Roles and Responsibilities of Internal Control

Internal control is effected by personnel internal to the organization, including the board of directors or equivalent oversight body and its committees, management and personnel, business-enabling functions, and internal auditors. Collectively, they contribute to providing reasonable assurance that specified objectives are achieved. When outsourced service providers perform controls on behalf of the entity, management retains responsibility for those controls.

An organization may view internal control through three lines of defense:

  • Management and other personnel on the front line provide the first line of defense as they are responsible for maintaining effective internal control day to day; they are compensated based on performance in relation to all applicable objectives.

  • Business-enabling functions such as risk, control, legal, and compliance provide the second line of defense as they clarify internal control requirements and evaluate adherence to defined standards. While they are functionally aligned to the business, their compensation is not directly tied to performance of the area to which they render expert advice.

  • Internal auditors provide the third line of defense as they assess and report on internal control and recommend corrective actions or enhancements for management to consider and implement; their position and compensation are separate and distinct from the business areas they review.

Responsible Parties

Every individual within an entity has a role in effecting internal control. Roles vary in responsibility and level of involvement, as discussed below.

The Board of Directors and Its Committees

Depending on the jurisdiction and nature of the organization, different governance structures may be established, such as a board of directors, supervisory board, trustees, and/or general partners, with committees as appropriate. In the Framework, these governance structures are commonly referred to as the board of directors.

The board is responsible for overseeing the system of internal control. With the power to engage or terminate the chief executive officer, the board has a key role in defining expectations about integrity and ethical values, transparency, and accountability for the performance of internal control responsibilities. Board members are objective, capable, and inquisitive. They have a working knowledge of the entity’s activities and environment, and they commit the time necessary to fulfill their governance responsibilities. They utilize resources as needed to investigate any issues, and they have an open and unrestricted communications channel with all entity personnel, the internal auditors, independent auditors, external reviewers, and legal counsel.

Boards of directors often carry out certain duties through committees, whose use varies depending on regulatory requirements and other considerations. Board committees may be used for oversight of audit, compensation, nominations and governance, risk, and other topics significant for the organization. Each committee can bring specific emphasis to certain components of internal control. Where a particular committee has not been established, the related functions are carried out by the board itself.

Board-level committees can include the following:

  • Audit Committee - Regulatory and professional standard-setting bodies often require the use of audit committees. The role and scope of authority of an audit committee can vary depending on the organization’s regulatory jurisdiction, industry norm, or other variables. This is sometimes also called the audit and risk committee to emphasize the importance of risk oversight. Management is responsible for the reliability of the financial statements, but an effective audit committee plays a critical oversight role. The board of directors, often through its audit committee, has the authority and responsibility to question senior management regarding how it is carrying out its internal and external reporting responsibilities and to verify that timely corrective actions are taken, as necessary.

    As a result of its independence, the audit committee, along with a strong internal audit function as applicable, is often best positioned to identify and promptly act in situations where senior management overrides controls or deviates from expected standards of conduct. The audit committee interacts with external auditors, meeting regularly to discuss the scope of planned audit procedures and the results of audit procedures. Meetings with external auditors include executive sessions without management present to provide a forum for further dialogue between external auditors and audit committees. While board composition requirements vary, independent directors are important as they can provide an objective perspective. For example, the UK, German, and other corporate governance codes, and the New York Stock Exchange (NYSE) and NASDAQ listing requirements define the number and criteria for audit committee members to be independent from management and financially literate (e.g., at least one member with accounting or financial management expertise).

  • Compensation Committee - Establishes the compensation for the chief executive officer or equivalent and provides oversight of compensation arrangements to motivate without providing incentives for undue risk-taking so as to ultimately protect and promote the interest of shareholders or other owners of the entity. It oversees senior management in its role to balance performance measures, incentives, and rewards with the pressures created by the entity’s objectives, and helps structure compensation practices to support the achievement of the entity’s objectives without unduly emphasizing short-term results over long-term performance.

  • Nomination/Governance Committee - Provides control over the selection of candidates for directors and senior management. It regularly assesses and nominates members of the board of directors; makes recommendations regarding the board’s composition, operations, and performance; oversees the succession planning process for the chief executive officer and other key executives; and develops oversight discipline, processes, and structures. It promotes director orientations and training and evaluates oversight structures and processes (e.g., board/committee evaluations).

