CSA Sentinel

CSA Sentinel – CSA Center membership required for access.

Welcome to CSA Sentinel, The IIA's quarterly publication for control-self assessment (CSA) professionals. A benefit of membership in The IIA’s CSA Center, this newsletter features articles on the latest thinking in CSA and risk, interviews, a question-and-answer profile section, practical "how-to" advice, research, and news with the latest development updates. If you would like to learn more about becoming a CSA member, click here.

In This Issue

This issue's articles include:

Control Self-assessment: Defeating the "Killer Bees to Group Dynamics"
Learn how to conduct a productive and successful control self-assessment by avoiding and defeating five common issues — the "Killer Bees to Group Dynamics" — that can ruin even the most well planned CSA workshop.

CSA 101: Basics for the Newcomer
The world of CSA can be daunting to new auditors or CSA practitioners. Discover the answers to several questions newcomers often ask.

Q&A with Dave Harmon
ERM and Sarbanes-Oxley seem most applicable to for-profit organizations rather than fitting the culture of nonprofit organizations. Isn’t it unrealistic for nonprofits to adopt these practices? Isn't it all just "window dressing"?

According to Mike
Control Self-assessment: A Retrospective

Center News
Register for the CCSA exam and plan to attend the 2006 Risk and Control Conference in Palm Beach, Fla.

Quick Tips: Evaluating Soft Controls
Need help evaluating soft controls? Answering a few questions can help with your evaluation.

Calendar
A calendar of upcoming IIA risk and control training events.

Control Self-assessment: Defeating the "Killer Bees to Group Dynamics"

Learn how to conduct a productive and successful control self-assessment by avoiding and defeating five common issues — the "Killer Bees to Group Dynamics" — that can ruin even the most well planned CSA workshop.

PETER HUGHES, Ph.D., CIA, CPA, CITP
DIRECTOR OF ORANGE COUNTY, CALIF.

During control self-assessment (CSA) workshops, issues often surface that must be addressed before a group's energies and insights can be harnessed. Like a swarm of killer bees, these issues can attack and be fatal to your workshop. The five such "Killer Bees to Group Dynamics" include:

• Lack of clear purpose.
• Lack of ground rules.
• Lack of candid input.
• Lack of consensus.
• Lack of a final product.

If a workshop falls prey to killer bees, it can be difficult to end up with a session that successfully addresses its goals. A facilitated workshop can help CSA professionals address — and conquer — the most common killer bees.

A CLEAR PURPOSE

To tackle the first killer bee, the facilitator should: 1) State the workshop's purpose and goals at the beginning of each session; 2) Describe the biggest obstacles in achieving the stated objective, as well as ways to meditate or eliminate those obstacles; and 3) Discuss the secondary benefit the group can expect, such as how the workshop will reinforce teamwork and teambuilding. If a meeting has clearly stated objectives, participants are more likely to understand what they're working toward and be inspired to achieve a tangible goal.

GROUND RULES

The CSA facilitated workshop should follow ground rules for interacting and participating that are founded upon proven rules of civility. To avoid awkward and possibly contentious situations, the group should agree to observe the ground rules and support the facilitator in enforcing them. Eliminating this killer bee, lack of ground rules, will help keep interactions positive, constructive, and depersonalized. Obtaining consensus to support the facilitator at the beginning of the workshop is critical to achieving the team's objective. For any group with divergent viewpoints and staffing ranks, it is critical that the group selects and recognizes a “bee keeper” who can gently and humorously guide the discussions in the direction of constructive and impersonal observations.

