COSO Committee of Sponsoring Organizations of the Treadway Commission
Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
The following points of focus highlight important characteristics relating to this principle:
- Considers All Structures of the Entity—Management and the board of directors consider the multiple structures used (including operating units, legal entities, geographic distribution, and outsourced service providers) to support the achievement of objectives.
- Establishes Reporting Lines—Management designs and evaluates lines of reporting for each entity structure to enable execution of authorities and responsibilities and flow of information to manage the activities of the entity.
- Defines, Assigns, and Limits Authorities and Responsibilities—Management and the board of directors delegate authority, define responsibilities, and use appropriate processes and technology to assign responsibility and segregate duties as necessary at the various levels of the organization:
  - Board of Directors—Retains authority over significant decisions and reviews management's assignments and limitations of authorities and responsibilities
  - Senior Management—Establishes directives, guidance, and control to enable management and other personnel to understand and carry out their internal control responsibilities
  - Management—Guides and facilitates the execution of senior management directives within the entity and its subunits
  - Personnel—Understands the entity's standard of conduct, assessed risks to objectives, and the related control activities at their respective levels of the entity, the expected information and communication flow, and monitoring activities relevant to their achievement of objectives
  - Outsourced Service Providers—Adheres to management's definition of the scope of authority and responsibility for all non-employees engaged
Senior management and the board of directors establish the organizational structure and reporting lines necessary to plan, execute, control, and periodically assess the activities of the entity; in other words, to carry out their oversight responsibilities. They are supported by the requisite processes and technology to provide clear accountability and information flows within and across the overall entity and its subunits.
Entities are often structured along various dimensions. In particular:
- The management operating model may follow product or service lines to facilitate development of new products and services, optimize marketing activities, rationalize production, and improve customer service or other operational aspects.
- Legal entity structures are often designed to manage business risks, create favorable tax structures, and empower managers at foreign operations.
- Geographic markets may provide for further subdivisions or aggregations of performance.
- Entities also enter into a variety of relationships with outsourced service providers to support the achievement of objectives, which creates additional structures and reporting lines.
Each of these lenses may provide a different evaluation of the system of internal control. While the aggregation of risks along one dimension may indicate no issues, the view along a different dimension may show concentration risk around certain customer types, overreliance on a sole vendor, or other vulnerabilities. Ownership and accountability at each level of aggregation enables such multidimensional review and analysis.
Organizational structures evolve as the nature of the business evolves. Management therefore reviews and evaluates the structures for continued relevance and effectiveness and efficiency in support of the internal control system. Consider, for example, a bank that reports performance results and internal control effectiveness by legal entity, business unit, or geography. If it does not regularly revisit its reporting to verify that it adequately reflects its current business model, it may fail to recognize the emergence of certain risks, the absence of appropriate controls, and inadequacy of reporting.
For each type of structure it operates (e.g., geographic market structure, business segment structure, legal entity structure), management designs and evaluates the lines of reporting so that responsibilities are carried out and information flows as needed.
It also verifies there is no conflict of interest inherent in the execution of responsibilities across the organization and its outsourced service providers. Variables to consider when establishing and evaluating organizational structures include the following:
- Nature, size, and geographic distribution of the entity's business
- Risks related to the entity's objectives and business processes, which may be retained internally or outsourced, and interconnections with outsourced service providers and business partners
- Nature of the assignment of authority and responsibility to top, operating unit, functional, and geographic management
- Definition of reporting lines (e.g., direct reporting/"solid line" versus secondary report/"dotted line") and communication channels
- Financial, tax, regulatory, and other reporting requirements of relevant jurisdictions
Regardless of the organizational structure, definitions, and assignments of authority and responsibility, reporting lines and communication channels must be clear to enable accountability over operating units and functional areas. For example, the board determines which senior management roles have at least a "dotted line" to the board of directors to allow for open communication to the board of all issues of importance. Similarly, direct reporting and informational reporting lines are defined at all levels of the organization.