  • Other Committees - There may be other committees of the board of directors that oversee specific areas. These committees are often established in large organizations or due to particular circumstances of the entity. For example, in an industry where compliance with certain laws and regulations is fundamental to the survival or development of the organization, a board-level compliance committee may be necessary. Risk committees are formed to focus on changes in risk levels and related impacts, and oversight of risk responses. Further to board committees that provide oversight, management-level committees often exist to provide guidance in the execution of specific areas, such as compliance committees, new product committees, and others.

Senior Management

Chief Executive Officer

The chief executive officer (CEO) is accountable to the board of directors and is responsible for designing, implementing, and conducting an effective system of internal control. In privately owned, not-for-profit, or other entities, the equivalent role may have a different title but generally covers the same responsibilities as described below. More than any other individual, the CEO sets the tone at the top that affects the control environment and all other components of internal control.

The CEO’s responsibilities relating to internal control include:

  • With the support of management, providing leadership and direction to senior management, shaping entity values, standards, expectations of competence, organizational structure, and accountability that form the foundation of the entity’s internal control system (e.g., specifying entity-wide objectives and policies)
  • Maintaining oversight and control over the risks facing the entity (e.g., directing all management and other personnel to proactively identify risks to the system of internal control, considering the ever-increasing pace of change and networked interactions of business partners, outsourced service providers, customers, employees, and others and resulting risk factors)
  • Guiding the development and performance of control activities at the entity level, and delegating to various levels of management the design, implementation, conduct, and assessment of internal control at different levels of the entity (e.g., processes and controls to be established)
  • Communicating expectations (e.g., integrity, competence, key policies) and information requirements (e.g., the type of planning and reporting systems the entity will use)
  • Evaluating control deficiencies and their impact on the ongoing and long-term effectiveness of the system of internal control (e.g., meeting regularly with senior management from each of the operating units, such as research and development, production, marketing, and sales, and from major business-enabling functions, such as finance, human resources, legal, compliance, and risk management, to evaluate how they are carrying out their internal control responsibilities)

In certain jurisdictions, the CEO (and in some cases also the chief financial officer) is required by law to specifically certify the effectiveness of internal control over financial reporting.

Other Members of Senior Management

Senior management comprises not only the CEO but also the other senior executives leading the key operating units and business-enabling functions. Examples include:

  • Chief administrative officer
  • Chief audit executive
  • Chief compliance officer
  • Chief financial officer
  • Chief information officer
  • Chief legal officer
  • Chief operating officer
  • Chief risk officer
  • Other senior leadership roles, depending on the nature of the business

These senior management roles support the CEO with respect to internal control, specifically by:

  • Providing leadership and direction to management in terms of shaping entity values, standards, expectations of competence, organizational structure, and accountability that form the foundation of the entity’s internal control system (e.g., specifying entity-wide objectives and policies)
  • Maintaining oversight over the risks facing the entity (e.g., directing all management and other personnel to proactively identify risks to the system of internal control, considering the ever-increasing pace of change and networked interactions of business partners, outsourced service providers, customers, employees, and others and the resulting risk factors)
  • Guiding the development and performance of controls at the entity level, and delegating to various levels of management the design, implementation, conduct, and assessment of internal control at different levels of the entity (e.g., processes and controls to be established)
  • Communicating expectations (e.g., integrity, competence, key policies) and information requirements (e.g., the type of planning and reporting systems the entity will use)
  • Evaluating internal control deficiencies and the impact on the ongoing and long-term effectiveness of the system of internal control (e.g., meeting regularly with finance, controllership, risk management, information technology, human resources, and business management from each of the operating units to evaluate how they are carrying out their internal control responsibilities)

Senior management guides the development and implementation of internal control policies and procedures that address the objectives of their functional or operating unit and verifies that they are consistent with the entity-wide objectives. They provide direction, for example, on a unit’s organizational structure and personnel hiring and training practices, as well as budgeting and other information systems that promote control over the unit’s activities. As such, through a cascading responsibility structure, each executive is a CEO for his or her sphere of responsibility.

