Authority Change Management Playbook: How to Update DOA Without Creating Chaos

A repeatable change management workflow for authority: requests, approvals, temporary coverage, versioning, communications, and audit evidence.

Before managing changes, you need a solid policy foundation. See Writing a DOA Policy People Will Actually Follow for that starting point.

Definition: Authority change management is the controlled process by which an organization requests, reviews, approves, publishes, and communicates changes to decision rights, approval limits, and delegated authority, ensuring that authority records remain accurate, versioned, and audit-ready through every organizational shift.

The most important part of authority management is not the initial design. It is what happens after the first reorganization, the first acquisition, and the first urgent request for "just temporary coverage." West Monroe's 2026 Speed Wins research found that each request for additional analysis adds an average of three weeks of delay. Authority changes follow the same pattern: when the change process is slow or unclear, teams create workarounds that bypass governance entirely.

The scale of this problem is substantial. McKinsey's research on decision-making found that a typical Fortune 500 company wastes roughly $250 million per year on ineffective decision-making, representing 530,000 lost working days annually. A significant portion of that waste traces back to unclear authority and slow approval routing. Meanwhile, the EY and Society for Corporate Governance 2025 study found that while 90 percent of companies maintain a delegation of authority policy, 28 percent cite time-consuming updates and 27 percent cite maintaining current versions as persistent operational challenges. The gap between having a policy and keeping it current is where authority change management lives.

[Figure: Authority change trigger taxonomy showing people changes, structural changes, and external changes that require updates to delegation of authority records]

Why authority changes are the highest-risk governance moment

Authority changes introduce the greatest risk of control gaps because they touch active decision rights, system configurations, and compliance evidence simultaneously.

Every organizational change carries authority implications. Promotions shift approval limits. Departures leave delegations orphaned. Acquisitions merge incompatible authority structures. New entities require entirely new delegation chains. When these changes are not processed through a controlled workflow, the result is authority drift: the gradual divergence between documented decision rights and actual practice. For a deeper look at how drift develops, see Delegation of Authority 101.

APQC's 2024 research across 311 finance professionals found that 29 percent of organizations rate their delegation of authority as less than effective, and 30 percent of those organizations cite lack of accountability as the top negative impact. Unmanaged authority changes are the primary mechanism through which accountability breaks down: when no one can trace who approved a change, when it took effect, or why it was made, accountability becomes impossible to enforce.

The financial consequences are real. The ACFE's 2024 Report to the Nations found that 51 percent of occupational fraud losses stem from absent or overridden authorization controls, with a median loss of $145,000 per case. Authority change management is not a process improvement exercise. It is a control that directly reduces financial exposure.

The goal: predictable changes with provable history

Effective authority change management produces a complete, auditable record of every change to decision rights, from initial request through retirement.

A good authority change process should make it easy to answer three questions for any authority grant, at any point in time:

  1. What changed? Which decision rights were added, modified, or revoked, and for which role or person?
  2. Who approved the change? Which stakeholders reviewed and authorized the modification, and at what risk level?
  3. When did it become effective, and when did it end? What are the precise effective dates, and is there a complete version history?

If you can reliably answer those three questions, you are already ahead of most organizations. The EY/SCG study found that 35 percent of organizations cite difficulty tracking delegations across entities and geographies as a persistent challenge. A controlled change workflow with versioning and effective dates eliminates that tracking problem at the source. For detailed metrics on measuring program health, see Authority Monitoring and Reporting Metrics.

The seven-step authority change workflow

A complete authority change workflow moves through seven stages, from request to retirement, producing audit evidence at every step.

The table below outlines each step, its purpose, key actions, and the evidence it produces. This framework applies to any authority change, whether it is a routine role transfer, an emergency coverage grant, or a material authority increase following a reorganization. The critical design principle: every step produces a record. If any step is missing or informal, you will be reconstructing history later, likely during an audit when the stakes are highest.

McKinsey's research on organizational decision-making found that the most effective organizations treat authority as a living system rather than a periodic compliance exercise. A structured change workflow is what makes that possible. For context on how this workflow connects to the broader authority matrix, see How to Build a Delegation of Authority Matrix.

| Step | Purpose | Key Actions | Evidence Produced |
| --- | --- | --- | --- |
| 1. Request | Capture the change with context | Scope, role, effective dates, justification, systems impacted | Standardized change request record |
| 2. Impact Check | Validate risk before approval | SoD check, risk assessment, consistency with comparable roles | Impact assessment with flags |
| 3. Approve | Right stakeholders for the risk level | Routine: matrix owner. Material: finance/risk/legal leadership | Approval record with identity and timestamp |
| 4. Publish | Make the change official | Version the update, set effective date, retire old version | Versioned authority record with effective dates |
| 5. Notify | Ensure affected parties know | Notify delegate, manager, process owners, system owners | Notification and acknowledgment records |
| 6. Enforce | Update downstream systems | Align ERP, procurement, CLM, treasury, identity systems | System configuration change records |
| 7. Retire | Expire temporary authority | Auto-expiry for time-bound grants, revert to standard mapping | Expiry record and reversion confirmation |

[Figure: Seven-step authority change management workflow showing the process from request through impact check, approval, publishing, notification, enforcement, and retirement of delegated authority]

Step 1: Standardize the change request

A standardized request form captures the full context of every authority change, ensuring consistency and reducing the rework caused by incomplete submissions.

Require every authority change request to include: what decision rights are being changed, which role or person is gaining or losing authority, effective date and expiration date (if applicable), business justification, risk flags such as segregation of duties concerns, and downstream systems that will need configuration updates. The form does not need to be complex. Consistency is what matters. When requests arrive in inconsistent formats (emails, verbal requests, tickets with partial information), the review and approval steps take significantly longer and produce weaker evidence.

The EY/SCG study found that 28 percent of organizations cite time-consuming updates as a key DOA challenge. Standardized request forms directly address this: when every request arrives with the same fields populated, the review cycle compresses from days to hours. Organizations that connect their request workflow to HRIS events (new hires, promotions, transfers, terminations) can trigger authority change requests automatically, reducing manual effort further. For the underlying structure that defines what needs to change, see How to Build a Delegation of Authority Matrix.

Step 2: Perform an impact and control check

An impact check validates that the proposed authority change does not create segregation of duties conflicts, increase uncontrolled risk, or misalign with comparable roles.

Before approval, validate four things. Does this change create a segregation of duties conflict? Does it increase risk without a compensating control? Is the authority consistent with comparable roles and regions? Do downstream systems need updates to enforce the change? The ACFE data is instructive here: 51 percent of occupational fraud losses stem from absent or overridden controls. The impact check is where you catch control gaps before they become audit findings or, worse, financial losses.

Our recommendation: Build the segregation of duties and risk check into the request workflow itself, not as a separate manual step. When the check happens automatically at request time, conflicts are caught before approval rather than discovered months later during an audit. This single automation eliminates the most common source of control gaps in authority programs. For a deeper look at how separation of duties interacts with authority frameworks, see DOA vs. Approval Matrix vs. RACI.

Step 3: Approve with the right stakeholders

Approval tiers should match the risk level of the change, ensuring proportionate governance without creating blanket committee review for routine adjustments.

The table below maps change types to appropriate approvers. The principle is proportionate governance: routine changes within established parameters need the matrix owner plus direct business owner. Material authority increases need finance or risk leadership. Changes affecting regulated processes need the compliance or control function. The point is not to create a committee for every change. It is to ensure that the right people see changes that carry material risk, while routine adjustments flow through quickly.

| Change Type | Risk Level | Required Approvers | Evidence Required |
| --- | --- | --- | --- |
| Role transfer within established parameters | Routine | Matrix owner + business owner | Request record, SoD check, approval log |
| Authority increase above current tier | Material | Matrix owner + finance/risk leadership | Impact assessment, risk review, dual approval |
| Change affecting regulated processes | High | Matrix owner + compliance/control function | Full impact assessment, regulatory review, compliance sign-off |
| Emergency coverage (unplanned) | Expedited | Single senior approver + mandatory 48-hour follow-up review | Expedited approval, follow-up review within 48 hours |

The EY/SCG study found that 36 percent of organizations cite insufficient training as their top DOA challenge. Approver clarity is a direct contributor: when approvers do not understand their role in the change workflow, they either rubber-stamp everything (creating control gaps) or delay everything (creating workarounds). Defining clear approval tiers and communicating them is as important as defining the authority matrix itself. For compliance context on why approval evidence matters, see DOA and SOX/Internal Controls.
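An added example (not from the original article or from any product it mentions) of running the Step 1 completeness check and the Step 2 impact check at request time, then routing to the Step 3 approver tier. The right names, the conflict pairs, the peer limits, and the rule that a segregation of duties conflict blocks the request are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

# Constructed rule data for this example; a real program loads it from its matrix.
SOD_CONFLICTS = [{"po.create", "po.approve"}, {"vendor.onboard", "payment.release"}]
REGULATED_RIGHTS = {"payment.release"}
# Approver tiers as listed in the Step 3 table.
APPROVERS = {
    "routine": ["matrix owner", "business owner"],
    "material": ["matrix owner", "finance/risk leadership"],
    "high": ["matrix owner", "compliance/control function"],
}
RANK = {"routine": 0, "material": 1, "high": 2}


@dataclass
class ChangeRequest:
    holder: str
    justification: str
    effective: Optional[date]
    add_rights: Dict[str, int] = field(default_factory=dict)  # right -> limit
    remove_rights: Set[str] = field(default_factory=set)
    temporary: bool = False
    expires: Optional[date] = None


@dataclass
class Assessment:
    risk: str
    approvers: List[str]
    blocked: bool
    flags: List[str]


def assess(req: ChangeRequest, current: Dict[str, int],
           peer_limits: Dict[str, int]) -> Assessment:
    """Return the impact assessment for one request.

    current: rights the holder has today (right -> limit).
    peer_limits: highest limit held by comparable roles (right -> limit).
    """
    flags: List[str] = []
    blocked = False
    risk = "routine"

    # Step 1: an incomplete request is sent back rather than approved.
    if not req.justification.strip():
        flags.append("missing business justification")
        blocked = True
    if req.effective is None:
        flags.append("missing effective date")
        blocked = True
    if req.temporary and (req.expires is None or req.effective is None
                          or req.expires <= req.effective):
        flags.append("temporary grant without a valid expiration date")
        blocked = True

    # Step 2: evaluate the rights the holder would have AFTER the change,
    # so a right that was never removed still counts toward a conflict.
    resulting = (set(current) - req.remove_rights) | set(req.add_rights)
    for pair in SOD_CONFLICTS:
        if pair <= resulting:
            flags.append("SoD conflict: " + " + ".join(sorted(pair)))
            blocked = True  # assumption: no compensating-control override

    for right, limit in sorted(req.add_rights.items()):
        peer = peer_limits.get(right)
        if peer is None or limit > peer:
            flags.append(f"{right}: limit {limit} above comparable roles ({peer})")
            risk = max(risk, "material", key=RANK.get)
        if right in REGULATED_RIGHTS:
            flags.append(f"{right}: affects a regulated process")
            risk = max(risk, "high", key=RANK.get)

    return Assessment(risk, APPROVERS[risk], blocked, flags)
```

The lateral-transfer case from the common mistakes list is the one to try first: adding `po.approve` to someone who still holds `po.create` is blocked until the request also removes `po.create`.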

Step 4: Publish with versioning and effective dates

Every authority change must be versioned with explicit effective dates, preserving the complete history needed for point-in-time audit queries.

Two rules prevent confusion. First, every change has an explicit effective date, even if it is "effective immediately." Recording the precise moment authority becomes active is what enables point-in-time recall during audits. Second, old versions are retired, not deleted. Version history is what allows "as-of" answers later, and auditors will ask for them.

Deloitte's research on organizational design maturity found that organizations with clearly defined and well-maintained decision rights are 1.3 times more likely to meet their financial targets. Maintaining version integrity through controlled publishing is a foundational requirement for that maturity. The EY/SCG study reinforces this: 27 percent of organizations cite maintaining current versions as a challenge, and the root cause is almost always a lack of formal publishing discipline. Authority records that are emailed, saved to shared drives, or updated informally will always drift. A controlled publish step with version tracking solves this structurally.

Step 5: Notify the people who rely on the new authority

Authority changes fail silently when affected parties do not know they happened, making structured notification and acknowledgment essential for enforcement.

At minimum, notify the new delegate, their manager, the process owners who route approvals, and the system owners who enforce workflow controls. In mature programs, organizations also require acknowledgment for high-impact authority grants, creating a record that the delegate understands the scope and constraints of their new authority. APQC's research found that 67 percent of organizations with effective DOA policies report better decision-making. Notification is a key enabler: decisions improve when people know clearly what they are authorized to decide.

Notification is also where authority change management intersects with signatory governance. When a change affects who can sign contracts, banking documents, or regulatory filings, the notification must extend to counterparties, banks, and regulatory bodies. For the operational mechanics of keeping signatory lists aligned with delegation changes, see Authorized Signatory Lists Explained and Keeping Delegations and Signature Authority in Sync.

Step 6: Update enforcement points

Authority is only real if systems and workflows reflect the current state of delegation, making enforcement point updates the step where governance translates into operational reality.

The table below maps common enforcement points to the specific updates required when authority changes. This is where many authority programs break down: the policy and matrix are updated, but the systems where actual approvals happen still reflect the old authority mapping. The result is either over-escalation (routing approvals to people who no longer have the relevant authority) or under-control (allowing approvals by people whose authority has been revoked).

| System Type | What Needs Updating | Risk If Not Updated |
| --- | --- | --- |
| ERP (SAP, Oracle, Workday) | Approval routing rules, spending limits, cost center assignments | Transactions approved by unauthorized individuals |
| Procurement | Purchase order thresholds, vendor approval authority, contract limits | Purchases exceeding intended authority limits |
| Contract Lifecycle Management | Signature authority, clause approval rules, commitment limits | Contracts signed by unauthorized parties |
| Treasury & Banking | Payment authorization, bank mandate signatories, transfer limits | Unauthorized fund transfers or payments |
| Identity & Access Management | Privileged access roles, administrative entitlements, system permissions | Excess access enabling unauthorized actions |

Common enforcement points include ERP approval rules, procurement workflows, contract lifecycle management signature and clause approval rules, treasury and banking entitlements, and identity and access management for privileged actions. The EY/SCG study found that 35 percent of organizations cite difficulty tracking delegations across entities and geographies. The tracking difficulty is a symptom. The root cause is that enforcement updates happen inconsistently across systems. The EY/SCG study also found that 71 percent of organizations plan technology investment for DOA management, and enforcement synchronization is one of the primary drivers of that investment. For the integration architecture that keeps authority synchronized across systems, see Single Source of Truth for Authority.

Step 7: Retire temporary coverage automatically

Temporary authority should expire without anyone needing to remember it, making automatic retirement the single most effective lever for reducing long-term authority drift.

Issue every temporary delegation with an explicit end date. Schedule notifications before expiry so there is time to extend if the business need persists. When the end date passes, automatically revert to the standard authority mapping. This sounds simple, but it is one of the biggest levers for reducing authority drift over time. Without automatic retirement, "temporary" coverage quietly becomes permanent. A delegation granted for a two-week vacation is still active eighteen months later. A special project authority outlives the project by years.

West Monroe's research found that 44 percent of managers have accepted slow decision-making as normal, a cultural inertia that accumulated temporary delegations reinforce. When everyone has accumulated authority grants that were never retired, the matrix becomes so cluttered that nobody trusts it, and the cycle of workarounds begins again. For a broader look at how delegation and signatory records stay aligned through role changes, see Keeping Delegations and Signature Authority in Sync.
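An added example (not from the original article or from any product it mentions) of the record model that the Step 4 versioning rules and the Step 7 automatic retirement both rely on: an append-only ledger with effective dates, an as-of query, and temporary grants that stop applying at their end date. The class and field names, the sample holders, the exclusive end date, and the rule that an active temporary grant overrides the standard mapping are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class Grant:
    version: int
    holder: str
    right: str
    limit: int
    effective_from: datetime
    effective_to: Optional[datetime]  # None = open-ended standard mapping
    approved_by: str
    temporary: bool


class AuthorityLedger:
    """Append-only authority record: versions are closed, never deleted."""

    def __init__(self) -> None:
        self._grants: List[Grant] = []

    def _add(self, *fields) -> Grant:
        grant = Grant(len(self._grants) + 1, *fields)
        self._grants.append(grant)
        return grant

    def history(self, holder: str, right: str) -> List[Grant]:
        return [g for g in self._grants if (g.holder, g.right) == (holder, right)]

    def publish_standard(self, holder, right, limit, effective_from, approved_by):
        open_versions = [g for g in self.history(holder, right)
                         if not g.temporary and g.effective_to is None]
        # Reject backdated versions before touching any existing record.
        if any(effective_from <= g.effective_from for g in open_versions):
            raise ValueError("new version must take effect after the current one")
        for old in open_versions:
            old.effective_to = effective_from  # retire the old version, keep it
        return self._add(holder, right, limit, effective_from, None,
                         approved_by, False)

    def publish_temporary(self, holder, right, limit, effective_from,
                          effective_to, approved_by):
        if effective_to is None or effective_to <= effective_from:
            raise ValueError("temporary authority needs an end date after its start")
        return self._add(holder, right, limit, effective_from, effective_to,
                         approved_by, True)

    def as_of(self, holder, right, at) -> Optional[Grant]:
        """Answer 'who had what authority on this date?' (end date exclusive)."""
        live = [g for g in self.history(holder, right)
                if g.effective_from <= at
                and (g.effective_to is None or at < g.effective_to)]
        # Assumption: an active temporary grant overrides the standard mapping.
        # After its end date it no longer matches, so the standard grant
        # applies again without anyone having to revoke anything.
        live.sort(key=lambda g: (g.temporary, g.version))
        return live[-1] if live else None

    def expiring(self, now, within: timedelta) -> List[Grant]:
        """Temporary grants ending inside the window, for pre-expiry notices."""
        return [g for g in self._grants
                if g.temporary and now <= g.effective_to <= now + within]


def utc(year, month, day) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


def build_sample_ledger() -> AuthorityLedger:
    """Constructed sample data: one promotion and one vacation cover."""
    ledger = AuthorityLedger()
    ledger.publish_standard("alice", "po.approve", 50_000, utc(2025, 1, 1), "cfo")
    ledger.publish_standard("bob", "po.approve", 10_000, utc(2025, 1, 1), "cfo")
    ledger.publish_temporary("bob", "po.approve", 50_000,
                             utc(2025, 7, 1), utc(2025, 7, 15), "cfo")
    ledger.publish_standard("alice", "po.approve", 100_000, utc(2025, 9, 1), "cfo")
    return ledger
```

Because reversion falls out of the query rather than a cleanup job, a missed scheduler run cannot leave the temporary limit in force; downstream systems from Step 6 still need to read from this record for that to hold in practice.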

A simple cadence that works

A structured review cadence catches authority drift early, when corrections are inexpensive and low-risk, rather than during an audit when the stakes are highest.

The table below outlines a four-tier cadence that balances operational overhead with governance rigor. The key insight is that different activities belong at different frequencies. Pending requests and time-bound coverage need weekly attention. System reconciliation needs monthly review. Evidence sampling and validation belong on a quarterly cycle. Policy-level changes happen annually or after material business events.

| Frequency | Activity | Owner | Evidence Produced |
| --- | --- | --- | --- |
| Weekly / Biweekly | Review pending requests and time-bound coverage approaching expiry | Authority program manager | Queue status report, expiry alerts |
| Monthly | Reconcile authority changes with system owners across enforcement points | Authority program manager + system owners | Reconciliation report, drift exceptions |
| Quarterly | Sample approvals and validate evidence; review metrics and KPIs | Authority steering committee or GRC lead | Validation report, metric dashboard |
| Annually | Refresh policy principles, recalibrate thresholds, benchmark against peers | CFO / General Counsel / Board committee | Policy revision record, threshold benchmarking |

APQC's research found that 49 percent of organizations with effective DOA policies report a reduction in bottlenecks. A regular cadence is what sustains that benefit: without it, small inconsistencies accumulate until the authority framework becomes a bottleneck itself. For the full set of governance metrics and KPIs that should drive your review cadence, see Authority Monitoring and Reporting Metrics. For the ownership structure and roles that support this cadence, see Operating Model for Authority Management.

Common mistakes in authority change management

Most authority change management failures follow predictable patterns that are preventable with the right process design and organizational discipline.

Treating authority changes as IT tickets. Authority changes are governance events, not system configuration tasks. When they are processed through a generic IT ticketing system without risk assessment, segregation of duties checking, or formal approval tiers, the change may be executed correctly in one system while creating control gaps across others. The change workflow needs to be owned by governance, with IT as an execution partner.

Allowing verbal or email authority grants. Any authority grant that is not recorded in the system of record does not exist for audit purposes. McKinsey's research found that 72 percent of senior executives said bad decisions were as frequent as or more common than good ones. Verbal authority grants compound this problem by removing the accountability trail that governance depends on.

Skipping the impact check for "simple" changes. Most segregation of duties conflicts are created by changes that seemed routine at the time. A lateral transfer that gives someone both purchase order creation and approval authority. A promotion that adds a new approval tier without removing the old one. The impact check exists precisely for changes that feel simple.

Not requiring effective dates. "Updated the matrix" is not a change record. Without an effective date, there is no way to answer the audit question "Who had authority on this date?" Every change, no matter how small, needs a recorded effective date.

Ignoring the cost of non-compliance. Ponemon Institute research found that the cost of non-compliance is 2.71 times higher than the cost of compliance ($14.82 million versus $5.47 million). Authority change management is not overhead. It is one of the most cost-effective controls an organization can implement.

[Figure: Comparison of manual authority change management using spreadsheets and email versus a controlled workflow with version history, automated enforcement, and complete audit evidence]

Where Aptly helps

Purpose-built authority management platforms address the structural limitations of manual change processes by centralizing, automating, and auditing every step of the change workflow.

Aptly supports controlled change management across all seven steps of the workflow described in this article. Change requests flow through configurable approval tiers with built-in segregation of duties checking (Steps 1 through 3). Every change is published with version history, effective dates, and point-in-time recall (Step 4). Notifications and acknowledgment tracking ensure affected parties are informed (Step 5). Pre-built integrations with ERP, HRIS, procurement, and identity systems keep enforcement points synchronized (Step 6). Time-bound delegations expire automatically with configurable notifications before expiry (Step 7).

APQC's research found that 75 percent of organizations using technology for DOA management report it as effective, compared to 64 percent of those without technology. The EY/SCG study found that 78 percent of organizations still host their DOA on an intranet or shared drive, and only 14 percent use a dedicated IT system. The gap between those two numbers represents the opportunity: organizations that move from static document management to purpose-built platforms see measurable improvements in change processing speed, audit readiness, and authority accuracy. For organizations evaluating how to prevent unauthorized actions during the transition between authority states, see Preventing Unauthorized Signatures.

Frequently asked questions

How fast should authority changes be processed?

Routine changes within established parameters should be processed within one to two business days. Material changes requiring additional review typically take three to five business days. Emergency coverage should be grantable same-day with expedited approval and a follow-up review within 48 hours. If your average turnaround exceeds a week, teams will create workarounds. West Monroe's research found that each additional analysis request adds an average of three weeks of delay. The same principle applies to authority processing: speed is not the enemy of governance, but unnecessary friction is.

What triggers an authority change?

The most common triggers are role changes (promotions, lateral transfers, terminations), organizational restructuring, new entity or subsidiary formation, mergers and acquisitions, planned absences requiring temporary coverage, new bank account or counterparty onboarding, regulatory updates that affect approval requirements, and periodic threshold recalibration based on business growth. Event-driven triggers should be automated where possible through HRIS and directory integration, so authority reviews happen as a byproduct of organizational changes rather than as separate manual efforts.

How do you prevent "temporary" authority from becoming permanent?

Require an explicit end date on every temporary grant. Schedule notifications before expiry so the business can extend if needed. Implement automatic reversion when the end date passes. Report on temporary coverage exceeding defined thresholds (for example, grants active beyond 90 days) as a governance metric. Without these controls, temporary authority is the single largest source of authority drift in most organizations.

Who should approve authority changes?

The approval chain should reflect the risk level of the change. Routine adjustments within established parameters need the matrix owner and direct business owner. Material authority increases need finance or risk leadership. Changes affecting regulated processes need the compliance or control function. The goal is proportionate governance, not blanket committee review for every change.

How do you handle authority changes during M&A integration?

M&A integration is the highest-complexity authority change scenario. Two organizations with different approval thresholds, different matrix structures, and different enforcement systems need to be rationalized. The recommended approach is to map both authority structures side by side, identify conflicts and gaps, establish a transitional authority framework for the integration period with explicit sunset dates, and then converge to a unified structure. Assign a dedicated authority workstream within the integration program, not an afterthought within IT or compliance. For the structural framework that should guide this convergence, see How to Build a Delegation of Authority Matrix.

What audit evidence should authority changes produce?

Each change should produce a timestamped request record with business justification, an impact assessment with segregation of duties findings, approval records with approver identity and timestamp, a versioned authority record showing the before and after state with effective dates, notification and acknowledgment records, and system configuration change records for downstream enforcement points. The goal is a complete chain of evidence from request to enforcement, reconstructable at any future point in time. For compliance-specific requirements, see DOA and SOX/Internal Controls.

How do authority changes differ across entities in a multi-entity organization?

In multi-entity organizations, authority change management must account for entity-specific thresholds, local regulatory requirements, and cross-entity consistency. A change that is routine in one entity may be material in another due to different thresholds or regulatory environments. The change workflow should include an entity-context step that identifies which entities are affected and applies the appropriate approval tier for each. Centralized visibility across all entities is essential to prevent fragmentation.

What is the difference between emergency authority and temporary authority?

Temporary authority is a planned, time-bound delegation issued in advance for a known period (such as vacation coverage or a project assignment). Emergency authority is an expedited grant issued in response to an unplanned event (such as an unexpected departure or a critical business need with no available delegate). Both should have explicit end dates and automatic retirement. The key difference is the approval path: emergency authority uses an expedited approval with a mandatory follow-up review within a defined period, typically 48 hours, while temporary authority follows the standard approval workflow.

Sources

1. West Monroe, "Speed Wins: The C-Suite Mandate for Decision Velocity," 2026.

2. McKinsey & Company, "Decision making in the age of urgency," 2019.

3. EY and Society for Corporate Governance, "The Delegation Edge: Corporate Governance in Focus," 2025.

4. APQC, "The CFO's Guide to an Effective Delegation of Authority Policy," 2024.

5. ACFE, "Report to the Nations on Occupational Fraud and Abuse," 2024.

6. McKinsey & Company, "Untangling your organization's decision making," 2017.

7. Deloitte, "Good to great: Using organizational design to drive better decisions," 2020.

8. McKinsey & Company, "Three keys to faster, better decisions," 2019.

9. Ponemon Institute and GlobalScape, "The True Cost of Compliance with Data Protection Regulations," 2017.
