SOX 404: More Than Just Getting the Numbers Right

Author:
Ryan Godbey - Former Partner KPMG US
Published:
March 20, 2025

By Ryan Godbey, CPA

Throughout my career, I’ve frequently encountered a fundamental question about the scope of SOX 404: Is it just about making sure the numbers are right, or something more? Let’s explore whether asset safeguarding and expenditure authorization fit into the SOX framework and if internal controls matter beyond the financial statements. And to keep things interesting, we’ll put the procure-to-pay cycle under the microscope.

A Real-World Scenario: Hooked by Phishing

Consider this common case:

An accounts payable manager receives an urgent email appearing to be from the CEO, requesting a wire transfer. Believing it’s legitimate, the manager processes the payment. The next day, they discover the email was fraudulent. Since the funds are unrecoverable, management immediately records the loss in the financial statements.

At first glance, this may seem like an unfortunate but contained incident. However, under SOX 404, the implications go deeper. 

Here’s a common conversation I have with management when discussing these incidents:

When “We Caught It” Isn’t Good Enough

MANAGEMENT: “We recorded the loss properly and are implementing new procedures to prevent this from happening again. Since we caught the issue and the expense is reflected in the financial statements, it doesn’t impact our SOX 404 environment, right?”

ME: “SOX 404 isn’t just about recording losses—it’s about preventing unauthorized transactions in the first place. Internal controls must provide ‘reasonable assurance’ that company assets are safeguarded. If an unauthorized transaction occurred, that means the controls failed. Detecting an issue after the fact isn’t the same as having effective controls—proper safeguards should prevent the transaction from happening at all. Even if this was a one-time event, a breakdown in controls signals a potential broader risk. If it happened once, it can happen again.”

MANAGEMENT: “So does this mean we have a material weakness?”

ME: “Not necessarily, but it might be an indicator of one. You will need to assess the broader likelihood and magnitude of potential issues stemming from inadequate procurement controls. At a minimum, it’s a control deficiency that needs assessment.”

MANAGEMENT: “Okay, that makes sense—we should have had better controls in place. But at the end of the day, the financial statements are still correct, right? The loss is recorded, so there’s no issue there.”

ME: “Accuracy is just one financial statement assertion. Financial reporting also requires fair presentation and disclosure. If a fraud-related loss is simply buried in SG&A, investors and stakeholders might not realize that the company was exposed to unauthorized transactions. The nature of a transaction matters—not just that it was recorded. Without proper disclosure, financial statements can be technically accurate but still misleading.” 

This example highlights a critical gap in thinking about SOX 404: it’s not just about reacting to financial statement errors—it’s about proactively preventing unauthorized transactions from occurring in the first place. So, how can organizations design effective controls that go beyond simply catching issues after the fact? Let’s examine key strategies for strengthening expenditure controls and mitigating procurement risks.

Designing Effective Expenditure Controls

Rather than reacting to an issue after it happens, organizations should focus on proactive risk assessment and control design. Here’s how:

1. Recognize the Many Layers of Procurement Risk

Many companies assume that once an invoice is approved, risks are mitigated. However, vulnerabilities exist at multiple stages:

- Vendor Setup: Unauthorized or fictitious vendors added to the system.

- Purchase Requisition: Lack of proper authorization before committing to an expense.

- Receipt of Goods & Services: Unverified vendor performance.

- Invoice Processing: Inconsistencies with terms and conditions.

- Payment Execution: Fraudulent or duplicate payments processed.

Compounding the challenge, processes and IT systems often differ based on expenditure type (e.g., capital projects, professional services, employee reimbursements). To assess risks effectively, companies must understand how controls should be adapted to each category and stage of the expenditure process.

2. Set the Right Materiality Threshold for Expenditures

Companies often apply the same quantitative materiality threshold across all accounts when setting their SOX 404 scope. However, for certain expenditure-related accounts, a lower threshold may be necessary, because qualitative risks can make even small transactions significant.

- Fraud and Improper Payments: Unauthorized or misclassified expenditures may not breach traditional thresholds but can still undermine investor confidence.

- Regulatory and Compliance Risks: Certain payments—such as those involving government contracts or executive expenses—can attract scrutiny regardless of dollar amount.

Companies should evaluate both quantitative and qualitative factors when setting materiality thresholds for expenditures to ensure risks are properly addressed.

3. Enhance Controls for Authorization, Fraud Prevention, and Monitoring

To mitigate unauthorized transactions and improve financial transparency, organizations should consider control enhancements such as:

--> Strengthen Authorization Controls: Implement multi-factor authentication for high-value disbursements, enforce segregation of duties, and require independent approval for high-risk transactions.

--> Enhance Fraud Prevention Measures: Conduct vendor due diligence, utilize AI-driven anomaly detection for unusual payment patterns, and establish comprehensive audit trails.

--> Implement Continuous Monitoring: Integrate advanced analytics to proactively detect and address procurement fraud, waste, and abuse in real time.
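To make the stage-by-stage risks from section 1 and the authorization, segregation-of-duties and monitoring controls from section 3 concrete, here is an added example of a simple continuous-monitoring screen over a batch of disbursements. It is illustrative code written for this article, not DataSnipper's product or anything the author describes; the vendor master, purchase orders, payment records, rule names and policy values (a 10,000 dual-approval threshold, 30-day windows for new vendors and bank-detail changes) are all constructed assumptions. Payment P-4 is built to resemble the phishing scenario from the opening: a wire to a just-created vendor with no purchase order, initiated and approved by the same person.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed sample data (not from the article): a tiny vendor master,
# approved purchase orders, and a batch of disbursements to screen.

@dataclass
class Vendor:
    vendor_id: str
    name: str
    created: date
    bank_changed: Optional[date] = None  # last change to remittance bank details

@dataclass
class PurchaseOrder:
    po_id: str
    vendor_id: str
    amount: float
    requester: str
    approver: str

@dataclass
class Payment:
    payment_id: str
    vendor_id: str
    invoice_no: str
    amount: float
    paid_on: date
    po_id: Optional[str]
    approvers: tuple   # user ids who approved the disbursement
    initiator: str     # user id who keyed the payment

# Assumed policy values; a real program would take these from its control matrix.
DUAL_APPROVAL_THRESHOLD = 10_000.0
NEW_VENDOR_WINDOW = timedelta(days=30)
BANK_CHANGE_WINDOW = timedelta(days=30)

VENDORS = {
    "V100": Vendor("V100", "Acme Office Supply", date(2024, 1, 10)),
    "V200": Vendor("V200", "Northwind Consulting", date(2024, 6, 1), bank_changed=date(2025, 3, 10)),
    "V300": Vendor("V300", "QuickPay Partners", date(2025, 3, 15)),
}
POS = {
    "PO-1": PurchaseOrder("PO-1", "V100", 4_500.0, requester="alice", approver="bob"),
    "PO-2": PurchaseOrder("PO-2", "V200", 25_000.0, requester="carol", approver="dave"),
}
PAYMENTS = [
    Payment("P-1", "V100", "INV-1001", 4_500.0, date(2025, 3, 5), "PO-1", ("bob",), "alice"),
    Payment("P-2", "V200", "INV-7781", 25_000.0, date(2025, 3, 18), "PO-2", ("dave", "erin"), "carol"),
    Payment("P-3", "V100", "INV-1001", 4_500.0, date(2025, 3, 19), "PO-1", ("bob",), "alice"),
    Payment("P-4", "V300", "INV-0001", 48_000.0, date(2025, 3, 20), None, ("frank",), "frank"),
    Payment("P-5", "V100", "INV-1002", 6_000.0, date(2025, 3, 21), "PO-1", ("bob",), "alice"),
]

def screen_payments(payments, vendors, pos):
    """Return (payment_id, rule) findings, one per control rule a payment trips."""
    findings = []
    seen_invoices = set()
    for p in payments:
        # Vendor setup stage: unknown vendor, brand-new vendor, or bank details changed just before payment.
        v = vendors.get(p.vendor_id)
        if v is None:
            findings.append((p.payment_id, "UNKNOWN_VENDOR"))
        else:
            if p.paid_on - v.created <= NEW_VENDOR_WINDOW:
                findings.append((p.payment_id, "NEW_VENDOR"))
            if v.bank_changed and timedelta(0) <= p.paid_on - v.bank_changed <= BANK_CHANGE_WINDOW:
                findings.append((p.payment_id, "RECENT_BANK_CHANGE"))
        # Purchase requisition stage: every disbursement must trace to an approved PO for the same vendor.
        po = pos.get(p.po_id) if p.po_id else None
        if po is None:
            findings.append((p.payment_id, "NO_APPROVED_PO"))
        else:
            if po.vendor_id != p.vendor_id:
                findings.append((p.payment_id, "PO_VENDOR_MISMATCH"))
            # Invoice processing stage: invoice must not exceed the committed PO amount.
            if p.amount > po.amount:
                findings.append((p.payment_id, "AMOUNT_EXCEEDS_PO"))
        # Authorization / segregation of duties: initiator may not approve, and large payments need two others.
        if p.initiator in p.approvers:
            findings.append((p.payment_id, "SELF_APPROVED"))
        if p.amount >= DUAL_APPROVAL_THRESHOLD and len(set(p.approvers) - {p.initiator}) < 2:
            findings.append((p.payment_id, "MISSING_DUAL_APPROVAL"))
        # Payment execution stage: same vendor + invoice number paid twice.
        key = (p.vendor_id, p.invoice_no)
        if key in seen_invoices:
            findings.append((p.payment_id, "DUPLICATE_INVOICE"))
        seen_invoices.add(key)
    return findings

def run_screening():
    """Group findings by payment so a reviewer sees every rule each payment tripped."""
    grouped = {}
    for payment_id, rule in screen_payments(PAYMENTS, VENDORS, POS):
        grouped.setdefault(payment_id, []).append(rule)
    return grouped

if __name__ == "__main__":
    for payment_id, rules in run_screening().items():
        print(payment_id, ", ".join(rules))
```

Each rule maps to one stage of the procure-to-pay cycle, so a finding tells the reviewer which control layer failed, not just that something looks odd. The screen is deliberately preventive in spirit: run against pending disbursements before release, it blocks the P-4 pattern rather than recording the loss afterwards.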

Pro-Tip: Periodically seek out external resources to help you stay on the leading edge of managing procurement risks. 

Conclusion: A Broader View of SOX 404

SOX 404 isn’t just about ensuring that financial statements are accurate—it’s about the safeguarding of assets and ensuring expenditures are authorized. And remember that these SEC principles apply to other risks such as unauthorized asset disposals, inventory theft, and executive misuse of funds. Organizations that adopt a proactive approach will not only strengthen their SOX 404 compliance but also enhance financial integrity and investor trust.

What’s Your Take? Are companies too complacent in asset safeguarding and expense authorization? What strategies have you seen work well in strengthening internal controls?

Let’s keep the conversation going—share your thoughts in the DataSnipper Community, in the comments, or send me a direct message.

Follow Ryan Godbey, CPA, and DataSnipper on LinkedIn for more insights on governance, financial reporting, and technology.
