With the continued emphasis on Sarbanes-Oxley and related regulatory mandates, managers are never far removed from the topic of internal control. And a recurring discussion topic revolves around responsibility—just who should own internal control?

It’s not an unreasonable query—penalties for failure to follow the dictates of Sarbanes-Oxley and related laws make compliance a personal and not just a corporate issue. In addition, organizations will spend prodigiously—at the rate of approximately $1 million for every $1 billion in revenue, according to analysts at AMR Research—to ensure compliance. With the personal and corporate stakes so high—in terms of both potential penalties and economic and reputational issues—it’s well worth considering where controls ownership is best vested.

Quick Review, Ownership

But before considering ownership, it’s helpful to review for a moment just what we mean by internal control, as the definition colors the debate.

Internal control is defined broadly as a process to help assure your organization’s objectives will be achieved. Internal control is most often thought of in the context of reliable financial reporting, such as transaction approvals, reconciliations and segregation of incompatible duties. But controls also can be operational, like quality controls, which help ensure consistent—and customer-pleasing—results, or actions to ensure new marketing initiatives or product introductions are executed as planned.

Internal control systems are broad-based, aiding companies in achieving:

Effectiveness and efficiency of your company’s wide-ranging operational activities

The reliability of financial reports

Compliance with all applicable laws and regulations

As such, internal control goes well beyond integrity in financial reporting—it extends to every goal a company has established for itself. While the Sarbanes-Oxley requirements cover only financial reporting controls, many organizations recognize the benefits of internal control and are extending their focus on control to all areas of their organization.

In many organizations, any of a number of groups have been identified as potential owners of internal control. Familiarity and expertise in examining and assessing controls make the internal audit staff a frequent candidate. Similarly, the IT security team—because of its role in identifying control issues and potential violations in enterprise resource planning and other applications—is sometimes thought of as an appropriate group for the job. And as has been noted in Compliance Week’s series of interviews with governance officers, the importance and relevance of a chief compliance officer or chief risk officer often causes those executives to be identified for ownership. And as the ultimate decision makers, the CEO and senior management—and even the board of directors—are other frequently identified internal control “owners.”

Audit

The belief that the internal audit group should own internal control is an understandable sentiment.

Auditors, after all, are experts on controls, and possess deep understanding of how they can be implemented—and circumvented. And the common misperception of internal controls as representing solely “financial checks and balances” furthers that stereotypical interpretation of auditing. In fact, many internal auditors have long focused as much if not more on operations and compliance risk and control issues.

But it is precisely because many internal audit functions have important responsibilities to evaluate and test risk management and control processes—verifying they are in place and ensuring their adequacy—that internal audit’s ownership of internal control is inappropriate.

The dual responsibility to both establish and verify the effectiveness of internal control would introduce a potential conflict. And, as discussed below, effectiveness of internal control is strengthened when responsibility rests elsewhere.

Security

Alternatively, because of the critical importance of IT security, some organizations look to the IT security staff for internal control ownership. It’s certainly true that a sound security foundation is a significant element in assuring compliance with a wide range of regulatory mandates, not just Sarbanes-Oxley. And the IT security staff can provide detailed and sophisticated operational support in implementing controls, especially in the context of complex, distributed applications and systems, dealing with such matters as network security, access to systems and data, protection against viruses and network attacks, and related security issues.

But IT security’s role, while an important element of internal control, doesn’t extend to ownership of business processes. The security team can uncover potential issues and identify violations of many internal controls; however, they are not in a position to make decisions regarding changes to roles and responsibilities and other actions needed to mitigate or remediate risks posed by a violation.

Those tasks are a function of both the absolute level of risk an organization is willing to accept—generally stated in terms of risk tolerance—and the specific assignments of individuals to roles and responsibilities.

Only management can answer those questions. The security team can be—and should be—instrumental in determining the “how” and “what” of IT-based internal controls, but the “who,” “extent” and “why” are a job for management.

Senior Staff Functions

Often, those heading important functions such as the chief compliance officer or chief risk officer are thought to be responsible for internal control.

There’s no question that in many companies these roles have taken on increasing importance in fulfilling important risk and control responsibilities. Each in their own way can be a catalyst and facilitator in ensuring that risk management and internal control processes are effectively designed and appropriately carried out and monitored.

