This slide compilation will introduce viewers to COSO’s Internal Control – Integrated Framework for establishing an effective system of internal control, and will delve deeper with a summary of the Three Lines of Defense Model in assigning roles and responsibilities among the organization’s employees, managers, and board members. The roles and responsibilities within an organization can easily become commingled, confused, or simply overlooked. This is particularly true in small and medium sized organizations where board members are new or are volunteers, and where employees are tasked with performing functions outside their normal job duties.
In 2013, COSO released their update to the COSO 1992 framework. This framework is used widely by public companies for SEC compliance. After working on updating their compliance efforts, many users are having discussions with their financial auditors about the use of the new standard.
This presentation looks at the needs of the auditor in understanding internal control and its documentation.
Improving and Implementing Internal ControlsTommy Seah
Implementing and Improving Internal Controls
Articulating the increasing need for comprehensive in-house fraud control procedures
• Optimizing the accuracy and reliability of data acquired through internal inspections
• Detailing the process of applying controls inside the organization, and demonstrating the outcome
In 2013, COSO released their update to the COSO 1992 framework. This framework is used widely by public companies for SEC compliance. After working on updating their compliance efforts, many users are having discussions with their financial auditors about the use of the new standard.
This presentation looks at the needs of the auditor in understanding internal control and its documentation.
Improving and Implementing Internal ControlsTommy Seah
Implementing and Improving Internal Controls
Articulating the increasing need for comprehensive in-house fraud control procedures
• Optimizing the accuracy and reliability of data acquired through internal inspections
• Detailing the process of applying controls inside the organization, and demonstrating the outcome
Effective Internal Controls (Annotated) by @EricPesikEric Pesik
Instilling good governance and ensuring full compliance with an effective internal control program. Presented at Corruption and Compliance South & South East Asia Summit, September 2012, Hilton Hotel, Singapore.
COSO Implementation: Getting Real, Getting It RightBlackLine
Join this webcast featuring senior-level financial executives with deep knowledge of the updated internal control framework released by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Hear first-hand how Pfizer, Raytheon and Dow have implemented the updated framework (which will supersede COSO’s original 1992 guidelines at the end of this year).
Presentation to the Austin ISACA Chapter on best practices in the art of organizational change. Focused on COBIT BAI05 - Organizational Change Enablement - March 1, 2016
COSO's Internal Control - Integrated Framework.
Includes:
Objectives;
Components;
Principles relating to the components and
Point of Focus assisting users in determining whether the principles are present and functioning
How do auditors gain an understanding of the internal controls in an.pdfirshadkumar3
How do auditors gain an understanding of the internal controls in an IT environment?
Solution
The control environment is the foundation on which an effective system of internal control is
built and operated in an organization that strives to
(1) achieve its strategic objectives,
(2) provide reliable financial reporting to internal and external stakeholders,
(3) operate its business efficiently and effectively,
(4) comply with all applicable laws and regulations, and
(5) safeguard its assets.
Most of the well-publicized failures (including not only Enron and WorldCom, but also the
governance failures that led to the 2008 financial crisis) were, at least in part, the result of weak
control environments.
The control environment includes the following elements:
• Integrity and ethical values.
• Management philosophy and operating style.
• Organizational structure.
• Assignment of authority and responsibility.
• Human resource policies and practices.
• Competence of personnel.
Central to any approach to auditing the control environment is the assessment of risks from
failure of each one of the six individual control environment elements as defined in the glossary
of the Standards. Upon determining the risks relating to each one of the six control environment
elements, the chief audit executive (CAE) may consider including in his or her annual audit plan
one or more failures can miss the fundamental aspects of the organization’s foundation..
Effective Internal Controls (Annotated) by @EricPesikEric Pesik
Instilling good governance and ensuring full compliance with an effective internal control program. Presented at Corruption and Compliance South & South East Asia Summit, September 2012, Hilton Hotel, Singapore.
COSO Implementation: Getting Real, Getting It RightBlackLine
Join this webcast featuring senior-level financial executives with deep knowledge of the updated internal control framework released by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Hear first-hand how Pfizer, Raytheon and Dow have implemented the updated framework (which will supersede COSO’s original 1992 guidelines at the end of this year).
