Second Quarter 2007 • Vol. 11 • No. 2
CSA Sentinel – CSA Center membership required for access.
Welcome to CSA Sentinel, The IIA's quarterly publication for control-self assessment (CSA) professionals. As a benefit of membership in The IIA's CSA Center, this newsletter features articles on the latest thinking in CSA and risk, practical "how-to" advice, research, and news with the latest development updates.
In This Issue
Maximize Your Internal Audit Function
Improving Internal and External Audit Coordination
Enhancing the Bottom Line: Moving From Risk to Compliance
Q&A With Dave Harmon
According to Mike
Quick Tips: Four Tips to Help Develop a Successful and Sustainable CSA Program
All contents of this Web site, except where expressly stated, are the copyrighted property of the Institute of Internal Auditors Inc.
Maximize Your Internal Audit Function
Optimize your ability to meet organizational objectives by aligning your internal audit goals with your strategic goals.
ALISON WOLF, CIA, CFA
INTERNAL AUDIT QUALITY ASSESSMENT OPTION COMPARISON TABLE

External Assessment
Benefits:
Internal audit focuses all resources on conducting operational, financial, and compliance audits.
Provides a completely independent and objective assessment and opinion using externally-generated samples and testing plans.
Completed quickly. An external organization can focus on the IAQA.
An external organization provides fresh best practices and a range of staff experience.
Drawbacks:
More expensive. The range varies depending upon the size, number of audits, and complexity of the internal audit department. However, the opportunity cost of having staff available also must be considered.
The external validation delivers best practices, but the ground-level training and experience for staff is reduced.

Self-assessment With External Validator
Benefits:
Develops a self-assessment program that evolves into a part of the organizational fabric and culture.
Reduces the cost of an IAQA by completing the self-assessment in house.
Provides a training exercise. Builds a team effort and culture within the internal audit department.
Drawbacks:
May reduce the potential for fresh best practices to increase effectiveness and efficiency.
Potential difficulties exist for the leader and staff of the internal self-assessment team to deliver recommendations for improvement to their own department.
Redirects resources (e.g., people and time) from operational, compliance, and financial audits.
More time to complete, as staff have multiple simultaneous tasks to complete.
Internal audit functions may be structured and staffed in different configurations depending upon the size of the company and the industry. However, there are several common problems shared by many internal audit departments that may be found by a self-assessment:
Poor Timeliness
The cause of poor timeliness may be difficult to ascertain, especially in complex audits. The usual causes are scope creep, inability to obtain test data, or poor planning. The impact on strategic goals is that management may not be receiving up-to-date assessments of the processes and controls over operational and financial data to use in decision making. For example, if management is not aware of misclassified loans in a financial organization's trial balance, how will it decide on loan pricing and regulatory capital strategies for commercial versus residential loans?
Quick Fix: Try assigning a single individual, possibly an administrative assistant, to track the stages of each audit in order to monitor progress and understand where bottlenecks or delays are occurring. For example, if an organization expects the fieldwork phase to last two weeks but it continues for three, management can trace the fieldwork steps to the cause of the delay, such as scope creep or late receipt of data. If it becomes obvious during the audit that the next deadline will not be met, the cause and the actions taken to remediate the delay should be documented. The results of the tracking effort should be discussed in periodic staff meetings so that no project is left unmonitored for a long period. In addition, rewarding employees for timely audits, and for documenting known delays in ongoing audits, may encourage quicker turnaround times.
Insufficient Qualified Staff
The absence of sufficient qualified staff is created partly by the nature of internal audit. Internal auditors often are expected to perform audits on multiple lines of business with diverse technologies, products, geographies, and control infrastructures. The ability to be experienced and trained in every area is naturally limited. The impact on strategic goals is that audit risk may increase and the information reported back to management may be neither focused nor accurate.
Quick Fix: Use outside experts in audits as necessary. These experts can be external service providers, independent contractors, or an independent, internal resource loaned to the internal audit department for a specific project. This may mean using one person who is, for example, an "ABC software" expert in all audits where this technology is used. Coupling inexperienced staff with subject matter experts can expedite the training process so that dependence upon outsiders is reduced over time. This is similar to apprenticeships, which are useful as long as the requirements of independence are met.
