Second Quarter 2007 • Vol. 11 • No. 2

CSA Sentinel

Welcome to CSA Sentinel, The IIA's quarterly publication for control self-assessment (CSA) professionals. As a benefit of membership in The IIA's CSA Center, this newsletter features articles on the latest thinking in CSA and risk, practical "how-to" advice, research, and news on the latest developments.

In This Issue

Maximize Your Internal Audit Function
Optimize your ability to meet organizational objectives by aligning your internal audit goals with your strategic goals.

Improving Internal and External Audit Coordination
Because of the potential value of CSA, internal auditors and their organizations need to work together to effectively integrate CSA into the external auditing process.

Enhancing the Bottom Line: Moving From Risk to Compliance
Learn how a risk-based approach to compliance can contribute to better business performance in any organization by saving time and money.

Q&A With Dave Harmon
Learn how to make a management control self-assessment work for your organization.

According to Mike
CSA is moving up the corporate ladder.

Quick Tips: Four Tips to Help Develop a Successful and Sustainable CSA Program
Following these tips can help internal auditors plan and prepare for a successful CSA program.

Center News
The IIA's 2007 Risk and Control Conference; download the free guide on IT outsourcing.

This section includes a listing of upcoming IIA risk and control training events.

All contents of this Web site, except where expressly stated, are the copyrighted property of the Institute of Internal Auditors Inc.

Maximize Your Internal Audit Function

Optimize your ability to meet organizational objectives by aligning your internal audit goals with your strategic goals.



Every organization has goals and adopts strategies to achieve them. The risk that these strategies will fail and the respective goals will not be achieved must be evaluated by senior management and the board of directors when designing and implementing the corporate control structure. A well-run internal audit department should partner with management and the board of directors to provide consulting in the area of risk mitigation, as well as to provide independent monitoring of the controls upon which management relies. If completed properly, an internal audit quality assessment (IAQA) can be a part of management's strategy to achieve corporate goals by evaluating the effectiveness of the internal audit function.

Some organizations view the assessment of the internal audit function as a tool to make sure that the function is as effective and efficient as possible. Other organizations view the assessment as an expensive, time-consuming activity. A third group of organizations asks, "What internal audit function?" Regardless of the internal audit function's status in an organization, clarification of the following issues may assist in understanding how an internal audit function can become part of an overall strategy and help achieve corporate objectives:

  • The purpose of internal audit.
  • The internal audit standards.
  • The purpose of an internal audit self-assessment.
  • Some common internal audit problems and quick fixes.


The Purpose of Internal Audit

With the high visibility of internal audit's participation in complying with the U.S. Sarbanes-Oxley Act of 2002 and the focus on publicly traded company transparency, the true purpose and objective of the internal audit function may have become blurred for some organizations. According to The Institute of Internal Auditors' (IIA's) definition of internal auditing, the internal audit function should provide independent, thorough, timely, and objective results of quantitative and qualitative testing to senior management. Internal auditing assists public and private organizations in meeting their overall goals by establishing a systematic approach to assessing the effectiveness of risk management, control, and governance processes.

An independent internal audit function is unbiased and holds a neutral position within an organization. It has the ability to define the scope of internal audits, the authority to obtain information and resources, and an appropriate reporting line to senior management. The members of the internal audit team do not test their own work or the work of persons they report to. Any actual or potential conflict of interest that hinders an honest and unbiased assessment must be disclosed.


The Internal Audit Standards

In order to operate an internal audit function that is objective, independent, effective, and useful to an organization, it is essential that the internal audit function comply with the International Standards for the Professional Practice of Internal Auditing (Standards) developed by The IIA. The Standards were created to guide the policies and practices of internal audit departments. Implementation standards apply to either assurance or consulting activities and expand on the attribute and performance standards. In total, there are 16 attribute standards and 30 performance standards.

Attribute standards refer to the construction of the audit department in terms of staff expertise and training, as well as objectivity. Attribute standards also refer to the function of the audit department in the organization in terms of purpose, authority, and evaluations. Two examples of attribute standards are:

  1. Attribute Standard 1000 — Purpose, Authority, and Responsibility: The purpose, authority, and responsibility of the internal audit activity should be formally defined in a charter, consistent with the Standards, and approved by the board.
  2. Attribute Standard 1220 — Due Professional Care: Internal auditors should apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility.

The attribute standards reflect the purpose of the internal audit function in that they define that the internal audit group should be staffed with competent persons who have access to information in order to complete their responsibility of monitoring the efficiency and effectiveness of internal operations.

Performance standards refer to how the internal audit function should operate and how the planning, scope, and reporting activities should be conducted and by whom. Two examples of performance standards are:

  1. Performance Standard 2010 — Planning: The chief audit executive should establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization's goals.
  2. Performance Standard 2500 — Monitoring Progress: The chief audit executive should establish and maintain a system to monitor the disposition of results communicated to management.

The performance standards reflect the purpose of the internal audit function in that they define activities to be completed, which help make sure that the internal audit function is operating as designed for the benefit of the organization.


The Purpose of an Internal Audit Self-Assessment

An internal audit self-assessment is required by Attribute Standard 1300 — Quality Assurance and Improvement Program. Compliance with this standard involves both internal and external assessments. While the internal assessment can be less rigorous than the external assessment, it is in the best interest of the internal audit function to adopt the highest possible standards for its internal reviews. A quality audit assessment reviews the overall audit focus (e.g., scope and scheduling), timeliness, the use of information technology resources, and the integration of audit services into the overall organizational goals and objectives.

Timeliness is determined by the risk profile and scope of the audit. For example, a company may require a 45-day span for high-risk areas and a 60-day span for moderate-risk areas, measured from initiation of fieldwork to report completion and management sign-off. A quality audit assessment involves discussion with audit management, senior organizational management, internal audit clients, and the audit staff. Once all of the results are gathered from client and employee surveys, workpaper testing, review of the charter, and any other tests deemed necessary, an evaluation of the internal audit function's compliance with the attribute and performance standards is given.

The goal is to assure that the internal audit function is in compliance with the attribute and performance standards, and therefore is designed and operating efficiently and effectively. If management is relying on the results of internal audit reviews for regulatory compliance (e.g., Sarbanes-Oxley), it will want to make sure that controls are being tested effectively and on time.