CANDID INPUT

Lack of candid input or participation is a killer bee that can bore holes into a workshop's foundation. Obtaining candid input is essential to assessing objectives, risks, and controls. The use of anonymous voting devices can be helpful in drawing out participants' real thoughts because the fear of being judged or receiving retribution from management is alleviated. Participants often rave about how liberating anonymous voting is and how critical it is in soliciting their honest and real assessments of a process. Throughout the session, it also is useful to remind the group that capturing the impressions, insights, and positions of each participant is crucial in being able to meet the workshop's objectives. Numerous workplace studies have shown how rarely employees voice their concerns or disagreement with management. In fact, the occurrence is so rare that specialized seminars are offered to address this issue. A likely reason employees might fear speaking up is because they lack the ability to frame their observations constructively so that management feels supported rather than attacked. The combination of the anonymous voting feature and ground rules in facilitated workshops often neutralizes this fear.

CONSENSUS

If the lack-of-consensus killer bee attacks, the workshop results may be skewed, making it difficult to generate a final product. The use of software to capture the group's comments and votes in real time can be an invaluable technique in facilitating a workshop. Vote tallies immediately shown on the projector screen reflect the group's genuine opinions and feelings. Validating the vote through discussion prior to finalizing the group's opinion and generating the final product is a powerful tool to override group thinking or an intimidation factor that may be present. More often than not, a workshop participant will be very outspoken and opinionated. This actually can be a good way to seek group consensus by drawing out other participants' viewpoints with well-timed questions from the facilitator, such as "Who can empathize with this statement?" or "Does anyone else feel this way, and if not, why?" These questions can put the group at ease, generating impersonal and constructive perspectives.

THE FINAL PRODUCT

To swat the final killer bee, CSA workshops should yield a final product, which helps the facilitator and participants feel confident that they have achieved their objective. One way to achieve this product is to capture the entire session electronically and print it out in report form at the end of the workshop. This process validates the effort of each individual, as well as the expenditure of staff time for this endeavor.

Facilitated CSA workshops can be a valuable tool that helps staff and operations work more productively and efficiently, and helps the organization achieve its business goals. The ability of the CSA process to address the typical reasons for failures on group projects makes CSA a predictable and effective managerial and audit tool. By stating a clear purpose; establishing ground rules; encouraging and gathering candid input; achieving consensus; and helping produce a final product, the facilitator can defeat the "Killer Bees to Group Dynamics" and conduct a successful assessment.

Peter Hughes, Ph.D., CIA, CPA, CITP, has served as the director of internal audit for the Oregon University System, the California Institute of Technology, the NASA Jet Propulsion Lab, and Orange County in California, as well as the director of finance and accounting for CBS Inc., and the acting controller for the California Institute of Technology.

CSA 101: Basics for the Newcomer

The world of CSA can be daunting to new auditors or CSA practitioners. Discover the answers to several questions newcomers often ask.

For new auditors or CSA practitioners, learning the basics of control self-assessment (CSA) has grown increasingly complex due to its proliferation around the world in audit and corporate environments. As its use continues to rise, the methodologies behind CSA have evolved to meet the specific needs and objectives of organizations. Even the terminology used to describe CSA has evolved and runs the gamut: dynamic self-assessment; facilitated self-assessment; management assessment process; control monitoring program; participatory assessment of risk and control; dynamic assessment of risks and enablers; business control and risk assessment; business risk assessment; and control and risk self-assessment, particularly in Canada where the Canadian Standards Association requested the revised terminology.

For newcomers to CSA, many questions may arise: What are the basic principles of CSA? How can CSA bring value to an organization's audit program? How can an organization implement CSA? What challenges do practitioners face? Regardless of who facilitates the self-assessment — an internal auditor or a CSA practitioner — CSA can help improve the control environment by increasing awareness of organizational objectives and the role of internal control in achieving those objectives. CSA also can motivate personnel to design and implement controls carefully and to improve operating controls continually.

DEFINITION OF CSA

CSA is a structured approach for evaluating the effectiveness of internal controls. Its goal is to examine and assess whether existing controls provide reasonable assurance that all business objectives will be met. CSA techniques allow management and work teams directly responsible for business objectives to manage risks more effectively by:

• Involving them in risk identification and internal control assessments.
• Evaluating residual risks.
• Developing action plans to address intolerable control weaknesses.
• Assessing the likelihood of achieving business objectives.

