More specific question on SOX 1648



  • So ‘operations’ don’t really fall under the realm of SOX?
    If operational risks involve $$$ then they need to be analyzed from a risk management perspective (e.g., an operational risk can also be a financial one as well). If it’s something that is likely (frequency) or costly (severity) to occur, it will need the most attention in your organization.
    The best and most reasonable control practices should be enacted for major financial risks. I also like working closely with audit in the process to ensure an appropriate solution is obtained.
    As a bottom line, SOX itself should not prohibit making quick purchases (e.g., to facilitate expedient emergency repairs). However, if the company’s accounting or approval systems aren’t efficient, that can play a factor in the process.



  • Our Operations Managers had the same question.
    The financial impact of such a decision is that the purchase orders may not be properly approved and there is no audit trail to identify why the approvals deviated from Sarbox key controls.
    The controls would normally insist on a certain level of approval so as to ensure that overexpenditure does not occur, and that the purchase is valid to the company (e.g. not being bought for personal use).
    In this case, we agreed to document in our process narratives where such an exception would be allowable, and to insist that the rationale for making such an emergency decision be reported to both Finance and Purchasing ASAP.



  • My take on this is that the spending approvals are operational in nature. Unless lack of approval can impact your financial statements directly, then this is not a SOX-related control. One must also factor in the materiality of the item in question. For a one-time exception to the rules, how material can repairing a truck be?
    Materiality aside for a moment, if the company refuses to pay the vendor who repaired the truck or provided the parts for the repair because a proper PO was not obtained or the chain of command for obtaining approvals was not followed, then that is technically a SOX violation as the financial statements are now mis-stated for failure to recognize the liability or cost related to the repair.
    If we let SOX rule how individual transactions are executed, then we will just tie ourselves up in knots trying to comply and will discover the true meaning of bureaucracy.



  • If we let SOX rule how individual transactions are executed, then we will just tie ourselves up in knots trying to comply and will discover the true meaning of bureaucracy.
    Excellent point 🙂 … If the current process is cumbersome or you need to design a special approach to deal with emergencies, then you’re better served in changing it. Certainly, you want to keep all accountability and controls intact. Still, don’t let SOX requirements govern sound ways of doing business.



  • Perhaps I should have been more specific in relation to approval of purchases.
    I agree that the materiality of the purchase is absolutely key. The allowable controls exceptions which we documented relate only to items of a capital nature, where the approval does not agree with our Group Capex policy, which also specifies approval levels based on cost.



  • Ordinarily, I would say that approval of purchase orders is outside the scope of SOx as - generally - you don’t record orders in the financial statements. In a standard Purchase to Pay process the driver for recording the transaction is the receipt of goods or services. The exception to this is disclosure of capital commitments.
    In terms of the business the priority is obviously to restore operations as expediently as possible, and in your scenario there is probably a solution in having some way in which ‘emergency’ purchases - up to an appropriate value - can be made without up-front approval, provided that these are obtained retrospectively.



  • … in your scenario there is probably a solution in having some way in which ‘emergency’ purchases - up to an appropriate value - can be made without up-front approval, provided that these are obtained retrospectively.
    Indeed – the use of an autonomy level provides a good compromise in balancing financial controls with business emergency requirements 🙂



  • Ordinarily, I would say that approval of purchase orders is outside the scope of SOx as - generally - you don’t record orders in the financial statements. In a standard Purchase to Pay process the driver for recording the transaction is the receipt of goods or services.
    Doesn’t that depend on how the process is setup?
    If the approval is given at the Purchase Order stage, and the rest of the process is done based on this approval, then the approval of the PO is the authorisation of the commitment.



  • Sorry, loose language :oops:
    The match of purchase orders to receipt of goods to invoice would almost certainly be a key control that I would expect to see. However I wouldn’t necessarily expect to see specific financial reporting risks around approval or recording of purchase orders. e.g. POs are not approved is not a SOX control risk imho.
    Don’t get me wrong though, POs would feature on my flowchart and system narrative as the initiation of purchase transactions and controls involving POs would likely feature, it’s just that I would not have specific control risks or objectives related to approval of POs.
    However, the original question was:
    under SOX, will they be forced to wait until all the required signatures are gathered?
    The answer should be NO. However, I am sure that there is many a company that has put in place a stupid process under the guise of SOX.



  • Surely, if a purchase order does not need to be approved (lines of approval can be determined in accordance with operations so as to ensure smooth transactions), then there is nothing to stop machinery and equipment turning up on a company’s doorstep, or nothing to stop items being fraudulently purchased under the company name?
    Of course, materiality should be considered, but this can be controlled by documenting a purchases approval matrix, therefore, avoiding the risk of last minute emergency purchases being held up?



  • Surely, if a purchase order does not need to be approved (lines of approval can be determined in accordance with operations so as to ensure smooth transactions), then there is nothing to stop machinery and equipment turning up on a company’s doorstep, or nothing to stop items being fraudulently purchased under the company name?

    Well this is not a SOX problem if, when the equipment turns up and is signed for it is then matched with the subsequent invoice and recorded correctly in the accounts.



  • I’m not convinced that this addresses fully the risk of fraud unless we are already assuming that there is adequate segregation of duties between ordering, receiving and authorising payment. Then again, I suppose for most there would have to be a lot of this to make it a material fraud, unless of course one of the Executive is up to mischief.



  • This is the point that I would make.
    There should be adequate controls over the purchase of material items. It may be difficult to return such items once they have arrived and someone has signed for them. It will also be costly in terms of time and effort when the purchase needs to be investigated prior to sign off on the invoice.
    Purchases could become seriously over budget.
    Any fraud risk associated should be obtained by appropriate and segregated approval of the purchase order. In addition, an approved purchase order will provide the company with back up should the invoice suddenly arrive with a different charge to that previously agreed.



  • I agree with the need for the controls, but overspending of budget, buying items that are not needed, are operational controls, not financial. SOX does not care if you are inefficient in running your business as long as you report your financials correctly.



  • In context with the original post, the more expedited approval process would only be used in true emergencies (which hopefully there would be few of these). The standard process with more rigorous approvals and controls would be used for all normal business purchases 🙂



  • Prevention of fraud is not a SOX requirement, rather the requirement is to have processes that will correctly record correctly any losses that might occur.
    Read the PCAOB guidance on Safeguarding of Assets.



  • In context with the original post, the more expedited approval process would only be used in true emergencies (which hopefully there would be few of these). The standard process with more rigorous approvals and controls would be used for all normal business purchases 🙂
    The first thing I was told when I started looking at our project was that ‘SOx requires you to document day to day controls’.
    If these emergencies happen on a daily basis, then there’s really something wrong with the operational controls. When documenting my company’s controls I’ve always said to the people ‘I’m only looking for what happens in 95% of the instances’.

