One of the most difficult and elusive types of support for control owners to provide to auditors is evidence of approval. The more informal the archiving process, the more challenging and time consuming it can be for control owners to locate and provide such support. Often times, control owners find themselves having to search for some form of approval buried in their inbox alongside thousands of other e-mails which can feel like searching for a needle in a haystack. Experienced auditors know this all to well as do control owners.
When it comes to performing SOX testing, evidence of approvals is one of the primary types of support requested by external auditors and a company’s SOX testers. Surprisingly, one myth that seems to surface from time to time is the absence of audit literature that explicitly addresses evidence of approvals. Perhaps this is due to terminology. Both the Sarbanes-Oxley Act of 2002 and the Auditing Standards of the Public Company Accounting Oversight Board address the issue of approvals, a.k.a. “authorizations”. While many auditors tend to use the term “approvals”, the audit literature seems to favor the term “authorizations”. Rather than cite the sections of the literature on this blog, just pull up an electronic copy of the Act or Audit Standards and perform a keyword search on the term “authorizations” and check the search results for yourself. You might be surprised by what you find if you’ve been a victim of this myth in the past.