RA-004 · Research Report · 2026-05-16 · DOI 10.5281/zenodo.20185174

Accountability & Enterprise Governance

Cameisha Smith

The Inquiry

The Inquiry: Enterprise governance frameworks (COSO, COBIT, Three Lines Model, TOGAF, SOX) represent decades of mature development in defining accountability relationships — who is accountable to whom, for what, and through what mechanisms. Yet governance failures persist in organizations with fully implemented frameworks. Is the gap between governance design and governance outcomes a problem of framework quality (better frameworks needed), organizational culture (better values needed), or infrastructure (the mechanism to capture evidence that governance actually occurs in operational decisions is structurally absent)?

Falsifiable formulation: If any existing governance framework provides not just the prescription for accountability relationships but the operational infrastructure to capture evidence that those relationships are actually exercised in daily decisions — making governance evidence a structural by-product of decision-making rather than a separate documentation task — then the infrastructure gap claimed here does not exist.

Executive Summary

The framework-infrastructure gap is the accountability version of the "requirements without infrastructure" meta-pattern.

Prior sprints identified this pattern across provenance, design rationale, institutional memory, process mining, AI accountability, and audit compliance. This sprint confirms it in enterprise governance: COSO, COBIT, Three Lines Model, TOGAF, and SOX all prescribe what accountability should look like without providing the infrastructure to capture evidence that it actually occurs. The pattern is now validated across three independent domains (data provenance, AI governance, enterprise governance), strengthening the conclusion that it is structural.

Ceremonial conformity is the deepest governance challenge — and it requires an architectural, not cultural, resolution.

Meyer & Rowan's (1977) insight — that organizations adopt formal structures for legitimacy without operational implementation — explains why governance frameworks can coexist with governance failures. Enron had COSO-compliant controls. WorldCom had experienced directors. The frameworks were "present" but not "functioning" (COSO's own distinction). DiMaggio & Powell explain why this spreads: coercive isomorphism drives adoption through regulation; mimetic isomorphism drives adoption through imitation; normative isomorphism drives adoption through professional standards. All three mechanisms drive framework adoption without ensuring operational implementation.

The resolution is architectural: when governance documentation is embedded in the governance activity (not a separate compliance task), decoupling becomes structurally difficult. Organizations cannot maintain governance on paper without practicing it because the paper is the practice.

![Figure 1. Five enterprise governance frameworks share a common infrastructure gap: each prescribes accountability relationships without providing the mechanism to capture evidence that they are exercised in operational decisions.](images/rr-004-fig-01.png)

Agency and stewardship theories require dual-use governance infrastructure.

Most organizations need both monitoring (agency) and empowerment (stewardship). No governance infrastructure framework in the literature addresses how to serve both through common infrastructure. Decision records naturally serve both: in agency contexts, they provide monitoring evidence; in stewardship contexts, they preserve professional judgment and expertise. This dual-use property is architecturally significant — organizations don't need separate systems for accountability and knowledge management.

![Figure 2. Decision records serve dual governance functions: monitoring evidence in agency contexts and knowledge preservation in stewardship contexts — eliminating the need for parallel systems.](images/rr-004-fig-02.png)

Bovens + Schedler + Mulgan + Grant & Keohane = comprehensive accountability requirements.

The accountability theory literature converges on what infrastructure must provide: factual information (Bovens Phase 1), explanation (Phase 2), consequence evaluation (Phase 3), answerability + enforcement (Schedler), deterrence + evaluation + dialogue (Mulgan), and support for multiple accountability mechanisms simultaneously (Grant & Keohane). Decision records with documented intent, authority, evidence, and expected outcomes serve all of these requirements through a single infrastructure.