To comply with the external assessment requirements of the Standards (Attribute Standard 1312 — External Assessments, which calls for an external assessment at least once every five years), organizations can either perform a self-assessment that is reviewed and opined on by an independent external validator, or engage an external assessor to complete the assessment and provide an opinion. In the first option, the validator reviews the self-assessment completed by internal resources from an independent viewpoint and is involved in neither the operations nor the assessment of the organization's internal audit function. The goal of an objective and independent review is met with either option. However, a properly completed IAQA has further pros, and each option has cons, as shown in the IAQA option comparison table below; these should be weighed against the strategic initiatives and culture of the entity.




IAQA Option Comparison

External Evaluation

Pros:
  • Internal audit focuses all of its resources on conducting operational, financial, and compliance audits.
  • Provides a completely independent and objective assessment and opinion, using externally generated samples and testing plans.
  • Completed quickly, because the external organization can focus on the IAQA.
  • The external organization brings fresh best practices and a range of staff experience.

Cons:
  • More expensive. The cost varies with the size, number of audits, and complexity of the internal audit department; however, the opportunity cost of making internal staff available for a self-assessment also must be considered.
  • The external validation delivers best practices, but the ground-level training and experience gained by staff is reduced.

Self-assessment With External Validator

Pros:
  • Develops a self-assessment program that evolves into part of the organizational fabric and culture.
  • Reduces the cost of an IAQA by completing the self-assessment in house.
  • Provides a training exercise.
  • Builds a team effort and culture within the internal audit department.

Cons:
  • May reduce the influx of fresh best practices that increase effectiveness and efficiency.
  • The leader and staff of the internal self-assessment team may find it difficult to deliver recommendations for improvement to their own department.
  • Redirects resources (e.g., people and time) from operational, compliance, and financial audits.
  • Takes more time to complete, as staff have multiple simultaneous tasks.



Common Internal Audit Problems and Quick Fixes

Internal audit functions may be structured and staffed in different configurations depending upon the size of the company and the industry. However, there are several common problems shared by many internal audit departments that a self-assessment may find:

  • Timeliness of audit reports.
  • Lack of qualified staff.
  • Absence of risk assessment in audit scheduling and audit scope phases.


Timeliness of Audit Reports

The cause of poor timeliness may be difficult to ascertain, especially in complex audits. The causes are generally scope creep, inability to obtain test data, or poor planning. The impact on strategic goals is that management may not be receiving up-to-date assessments of the processes and controls over operational and financial data to use in decision making. For example, if management is not aware of misclassified loans in a financial organization's trial balance, how will it decide on loan pricing and regulatory capital strategies between commercial and residential loans?

Quick Fix: Try assigning a single individual, possibly an administrative assistant, to track the stages of each audit in order to monitor progress and identify where bottlenecks or delays occur. For example, if an organization expects the fieldwork phase to last two weeks but it runs for three, management can trace the delay to specific fieldwork steps and address its cause, such as scope creep or late receipt of data. If it becomes obvious during the audit that the next deadline will not be met, the cause and the actions taken to remediate the delay should be documented. The results of the tracking effort should be discussed in periodic staff meetings so that no project is left unmonitored for long. In addition, rewarding employees for timely audits and for documenting known delays in ongoing audits may encourage quicker turnaround times.

Qualified Staff

The absence of sufficient qualified staff is created partly by the nature of internal audit. Internal auditors often are expected to perform audits on multiple lines of business with diverse technologies, products, geographies, and control infrastructures. The ability to be experienced and trained in every area is naturally limited. The impact on strategic goals is that audit risk may increase and the information reported back to management may not be focused and accurate.

Quick Fix: Use outside experts in audits as necessary. These experts can be external service providers, independent contractors, or an independent, internal resource loaned to the internal audit department for a specific project. This may mean using one person who is, for example, an "ABC software" expert in all audits where this technology is used. Coupling inexperienced staff with subject matter experts can expedite the training process so that dependence upon outsiders is reduced over time. This is similar to apprenticeships, which are useful as long as the requirements of independence are met.

Absence of Risk Assessment

The assessment of the risks associated with a process should be part of the initial audit planning stage. In order to be efficient and effective, internal auditors want to ensure not only that all high-risk areas are audited but also that higher-risk areas are assessed first, as the consequence of a control failure there is inherently greater than in lower-risk areas. Identifying each individual risk affecting the company and debating the relative priority of each is often perceived as a monumental project. The project is further complicated by the dynamic nature of corporate businesses, which often renders an initial risk assessment obsolete by the time the audit team arrives.

Quick Fix: Initial risk assessments can be made general in nature. A general high-level risk assessment of each department can be achieved via a questionnaire or meeting with departmental personnel. Once this initial risk assessment has been completed, the more in-depth risk assessment can occur during the planning stage of a particular audit. In addition, it can be helpful, and in some cases required, to obtain advice from subject matter experts. The focus of the audit should always include the highest risk areas at a minimum.


The purpose of an internal audit function is to act as a tool to make sure that an organization is as effective and efficient as possible. The internal audit standards shape an independent, efficient, and therefore effective, audit function. A self-assessment helps the internal audit function operate as management anticipates and makes sure that the department's risk assessment, scope development, and reporting are aligned with overall organizational strategies.

Alison Wolf, CIA, CFA, is a senior manager of the accounting and auditing department for Skoda Minotti where she focuses on the assessment and development of internal controls over operational, credit, and compliance functions including Sarbanes-Oxley-related activities for various industries. Wolf previously served as assistant vice president of consumer financial risk management for Key Bank and has held positions in risk assessment, personal banking, and commercial credit in the Canadian banking industry. She is a certified internal auditor and a chartered financial analyst and has completed the certified information systems auditor exam. Wolf also is accredited to complete quality assessment reviews of internal audit functions.
Joanne Fox Phillips, CIA, CPA, is a director of internal audit at Dynegy Inc., a wholesale power generation company headquartered in Houston, Texas. Prior to this position, Phillips worked as an external auditor for PricewaterhouseCoopers and later as an internal controls manager for El Paso Corporation. She is a certified internal auditor, a certified public accountant, and a certified fraud examiner. In addition to being accredited to complete quality assessment reviews of internal audit functions, Phillips has participated in external assessments as a volunteer with The IIA.