CSA generates information on internal controls that management and internal auditors can use when evaluating the adequacy of internal controls. It also can provide a positive influence on the control environment by educating staff about their role in monitoring and administering effective controls. In addition, as staff members buy into the process, control consciousness increases. One of the greatest secondary benefits of CSA relates directly to the effective involvement of participants. Employees become a more collaborative team since they work together to achieve a successful self-assessment. They also gain a better understanding of how their jobs fit with other employees' roles.

THE VALUE OF CSA TO INTERNAL AUDITING

CSA effectively augments traditional internal audit activities by providing a broader coverage of controls (i.e., soft controls) and enables management to manage risks and fulfill their responsibilities better by improving the quantity and quality of information available. Through CSA, internal auditors and operating staff collaborate to identify risks and assess the efficiency and effectiveness of internal controls. The quantity of information increases as internal auditors rely on operating employees to participate actively in CSA, thus reducing time spent on information gathering and validation procedures performed during an audit. Similarly, as employees have a more thorough understanding of the organization's processes than an auditor could develop over a relatively short period, the quality of the information is improved with CSA.

PERFORMING CSA

Any component of an organization can facilitate CSA activities, including the internal audit staff.

Three primary CSA approaches are facilitated workshops, questionnaires, and management-produced analysis. Organizations often combine more than one approach to accommodate their self-assessments.

Facilitated workshops are the most popular and effective — yet often the most time consuming — approach to CSA. Workshops allow gathering risk and control information from work teams that represent multiple levels of an organization. Optimally, a trained facilitator who can assist with conflict management and group dynamics, keeping the team focused on its objective, leads sessions. (See Fundamentals of Facilitated Workshops for more information.)

The questionnaire approach uses a survey instrument that offers opportunities to gather insightful responses. Questionnaires help determine the strength of the control environment, reinforce business and financial policies, and minimize internal audit resources, but typically do not produce the most reliable results due to misinterpretation of questions and no collaborative discussion amongst a group. Process owners use the survey results to assess their control structure.

A management-produced analysis does not use a facilitated workshop or questionnaire and produces an internal analysis of the business process. The CSA specialist — who may be an internal auditor — combines the results of the analysis with information gathered from other sources, such as key management personnel. By synthesizing this material, the CSA specialist develops an analysis that process owners can use in their self-assessment efforts.

For more information on CSA tools and techniques, newcomers may wish to check out Larry Hubbard's book Control Self-assessment: A Practical Guide, which is available from The IIA Bookstore. The IIA’s Professional Practices Pamphlet 98-2 provides additional CSA guidance. (PDF, 143 KB)

IMPLEMENT CSA ACTIVITIES

An organization should consider six major issues to implement CSA effectively:

1. Scope or breadth of the CSA process. The organization decides what portion of the entity will use CSA; what functions or objectives to consider; and what level of detail is included in the assessment (e.g., work group, district, or division).
2. Impact of the organization's culture. A CSA approach and format is selected based on a cultural analysis of the organization, including its key values and behaviors. In the event the organization's culture does not support a participative CSA approach, questionnaires may be a better choice for obtaining responses and performing internal control analyses.
3. Use of CSA results. The organization determines whether CSA risk assessment results will identify areas for management’s improvement of internal controls, and/or future internal audit work. The organization also can use the internal audit function to validate the CSA process and results.
4. CSA process. Based on factors such as cost and employee skill sets, the organization determines the tools, techniques, frameworks, mechanization, documentation, and report formats used in connection with gathering and reporting CSA information. Additionally, a determination should be made of which, if any, control framework will be used to ensure completeness of internal control questions.
5. Internal audit involvement. Implementers decide whether internal auditors or management will drive the CSA process.
6. Creating a sustainable CSA effort. Initial and ongoing marketing of CSA is very important and is influenced significantly by the organization's culture. If the organization is not supportive of a participative CSA approach, minimal marketing will avoid catching the eye of those resistant to change or employee involvement. Finding an audit-friendly department to begin a CSA effort may provide for greater appreciation of the CSA results and marketing by management.