Senior management assigns responsibility for establishing even more specific internal control procedures to those personnel responsible for the unit’s functions or departments. These subunit managers can play a more hands-on role in devising and executing particular internal control procedures. Often, these managers are directly responsible for determining resource requirements, training needs, and internal control procedures that address unit objectives, such as developing authorization procedures for purchasing raw materials, accepting new customers, or reviewing production reports to monitor product output. They also make recommendations on the controls, monitor their application within processes, and meet with upper-level managers to report on the operation of controls.

Depending on how many layers of management exist, these subunit managers, or lower-level supervisory personnel, are directly involved in executing policies and procedures at a detailed level. It is their responsibility to execute remedial actions as control exceptions or other issues arise. This may involve investigating data-entry errors, transactions flagged on exception reports, departmental expense budget variances, or customer back orders or product inventory positions. Issues are communicated up the organization’s reporting structure according to their level of severity. Issues requiring senior management oversight include financial performance, product quality, product safety, workplace safety, community involvement, compliance with emission targets, or other areas related to the achievement of the entity’s objectives.

Management’s responsibilities come with specific authority and accountability. Each manager is accountable to the next higher level for his or her portion of the internal control system, with the CEO being ultimately accountable to the board of directors, and the board being accountable to shareholders or other owners of the entity.

The chief financial officer (CFO) supports the CEO in front-line responsibilities, including internal control over financial reporting. In certain reporting jurisdictions, the CFO is required by law to certify to the effectiveness of internal control over financial reporting, alongside the CEO.

Business-Enabling Functions

Various organizational functions or operating units support the entity through specialized skills, such as risk management, finance, controllers, product/service quality management, technology, compliance, legal, human resources, and others. They provide guidance and assessment of internal control related to their areas of expertise, and it is incumbent on them to share and evaluate issues and trends that transcend organizational units or functions. They keep the organization informed of relevant requirements as they evolve over time (e.g., new or changing laws and regulations across a multitude of jurisdictions). Such business-enabling functions are referred to as the second line of defense, while front-line personnel, the first line, execute the control activities themselves.

While each of these functions serves its own purpose, their efforts are coordinated and integrated as appropriate. For example, a company’s new customer acceptance process may be reviewed by the compliance function from a regulatory perspective, by the risk management function from a concentration risk perspective, and by the internal audit function to assess the design and effectiveness of controls. Disruptions to the business process are minimized when the timing and approach to reviews and the management of issues are coordinated to the extent possible. Integration of efforts helps create a common language and platform for evaluating and addressing internal control matters, as business-enabling functions guide the organization in achieving its objectives.

Risk and Control Personnel

Risk and control functions are part of the second line of defense. Depending on the size and complexity of the organization, dedicated risk and control personnel may support functional management in managing different risk types (e.g., operational, financial, quantitative, qualitative) by providing specialized skills and guidance to front-line management and other personnel and by evaluating internal control. These activities can be part of an entity’s centralized or corporate organization, or they can be set up with “dotted line” reporting to functional heads. Risk and control functions are central to the way management maintains control over business activities.

Responsibilities of risk and control personnel include identifying known and emerging risks, helping management develop processes to manage such relevant risks, communicating and providing education on these processes across the organization, and evaluating and reporting on the effectiveness of such processes. The chief risk/control officer is responsible for reporting to senior management and the board on significant risks to the business and on whether these risks are managed within the entity’s established tolerance levels, with adequate internal control in place. Despite such significant responsibilities, risk and control personnel are not responsible for executing controls; they support the overall achievement of internal control.

Legal and Compliance Personnel

Counsel from legal professionals is key to defining effective controls for compliance with regulations and managing the possibility of lawsuits. In large and complex organizations, specialized compliance professionals can be helpful in defining and assessing controls for adherence to both external and internal requirements. The chief legal/compliance officer is responsible for ensuring that legal, regulatory, and other requirements are understood and communicated to those responsible for effecting compliance.

A close working relationship between business management and legal and compliance personnel provides a strong basis for designing, implementing, and conducting internal control to manage adverse outcomes such as regulatory sanctions, legal liability, and failure to adhere to internal compliance policies and procedures. At smaller organizations, legal and compliance roles may be shared by the same professional, or one of these roles can be outsourced with close oversight by management.

