SOC 2 Organizational Structure Review Process

Learn how to perform the SOC 2 Organizational Structure Review process under SOC 2 CC1.3, including steps, evidence, and tool guidance.

Overview

Organizational Structure Review is the annual evaluation of the company’s formal reporting lines, roles, and responsibilities to ensure they support effective governance and accountability. This process ensures alignment with SOC 2 CC1.3 by confirming management oversight, segregation of duties, and clarity of authority.

Step-by-Step Process

  1. Initiate annual review

    The HR Manager schedules the annual organizational structure review and confirms the review period and scope (entire organization or specific business units). The output is a documented review plan with a defined review date and participants.

    Role: HR Manager

  2. Collect current organizational data

    The HR Manager extracts the current employee list, job titles, departments, and reporting relationships from the HR system. The output is an exported employee roster used as the baseline for validation.

    Role: HR Manager

  3. Review reporting lines and roles

    The HR Manager reviews reporting lines to ensure they are clearly defined and appropriate for governance and oversight, including executive management and key control owners. Any gaps or unclear reporting relationships are noted for follow-up.

    Role: HR Manager

  4. Validate with management

    The HR Manager shares the draft organizational structure with executive management for confirmation and approval. The output is documented confirmation or requested changes from management.

    Role: HR Manager

  5. Update organizational chart

    The HR Manager updates the official organizational chart to reflect approved changes using an approved diagramming or HR tool. The output is a finalized, dated organizational chart.

    Role: HR Manager

  6. Approve and publish structure

    Executive management formally approves the updated organizational structure, and HR publishes it to the designated internal repository. The output is an approved and accessible organizational chart.

    Role: HR Manager

  7. Retain evidence

    The HR Manager stores all review documentation, approvals, and final charts in the compliance evidence repository. The output is a complete evidence package ready for audit review.

    Role: HR Manager

What You Need Before Starting

  • Access to HR system (e.g., BambooHR) with employee and reporting data
  • Prior year approved organizational chart
  • List of current executives and department heads
  • Access to diagramming tool (Lucidchart or Creately)

Evidence Your Auditor Expects

  • Final organizational chart showing reporting lines, dated and versioned
  • Exported employee roster from HR system with timestamp
  • Email or electronic approval from executive management with date
  • Annual review plan or meeting invite showing review date

How This Looks In Your Tools

Lucidchart

Log in to Lucidchart and navigate to Documents > New > Org Chart to open a new organizational chart template. Use the left-hand shape library to add roles and reporting lines, and label each position with job title and department.

Once updates are complete, click File > Version History to confirm the last modified date. Export the chart by selecting File > Download As and save as PDF with the review year in the filename, then upload it to the compliance evidence repository.

Creately

Log in to Creately and select Create New > Org Chart from the template gallery. Use the toolbar to add positions and connectors, ensuring reporting lines are clearly shown and labeled.

After management approval, click File > Export and download the chart as a PDF or PNG. Confirm the updated date in the document properties and store the exported file in the compliance evidence folder.

BambooHR

Log in to BambooHR and navigate to Reports > Organizational Chart to view the current structure. Review reporting lines by clicking on individual employees to confirm manager assignments.

If updates are required, go to Employees > Directory, select the employee, and update the Reports To field. After completing changes, return to Reports > Organizational Chart and export or screenshot the chart with the visible system date for audit evidence.

Common Audit Findings

  • Organizational chart not updated annually: This occurs when reviews are informal or not scheduled. Prevent this by calendaring the annual review and retaining a dated final chart each year.
  • Unclear or missing reporting lines: Auditors note this when charts lack direct manager relationships. Prevent it by validating reporting lines against HR system data and confirming with management.
  • Lack of management approval evidence: This happens when approval is verbal only. Always retain dated email or system-based approval from executive management.
  • HR system data does not match organizational chart: Discrepancies occur when updates are made in only one system. Prevent this by updating the HR system first and generating charts directly from current data.

Key Roles

HR Manager