Presentation to the Austin ISACA Chapter on best practices in the art of organizational change. Focused on COBIT BAI05 - Organizational Change Enablement - March 1, 2016
COSO's Internal Control - Integrated Framework.
Includes:
Objectives;
Components;
Principles relating to the components and
Point of Focus assisting users in determining whether the principles are present and functioning
How do auditors gain an understanding of the internal controls in an.pdfirshadkumar3
How do auditors gain an understanding of the internal controls in an IT environment?
Solution
The control environment is the foundation on which an effective system of internal control is
built and operated in an organization that strives to
(1) achieve its strategic objectives,
(2) provide reliable financial reporting to internal and external stakeholders,
(3) operate its business efficiently and effectively,
(4) comply with all applicable laws and regulations, and
(5) safeguard its assets.
Most of the well-publicized failures (including not only Enron and WorldCom, but also the
governance failures that led to the 2008 financial crisis) were, at least in part, the result of weak
control environments.
The control environment includes the following elements:
• Integrity and ethical values.
• Management philosophy and operating style.
• Organizational structure.
• Assignment of authority and responsibility.
• Human resource policies and practices.
• Competence of personnel.
Central to any approach to auditing the control environment is the assessment of risks from
failure of each one of the six individual control environment elements as defined in the glossary
of the Standards. Upon determining the risks relating to each one of the six control environment
elements, the chief audit executive (CAE) may consider including in his or her annual audit plan
one or more failures can miss the fundamental aspects of the organization’s foundation..
Internal auditing departments are led by a chief audit executive ("CAE") who generally reports to the audit committee of the board of directors, with administrative reporting to the chief executive officer (In the United States this reporting relationship is required by law for publicly traded companies).
Are You Ready? Implementing COSO's Updated Internal Controls FrameworkBlackLine
In this webinar, Bob Hirth, COSO Chair, will provide a brief overview of the new COSO Framework, followed by an interactive discussion around the December 15 deadline set by COSO and what this means for companies that have – and have not yet – implemented the updated framework.
In addition, participants will hear what is required under the new COSO Framework, and how those requirements relate to SEC rules for determining if the system of internal controls over financial reporting is “effective,” specifically for purposes of Sarbanes-Oxley reporting.
In this session we will discuss:
- Best practices and lessons learned working with clients as they transition to the new COSO Framework along with industry adoption rates
- How adoption of COSO 2013 provides an opportunity for companies to review and potentially improve internal controls
- How financial management software can streamline the mapping, documenting, and testing activities relating to COSO 2013
Senior Project and Engineering Leader Jim Smith.pdfJim Smith
I am a Project and Engineering Leader with extensive experience as a Business Operations Leader, Technical Project Manager, Engineering Manager and Operations Experience for Domestic and International companies such as Electrolux, Carrier, and Deutz. I have developed new products using Stage Gate development/MS Project/JIRA, for the pro-duction of Medical Equipment, Large Commercial Refrigeration Systems, Appliances, HVAC, and Diesel engines.
My experience includes:
Managed customized engineered refrigeration system projects with high voltage power panels from quote to ship, coordinating actions between electrical engineering, mechanical design and application engineering, purchasing, production, test, quality assurance and field installation. Managed projects $25k to $1M per project; 4-8 per month. (Hussmann refrigeration)
Successfully developed the $15-20M yearly corporate capital strategy for manufacturing, with the Executive Team and key stakeholders. Created project scope and specifications, business case, ROI, managed project plans with key personnel for nine consumer product manufacturing and distribution sites; to support the company’s strategic sales plan.
Over 15 years of experience managing and developing cost improvement projects with key Stakeholders, site Manufacturing Engineers, Mechanical Engineers, Maintenance, and facility support personnel to optimize pro-duction operations, safety, EHS, and new product development. (BioLab, Deutz, Caire)
Experience working as a Technical Manager developing new products with chemical engineers and packaging engineers to enhance and reduce the cost of retail products. I have led the activities of multiple engineering groups with diverse backgrounds.