Other Personnel

Internal control is the responsibility of everyone in an entity and therefore constitutes an explicit or implicit part of everyone’s job description. Front-line personnel constitute the first line of defense in the performance of internal control responsibilities. Examples include:

  • Control Environment - Reading, understanding, and applying the standards of conduct of the organization

  • Risk Assessment - Identifying and evaluating risks to the achievement of objectives and understanding established risk tolerances relating to their areas of responsibility

  • Control Activities - Performing reconciliations, following up on exception reports, performing physical inspections, and investigating reasons for cost variances or other performance indicators

  • Information and Communication - Producing and sharing information used in the internal control system (e.g., inventory records, work-in-process data, sales or expense reports) or taking other actions needed to effect control

  • Monitoring Activities - Supporting efforts to identify and communicate to higher-level management issues in operations, non-compliance with the code of conduct, or other violations of policy or illegal actions

The care with which those activities are performed directly affects the effectiveness of the internal control system. Internal control relies on checks and balances, including segregation of duties, and on employees not “looking the other way.” Personnel understand the need to resist pressure from superiors to participate in improper activities, and channels outside normal reporting lines are available to permit reporting of such circumstances.

Internal Auditors

As the third line of defense, internal auditors provide assurance and advisory support to management on internal control. Depending on the jurisdiction, size of the entity, and nature of the business, this function may be required or optional, internal or outsourced, large or small. In all cases, internal audit activities are expected to be carried out by competent and professional resources aligned to the risks relevant to the entity.

The internal audit activity includes evaluating the adequacy and effectiveness of controls in responding to risks within the organization’s oversight, operations, and information systems, covering, for example:

  • Reliability and integrity of financial and operational information

  • Effectiveness and efficiency of operations and programs

  • Safeguarding of assets

  • Compliance with laws, regulations, policies, procedures, and contracts

All activities within an organization are potentially within the scope of the internal auditor’s responsibility. In some entities, the internal audit function is heavily involved with controls over operations. For example, internal auditors may periodically monitor production quality, test the timeliness of shipments to customers, or evaluate the efficiency of the plant layout. In other entities, the internal audit function may focus primarily on compliance or financial reporting–related activities. In all cases, they demonstrate the necessary knowledge of the business and independence to provide a meaningful evaluation of internal control.

The scope of internal auditing is typically expected to include oversight, risk management, and internal control, and assisting the organization in maintaining effective control by evaluating their effectiveness and efficiency and by promoting continual improvement. Internal audit communicates findings and interacts directly with management, the audit committee, and/or the board of directors.

Internal auditors maintain an impartial view of the activities they audit through their skills and authority within the entity. Internal auditors have functional reporting to the audit committee and/or the board of directors and administrative reporting to the chief executive officer or other members of senior management.

Internal auditors are objective when not placed in a position of subordinating their judgment on audit matters to that of others and when protected from other threats to their objectivity. The primary protection against these threats is appropriate internal auditor reporting lines and staff assignments. These assignments are made to avoid potential and actual conflicts of interest and bias. Internal auditors do not assume operating responsibilities, nor are they assigned to audit activities with which they were involved recently in connection with prior operating assignments.

External Parties

A number of external parties can contribute to the achievement of the entity’s objectives, whether by performing activities as outsourced service providers or by providing data or analysis to functional/operational personnel. In both cases, functional/operational management always retains full responsibility for the internal control.

Outsourced Service Providers

Many organizations outsource business functions, delegating their roles and responsibilities for day-to-day management to outside service providers. Administrative, finance, human resources, technology, legal, and even select internal operations can be executed by parties outside the organization, with the objective of obtaining access to enhanced capabilities at a lower cost. For example, a financial institution may outsource its loan review process to a third party, a technology company may outsource the operation and maintenance of its information technology processing, and a retail company may outsource its internal audit function. While these external parties execute activities for or on behalf of the organization, management cannot abdicate its responsibility to manage the associated risks. It must implement a program to evaluate the activities performed by others on its behalf and to assess the effectiveness of the system of internal control over those outsourced activities.