Once these issues have been considered and addressed, an organization can move forward with the CSA process.

Because CSA is en effective method for gathering internal control information in today's environment, it can help internal auditors improve their work. As a result, auditors can help organizations protect stakeholder interests. Furthermore, CSA generates internal control information that may be useful for management and internal auditors when evaluating the adequacy of internal controls. This helps to improve the organization's control environment by raising employee awareness of internal controls, which ultimately results in a proven asset within the corporate structure.

Q&A With Dave Harmon

Enterprise risk management and Sarbanes-Oxley seem most applicable to for-profit organizations and don't seem to fit the culture of nonprofit organizations. Isn't it unrealistic for nonprofits to adopt these practices? Isn't it just "window dressing"?

DAVE HARMON, CIA, CCSA, CPA, CISA
DIRECTOR OF FINANCIAL MANAGEMENT PROGRAMS
UNIVERSITY OF CALIFORNIA

Although your questions are somewhat insightful regarding organizational culture and window dressing, I must emphatically answer "no" and "no." The Committee of Sponsoring Organizations of the Treadway Commission's Enterprise Risk Management — Integrated Framework and the U.S. Sarbanes-Oxley Act of 2002 can, and should, play a major, successful role in both for-profit and nonprofit organizations.

ARE ERM AND SARBANES-OXLEY MOST APPLICABLE TO FOR-PROFIT ORGANIZATIONS?

Enterprise Risk Management (ERM) and Sarbanes-Oxley are different animals, neither of which I accept as the exclusive domain of for-profit organizations. ERM is a control model with universal application, regardless of an organization's type. I'm more than a little surprised when organizations still refer to adopting ERM — ERM isn't an orphan that requires adoption; it's the law of the land. ERM, in its basic form, has had its mandate for more than 10 years and, although ERM finally is getting some respect, it still isn't being implemented fully.

Sarbanes-Oxley, on the other hand, is legislation pertaining to publicly traded companies. Although the use of Sarbanes-Oxley in nonprofits is a legitimate question, the essence of Sarbanes-Oxley does have universal appeal: management accountability and sound financial management. Since when do these principles not apply to nonprofits? The United Nations and its oil-for-food fraud is a perfect example. Nonprofits may have the right to ignore Sarbanes-Oxley, but that doesn't mean they should. Potter Stewart, former U.S. Supreme Court justice, said it best: "There's a big difference between what you have a right to do and what is right to do."

In fact, many nonprofits have embraced relevant portions of Sarbanes-Oxley as best practices. The requirements for auditor independence (i.e., the structure of audit committees and relationships with external auditors) make good sense and are inexpensive to satisfy. Similarly, selected parts of corporate responsibility requirements are relevant, such as establishing a code of conduct and using management certifications. Personally, I would not want to put myself in a position where I had to justify why these steps weren't implemented. Full compliance with the documentation and assessment of internal controls may not be applicable, but neither is the situation where there is no formal documentation of internal controls.

DO ERM AND SARBANES-OXLEY FIT THE CULTURE OF NONPROFIT ORGANIZATIONS?

Possibly not. However, ERM and Sarbanes-Oxley don't fit the cultures of for-profit organizations either. All practitioners acknowledge that adapting ERM to an organization's existing culture is a key to success. I believe the ultimate goal of ERM is to change an organization's culture. Everything else logically flows from that. If organizations had the right culture, it wouldn't be necessary to spend all this time on internal control models. The very fact that ERM does not fit the culture of nonprofits makes the case for its implementation.