Great experience managing the product development of products which utilize complex electrical controls, high voltage power panels, product testing, and commissioning.
Created project scope, business case, ROI for multiple capital projects to support electrotechnical assembly and CPG goods. Identified project cost, risk, success criteria, and performed equipment qualifications. (Carrier, Electrolux, Biolab, Price, Hussmann)
Created detailed projects plans using MS Project, Gant charts in excel, and updated new product development in Jira for stakeholders and project team members including critical path.
Great knowledge of ISO9001, NFPA, OSHA regulations.
User level knowledge of MRP/SAP, MS Project, Powerpoint, Visio, Mastercontrol, JIRA, Power BI and Tableau.
I appreciate your consideration, and look forward to discussing this role with you, and how I can lead your company’s growth and profitability. I can be contacted via LinkedIn via phone or E Mail.
Jim Smith
678-993-7195
jimsmith30024@gmail.com
The case study discusses the potential of drone delivery and the challenges that need to be addressed before it becomes widespread.
Key takeaways:
Drone delivery is in its early stages: Amazon's trial in the UK demonstrates the potential for faster deliveries, but it's still limited by regulations and technology.
Regulations are a major hurdle: Safety concerns around drone collisions with airplanes and people have led to restrictions on flight height and location.
Other challenges exist: Who will use drone delivery the most? Is it cost-effective compared to traditional delivery trucks?
Discussion questions:
Managerial challenges: Integrating drones requires planning for new infrastructure, training staff, and navigating regulations. There are also marketing and recruitment considerations specific to this technology.
External forces vary by country: Regulations, consumer acceptance, and infrastructure all differ between countries.
Demographics matter: Younger generations might be more receptive to drone delivery, while older populations might have concerns.
Stakeholders for Amazon: Customers, regulators, aviation authorities, and competitors are all stakeholders. Regulators likely hold the greatest influence as they determine the feasibility of drone delivery.
12 steps to transform your organization into the agile org you deservePierre E. NEIS
During an organizational transformation, the shift is from the previous state to an improved one. In the realm of agility, I emphasize the significance of identifying polarities. This approach helps establish a clear understanding of your objectives. I have outlined 12 incremental actions to delineate your organizational strategy.
Public Speaking Tips to Help You Be A Strong Leader.pdfPinta Partners
In the realm of effective leadership, a multitude of skills come into play, but one stands out as both crucial and challenging: public speaking.
Public speaking transcends mere eloquence; it serves as the medium through which leaders articulate their vision, inspire action, and foster engagement. For leaders, refining public speaking skills is essential, elevating their ability to influence, persuade, and lead with resolute conviction. Here are some key tips to consider: https://joellandau.com/the-public-speaking-tips-to-help-you-be-a-stronger-leader/
A presentation on mastering key management concepts across projects, products, programs, and portfolios. Whether you're an aspiring manager or looking to enhance your skills, this session will provide you with the knowledge and tools to succeed in various management roles. Learn about the distinct lifecycles, methodologies, and essential skillsets needed to thrive in today's dynamic business environment.
Org Design is a core skill to be mastered by management for any successful org change.
Org Topologies™ in its essence is a two-dimensional space with 16 distinctive boxes - atomic organizational archetypes. That space helps you to plot your current operating model by positioning individuals, departments, and teams on the map. This will give a profound understanding of the performance of your value-creating organizational ecosystem.
Employment PracticesRegulation and Multinational CorporationsRoopaTemkar
Employment PracticesRegulation and Multinational Corporations
Strategic decision making within MNCs constrained or determined by the implementation of laws and codes of practice and by pressure from political actors. Managers in MNCs have to make choices that are shaped by gvmt. intervention and the local economy.
Specific ServPoints should be tailored for restaurants in all food service segments. Your ServPoints should be the centerpiece of brand delivery training (guest service) and align with your brand position and marketing initiatives, especially in high-labor-cost conditions.
