More specific question on SOX 1648



  • Alright, my boss has a specific question he wants answered. Here is the scenario: Say a truck breaks down at the coal mining site and they need a replacement part as fast as possible, because obviously, every minute not mining is money lost. What my boss wants to know is, under SOX, will they be forced to wait until all the required signatures are gathered? After my research, I think the answer is inevitably ‘yes.’ However, I would like some input.



  • Hi - I’m thinking the expedient replacement process of equipment is more of an ‘operational’ than financial risk. SOX regulations are supposed to prevent folks from ‘cooking the books’ from an accounting standpoint. SOX compliancy should not be a bottleneck in your ability to get needed replacement parts on an emergency basis.
    Still, it’s good to think of all these types of scenarios and map out a strategy for handling them (so your manager did good on this one). If you have an emergency process defined, with perhaps written documentation and approval signatures even after the part is installed, hopefully this approach would address this issue.
    My background is more IT related, so please also check for other responses 🙂



  • So ‘operations’ don’t really fall under the realm of SOX?



  • I agree with Harrywaldron with the fact that SOX is an act that came into being to prevent management from ‘cooking the books’ so to say. It should not however, come at the cost of operational inefficiencies.
    I would assume that alternate controls could be implemented for situations such as these. After all, we are looking for controls in one way or the other. For example, the drivers could be given an authorization to make purchases up to a certain dollar limit. They could be provided with prenumbered purchase authorization booklets with the stipulation that the numerics have to be accounted for on a weekly/monthly basis and substantiated with receipts and subject to review. Of course, documentation is the key and the controls to be adopted will have to be well documented.
    I’d like to see what others think of this situation. Good luck.



  • Strictly speaking, SOX is management’s assertion of the adequacy of internal controls over financial reporting and most SOX controls are primarily aimed at controls over the financial statements.



  • So ‘operations’ don’t really fall under the realm of SOX?
    If operational risks involve $$$ then they need to be analyzed from a risk management perspective (e.g., an operational risk can also be a financial one as well). If it’s something that is likely (frequency) or costly (severity) to occur, it will need the most attention in your organization.
    The best and most reasonable control practices should be enacted for major financial risks. I also like working closely with audit in the process to ensure an appropriate solution is obtained.
    As a bottom line, SOX itself should not prohibit making quick purchases, (e.g., to facilitate expedient emergency repairs). However if the company’s accounting or approval systems aren’t efficient, that can play a factor in the process.



  • Our Operations Managers had the same question.
    The financial impact of such a decision is that the purchase orders may not be properly approved and there is no audit trail to identify why the approvals deviated from Sarbox key controls.
    The controls would normally insist on a certain level of approval so as to ensure that overexpenditure does not occur, and that the purchase is valid to the company (e.g. not being bought for personal use).
    In this case, we agreed to document in our process narratives where such an exception would be allowable, and to insist that the rationale for making such an emergency decision be reported to both Finance and Purchasing ASAP



  • My take on this is that the spending approvals are operational in nature. Unless lack of approval can impact your financial statements directly, then this is not a SOX-related control. One must also factor in the materiality of the item in question. For a one-time exception to the rules, how material can repairing a truck be?
    Materiality aside for a moment, if the company refuses to pay the vendor who repaired the truck or provided the parts for the repair because a proper PO was not obtained or the chain of command for obtaining approvals was not followed, then that is technically a SOX violation as the financial statements are now mis-stated for failure to recognize the liability or cost related to the repair.
    If we let SOX rule how individual transactions are executed, then we will just tie ourselves up in knots trying to comply and will discover the true meaning of bureaucracy.



  • If we let SOX rule how individual transactions are executed, then we will just tie ourselves up in knots trying to comply and will discover the true meaning of bureaucracy.
    Excellent point 🙂 … If the current process is cumbersome or you need to design a special approach to deal with emergencies – then you’re better served in changing it. Certainly, you want to keep all accountability and controls intact. Still, don’t let SOX requirements govern sound ways of doing business.



