Preapproval Requirements

SOX Section 202 requires your audit committee to preapprove every engagement with the external auditor—both audit and permissible non-audit services—before any work starts. To operationalize it, implement a documented intake and approval workflow, define approval authorities (full committee vs. delegated), and retain evidence that approval occurred prior to service delivery [1].

Key takeaways:

  • The control objective is timing and authority: audit committee approval must happen before services are rendered [1].
  • Build a single front door for auditor-related requests, with clear service categories, preapproval thresholds, and a no-retroactive-approval rule.
  • Exams and audits focus on completeness (no “side” engagements) and proof (dated approvals tied to invoices/SOWs).

“Preapproval requirements” under SOX Section 202 sound simple, but teams fail them in predictable ways: the business starts “just a little” work with the auditor, an invoice shows up later, and someone tries to paper it after the fact. The requirement is strict on sequence. Approval must happen before the auditor performs the work, and the approving body is the audit committee [1].

For a CCO, GRC lead, or SOX program owner, the operational challenge is less about legal interpretation and more about workflow design. You need a process that catches every request for external-auditor services, routes it to the right approver quickly, and produces durable evidence that stands up to internal audit, external audit, and audit committee scrutiny. You also need to keep scope creep under control: “audit” work, permissible non-audit services, and anything that looks like an add-on must all flow through the same gate.

This page gives requirement-level implementation guidance you can put into production: who must follow the process, how to structure approvals, what artifacts to retain, and what typically breaks during audits.

Regulatory text

Requirement excerpt: “All auditing services and non-audit services must be preapproved by the audit committee before the services are rendered.” [1]

Operator interpretation (what this means in practice):

  • No work begins without approval. The audit committee’s approval must be dated and recorded before the auditor performs the service [1].
  • Scope is broad. It covers audit services and non-audit services provided by the external auditor [1].
  • The audit committee owns the decision. Management can prepare the request and recommendation, but the approval authority sits with the audit committee [1].

If you remember one test: if the auditor could invoice for it, your audit committee should have approved it beforehand.

Plain-English interpretation of the preapproval requirement

SOX Section 202 is an oversight control. It forces a governance check before the external auditor takes on any paid work for the issuer, the core audit included. The audit committee must know what the auditor is doing, what it costs, and why it is appropriate before the auditor starts [1].

This is not a “policy on paper” requirement. It is a transaction-level control that must operate each time services are requested.

Who it applies to

Entities

  • Public companies (issuers) with an audit committee responsible for oversight of the external auditor [1].
  • Registered public accounting firms providing services to issuers, because they will be asked to confirm preapproval and align their billing and engagement processes [1].

Operational context (where it shows up)

  • New audit-related projects: comfort letters, audit-related attestations, reviews tied to filings.
  • Requests for non-audit work that may be permissible but still requires audit committee preapproval [1].
  • “Change orders” to existing engagements, expanded scope, or added hours.
  • Global subsidiaries engaging the group auditor’s network firm for local work. If it’s your external auditor (or under that umbrella) performing services for the issuer, route it through the same preapproval gate.

What you actually need to do (step-by-step)

1) Establish a single intake channel for all auditor services

Create one controlled path for requesting any service from the external auditor:

  • A standardized request form (ticket, workflow, or template) that business units must use.
  • A clear statement: no PO, no SOW, no kickoff until audit committee preapproval is documented [1].

Practical tip: Put Accounts Payable on notice that invoices from the external auditor require a preapproval reference ID before payment.

2) Define service categories and what “counts”

Build a service catalog to prevent “creative naming”:

  • Audit services
  • Permissible non-audit services (your process should still require preapproval for these) [1]

Keep the catalog mapped to how the audit firm describes services on engagement letters and invoices. Your control fails if your internal categories don’t match the billing line items.

3) Define approval authority and meeting cadence mechanics

Your audit committee must preapprove before services are rendered [1]. Operationally, you need a method that works between meetings:

  • Schedule standing agenda time for approvals.
  • If your committee uses delegated authority (common in practice, and the statute itself permits delegation to one or more independent members of the committee, with delegated decisions presented to the full committee at its scheduled meetings [1]), document:
    • who can approve on behalf of the committee,
    • what must be reported back to the full committee,
    • how quickly ratification happens.

Don’t rely on informal email trails without a defined recordkeeping method. If email is used, standardize it and archive it to your official repository.

4) Implement “preapproval-before-start” gates in procurement and the auditor engagement process

Add hard stops:

  • Procurement cannot issue a PO to the auditor without an approval record.
  • The auditor cannot begin work without receiving proof of preapproval (include this requirement in engagement kickoff checklists).
  • Changes in scope trigger a new approval workflow before additional work begins.

A common control design: require a preapproval ID on (1) the engagement letter/SOW, (2) the PO, and (3) the invoice.

5) Track spend and scope against approvals

Approvals should include enough detail to manage drift:

  • approved services description,
  • approved fee or fee cap,
  • timeframe/period covered,
  • engagement owner.

If actuals are trending beyond the approval, treat it as a change order requiring preapproval before incremental work begins.
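The gates in steps 4 and 5 only work if someone actually runs the check. The following is an added example (not code from this page or from Daydream) of the reconciliation a GRC team would run monthly against exported approval and invoice records: every auditor invoice must carry a preapproval ID that is on file, the invoice's earliest service date must not precede the approval date or fall after the approved period, and cumulative billings must stay under the approved fee cap. The record layout, field names, and sample data are constructed for illustration; map them to whatever your board portal and AP system export.

```python
"""Reconcile external-auditor invoices against audit committee preapprovals.

Added example. The record layout (Approval / Invoice fields) and the sample
data below are assumptions, not an export format from any real system.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from decimal import Decimal
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Approval:
    approval_id: str      # reference ID printed on the SOW, PO and invoice
    engagement: str       # specific engagement, not a blanket category
    category: str         # "audit" or "non-audit"
    approved_on: date     # date of the committee vote or delegated approval
    period_end: date      # last day the approval covers
    fee_cap: Decimal      # approved fee or fee cap


@dataclass(frozen=True)
class Invoice:
    invoice_no: str
    approval_id: Optional[str]   # None models an invoice with no reference
    service_start: date          # earliest date work was performed
    amount: Decimal


@dataclass(frozen=True)
class Finding:
    invoice_no: str
    code: str     # NO_PREAPPROVAL | WORK_BEFORE_APPROVAL | OUTSIDE_PERIOD | OVER_CAP
    detail: str


def reconcile(approvals: List[Approval], invoices: List[Invoice]) -> List[Finding]:
    """Return one Finding per control break; an empty list means clean."""
    by_id: Dict[str, Approval] = {a.approval_id: a for a in approvals}
    spend: Dict[str, Decimal] = defaultdict(Decimal)
    findings: List[Finding] = []

    # Process in service-date order so the fee cap trips on the first
    # invoice that pushes cumulative billings over the approved amount.
    for inv in sorted(invoices, key=lambda i: i.service_start):
        ap = by_id.get(inv.approval_id) if inv.approval_id else None
        if ap is None:
            # Completeness break: a "side" engagement or a missing reference.
            findings.append(Finding(inv.invoice_no, "NO_PREAPPROVAL",
                                    f"approval_id={inv.approval_id!r} not on file"))
            continue
        if inv.service_start < ap.approved_on:
            # Timing break: work started before the committee approved it.
            findings.append(Finding(inv.invoice_no, "WORK_BEFORE_APPROVAL",
                                    f"work began {inv.service_start}, approved {ap.approved_on}"))
        if inv.service_start > ap.period_end:
            findings.append(Finding(inv.invoice_no, "OUTSIDE_PERIOD",
                                    f"work began {inv.service_start}, period ended {ap.period_end}"))
        spend[ap.approval_id] += inv.amount
        if spend[ap.approval_id] > ap.fee_cap:
            # Scope break: treat as a change order that needed preapproval.
            findings.append(Finding(inv.invoice_no, "OVER_CAP",
                                    f"cumulative {spend[ap.approval_id]} exceeds cap {ap.fee_cap} on {ap.approval_id}"))
    return findings


# Constructed sample data (not real engagements or fees).
APPROVALS = [
    Approval("AC-2024-001", "FY2024 integrated audit", "audit",
             date(2024, 3, 12), date(2025, 3, 31), Decimal("1500000")),
    Approval("AC-2024-007", "Comfort letter, Q3 debt offering", "audit",
             date(2024, 8, 20), date(2024, 10, 31), Decimal("40000")),
]

INVOICES = [
    Invoice("INV-1001", "AC-2024-001", date(2024, 4, 1), Decimal("250000")),  # clean
    Invoice("INV-1055", "AC-2024-007", date(2024, 8, 14), Decimal("25000")),  # started 6 days before approval
    Invoice("INV-1061", "AC-2024-007", date(2024, 9, 3), Decimal("20000")),   # pushes total to 45000 > 40000
    Invoice("INV-1078", None, date(2024, 9, 15), Decimal("12000")),           # no preapproval reference
]

if __name__ == "__main__":
    for f in reconcile(APPROVALS, INVOICES):
        print(f"{f.invoice_no}: {f.code} ({f.detail})")
```

Run it as-is and it reports three breaks (one each of timing, fee cap, and completeness) and nothing on the clean invoice. Each finding maps to an exceptions-protocol entry: `NO_PREAPPROVAL` is the completeness question auditors ask first, `WORK_BEFORE_APPROVAL` is the retroactive-approval failure the statute is sensitive to, and `OVER_CAP` is the change-order trigger from step 5. Feeding the output into the periodic audit committee report in step 6 closes the loop.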

6) Close the loop with periodic audit committee reporting

Give the audit committee visibility into:

  • approvals granted since the last meeting,
  • cumulative fees by category,
  • exceptions (requests rejected, or any process breaks detected).

This turns preapproval into active oversight rather than a rubber stamp.

7) Build an exceptions protocol (and make it painful)

SOX 202 is sensitive to retroactive approvals because the timing is explicit [1]. Your protocol should:

  • define what counts as an exception,
  • require escalation to the audit committee chair and CCO/General Counsel,
  • require root-cause analysis,
  • require remediation (process change, training, AP block).

Goal: prevent recurrence, not “explain it away.”

Required evidence and artifacts to retain

Keep artifacts that prove who approved what, and when, tied to the actual engagement and spend:

Core artifacts

  • Audit committee preapproval policy/procedure referencing preapproval before services are rendered [1].
  • Audit committee minutes or written consents showing preapproval, with date/time.
  • Delegation-of-authority documentation if the committee delegates preapproval decisions, plus reporting/ratification records.
  • Service request intake form or ticket (requester, business justification, service category).
  • Engagement letter/SOW and any change orders, linked to the approval record.
  • PO and invoice records showing the approval reference.

Evidence quality expectations

  • Date stamps must show approval occurred before kickoff/work performed [1].
  • The approval scope must match what was delivered and billed.
  • Records must be searchable by engagement, period, and service category.

If you’re managing this in Daydream, structure the control so each engagement record links request → approval → contract → invoices → committee reporting in one place. That linkage is what reduces scramble during audit sampling.

Common exam/audit questions and hangups

Expect auditors and regulators (or internal audit) to test these areas:

  1. Completeness: “How do you ensure all services by the external auditor are captured?”
    Hangup: side arrangements by finance teams or subsidiaries.

  2. Timing: “Show me evidence approval happened before work started.”
    Hangup: approvals dated after kickoff, or approvals that reference only a general category, not a specific engagement.

  3. Scope and change control: “How do you handle scope creep and overages?”
    Hangup: additional hours worked without a new approval.

  4. Authority: “Who can approve, and where is that documented?”
    Hangup: approvals by management, or informal approvals that do not clearly represent the audit committee [1].

  5. Record retention: “Where are approvals stored, and can you retrieve them quickly?”
    Hangup: approvals scattered across email, board portal, procurement tools, and shared drives.

Frequent implementation mistakes (and how to avoid them)

  • Mistake: treating preapproval as an annual blanket approval with no linkage to real engagements.
    Fix: require an approval record that references the specific engagement/SOW and period, then reconcile it to invoices.

  • Mistake: retroactive approvals after the auditor has started work.
    Fix: add procurement and AP blocks, plus an auditor kickoff checklist requiring proof of approval [1].

  • Mistake: approvals that are too vague to test.
    Fix: force structured fields: service description, fees/cap, timeframe, and responsible owner.

  • Mistake: missing change-order governance.
    Fix: define what triggers re-approval (expanded scope, new deliverables, or incremental fees) and route it before extra work begins.

  • Mistake: subsidiaries bypass the process.
    Fix: publish a policy statement that any engagement of the group auditor (or its affiliates) by any controlled entity must go through the central intake.

Enforcement context and risk implications

No public enforcement cases were provided in the source catalog for this requirement, so this page does not cite specific actions.

Operationally, the risk is straightforward:

  • Independence and governance risk: unmanaged non-audit work can create perceived or actual conflicts that the audit committee did not evaluate in advance.
  • Financial reporting risk: unapproved engagements can create control failures that surface during SOX testing, external audit scrutiny, or audit committee oversight reviews.
  • Board risk: failures put audit committee oversight under a microscope because the committee is the named approving authority [1].

Practical execution plan (30/60/90-day)

No time-to-implement claims are implied here; this is a sequencing plan you can adapt.

First 30 days (Immediate stabilization)

  • Inventory all current external auditor engagements, including informal or pending requests.
  • Implement an interim rule: no new work begins without written audit committee preapproval evidence [1].
  • Stand up a basic intake form and an approval log (even a controlled spreadsheet is acceptable as a stopgap).
  • Align AP: require an approval reference for payment of auditor invoices.

Days 31–60 (Process hardening)

  • Publish a formal preapproval procedure, including service categories and a change-order trigger.
  • Implement delegation/ratification mechanics if the audit committee needs between-meeting approvals.
  • Build the procurement gate: PO issuance requires an approval record.
  • Establish a recurring audit committee report format: approvals granted, spend vs. approved, exceptions.

Days 61–90 (Operational maturity)

  • Centralize recordkeeping in a system of record (board portal + GRC/workflow tooling) so sampling is fast.
  • Add monitoring: monthly reconciliation of auditor invoices to approvals and approved caps.
  • Run tabletop tests: pick a sample engagement and prove you can produce request → approval → SOW → invoice with correct dates.
  • Train finance, procurement, and subsidiary controllers on the “single front door” rule.

Frequently Asked Questions

Does SOX Section 202 apply only to non-audit services?

No. The text requires preapproval for “all auditing services and non-audit services” before they are rendered [1]. Route every external-auditor engagement through the same approval process.

Can management preapprove if the audit committee is busy?

The requirement assigns preapproval to the audit committee, not to management [1]. If you need faster turnaround, document a committee-approved delegation to one or more independent committee members, and retain evidence of each delegated approval and of its presentation to the full committee at its next scheduled meeting.

What counts as “before the services are rendered” in practice?

Treat it as “before kickoff and before any billable work starts” because you must prove approval timing [1]. Set procurement and auditor kickoff gates to prevent work from starting without a recorded approval.

Do we need separate approvals for change orders or extra hours?

If the additional work changes scope or increases fees beyond what the audit committee approved, treat it as a new request and obtain preapproval before the incremental work begins. Build this trigger into your engagement management checklist.

Where should we store the evidence—board portal, procurement system, or GRC tool?

Store it where you can produce a complete, dated chain from request through approval to invoicing. Many teams keep approvals in the board portal and mirror key fields into a GRC system (for example, Daydream) to tie them to SOWs and invoices.

What if we discover an engagement started without preapproval?

Escalate to the audit committee chair and document the exception, root cause, and remediation steps. Avoid “papering” it quietly; the control objective is that approval precedes the work [1].

Footnotes

  [1] Public Law 107-204 (Sarbanes-Oxley Act of 2002), Section 202.
