing documentation, some points were discussed with a colleague.
    Mocha states:
    One of the broad risks documented is the risk that assets or liabilities do not exist (existence). A specific risk documented under this is that assets are acquired without appropriate authorisation.
    I am of the opinion that it absolutely is because if an asset is recorded in the accounting systems without obtaining the right authorisation be it a signature or system authorisation or whatever then assets could be overstated in the financial statements.
    Mocha states the following about comments and discussion points with a colleague:
    My colleague is of the opinion that lack of authorisation is not a financial statement risk.
    So the point to address is ‘lack of authorisation is not a financial statement risk.’
    I cited select text and relevant language from an example Management’s Report on Internal Control Over Financial Reporting. The language clearly states.
    …(iii) provide reasonable assurance regarding prevention or timely detection of UNAUTHORIZED acquisition, use, or disposition of the company’s assets that could have a material effect on the financial statements.
    In short, the language evidences that authorization controls are relevant for SOX and an opinion on them must be stated in writing when giving an opinion on the ICOFR.
    The language cited above might vary slightly, but management’s reports consistently address the authorization controls.
    Although inadequate authorization controls might not lead to financial misstatement, the same could be stated of other internal controls. However, it is clear from the published guidance from the PCAOB, SEC and in the management’s reports published by companies that are compliant with SOX, that authorisation controls were evaluated and a direct statement was made in the assessment to state management’s conclusion on them.
    I agree that authorization controls are not to be confused with the standard FS assertions (PREVC) considered when conducting an audit of the FS. However, the person who posted the question did not ask for clarification about the generally accepted FS assertions. The objective was to provide feedback for consideration if there is a relationship between authorization controls and FS Risk.
    Regards,
    milan



  • Hi all
    SOX talks about the existence and effectiveness of internal control systems as a perfect backup for the correctness of financial statements.
    I am sure all agree that anything and everything in a business has its end in the financial statement. Be it an expense an asset or whatever. And the possibility of misstatement is very much there if the process involved has some lacuna.
    Like Milan told, an un-authorized asset purchase can be under or overstated and that would surely have implications on the financials of the organization.
    No wonder the ACT does not get into specifics as to what controls must exist and what must not.
    cheers



  • Standard No. 2 provides several examples of deficiencies that are at least significant deficiencies, including lack of:
    Controls over the selection and application of accounting principles that are in conformity with generally accepted accounting principles.
    Antifraud programs and controls.
    Controls over non-routine and non-systematic transactions.
    Controls over the period-end financial reporting process.
    These are bullets under Paragraph 139 of AS 2 which reads:
    'The interaction of qualitative considerations that affect internal control over financial reporting (ICOFR) with quantitative considerations ordinarily results in the following areas being at least significant deficiencies in internal control over financial reporting.'
    The bullet directly related to mitigation of absence of authorization is ‘Antifraud programs and controls.’ Therefore, Peekaboo is definitely making mention of authorization in AS2 although, in a veiled manner.
    Schedule D-2 of the Appendix D of AS2 talks about Authorization related scenario.
    Using traditional auditing parlance, lack of authorization has led to going concern issues, therefore, Authorization is an imperative control for all facets of governance including presentation of financial statement.
    So authorization is a must.



  • I am truly grateful for all your replies. After further discussion my colleague has clarified that while authorisation is not an FS risk, it is however a control to mitigate the risk of recording an asset that does not exist (prevent overstating assets balance in BS), and also a control to mitigate the risk of recording expenditure on an asset which does not exist in the first place (prevent overstating expenses in the P-and-L).
    I’ve found all answers to be helpful in this discussion and in general.

