Who is responsible for internal controls?

COSO white paper's 'three lines of defense' can establish risk management duties.

Establishing who is responsible for specific internal controls can be a challenge at many organizations.

Effective internal controls help organizations manage risks in a systematic, effective way. The internal control framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) helps many organizations manage risks. But the framework does little to establish who is responsible for the specific duties it describes.

A new COSO white paper, Leveraging COSO Across the Three Lines of Defense, describes how organizations can better establish and coordinate duties related to risk and control. The AICPA is a member of COSO.

Coordination under this model can help minimize gaps in controls and eliminate unnecessary duplication of assigned duties. The model proposes that senior management and the board oversee and direct three separate groups (or lines of defense) that contribute to effective management of risk and control. These separate groups:

  • Own and manage risk and control (operating management).
  • Monitor risk and control in support of management (risk, control, and compliance functions put in place by management).
  • Provide independent assurance about effectiveness of risk management and control to the board and senior management (internal audit).
