I still remember the confused look on the CFO's face when I asked him, "Who owns internal controls in your organization?" He paused for what felt like an eternity before finally saying, "Isn't that... everybody's job?"
That's when I knew we had a problem.
This was back in 2016, during a COSO implementation project for a mid-sized manufacturing company. They had the framework documentation. They'd attended the training sessions. They'd even hired consultants to design their controls. But nobody had answered the most fundamental question: Who is actually responsible for making this work?
Three months later, their external auditors found 47 control deficiencies. Not because the controls were poorly designed, but because nobody owned them. The marketing team thought IT was handling data protection. IT thought compliance was monitoring access controls. Compliance thought department managers were conducting reviews.
Everyone was waiting for someone else to do the work.
After fifteen years of implementing COSO frameworks across dozens of organizations, I've learned this critical truth: The framework is only as good as the people operating it. And those people need crystal-clear roles, responsibilities, and accountability.
## Understanding COSO: The Foundation You Can't Skip
Before we dive into roles, let me give you the context that most articles skip. COSO—the Committee of Sponsoring Organizations of the Treadway Commission—isn't just another compliance acronym. It's the gold standard for internal control frameworks, trusted by organizations worldwide and mandated by regulations like Sarbanes-Oxley.
But here's what nobody tells you: COSO doesn't dictate an organizational structure. It provides principles and components, but how you organize your people to execute those principles? That's on you.
And that's where most organizations struggle.
"A brilliant framework executed by a confused organization delivers nothing but expensive documentation and failed audits."
## The Three Lines Model: COSO's Modern Organizational Philosophy
In 2020, the Institute of Internal Auditors (IIA) updated the Three Lines Model, which perfectly complements COSO implementation. I've used this model with every client since, and it's transformed how organizations think about control ownership.
Let me break it down the way I explain it to executives:
### The Three Lines Model Explained

| Line | Primary Function | Key Roles | Primary Responsibility | Reports To |
|---|---|---|---|---|
| First Line | Operations & Ownership | Business Unit Managers, Process Owners, Department Heads | Own and manage risks; implement and execute controls | Business Leadership |
| Second Line | Oversight & Support | Risk Management, Compliance, Legal, Finance, IT Security | Provide expertise, monitoring, and oversight; develop policies and frameworks | Chief Risk Officer / CFO |
| Third Line | Independent Assurance | Internal Audit | Provide independent evaluation and assurance on the effectiveness of governance, risk management, and controls | Audit Committee / Board |
I was implementing this model for a financial services firm in 2021, and their CEO had an "aha moment" that perfectly captured it: "So the first line drives the car, the second line reads the map and watches for hazards, and the third line checks that everything's working properly?"
Exactly.
## The Organizational Structure That Actually Works

Based on my experience across 50+ COSO implementations, here's the structure that consistently delivers results:

### Executive Level: The Strategic Layer

#### Board of Directors & Audit Committee
Let me be blunt: I've seen boards that rubber-stamp everything and boards that micromanage operational details. Neither works.
The board's role in COSO isn't to design controls or review transaction logs. It's to set the tone, provide oversight, and ensure management takes internal controls seriously.
**Key Responsibilities:**

- Approve risk appetite and control framework
- Review significant control deficiencies
- Ensure adequate resources for control activities
- Hold management accountable for control effectiveness
- Oversee the internal audit function
I worked with a healthcare organization where the Audit Committee met quarterly for exactly 45 minutes, received a 200-page report they never read, and asked zero questions. Their external auditors found material weaknesses in three consecutive years.
Compare that to a technology company where the Audit Committee:

- Met monthly during implementation (then quarterly for maintenance)
- Received executive summaries with specific questions prepared in advance
- Challenged management on control gaps
- Allocated budget for remediation
- Tracked progress on corrective actions
Guess which one achieved successful COSO implementation?
"A board that asks tough questions creates an organization that builds strong controls. A board that accepts everything gets exactly what it deserves."
#### Chief Executive Officer (CEO)
The CEO sets the tone at the top. This isn't ceremonial—it's foundational.
I've seen CEOs who viewed COSO as a "compliance checkbox" delegate everything to their CFO and wonder why the culture never shifted. I've also seen CEOs who made internal controls a strategic priority and watched it transform their entire organization.
One CEO I worked with started every quarterly all-hands meeting with a five-minute segment on control environment and recent improvements. Sounds simple, right? But it sent a powerful message: controls matter here.
**CEO's Critical Responsibilities:**

| Responsibility | Why It Matters | Frequency |
|---|---|---|
| Set organizational tone regarding controls | Establishes culture and expectations | Ongoing |
| Approve control framework and policies | Demonstrates executive commitment | Annually |
| Allocate resources for control implementation | Ensures adequate support | During budgeting |
| Review enterprise risk assessment | Maintains strategic alignment | Quarterly |
| Certify control effectiveness (SOX) | Personal accountability | Annually |
| Address significant deficiencies | Shows seriousness of commitment | As needed |
#### Chief Financial Officer (CFO)
In most organizations, the CFO is the de facto owner of the COSO framework, especially for SOX compliance. But I've learned that successful CFOs don't try to own every control—they orchestrate the control environment.
A CFO I worked with put it perfectly: "I'm not the goalkeeper trying to stop every shot. I'm the coach making sure everyone knows their position and plays it well."
**CFO Key Responsibilities:**

- Overall accountability for the internal control framework
- Design and implementation of financial controls
- Coordination of control testing and monitoring
- Remediation of control deficiencies
- Reporting to the board and external auditors
- Resource allocation for control activities
### Management Level: The Execution Layer

This is where COSO lives or dies. I cannot stress this enough.

#### Chief Risk Officer (CRO) / Risk Management Director
Not every organization has a CRO, but every organization needs someone focused on enterprise risk management. In smaller companies, this might be the CFO or a VP of Finance.
I implemented COSO for a manufacturing company that didn't have a dedicated risk function. We appointed their VP of Operations to also own risk management (with additional resources). Within a year, they had:

- Identified 23 previously unknown risks
- Implemented controls for 18 high-priority gaps
- Reduced insurance premiums by 22%
- Passed their first SOX audit with zero deficiencies
**CRO Responsibilities:**

| Core Function | Specific Activities | Deliverables |
|---|---|---|
| Risk Assessment | Identify, assess, and prioritize enterprise risks | Risk register, heat maps, risk reports |
| Risk Response | Develop risk mitigation strategies | Risk response plans, control recommendations |
| Risk Monitoring | Track risk indicators and emerging risks | KRI dashboards, trend analysis |
| Risk Reporting | Communicate risk status to leadership | Quarterly risk reports, board presentations |
| Framework Maintenance | Update risk management policies and procedures | Risk management policy, annual framework review |
#### Internal Audit Director
Here's a mistake I see constantly: organizations treat internal audit as "the people who find problems." Wrong.
Internal audit should be your organization's most valuable partner in COSO implementation—an independent, objective source of assurance and insight.
I worked with a retail company where internal audit was feared. Departments would scramble to hide issues before audit visits. The audit team would drop in, find problems, write scathing reports, and leave.
We restructured their approach. Internal audit became advisors during control design, provided real-time feedback, and focused on helping departments succeed. Control deficiencies dropped 67% within 18 months.
**Internal Audit Key Responsibilities:**

- Develop a risk-based audit plan
- Test the design and operating effectiveness of controls
- Provide independent assurance to the board and management
- Identify control deficiencies and recommend improvements
- Follow up on remediation of findings
- Assess the control environment and tone at the top
#### Compliance Officer / Director
The compliance role varies dramatically by industry. In healthcare, they focus on HIPAA and regulatory requirements. In financial services, it's AML and securities regulations. In manufacturing, it might be environmental and safety compliance.
But in every COSO implementation, compliance plays a critical second-line role.
**Compliance Responsibilities:**

| Function | Description | Key Activities |
|---|---|---|
| Policy Development | Create and maintain compliance policies | Policy writing, review, approval, communication |
| Monitoring & Testing | Ongoing compliance monitoring | Control testing, transaction monitoring, exception review |
| Training & Awareness | Educate the organization on requirements | Training programs, awareness campaigns, communication |
| Regulatory Relations | Interface with regulators and external parties | Regulatory reporting, examinations, inquiries |
| Issue Management | Track and remediate compliance gaps | Issue tracking, corrective action plans, validation |
#### IT Security / Information Security Officer
Technology controls are the backbone of modern COSO frameworks. Yet I constantly see IT security treated as a support function rather than a critical control partner.
One organization I worked with had their CISO reporting to the CIO, who reported to the CFO. When we needed to implement segregation of duties controls that impacted the CIO's own access, guess how that went?
We restructured so the CISO reported directly to the CEO with a dotted line to the board. Control implementation accelerated dramatically.
**IT Security Responsibilities:**

- Design and implement IT general controls (ITGC)
- Manage logical access controls
- Oversee change management processes
- Monitor security events and incidents
- Conduct vulnerability assessments
- Ensure business continuity and disaster recovery
### Operational Level: Where Controls Actually Happen

#### Process Owners / Department Managers
This is the forgotten layer in most COSO discussions, yet it's the most important.
Process owners are your first line of defense. They own the business processes, understand the risks, and execute the controls daily. If they don't understand COSO or don't care about controls, your framework is just expensive paperwork.
I implemented COSO for a healthcare organization where we spent three months training process owners on their control responsibilities. We created control matrices showing exactly which controls they owned, how to execute them, and how to document evidence.
The result? When external auditors arrived, process owners could explain their controls, demonstrate execution, and provide evidence without scrambling. The audit went smoothly, and more importantly, controls became part of how they worked, not something they did for auditors.
**Process Owner Responsibilities:**

| Responsibility | What It Means | Examples |
|---|---|---|
| Control Execution | Perform assigned controls according to procedures | Approvals, reconciliations, reviews, verifications |
| Documentation | Maintain evidence of control performance | Signed approvals, reconciliation workpapers, review notes |
| Issue Identification | Recognize and escalate control failures | Report exceptions, control breakdowns, unusual items |
| Remediation | Fix identified control deficiencies | Process improvements, additional training, procedure updates |
| Testing Support | Assist internal audit and external auditors | Provide evidence, explain processes, demonstrate controls |
#### Finance Team / Controllers
While the CFO has ultimate accountability, the finance team executes the majority of financial controls.
I worked with a company that had brilliant financial controls on paper. But their controllers were so overworked that they'd skip reconciliation reviews, backdate approvals, and fabricate evidence during audits.
We added two FTEs to the finance team (cost: $140,000 annually). Control deficiencies dropped from 34 to 3. The CFO told me: "Best investment we ever made. We were spending $300,000 annually on remediation and audit fees. Now we spend $140,000 on proper staffing and save the rest."
**Finance Team Control Responsibilities:**

- Execute financial close controls
- Perform account reconciliations
- Review journal entries and adjustments
- Monitor financial reporting controls
- Maintain documentation and evidence
- Support internal and external audits
#### IT Operations Team
While IT Security designs controls, IT Operations executes them daily.
Change management is a perfect example. IT Security creates the policy, but IT Operations implements changes, follows approval processes, and maintains documentation.
I've seen too many organizations where IT Operations viewed controls as bureaucratic obstacles. "We need to move fast," they'd say. "These controls slow us down."
Then they'd deploy a change that broke production systems, causing customer outages and revenue loss.
We implemented a change management process that was efficient but controlled. Average change implementation time increased by only 47 minutes, but production incidents caused by changes dropped 73%.
The IT Operations Director's quote stuck with me: "Turns out, spending 47 minutes planning prevents 4-hour outages. Who knew?"
"Controls don't slow you down—they prevent you from having to stop completely to fix disasters."
## The RACI Matrix: Making It Crystal Clear
One of my favorite tools for clarifying roles is the RACI matrix. It eliminates the "I thought they were doing it" problem.
Here's an example RACI matrix for key COSO activities:

| Activity | Board | CEO | CFO | CRO | Internal Audit | Compliance | IT Security | Process Owners |
|---|---|---|---|---|---|---|---|---|
| Set risk appetite | A | R | C | I | C | C | I | I |
| Design control framework | I | A | R | C | C | C | C | I |
| Execute controls | - | - | I | I | - | I | I | R |
| Test control effectiveness | - | I | I | I | R | C | C | C |
| Remediate deficiencies | I | I | A | C | C | C | C | R |
| Report to board | I | C | R | C | C | C | I | I |
| Maintain documentation | - | - | I | C | C | C | C | R |
| Train employees | - | I | C | C | C | R | C | I |

**RACI Legend:**

- R = Responsible (does the work)
- A = Accountable (ultimate ownership, only one A per activity)
- C = Consulted (provides input)
- I = Informed (kept updated)
I created a RACI matrix for a technology company in 2020. During the review meeting, we discovered three critical controls where nobody was "R" and two where five people were "A." No wonder controls weren't working!
We fixed the matrix, clarified responsibilities, and within six months, control deficiencies dropped 82%.
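The review that surfaced "nobody is R" and "five people are A" can be automated rather than done by eye. The following Python script is an added example, not code from the original article: it parses a RACI table written in the markdown form used above and flags every activity that breaks the legend's rules (at least one Responsible, exactly one Accountable, only the codes R/A/C/I/-). The embedded sample table takes three rows from the matrix above and adds three constructed rows that deliberately violate the rules; the activity names in those constructed rows are illustrative and not from the article.

```python
"""Check a RACI matrix for unowned and over-owned activities.

Added example (not from the article). Rules enforced per activity:
  - at least one role is R (someone actually does the work)
  - exactly one role is A (the legend's "only one A per activity",
    plus the usual RACI convention that every activity has an A)
  - every cell is one of R, A, C, I or "-"
"""
from __future__ import annotations

import re
from dataclasses import dataclass

VALID_CODES = {"R", "A", "C", "I", "-"}

# Constructed sample: three rows from the article's matrix plus three
# deliberately broken rows (no R; three A's; invalid code and no owner).
RACI_MARKDOWN = """\
| Activity | Board | CEO | CFO | CRO | Internal Audit | Compliance | IT Security | Process Owners |
|---|---|---|---|---|---|---|---|---|
| Set risk appetite | A | R | C | I | C | C | I | I |
| Design control framework | I | A | R | C | C | C | C | I |
| Remediate deficiencies | I | I | A | C | C | C | C | R |
| Review privileged access | I | A | C | C | C | C | C | I |
| Approve vendor payments | A | A | A | - | - | - | - | R |
| Archive audit evidence | - | - | X | - | - | - | - | - |
"""

SEPARATOR_CELL = re.compile(r":?-{3,}:?")


@dataclass(frozen=True)
class Finding:
    activity: str
    problem: str


def parse_raci(markdown: str) -> tuple[list[str], dict[str, dict[str, str]]]:
    """Parse a markdown RACI table into (roles, {activity: {role: code}}).

    Rows may carry or omit the leading pipe; the |---| separator row is skipped.
    """
    roles: list[str] = []
    matrix: dict[str, dict[str, str]] = {}
    for raw in markdown.splitlines():
        line = raw.strip()
        if "|" not in line:
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if all(SEPARATOR_CELL.fullmatch(c) for c in cells):
            continue
        if not roles:  # the first pipe row is the header
            roles = cells[1:]
            continue
        activity, codes = cells[0], [c.upper() for c in cells[1:]]
        if len(codes) != len(roles):
            raise ValueError(f"{activity!r}: expected {len(roles)} cells, got {len(codes)}")
        matrix[activity] = dict(zip(roles, codes))
    return roles, matrix


def validate_raci(matrix: dict[str, dict[str, str]]) -> list[Finding]:
    """Return one Finding per rule violation, in table order."""
    findings: list[Finding] = []
    for activity, assignments in matrix.items():
        invalid = [role for role, code in assignments.items() if code not in VALID_CODES]
        if invalid:
            findings.append(Finding(activity, f"invalid code for {', '.join(invalid)}"))
        responsible = [role for role, code in assignments.items() if code == "R"]
        accountable = [role for role, code in assignments.items() if code == "A"]
        if not responsible:
            findings.append(Finding(activity, "nobody is Responsible (R)"))
        if not accountable:
            findings.append(Finding(activity, "nobody is Accountable (A)"))
        elif len(accountable) > 1:
            findings.append(Finding(activity, f"{len(accountable)} roles marked Accountable: {', '.join(accountable)}"))
    return findings


def report(markdown: str) -> list[str]:
    """Human-readable lines, one per finding; an empty list means the matrix is clean."""
    _, matrix = parse_raci(markdown)
    return [f"{f.activity}: {f.problem}" for f in validate_raci(matrix)]


if __name__ == "__main__":
    for line in report(RACI_MARKDOWN) or ["RACI matrix is clean"]:
        print(line)
```

Run it against your own exported RACI table and treat every line it prints as a gap in ownership to close before the next audit cycle; a clean run is the "100% of controls with designated owners" leading indicator, produced from the matrix itself rather than from someone's recollection of it.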
## Size Matters: Scaling Roles for Your Organization
The structure I've outlined works for mid-to-large organizations. But what if you're smaller?
### Small Organization (< 50 employees)
You won't have dedicated roles for everything. Here's how I've seen small organizations successfully implement COSO:
**Combined Roles:**

- CEO handles Board oversight responsibilities
- CFO owns framework + risk management + compliance
- Controller executes financial controls
- IT Manager handles IT controls and security
- Department managers own process controls
- External consultants provide the internal audit function

I worked with a 35-person SaaS company using exactly this structure. They achieved SOC 2 certification (which relies heavily on COSO principles) with:

- One part-time compliance consultant (10 hours/month)
- Existing staff executing controls (added ~5% to workload)
- External auditors for testing
- Total additional cost: ~$85,000 annually
### Medium Organization (50-500 employees)

This is where you start building specialized roles:

**Dedicated Roles:**

- Board / Audit Committee
- CEO
- CFO (framework owner)
- Controller (financial control execution)
- Risk Manager (could be a part-time or shared role)
- Compliance Officer
- IT Security Manager
- Internal Audit (could be outsourced or 1-2 FTEs)
- Process Owners in each department
### Large Organization (500+ employees)

Full separation of duties with dedicated teams:

**Fully Staffed Structure:**

- Board of Directors with a dedicated Audit Committee
- CEO + Executive Leadership Team
- CFO with a dedicated control team
- Chief Risk Officer with risk management team
- Chief Audit Executive with internal audit department
- Chief Compliance Officer with compliance team
- CISO with security operations team
- Dedicated process owners and control coordinators in each business unit
## Common Organizational Pitfalls (And How to Avoid Them)
After fifteen years, I've seen the same mistakes repeatedly. Here are the big ones:
### Pitfall #1: The "One Person Owns Everything" Problem

I consulted for a company where the Controller was responsible for:

- Designing controls
- Executing controls
- Testing controls
- Remediating deficiencies
- Reporting to the board
When auditors arrived, they found (surprise!) that controls weren't working. The Controller was drowning and cutting corners.
**Solution:** Separate design, execution, testing, and oversight across different roles.

### Pitfall #2: The "No One Owns Anything" Problem
The opposite problem: controls documented but nobody assigned to own them.
I reviewed a control matrix for a healthcare company that had 147 controls and literally said "TBD" in the owner column for 89 of them.
**Solution:** Every control must have a named owner. Not a department. Not a role. A specific person's name.

### Pitfall #3: The "We'll Outsource Our Problems" Problem
Some organizations try to outsource control ownership entirely to consultants or service providers.
I had a potential client once say: "We'll just hire you to own all our controls."
I declined the engagement. You can outsource control execution or testing, but you cannot outsource control ownership and accountability.
**Solution:** Own your controls. Use consultants for expertise, but maintain accountability internally.

### Pitfall #4: The "Controls Are IT's Problem" Problem
Technology is critical, but controls aren't just an IT issue.
I worked with a manufacturing company that thought implementing a new ERP system would "solve their control problems." They spent $4.5 million on technology and still failed their SOX audit because they hadn't addressed organizational roles and responsibilities.
**Solution:** Technology enables controls, but people execute them. Fix the organizational structure first.

## Building Your Control Culture: The Secret Ingredient
Here's what most articles won't tell you: You can have perfect roles and responsibilities defined, and still fail if you don't have the right culture.
I implemented COSO for two similar-sized companies in the same industry within six months of each other.
**Company A:**

- CEO mentioned controls once during implementation
- CFO viewed COSO as a regulatory burden
- Managers resented the additional work
- Employees saw controls as obstacles

Result: Continuous deficiencies, expensive remediation, failed audits

**Company B:**

- CEO talked about the control environment monthly
- CFO integrated controls into performance reviews
- Managers received bonuses for control improvements
- Employees understood why controls mattered

Result: Clean audits, improved efficiency, reduced errors
The difference? Culture.
"You can't mandate a control culture. You have to build it, nurture it, and demonstrate it from the top down."
## Practical Implementation: Your 90-Day Roadmap
Based on my experience, here's how to establish clear COSO roles and responsibilities:
### Month 1: Assessment and Design

**Week 1-2: Document Current State**

- Identify existing roles and responsibilities
- Interview key stakeholders
- Identify gaps and overlaps
- Assess organizational capacity

**Week 3-4: Design Target Structure**

- Define roles based on organization size
- Create RACI matrices for key processes
- Identify new positions needed
- Determine reporting relationships

### Month 2: Communication and Alignment

**Week 5-6: Executive Alignment**

- Present the proposed structure to leadership
- Secure commitment and resources
- Finalize the organizational design
- Develop job descriptions

**Week 7-8: Communication Rollout**

- Communicate changes to the organization
- Hold town halls and Q&A sessions
- Address concerns and questions
- Begin recruiting for new positions

### Month 3: Implementation and Training

**Week 9-10: Staffing and Setup**

- Fill new positions
- Establish reporting relationships
- Create communication channels
- Develop training materials

**Week 11-12: Training and Launch**

- Train all stakeholders on their roles
- Distribute RACI matrices
- Establish regular meeting cadences
- Begin execution
## Measuring Success: How You Know It's Working
I'm a big believer in metrics. Here's how I measure whether the organizational structure is effective:
### Leading Indicators (What You Can Track Monthly)

| Metric | Target | What It Measures |
|---|---|---|
| % of controls with designated owners | 100% | Role clarity |
| % of control owners trained | 100% | Capability |
| Control execution rate | >95% | Operational effectiveness |
| Average time to remediate deficiencies | <30 days | Responsiveness |
| Employee control awareness survey score | >4.0/5.0 | Culture |
### Lagging Indicators (Quarterly/Annual Assessment)

| Metric | Target | What It Measures |
|---|---|---|
| Number of control deficiencies identified | Decreasing trend | Control effectiveness |
| Number of repeat deficiencies | Zero | Remediation effectiveness |
| Clean audit opinions | 100% | Overall framework success |
| Control-related incidents/errors | Decreasing trend | Risk reduction |
| Cost of control remediation | Decreasing trend | Efficiency |
I worked with a financial services firm that tracked these metrics religiously. In Year 1 of their COSO implementation:

- 73 control deficiencies identified
- 12 repeat issues
- Remediation costs: $420,000

By Year 3:

- 8 control deficiencies identified
- 0 repeat issues
- Remediation costs: $35,000
They didn't change the controls. They got the organizational structure and accountability right.
## The Real-World Truth About Organizational Structure
Let me close with some hard-earned wisdom:
**Perfect organizational structures don't exist.** Every company has constraints—budget, headcount, expertise, politics. The goal isn't perfection; it's clarity and accountability.

**Roles will evolve.** Your organizational structure for COSO will change as your company grows, your risks evolve, and your maturity increases. That's normal and healthy.

**People matter more than org charts.** I've seen beautiful organizational designs fail because they put the wrong people in critical roles. I've also seen imperfect structures succeed because they had committed, capable people executing them.

**Culture trumps everything.** You can have the most sophisticated three-lines model with perfect separation of duties, but if your CEO doesn't care about controls, neither will anyone else.
I learned this lesson the hard way in 2017. We designed a theoretically perfect COSO organizational structure for a technology company. On paper, it was textbook. In practice, it failed spectacularly because we hadn't addressed the cultural resistance to controls.
We stepped back, spent three months on change management and cultural development, then re-launched the same organizational structure. This time, it worked beautifully.
## Your Next Steps

If you're building or restructuring your COSO organizational framework:

**Step 1: Assess your current state honestly**

- Who currently owns what?
- Where are the gaps and overlaps?
- What's working and what isn't?

**Step 2: Design for your reality**

- What can you afford?
- What expertise do you have?
- What can you outsource?
- What must you own?

**Step 3: Get executive buy-in**

- Show the business case
- Demonstrate ROI
- Secure resources
- Commit to the journey

**Step 4: Communicate relentlessly**

- Explain why it matters
- Clarify expectations
- Address concerns
- Celebrate progress

**Step 5: Measure and adjust**

- Track your metrics
- Learn from issues
- Iterate and improve
- Stay committed
## The Bottom Line
After implementing COSO frameworks in organizations ranging from 20-employee startups to Fortune 500 enterprises, I can tell you this: The framework isn't the hard part. Getting the people and organizational structure right is.
Controls don't execute themselves. Risk assessments don't complete themselves. Deficiencies don't remediate themselves.
People do all of that. And those people need clear roles, sufficient resources, proper training, executive support, and a culture that values controls.
Get the organizational structure right, and COSO becomes a competitive advantage—a systematic way to reduce risk, improve operations, and build stakeholder confidence.
Get it wrong, and you'll have expensive documentation that nobody follows, controls that nobody executes, and auditors who find the same deficiencies year after year.
The choice is yours. Choose wisely.
"In COSO implementation, organizational clarity isn't everything. But without it, everything else is nothing."