
Source-cited Q&A clarifying how DOA, approval matrices, RACI, and workflow rules differ and align in enterprise governance.
This comes up constantly: people use "DOA," "approval matrix," and "RACI" as if they're interchangeable. They're related, but they answer fundamentally different questions, and confusing them creates governance gaps that show up during audits and incidents.
The scale of the confusion is quantifiable. The EY and Society for Corporate Governance Delegation Edge study found that roughly 90 percent of companies maintain a delegation of authority policy, but training and enforcement remain their two largest challenges, with 36 percent identifying training as their single greatest difficulty and 54 percent documenting authority through both a board memo and a formal matrix. The policy exists; the framework discipline often does not.
Definition: Delegation of Authority (DOA). The formal assignment of decision rights and approval limits to specified roles or individuals, defining who is authorized to commit the organization to an action within defined thresholds, conditions, scope, and effective dates.
Definition: Approval matrix. A structured, usually tabular representation of approval rules that maps a specific decision type and threshold to the authority level required to approve it, typically functioning as the operational lookup tool for day-to-day compliance with a DOA policy.
Definition: RACI. A responsibility assignment model (Responsible, Accountable, Consulted, Informed) that clarifies role participation in the steps of a process without granting the decision-making authority required to commit the organization to an action.
A delegation of authority is the formal assignment of decision rights and approval limits that defines who holds permission to commit the organization to specific actions, under what thresholds, conditions, scope, and time constraints.
A: DOA is the formal assignment of decision rights and approval limits. It defines who is allowed to approve or commit the organization to an action, and under what constraints (thresholds, conditions, scope, time).
Think: permission to commit the company. For a complete treatment of how DOA frameworks are structured and operated, see the Delegation of Authority 101 pillar guide.
An approval matrix is the structured, searchable representation of DOA rules, typically a table, that maps decision types and thresholds to the specific authority level required to approve each one.
A: An approval matrix is a structured representation of approval rules, usually a table, that spells out which authority level is required for a given decision type and threshold.
An approval matrix often sits inside the broader DOA program, but in many organizations it becomes the "working DOA" because it's what people actually use day to day. The EY study found that 54 percent of companies use both a board memo and a formal matrix to document authority, but the critical factor is whether the matrix is actively maintained and enforced, not just documented. For a practical walk-through, see How to Build a Delegation of Authority Matrix.
Think: the rulebook format people reference.
RACI is a responsibility assignment model (Responsible, Accountable, Consulted, Informed) that clarifies role participation in a process but does not grant the decision-making authority required to commit the organization.
A: RACI is a responsibility model: Responsible, Accountable, Consulted, Informed. It clarifies who does the work, who owns the outcome, and who should be involved.
RACI is useful for process clarity, but it does not grant authority. You can be "Accountable" in a RACI chart and still not have delegated authority to approve a transaction above a threshold.
Think: who does the work and who owns the outcome.
Each framework serves a distinct governance purpose and answers a different core question; confusing them produces the most common audit and control gaps, while using each for what it is good at creates a coherent governance system.
A: Each serves a distinct governance purpose. The table below clarifies what each tool does, what it controls, and where it falls short.
| Framework | Core Question It Answers | Grants Authority? | Enforced in Systems? | Audit Evidence? |
|---|---|---|---|---|
| DOA (Delegation of Authority) | Who can approve or commit the organization? | Yes — formal decision rights and limits | Indirectly, through workflow rules | Strong, if versioned with effective dates |
| Approval Matrix | Which authority level is required for this decision? | Operationalizes DOA into actionable rules | Often the basis for workflow routing | Strong, if mapped to system controls |
| RACI | Who is responsible, accountable, consulted, informed? | No — clarifies roles, not authority | Rarely enforced in systems | Weak — no threshold or condition logic |
| Workflow Rules | How does the system route this approval? | Enforces authority, does not define it | Yes — directly in ERP/CLM/procurement | Mixed — strong for execution, weak for authority proof |
The critical insight: workflow systems capture that an approval happened, but they often cannot prove the approver had authority for that specific decision at that time. This is the gap that causes the most audit pain. McKinsey's research on organizational decision-making found that clear decision rights are one of the most powerful organizational levers at a leader's disposal, yet most organizations conflate these frameworks rather than connecting them deliberately. The same McKinsey study estimated that Fortune 500 companies waste roughly $250 million per year in management labor on ineffective decision processes, representing approximately 530,000 lost working days.

No. RACI clarifies role participation in a process but assigns no decision rights, which means an organization relying on RACI alone will still lack the bounded, provable authority that audits, contracts, and financial commitments require.
A: No. RACI can clarify roles, but DOA is what establishes decision rights and approval limits. If you only have RACI, you'll still end up relying on informal approvals, escalation via email, and "whoever the executive trusts." McKinsey found that 72 percent of senior executives said bad strategic decisions were as frequent as or more common than good ones, and much of that stems from unclear authority, which RACI alone cannot solve.
| What People Assume | Why It Breaks Down | What Auditors Actually Ask |
|---|---|---|
| "RACI Accountable = approval authority" | RACI assigns outcome ownership, not signing rights. An "A" in RACI cannot approve a $2M contract without a DOA delegation. | "Show me the delegation that granted this person authority for this amount." |
| "Our ERP routing = our DOA" | Workflow rules enforce approvals but don't define authority. System configs often diverge from the policy over time. | "Can you prove this workflow rule matched the authority matrix on the date of this transaction?" |
| "The spreadsheet is the matrix" | Static spreadsheets lack version control, effective dates, and integration with the systems enforcing rules. | "Which version of this matrix was in effect on June 15? Who approved the change?" |
| "We have a DOA policy, so we're covered" | A policy without a working matrix is a document, not a control. People revert to informal approvals. | "How do employees look up the correct approver for a specific decision type and amount?" |
In practice, yes. Even if it doesn't look like a spreadsheet, every DOA program needs a deterministic way to map a scenario to an approver; without one, the DOA remains a policy document rather than a working tool that governs daily decisions.
A: In practice, yes, even if it doesn't look like a spreadsheet. Somewhere, people need a deterministic way to map a scenario to an approver. That's what the matrix provides. Without it, DOA remains a policy document that people reference occasionally rather than a working tool that governs daily decisions.
The KPMG 2025 SOX Survey found that 40 percent of compliance teams still rely on spreadsheets as their working authority matrix, a pattern that exposes exactly why a matrix must be version-controlled and integrated rather than just documented.
Workflows are where governance meets reality: the ERP, procurement, CLM, and treasury systems that either enforce or fail to enforce approval rules in practice, and the layer where divergence between policy and execution is most likely to emerge.
A: Workflows are where governance meets reality. Systems like ERP, procurement, CLM, and treasury tools enforce (or fail to enforce) approval rules. The more your workflow rules drift from the matrix, the more you get:
West Monroe's 2026 Speed Wins research found that 44 percent of managers have accepted slow decision-making as normal or have grown apathetic toward fixing it, and that each additional request for analysis adds an average of three weeks of delay. When workflow rules diverge from the authority matrix, both speed and control suffer. For the operational mechanics of preventing this divergence, see Avoiding Sync Drift.
Use each framework for what it is structurally good at (RACI for process roles, DOA for decision rights, the matrix for searchable rules, and workflow rules for system enforcement), with the explicit goal of having all of them reference the same underlying authority data.
A: Use each for what it's good at:
| Framework | Best Used For | Typical Owner | Common Failure Mode |
|---|---|---|---|
| RACI | Defining who performs and owns steps in a process | Process owners, project managers | Treated as authority when it only clarifies roles |
| DOA Policy | Defining who can approve or commit at key decision points | CFO, General Counsel, Board/Governance Committee | Remains a policy document rather than an operational tool |
| Approval Matrix | Making DOA rules searchable and unambiguous | Finance, compliance, or operations teams | Maintained in spreadsheets that diverge from system configs |
| Workflow Rules | Enforcing the matrix in systems where work happens | IT, system admins, ERP/CLM platform teams | Configured independently from authority matrix, causing drift |
Our recommendation: The most impactful alignment step is ensuring workflow routing rules in your ERP, procurement, and contract systems reference the same authority matrix, rather than maintaining separate approval logic that was configured independently. This single step eliminates the most common source of authority drift. West Monroe's research found that 73 percent of C-Suite leaders believe halving decision cycle time would unlock at least five percent in additional revenue, a business case that directly rewards alignment.
One designated system should own authority rules and delegations, with every other system consuming those rules rather than maintaining parallel logic, because managing mismatches between multiple authority sources is more expensive and riskier than managing authority in one place.
A: Pick one system of record for authority rules and delegations. Then integrate outward so workflows reference the same source. When the matrix lives in one place, delegations live in another, and workflow rules live in three more, you're managing mismatches instead of managing authority.
The KPMG 2025 SOX Survey underscores the cost of fragmented authority: the average SOX program budget reached $2.3 million in FY24, a 44 percent increase from $1.6 million two years earlier, while only 17 percent of controls are automated, down from 21 percent in FY22. Organizations are spending more on compliance while becoming less efficient at it. Protiviti's 2023 SOX Compliance Survey found that 58 percent of organizations reported increased compliance hours and 74 percent were actively seeking further automation, confirming that the underlying problem is architectural, not effort-based. For the architectural pattern that makes one-source-of-truth governance practical, see Single Source of Truth for Authority: Integrating HRIS, ERP, and Identity.

AI agents that take action on behalf of the organization, initiating purchases, approving exceptions, releasing payments, require the same delegated authority structure as human approvers, and neither IAM permissions nor RACI assignments are substitutes for a bounded DOA delegation.
A: When an AI agent approves a purchase order or releases a payment, the audit question is not whether the agent had system access. It is whether the agent had delegated authority for that action, under what limits, and who is the accountable human owner. OWASP's 2025 Top 10 for Large Language Model Applications elevated "Excessive Agency" to the sixth position precisely because identity-layer controls are insufficient to prevent unauthorized actions by actors that have legitimate access but lack bounded authority. Regulatory frameworks are converging on the same conclusion: the EU AI Act's Article 14 on human oversight and the Singapore IMDA Model AI Governance Framework for Agentic AI both require documented accountability structures that delegation records satisfy.
The DOA framework applies to AI agents exactly as it applies to humans: scope, limits, effective dates, accountable owner. For the detailed governance model, see Agentic Authority Management.
The governance failures below appear repeatedly in audit findings and are predictable once the framework distinctions are clear. Each one traces back to treating the frameworks as substitutes rather than complements.
At minimum, review the matrix with every material organizational change (reorganization, leadership transition, M&A) and at least quarterly as a standing cadence. Role changes, terminations, and re-orgs that occur between formal reviews should trigger event-driven updates rather than wait for the calendar. The KPMG material-weakness analysis shows that companies reporting weaknesses in multiple consecutive years disproportionately rely on annual-only review cycles, a cadence that routinely misses emerging control gaps. For the full change-management discipline, see the Authority Change Management Playbook.
In practice, no. ERP approval configurations are system-specific, are versioned in ways that are not audit-friendly, and lack the delegation semantics (effective dates, accountable owner, business rationale) that a real authority record requires. The ERP should consume authority data via API lookup or event-driven sync, not own it. Treating ERP routing as the de facto DOA creates the exact drift pattern KPMG identifies as a leading cause of material weakness findings.
DOA provides the structural framework that makes segregation of duties (SoD) enforceable. SoD prevents one person from controlling an entire risky process end-to-end; DOA defines who can approve what, which makes those separations concrete. KPMG's analysis of SEC filings found that SoD failures surged from 34 percent of material weakness disclosures in FY21 to 55 percent in FY23, making this the fastest-growing category of control deficiency. Building SoD conflict detection into the DOA change workflow, rather than discovering conflicts during the next audit, is the single most effective remediation.
Limited. RACI documents role participation but lacks the threshold, condition, and effective-date structure auditors need to verify authorization. An auditor asking "did this person have authority to approve this amount on this date" cannot answer the question from a RACI chart. RACI is useful for process clarity and operational ownership; it is not a substitute for the delegation record that audits actually test against.
Agents that take action on behalf of the organization require the same delegation structure as human approvers: scope, limits, effective dates, accountable human owner, and audit evidence. IAM permissions govern whether the agent can access a system; DOA governs whether the agent is authorized to take a specific action at a specific threshold. Both are required. The Agentic Authority Management guide covers the four-layer governance model (advisory, bounded, escalation, monitoring) for AI agent authority in detail.
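The three points above, the auditor's question "did this person have authority to approve this amount on this date", SoD conflict detection inside the DOA change workflow, and the requirement that an agent's delegation name an accountable human owner, all reduce to operations over one delegation record. The following is an added illustration, not code from the page's author or any product mentioned on it: it models a versioned matrix entry with scope, limit, effective dates and owner, answers a point-in-time authority question from the record rather than from workflow history, and checks a proposed delegation for SoD conflicts before it is granted. Every principal name, limit, date and conflict pair is constructed for the example; the `SOD_CONFLICTS` pairs in particular are hypothetical and would come from the organisation's own SoD policy.

```python
"""Point-in-time authority lookup over a versioned delegation-of-authority matrix.

Added example (not from the page's author or any vendor). All names, amounts,
dates and conflict pairs below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Delegation:
    principal: str                 # role, individual, or AI agent identifier
    decision_type: str             # e.g. "purchase_order", "payment_release"
    limit: int                     # approval ceiling in currency units
    scope: str                     # business unit covered; "*" means all
    effective_from: date
    effective_to: Optional[date]   # None = still in effect
    version: int = 1               # bumped whenever the delegation is changed
    is_agent: bool = False         # AI agent acting for the organisation
    accountable_owner: Optional[str] = None  # human owner; mandatory for agents

    def active_on(self, when: date) -> bool:
        if when < self.effective_from:
            return False
        return self.effective_to is None or when <= self.effective_to


# Constructed sample matrix. The purchasing manager's limit was raised on
# 2024-07-01, so two versions of that delegation exist and an audit question
# dated June 15 must be answered by version 1, not by the current version.
MATRIX = [
    Delegation("purchasing_manager", "purchase_order", 100_000, "EU",
               date(2024, 1, 1), date(2024, 6, 30), version=1),
    Delegation("purchasing_manager", "purchase_order", 250_000, "EU",
               date(2024, 7, 1), None, version=2),
    Delegation("cfo", "purchase_order", 5_000_000, "*", date(2024, 1, 1), None),
    # Agent delegation with a named accountable human owner.
    Delegation("ap_release_agent", "payment_release", 25_000, "EU",
               date(2024, 3, 1), None, is_agent=True, accountable_owner="ap_director"),
    # Agent delegation with no accountable owner: must never authorise anything.
    Delegation("rogue_agent", "payment_release", 25_000, "EU",
               date(2024, 3, 1), None, is_agent=True),
]


def check_authority(matrix, principal, decision_type, amount, scope, when):
    """Return an evidence dict: was this principal authorised, and under which version?

    The same function serves the ERP at routing time (when = today) and the
    auditor asking about a past transaction (when = transaction date).
    """
    for d in matrix:
        if (d.principal, d.decision_type) != (principal, decision_type):
            continue
        if d.scope not in ("*", scope) or not d.active_on(when):
            continue
        if d.is_agent and not d.accountable_owner:
            continue  # unbounded agent authority is treated as no authority
        if amount <= d.limit:
            return {"authorized": True, "version": d.version, "limit": d.limit,
                    "accountable_owner": d.accountable_owner or d.principal}
    return {"authorized": False, "version": None, "limit": None,
            "accountable_owner": None}


# Constructed SoD rule set: a principal must not hold both rights of a pair on
# overlapping dates and scope, or one actor could run the process end to end.
SOD_CONFLICTS = {frozenset({"vendor_create", "payment_release"}),
                 frozenset({"purchase_order", "goods_receipt"})}


def sod_conflicts(matrix, proposed):
    """List existing delegations that a proposed delegation would conflict with.

    Meant for the DOA change workflow, so a conflict blocks the grant instead of
    surfacing in the next audit.
    """
    hits = []
    for d in matrix:
        if d.principal != proposed.principal:
            continue
        if frozenset({d.decision_type, proposed.decision_type}) not in SOD_CONFLICTS:
            continue
        if "*" not in (d.scope, proposed.scope) and d.scope != proposed.scope:
            continue
        starts_before_other_ends = (proposed.effective_to is None
                                    or d.effective_from <= proposed.effective_to)
        ends_after_other_starts = (d.effective_to is None
                                   or proposed.effective_from <= d.effective_to)
        if starts_before_other_ends and ends_after_other_starts:
            hits.append(d)
    return hits


if __name__ == "__main__":
    print(check_authority(MATRIX, "purchasing_manager", "purchase_order",
                          150_000, "EU", date(2024, 6, 15)))
    proposal = Delegation("ap_release_agent", "vendor_create", 0, "EU",
                          date(2024, 1, 1), None, is_agent=True,
                          accountable_owner="ap_director")
    print([d.decision_type for d in sod_conflicts(MATRIX, proposal)])
```

Two design choices matter for the audit scenario on this page: the lookup is driven by the record's effective dates, so a later limit increase cannot retroactively legitimise an earlier approval, and the returned dict is the evidence itself (version, limit, accountable owner), which is what a workflow system cannot produce from an approval log alone.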
Designate one system as the authoritative source for authority rules and delegations, then audit whether every other system enforcing approvals references that source or maintains its own parallel logic. Most organizations discover at this step that their ERP, procurement tool, and contract platform each have independent approval configurations, and that fixing the integration contract is a higher-leverage project than tightening any one system's rules. For the integration architecture, see Single Source of Truth for Authority.
Next: If you want to pressure-test your authority controls and evidence, read DOA and SOX/Internal Controls (Q&A).