Improving Internal and External Audit Coordination

Because of the potential value of CSA, internal auditors and their organizations need to work together to effectively integrate CSA into the external auditing process.



About the CSA Survey


  • Surveys were mailed to 430 individuals listed in The IIA's Control Self-Assessment Center 2001 Membership Directory.
  • Recipients were located in the United States or Canada and worked for employers likely to receive independent financial statement audits.
  • Useful responses were received from 113 organizations, 73 of which indicated that they had used CSA within the prior year. Of those 73 organizations, 67 also had an independent financial statement audit in the prior year.
  • Organizations that received an external audit were asked to provide their external auditors with an auditor's survey.


  • Information from 31 responding accounting firms revealed that, on average, CSA was used in only 21.6 percent of the audits performed from the respondent's office in the previous year. The two most common reasons cited by external auditors for not using CSA were the belief that it was inefficient and a lack of training.
  • Assertions about CSA inefficiency were directly contradicted by the 9 responding auditors that actually used CSA on the audit of the organization that provided them with their auditor survey. More than 75 percent of those auditors reported that the use of CSA resulted in a more efficient and effective financial statement audit.
  • The totality of the survey results suggests that CSA is being used in a relatively small percentage of financial statement audits, but the auditors who are actually using CSA are very satisfied with both the efficiency and effectiveness of the tool. It is likely that current impediments to using CSA would dissipate as external auditors gain a better understanding of it.

Many internal auditors already know that control self-assessment (CSA) can be an exceptionally useful tool for their organizations. However, what is less known is how external auditors can use CSA to improve the efficiency and effectiveness of a financial statement audit. A control self-assessment survey — conducted by the authors — of organizations and their external auditors revealed a low level of CSA usage by external auditors and a low level of communication between internal and external auditors. The survey also found several basic misconceptions on the part of internal and external auditors, and other organizational personnel that likely are contributing to low CSA usage. (For survey information and findings, see the sidebar "About the CSA Survey.") Because of CSA's value, organizations and their internal auditors should work to promote the use of CSA by their external auditors.


The internal audit profession has always had significant responsibilities over internal controls, which is demonstrated by its definition. In addition to their traditional control responsibilities, internal auditors are increasingly being called upon to assist management — by serving as its eyes and ears — in fulfilling its obligations under the U.S. Sarbanes-Oxley Act of 2002, particularly for Sections 302 and 404. The IIA's Professional Practices Framework also advocates that internal auditors be involved in both a consulting and assurance capacity.

As a result of the Sarbanes-Oxley requirements, the internal audit profession must evaluate both hard and soft controls under the guidelines of The Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Internal Control–Integrated Framework. Hard controls (e.g., credit approval indicated on an invoice) can be effectively evaluated by traditional audit tests. Soft controls (e.g., management's ethics and integrity) are less tangible, and traditional audit tests are far less effective in evaluating them. The internal audit profession has been a leader in searching for new audit tools to evaluate soft controls more effectively, and CSA has emerged as an effective tool in this area. According to the survey, however, organizations are not using CSA in the most audit-relevant areas: only 14 percent of the 73 organizations using CSA used the tool to evaluate controls that promote the reliability of the organization's independently audited financial statements, the use that is most directly relevant to an independent financial statement audit.

CSA is used to evaluate organizational processes and controls, and it can help improve the effectiveness of both internal and external auditing. Although most of the organizations surveyed had CSA data available, they were not communicating with their external auditors about their use of CSA. The organizations were not asking their external auditors to use the existing CSA data, and few external auditors were making CSA-related requests of the organizations. Of the 67 respondents that used CSA and also received an independent audit, none indicated that management had requested that CSA be used by their auditor. Likewise, no auditor asked an organization to implement new CSA activities relevant to the external audit. Only 14 organizations indicated that their auditors had requested evidence created through existing CSA activities.


The internal and external audit functions are two critical components of an organization's governance system, and the International Standards for the Professional Practice of Internal Auditing recognize that the two functions should be effectively coordinated. After Sarbanes-Oxley was passed, internal control responsibilities increased for both internal and external auditors, creating an area where tremendous value can be achieved through proper coordination. Internal auditors have been leaders in the effective use of CSA in control evaluations.

Since Sarbanes-Oxley Was Passed:

  • Both internal and external auditors must now provide more thorough evaluations of the internal control system.
  • Soft controls are widely recognized as an important element of all internal control systems and they must be evaluated properly.
  • Tools to evaluate soft controls are scarce, and CSA is a highly effective tool for this purpose.
  • CSA could be used by both internal and external auditors to more effectively meet their objectives relating to internal control evaluations.
  • Internal auditors have an increased responsibility to coordinate the activities of the external auditor, including coordinating the organization's use of CSA and available CSA data that could be used by external auditors.

External auditors also have enhanced control responsibilities under Sarbanes-Oxley. In addition to their long-standing responsibility to evaluate an organization's control system as part of a financial statement audit, Section 404 requires that the external auditors attest to the fairness of management assertions contained in their internal control report. In essence, external auditors are now required to audit the organization's system of internal control over financial reporting while also auditing the financial statements. This additional attestation on internal control necessitates a level of control understanding and testing that far exceeds what formerly was necessary to support an opinion on the financial statements. Using CSA can contribute to the effective attainment of these comprehensive audit responsibilities. But the survey results show that a significant number of individuals at organizations possessed negative sentiments about external auditors being involved in their CSA activities even though most organizations had no direct experience with such involvement. A majority of organizations did not believe that external auditor involvement in CSA activities would improve their CSA initiatives, and a significant minority (ranging from 19 to 45 percent, depending on the question asked) thought that external auditor involvement would actually hurt their CSA processes.

Performance Standard 2050 — Coordination and its related practice advisories place a professional responsibility on internal auditors to effectively coordinate internal and external auditor control activities. Since the advent of Sarbanes-Oxley, this responsibility has taken on increased importance, because the enhanced involvement of external auditors in the control arena has a direct bearing on the quantity and quality of the control information available to top management and the board as they govern their organizations and fulfill their statutory responsibilities under Sarbanes-Oxley.

