Q&A with Dave Harmon

David Harmon, CCSA, CIA, CISA, CPA
Director of Financial Management Programs 
UCLA, Los Angeles

Quoting from the U.S. Public Company Accounting Oversight Board's (PCAOB's) audit standard No. 2, under the heading Management Self-assessment of Controls — page 81, paragraph 40 — "Management may test the operating effectiveness of controls using a self-assessment process. Because such an assessment is made by the same personnel who are responsible for performing the control, the individuals performing the self-assessment do not have sufficient objectivity as it relates to the subject matter. Therefore, the auditor should not use their work." So, does this totally rule out use of control self-assessment (CSA) when evaluating an organization's controls?

The short answer is no, CSA is not dead. The long answer is a bit more complicated. I must admit, as a strong proponent of CSA, I was extremely encouraged at first by the passage of the U.S. Sarbanes-Oxley Act of 2002. It seemed that this ruling would be the driver to bring CSA into the mainstream of the audit process, from the fringes of an esoteric internal audit best practice. But after digesting the fine details of the new internal control standard, I now have different thoughts. However, what may appear to be a lost opportunity does not mean that all is lost. After taking some time to think about it, there may be a silver lining in this somewhat gray cloud. By not institutionalizing CSA, the concept may be somewhat protected from the risk of becoming a watered down version of its original promise.

One thing that I have stressed time and again is that organizations need to sponsor a champion for CSA to work. This has been one of CSA's greatest challenges and has also been the most common reason for failure. Advocates know that CSA can pay big dividends when properly implemented. But because the self-assessment process also has had its share of failures, advocates might ask, how did this happen? In my view, self-assessment failures are due to implementing controls that don't work as designed. If CSA had been adopted and mandated as a PCAOB requirement, many of the organizations required to adopt it may not have had an appropriate champion to sponsor and support it. The long-term effect would be that CSA would lose credibility — realizing the PCAOB assertion that it cannot be relied upon — and become a self-fulfilling prophecy.

Here is the catch-22. CSA is a highly effective method for assessing the health of an organization's system of internal control — in particular its control environment — and should be considered when assessing internal control. However, if the PCAOB had made it a requirement, it may have ceased to be effective as it is deemed unreliable for purposes of evaluation. Therefore, the PCAOB's failure to embrace CSA is not necessarily a detriment and may actually be appropriate as the standard provides some latitude in using CSA results. In context with these thoughts, another reference to the standard — page A-27, paragraphs 52 and 53 — appears at odds, indicating that "self-assessment programs as a company-level control may be appropriate …. to test and evaluate the design effectiveness of company-level controls first, because the results of that work might affect the way the auditor evaluates the other aspects of control over financial reporting."

So how should auditors interpret these contradictions? Can or should external auditors use CSA results? This is where auditor judgment comes into play to determine if an organization's CSA program has credibility. If there is evidence that the organization uses it successfully as a control assessment tool, the auditors may consider reliance. However, if indications are such that the organization's CSA process is not truly effective, the external auditors will probably not rely on it when assessing controls.

If CSA is on the vanguard of identifying control issues, the results will be hard to dismiss. To steal a philosophy from the movie "Field of Dreams": If you embrace CSA and give it credibility, they — the external auditors — will come and place reliance on it.

As a true believer, the benefits of an effective CSA program go well beyond compliance with Sarbanes-Oxley. Enlightened chief audit executives and management should embrace CSA, whether or not external auditing places reliance upon it. 

David Harmon, CCSA, CIA, CISA, CPA, is director of financial management programs at UCLA in Los Angeles. Harmon helped develop a CSA program in his former position at Fannie Mae, instructs several IIA courses on CSA, and contributed to the questions in The IIA's CCSA exam.