Senior management and the board of directors establish the organizational structure and reporting lines necessary to plan, execute, control, and periodically assess the activities of the entity; in other words, to carry out their oversight responsibilities. They are supported by the requisite processes and technology to provide for clear accountability and information flows within and across the overall entity and its subunits.
Entities are often structured along various dimensions. In particular:
• The management operating model may follow product or service lines to facilitate development of new products and services, optimize marketing activities, rationalize production, and improve customer service or other operational aspects.
• Legal entity structures are often designed to manage business risks, create favorable tax structures, and empower managers at foreign operations.
• Geographic markets may provide for further subdivisions or aggregations of performance.
• Entities also enter into a variety of relationships with outsourced service providers to support the achievement of objectives, which creates additional structures and reporting lines.

Each of these lenses may provide a different evaluation of the system of internal control. While the aggregation of risks along one dimension may indicate no issues, the view along a different dimension may show concentration risk around certain customer types, overreliance on a sole vendor, or other vulnerabilities. Ownership and accountability at each level of aggregation enables such multidimensional review and analysis.
Organizational structures evolve as the nature of the business evolves. Management therefore reviews and evaluates the structures for continued relevance, effectiveness, and efficiency in support of the internal control system. Consider, for example, a bank that reports performance results and internal control effectiveness by legal entity, business unit, or geography. If it does not regularly revisit its reporting to verify that it adequately reflects its current business model, it may fail to recognize the emergence of certain risks, the absence of appropriate controls, and the inadequacy of its reporting.

For each type of structure it operates (e.g., geographic market structure, business segment structure, legal entity structure), management designs and evaluates the lines of reporting so that responsibilities are carried out and information flows as needed. It also verifies that there is no conflict of interest inherent in the execution of responsibilities across the organization and its outsourced service providers. Variables to consider when establishing and evaluating organizational structures include the following:
• Nature, size, and geographic distribution of the entity’s business
• Risks related to the entity’s objectives and business processes, which may be retained internally or outsourced, and interconnections with outsourced service providers and business partners
• Nature of the assignment of authority and responsibility to top, operating unit, functional, and geographic management
• Definition of reporting lines (e.g., direct reporting/“solid line” versus secondary reporting/“dotted line”) and communication channels
• Financial, tax, regulatory, and other reporting requirements of relevant jurisdictions

Regardless of the organizational structure, the definitions and assignments of authority and responsibility, reporting lines, and communication channels must be clear to enable accountability over operating units and functional areas. For example, the board determines which senior management roles have at least a “dotted line” to the board of directors to allow for open communication to the board of all issues of importance. Similarly, direct reporting and informational reporting lines are defined at all levels of the organization. Responsibilities can generally be viewed as falling within three lines of defense against the failure to achieve the entity’s objectives, with oversight by the board of directors:
• Management and other personnel on the front line provide the first line of defense in day-to-day activities. They are responsible for maintaining effective internal control day to day, and they are compensated based on performance in relation to all applicable objectives.
• Business-enabling functions (also referred to as support functions) provide the second line of defense. They give guidance on internal control requirements and evaluate adherence to defined standards; while they are functionally aligned to the business, their compensation is not directly tied to the performance of the area to which they render expert advice.
• Internal auditors provide the third line of defense in assessing and reporting on internal control and recommending corrective actions or enhancements for management consideration and implementation; their position and compensation are separate and distinct from the business areas they review.

Periodic evaluation of existing structures in relation to the achievement of the entity’s objectives enables realignment with emerging priorities (e.g., new regulations) and rationalization (e.g., cutting across silos of different functions or operating units) to provide a comprehensive and integrated view of internal control.
Authorities and Responsibilities
The board of directors delegates authority and defines and assigns responsibility to senior management. In turn, senior management delegates authority and defines and assigns responsibility for the overall entity and its subunits. Authority and responsibility are delegated based on demonstrated competence, and roles are defined based on who is responsible for or kept informed of decisions. The board and/or senior management define the degree to which individuals and teams are authorized and encouraged, or limited, to pursue achievement of objectives or address issues as they arise.

Key roles and responsibilities assigned across the organization typically include the following:
• The board of directors stays informed and challenges senior management as necessary to provide guidance on significant decisions.
• Senior management, which includes the chief executive officer or equivalent organizational leader, is ultimately responsible to the board of directors and other stakeholders for establishing directives, guidance, and control to enable management and other personnel to understand and carry out their responsibilities.
• Management, which includes supervisors and decision-makers, executes senior management directives at the entity and its subunits.
• Personnel, which includes all employees of the entity, are expected to understand the entity’s standards of conduct, objectives as defined in relation to their area of responsibility, assessed risks to those objectives, related control activities at their respective levels of the entity, information and communication flow, and any monitoring activities relevant to achieving objectives.
• Management and personnel with direct responsibility over outsourced processes conducted by external service providers remain accountable for those processes. Outsourced service providers are provided with clear and concise contractual terms related to the entity’s objectives and expectations of conduct and performance, competence levels, expected information, and communication flow. They may execute business processes on behalf of or together with management, who remains responsible for internal control.

Organizations delegate authority and responsibility to enable management and other personnel to make decisions according to management’s directives toward the achievement of the entity’s objectives. An organization may define or revisit its structures by reducing layers of management, delegating more authority and responsibility to lower levels, or partnering with other organizations. For example, a sales organization may empower its managers to sell at a greater discount to gain market share. However, authority is delegated and responsibility is assigned only to those who demonstrate the competence to make adequate decisions; consistently adhere to the entity’s standards of conduct, policies, and procedures; and understand the consequences of the risks they take.
Delegation of authority provides greater agility, but it also increases the complexity of the risks to be managed. Senior management, with guidance from the board of directors, provides the basis for determining what is or is not acceptable, such as non-compliance with the organization’s regulatory or contractual obligations.