![Figure 3. Four accountability frameworks converge on requirements that structural decision infrastructure satisfies: factual information, explanation, consequence evaluation, answerability, enforcement, and multi-mechanism support.](images/rr-004-fig-03.png)

Abstract

Enterprise governance frameworks — COSO, COBIT, the IIA Three Lines Model, TOGAF, and the Sarbanes-Oxley Act — represent decades of mature development in prescribing accountability relationships. Yet governance failures persist in organizations with fully implemented frameworks. This research sprint investigates whether the gap between governance design and governance outcomes is a problem of framework quality, organizational culture, or infrastructure. Across 25 sources spanning agency theory, stewardship theory, institutional theory, accountability theory, and enterprise governance practice, a convergent finding emerges: every major framework prescribes what accountability should look like without providing the mechanism to capture evidence that it actually occurs in operational decisions. Meyer and Rowan's ceremonial conformity — organizations adopting structures for legitimacy without operational implementation — explains the persistence of the gap. The resolution is architectural: embedding governance documentation in governance activity so that decoupling becomes structurally difficult. The sprint synthesizes Bovens, Schedler, Mulgan, and Grant and Keohane into comprehensive accountability requirements that only structural decision infrastructure can satisfy, and establishes the governance theory foundation for the infrastructure arguments developed in adjacent sprints on provenance, AI governance, and organizational memory.

