Volume 10 • No. 1 • February 2006

CSA Sentinel 


Welcome to CSA Sentinel, The IIA's quarterly publication for control self-assessment (CSA) professionals. A benefit of membership in The IIA’s CSA Center, this newsletter features articles on the latest thinking in CSA and risk, interviews, a question-and-answer profile section, practical "how-to" advice, research, and news with the latest development updates. Information on becoming a CSA Center member is available from The IIA.

In This Issue

This issue's articles include:

The CSA Practitioner: Teacher, Student, Partner Wrapped Into One
One organization's decade of CSA experience helps auditors empower clients to effectively assess their risks and controls.

Compliance Overload Drives Interest in ERM
Regulatory scrutiny and mounting compliance costs are motivating some business leaders to consider whether ERM can reduce compliance costs over time, improve operational performance, enhance corporate governance, and deliver greater shareholder value.

Q&A with Dave Harmon
What role could CSA play in helping audit shops prepare for a quality assessment?

Success Stories
A consulting firm in Canada is using CSA to convince management of the importance of the ERM investment. Your company can, too.

According to Mike
Looking Into the Crystal Ball.

Center News
Register for the CCSA Exam; Plan to Attend the 2006 Risk and Control Conference; Take Advantage of CSA Membership Benefits.

Quick Tips
Managing Change is Critical to Effective Leadership.

Calendar
A calendar of upcoming IIA risk and control training events.

 



All contents of this Web site, except where expressly stated, are the copyrighted property of the Institute of Internal Auditors Inc.

The CSA Practitioner: Teacher, Student, Partner Wrapped Into One

One organization's decade of CSA experience helps auditors empower clients to effectively assess their risks and controls.

By Barbara Jackson Williams, CCSA, CPA
CSA Program Manager
Washington Metropolitan Area Transit Authority

Who hasn't heard by now that management, not the internal audit department, is responsible for the internal controls in their organizations? Surely no one who has been touched by the U.S. Sarbanes-Oxley Act of 2002. Adding serious consequences to those responsibilities, similar regulations requiring management to shoulder the risk-management burden with greater diligence and accountability are sprouting up all over the globe.

Conscientious audit shops often find themselves on the prowl for more effective ways to partner with management and assist them in their risk-management endeavors, while steering clear of assuming ownership for the process. The Washington Metropolitan Area Transit Authority (Metro) has found, along with countless other organizations, that the judicious implementation of CSA provides an opportunity for management and internal auditors to join forces and tackle this momentous task together, without crossing the boundary line that sets the two functions apart.

Thanks, in part, to the visionary leadership of Metro's chief audit executive, Jim Stewart — who introduced the organization to CSA in 1996 — CSA has permeated the internal audit efforts there and contributed to the thriving partnership between Metro's audit department and its management team. Along Metro's decade-long path to corporate-governance maturity are breadcrumbs of information that can help other practitioners steer clear of CSA's more notorious obstacles by simply learning when to teach, when to learn, and when to partner.

A Time to Teach

American scholar William A. Ward once categorized teachers by degrees of effectiveness in this manner: "The mediocre teacher tells. The good teacher explains. The superior teacher demonstrates. The great teacher inspires." The role of the CSA practitioner as teacher is never more critical than when introducing an organization to the art of CSA. Explaining and demonstrating the CSA approach, as well as inspiring management to embrace self-assessment as a means to managing risk, is at the heart of successfully integrating CSA into the audit function.

Instruction must begin with a thorough explanation of the CSA process and, in particular, how it differs from the traditional audit practices the client may be accustomed to. At Metro, auditors preparing to perform a CSA engagement in a department take strides to find out that department's history with CSA and tailor their initial instructional strategies accordingly. For starters, it is necessary to explain the key distinctions between CSA and traditional auditing — a few of which are:

  • In CSA the internal auditor serves as the facilitator of the process; management and employees are the ones who evaluate the internal controls.
  • CSA uses tools that may not be familiar to managers in the context of auditing, such as facilitated workgroups, questionnaires, and anonymous voting mechanisms.
  • In some instances the client issues the CSA report, rather than the auditor.
  • CSA can be employed to evaluate "soft" controls, such as "tone at the top" and ethics, where traditional audit techniques are more limited.

But the role of teacher doesn't stop there. Once the foundation of what CSA is and how it adds value to an organization has been laid, the auditor must focus on teaching the specific purpose of the pending CSA. To ensure the client understands the workshop's objective(s) and the potential benefits to the department, it is helpful to detail the methodologies that will be employed in an upcoming workshop. However, before the auditor can instruct the client about a specific course of action to take, much planning must be done to determine the most expedient way to reach the prescribed goal(s). It's at this point in the process that the CSA practitioner must doff the teaching hat and assume the role of student, eager to learn the "DNA" of the client's operations and environment.

A Time to Learn

Auditors will often spend the bulk of the engagement's time parked in the preparation phase. Going into a CSA insufficiently prepared is a recipe for certain disaster. The objective of the preparation period is to learn as much as possible about the client's operations, personnel, systems, governance, risks, controls, and other challenges within the engagement's allotted timeframe. And who better to learn from than the clients themselves?

Approaching the client from a posture of a learner, rather than that of an expert, also goes a long way in empowering management to own the assessment. Because the employees participating in the self-assessment work day in and day out in the functional area being examined, they have a wealth of information about the inner workings of the department. Treating them as professionals nurtures a sense of collaboration, enabling internal auditors and management to work side by side to achieve identical goals. It also helps auditors shed the perception of being the adversarial challengers to management.

In preparing for the workshop, facilitators may want to:

  • Interview managers. Auditors at Metro will frequently meet with members of executive management and line management to find out pressing concerns, conflicts in perspective, and their recommended scope for the assessment. These pre-session interviews communicate to management that this really is their process. Auditors ask management who they think should attend the workshop and will sometimes even ask, "What do you think they will say are some of the issues?" The feedback from the interviews gives auditors the opportunity to focus the remainder of their preparation on the issues management has targeted, which is more efficient than trying to paint a coherent picture of the client's needs with a broad brush.
  • Send out questionnaires. Questionnaires or surveys can be used as a stand-alone CSA or in conjunction with a workshop to obtain a sense of where employees stand on key issues. This tool is not unique to CSA; it has been employed within the context of the internal audit function for years. If auditors decide to use questionnaires in lieu of a workshop, decisions will need to be made about who gets the survey, if it will be anonymous, and what topics will be included.
  • Go on site. Metro auditors will frequently visit the area that's being evaluated and talk to the employees to learn as much as possible about their systems, equipment, and environment. So if they need to learn more about bus maintenance processes, they'll get in jeans, put on a pair of boots, go to a bus garage, and immerse themselves in the maintenance workers' world to better understand what they do. In addition to providing auditors with a more robust understanding of the area under evaluation, a site visit helps employees feel that their contribution is valuable to the assessment efforts. The more auditors can do to dispel the image of being holed away in offices, "judging" staff from a distance, the more productive their audit activities often are.

Spending adequate time preparing for the session is paramount to learning an organization's risks and how they are being mitigated. Auditors can then take the information acquired from the interviews, questionnaires, and visits to the department and evaluate it against benchmarking standards and best practices. Once the auditors' rigorous season of tutelage has drawn to a close, it is time for the real fun to begin: partnering with management in the workshop.

A Time to Partner

If auditors have performed their due diligence in instructing management about the form and function of CSA and learning enough about the department, the workshop should be a natural next step. Workshops at Metro usually include 10 to 15 participants and last four to six hours. Although volumes could be — and have been — written about techniques designed to help CSA practitioners lead meetings more effectively, a few strategies have assisted auditors at Metro:

  • Adapt to the client's needs. At Metro, the auditors go out of their way to communicate that the client's needs take precedence over the auditor's. To this end, auditors frequently perform the workshops on the department's turf, work around their schedules, and mirror their dress. Going into their environment, in most cases, affords a more comfortable experience for participants. Similarly, working around their schedules goes a long way in communicating respect for their time. For example, if the employees targeted for a particular session were working the graveyard shift, the Metro auditors would go in during their hours of operation. In addition, if the work attire on that shift is more casual, the auditors wouldn't go in sporting a suit and tie.
  • Explain the purpose, agenda, and outcome of the workshop. It is important to explain at the beginning of the workshop a few basics about CSA, how it coordinates with traditional audit work, how it will be reported, and what attendees stand to gain from the experience. The facilitator should take special care to define the purpose for the meeting as succinctly and clearly as possible, avoiding "auditor speak" or other technical jargon that could give the impression that he/she stands lofty and aloof from the employees. If employees understand why they are there and how they will benefit from the activity, they are more apt to lend their support and cooperation.
  • Assess where participants stand on an issue early on. A popular tool for obtaining a consensus on where individuals stand on the issues under investigation at Metro is electronic voting technology. The advantage of this tool is that it is an efficient way to gather data, while still allowing participants to remain anonymous. These systems enable the group's perceptions to be mapped, revealing where there is agreement or disagreement, as well as permitting a comparison of perspectives among different sub-groups (e.g., senior management versus department heads). However, if this voting technology is not available, the auditor can hand out short questionnaires and have an assistant compile the responses or — if the atmosphere is conducive to open discussion — throw ice-breaking, evaluative questions out to the group early on.
  • Encourage brainstorming among participants. Because the employees are the evaluators of risk and controls in CSA, auditors must equip them to identify risks (see sidebar), rank the severity of the risks, determine which risks can be controlled, identify current and potential controls, rate the effectiveness of those controls, and prepare an action plan if current controls are not optimal.

Sidebar: Questions That Help Participants Identify Risks

For each of the department’s objectives, risks should be identified. Some good questions to ask participants to help identify risks are:
  • Where is the department most vulnerable?
  • How could the department fail?
  • What must it do to succeed?
  • How is the department’s morale?
  • How could someone steal from the department?
  • How could someone disrupt its operations?
  • What does success look like?
  • How is superior service rewarded?
  • What information does the department most rely on?
  • What decisions require the most oversight?
  • How accessible and understandable are its manuals?
  • What protection is in place to protect employees from abuse?

From Experimentation to Legacy

It's one thing to drill into managers' minds that they are responsible for their organization's risk management; it's quite another to actually empower management for the task. Therein lies the exceptional value of CSA over the rote exercise of many traditional audit practices. The collaboration that CSA naturally lends itself to provides internal audit shops with powerful opportunities to add value to the organization, while helping management stay on course with the mission and objectives it has charted. CSA's contribution to the assessment of internal controls promotes greater effectiveness and efficiency in operations, reduces the risk of asset loss, and helps ensure compliance with the amalgam of governing laws, regulations, and policies unique to their company.

As auditors learn the art of knowing when to teach, when to learn, and when to partner with management in facilitating a dynamic self-assessment, they will find their audit department grow in both its influence and visibility. At Metro, our former workshop participants are frequently CSA's greatest sales associates. They spread the word and enthusiastically share with others how CSA has helped them find achievable solutions to their department's challenges. When employees become raving fans, the audit shop can know it's well on its way to leaving a legacy of empowerment behind.


Barbara Jackson Williams is the control self-assessment program manager at the Washington Metropolitan Area Transit Authority. She previously served as assistant inspector general for the District of Columbia. Williams has participated as a speaker in various state and local government seminars and IIA conferences and has provided internal control training for several nonprofit organizations. She is a member of The IIA's Washington D.C. chapter.



Compliance Overload Drives Interest in ERM


Regulatory scrutiny and mounting compliance costs are motivating some business leaders to consider whether ERM can reduce compliance costs over time, improve operational performance, enhance corporate governance, and deliver greater shareholder value.


By Rick Julien, CIA, CPA, and Larry Rieger, CPA
Crowe Chizek and Co. LLC

Enterprise risk management (ERM) has been widely discussed by organizations' management, boards, and auditors for more than a decade, but implementation has been embraced sporadically, at best. In the past 10 years, corporate interest in ERM was often driven by intellectual curiosity or internal audit experimentation. Many corporations now realize ERM provides a solid foundation upon which they can enhance corporate governance and deliver greater shareholder value. Few attempts at implementation, however, have come close to fully achieving these objectives.

Many organizations that launched ERM initiatives began by assessing and roughly quantifying risks across their enterprises. Unfortunately, most of these earlier efforts did not progress to aggregating risks, creating formal strategies, or implementing plans to address the risks. Even fewer went on to develop frameworks to test for risk or take corrective action. However, now that publicly held companies in the United States must comply with heightened corporate governance legislation, some business executives have begun to push their organizations to solve problems and derive greater value from the substantial investments in compliance and control activities.

The more visionary corporations understand that ERM is a logical and strategic step to reducing total compliance costs over time. By focusing on the hindrances that hamstring a company's ability to achieve its business objectives, ERM provides a framework for managing risks to improve performance. It, therefore, serves as an essential building block to strengthen corporate governance and deliver greater shareholder value.

TRENDS

Interest in ERM has built slowly since the mid-1990s, when the Economist Intelligence Unit — a business research and advisory firm — created its extensive ERM framework. After the new millennium ushered in a wave of corporate scandals and large-scale business failures, the U.S. Sarbanes-Oxley Act of 2002 was enacted to improve the accuracy of financial reporting, strengthen internal accounting and reporting controls, and upgrade corporate governance. More importantly, although Sarbanes-Oxley did not mandate ERM, it validated its value and elevated its prominence in business planning.

Section 404 of Sarbanes-Oxley requires that companies use a suitable, recognized control framework for evaluating the effectiveness of internal controls. Currently, most U.S. companies use the internal control framework developed by The Committee of Sponsoring Organizations of the Treadway Commission (COSO). Although COSO's model has been around for the past 15 years, it has only recently become more than a buzzword in boardrooms.

The COSO internal control model (Figure 1) is drawn as a cube. Its front face has five rows, one per component: Monitoring, Information and Communication, Control Activities, Risk Assessment, and Control Environment. Its top face has three columns, one per objective category: Operations, Financial Reporting, and Compliance. Its side face slices the entity into its units and activities, so that every component can be considered for every objective at every level of the organization.


Figure 1: COSO Internal Control Framework

The COSO ERM cube (Figure 2) adds a fourth objective category, Strategic, to the three on the top face of the internal control cube. It also expands the five components to eight: Objective Setting and Event Identification are inserted between the (renamed) Internal Environment and Risk Assessment, and Risk Response is inserted between Risk Assessment and Control Activities.


Figure 2: COSO ERM Framework

NOT A QUICK FIX

The COSO cube is not a simple concept to grasp or implement. The problem for new ERM recruits becomes the perceived lack of a common point of focus and understanding about the different compliance costs and their interrelationships. All of the components, rows, and columns seem equally important. Where does an organization start? How does the process flow? Because the ERM framework adds more rows and columns, even more puzzling questions naturally arise.

Coming up with a plan for how ERM will be kneaded into an organization's processes can be as daunting as creating a visual model. However, both of these steps are critical in the initial stages of ERM delivery. A comprehensive management approach that covers the entire organization's ERM strategy is not a quick fix and cannot be just another item on management's checklist. Just as quality must be assured at each step in manufacturing an excellent automobile, risk management must be intrinsically woven into each business process in order for ERM to add value.

Similarly, just as automobile manufacturers realize it is not cost-efficient to inspect their products at the end of the line and then recall, repair, and reinspect them, shrewd companies understand it is not prudent to treat risk management as an afterthought — considered at the end of each quarter or, worse, each year. Risk management, like manufacturing quality, must be built into everyday business processes.

EVOLUTION OF ERM

Organizations often experience an evolutionary process as they progress along their ERM journey. This process consists of five levels:

  • Level One: basic compliance with governing regulations using checklists
  • Level Two: control focus in which a set of internal audit checklists act as oversight for various departments
  • Level Three: process approach to risk management that breaks through a narrow silo view of risk and encourages activity mapping across departments
  • Level Four: a common risk language and prioritization of internal audit and compliance efforts based on risk
  • Level Five: holistic approach to risk that ties risk review to strategy and builds risk management into daily business processes

Many organizations plateau at Level Three because Sarbanes-Oxley doesn't mandate greater scrutiny over operational or legal-compliance controls. The focus of Section 404 is narrow and confined to internal controls over financial reporting. Even though Sarbanes-Oxley does not require firms to do more, risk-savvy firms are turning their attention more and more to the business processes that support the financials and are using this knowledge to improve many of their risk-management initiatives. Level Five, of course, represents an entitywide, fully mature integration of ERM.

STRATEGIC VALUE

Every company sits at a different position along the curve moving upward toward Level Five. Few firms have reached this pinnacle level of implementation. Even so, all companies complying with Section 404 should begin to consider going beyond simple compliance to answer the question, "How do we turn compliance costs into a competitive advantage?" Companies that plan strategically can leverage the required Sarbanes-Oxley compliance costs to become stronger competitively.

Consider a simple example in which ERM is applied to corporate governance: the systems and processes an organization uses to protect the interests of its diverse shareholders. The ideal form of corporate governance addresses the needs of all stakeholders — shareholders, employees, customers, lenders, vendors, and the community — because all share a common interest in the successful perpetuation of the entity. Astute business leaders recognize that satisfying stakeholders' interests is vital to sustaining the organization in the long run and enabling it to prosper over time.

ERM enters the picture because good corporate governance requires judicious risk-taking, which would include:

  • Establishing the proper infrastructure to identify, source, and measure risks using common risk frameworks.
  • Monitoring risks with the right processes.
  • Ensuring management has a comprehensive understanding of how to manage those risks.
  • Learning to take intelligent risk because without risk, there is no reward.

Many companies are still doing the minimum to manage the additional costs of compliance mandated by Sarbanes-Oxley. However, by thinking strategically about risk management and managing their overall costs of compliance, company leaders can maximize the value of their compliance investments. Initiatives to implement ERM and strengthen corporate governance help set the tone at the top in organizations — one that is frequently reflected in the bottom line.


Rick Julien, CIA, CPA, and Lawrence A. Rieger, CPA, are executives in Crowe Chizek and Company LLC’s corporate governance and internal auditing practice, based in Oak Brook, Ill.
Julien has more than 25 years' experience in operational and information technology auditing, working with the Arthur Andersen accounting firm and as internal audit manager for Carolina Power and Light. Julien, who currently works with clients on Sarbanes-Oxley requirements, has authored several articles and has spoken at conferences on corporate governance, Sarbanes-Oxley requirements, strategic outsourcing, and internal audit benchmarking and best practices.
Rieger has more than 30 years of public accounting experience, working primarily with the financial markets, energy, telecommunications, and manufacturing industries. Formerly the head of internal audit services at Arthur Andersen, Rieger has led internal audit projects for both start-up and Fortune 500 companies. He is an active member, and a former member of the board of governors, of The IIA's Detroit chapter.

 




Q&A with Dave Harmon


What role could CSA play in helping audit shops prepare for a quality assessment?


By Dave Harmon, CIA, CCSA, CISA, CPA
Director of Financial Management Programs 
University of California

All audit shops that have been in existence since Jan. 1, 2002 — and wish to include "conducted in accordance with the International Standards for the Professional Practice of Internal Auditing" on their audit reports — face a deadline of Jan. 1, 2007, to prove that they practice what they preach. A requirement of The IIA's International Standards for the Professional Practice of Internal Auditing (Standards), quality assessments (QAs) are performed to provide assurance that an organization's internal audit activity is in conformity with The IIA's Standards and the Code of Ethics. Put in simple terms, a QA is a tool by which the auditors get audited.

Standard 1300: Quality Assurance and Improvement Program mandates that chief audit executives (CAEs) develop and maintain a quality assurance and improvement program that includes internal self-assessments and an external QA that must be performed every five years. The Jan. 1 deadline has left many audit departments scrambling to perform the required internal assessments in preparation for their QA. Because of the self-assessment nature of the preparation required, CAEs could take advantage of control self-assessment (CSA) tools, such as questionnaires and facilitated workshops, to query staff and clients to find out how the internal audit activity's charter, goals, objectives, policies, and procedures could be improved to add more value to the organizations they serve.

Dissecting the Standards

Some of the distinctions between the types of assessments required by the Standards get a little confusing, so let me break them down. First of all, in the language of the Standards and practice advisories, "internal assessment," "internal review," and "self-assessment" are all synonymous and are used interchangeably. Having clarified that, Standard 1311: Internal Assessments requires audit shops to perform both ongoing and periodic reviews — or self-assessments — of all of their audit activities.

The ongoing internal assessments should be incorporated into the routine policies and practices used to manage the internal audit activity. Intended to ensure that the CAE covers the entire spectrum of audit and consulting work performed by the audit function, ongoing assessments are conducted through checklists of procedures followed in an audit; feedback from audit customers and other stakeholders; and analyses of performance metrics, such as project budgets, cycle times, and cost-recovery systems.

Periodic self-assessments represent nonroutine, special-purpose reviews, and compliance testing. This evaluation is designed to assess an activity's compliance with the charter, Standards, and Code of Ethics, as well as its effectiveness in meeting the needs of its various stakeholders. CSA methodology is a natural fit for this type of activity.

CSA Tools of Choice

There are a number of CSA tools that could be used to perform the internal assessments, but there are three I would recommend most:

  • CAE questionnaire: This questionnaire is completed by the CAE and is intended to give an assessment of the real nuts and bolts of how the audit function is being managed. At minimum, the questionnaire should include inquiries about board and management oversight, charter objectives, engagement planning, the audit environment, staff training, and quality/process improvement.
  • Customer questionnaires: Questionnaires could be sent to customers to ask for their feedback in assessing how well the internal audit shop is meeting their needs. Survey questions might address the audit shop's quality of communication, organization, adherence to engagement schedules, reports, follow up, and training — to name a few.
  • Staff questionnaires/facilitated workshops: Depending on the audit department's budget, timeframe, and experience with CSA, either questionnaires or workshops could be used to assess compliance with the Standards, division of responsibilities, areas targeted for process improvement, audit risks, technology, training, rotation of auditors, and preparation strategies for the QA.

One benefit of evaluating the CAE, along with the staff and customers, is it provides an opportunity to find out if others' perspectives match the CAE's perception of reality. If there is a significant gap in perceptions among any of the target groups involved, those inconsistencies should be documented and investigated. Furthermore, if questionnaires were used exclusively to reveal problem areas, audit shops could choose to follow up with facilitated workshops to gain collective feedback in an interactive forum.

Caveat

Although CSA can be an effective way for audit organizations to prepare for a QA, questionnaires and facilitated workshops shouldn't be the only methods CAEs use to measure their operations against the Standards. The IIA's Quality Center offers a Quality Assessment Manual that clearly lays out the criteria used in a QA. The manual also offers guidance and best practices on how to set up a quality assurance and improvement program, which is the best step a CAE could take to prepare for a QA.


David Harmon, CCSA, CIA, CISA, CPA, is director of financial management programs at UCLA in Los Angeles. Harmon helped develop a CSA program in his former position at Fannie Mae, instructs several IIA courses on CSA, and contributed to the questions in The IIA's CCSA exam.



CSA: A Means to an End


A consulting firm in Canada is using CSA to convince management of the importance of the ERM investment. Your company can too.


By Éric Lavoie, CIA, CCSA, CA
Partner, Lemieux Nolet Consulting
Risk Management and Performance


Canadian-based consulting firm Lemieux Nolet has been helping companies get a handle on their enterprisewide risk through the innovative use of CSA since 2000. As the firm built its clientele, the consultants quickly learned the importance of having everyone throughout the organization — especially managers — take ownership of the risk-management process in their daily jobs. Selling enterprise risk management (ERM) through the use of CSA tools like facilitated workshops and questionnaires has enabled clients to implement controls commensurate to their unique risks.

Lemieux Nolet started using CSA to persuade management to see the virtues of cutting across the “silos” of individual business units to evaluate their organization’s risks. Often commissioned by the internal audit department rather than upper management, Lemieux Nolet’s consultants know that the first — and most important — step in the ERM process is to get the company’s top executives on board. This can be a difficult sell. We have found management is often reluctant to invest in ERM unless compelled by peer pressure or governance requirements. So we often start by performing CSA workshops at the strategic level and then watch management sell it on down the chain of command. Once management has gone through the process and seen the value at the strategic level, they are more likely to allocate resources to the program.

BREAKING DOWN THE PROCESS

Although the CSA process is anything but simple, keeping it organized — by following a few key guiding principles — has helped Lemieux Nolet consultants build their clientele into the success it is today.

Determine the scope.
Knowing what you’re analyzing is a critical aspect of planning the CSA workshop. To get the most out of a CSA, we often focus on the company’s individual processes rather than its business units. Although analyzing a process can be more complex, because participants often come from several business units, processes supply more information than individual units. Many companies Lemieux Nolet has worked with have found that using a process view for the risk assessment provides a more complete risk identification and a better CSA, because controls can appear at any point in the process. For example, we have recently been working on the planning, allocation, and management of financial resources in a government department. To reconstruct the process universe, we involved people from the central head office and people at several levels in different divisions: managers, professionals, and administrative workers. It is not necessary or feasible to involve all of the employees who work in a particular process, but we do target employees from different business units to get a better view of where trouble areas might exist. The quality of the participants, not the quantity, is what matters.

Determine the manager’s role.
Once you’ve decided on the scope, it’s important to establish the manager’s role. If you have chosen the process approach, you might have more than one manager involved. If a manager decides to attend the workshop, ask whether he or she will act as an observer or as a participant. We explain to managers that other participants might be more inhibited in their presence, and together we agree on a backup plan in case that happens. If the manager(s) choose not to attend, the CSA facilitator circles back to them with the workshop results.

Choose participants carefully.
The workshop’s success depends on the attendees. Consult with the manager to determine who should be selected to participate in the CSA. You’ll want to ensure that every facet of the process or business unit is represented. We usually limit our workshops to 10 to 15 participants, and we generally use a U-shaped table. Placing participants in succession around a table like that enables the facilitator to go around the table one-by-one to solicit feedback. This technique is especially effective early on in the workshop or when working with participants who are less inclined to speak up.

Lemieux Nolet consultants occasionally suggest splitting the group into two — one with managers and another with the staff — right from the planning stage to give any staff members who may feel intimidated an opportunity to speak freely. The outcome of both sessions would then be combined and the final results given to management.

If management decides to group everyone together at the workshop, there are a number of techniques facilitators can use to draw everyone into the discussion.

  • Specify clearly at the beginning of the workshop that the participants have been selected because they all have something to bring to the workshop.
  • Ask people to introduce themselves at the beginning of the workshop to encourage them to speak during the workshop.
  • Hold a brainstorming session once participants have introduced themselves and are feeling more comfortable. Ask everyone to provide one example of a risk, so everyone gets a chance to be heard.
  • Get a consensus on where participants stand on an issue through the use of anonymous voting technology. Good voting technology can evaluate where sub-groups within the workshop (e.g., managers, professionals, and administrative staff) stand on particular issues. In addition to allowing participants to rate risks and controls under the cloak of anonymity, it also highlights the different points of view among members of sub-groups. At the end of the workshop, the facilitator can look at the risk profile of each sub-group, as well as the whole group.
  • For the really tough cases, where participants are hesitant to speak candidly, consider adding a separate mini-workshop to get their input or distribute a questionnaire they can fill out. If you choose to distribute a questionnaire, meet with those people afterwards to go over the results.

Provide materials in advance.
At Lemieux Nolet, we prepare kits for the participants and send them out early enough that they have sufficient time to read them and start thinking about the process before the workshop. If you have the luxury of doing two workshops — one to assess the company’s risks and another to evaluate its controls — you’ll need to send out a kit for each workshop. The kit for the first workshop should include a description of the process, an explanation of risk concepts, a risk model, tools for risk identification, and possibly a preliminary list of risks. The kit for the second workshop should summarize what was done in the first workshop, help participants begin assessing the extent to which the risks are mastered (the residual risk), and introduce the basic risk management choices and techniques.

BEFORE, DURING, AND AFTER: EVALUATING RISKS AND CONTROLS

Planning is a key element throughout the CSA process. The more we do on the front end, the smoother the facilitated workgroup tends to go. With the aim of coming away from the CSA with a clear risk profile in hand, here are some steps we would recommend:

  • During the planning stages, define the scope and indicate what participants will be evaluating before they get to the session. We use the toolkit or pre-session interviews for this purpose.
  • Brainstorm with the group to identify the risks, using flip charts to capture ideas. Allowing everyone to see all the ideas at the same time is a very effective tool. One creative tool we’ve discovered recently is a flip chart that is in the form of a giant Post-it note pad. After taking copious notes, we can just pull the paper off and stick it to the wall — with no damage to the wall or hassling with tape. Being able to see the notes in front of them keeps the process moving along efficiently.
  • Create a risk profile once the risks have been identified by measuring them in terms of impact and likelihood. Lemieux Nolet uses simple assessment scales such as small, medium, high, and very high to rate both dimensions. Companies we have worked with have found using a scale with an even number of choices — to prevent people from choosing the middle, or “neutral” — is a great way to make participants take a stand on issues.
  • In between the two workshops, inventory the controls and link them to the risks. The result is a risk-control matrix, a chart with two columns — risks on the left and controls on the right — in which each existing control is listed and linked to the risk(s) it addresses.

Use the risk-control matrix to assess how well each risk is mastered, that is, the effectiveness of the controls over each risk. Look at the control portfolio currently in place to judge whether the controls are appropriate, insufficient, or even excessive. Because the risk levels have been measured in terms of impact and likelihood, the aim is a good balance between the level of each risk and the intensity of the controls over it. Use the following scale to rate both the effectiveness and the efficiency of controls:

1: Very low
2: Low
3: Appropriate (the coverage of the risk is effective and sufficient)
4: Superior (too many controls)
5: Excessive (way too many controls)

If you have too many controls, determine which ones are most cost-effective and do away with the controls that are costing your company more money than they are worth.
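The risk profile and risk-control matrix described above can be made concrete in a few lines of code. The following is an added illustration, not code from the article or from Lemieux Nolet: it rates risks on an even-numbered impact/likelihood scale, links controls to risks in a two-column matrix, and maps the resulting control intensity onto the article's 1-to-5 coverage scale so that under- and over-controlled risks stand out. The risk and control names, the per-control strength rating and the intensity thresholds are all constructed assumptions for the example.

```python
"""Added example: risk profile, risk-control matrix and coverage rating.

Data and thresholds below are constructed for illustration (assumptions).
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Even-numbered assessment scale (no neutral middle value), as the article recommends.
SCALE = {"small": 1, "medium": 2, "high": 3, "very high": 4}

# Control coverage scale from the article: 1 very low ... 5 excessive.
COVERAGE = {1: "Very low", 2: "Low", 3: "Appropriate", 4: "Superior", 5: "Excessive"}


@dataclass
class Risk:
    name: str
    impact: str
    likelihood: str

    def level(self) -> int:
        """Risk level = impact x likelihood on the 4-point scale (range 1..16)."""
        return SCALE[self.impact] * SCALE[self.likelihood]


@dataclass
class Control:
    name: str
    covers: List[str]   # names of the risks this control is linked to
    strength: int = 1   # 1 weak, 2 moderate, 3 strong (assumed rating, not from the article)


def target_intensity(level: int) -> int:
    """Control intensity a risk of this level calls for (example thresholds, assumed)."""
    if level <= 2:
        return 1
    if level <= 6:
        return 2
    if level <= 12:
        return 3
    return 4


def build_matrix(risks: List[Risk], controls: List[Control]) -> Dict[str, List[Control]]:
    """Two-column risk-control matrix: risk name -> controls linked to that risk."""
    matrix: Dict[str, List[Control]] = {r.name: [] for r in risks}
    for c in controls:
        for rname in c.covers:
            if rname not in matrix:
                raise ValueError(f"control {c.name!r} references unknown risk {rname!r}")
            matrix[rname].append(c)
    return matrix


def coverage_rating(risk: Risk, linked: List[Control]) -> int:
    """Compare control intensity with the risk level and return the 1..5 coverage rating."""
    intensity = sum(c.strength for c in linked)
    target = target_intensity(risk.level())
    if intensity == 0:
        return 1            # Very low: risk has no control at all
    if intensity < target:
        return 2            # Low: insufficient coverage
    if intensity == target:
        return 3            # Appropriate: effective and sufficient
    if intensity == target + 1:
        return 4            # Superior: somewhat too many controls
    return 5                # Excessive: far more control than the risk warrants


def assess(risks: List[Risk], controls: List[Control]) -> Dict[str, Tuple[int, int]]:
    """Return risk name -> (risk level, coverage rating) for the whole portfolio."""
    matrix = build_matrix(risks, controls)
    return {r.name: (r.level(), coverage_rating(r, matrix[r.name])) for r in risks}


def report(results: Dict[str, Tuple[int, int]]) -> List[str]:
    """Human-readable lines, highest risk level first."""
    ordered = sorted(results.items(), key=lambda kv: -kv[1][0])
    return [f"{name:<25} level={level:>2}  coverage={rating} ({COVERAGE[rating]})"
            for name, (level, rating) in ordered]


# Constructed sample data for a financial-resources process (not real client data).
SAMPLE_RISKS = [
    Risk("Budget overrun", "high", "medium"),
    Risk("Unauthorized commitment", "very high", "medium"),
    Risk("Duplicate payment", "small", "medium"),
    Risk("Late reporting", "medium", "high"),
]
SAMPLE_CONTROLS = [
    Control("Monthly variance review", ["Budget overrun"], strength=2),
    Control("Dual approval", ["Duplicate payment"], strength=2),
    Control("Vendor master review", ["Duplicate payment"], strength=1),
    Control("Automated duplicate check", ["Duplicate payment"], strength=2),
    Control("Reporting calendar", ["Late reporting"], strength=3),
]

if __name__ == "__main__":
    print("\n".join(report(assess(SAMPLE_RISKS, SAMPLE_CONTROLS))))
```

With the sample data, the unmitigated "Unauthorized commitment" risk is rated Very low on coverage while "Duplicate payment" is rated Excessive, which is exactly the imbalance the article says to look for before deciding which controls to add and which to retire.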

Implementing a CSA can be quite difficult, but Lemieux Nolet has found these tools to be immensely helpful in improving its clients’ knowledge of their risks and controls. A successful CSA can help you effectively solve the challenges your company faces.


Lemieux Nolet is a professional services firm operating five offices in Quebec City. In addition to traditional accounting, certification and tax services, Lemieux Nolet provides consulting services in risk management, control, governance, performance improvement and internal auditing. As partner in charge of Lemieux Nolet's consulting practice, Éric Lavoie has been using a participative and CSA approach to deliver value to its clients since 1994 and, focusing on ERM, since 2000.



According to Mike

Looking Into the Crystal Ball


By Michael Pidzamecky, CMA, CFE
Director, ERM and Compliance Services
Resolver

I usually prefer writing with a smile, but last year held more challenges than laughter for much of the world, as well as for me personally. Always the optimist, however, I dust off my fortune-teller's turban and gaze into my crystal ball — otherwise known as my goldfish bowl — to see what lies ahead for control self-assessment in 2006.

First to appear through the mist is a busy year for the U.S. justice system. In 2006, more executives of U.S. companies will be accused of fraudulent activity and face possible prosecution. They will most likely try to stave off convictions with claims that they did not know — or were not told — about the illegal activity of their subordinates. As the mist further clears in my crystal ball, I am shocked to see the foreperson of a jury declare each corporate defendant "not guilty." Although some will say they were truly ignorant of how their employees, management teams, and operation systems were malfunctioning, others will be getting away with unadulterated malfeasance. The IIA's 2005 Risk and Control Conference highlighted this prevalent scenario and focused on some of the more common chinks in companies' armor.

In two separate sessions, organizations at the conference revealed that one of the most surprising risks uncovered through their risk-assessment workshops was a lack of strategic oversight over contract commitment. Not factoring contracts into the company's strategy poses the question: Do you really know what contracts your staff and management have committed your company to and how they may affect your future finances and/or operations? According to the conference speakers, senior executives often had no idea what commitments were being made by their departments. In one case, it was discovered that a company's subsidiary entered into a contract that was deemed unacceptable to its corporate office. The entire operation was shut down the day after the assessment because risks resulting from the venture would have gravely impaired the stability of the company.

When the mist is gone, I can see that the executives on trial really did not have any idea about the misdeeds of those for whom they are responsible. They are truly ignorant of important operational facts — facts that could have been disclosed if a proper and well-functioning ERM program had been in place. Consequently, I see them paying a heavy fine for their lack of knowledge … wait … no, I see them losing their jobs … uh, oh — the crystal ball never lies — I see them going to jail!

So for those of you out there who don't want to be the next newspaper headline, I suggest you start thinking about ERM and, in particular, how you can inform your executive team of risks they should be aware of before it's too late.

Show Them the Way and They Will Come

As the guilty executives are clouded from my view, the haze parts on another vision of the future: IIA leaders at the 2006 Risk and Control Conference making presentations about how The IIA uses CSA and ERM programs internally. Okay, so maybe I'm pushing an agenda here.

In my new role of providing ERM and compliance consulting services, I have met with executives from many organizations. Our discussions have centered on the development and implementation of CSA and ERM programs to meet not only the requirements of the U.S. Sarbanes-Oxley Act of 2002 and other regulations around the world, but also new stakeholder demands for better overall, enterprisewide internal control and risk management.

However, the dilemma is no one really wants to be the leader. I can understand this phenomenon, given the fact that the first round of Sarbanes-Oxley compliance was an onerous and expensive undertaking because of a lack of standardized guidance and practice. Although many can visualize the output — tantamount to a paper version of Mount Everest — and are cognizant of the resources necessary to implement Sarbanes-Oxley mandates, they really don't comprehend the benefits their organizations have derived from these new practices — or even know if they are carrying them out effectively.

The same problem is happening with CSA and ERM. People understand what they are about, and they have some awareness of the potential benefits. However, they are hesitant about stepping into it because there is no shining, standardized public example that could serve as a benchmark. They do not want to waste money and time; they want it to be right the first time.

I'd like to see The IIA take up the challenge and use its research and education resources to implement within the organization a program of CSA and ERM — a program that will demonstrate to members and their organizations that The IIA is applying the very measures it counsels other organizations to adopt. If The IIA leads the way through practical application, I believe CSA and ERM will be more readily accepted and put into practice by the outside world.

The Must-have in 2006

The last thing I see in my crystal ball is the push toward elevating ethics on a personal and organizational level. In past columns I have written about some of the reasons for the great financial debacles of the last few years. They resulted from root rot that penetrated deeper than a mere lack of internal controls. The paucity of sound ethics created a toxic environment in which internal controls could be circumvented. With the establishment of Sarbanes-Oxley and sundry compliance programs, the vast majority of organizations have implemented codes of conduct and ethics hotlines — also known as whistleblower programs.

All of these programs are important, but they are only tools. The real need is to develop training and self-assessment programs specific to ethics so that these tools can be effectively assimilated into an organization's corporate culture. We need to train people to understand what ethics is, how it affects individuals and organizations, how to determine when the "ethical line" has been crossed, and how to rectify breaches.

I see 2006 as the year that starts the adoption of CSA and ERM as the primary foundations for good business practices throughout all organizations. Let's hope I am not wrong. I wish all of you a very prosperous and healthy year.


Michael Pidzamecky, CMA, CFE, is an independent consultant providing internal audit, enterprise risk management, and compliance solutions. He is currently under contract with Resolver Inc. as director of ERM and compliance services. Pidzamecky has developed several self-assessment approaches, presented sessions for IIA courses and conferences, and has written questions for the Certified Control Self-assessment exam.



Center News

Register for the CCSA Exam

The Certification in Control Self-assessment (CCSA) lays the groundwork for control self-assessment practice and demonstrates a practitioner's training, experience, and competence in CSA. The exam, which is offered in more than 85 countries, is scheduled for May 18, with a March 31 application deadline. The IIA is also offering special exam venues on March 18 at The IIA's General Audit Management Conference in Palm Springs, Calif. — with a March 1 application deadline — as well as at The IIA's International Conference in Houston, June 18, with a June 1 registration deadline. 

For additional information or to register for the exam, visit The IIA's CCSA Web site, http://www.theiia.org/?doc_id=30, or click "Certification" and "CCSA" from The IIA's home page, www.theiia.org. Interested candidates can also contact The IIA's Customer Service Center at custserv@theiia.org or +1-407-937-1111.

For information on the IIA Research Foundation's CCSA Study Guide — authored by James K. Kincaid, William J. Sampias, and Albert J. Marcella — visit The IIA's Web site, www.theiia.org/iia/bookstore.cfm?fuseaction=product_detail&order_num=495.

Plan to attend the 2006 Risk and Control Conference

Be sure to mark your calendar for The IIA's 2006 Risk and Control Conference, held August 21–23 at The Breakers in Palm Beach, Fla. Attendees will learn how to improve their ability to add value and help improve their organization's risk-management and control processes, take advantage of networking opportunities to share ideas and best practices, and discuss the current challenges facing their industries.

For conference details and registration, visit The IIA's Web site, http://www.theiia.org/training/conf/index.cfm?e_code=RISK0806.


Quick Tips

Managing Change is Critical to Effective Leadership

Want to make your CSA run more efficiently and effectively? Here are some "quick tips" from experienced professionals that can help you hit the ground running to avoid mistakes on your next CSA.


John C. Bruckman, PhD
Managing Director
Change Management Group
Scotts Valley, Calif.  

Managing change is a critical element of any leadership function. The successful CSA facilitator should be able to effectively address and reduce the fear of change that naturally exists in the work group. The following techniques will help implement a more effective change process within a CSA facilitated workshop:

Set the Example

Words and actions must be consistent for credibility. Employees will generally take their cues from the senior staff members' behavior, despite all declarations of intent. The facilitator should ensure that senior managers follow up on the recommendations resulting from the workshop. Most employees quickly "burn out" on changes that are announced on a regular basis but are not consistently reinforced over a period of time.

Consider the Group's Perspective

A clear understanding of what drives the group is necessary before introducing new elements into the mix. When attempting to gain a group's support for needed change, the greatest leverage lies in discovering what self-interest they have in maintaining the status quo and what would motivate them to effect change. When CSA facilitators approach groups from the participants' perspective and understand what they might have to lose, they will be able to intervene in ways that avoid triggering individual defense mechanisms, thereby preserving open discussions and feedback.

Build Trust

Leadership integrity is an important variable in the successful completion of a change process. If the doors of change are not open, the intervention process must concentrate on team-building, trust-building, and open and honest communication prior to the introduction of change. If the CSA facilitator can lower the work group's fear levels, he or she can open the doors to change, as well as concentrate on methodologies that will keep them open. Authentic participation in the change process, with opportunities to raise issues of concern, will help keep a group open to the possibility of change.

Be Willing to Compromise

If management or a facilitator focuses on a predetermined outcome and displays unwillingness to compromise, the possibility of work group support is minimized. Employees are much more likely to support a new set of ideas that they have had a key role in shaping.

Allow Group Ownership

Ownership of the proposal for change is instrumental to a successful change process. If a senior manager generates most of the ideas, the facilitator should construct a process that allows the group members to take and make the ideas their own.


John C. Bruckman, PhD, is managing director of the Change Management Group, based in California. During the last 33 years, Bruckman has consulted on change-management processes with more than 300 organizations in the United States, South America, Europe, Asia, and Africa.



Calendar

February

Adding Value Using Risk-based Auditing
February 27–March 1; San Diego, Calif.

Evaluating Internal Controls: A COSO-based Approach
February 27–March 1; San Diego, Calif.

March

Enterprise Risk Management: What's New? What's Next?
March 6–8; Las Vegas, Nev.
March 27–29; Lake Buena Vista (Orlando), Fla. 

Enterprise Risk Management: Process Improvement Workshop
March 7–8; Las Vegas, Nev.

Value-added Business Controls: The Right Way to Manage Risk
March 8–10; Las Vegas, Nev.

Evaluating Internal Controls: A COSO-based Approach
March 27–29; Lake Buena Vista (Orlando), Fla.

April

Adding Value Using Risk-based Auditing
April 10–12; Baltimore, Md.

Corporate Governance: Strategies for Internal Audit
April 12–14; Baltimore, Md.

Evaluating Internal Controls: A COSO-based Approach
April 12–14; Baltimore, Md.

May

Enterprise Risk Management: What's New? What's Next?
May 1–3; San Francisco, Calif.
May 10–12; Chicago, Ill.
May 22–24; Lake Buena Vista (Orlando), Fla.   

Introduction to Control Self-assessment
May 1–3; San Francisco, Calif.

Value-added Business Controls: The Right Way to Manage Risk
May 1–3; San Francisco, Calif.

Evaluating Internal Controls: A COSO-based Approach
May 3–5; San Francisco, Calif.
May 22–24; Lake Buena Vista (Orlando), Fla.

Facilitating Results Using CSA
May 3–5; San Francisco, Calif.

To add your CSA course, seminar, conference, or event to the calendar, please forward all pertinent information to Editor Annie Cushing via e-mail at acushing@theiia.org, or fax +1-407-830-4832.