  • Perhaps I should have been more specific in relation to approval of purchases.
    I agree that the materiality of the purchase is absolutely key. The allowable controls exceptions which we documented relate only to items of a capital nature, where the approval does not agree with our Group Capex policy, which also specifies approval levels based on cost



  • Ordinarily, I would say that approval of purchase orders is outside the scope of SOx as - generally - you don’t record orders in the financial statements. In a standard Purchase to Pay process the driver for recording the transaction is the receipt of goods or services. The exception to this is disclosure of capital commitments.
    In terms of the business the priority is obviously to restore operations as expediently as possible and in your scenario there is probably a solution in having some way in which ‘emergency’ purchases - up to an appropriate value - can be without up front approval, provided that these are obtained retrospectively.



  • … in your scenario there is probably a solution in having some way in which ‘emergency’ purchases - up to an appropriate value - can be without up front approval, provided that these are obtained retrospectively.
    Indeed – the use of an autonomy level provides a good compromise in balancing financial controls with business emergency requirements 🙂



  • Ordinarily, I would say that approval of purchase orders is outside the scope of SOx as - generally - you don’t record orders in the financial statements. In a standard Purchase to Pay process the driver for recording the transaction is the receipt of goods or services.
    Doesn’t that depend on how the process is set up?
    If the approval is given at the Purchase Order stage, and the rest of the process is done based on this approval, then the approval of the PO is the authorisation of the commitment.



  • Sorry, loose language :oops:
    The match of purchase orders to receipt of goods to invoice would almost certainly be a key control that I would expect to see. However I wouldn’t necessarily expect to see specific financial reporting risks around approval or recording of purchase orders. e.g. POs are not approved is not a SOX control risk imho.
    Don’t get me wrong though, POs would feature on my flowchart and system narrative as the initiation of purchase transactions and controls involving POs would likely feature, it’s just that I would not have specific control risks or objectives related to approval of POs.
    However, the original question was:
    under SOX, will they be forced to wait until all the required signatures are gathered?
    The answer should be NO. However, I am sure that there is many a company that has put in place a stupid process under the guise of SOX.



  • Surely, if a purchase order does not need to be approved (lines of approval can be determined in accordance with operations so as to ensure smooth transactions), then there is nothing to stop machinery and equipment turning up on a company’s doorstep, or nothing to stop items being fraudulently purchased under the company name?
    Of course, materiality should be considered, but this can be controlled by documenting a purchases approval matrix, therefore, avoiding the risk of last minute emergency purchases being held up?



  • Surely, if a purchase order does not need to be approved (lines of approval can be determined in accordance with operations so as to ensure smooth transactions), then there is nothing to stop machinery and equipment turning up on a company’s doorstep, or nothing to stop items being fraudulently purchased under the company name?

    Well this is not a SOX problem if, when the equipment turns up and is signed for it is then matched with the subsequent invoice and recorded correctly in the accounts.



  • I’m not convinced that this addresses fully the risk of fraud unless we are already assuming that there is adequate segregation of duties between ordering, receiving and authorising payment. Then again I suppose for most there would have to be a lot of this to make it a material fraud unless of course one of the Executive is up to mischief.



  • This is the point that I would make.
    There should be adequate controls over the purchase of material items. It may be difficult to return such items once they have arrived and someone has signed for them. It will also be costly in terms of time and effort when the purchase needs to be investigated prior to sign off on the invoice.
    Purchases could become seriously over budget.
    Any fraud risk associated should be obtained by appropriate and segregated approval of the purchase order. In addition, an approved purchase order will provide the company with back up should the invoice suddenly arrive with a different charge to that previously agreed.



  • I agree with the need for the controls, but overspending of budget, buying items that are not needed, are operational controls, not financial. SOX does not care if you are inefficient in running your business as long as you report your financials correctly.



  • In context with the original post, the more expedited approval process would only be used in true emergencies (which hopefully there would be few of these). The standard process with more rigorous approvals and controls would be used for all normal business purchases 🙂