Five Ways Organizations Can Promote CSA to External Auditors

  1. Consider the needs of external auditors when planning a CSA agenda.
  2. Apply CSA tools to areas most relevant to the external audit, particularly internal controls promoting the reliability of financial statements.
  3. Communicate with external auditors about the organization's CSA programs and encourage them to use CSA-produced evidence.
  4. Be receptive to reasonable external auditor requests for new CSA initiatives.
  5. Educate employees about the advantages of external auditor involvement in CSA to help dispel negative sentiments that may exist.

To fulfill their responsibilities under Standard 2050, internal auditors should determine whether external auditors are using CSA to evaluate the many soft controls that are a critical component of any internal control system under COSO's Internal Control–Integrated Framework. Soft controls are too important to ignore and the appropriate tools must be used to evaluate them.


Because of the potential value of CSA, organizations and their internal auditors should work together to effectively integrate CSA into the external audit process. The survey of IIA Control Self-assessment Center members revealed that organizations were not using CSA in areas most relevant to external auditors, that organizations and auditors were not communicating with each other about the use of CSA, and that a significant proportion of employees appeared to hold negative sentiments about the value of external auditor participation in their organization's CSA activities.

Internal auditors should do all that they can to promote CSA. If organizations implement the five measures listed above, the likely result would be enhanced coordination between the internal and external audit functions, more effective and efficient independent financial statement audits, enhanced compliance with regulatory requirements, and more constructive internal control recommendations from external auditors.

Dr. Terry J. Engle, CPA, currently serves as the advisory council professor of accounting at the University of South Florida. His teaching and research interests are in the areas of internal auditing and independent financial statement auditing. Engle has been the author of numerous articles that have appeared in leading academic and practitioner journals, including the American Accounting Association's Accounting Horizons, The IIA's Internal Auditor, The New York State Society of CPAs' The CPA Journal, and the American Institute of Certified Public Accountants' Journal of Accountancy.
Dr. Gilbert W. Joseph, CPA, CISA, is the endowed Dana Professor of accounting at The University of Tampa, Florida. He teaches financial and accounting systems courses and is an active member of several professional societies. Joseph has published more than 30 articles on a variety of topics in many academic and professional journals. Prior to teaching, he spent more than 20 years with the U.S. government working in computer systems.

Enhancing the Bottom Line: Moving From Risk to Compliance

Learn how a risk-based approach to compliance can contribute to better business performance in any organization by saving time and money.


The latest publications (Dec. 2006 and Apr. 2007) by the Public Company Accounting Oversight Board and the U.S. Securities and Exchange Commission on implementing a risk-based approach to compliance are receiving a lot of attention in the audit world. This is understandable because implementing a risk-based approach is an important driver in reducing audit and compliance costs. In addition, this type of approach ties business performance back into compliance as companies are now asked to focus even more on risks and controls. But can existing compliance investments be leveraged successfully to implement this risk-based approach?

According to a recent KPMG study published in The Netherlands, Return on Compliance: Utopia or Reality, the answer is yes. The study shows a positive relationship between clean Sarbanes-Oxley filings (i.e., filings without significant deficiencies or material weaknesses) and the growth of a company's market capitalization. The research showed a 28 percent rise in market capitalization for publicly listed companies with clean filings, compared with an average of 18 percent for publicly listed companies overall. This example illustrates that investments in proper compliance with Sarbanes-Oxley do pay off, but that is not the only benefit. A risk-based approach to compliance can also significantly improve the bottom line by enhancing related business performance, and it helps a company identify the really important controls: those whose failure would seriously impact the company's financial performance. That is what Sarbanes-Oxley was all about: protecting companies and their shareholders from serious downfall.


Tips for Managing the Lifecycle of Risks

  • Decide on the objectives to be achieved.
  • Determine what could prevent each objective from being achieved. What could go wrong? What are the risks?
  • Identify the inherent risk and opportunity values.
  • Determine what the company wants to do about these risks. What is the risk response?
  • Identify the controls in place for these risks.
  • Determine the residual risks.
  • Decide under what conditions the company will accept these residual risks.
  • Monitor objectives, risks, controls, and actual losses in a consistent manner.

To comply with Section 404 of Sarbanes-Oxley, publicly listed companies must identify their key controls and demonstrate both their design effectiveness and their operating effectiveness. Simply put, the failure of even one of those key controls could result in a misstatement or restatement of the company's financial statements.

Testing a key control, including collecting the electronic evidence, takes several hours per control for most companies; US $500 per tested control is the average estimate reported by the Big Four accounting firms. Reducing the number of key controls to be tested means less testing, which results in less spending.

In addition, if Section 404 of Sarbanes-Oxley is not the only compliance regulation a control is related to, the monitoring of key controls becomes even more complicated. In some instances, publicly traded companies must comply with multiple regulations (e.g., privacy, product liability, employee safety and health, environmental regulations, anti-money laundering) that often overlap related controls. Typically, different departments conduct assessments with their business colleagues in a highly inefficient and ineffective manner by sending out numerous testing sheets, questionnaires, surveys, and assessments on topics like business continuity, business principles and ethics, information technology (IT) security, and regulatory issues including Sarbanes-Oxley. The value of integrating these frameworks into one common risk framework is enormous. The goal should be to assess once and use many times for all different regulations. A control that relates to Sarbanes-Oxley, as well as to the U.S. Patriot Act and Basel II, then needs to be documented and tested only once. In the traditional silo approach, the control would have been documented three times in three different systems and tested separately. Leading companies have already demonstrated the benefit of integrated frameworks.

Besides the convergence of controls, other measures — like implementing automated controls — can be taken to reduce compliance costs. Testing a manual key control requires more effort than testing an automated control. One primary reason is that auditors require larger sample sizes for a manual control. An automated control performs better than a manual control, provided the related IT processes are properly managed. Automated controls are also more economical given the streamlined approach and resulting improved performance. However, despite these benefits, a survey of BWise's clients shows that somewhere between 50 and 80 percent of all current controls are manual, with a larger percentage of automated key controls found in highly automated industries like financial services and technology companies.

