Organizational Hierarchy Of Internal Controls
An organization is created to achieve desirable outcomes defined by the specific needs and interests of the shareholders. Value creation and shareholders’ wealth maximization are among the key objectives of many organizations around the world.
The organization creates value by transforming various inputs into specific outputs. Shareholders of an organization delegate authority to a governing body, which takes charge and runs the affairs of the organization on the shareholders’ behalf. Shareholders are often interested in profits and wealth maximization and expect to realize their goals effectively, sustainably, and ethically through an appropriate governing body.
Organizations are influenced by economic, social, political, environmental, technological, and physical factors. These factors include uncertainty, complexity, change, competition, and limits on business capacity and its capabilities. An organization adopts an appropriate structure and takes specific measures to keep its decisions, actions, behaviors, and outcomes in alignment with the objective of stakeholder wealth maximization, which is achieved through optimization of overall business performance.
The Board-Level Internal Controls Committee
The board has ultimate responsibility for internal controls and risk management. In some organizations, the board is supported by board-level committees. These committees might include audit committees or an internal controls committee. For the sake of this lesson, let’s assume that an organization has an internal controls committee.
Now, the board may approve the internal control framework based on the recommendation from the internal controls committee, which also recommends the internal controls tolerance levels for different functions and processes considering all principal risk types faced by the organization. Tolerance levels are approved by the board of directors.
In carrying out its responsibilities, the board ensures that all relevant information is requested and received to fulfill its governance mandate. In this light, there are four predominant roles that an organization might establish to effectively implement a robust internal control structure:
- Head of Internal Controls;
- Internal Controls Framework Owner;
- Policy Owner; and
- Process Owner
Let’s discuss these roles individually.
Head Of Internal Controls
The first role is the head of internal controls. The head of internal controls is commonly an experienced internal control professional who is responsible for helping and advising different departments and functions of the organization in the identification, assessment, and management of risks and application of relevant controls. The head of internal controls reports to an internal control committee and updates the CEO or CFO of the organization about the key and significant risks and any internal control issues.
The head of internal controls is provided with an appropriate internal control team and other resources necessary to perform the duties and responsibilities. The head of internal controls is also responsible for developing and implementing an overall internal controls framework, which is presented to the internal control committee for review and approval. After review and approval of such framework, the head of internal controls ensures its implementation in the organization at all levels.
Internal Controls Framework Owners
The second role involves one or more internal controls framework owners, which might sit in different functions or departments of the organization.
Internal Controls Framework Owners are responsible for:
- Setting and maintaining risk and internal controls matrices for different functions and departments of the organization while considering all significant types of risks faced by the department or function;
- Using the evidence gathered on the control environment through assessments, as well as their oversight and challenge activities, to assess the effectiveness of the implemented controls and their quality;
- Escalating significant risks and control breaches to the head of internal controls, the senior management, and the internal control committee as appropriate; and
- Providing evidence-based annual affirmation to the head of internal controls on the effective management of the principal and significant risks. The evidence-based affirmations will be subject to review and challenge by the head of internal controls.
Policy Owners
The third role involves one or more policy owners, which, similar to the internal controls framework owners, might sit in different functions or departments of the organization. Policy owners are typically second-line managers who are responsible for setting and maintaining internal policies and processes in line with internal controls framework requirements.
Policy Owners are responsible for:
- Identifying the critical risks that the policy is designed to address and that are mapped to an RTF or this framework;
- Defining the mandatory policy statements with actionable principle-based requirements that can be reasonably validated and/or tested for effectiveness;
- Identifying the key processes and/or systems subject to the control requirements;
- Clearly outlining the roles and/or job families that are responsible for complying with the policy requirements;
- Identifying and being responsible for the operational standards that are linked to the policy requirements and ensuring that standards are consistent with the policy;
- Identifying key areas of connectedness and cross-reference to the connected policies; and
- Setting out policy-specific authorities and decision-making matrices, including waivers, dispensations, and escalation requirements.
Process Owners
Finally, the fourth role involves one or more process owners in different functions and departments of the organization. Process owners are first- or second-line managers accountable for the end-to-end business or function processes as identified within the group’s process universe and are responsible for:
- Identification and management of the end-to-end process as defined in the group’s process universe and associated risks including activities which are carried out by other businesses or functions, or which are outsourced;
- Implementing the assessment results to monitor the effectiveness of the controls and standards governing the end-to-end process;
- Being accountable to the Process Universe Owner, Framework or Policy Owners, and implementing the control requirements applicable to the process;
- Escalating significant risks and issues to the Process Universe Owners, relevant Risk Framework Owners or Policy Owners; and
- Second Line process owners should rely on the OR function or an independent unit for oversight and challenge of requirements set by their frameworks or policies.
Internal control procedures reduce process variability, resulting in more predictable results. An Internal Control Structure is critical for all types of organizations to achieve their goals because, if a proper Internal Control Structure is implemented, all operations, physical resources, and data will be monitored and controlled, objectives will be met, risks will be reduced, and information output will be reliable. If the Internal Control Structure is weak and unsound, the firm’s resources may be vulnerable to loss due to theft, negligence, carelessness, and other risks.