408-784-7371
Foodservice Consulting + Design
Integrity in leadership builds trust by ensuring consistency between words an...Ram V Chary
Integrity in leadership builds trust by ensuring consistency between words and actions, making leaders reliable and credible. It also ensures ethical decision-making, which fosters a positive organizational culture and promotes long-term success. #RamVChary
Comparing Stability and Sustainability in Agile SystemsRob Healy
Copy of the presentation given at XP2024 based on a research paper.
In this paper we explain wat overwork is and the physical and mental health risks associated with it.
We then explore how overwork relates to system stability and inventory.
Finally there is a call to action for Team Leads / Scrum Masters / Managers to measure and monitor excess work for individual teams.
Addiction to Winning Across Diverse Populations.pdf
Internal Control - Who is responsible for what?
1. Internal Control: Who is Responsible for What?
Berry Talbot Royer’s Seminar Series 1
Before we answer the question “Who is responsible for what?” with regard to internal control, it’s
critically important that we have a basic understanding of what a system of internal control is, what
its purpose serves, and the components of an effective system of internal control.
The Committee of Sponsoring Organizations of the Treadway Commission updated its Internal
Control – Integrated Framework document in 2013. The first part of this seminar summarizes its
major concepts and lists its components and principles.
Committee of Sponsoring Organizations of the Treadway Commission. (2013). Internal Control – Integrated Framework.
Available for purchase or subscription at https://www.cpa2biz.com
2. Internal Control: Who is Responsible for What?
Berry Talbot Royer’s Seminar Series 3
This definition is intentionally broad in order to (a) capture important concepts that are
fundamental to designing, implementing, and assessing internal controls, and (b) to accommodate
subsets of internal control, such as a focusing solely on controls over external financial reporting.
The fundamental concepts are:
Internal control is a process (or, more accurately, a series of processes)
It is effected by people
It provides reasonable assurance
It is objectives‐focused
It’s important to note that a system of internal control is different from an internal control activity.
The system of internal control is the entire process – which is both dynamic and iterative –
effected by the organization.
An internal control activity only a part of the entire process. An internal control activity by
itself is of little value. All too often, though, the focus is on the internal control activity and
not the entire system.
3. Internal Control: Who is Responsible for What?
Berry Talbot Royer’s Seminar Series 5
Having a complete system of internal control in place is important because it reduces risk in
achieving objectives.
Risk is simply uncertainty and variability. Therefore, a system of internal control reduces the
uncertainty and variability in achieving objectives.
It’s important to note that it does not eliminate risk. It merely reduces it. Hence, reasonable
assurance is used in the definition and not absolute assurance.
4. Internal Control: Who is Responsible for What?
Berry Talbot Royer’s Seminar Series 7
Operational Objectives
Relate to the achievement of the organization’s basic mission and vision.
Reflect management’s choices based on the organization’s operating model, its external
environment and industry, and the level of performance it wishes to operate at.
Safeguarding of Assets is included as part of an organization’s operational objectives. This
includes preventing unauthorized acquisition, use, or disposition of organizational assets.
This specific objective is often considered a separate category of objectives. And, if so, the
Framework can accommodate that, although COSO considers it an operational objective.
Reporting Objectives
Relate to the preparation of reports for use by the organization internally, external
organizations, and stakeholders.
These are often broken out into sub‐categories:
o Internal Reporting Objectives (Financial and Non‐Financial)
o External Reporting Objectives (Financial and Non‐Financial)
Internal reporting objectives are associated with timely information for management to be
able to make decisions and assess performance. Reporting standards are set internally by
management and are based on their information needs.
External reporting objectives are associated with accessing capital markets, acquiring credit,
being awarded contracts, reporting to regulators, dealing with suppliers and vendors, and
communicating with customers, constituents, and other stakeholders.
5. Internal Control: Who is Responsible for What?
Berry Talbot Royer’s Seminar Series 9
Compliance Objectives
Related to activities and actions that are governed by laws, rules, and regulations.