Responsibilities can generally be viewed as falling within three lines of defense against the failure to achieve the entity's objectives, with oversight by the board of directors:
- Management and other personnel on the front line provide the first line of defense in day-to-day activities. They are responsible for maintaining effective internal control day to day; they are compensated based on performance in relation to all applicable objectives.
- Business-enabling functions (also referred to as support functions) provide the second line of defense: they give guidance on internal control requirements and evaluate adherence to defined standards. While they are functionally aligned to the business, their compensation is not directly tied to the performance of the area to which they render expert advice.
- Internal auditors provide the third line of defense in assessing and reporting on internal control and recommending corrective actions or enhancements for management consideration and implementation; their position and compensation are separate and distinct from the business areas they review.
Periodic evaluation of existing structures in relation to the achievement of the entity's objectives enables realignment with emerging priorities (e.g., new regulations) and rationalization (e.g., cutting across silos of different functions or operating units) to provide a comprehensive and integrated view of internal control.
The board of directors delegates authority and defines and assigns responsibility to senior management. In turn, senior management delegates authority and defines and assigns responsibility for the overall entity and its subunits. Authority and responsibility are delegated based on demonstrated competence, and roles are defined based on who is responsible for or kept informed of decisions. The board and/or senior management define the degree to which individuals and teams are authorized and encouraged, or limited, to pursue achievement of objectives or address issues as they arise.
Key roles and responsibilities assigned across the organization typically include the following:
- The board of directors stays informed and challenges senior management as necessary to provide guidance on significant decisions.
- Senior management, which includes the chief executive officer or equivalent organizational leader, is ultimately responsible to the board of directors and other stakeholders for establishing directives, guidance, and control to enable management and other personnel to understand and carry out their responsibilities.
- Management, which includes supervisors and decision-makers, executes senior management directives at the entity and its subunits.
- Personnel, which includes all employees of the entity, are expected to understand the entity's standards of conduct, objectives as defined in relation to their area of responsibility, assessed risks to those objectives, related control activities at their respective levels of the entity, information and communication flow, and any monitoring activities relevant to achieving objectives.
- Management and personnel with direct responsibility over outsourced processes conducted by external service providers remain accountable for those processes. Outsourced service providers are provided with clear and concise contractual terms related to the entity's objectives and expectations of conduct and performance, competence levels, and expected information and communication flow. They may execute business processes on behalf of or together with management, who remains responsible for internal control.
Organizations delegate authority and responsibility to enable management and other personnel to make decisions according to management's directives toward the achievement of the entity's objectives. An organization may define or revisit its structures by reducing layers of management, delegating more authority and responsibility to lower levels, or partnering with other organizations. For example, a sales organization may empower its managers to sell at a greater discount to gain market share. However, the authority is delegated and responsibility is assigned only to those who demonstrate the competence to make adequate decisions; consistently adhere to the entity's standards of conduct, policies, and procedures; and understand the consequences of the risks they take.
Delegation of authority provides greater agility, but it also increases the complexity of risks to be managed. Senior management, with guidance from the board of directors, provides the basis for determining what is or is not acceptable, such as non-compliance with the organization's regulatory or contractual obligations.
Authority empowers people to act as needed in a given role, but it is also necessary to define the limitations of authority, so that:
- Delegation occurs only to the extent required to achieve the entity's objectives (e.g., review and approval of new products involves the requisite business and support functions, separate from the sales execution team).
- Inappropriate risks are not accepted (e.g., a new vendor is not taken on without the requisite due diligence review).
- Duties are segregated to reduce the risk of inappropriate conduct in the pursuit of objectives, and requisite checks and balances occur from the highest to the lowest levels of the organization (e.g., defining roles, responsibilities, and performance measures in a manner to reduce any potential for conflicts of interest).
- Technology is leveraged as appropriate to facilitate the definition and limitation of roles and responsibilities within the workflow of business processes (e.g., different access levels to enterprise resource planning systems at corporate and subsidiary levels; access privileges granted to on-line customers, business partners, and others).
- Third-party service providers who are tasked with carrying out activities on behalf of an entity understand the extent of their decision-making rights.
Generated November 9, 2014 22:46:48