Power Structure & Internal Controls

Power Structure & Internal Controls

“You can delegate the activity but you cannot delegate the responsibility” is an old saying in the auditing field. The idea of internal controls, after outsourcing, may seem complex but is not as insurmountable as it seems. There are only a handful of key considerations that you face if you are a company contemplating engaging another company, or a company that has already engaged another company to perform a service for you. One of the most important consideration is the topic of this piece.

The power structure of the organization that you plan to engage, or have already engaged, is the determining factor in its reliability. I believe that the structure of the arrangement of responsibility, authority, and accountability drives the behavior, and ultimately, the quality of the outputs from an organization.

None-without-the-other (NWTO) is what you need to look for in an organization that you plan to entrust with valuable/important processes. There should be no person in an organization that has authority and no accountability, and there should be no person in an organization that has responsibility and no authority, as it is the recipe for dysfunction.

Responsibility for a process must be given with consideration for the resources, commitment, and time needed for the quality envisioned for that process to be achieved. I believe that anything other than that show of consideration is a ploy to distract. Basically, responsibility must be given to the right person, the right infrastructure, and the right applications to afford the task a chance at success. I believe that anything other than that show of consideration is a ploy to distract.

Authority for a process must be given with the consideration for decision making agility, the consideration for allocation of resources, and the consideration for quality controls. Namely, the ability to make prompt and appropriate decisions must be evident, the ability to influence decision makers must be evident, and the ability to sufficiently assess the quality of the outputs of a process must be evident, in the authority figure. When authority is appropriately dispensed, it presents itself as a team operating seamlessly.

Accountability must be rigidly transparent, unmoving, and consistently applied without hesitation. If that is baked into the culture of the organization, it is a great signal of its trustworthiness. The way an organization responds to a routine request for information is an indication of its level of trustworthiness.

In short, the arrangement of responsibility, authority, and accountability in an organization is a testament to its trustworthiness. Smart outsourcers look to see if an independent and objective practitioner has audited an organization before entrusting to its care valuable/important processes.

Contact CompVisory to learn more if you plan to outsource to a third party, if you have already outsourced to a third party, or if you are a third party that has been entrusted with the valuable/important processes of another entity. Keep in mind that NWTO should shape the culture of an organization, otherwise inefficiencies, or worse things, could raise their ugly heads.

Written by 

Dean Brown is a seasoned business professional with 20 years of audit experience. Dean specializes in System and Organization Controls (SOC) audits, which he has been conducting as the principal auditor since 2014. Dean has also conducted numerous controls, IT, operations, compliance and forensic audits over the duration of his career. His experience involves financial, IT, SOC (SOC 1, SOC 2, SOC 3 and SOC for Cybersecurity), operations and compliance audits, examinations, review and consulting engagements. Dean is a subject matter expert in SSAE18/SOC 1, SOC 2 audits, ISO 27001, enterprise risk management, internal controls, information security management systems, and IT governance models. Dean began his career as an auditor at a Big 4 public accounting firm where he audited multiple fortune 500 companies. Later in his role as a lead auditor at a fortune 500 company he managed teams in the United States and Canada and was instrumental in the management and successful completion of a company-wide project that successfully transition the company to a new operating business model. Dean is responsible for crafting, communicating, and reinforcing CompVisory’s vision and mission, and empowering the CompVisory team with the guidance and resources necessary for their achievement.