These include well‐known laws and regulations, such as those relating to human resources,
taxation, and environmental compliance. But, they also pertain to more obscure
compliance requirements
Laws and regulations establish minimum standards of conduct. Any additional standards
imposed on the organization by the organizations governance and management are
considered operational objectives.
Often there is overlap of objective categories. That is, a particular objective may be simultaneously
an operational, reporting, or compliance objective. That’s perfectly fine. The key, though, is to
understand how that objective relates to and supports each of those categories. Because, while a
particular objective may have, say, an operational and reporting function right now. In the future,
overall operational goals may shift. That particular objective may no longer be considered an
operational objective, but it may still be considered a reporting objective.
Operational and internal reporting objectives are usually based on the organization’s preferences,
judgements, and choices.
External reporting and compliance objectives are usually based on external requirements.
All objectives, regardless of category, start at the entity level and cascade down to subunits
(divisions, operating units, functions) so that the subunits’ operational objectives support and
contribute to the overall entity‐level objectives.
6. Internal Control: Who is Responsible for What?
Berry Talbot Royer’s Seminar Series 11
Control Environment
The organization demonstrates a commitment to integrity and ethical values.
The board of directors demonstrates independence from management and exercises
oversight of the development and performance of internal control.
Management establishes, with board oversight, structures, reporting lines, and appropriate
authorities and responsibilities in the pursuit of objectives.
The organization demonstrates a commitment to attract, develop, and retain competent
individuals in alignment with objectives.
The organization holds individuals accountable for their internal control responsibilities in
the pursuit of objectives.
Risk Assessment
The organization specifies objectives with sufficient clarity to enable the identification and
assessment of risks relating to objectives.
The organization identifies risks to the achievement of its objectives across the entity and
analyzes risks as a basis for determining how the risks should be managed.
The organization considers the potential for fraud in assessing risks to the achievement of
objectives.
The organization identifies and assesses changes that could significantly impact the system
of internal control.
7. Internal Control: Who is Responsible for What?
Berry Talbot Royer’s Seminar Series 13
Control Activities
The organization selects and develops control activities that contribute to the mitigation of
risks to the achievement of objectives to acceptable levels.
The organization selects and develops general control activities over technology to support
the achievement of objectives.
The organization deploys control activities through policies that establish what is expected
and procedures that put policies into action.
Information and Communication
The organization obtains or generates and uses relevant, quality information to support the
functioning of internal control.
The organization internally communicates information, including objectives and
responsibilities for internal control, necessary to support the functioning of internal control.
The organization communicates with external parties regarding matters affecting the
functioning of internal control.
Monitoring Activities
The organization selects, develops, and performs ongoing and/or separate evaluations to
ascertain whether the components of internal control are present and functioning.
The organization evaluates and communicates internal control deficiencies in a timely
manner to those parties responsible for taking corrective action, including senior
management and the board of directors, as appropriate.
8. Internal Control: Who is Responsible for What?
Berry Talbot Royer’s Seminar Series 15
To be effective, all five components and their relevant principles must be present and functioning,
and they must be operating together in an integrated manner.
“Present and functioning” means that the components and principles exist in the design and
implementation of the system of internal control and continue to exist in the conduct of the
system of internal control.
“Operating together” means that the components collectively reduce risk.
The Framework views all components of internal controls as suitable and relevant to all entities.
Likewise, because principles are fundamental concepts associated with components and have a
significant bearing on the presence and functioning of an associated component, all seventeen
principles are considered suitable and relevant to all entities. Therefore, if a principle is not present
and functioning, the associated component cannot be considered present and functioning.
Management, with board oversight, may determine that a particular principle is not relevant
to the organization. However, this is rare. If it is determined as such, though, the
organization must support its determination with the rationale of how, in the absence of
that principle, the associated component can be present and functioning.
9. Internal Control: Who is Responsible for What?
Berry Talbot Royer’s Seminar Series 17
When a shortcoming exists in a component and relevant principles that reduces the likelihood of
achieving organizational objectives (i.e., increases risk), an internal control deficiency exists.
A major deficiency is one that severely reduces the likelihood of achieving objectives.
Whenever a component and one or more relevant principles are not present or functioning
or when components are not operating together, a major deficiency automatically exists.