But while their roles are important and sometimes critical in effecting internal control, they should not, as discussed below, have ultimate responsibility for an organization’s internal control.

Management

Having evaluated other candidates, it becomes increasingly clear that a company’s senior management is the most logical and appropriate owner of internal control. Business management’s ownership of internal control, however, doesn’t arise by default. It’s an inescapable conclusion from the consideration of many factors:

The judgment of numerous experts, as documented in the COSO Internal Control – Integrated Framework.

The dictates of law and regulation, including the Sarbanes-Oxley Act.

Executives’ job descriptions, which include as a basic responsibility the management of risk.

The genesis of the COSO Internal Control – Integrated Framework dates back to 1987 when the Treadway Commission (officially, the National Commission on Fraudulent Financial Reporting) called for development of a framework, including a common definition, of internal control in an effort to eliminate confusion and disagreements that had reigned among practitioners to that time.

Released in 1992 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), Internal Control – Integrated Framework has gone on to become accepted as the definitive statement on internal control. For management, regulators, auditors and others, it represents the standard against which an organization’s internal control is judged when assessing compliance with the provisions of the Sarbanes-Oxley Act.

The COSO internal control framework delivers a strong mandate for management ownership of internal control, defining it as a process carried out by an entity’s board of directors, management and indeed all personnel in an entity.

Management, however, is set forth as the owner, beginning with the CEO and with board of director oversight, and cascading to line and staff managers relative to their spheres of responsibility.

And because the CFO typically not only has responsibility for financial reporting, but also is a key player influencing control in all facets of the organization, the COSO framework emphasizes the importance of the CFO’s role.

Not surprisingly, Sarbanes-Oxley, along with related rules of the SEC and the Public Company Accounting Oversight Board—newly established by Sarbanes-Oxley—points to management’s responsibility for internal control. The rules require that the chief executive officer and chief financial officer of public companies report on the effectiveness of internal control over financial reporting. The rules require that:

Management must document the design of controls related to assertions for significant financial statement accounts and disclosures.

Management must test controls related to relevant assertions for significant financial statement accounts and disclosures.

Management must perform procedures to develop sufficient evidence and maintain documentation to support its assessment of the effectiveness of the company’s internal controls.

Relevant to our discussion is the constraint that management cannot delegate its responsibility to assess the company’s internal control to auditors or any other third party. The rules are clear—as a senior manager you may look to auditors and other parties for assistance, but ownership of the controls and the assessment process remains with you.

Management’s ownership of internal control indeed is long supported by experience with what works best in effective implementation and maintenance of internal control, and best practice offers compelling evidence that this is where ownership needs to be.

One of the underlying reasons is that an essential task of senior executives, with appropriate board of directors oversight, is managing risk and other potential events—events that can result in an opportunity the organization can profit from, or that may derail already established goals and operations. Having identified these events, management has prime responsibility, and indeed is best positioned, to mitigate the downside while taking advantage of the potential for upside gains.

Establishing Tone

How? To be sure, effective risk management and internal control begin with trust and openness, and the relationships among individuals throughout the organization including the board, senior executives, other managers and front-line employees. Indeed, it’s for that reason that a key aspect of compliance efforts focuses on the control environment, including the so-called “tone at the top,” involving executives’ willingness and ability to establish and maintain an environment in which internal controls can operate.

This environment is established with both the words and actions of top management, along with the organization structure, assignment of authority and responsibility, integrity and ethical values and other factors. The control environment serves as the foundation for the other components of internal control, where the enterprise’s people can identify, assess and respond to risks, and establish the internal controls necessary to ensure the company is moving towards achieving its financial reporting, compliance and broad-based business objectives.

The intrinsic relationship between internal control and management’s responsibility to run the business makes the case clear. If managers are to faithfully carry out their responsibilities, and excel in the operation of the business, they must take ownership of internal control.

Establishing goals and objectives, establishing standards and protocols, managing risk day-to-day and deploying and monitoring resources form the well-accepted basis for management’s control responsibilities.

In today’s environment, managers need to embrace ownership of all elements of internal control to gain the needed assurance the business is operating as planned, and moving towards achievement of the company’s goals.

The column solely reflects the views of its author, and should not be regarded as legal advice. It is for general information and discussion only, and is not a full analysis of the matters presented.