Increasing the number of automated controls can be beneficial as long as the investment in the automation does not surpass the benefit of less testing and higher reliability. The key to optimizing costs is the standardization of related processes, which is driven by the implementation of a risk-based approach across the organization.

Figure 1: Simplified risk framework


Although some companies have made important first strides by documenting their controls using a risk-based approach, many have not yet taken real advantage of this approach. In figures 1 and 2, a methodology is presented on how to actually implement such an approach. Figure 1 is an example of a simplified risk framework where controls are mitigating certain risks in a particular process. Figure 2 represents an elaborate risk framework where the relations are built between significant accounts, control objectives, processes, risks, and controls within entities and divisions. In reality, however, the risk framework will be even more complex and will include IT systems and entity-level controls.

Even if a company's existing documentation is not structured like the frameworks shown, it will likely be relatively simple to insert the missing information; for example, risks or control objectives can be added to the company's existing model. It is important that the risks are identified at a sufficiently high level and not merely as a negative formulation of the control. To truly implement a risk-based approach, risks need to be identified as business risks. For example, a risk stated as "segregation of duties is not implemented" adds little value over a control identified as "segregation of duties." The risk should preferably be formulated as a business risk, or at least as a risk that applies to business processes. The same can be said about the relationship between a risk and a control objective. A control objective is not the opposite of a risk: a control objective is something an organization wants to achieve, whereas a risk is something that threatens that objective.

Figure 2: Elaborate risk framework

For some companies, documentation is focused on identifying the controls and not much more. In those cases, risks are either not documented or are documented at such a granular level that they have little true business value. Similar observations can be made about objectives, which are also often defined at too granular a level. To implement a risk-based approach, defining them at a business level is beneficial, if not a prerequisite.

In addition, if the existing compliance documentation lacks the business risk component, risk templates are available that allow companies to quickly enrich their existing documentation and proceed from there.


The risk-based approach can be implemented in various ways. Risk-based scenario analysis is probably the most elaborate and sophisticated methodology, but this approach requires a mature sense of risk in the company. Only the most seasoned companies can adopt this approach because it asks for a significant amount of high-quality data. Mature governance, risk, and compliance platforms offer this capability for most companies as a potential growth model.

However, compliance and enterprise risk management software is available that allows businesses to run a risk assessment based on the information a company already has. Loading the existing compliance documentation into a sufficiently comprehensive risk-based compliance solution will allow running a risk assessment without any additional investments. Prior investments — often running into millions of dollars in compliance documentation — can now pay dividends.

Business managers often are asked to assess the impact and likelihood of risks that could occur. There are various types of risk assessments and just as many ways to conduct one, ranging from high-level enterprise risks to low-level process risks, and from assessing inherent risk to assessing residual risk, or both.

This initial risk assessment also will immediately show whether the identified business risks make business sense. Business managers should be able to provide answers regarding the potential impact and likelihood as well as:

  • Understand and assess the risk at a business level by envisioning the risk occurring.
  • Be able to perform the risk assessment within a reasonable amount of time, asking for the risks to be defined at the appropriate level.


Several types of risk assessments are used around the world. Following are a few of the more common examples, including their application and benefits for the implementation of a risk-based approach.

Inherent Risk Assessment (Gross Risks)
The inherent risk assessment analyzes the impact and likelihood — or frequency and severity — of risks identified as if there were no controls. In practice, this is often a challenging task for non-experts because it is hard to imagine the controls not in place. However, if the inherent risks are known, they are a strong indicator of where to put in the effort. The inherent risk assessment also states what the specific risk is — in case the control fails (i.e., the control is not effective). Therefore, if the inherent risk impact or severity is higher than a certain threshold (i.e., the materiality level), the underlying controls should be in scope. In other words, the inherent risk assessment is a good tool to use to implement a risk-based approach to compliance but might require risk training for the people conducting the risk assessment.

Residual Risk Assessment (Net Risks)
The residual risk assessment analyzes the risk with the controls in place, including the anticipated effectiveness of the related controls. This is not a control test as is required for Sarbanes-Oxley, but rather a limited assessment of the relevance of that control. These types of assessments are easier to conduct, and not surprisingly, are the ones most commonly used. This is because staff is asked to assess the exact situation they know, as opposed to a virtual situation they can only envision, as is the case in an inherent risk assessment. From a residual risk assessment, experts may conclude which risks are most vital, and therefore, which controls are relevant. This analysis is less thorough than the inherent risk assessment and the most value can be derived if risks are assessed at both an inherent and residual risk level as this combines all relevant information.

Scenario Analysis With Expected and Extreme Value
An assessment type often applied at the enterprise level is a scenario analysis where expected values for impact and likelihood are asked together with extreme values, like a worst and best case. These values can be used to determine which risks are truly relevant, which opportunities should be explored, and which controls should play a vital role.

Quantitative Versus Qualitative Risk Assessments
An important part of every risk assessment discussion is the question of whether quantitative or qualitative answers should be given. Obviously, quantitative answers are preferred, provided the answers are correct. The reality is that it is often extremely hard to give a well-argued quantitative answer. Therefore, many organizations conduct qualitative assessments and translate these back into more quantitative answers in a validation round based on the input of many individuals.


Although there are many ways to implement a risk-based approach for compliance, the first step toward significantly reducing the number of controls and compliance costs in any company is choosing the risk assessment that is most appropriate. For all variants of using risk assessments to implement a risk-based approach to compliance, it is vital to consider the following points:

  • Agree with the external auditor on the methodology, the quantification, the rationale behind decisions taken, and the risks taken into account.
  • Use available best practice templates.
  • Leverage technology that will allow the re-use of existing compliance documentation to implement a risk-based approach to compliance without having to invest a second time in large risk documentation efforts.

And above all else, make sure that besides the appropriate governance, risk, and compliance (GRC) solution platform, the appropriate methodology is used.

Dr. Luc Brandts is chief technology officer of BWise, a provider of GRC solution platforms. Brandts has 18 years of technology and business management experience across numerous industries including financial services, government, manufacturing, health care, and telecommunications. He has been involved in projects implementing GRC technology to cover Sarbanes-Oxley, Basel II, ISO, IT governance, and other regulations.


Q&A With Dave Harmon

"I'm looking for new ideas on how to assess my organization. What is a CSA opportunity that is not commonly considered?"