When a major deficiency exists, management cannot conclude that it has met the
requirements for an effective system of internal control
When a system of internal control is effective, management and those charged with governance can
be reasonably assured that…
the organization is achieving effective and efficient operations (operations),
the organization is preparing reliable internal and external reports (reporting), and
the organization is operating in compliance with applicable laws and regulations
(compliance).
10. Internal Control: Who is Responsible for What?
Berry Talbot Royer’s Seminar Series 19
Now that we have a basic understanding of what a system of internal control consists of and how it
is designed, we can move on to the seminar’s question: Who is responsible for what?
Seeing as the system of internal control is effected by people, those people – the organization’s
employees – should have a good understanding of what their roles are, where their role fits into the
entire organization, and, most importantly, what their responsibilities are.
COSO and the Institute of Internal Auditors released a whitepaper in July 2015 to assist
organizations in obtaining a better understanding of roles and responsibilities. This whitepaper,
Leveraging COSO across the Three Lines of Defense, is summarized the second half of this seminar.
The Institute of Internal Auditors, Anderson, D., and Eubanks, G. (2015). Leveraging COSO across the Three Lines of
Defense.
Available for download at http://www.coso.org/guidance.htm.
11. Internal Control: Who is Responsible for What?
Berry Talbot Royer’s Seminar Series 21
Organizations may have unique structures, but most have the following broad categories of roles:
Board of Directors (Board of Trustees, City Councilors, Board of Selectmen, etc., a.k.a. Those
Charged with Governance)
Senior Management (CEO, Executive Director, City Administrator, Town Manager, CFO,
Director of Finance, CIO, COO, Chief Legal Officer, etc.)
Operational Managers (subunit managers, divisional managers, functional managers, etc.)
Area Specialists and Internal Monitors (information security, physical security, quality
control, environmental compliance, legal compliance, supply chain, etc.)
Internal Auditors
12. Internal Control: Who is Responsible for What?
Berry Talbot Royer’s Seminar Series 23
The board is responsible for overseeing the system of internal control.
Establish the overall, long‐term objectives of the organization
Define high‐level strategies for achieving objectives
Establish governance structures to best manage risk
Define expectations about integrity, ethical values, transparency, and accountability
To execute their responsibilities properly, board members must…
Have a working knowledge of the organization’s activities and environment
Commit the time necessary to fulfill their responsibilities
Maintain open and unrestricted communications with all entity personnel, independent
auditors, external reviewers, and legal counsel
Be objective, capable, and inquisitive
Together with Senior Management, they establish the Control Environment component of the
system of internal control.
13. Internal Control: Who is Responsible for What?
Berry Talbot Royer’s Seminar Series 25
Senior Management is responsible for designing, implementing, and leading an effective system of
internal control.
Provide leadership and direction in shaping organizational values, standards, expectations of
competence, organizational structure, and accountability
Specify entity‐wide objectives and policies
Maintain oversight and control over the risks the organization faces
Guide the development and performance of control activities at the entity‐level
Communicate expectations and information requirements
Evaluate control deficiencies and their impact on effectiveness of the system of internal
control
Delegate responsibility for designing, implementing, and assessing more specific internal
control procedures to subunit managers.
For functional or operating unit senior management (e.g., CFO, CIO, COO, etc.), they focus on the
objectives of their respective units, ensure that they are aligned with entity‐wide objectives, and
develop and implement internal control policies and procedures to support those objectives.
With board oversight, senior management establishes the Control Environment component of the
system of internal control.
14. Internal Control: Who is Responsible for What?
Berry Talbot Royer’s Seminar Series 27
Operational management are front‐line and mid‐line managers who are responsible for day‐to‐day
ownership of risk and management of control.
Design and implement processes to identify and assess significant risks within their
operational realm.
Select and develop internal control activities to respond to identified risks.
Highlight inadequate processes and address control breakdowns.
Communicate to key stakeholders of the activity.