Regarding Sarbanes-Oxley, I agree that it doesn't fit the nonprofits' culture. It is a mandate for public companies and was never intended to fit with any culture; it was intended for compliance. Achieving Sarbanes-Oxley compliance will change an organization's culture for the better.

IS IT UNREALISTIC FOR NONPROFITS TO ADOPT THESE PRACTICES?

To this question, I counter by asking whether it is unrealistic for nonprofits not to adopt these practices. By now, you should have a pretty clear sense of my position that nonprofits need good internal controls the same way for-profits do. In fact, the argument could be made that the need is greater. For-profits have the built-in discipline of the marketplace competition to answer to, which helps to "weed out" the worst of the worst for-profit companies, while nonprofits rely on the good stewardship of management. Without a discipline like ERM and relevant portions of Sarbanes-Oxley, stewardship — when it does exist — may tend to lose its effectiveness over time. Organizations like the United Nations, which are created with the noblest of intentions, but have a unique monopoly, are a perfect example. Over time, the concept of good stewardship takes a back seat to bureaucracy and employee entitlements.

IS IT JUST WINDOW DRESSING?

Although implementations of ERM and Sarbanes-Oxley can be window dressing, they shouldn't be. I think with any new change process, there are elements of both form (i.e., window dressing) and substance (i.e., effective change). Early on, substance frequently takes a back seat to form. But, ultimately, if the process has integrity (i.e., the proper sponsorship), substance overcomes form as the prevailing effect.

One easy way to avoid the frustration of a transforming change is to believe the process doesn't apply to you or that the proposed change lacks substance. What tends to get overlooked is the cost of not changing. The assumption that continuing to proceed in an aimless manner, alleging that what has worked in the past will continue to work in the future, only delays — but does not avoid — the consequences.

David Harmon, CIA, CCSA, CPA, CISA, is director of financial management programs at the University of California, Los Angeles and instructs several IIA courses on CSA. Harmon helped to develop a CSA program in his former position at Fannie Mae and contributed to the questions in The IIA's CCSA exam.

According to Mike

Control Self-assessment: A Retrospective

MICHAEL PIDZAMECKY, CFE, CMA
CONSULTANT
TORONTO

It's been more than a decade since I was first introduced to CSA at Westcoast Energy. At that time, CSA was a process-based program where the audit group would lead departments through a self-evaluation of their risks and controls, economy, efficiency, effectiveness, and the ability to meet stated goals and objectives. One of the key components of the program — the use of storyboards to document the process — actually was pioneered by Westcoast Energy.

CSA was such a great success with the departments that volunteered to be our test subjects that when we officially offered it as an audit approach, we found many willing participants. I have conducted many types of self-assessment reviews over the years — objective, controls, and risk — and although I may be biased by saying all were successful, it was the continous, positive testaments from unbiased clients that proved self-assessment was an important tool for any audit group. I remember one company where The Committee of Sponsoring Organizations of the Treadway Commission/Criteria of Control CSA approach was fully supported by the chief executive officer. This approach was used to help the company and its personnel examine the organization and determine what was needed to transform it from a money-losing operation into an industry leader. CSA was credited as one of the key success factors responsible for transforming this organization into one of the most profitable companies in its industry.

In the beginning, many of us faced distractions and hurdles while trying to implement self-assessment. Some management and even internal audit leaders believed that internal audit should only do financial and compliance auditing; therefore, self-assessment was refused. Others gave permission to implement self-assessment for the opposite reason — they saw CSA as a way of doing more audits in less time and with fewer resources. But we discovered that CSA was only one of many audit approaches. Some of us had senior management's support, but soon discovered that other departments were working against us because they were afraid of what we would undercover. I can even remember external auditors laughing at the idea of self-assessments being conduct by internal auditors, let alone company management.

