More specific question on SOX 1648



  • Perhaps I should have been more specific in relation to approval of purchases.
    I agree that the materiality of the purchase is absolutely key. The allowable controls exceptions which we documented relate only to items of a capital nature, where the approval does not agree with our Group Capex policy, which also specifies approval levels based on cost.



  • Ordinarily, I would say that approval of purchase orders is outside the scope of SOx as - generally - you don’t record orders in the financial statements. In a standard Purchase to Pay process the driver for recording the transaction is the receipt of goods or services. The exception to this is disclosure of capital commitments.
    In terms of the business the priority is obviously to restore operations as expediently as possible, and in your scenario there is probably a solution in having some way in which ‘emergency’ purchases - up to an appropriate value - can be made without up front approval, provided that approvals are obtained retrospectively.



  • … in your scenario there is probably a solution in having some way in which ‘emergency’ purchases - up to an appropriate value - can be made without up front approval, provided that approvals are obtained retrospectively.
    Indeed – the use of an autonomy level provides a good compromise in balancing financial controls with business emergency requirements 🙂



  • Ordinarily, I would say that approval of purchase orders is outside the scope of SOx as - generally - you don’t record orders in the financial statements. In a standard Purchase to Pay process the driver for recording the transaction is the receipt of goods or services.
    Doesn’t that depend on how the process is set up?
    If the approval is given at the Purchase Order stage, and the rest of the process is done based on this approval, then the approval of the PO is the authorisation of the commitment.



  • Sorry, loose language :oops:
    The match of purchase orders to receipt of goods to invoice would almost certainly be a key control that I would expect to see. However I wouldn’t necessarily expect to see specific financial reporting risks around approval or recording of purchase orders, e.g. ‘POs are not approved’ is not a SOX control risk IMHO.
    Don’t get me wrong though, POs would feature on my flowchart and system narrative as the initiation of purchase transactions and controls involving POs would likely feature, it’s just that I would not have specific control risks or objectives related to approval of POs.
    However, the original question was:
    under SOX, will they be forced to wait until all the required signatures are gathered?
    The answer should be NO. However, I am sure that there is many a company that has put in place a stupid process under the guise of SOX.



  • Surely, if a purchase order does not need to be approved (lines of approval can be determined in accordance with operations so as to ensure smooth transactions), then there is nothing to stop machinery and equipment turning up on a company’s doorstep, or nothing to stop items being fraudulently purchased under the company name?
    Of course, materiality should be considered, but this can be controlled by documenting a purchases approval matrix, therefore, avoiding the risk of last minute emergency purchases being held up?



  • Surely, if a purchase order does not need to be approved (lines of approval can be determined in accordance with operations so as to ensure smooth transactions), then there is nothing to stop machinery and equipment turning up on a company’s doorstep, or nothing to stop items being fraudulently purchased under the company name?

    Well, this is not a SOX problem if, when the equipment turns up and is signed for, it is then matched with the subsequent invoice and recorded correctly in the accounts.



  • I’m not convinced that this fully addresses the risk of fraud unless we are already assuming that there is adequate segregation of duties between ordering, receiving and authorising payment. Then again, I suppose for most there would have to be a lot of this to make it a material fraud, unless of course one of the Executive is up to mischief.



  • This is the point that I would make.
    There should be adequate controls over the purchase of material items. It may be difficult to return such items once they have arrived and someone has signed for them. It will also be costly in terms of time and effort when the purchase needs to be investigated prior to sign off on the invoice.
    Purchases could become seriously over budget.
    Any associated fraud risk should be addressed by appropriate and segregated approval of the purchase order. In addition, an approved purchase order will provide the company with back up should the invoice suddenly arrive with a different charge to that previously agreed.



  • I agree with the need for the controls, but overspending of budget, buying items that are not needed, are operational controls, not financial. SOX does not care if you are inefficient in running your business as long as you report your financials correctly.



  • In context with the original post, the more expedited approval process would only be used in true emergencies (which hopefully there would be few of). The standard process with more rigorous approvals and controls would be used for all normal business purchases 🙂



  • Prevention of fraud is not a SOX requirement; rather, the requirement is to have processes that will correctly record any losses that might occur.
    Read the PCAOB guidance on Safeguarding of Assets.



  • In context with the original post, the more expedited approval process would only be used in true emergencies (which hopefully there would be few of). The standard process with more rigorous approvals and controls would be used for all normal business purchases 🙂
    The first thing I was told when I started looking at our project was that ‘SOx requires you to document day to day controls’.
    If these emergencies happen on a daily basis, then there’s really something wrong with the operational controls. When documenting my company’s controls I’ve always said to the people ‘I’m only looking for what happens in 95% of the instances’.