One control self-assessment (CSA) approach would be a program directed toward management effectiveness. Many assessment activities are predicated on the assumption that management is basically good and that processes, resources, or staff are the things that require attention. While to a limited degree, management effectiveness is considered as part of the control environment assessment in most CSA applications, it is not the central focus of the CSA. But most feedback is too general to take the necessary specific action unless there is a major systematic issue.

A rigorous self-assessment program dealing with management effectiveness would have several benefits. First, it would enhance the control environment by clearly establishing standards, as well as a measurement process for management effectiveness, both in terms of the process itself and the perception. Second, management setting an example would send a clear message to staff members that the organization is serious about control improvement.


  1. Planning. The program would require planning, and like all CSA initiatives, sponsorship at the highest levels — executive as well as human resources — of the organization.
  2. Agreement. All involved parties need to agree upon what constitutes good management and the development of appropriate survey instruments that could be used to collect data. A starting point for this discussion might be The Committee of Sponsoring Organizations of the Treadway Commission's Enterprise Risk Management – Integrated Framework, which could provide some guidance. Also, human resources would be a good resource for developing the more detailed portion of the assessment.
  3. Rollout and assessment. This type of program would require adequate advance explanation. It would likely create a lot of anxiety and, for most organizations, it would represent the beginning of a real change in culture. To really be useful, the assessment would need to be mandatory for all management and gather input from subordinates, as well as peers and superiors. This sometimes is referred to as 360-degree feedback.
  4. Evaluate the results. The assessed manager — and perhaps his or her supervisor — would receive the results and human resources would assist the manager in interpreting the results, suggesting courses of action where appropriate.
  5. Follow-through on assessment results. Follow-through can be done either by individual managers, superiors, or human resources.


The first year would be the most difficult, but at the same time, it would present the greatest opportunity for building credibility. If this is an absolutely new process, you can be assured that while there will be room for improvement across the board, a few glaring management problems may require immediate attention. The important thing is to have an appropriate, measured response. Individual managers and their supervisors are well equipped to deal with most issues reported (e.g., communications, performance evaluations, perceived equity issues, transparency of processes). However, if there is clear dysfunction in the group, it may require human resources to become directly involved. As with other CSA results, if a significant issue is reported, some action — whether it be training, reassignment, or termination — must result.

I have personally seen such a program implemented and it made a huge difference. Although the system won't guarantee that every manager is perfect, it does have the capability to improve overall management. In the program I saw implemented, there was flexibility for dealing with good performers that were not management material and a few underperformers were removed altogether. Some may view this as a stretch for CSA, but I honestly disagree. Management is as key a control as any other, and it makes perfect sense to have CSA assess it.

Have a question about CSA you'd like to ask Dave? E-mail your question to the editor. It could be answered in a future issue of CSA Sentinel.

David Harmon, CIA, CCSA, CPA, CISA, is director of financial management programs at the University of California, Los Angeles, and instructs several IIA courses on CSA. Harmon helped to develop a CSA program in his former position at Fannie Mae and contributed to the questions in The IIA's Certification in Control Self-assessment exam.


According to Mike

CSA Is Moving Up the Corporate Ladder


On a recent rainy day, I found myself reading a shareholder information package for stock I own in a U.S. company. It was two inches thick and double-sided. But don't worry. This is not going to be an article about how unruly annual reports have become since the Enron days. What caught my eye was a statement regarding how this company's audit committee performs a self-assessment each year.

I was pleasantly surprised to read in a disclosure document that members of an audit committee are actually conducting self-assessments. However, I was shocked when I discovered the audit committee was the only part of the board to conduct these assessments. Neither the entire board nor any other committee — governance, nominating, compensation — disclosed any type of self-assessment. Why would only one quarter of the board be conducting a self-assessment? Was this a business standard or an anomaly? This really piqued my interest in what other organizations are doing, so I decided to do some research. And while this research was in no way a statistically valid endeavor, I did learn some interesting facts about self-assessments in today's companies.


My research began by visiting The IIA's Global Audit Information Network (GAIN) site. This site offers information and results from surveys sent to thousands of members on a wide variety of topics, including internal audit processes, corporate governance, the U.S. Sarbanes-Oxley Act of 2002, and enterprise risk management, to name a few. For the research at hand, I found a survey conducted in 2004 that specifically addressed self-assessments being performed by the board and its committees.

Out of the online survey invitations sent out in 2004, 19 percent of the respondents stated that their board performed a formal written self-assessment with rankings. Another 8 percent had a formal written program but without rankings, and 7 percent said it was only based on discussion. Finally, 15 percent of respondents were developing a program and 32 percent did not have one. The remaining 18 percent weren't sure about their organization's self-assessment programs.

It would be interesting to see how those statistics have changed in three years, but I'm more interested in what is taking place in the more formal assessments today and, most importantly, the results. Thanks to the internet, by typing "board of directors self-assessment" into a search engine, I was presented with a plethora of corporate, private, government, and nonprofit sites stating that a board self-assessment is performed. I was particularly interested in three organizations and how they handle self-assessments.


IT service provider CGI Group impressed me not only by its detailed disclosure, but also by how much thought went into making the self-assessment a thorough examination. The self-assessment program was referred to 13 times in regards to how it evaluates various responsibilities, procedures, policies, and committees of the board. The following is an excerpt from the corporate governance committee's report:

"The corporate governance committee, chaired by the lead director, conducts an annual self-assessment of the effectiveness of the board as a whole, of the standing committees of the board, and of the contributions of individual directors. It is also responsible for establishing the competencies, skills, and personal qualities it seeks in new board members with a view to adding value to the company, and directors are assessed against the contribution they are expected to make. This assessment is based on annual questionnaires to which directors respond.

"The board of directors reviews the assessment of its performance and the recommendations provided by the corporate governance committee annually with the objective of increasing the board's effectiveness in carrying out its responsibilities. The board takes appropriate action based on the results of the review process."

Here is an organization that has assigned a lead director the responsibility of overseeing an annual board and committeewide self-assessment. Moreover, it is a thorough examination that leads to proactive action so that the board, its committees, and members are constantly striving to implement better procedures and processes for continuing good corporate governance.