CSA professionals always will face challenges in trying to implement some sort of self-assessment program. But will the premise of self-assessment ever die? Absolutely not! It has been around for close to a century in the form of your annual tax return. And every time you travel between countries and complete a customs declaration, you self-access. Even today, we have legislation that requires management to self-assess the internal controls over financial reporting. And the latest and greatest sound business practice — enterprise risk management (ERM) — is rooted in the need to have the entire organization self-assess the potential risk it faces each year to maximize business objectives and opportunities.

Whether you are a practitioner of internal or external audit, financial reporting, risk management, regulatory compliance, or human resources, you're administering at least one self-assessment review or audit in one form or another. CSA is a fact of life and a fact of business that always will be present. So let's strive to work with one another to share experiences and processes so that we can realize the full potential of self-assessment programs.

This will be my last column for CSA Sentinel. During the last 10 years, I've seen and done a lot with CSA, or as I like to call it, just plain old self-assessment. I know many of you do not agree with all of my opinions, but I can say that I've learned a lot by listening with an open mind. To all of you out there who have read my column, thank you for at least giving me an ear — whether you agreed or disagreed. My last opinion for you is this: no matter what others say, no matter what others are doing, and no matter how much you paid the consultant — in the end, you choose the self-assessment approach that best meets the needs of your organization. Remember, in self-assessment, there is no wrong or right way — only the best way.

Finally, I would like to thank all of my editors, past and present, for all their help and encouragement. It is through their dedication and support that this rough piece of rock could be polished up and turned into diamond.

Michael Pidzamecky, CFE, CMA, is a private consultant who works with CSA and ERM processes. Pidzamecky has developed several self-assessment approaches, presented sessions for IIA courses and conferences, and written questions for the Certified Control Self-Assessment exam.

Center News

Coming Soon — The IIA's Risk and Control Conference

Mark your calendar for The IIA's 2006 Risk and Control Conference, Aug. 21–23, in Palm Beach, Fla. Risk and control is big business — improving your ability to add value and help improve your organization's risk management and control processes is what this conference is all about.

Participants can take advantage of numerous networking opportunities to share ideas, best practices, and discuss the current challenges facing your organizations. Don't miss this excellent opportunity to focus on the issues that are important to your organization, while making sense of different frameworks, regulations, and best practices of interest to internal auditors and other business professionals.

To obtain additional information and to register, visit The IIA Web site,
www.theiia.org/training/conf/index.cfm?e_code=RISK0806, or contact customer service at +1-407-937-1111.

CIA Exam Offerings

The Certified Internal Auditor^® (CIA) designation is the only globally accepted certification for internal auditors and remains the standard by which individuals demonstrate their competency and professionalism in the internal audit field. Candidates leave the program enriched with educational experience, information, and business tools that can be applied immediately in any organization or business environment.

Upcoming exam dates are:

• Nov. 15, 2006 (Part I – 8:30 a.m. to 12:00 p.m.; Part II – 1:30 to 5:00 p.m.; Local Time) Application deadline is Sept. 30, 2006.
• Nov. 16, 2006 (Part III – 8:30 a.m. to 12:00 p.m.; Part IV – 1:30 to 5:00 p.m.; Local Time) Application deadline is Sept. 30, 2006.

For additional information and to register, visit The IIA Web site, www.theiia.org/?doc_id=43, or contact customer service at +1-407-937-1111.

CCSA Specialty Exam Offerings

The Certification in Control Self-Assessment^® (CCSA) is a specialty certification program designed for control self-assessment (CSA) practitioners. Business professionals of all CSA experience levels can benefit from this comprehensive program. Gaining the required knowledge in areas such as risk and control models — often considered the realm of auditors only — exposes CSA practitioners to vital CSA concepts that can help clients achieve their objectives.

Upcoming exam dates will be held on:

• June 18, 2006 — Offered at The IIA's International Conference in Houston, Texas. Application deadline is June 1, 2006.
• Nov. 16, 2006 — Offered at more than 250 locations worldwide. Application deadline is Sept. 30, 2006.

