
Q&A on how delegation of authority supports SOX and internal controls: evidence, version history, segregation of duties, and common audit findings.
Definition: DOA-related internal controls are the governance mechanisms — including authority matrices, delegation records, workflow enforcement, and evidence capture — that enable an organization to prove who authorized a commitment, under what rules, and with what evidence, at any point in time.
If you've ever gone through a SOX or internal controls audit, you know the uncomfortable moment: you can prove an approval happened, but you can't easily prove the approver had authority at that time.
This Q&A focuses on what control owners and auditors typically look for. According to the EY/Society for Corporate Governance study, roughly 90 percent of companies have DOA policies — but struggle with the training, enforcement, and evidence that auditors actually need to see.
A: DOA is a foundational control because it defines who can authorize high-impact actions (spend, contracts, payments, write-offs, access to privileged functions). Internal controls rely on clear authorization, consistent enforcement, and provable evidence. SOX Sections 302 and 404 specifically require management to certify that effective internal controls exist over financial reporting — and delegation of authority is a key component of those controls.
A: Based on our experience working with enterprise organizations, these are the five findings that appear most frequently:
A: It varies, but a strong evidence package for a sampled transaction includes five elements:
| Evidence Element | What It Proves | Common Gap |
|---|---|---|
| Transaction details (amount, type, date, entity) | What the commitment was | Usually available in system of record |
| Approval record (who approved, when, in what system) | That an approval happened | Usually available but may be in multiple systems |
| Authority rule reference (matrix/policy) | That the approval was required at this level | Often missing — systems capture approval but not the rule |
| As-of authority proof (delegation record + effective dates) | That the approver had authority on that specific date | Most common gap — requires versioned delegation history |
| Exception documentation (if applicable) | That deviations were approved and documented | Often handled via email with no formal record |
The as-of authority proof is where most organizations struggle. Without versioned delegation records with effective dates, you're forced to rely on after-the-fact attestations — which auditors view as a weaker form of evidence.
A: Because authority changes over time. A VP may have had authority last quarter but not after a re-org. Without a clear history (including effective start/end dates), you're forced to rely on after-the-fact attestations, which are weaker than a controlled record. West Monroe's research found that each request for additional analysis adds an average of three weeks of delay — and audit evidence reconstruction follows the same pattern of escalating time costs when records aren't proactive.
A: Segregation of duties (SoD) is about preventing one person from controlling an entire risky process end-to-end (e.g., request + approve + pay). DOA helps by:
Our recommendation: Build SoD validation into the authority change workflow itself. When a new delegation is requested, check whether it creates a conflict before it's approved — not after an auditor discovers it months later.
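The two ideas above, the as-of authority proof backed by versioned delegation records with effective dates, and SoD validation run at the moment a delegation is requested, can both be expressed over one small history store. The following is an added example, not Aptly's code and not part of the original Q&A; the record layout, the duty names (request / approve / pay), the "one duty per person per category" conflict rule, and the sample history are all assumptions constructed for illustration.

```python
"""As-of authority lookup and SoD conflict check over a versioned delegation
history.  Added illustration only: record layout, duty names and the conflict
rule are assumptions for this example, not any product's data model."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Delegation:
    """One versioned delegation record with effective dates.

    Superseded records are never deleted; they are closed by setting
    `effective_to`.  That retained history is what answers "did this person
    have authority on that date" after a re-org.  `effective_to` is None for
    an open-ended delegation."""
    approver: str
    category: str                 # e.g. "purchase", "payment", "write_off"
    limit: float                  # maximum amount the delegation covers
    duty: str                     # SoD duty granted: "request", "approve" or "pay"
    effective_from: date
    effective_to: Optional[date] = None
    source_version: str = "v1"    # authority matrix / policy version (rule reference)


def active_on(rec: Delegation, when: date) -> bool:
    """True if the record was in force on `when` (end date inclusive)."""
    if when < rec.effective_from:
        return False
    return rec.effective_to is None or when <= rec.effective_to


def overlaps(a: Delegation, b: Delegation) -> bool:
    """True if the two records' effective windows share at least one day."""
    start = max(a.effective_from, b.effective_from)
    ends = [d for d in (a.effective_to, b.effective_to) if d is not None]
    end = min(ends) if ends else None
    return end is None or start <= end


def as_of_authority(history, approver, category, amount, when):
    """Return the record proving `approver` could approve `amount` in
    `category` on `when`, or None if no such record was in force.

    This is the as-of authority proof element of the evidence package: the
    approval is paired with the specific versioned record and the rule
    version it came from, not with an after-the-fact attestation."""
    candidates = [
        r for r in history
        if r.approver == approver and r.category == category
        and r.duty == "approve" and active_on(r, when) and amount <= r.limit
    ]
    # If several records apply, cite the one with the highest limit.
    return max(candidates, key=lambda r: r.limit, default=None)


def sod_conflicts(history, proposed: Delegation):
    """Return existing records that would give `proposed.approver` a second
    duty in the same category during an overlapping period.

    Conflict rule (assumption for this example): a person may hold at most
    one of request / approve / pay per category at any time.  Run this when
    a delegation is requested, before it is issued."""
    return [
        r for r in history
        if r.approver == proposed.approver and r.category == proposed.category
        and r.duty != proposed.duty and overlaps(r, proposed)
    ]


def evidence_for(history, approver, category, amount, when):
    """Build the evidence an auditor would sample for one approval: the
    versioned record and rule reference that authorised it, or a finding."""
    rec = as_of_authority(history, approver, category, amount, when)
    if rec is None:
        return {"status": "finding",
                "reason": "no delegation covered this approval on that date"}
    return {"status": "supported",
            "record_version": rec.source_version,
            "limit": rec.limit,
            "effective_from": rec.effective_from.isoformat(),
            "effective_to": rec.effective_to.isoformat() if rec.effective_to else None}


# Constructed sample history (not real data): Dana held a 250k purchase
# approval limit until a re-org closed that delegation on 2024-03-31 and
# replaced it with a 50k limit; Lee holds open-ended purchase request duty.
HISTORY = [
    Delegation("dana", "purchase", 250_000, "approve", date(2023, 1, 1), date(2024, 3, 31), "matrix-2023.1"),
    Delegation("dana", "purchase", 50_000, "approve", date(2024, 4, 1), None, "matrix-2024.1"),
    Delegation("lee", "purchase", 100_000, "request", date(2023, 1, 1), None, "matrix-2023.1"),
]

if __name__ == "__main__":
    # Same approver, same amount, two dates: supported before the re-org, a finding after it.
    print(evidence_for(HISTORY, "dana", "purchase", 200_000, date(2024, 2, 15)))
    print(evidence_for(HISTORY, "dana", "purchase", 200_000, date(2024, 5, 1)))
    # Requesting approve duty for Lee would collide with Lee's existing request duty.
    print(sod_conflicts(HISTORY, Delegation("lee", "purchase", 100_000, "approve", date(2024, 6, 1))))
```

The point of closing records rather than overwriting them is visible in the two `evidence_for` calls: the same approver and amount is supported on one date and a finding on another, and each answer cites the matrix version in force at the time. The `sod_conflicts` check runs on the proposed record before it is added, which is the "before it's approved, not after an auditor discovers it" ordering the recommendation describes.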
A: The policy sets principles and governance. The operational source of truth is typically the authority matrix + delegation records + workflow enforcement.
In audits, policy is necessary, but the matrix and recorded delegations are what prove how decisions were authorized in practice.
A: Focus on three practical improvements:
A: Multiple regulatory frameworks either explicitly require or strongly imply a formal delegation of authority structure:
| Framework | Jurisdiction | DOA Relevance |
|---|---|---|
| SOX Sections 302 & 404 | United States | Requires effective internal controls including authorization controls for financial transactions |
| UK Corporate Governance Code (Provision 29) | United Kingdom | Requires boards to document delegated authorities to committees and management |
| MiFID II | European Union | Requires clear governance and decision-making authority for financial services firms |
| EU AI Act (Article 14) | European Union | Requires human oversight and authority structures for high-risk AI systems |
| APRA CPS 510 | Australia | Requires documented delegation frameworks for regulated financial institutions |
A: Aptly is built for the operational side of authority governance: controlled issuance of delegations, time-bound coverage, version history, and audit-ready logs. In audits, that typically means less time reconstructing history and fewer "manual evidence" cycles.