AP exceptions · Procure-to-Pay
Controls
SOX 404 · ICFR · COSO 2013 control framework overlay
Framework Coverage
COSO 2013AI Ready
100%
0 covered1 partial0 gap
ICFRAI Ready
100%
0 covered1 partial0 gap
SOX 404Governed
67%
0 covered2 partial1 gap
Control Mappings
Partial4 controls
SOX-P2P-003SOX 404
AP segregation of duties
segregation_of_duties
No periodic access review exists to confirm segregation is maintained.
SOX-P2P-001SOX 404
AP approval controls
approval_chain
Side-channel approvals create gaps in the audit trail.
ICFR-X-002ICFR
Exception escalation governance
exception_governance
Escalation relies on individual judgement rather than defined rules.
COSO-CA-001COSO 2013
Authorisation controls over transactions
approval_chain
No written policy governing AP authorisation thresholds.
Not Evidenced1 control
SOX-P2P-002SOX 404
Exception evidence retention
evidence_retention
No centralised evidence store for exception documentation.
SOX 404
Exception documentation not retained in systemhighevidence_retention
Supporting documentation for AP overrides and exceptions is held in email or locally. This prevents reconstruction of approval evidence during audit.
ACTIONImplement mandatory document attachment at the point of exception capture within the workflow system.
ICFR
Exception escalation path is undocumentedmediumexception_governance
AP exception escalation relies on individual judgement with no defined criteria or documented ownership transfer path.
ACTIONDefine and document escalation triggers, ownership rules, and resolution timeframes for AP exceptions.
COSO 2013
Authorisation thresholds not formally documentedmediumapproval_chain
AP approval authority exists in practice but thresholds are not written, communicated, or enforced by system controls.
ACTIONDocument authorisation matrix and configure system controls to enforce approval thresholds.