Another organization that caught my attention was the Luxembourg-based steel manufacturer, Arcelor. The following excerpt is from their corporate governance Web site.

"The self-assessment questionnaire covered seven principal themes:

  • The organization of board meetings and follow-up activities.
  • The board's composition.
  • The current director independence criteria.
  • The board's missions and the scope of its powers.
  • The remuneration of the board's members.
  • The audit committee's operating procedures.
  • The appointments and remuneration committee's operating procedures.

"Based on answers provided and observations made by board members, decisions were taken to make further improvements to the operating procedures of the board and its committees. It was also decided to increase the number of ordinary board meetings per year from six to seven."

Arcelor's board approved this self-assessment in 2004 and implemented it for the first time in 2005. What was of particular interest to me was that through the self-assessment, the board actually found areas where it could improve itself and its committees. To me, this was a vindication that self-assessment at any level of the organization can be a powerful tool in helping to improve operations and processes.


The third organization that interested me was Kingdom Oil, a not-for-profit religious organization. Kingdom Oil actually publishes a copy of their annual board self-assessment on their Web site. Although a small not-for-profit organization, it is interesting that many of the 12 questions the board members have to respond to can be applicable to any other organization — large or small, public or private, for profit or not.


Considering the way these three organizations handle self-assessments, there is really no excuse why any organization's board should not conduct an annual self-assessment.

Through my impromptu research on self-assessments in today's organizations, I learned many interesting things. Primarily, and most importantly, I learned that many organizations' boards are performing self-assessments. This is great news for auditors and stakeholders alike. Based on this discovery, I drew the following conclusions:

  1. Although some self-assessments are better than others, these assessments are helping to improve corporate governance.
  2. The entire board and its committees should complete annual self-assessments to generate a complete evaluation of all areas of corporate governance.
  3. Change is rapid, even at the upper levels, so it's imperative for organizations to continue revising self-assessments to make sure negative and positive outcomes of potential change are addressed.
  4. If the board of an organization is performing a self-assessment, there are no excuses for the rest of an organization to not do the same.
  5. There is a great opportunity for internal audit departments to step forward and help the board in its self-assessment evaluation by offering its expertise and knowledge in corporate governance, risk, control, and process improvement.

Michael Pidzamecky, CFE, CMA, is a private consultant who works with CSA and ERM processes. Pidzamecky has developed several self-assessment approaches, presented sessions for IIA courses and conferences, and written questions for The IIA's Certification in Control Self-assessment exam.


Quick Tips: Four Tips to Help Develop a Successful and Sustainable CSA Program

Following these tips can help internal auditors plan and prepare for a successful CSA program.


The Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Internal Control — Integrated Framework is the foundation for all other components of the internal control framework and includes factors such as culture, integrity, ethical values, and management philosophy. Because each organization is unique, it is imperative to carefully consider the ethical and cultural environment of the organization when determining which control self-assessment (CSA) process to implement to achieve positive and lasting results. Additionally, auditors and CSA practitioners need to make sure they have a clear understanding of the objectives identified by operational management, audit and compliance, and all employees. Value must be derived from these three groups to help develop a successful and sustainable CSA program. Whether an organization identifies risk through internal control questionnaires or facilitated workshops, using these simple tips — combined with understanding the organization's objectives — will help create a successful CSA program.


Planning is essential for a successful CSA. Prior to implementing anything, do your homework to determine the right CSA approach for the organization. CSA can be an excellent tool for identifying and reducing organizational risks, but because questionnaires and workshops are beneficial in different ways, networking with other audit professionals can help auditors determine the best approach to implement in a particular organization.

Internal Control Questionnaires
The advantage of using internal control questionnaires is the ability to reach a broader audience in less time. A questionnaire could reach each employee in an organization at every location with little effort. However, each questionnaire is only as good as the questions being asked and this process does not allow respondents to add detailed information pertinent to the topic. When planning to use questionnaires, keep these things in mind:

  • Questionnaires should be carefully and thoughtfully worded to allow employees from all levels and backgrounds to understand what is being asked.
  • Keep internal control questionnaires short to maximize participation. A maximum of 20 to 25 questions is best.
  • For better results, avoid sending surveys too close together. Internal auditing may not be the only department within the organization to rely on surveys for information, and there could be some confusion and burn-out experienced by employees.
  • Use a rating scale appropriate for the topic and use an even number of options to prevent participants from consistently voting in the middle of the range (e.g., consider 1–4 or 1–6). This helps make sure the survey questions are understood and provides better results when analyzing responses.

Facilitated Workshops
Facilitated workshops are advantageous because participants buy into the process and identify their own risks. The process of analyzing and prioritizing these risks lies with the people affected by the risks. In addition, conversation between participants in a workshop can be expanded upon and action steps to reduce risks can be discussed. However, facilitated workshops are time- and labor-intensive, so it would take considerable time to complete workshops in every department of most organizations. When planning workshops, remember that:

  • Employees must achieve results rather than feeling like another process is being imposed by management.
  • Employees from all levels of an organization should participate. The people who perform the day-to-day work may be aware of risks but lack a venue to bring them to the attention of management. Ideas for addressing risks can be discussed collectively by all participants and management.

Regardless of which approach is used, an important — and often overlooked — element of the planning phase is explaining the CSA process to management and establishing expectations regarding the benefits that can be derived from it. This will help generate support before questionnaires are distributed or workshops are held.


In a CSA process, planning and preparedness go hand in hand. CSA practitioners employ different methods to prepare for internal control questionnaires and facilitated workshops. No matter the approach, time should always be factored in to adequately prepare for the assessment. Here are some things to keep in mind during preparation:

  • Identify high-level risks and include them in the survey.
  • Know the audience and gear the material to employees in the appropriate job classifications.
  • Allow enough time for responses (e.g., three weeks as opposed to one week).
  • Send reminder notices to increase participation.
  • Do not issue surveys close to major holidays because employees may be rushed to complete their work before a vacation or will be buried under work when they return to the office.
  • Do not overlap surveys; response rates could significantly drop due to confusion.
  • Establish ground rules for workshops and make certain participants understand and agree to abide by them.
  • For workshops, ensure logistics are conducive for group participation and consider the best location, table and chair configuration, seating preferences, equipment, and room temperature.


