DOA and SOX/Internal Controls: What Auditors Actually Need (Q&A)

Q&A on how delegation of authority supports SOX and internal controls: evidence, version history, segregation of duties, and common audit findings.

Definition: DOA-related internal controls are the governance mechanisms — including authority matrices, delegation records, workflow enforcement, and evidence capture — that enable an organization to prove who authorized a commitment, under what rules, and with what evidence, at any point in time.

If you have been through a SOX or internal controls audit, you know the uncomfortable moment: your team can prove an approval happened, but it cannot easily prove the approver had authority at that time. That gap between "someone approved this" and "someone with the right authority approved this, and here is the proof" is where most audit findings originate.

The stakes are rising. The KPMG 2025 SOX Survey found that the average SOX program budget reached $2.3 million in FY24 — a 44 percent increase from $1.6 million just two years earlier. Program hours climbed 32 percent to 15,581 hours, and testing hours per individual control rose from 12 to 16. Despite that investment, only 17 percent of controls are automated, down from 21 percent in FY22. Organizations are spending more time and money on compliance while becoming less efficient at it.

This Q&A covers what control owners, auditors, and compliance leaders need to understand about the relationship between delegation of authority programs and internal controls. According to the EY/Society for Corporate Governance study, roughly 90 percent of companies maintain DOA policies — but many struggle with the training, enforcement, and evidence that auditors actually need to see. Only 54 percent document authority through both a board memo and a formal delegation of authority matrix, and 36 percent identify training as their single greatest challenge.

Q: How does a DOA program support SOX and internal controls?

A delegation of authority program establishes the foundational authorization controls that SOX compliance depends on to verify financial reporting integrity.

A: DOA is a foundational control because it defines who can authorize high-impact actions — spend commitments, contracts, payments, write-offs, and access to privileged functions. Internal controls rely on three things working together: clear authorization, consistent enforcement, and provable evidence. SOX Sections 302 and 404 specifically require management to certify that effective internal controls exist over financial reporting, and delegation of authority is a key component of those controls.

Definition: SOX Section 404 requires management to assess and report on the effectiveness of internal controls over financial reporting (ICFR). External auditors must independently attest to that assessment for accelerated and large accelerated filers.

The connection is direct. When a procurement manager approves a $500,000 purchase order, auditors need to verify not just that the approval happened, but that the organization's authority rules permitted that individual to approve that amount in that category at that time. Without a structured DOA program, that verification becomes a manual, time-consuming exercise — the kind of work that drives the KPMG finding that testing hours per control increased by 33 percent in just two years.

McKinsey's research on organizational decision-making found that Fortune 500 companies waste an estimated $250 million per year in management labor on ineffective decision processes, representing roughly 530,000 lost working days. While not every wasted hour is SOX-related, the pattern holds: unclear authority structures create cascading inefficiency across both operational and compliance processes.

Q: What are the most common DOA-related audit issues?

Segregation of duties failures are now the fastest-growing category of material weakness, surging from 34 percent to 59 percent of disclosures in just three years.

A: Based on our experience working with enterprise organizations and corroborated by KPMG's analysis of SEC filings, these are the findings that appear most frequently:

These patterns persist because many organizations still manage authority through disconnected spreadsheets and policy documents. KPMG found that 40 percent of compliance teams still rely on spreadsheets, and 73 percent use analytics tools only minimally for SOX testing. A purpose-built approach to maintaining a single source of truth for authority addresses these root causes systematically rather than reactively.

Q: What evidence do auditors usually want?

A complete audit evidence package proves not just that an approval happened, but that the right person approved under the right rules at the right time.

A: A strong evidence package for a sampled transaction includes five elements. The specific requirements vary by auditor and framework, but the pattern is consistent.

| Evidence element | What it proves | Common gap |
|---|---|---|
| Transaction details (amount, type, date, entity) | What the commitment was | Usually available in the system of record |
| Approval record (who approved, when, in what system) | That an approval happened | Usually available but may be scattered across multiple systems |
| Authority rule reference (matrix/policy version) | That the approval was required at this level | Often missing — systems capture the approval but not the rule that required it |
| As-of authority proof (delegation record + effective dates) | That the approver had authority on that specific date | Most common gap — requires versioned delegation history with effective date ranges |
| Exception documentation (if applicable) | That deviations were approved through proper channels | Often handled via email with no formal record or audit trail |

The as-of authority proof is where most organizations struggle. Without versioned delegation records with effective dates, teams are forced to rely on after-the-fact attestations — which auditors view as a weaker form of evidence. The Ponemon Institute found that organizations spend $14.82 million annually on non-compliance consequences, nearly three times the $5.47 million spent on compliance itself. Much of that gap traces to evidence reconstruction costs when proactive records do not exist. The GAO's 2025 SOX study illustrated this vividly: one audit committee member reported auditor hours ballooning from 3,000 in 2012 to 8,000 in 2024, with fees tripling — driven in large part by the time required to reconstruct authorization evidence that should have been captured proactively.

For organizations building their evidence frameworks from scratch, the DOA policy guide covers how to structure authority documentation so it naturally produces the evidence auditors expect.

Q: Why is "as-of" authority proof such a big deal?

Authority changes constantly through reorganizations, promotions, leaves, and policy updates — making point-in-time proof essential for every sampled transaction.

A: Authority is not static. A VP may have had approval authority last quarter but lost it after a reorganization. A regional director may have temporarily received expanded authority during a colleague's leave, but that delegation expired. Without a clear history showing who held what authority on what dates, audit teams must reconstruct authorization after the fact — a process that is both expensive and unreliable.

Definition: As-of authority proof is a verifiable record demonstrating that a specific individual held a specific delegation of authority on the exact date a transaction was authorized, including the delegation's effective start date, any conditions or limits, and the source policy or board action.
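The following is an added worked example, not Aptly's code or data model, showing how the "authority rule reference" and "as-of authority proof" rows of the evidence table above are produced from versioned delegation records: each delegation carries an effective window and the policy version that granted it, and a sampled transaction is checked against the delegations in force on its approval date. All people, amounts, dates and version labels are constructed for the example.

```python
"""Point-in-time ("as-of") authority check over versioned delegation records.

Added illustration; not Aptly's code. Every record below is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Delegation:
    delegate: str                 # who holds the authority
    category: str                 # e.g. "procurement"
    limit: float                  # maximum amount the delegate may approve
    effective_from: date
    effective_to: Optional[date]  # None means still open
    source: str                   # matrix/policy version or board action that granted it


@dataclass(frozen=True)
class Transaction:
    tx_id: str
    approver: str
    category: str
    amount: float
    approved_on: date


@dataclass(frozen=True)
class AsOfProof:
    tx_id: str
    authorized: bool
    rule_reference: Optional[str]  # the delegation version the decision rests on
    reason: str


def in_force(d: Delegation, on: date) -> bool:
    """A delegation counts only if the date falls inside its effective window."""
    if on < d.effective_from:
        return False
    return d.effective_to is None or on <= d.effective_to


def check_as_of(tx: Transaction, history: list) -> AsOfProof:
    """Find the delegations the approver held on the approval date and test the limit."""
    candidates = [d for d in history
                  if d.delegate == tx.approver and d.category == tx.category
                  and in_force(d, tx.approved_on)]
    if not candidates:
        return AsOfProof(tx.tx_id, False, None,
                         f"{tx.approver} held no {tx.category} authority on {tx.approved_on}")
    # Use the highest limit that was in force that day.
    best = max(candidates, key=lambda d: d.limit)
    if tx.amount > best.limit:
        return AsOfProof(tx.tx_id, False, best.source,
                         f"amount {tx.amount:,.2f} exceeds limit {best.limit:,.2f} under {best.source}")
    return AsOfProof(tx.tx_id, True, best.source,
                     "approver held sufficient authority on the approval date")


# Constructed history: a VP whose limit was cut in a reorganization, and a
# director who held temporary coverage that expired at month end.
HISTORY = [
    Delegation("vp.finance", "procurement", 1_000_000, date(2023, 1, 1), date(2024, 3, 31), "DOA-matrix-v7"),
    Delegation("vp.finance", "procurement", 250_000, date(2024, 4, 1), None, "DOA-matrix-v8"),
    Delegation("dir.region", "procurement", 500_000, date(2024, 2, 1), date(2024, 2, 29), "temp-delegation-2024-017"),
]

# Constructed audit sample.
SAMPLE = [
    Transaction("PO-1001", "vp.finance", "procurement", 500_000, date(2024, 3, 15)),  # within v7 limit
    Transaction("PO-1002", "vp.finance", "procurement", 500_000, date(2024, 4, 15)),  # exceeds v8 limit
    Transaction("PO-1003", "dir.region", "procurement", 400_000, date(2024, 3, 5)),   # coverage had expired
]


def audit_sample(sample: list, history: list) -> list:
    """Produce an as-of proof record for every sampled transaction."""
    return [check_as_of(tx, history) for tx in sample]


if __name__ == "__main__":
    for proof in audit_sample(SAMPLE, HISTORY):
        print(proof)
```

The two closed windows are what make the check answerable without after-the-fact attestation: the same approver is authorized for PO-1001 and not for PO-1002 purely because the matrix version in force changed between the two dates, and the result names that version as the rule reference.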

West Monroe's 2026 Speed Wins research found that 73 percent of C-suite executives believe halving decision cycle times would unlock at least five percent in additional revenue. The same principle applies to audit response: organizations that maintain continuous, versioned delegation records can respond to audit sample requests in hours rather than weeks. Each request for additional analysis adds an average of three weeks of delay, and audit evidence reconstruction follows the same escalating pattern.

The financial consequences of getting this wrong are severe. KPMG's analysis of SEC filings found that companies disclosing material weaknesses face audit fee increases of approximately 150 percent and spend an estimated $7.8 million on average to remediate each weakness — with an average remediation timeline of roughly one year. When Archer-Daniels-Midland announced an internal accounting investigation in January 2024, the disclosure triggered a 24 percent share price decline and wiped $8.8 billion from its market capitalization.

Q: How does segregation of duties connect to DOA?

Delegation of authority provides the structural framework that makes segregation of duties enforceable, auditable, and sustainable across the organization.

A: Segregation of duties (SoD) prevents one person from controlling an entire risky process end-to-end — for example, initiating a payment request, approving it, and executing the payment. DOA provides the structural framework that makes SoD enforceable by defining who can approve what, designing and enforcing separations between requestors, approvers, and executors, and documenting exceptions and compensating controls when perfect separation is not feasible.

Definition: Segregation of duties (SoD) is an internal control principle requiring that no single individual controls all phases of a transaction or process, reducing the risk of errors and fraud by distributing critical functions across multiple people.

The urgency here is data-driven. KPMG's material weakness analysis shows SoD failures are now present in the majority of material weakness disclosures, having grown from 34 percent of cases in FY21 to over 55 percent in FY23. RSM US's root cause analysis explicitly identifies "inadequate access controls, improper role definition, and segregation of duties conflicts" as common triggers. CFGI provides a specific example of a textbook failure: a controller who approves his or her own purchase requisitions — a delegation-of-authority design flaw that automated enforcement would prevent.

Build SoD validation into the authority change workflow itself. When a new delegation is requested, check whether it creates a conflict before it is approved — not after an auditor discovers it months later. For more on designing effective separations, see Preventing Unauthorized Signatures.
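As an added example (not Aptly's code), the check below runs at delegation-request time, as the paragraph above recommends: a proposed grant is compared against the functions the person already holds in the same process, and a conflict either blocks the request or is recorded as a documented exception with its compensating control. The conflict rules, processes and people are constructed for the example; the controller-approves-own-requisition case mirrors the CFGI example cited above.

```python
"""Segregation-of-duties check applied before a delegation is approved.

Added illustration; not Aptly's code. Rules and sample data are constructed.
"""
from dataclasses import dataclass, field

# Function pairs one person must not combine within the same process
# (constructed rule set based on the payment example in the text).
CONFLICT_RULES = {
    "payments": [("initiate", "approve"), ("approve", "execute"), ("initiate", "execute")],
    "purchasing": [("requisition", "approve")],
}


@dataclass
class Holdings:
    """Functions each person currently holds, keyed by person."""
    by_person: dict = field(default_factory=dict)

    def grant(self, person: str, process: str, function: str) -> None:
        self.by_person.setdefault(person, set()).add((process, function))

    def functions(self, person: str, process: str) -> set:
        return {f for (p, f) in self.by_person.get(person, set()) if p == process}


@dataclass(frozen=True)
class SodResult:
    allowed: bool
    conflicts: tuple   # (existing_function, requested_function) pairs
    note: str


def check_delegation_request(holdings: Holdings, person: str, process: str,
                             function: str, compensating_control: str = None) -> SodResult:
    """Decide whether granting `function` in `process` to `person` creates an SoD conflict."""
    existing = holdings.functions(person, process)
    found = []
    for a, b in CONFLICT_RULES.get(process, []):
        if function == b and a in existing:
            found.append((a, b))
        elif function == a and b in existing:
            found.append((b, a))
    if not found:
        return SodResult(True, (), "no SoD conflict")
    if compensating_control:
        # Imperfect separation is accepted only with a recorded compensating control.
        return SodResult(True, tuple(found),
                         f"conflict accepted as documented exception: {compensating_control}")
    return SodResult(False, tuple(found),
                     "blocked: one person would control conflicting steps of the process")


def demo() -> dict:
    """Constructed scenarios covering block, allow, and documented exception."""
    h = Holdings()
    h.grant("controller", "purchasing", "requisition")
    h.grant("ap.clerk", "payments", "initiate")
    h.grant("ap.manager", "payments", "approve")
    return {
        "controller_self_approve": check_delegation_request(h, "controller", "purchasing", "approve"),
        "clerk_approve": check_delegation_request(h, "ap.clerk", "payments", "approve"),
        "manager_execute_with_exception": check_delegation_request(
            h, "ap.manager", "payments", "execute",
            compensating_control="weekly review of executed payments; exception EX-2024-03"),
        "treasury_execute": check_delegation_request(h, "treasury", "payments", "execute"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Because the check runs on the request rather than on a periodic scan, the conflict is caught when the delegation is created, and the exception note becomes part of the delegation record that an auditor later samples.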

Q: What regulatory frameworks require delegation of authority?

SOX, the UK Corporate Governance Code, MiFID II, the EU AI Act, and APRA CPS 510 all require or strongly imply formal delegation of authority structures.

A: Multiple regulatory frameworks either explicitly require or strongly imply a formal delegation of authority structure. The landscape is expanding, not contracting — particularly with the UK's new Provision 29 requirements effective January 2026.

| Framework | Jurisdiction | DOA relevance |
|---|---|---|
| SOX Sections 302 & 404 | United States | Requires effective internal controls including authorization controls for financial transactions |
| UK Corporate Governance Code (Provision 29) | United Kingdom | Requires boards to declare effectiveness of all material controls — broader than SOX, covering operational and compliance controls. Effective for financial years beginning January 2026 |
| MiFID II | European Union | Requires clear governance and decision-making authority for financial services firms |
| EU AI Act (Article 14) | European Union | Requires human oversight and authority structures for high-risk AI systems |
| APRA CPS 510 | Australia | Requires documented delegation frameworks for regulated financial institutions |
| Basel Committee Guidelines | International | Requires clear delegation structures for banking supervision and risk management |

The UK Provision 29 development deserves special attention. Unlike SOX Section 404, which covers only internal controls over financial reporting, Provision 29 requires boards to declare the effectiveness of material controls spanning financial, operational, compliance, and reporting categories. PwC's September 2025 benchmarking exercise with nearly 100 companies found that zero percent rated themselves as fully prepared, with 50 percent at the midpoint of a five-point readiness scale. In January 2026, the UK government scrapped the Audit Reform and Corporate Governance Bill, making Provision 29 the primary mechanism for strengthening internal controls accountability — and elevating its significance for every London-listed company.

For organizations managing authority across multiple regulatory jurisdictions, a foundational DOA framework provides the structural consistency that satisfies overlapping requirements without duplicating effort.

Q: Should the DOA policy or the DOA matrix be the source of truth?

The policy sets governance principles; the matrix and delegation records are what auditors test against in practice.

A: The DOA policy establishes governance principles, ownership, scope, and the rules for how authority is managed across the organization. The operational source of truth is the authority matrix + delegation records + workflow enforcement — the artifacts that prove how decisions were authorized in practice.

In audits, auditors ask for both. The policy demonstrates that governance intent exists. The matrix and recorded delegations demonstrate that the intent was operationalized. The EY study found that 54 percent of companies use a combined memo-and-matrix format — but the critical factor is whether the matrix is actively maintained and enforced, not just documented. Organizations that manage their authority matrix in spreadsheets face particular risk: NorthRow's 2023 research found that 40 percent of compliance teams still rely on spreadsheets, and these tools cannot provide the version history, access controls, or enforcement capabilities that auditors increasingly expect. For a step-by-step approach, see How to Build a Delegation of Authority Matrix.

Q: What is the current state of material weakness disclosures?

Eight percent of public companies disclosed material weaknesses in FY24, with 31 percent of affected companies reporting weaknesses in multiple years — indicating persistent control failures.

A: Material weakness rates have climbed steadily. KPMG's analysis of 3,502 annual filings found that 279 companies — eight percent — disclosed material weaknesses in FY24, up from four percent in FY21 and seven percent in FY23. Over the five-year period from 2020 to 2024, 757 unique companies filed at least one material weakness disclosure, and 236 of those (31 percent) reported weaknesses in multiple years.

IPO companies face particularly acute exposure. KPMG's 2024 IPO Material Weakness Study found that 44 percent of 122 traditional IPOs that closed in 2023 reported material weaknesses in their initial registration filings. PwC's analysis covering 2019 through 2024 showed an average of 46 percent of companies going public disclosed at least one material weakness.

The PCAOB's March 2025 Spotlight on inspection activities reported that the overall deficiency rate fell to 39 percent, down from 46 percent in 2023. However, 68 percent of deficient engagements included an ICFR-related finding, and AS 2201 (the standard governing ICFR audits) remained the most frequently cited standard by a wide margin. Research published in the Journal of Accounting, Auditing, and Finance found that companies reporting material weaknesses are 12 to 48 percent more likely to experience future stock price crashes — underscoring why persistent weaknesses carry compounding market consequences. Organizations looking to strengthen their control posture can start with authority monitoring and reporting metrics that provide early warning of control drift.

Q: How should organizations modernize their SOX-related DOA controls?

Modernization requires shifting from manual, spreadsheet-driven authority management to automated, version-controlled systems that produce audit evidence as a byproduct of normal operations.

A: The automation gap is widening at precisely the wrong time. KPMG found that automated controls actually declined from 21 percent to 17 percent of total controls between FY22 and FY24, while the average number of in-scope systems more than doubled from 17 to 40. Organizations are responding to increasing complexity with manual processes — a fundamentally unsustainable approach.

Protiviti's 2023 SOX Compliance Survey found that 58 percent of organizations reported increased compliance hours and 74 percent were actively seeking further automation. Their 2024 SOX Innovation Poll confirmed that internal audit functions devote 47 percent of total time to SOX compliance alone. PwC's analysis established that a 15 percent increase in automation yields a 10 percent decrease in SOX compliance spending — a clear business case for technology investment. The broader GRC market reflects this demand — Grand View Research estimated it at $62.9 billion in 2024, growing to $135 billion by 2030 — but satisfaction with existing SOX technology plummeted from 92 to 58 percent between FY22 and FY24, signaling that general-purpose GRC platforms are not solving the specific authority management problem.

Definition: Controls rationalization is the process of evaluating and streamlining an organization's control portfolio to eliminate redundant or low-value controls while strengthening high-risk areas, reducing total testing burden without increasing risk exposure.

Deloitte's SOX Modernization framework identifies four pillars: operating model optimization, controls rationalization, program enhancement, and technology and automation. The delegation of authority program touches all four. Centralizing authority rules eliminates redundant controls across business units. Automating delegation workflows reduces manual testing hours. Maintaining version-controlled delegation records turns evidence production from a reactive audit exercise into a continuous byproduct of normal operations.

For a practical roadmap, the operating model for authority management covers how to structure governance, roles, and technology for sustainable compliance.

Q: What are the most common SOX-related DOA mistakes?

The costliest mistakes involve treating delegation of authority as a documentation exercise rather than an operational control that requires enforcement, monitoring, and version management.

A: These are the patterns we see most frequently in organizations facing audit findings:

Q: Where does Aptly help?

Aptly provides the operational infrastructure that turns delegation of authority from a documentation exercise into an enforceable, auditable, and continuously monitored control system.

A: Aptly is purpose-built for the operational side of authority governance: controlled issuance of delegations with defined effective dates, time-bound temporary coverage that expires automatically, complete version history for every authority change, and audit-ready evidence logs that satisfy as-of proof requirements without manual reconstruction.

In the context of SOX and internal controls, Aptly directly addresses the control gaps that drive the most common audit findings. Instead of reconstructing who had authority after the fact, the platform maintains a continuous, versioned record that auditors can query directly. Instead of relying on email-based delegations that never expire, temporary authority is scoped and time-limited by design. Instead of managing authority across disconnected spreadsheets and policy documents, a single system of record for decision rights ensures consistency across the organization.

For organizations evaluating their readiness, the embedding authority checks into workflows guide covers how to integrate authorization controls into existing business processes.

SOX and DOA: implementation checklist

Use this checklist to assess and strengthen the delegation-of-authority controls in your SOX compliance program.

Frequently asked questions

What is the difference between a material weakness and a significant deficiency?

A material weakness is a deficiency, or combination of deficiencies, in internal controls over financial reporting such that there is a reasonable possibility that a material misstatement of the financial statements will not be prevented or detected on a timely basis. A significant deficiency is less severe — it is a deficiency important enough to merit attention by those responsible for oversight but does not rise to the level of a material weakness. Both require remediation, but material weaknesses must be disclosed publicly and often trigger restatements, increased audit fees, and market consequences.

How long does it take to remediate a material weakness?

The average remediation timeline is approximately one year, with an estimated cost of $7.8 million per weakness. However, research published in Contemporary Accounting Research found that companies claiming remediation in less than one year are significantly more likely to experience recurrence, suggesting that rushing remediation often fails to address root causes.

Does SOX apply to private companies?

SOX Sections 302 and 404 apply to publicly traded companies registered with the SEC. However, many private companies adopt SOX-aligned controls voluntarily — particularly those preparing for IPO, those with institutional investors who expect governance rigor, and those operating in regulated industries. Given that 44 percent of traditional IPOs in 2023 reported material weaknesses in their initial filings, pre-IPO SOX readiness is increasingly recognized as essential.

How does Provision 29 differ from SOX Section 404?

SOX Section 404 requires management assessment and external auditor attestation of internal controls over financial reporting only. The UK's Provision 29, effective for financial years beginning January 2026, requires boards to declare the effectiveness of all material controls — financial, operational, compliance, and reporting — but operates on a comply-or-explain basis without mandatory external attestation.

What role does technology play in reducing SOX compliance costs?

PwC found that a 15 percent increase in automation can yield a 10 percent decrease in SOX compliance spending. However, KPMG's 2025 survey revealed that automated controls actually declined from 21 to 17 percent of total controls between FY22 and FY24, and satisfaction with SOX technology dropped from 92 to 58 percent over the same period — suggesting current tools are not meeting expectations.

How often should delegation of authority matrices be updated for SOX purposes?

At minimum, review and update the matrix with every organizational change (reorganization, leadership transition, M&A), every policy revision, and at least quarterly as a standing review. The KPMG finding that 31 percent of companies with material weaknesses report them in multiple years indicates that annual-only review cycles miss emerging control gaps.

What is the PCAOB's current focus regarding internal controls?

The PCAOB's 2024 inspection results showed an overall deficiency rate of 39 percent, with AS 2201 (ICFR audit) as the most frequently cited standard. Sixty-eight percent of deficient engagements included ICFR-related findings. Common deficiencies included insufficient testing of control design and operating effectiveness, and insufficient testing of controls over data accuracy and completeness.

Can delegation of authority software help with Provision 29 compliance?

Yes. Because Provision 29 extends beyond financial controls to operational and compliance controls, organizations need authority management across a broader scope than SOX requires. A centralized delegation platform provides the version-controlled records, SoD enforcement, and evidence production that boards need to make their annual effectiveness declarations with confidence.

Sources: KPMG 2025 SOX Survey (FY24 data, 146 participants); KPMG Material Weakness Trends (Audit Analytics, SEC EDGAR data); EY/Society for Corporate Governance 2025; GAO-25-107500 (June 2025); PCAOB 2024 Inspection Spotlight (March 2025); UK Corporate Governance Code 2024; Protiviti SOX Compliance Survey (2023) and Innovation Poll (2024); West Monroe Speed Wins (2026); McKinsey Decision-Making Research; Ponemon Institute/GlobalScape True Cost of Compliance (2018); Deloitte SOX Modernization Framework; Grand View Research GRC Market Report (2024); NorthRow Compliance Operations Research (2023); Journal of Accounting, Auditing, and Finance; Contemporary Accounting Research; PwC Provision 29 Readiness Benchmarking (September 2025); RSM US Material Weakness Root Cause Analysis; CFGI CFO's Guide to Material Weaknesses.