Other Parties Interacting with the Entity

Customers, vendors, and others transacting business with the entity are an important source of information used in conducting control activities. For example:

  • A customer can inform a company about shipping delays, inferior product quality, or failure to otherwise meet the customer’s needs for product or service. Or a customer may be more proactive and work with an entity in developing needed product enhancements.
  • A vendor can provide statements or information regarding completed or open shipments and billings, which may be used to identify and correct discrepancies and to reconcile balances.
  • A potential supplier can notify senior management of an employee’s request for a kickback.
  • Experts can provide market data to help the organization adapt its business model and supporting processes and controls to new challenges and opportunities.
  • A non-governmental organization or newspaper may publish reports on working or environmental conditions at a supplier or sub-supplier.

Such information sharing between management and external parties can be important to the entity in achieving its operations, reporting, and compliance objectives. The entity has mechanisms in place with which to receive such information and to take appropriate action on a timely basis - that is, it not only addresses the particular situation reported, but also investigates the underlying source of an issue and fixes it.

In addition to customers and vendors, other parties, such as creditors, can provide insight on the achievement of an entity’s objectives. A bank, for example, may request reports on an entity’s compliance with certain debt covenants and recommend performance indicators or other desired targets or controls.

Independent Auditors

In some jurisdictions, an independent auditor is engaged to audit or examine the effectiveness of internal control over external financial reporting in addition to auditing the entity’s financial statements. (In some jurisdictions, the auditor is also legally required to express an opinion on the effectiveness of the internal control over external financial reporting in addition to his or her opinion on the financial statements.) Results of these audits enable the auditor to provide information to management that will be useful in conducting its oversight responsibilities. These reports and communications may include:

  • Observations including analytical information and recommendations for use in taking actions necessary to achieve established objectives
  • Findings of internal control deficiencies that come to the attention of the auditor, and recommendations for improvement

Notwithstanding the depth and nature of the independent auditor’s work, it is neither a replacement for nor a supplement to an adequate system of internal control, which remains the full responsibility of management.

Such information frequently relates not only to financial reporting but to operations and compliance activities as well. The information is reported to and acted upon by management and, depending on its significance, to the board of directors or audit committee.

External Reviewers

Subject matter specialists can be solicited or mandated to review specific areas of the organization’s internal control. Recognizing the various requirements or expectations of its stakeholders, an organization often seeks expert advice to translate these into policies and procedures, as well as communications and training, and evaluation of adherence to such requirements and standards. Workplace safety, environmental concerns, and fair trade practices are some examples of areas where an organization proactively seeks to ensure that it is complying with governing rules and standards. Certain functional areas may also be reviewed to promote greater effectiveness and efficiency of operations, such as compliance reviews, information systems penetration testing, and employment practices assessments.

Legislators and Regulators

Legislators and regulators can affect the internal control systems through specific requirements to establish internal control across the organization and/or through examinations of particular operating units. Many entities have long been subject to legal requirements for internal control. For example, companies listed on a US stock exchange are expected to establish and maintain a system of internal control, and legislation requires that senior executives of publicly listed companies certify to the effectiveness of their company’s internal control over financial reporting.

Various regulations require that public companies establish and maintain internal accounting control systems that satisfy specified objectives. Various laws and regulations apply to financial assistance programs, which address a variety of activities ranging from civil rights to cash management, and specify required internal control procedures or practices. Several regulatory agencies directly examine entities for which they have oversight responsibility. For example, federal and state bank examiners conduct examinations of banks and often focus on certain aspects of the banks’ internal control systems. These agencies make recommendations and are frequently empowered to take enforcement action. Thus, legislators and regulators affect the internal control systems in several ways:

  • They establish rules that provide the impetus for management to establish an internal control system that meets statutory and regulatory requirements.
  • Through examination of a particular entity, they provide information used by the entity’s internal control system and provide comment letters, recommendations, and sometimes directives to management on needed internal control system improvements.
  • They may receive and, in turn, investigate whistle-blower allegations.

Financial Analysts, Bond Rating Agencies, and the News Media

Financial analysts, bond rating agencies, and news media personnel analyze management’s performance against strategies and objectives by considering historical financial statements and prospective financial information, actions taken in response to conditions in the economy and marketplace, potential for success in the short and long term, and industry performance and peer-group comparisons, among other factors. Such investigative activities can provide insights, among many other outcomes, into the state of internal control and into how management is responding to enhance internal control.