Operational management is responsible for the Risk Assessment, Control Activities, and
Information and Communication components of the Framework. Additionally, in conjunction with
the area specialists and internal monitors, they have shared responsibility for the Monitoring
component.
15. Internal Control: Who is Responsible for What?
Berry Talbot Royer’s Seminar Series 29
Area specialists and internal monitors are responsible for the ongoing monitoring of control and risk.
Work closely with operating managers to define implementation strategies
Provide expertise in their respective areas with regard to risk.
Help identify known and emerging risks
Assist management in defining which activities to monitor, assist in designing effective
controls, provide communication and education about control processes, and explain how
to measure success.
Monitor controls on an ongoing basis to determine whether the controls are functioning as
intended.
Evaluate and communicate deficiencies to operating and senior management and assist in
developing corrective actions.
They are part of management and, therefore, are not independent, but they should still exercise an
adequate degree of objectivity.
Along with operational management, they are responsible for the Monitoring component of the
system of internal control.
16. Internal Control: Who is Responsible for What?
Berry Talbot Royer’s Seminar Series 31
Internal auditors are responsible for providing independent, objective assurance to the board and
senior management regarding the design, implementation, and effectiveness of the system of
internal control.
They assess all components of the Framework
They have independence from management and have direct communication with the board.
They provide assurance regarding the efficiency and effectiveness of governance, risk
management, and internal control.
They review all aspects of the organization’s operations and activities.
Internal auditors do not design or implement controls and are not responsible for the organization’s
operations.
They are responsible for assessing and reporting on all components of the system of internal
control.
17. Internal Control: Who is Responsible for What?
Berry Talbot Royer’s Seminar Series 33
The Board and Senior Management set the overall objectives and create a good Control
Environment. They are not one of the three lines of defense, but rather they use the three lines of
defense to help reduce risk in achieving organizational objectives.
Each level within the organization is accountable to the next higher level for his/her portion of the
internal control system.
Employees who perform control activities (including area specialists and internal monitors)
are accountable to operational management.
Operational management is accountable to senior management.
Members of senior management are accountable to the CEO.
The CEO is accountable to the board.
Internal auditors are accountable to the board.
And, finally, the board is accountable to its shareholders/citizens.
The “lines of defense” should be as distinct as possible, with roles and responsibilities clearly
articulated through policies and procedures and reinforced by a consistent tone at the top and a
sound Control Environment.
The Three Lines of Defense Model is designed to be flexible to allow for different sized and
differently structured organizations. Therefore, some blending of responsibilities may be okay for
some organizations, but the overall aim should be to delineate as much as possible the three lines of
defense.
18. Internal Control: Who is Responsible for What?
Berry Talbot Royer’s Seminar Series 35
Coordination should not be confused with structure. While the three lines of defense are separate
and have their own unique responsibilities, they should not operate in isolation. The idea is to share
information and coordinate efforts regarding risk, control, and governance to achieve the overall
organizational objectives.
The best way to ensure sound structure and effective and efficient coordination is for senior
management to carefully analyze the organization, assign responsibilities to specific individuals, and
communicate those responsibilities through written policies and procedures.
Each person should know their role and both the extent and limits of their responsibilities. That is,
there should be no gaps in coverage, but there should be no overlap in coverage either. The former
ensures effectiveness, the latter facilitates efficiency.
19. Internal Control: Who is Responsible for What?
Berry Talbot Royer’s Seminar Series 37
External auditors and regulators are not part of an organization’s system of internal control.
They are not part of the organization
In most cases, they have a limited focus
o For example, regulators may only be concerned with a particular aspect of the
organization, such as controls over expenditures or occupational safety
o Independent financial statement auditors are primarily concerned with financial
reporting controls and place less emphasis on operational and compliance controls
(unless they have some bearing on financial reporting controls).
However, they can help boost the overall governance and control structure
Regulators often have requirements that are intended to strengthen governance and
control
External auditors can provide useful observations about financial reporting risks and related
controls.
External auditors and regulators should not be considered as substitutes for the internal lines of
defense and management does not relinquish its responsibilities simply because regulators and
external auditors examine and report on aspects of the organization.