"Institutionalized organizations must not only conform to myths but must also maintain the appearance of evaluation and inspection." — Meyer & Rowan (1977), American Journal of Sociology
Findings13
F-RA-004-01 · gap-identification · lab-originated
Enterprise governance frameworks (COSO 2013/2017, COBIT 2019, IIA Three Lines Model 2020, TOGAF, SOX 2002) are mature in prescription — they define what organizations should do for governance/accountability — but all share a structural limitation: they prescribe WHAT without providing the infrastructure for HOW to capture evidence that governance actually occurs in decisions. COSO distinguishes "present and functioning" from "operating effectively" yet provides no mechanism for the evidence that bridges them.
F-RA-004-02 · gap-identification · lab-originated
Principal-agent theory (Jensen & Meckling 1976; Eisenhardt 1989; Gailmard 2014) identifies information asymmetry as the fundamental governance challenge — agency costs decompose into monitoring, bonding, and residual loss — but traditional responses (monitoring, incentive alignment, bonding) reduce information asymmetry only at the margins and do not fundamentally restructure the information architecture.
F-RA-004-03 · design-requirement-derivation · lab-originated
Stewardship theory (Davis, Schoorman & Donaldson 1997) holds that under certain conditions agents function as stewards whose interests naturally align with organizational objectives, emphasizing empowerment and trust over monitoring and incentives; most organizations contain both agency and stewardship dynamics simultaneously, so governance infrastructure must accommodate stewardship simultaneously with agency.
F-RA-004-04 · gap-identification · lab-originated
Bovens' (2007) accountability framework defines accountability as a relationship between actor and forum with three phases — (1) Information, (2) Explanation/Debate, (3) Consequences — and (2010) distinguishes accountability as virtue from accountability as mechanism. This framework defines what governance infrastructure must provide.
F-RA-004-05 · gap-identification · lab-originated
Schedler (1999) identifies accountability as two-dimensional — answerability (obligation to inform and justify) and enforcement (capacity to impose consequences). Answerability without enforcement is merely transparency; enforcement without answerability is authoritarianism; genuine accountability requires both. Schedler also identifies overlapping accountability-adjacent concepts: surveillance, monitoring, oversight, control, and accountability proper.
F-RA-004-06 · root-cause-diagnosis · lab-originated
Institutional theory (Meyer & Rowan 1977; DiMaggio & Powell 1983; Scott 2001) explains why organizations adopt governance ceremonially without operational implementation: formal structures are adopted as "rational myths" for legitimacy and "decoupled" from operations; isomorphic mechanisms (coercive, mimetic, normative) spread adoption; institutional stability requires support across all three pillars (regulative, normative, cultural-cognitive).
F-RA-004-07 · gap-identification · lab-originated
IT governance research (Weill & Ross 2004, 250-enterprise MIT CISR study) found that governance determines who systematically makes and contributes to decisions, and that high-performing organizations tend toward clear, integrated governance; the critical variable is clarity about who decides, not who decides — even imperfect-but-clear governance outperforms theoretically superior-but-ambiguous governance.
F-RA-004-08 · gap-identification · lab-originated
Corporate governance theory traces to the separation of ownership and control (Berle & Means 1932): dispersed shareholders cannot directly control managerial decisions. Cadbury (1992) established "comply or explain"; Useem & Zelleke (2006) found boards increasingly treat delegation of authority as a careful, self-conscious decision with annual calendars and written protocols.
F-RA-004-09 · gap-identification · lab-originated
The IIA's 2020 Three Lines Model defines first-/second-/third-line roles and six principles, but role differentiation without decision documentation means whether roles actually fulfill their functions is unknowable without retrospective investigation; third-line independence ("highest degree of objectivity") implies records must be accessible to assurance without first/second-line ability to alter them — making immutability a governance requirement, not merely a technical feature.
F-RA-004-10 · gap-identification · lab-originated
AI accountability extends governance challenges by introducing three AI-specific challenges (Busuioc 2021): opacity (algorithmic decisions may be unexplainable), diffusion of responsibility (multiple actors share accountability), and regulatory lag (frameworks designed for human decision-making). Wieringa (2020) reviewed 242 articles, finding lifecycle-based accountability across development, deployment, operation, and evaluation.
F-RA-004-11 · gap-identification · lab-originated
Multiple accountability theorists converge on the need for combined mechanisms rather than any single solution: Mulgan (2003) — three dimensions (external constraint, retrospective judgment, social interaction) plus the network-accountability challenge (hierarchy mechanisms work poorly in distributed governance); Grant & Keohane (2005) — seven mechanisms (hierarchical, supervisory, fiscal, legal, market, peer, public reputational). No single mechanism suffices.
F-RA-004-15 · convergent-validation · lab-originated
The framework-infrastructure gap is the accountability instance of the "requirements without infrastructure" meta-pattern, now validated across three independent domains — data provenance (S1), AI governance (S2), and enterprise governance (S4) — strengthening the conclusion that the pattern is structural rather than domain-specific.
F-RA-004-16 · convergent-validation · lab-originated
Decision records (carrying documented intent, authority, evidence, and expected outcomes) satisfy the comprehensive accountability requirements that the literature converges on — Bovens' three phases, Schedler's answerability + enforcement, Mulgan's deterrence + evaluation + dialogue, and Grant & Keohane's multiple mechanisms — through a single infrastructure.
Concepts2
Three phases of accountability (Information / Explanation-Debate / Consequences)Combined-mechanisms accountability (no single mechanism suffices)
Open Questions2
OQ-012How do ESG reporting frameworks extend the accountability infrastructure gap?
OQ-013Can Bovens' three-phase model be operationalized as a governance infrastructure completeness test?
Bibliography25
{Committee of Sponsoring Organizations of the Treadway Commission} (2013) · Internal Control --- Integrated Framework
{Committee of Sponsoring Organizations of the Treadway Commission} (2017) · Enterprise Risk Management --- Integrating with Strategy and Performance
{ISACA} (2018) · COBIT 2019 Framework: Governance and Management Objectives
{Institute of Internal Auditors} (2020) · The {IIA's} Three Lines Model: An Update of the Three Lines of Defense
{The Open Group} (2022) · TOGAF Standard, 10th Edition
(2002) · Sarbanes-Oxley Act of 2002
Jensen, Michael C. and Meckling, William H. (1976) · Theory of the Firm: Managerial Behavior, Agency Costs and Ownership Structure
Eisenhardt, Kathleen M. (1989) · Agency Theory: An Assessment and Review
Davis, James H. and Schoorman, F. David and Donaldson, Lex (1997) · Toward a Stewardship Theory of Management
Gailmard, Sean (2014) · Accountability and Principal-Agent Theory
Bovens, Mark (2007) · Analysing and Assessing Accountability: A Conceptual Framework
Bovens, Mark (2010) · Two Concepts of Accountability: Accountability as a Virtue and as a Mechanism
+13 more citations