If you wish to learn more or to register, visit The IIA Web site, www.theiia.org/?doc_id=36, or contact customer service at +1-407-937-1111.

Evaluating Soft Controls

Need help evaluating soft controls? Answering a few questions can help with your evaluation.

LARRY D. HUBBARD, CIA, CCSA, CPA, CISA
PRINCIPAL, LARRY HUBBARD & ASSOCIATES

Most soft controls can only be self-assessed because they impact attitudes, and attitudes — unlike policies, procedures, and reconciliations — are unique to each person. In The Committee of Sponsoring Organizations of the Treadway Commission's frameworks, soft controls fall under the "internal environment" component and must be evaluated before all the other control components. That way, the impact of soft controls — or the environment — on people can be considered in designing or evaluating other controls.

In evaluating soft controls, managers can tell you the "design" of soft controls, but it is the actual workers who can tell you the "operation" of soft controls. Answering the following questions can help you evaluate your organization's soft controls:

• In what ways does your manager encourage you to increase your ability to perform your job?
• To what extent does your manager do the "right" thing, regardless of any negative consequences or pressures?
• How clearly do your manager's actions demonstrate the company's policies on ethical conduct?
• How effective is your manager in creating a positive environment for following company policies and doing the right thing?
• To what extent is your manager willing to hear other points of view and communicate the reasoning behind his/her decisions?
• How effective is your manager at communicating departmental priorities and objectives and seeking the help of others to overcome barriers to their achievement?
• How clearly are job responsibilities and other duties defined and communicated within your department?
• To what extent do you personally understand and agree with the goals and objectives of your department?
• How well do the systems and procedures you are expected to use support the needs of your job responsibilities?

Larry Hubbard, CIA, CCSA, CPA, CISA, is a professional trainer and consultant with a broad background in accounting, auditing, and finance. His experience includes audit management; information systems, financial, and operational auditing; financial reporting; consulting and training; and organization directorship.

Calendar

May

Enterprise Risk Management: What's New? What's Next?
May 22–24; Lake Buena Vista (Orlando), Fla.

Evaluating Internal Controls: A COSO-based Approach
May 22–24; Lake Buena Vista (Orlando), Fla.

June

Adding Value Using Risk-based Auditing
June 12–14; New York, N.Y.

Corporate Governance: Strategies for Internal Audit
June 14–16; New York, N.Y.

Enterprise Risk Management: Process Improvement Workshop
June 15–16; New York, N.Y.

Enterprise Risk Management: What's New? What's Next?
June 12–14; New York, N.Y.

Evaluating Internal Controls: A COSO-based Approach
June 12–14; New York, N.Y.

Value-added Business Controls: The Right Way to Manage Risk
June 14–16; New York, N.Y.

July

Enterprise Risk Management: What's New? What's Next?
July 10–12; Vancouver, British Columbia
July 24–26; Boston, Mass.

Evaluating Internal Controls: A COSO-based Approach
July 10–12; Vancouver, British Columbia

Facilitating Results Using CSA
July 26–28; Boston, Mass.

Introduction to Control Self-assessment
July 24–26; Boston, Mass.

August

Adding Value Using Risk-based Auditing
August 28–30; Palm Beach, Fla.

Corporate Governance: Strategies for Internal Audit
August 7–9; Las Vegas, Nev.
August 28–30; Palm Beach, Fla.

Enterprise Risk Management: What's New? What's Next?
August 28–30; Palm Beach, Fla.

Evaluating Internal Controls: A COSO-based Approach
August 7–9; Las Vegas, Nev.

The IIA's Risk and Control Conference
August 21–23; Palm Beach, Fla.

Value-added Business Controls: The Right Way to Manage Risk
August 9–11; Las Vegas, Nev.
August 28–30; Palm Beach, Fla.

To add your CSA course, seminar, conference, or event to the calendar, please forward all pertinent information to Editor Allison Cain via e-mail allison.cain@theiia.org, or by fax, +1-407-830-4832.