This project was commissioned by COSO, which is dedicated to providing thought leadership through the development of comprehensive frameworks and guidance on internal control, enterprise risk management, and fraud deterrence designed to improve organizational performance and oversight and to reduce the extent of fraud in organizations. COSO is a private sector initiative, jointly sponsored and funded by:
American Accounting Association (AAA)
American Institute of Certified Public Accountants (AICPA)
Financial Executives International (FEI)
Institute of Management Accountants (IMA)
The Institute of Internal Auditors (IIA)
eBook ISBN: 978-1-93735-241-7
2013 All Rights Reserved. No part of this publication may be reproduced, redistributed, transmitted or displayed in any form or by any means without written permission. For information regarding licensing and reprint permissions please contact the American Institute of Certified Public Accountants, licensing and permissions agent for COSO copyrighted materials. Direct all inquiries to copyright@aicpa.org or to AICPA, Attn: Manager, Rights and Permissions, 220 Leigh Farm Rd., Durham, NC 27707. Telephone inquiries may be directed to 888-777-7077.
Establishes Structure, Authority, and Responsibility
Principle 3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
Points of Focus
The following points of focus highlight important characteristics relating to this principle:
Considers All Structures of the Entity: Management and the board of directors consider the multiple structures used (including operating units, legal entities, geographic distribution, and outsourced service providers) to support the achievement of objectives.
Establishes Reporting Lines: Management designs and evaluates lines of reporting for each entity structure to enable execution of authorities and responsibilities and flow of information to manage the activities of the entity.
Defines, Assigns, and Limits Authorities and Responsibilities: Management and the board of directors delegate authority, define responsibilities, use appropriate processes and technology to assign responsibilities, and segregate duties as necessary at the various levels of the organization:
Board of Directors: Retains authority over significant decisions and reviews management's assignments and limitations of authorities and responsibilities
Senior Management: Establishes directives, guidance, and control to enable management and personnel to understand and carry out their internal control responsibilities
Management: Guides and facilitates the execution of senior management directives within the entity and its subunits
Personnel: Understands the entity's standard of conduct, assessed risks to objectives, and the related control activities at their respective levels of the entity, the expected information and communication flow, and monitoring activities relevant to their achievement of the objectives
Outsourced Service Providers: Adheres to management's definition of the scope of authority and responsibility for all non-employees engaged
Approaches and Examples for Applying the Principle
Approach: Defining Roles and Reporting Lines and Assessing Them for Relevance
Senior management prepares organizational charts to document, communicate, and enforce accountability for the achievement of the entity's financial reporting objectives. The organizational charts can be used to:
Set forth assignments of authority and responsibility
Ensure duties are appropriately segregated
Establish reporting lines and communication channels
Define the various reporting dimensions relevant to the organization
Identify dependencies for roles and responsibilities involved in financial reporting as well as those accountable for external parties
Each unit or department within the entity that is relevant to external financial reporting aligns its roles and responsibilities to processes supporting the financial reporting objectives. Senior management and the board of directors verify that accountability and information flow within each of the various organizational structures (by business segment, geographical location, legal entity, or other) continually support the achievement of the entity's existing financial reporting objectives. Existing structures are periodically assessed for relevance considering changes in the entity or the environment in which it operates to ensure such alignment.
Demonstrated Points of Focus
Considers All Structures of the Entity
Establishes Reporting Lines
Defines, Assigns, and Limits Authorities and Responsibilities
Example: Reorganizing to Support Control Structure
Before Harmony Homes Real Estate became a public company, a wide range of the employees reported to the owner and CEO, Milton Chang, and the business structures in the US and in Asia were loosely connected. During the plans to go public, Mr. Chang, with the board's guidance, took steps to strengthen the organizational structure to better support both operations and financial reporting objectives. Management created three departments to oversee its core business activities: sales and customer service, purchasing/inventory, and production. Geographic governance structures were also established to oversee operations by jurisdiction and facilitate reporting to local regulators and other stakeholders. The managers charged with leading each of these departments and territories, as well as the managers of key staff functions, documented each person's responsibility in the processes. Job descriptions, including internal control responsibilities, were developed to support full understanding of each person's role.
The clear statement of roles helps to ensure responsibilities are carried out in support of the organization's objectives. It also provides the basis for risk assessment, control activities, information and communication, and monitoring activities along different dimensions simultaneously.
Example: Redefining Roles with CEO and Board Input
Due to significant changes within the company and the industry, Pieter Jenssen, CEO of transportation services provider General Trucking, recognized the need to redefine the role of each position within the company's mid- to high-level management team, especially within the finance and accounting function. His initiative was launched at an off-site meeting where the goals and objectives of the business were reviewed and realigned with managers' specific roles and responsibilities, including those related to the financial reporting process. Two board members attended the meeting to serve as a sounding board, and all participants reached a shared understanding on how they will function and interact with one another in the future. The results of the meeting were communicated to other managers throughout the organization. The communication included a description of organizational lines by product line, geography, and management structure. It also included associated roles, responsibilities, and communication procedures, incorporated into policies that were made readily accessible on the company's intranet.
Approach: Defining Authority at Different Levels of Management
The board of directors outlines its oversight authority for financial reporting over senior management through its charter. When assigning authorities and responsibilities, management considers the impact on the control environment and the importance of effectively segregating duties. Policy documents define cascading levels of authority, checks, and balances for authorizing transactions, and accounting and reporting of financial results. Such authority and responsibility is deliberately limited in order to balance the need for the efficient achievement of objectives against the risks that could result from unmonitored inappropriate conduct. Management empowers employees to correct problems or implement improvements in their assigned business process as necessary.