After the questionnaires have been returned and evaluated or after a workshop has ended, many CSA practitioners forget or take too long to share the results with participants. After the CSA process is complete:

  • Schedule time to communicate and deliver the results of internal control surveys or facilitated workshops as soon as the results are available.
  • Follow up in a timely manner with management to assess whether appropriate action has been taken to address risks.
  • Add an educational component to internal control questionnaires and workshop results by providing employees with corporate policies or other references at the conclusion because the information may be new to some employees.


CSA is not just a tool to help organizations achieve their objectives. It provides an avenue for auditors and practitioners to hone their process and become even more experienced. By keeping the following final things in mind, practitioners will be able to create a successful CSA program:

  • Never stop improving your CSA process; one size does not necessarily fit all. An organization may get more benefit from a combination of internal control questionnaires and facilitated workshops.
  • Continue to earn the trust of the customers; everyone is employed by the same organization.
  • Avoid the temptation to perform an internal audit too close to a facilitated workshop, as this could impact future participation levels.
  • Monitor your own progress.
  • After a period of time, distribute an internal control questionnaire again or facilitate another workshop to ascertain whether risks previously identified are addressed and new risks are recognized.
  • Continue to add value to your organization and customers by educating them on policies and procedures and being available for questions.

Judi Locketz, CCSA, is the director of internal controls and accountability at the University of California, San Francisco (UCSF). Judi developed and teaches an ethical awareness course at UCSF, is a California certified mediator, and is a volunteer instructor for The IIA. Prior to joining UCSF, Judi spent 11 years working in the internal audit field for various industries.


Center News


Mark your calendar for The IIA's 2007 Risk and Control Conference, Aug. 20–22, in San Diego, Calif. The conference will offer an array of tools and knowledge to help auditors improve their organization's risk management and control processes.

Conference topics include governance, risk, and compliance issues, and attendees will be able to choose from the following five tracks:

  1. Critical Issues
  2. Coffee Talk Session: Strategies for Success
  3. Auditor's Tool Box
  4. Technology Solutions
  5. Professional Development

Keynote speakers include Roderick M. Winters, CIA, CPA, of Microsoft Corporation, who heads an internal audit group that is widely viewed as an innovative audit organization and a leader in leveraging technology and employee empowerment; Odell Guyton, director of compliance at Microsoft Corporation; and Gerald D. Cox, CIA, of South West Audit Partners, The IIA's incoming chairman of the board, who has more than 25 years of internal audit experience.

Attendees will also have numerous networking opportunities to share ideas, best practices, and discuss the current challenges facing their organizations.

To obtain additional information and to register, visit The IIA's Web site or contact customer service at +1-407-937-1111.


To help internal auditors and chief audit executives understand the benefits and challenges of information technology (IT) outsourcing, The IIA recently published its new Global Technology Audit Guide (GTAG) on IT Outsourcing. Key issues addressed in this guide include: choosing the right IT outsourcing vendor; the best ways to manage outsourcing contract agreements; how to mitigate outsourcing risks; and the most effective framework for establishing outsourcing controls. To download a free copy, visit The IIA's GTAG Web page.



Upcoming Risk and Control Training Events

May 2007
Adding Value Using Risk-based Auditing

  • May 23–25; Las Vegas, Nev.

COSO "III" — Applications and Emerging Practices Workshop

  • May 24–25; Orlando, Fla.

Enterprise Risk Management: What's New? What's Next?

  • May 23–25; Las Vegas, Nev.
  • May 23–25; Orlando, Fla.

Evaluating Internal Controls: A COSO-based Approach

  • May 21–23; Las Vegas, Nev.
  • May 21–23; Orlando, Fla.

Facilitating Results Using CSA

  • May 23–25; Orlando, Fla.

Introduction to Control Self-assessment

  • May 21–23; Orlando, Fla.

SOX Primer: Charting Your Course

  • May 21–23; Orlando, Fla.

Value-added Business Controls: The Right Way to Manage Risk

  • May 23–25; Las Vegas, Nev.

June 2007
Adding Value Using Risk-based Auditing

  • June 11–13; Ottawa, Ontario

Evaluating Internal Controls: A COSO-based Approach

  • June 20–22; Minneapolis, Minn.

Sarbanes-Oxley Act: Assessing IT Controls

  • June 13–15; Ottawa, Ontario

Value-added Business Controls: The Right Way to Manage Risk

  • June 13–15; Ottawa, Ontario

July 2007
Corporate Governance: Strategies for Internal Audit

  • July 23–25; Orlando, Fla.
  • July 25–27; Las Vegas, Nev.

COSO "III" — Applications and Emerging Practices Workshop

  • July 26–27; Las Vegas, Nev.

Enterprise Risk Management: What's New? What's Next?

  • July 25–27; Las Vegas, Nev.

Introduction to Control Self-assessment

  • July 30–Aug. 1; Boston, Mass.

Sarbanes-Oxley: Process Improvement Workshop

  • July 31–Aug. 1; Boston, Mass.

SOX Primer: Charting Your Course

  • July 23–25; Las Vegas, Nev.

Value-added Business Controls: The Right Way to Manage Risk

  • July 25–27; Las Vegas, Nev.

August 2007
2007 Risk and Control Conference

  • Aug. 21–22; San Diego, Calif.

Adding Value Using Risk-based Auditing

  • Aug. 1–3; Boston, Mass.

COSO "III" — Applications and Emerging Practices Workshop

  • Aug. 30–31; Palm Beach, Fla.

Enterprise Risk Management: Process Improvement Workshop

  • Aug. 2–3; Boston, Mass.

Enterprise Risk Management: What's New? What's Next?

  • Aug. 6–8; Charlotte, N.C.
  • Aug. 29–31; Palm Beach, Fla.

Evaluating Internal Controls: A COSO-based Approach

  • Aug. 27–20; Palm Beach, Fla.

Facilitating Results Using CSA

  • Aug. 1–3; Boston, Mass.

Sarbanes-Oxley Act: Assessing IT Controls

  • Aug. 15–17; San Francisco, Calif.

To add your CSA course, seminar, conference, or event to the calendar, please forward all pertinent information to Editor Allison Cain via e-mail or by fax, +1-407-830-4832.