Absence of Risk Assessment
The assessment of risks associated with a process should be part of the initial audit planning stage. To be efficient and effective, internal auditors want to ensure not only that all high-risk areas are audited but also that the higher-risk areas are assessed first, because the consequence of a control failure is inherently greater there than in lower-risk areas. Identifying each individual risk affecting the company and debating the relative priority of each is often perceived as a monumental project. The project is further complicated by the dynamic nature of corporate businesses, which often renders an initial risk assessment obsolete by the time the audit team arrives.
Quick Fix: Initial risk assessments can be made general in nature. A general high-level risk assessment of each department can be achieved via a questionnaire or meeting with departmental personnel. Once this initial risk assessment has been completed, the more in-depth risk assessment can occur during the planning stage of a particular audit. In addition, it can be helpful, and in some cases required, to obtain advice from subject matter experts. The focus of the audit should always include the highest risk areas at a minimum.
The purpose of an internal audit function is to act as a tool to make sure that an organization is as effective and efficient as possible. The internal audit standards shape an independent, efficient, and therefore effective, audit function. A self-assessment will help the internal audit function operate as management anticipates and make sure that the department's risk assessment, scope development, and reporting are aligned with overall organizational strategies.
Improving Internal and External Audit Coordination
Many internal auditors already know that control self-assessment (CSA) can be an exceptionally useful tool for their organizations. Less well known is how external auditors can use CSA to improve the efficiency and effectiveness of a financial statement audit. A control self-assessment survey, conducted by the authors, of organizations and their external auditors revealed a low level of CSA usage by external auditors and a low level of communication between internal and external auditors. The survey also found several basic misconceptions on the part of internal auditors, external auditors, and other organizational personnel that likely contribute to low CSA usage. (For survey information and findings, see the sidebar "About the CSA Survey.") Because of CSA's value, organizations and their internal auditors should work to promote the use of CSA by their external auditors.
The internal audit profession has always had significant responsibilities over internal controls, which is demonstrated by its definition. In addition to their traditional control responsibilities, internal auditors are increasingly being called upon to assist management — by serving as its eyes and ears — in fulfilling its obligations under the U.S. Sarbanes-Oxley Act of 2002, particularly for Sections 302 and 404. The IIA's Professional Practices Framework also advocates that internal auditors be involved in both a consulting and assurance capacity.
As a result of the Sarbanes-Oxley requirements, the internal audit profession must evaluate both hard and soft controls under the guidelines of The Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Internal Control–Integrated Framework. Hard controls (e.g., credit approval indicated on an invoice) can be effectively evaluated by traditional auditing tests. However, soft controls (e.g., management's ethics and integrity) are vaguer and traditional audit tests are far less effective in evaluating them. The internal audit profession has been a leader in searching for new audit tools to more effectively evaluate soft controls and CSA has emerged as an effective tool in this area, but according to the survey, organizations are not using CSA in the most audit relevant areas. Only 14 percent of the 73 organizations using CSA used the tool to evaluate controls that promoted the reliability of the organization's independently audited financial statements. This use of CSA would be most directly relevant to independent financial statement audits. Yet, few organizations employed CSA in this manner.
CSA is used to evaluate organizational processes and controls, and can be helpful in improving the effectiveness of internal and external auditing. However, of the organizations surveyed, although most had CSA data available, organizations were not communicating with external auditors about their use of CSA. The organizations were not asking their external auditors to use the existing CSA data and few external auditors were making CSA-related requests of the organizations. Of the 67 respondents using CSA and also receiving an independent audit, none indicated that management requested that CSA be used by their auditor. In addition, according to the survey, no auditor asked their organization to implement new CSA activities that were relevant to the external audit. Only 14 organizations indicated that their auditors requested evidence that had been created via existing CSA activities.
The internal and external audit functions are two critical components of organizational governance systems and the International Standards for the Professional Practice of Internal Auditing recognizes that the two audit functions should be effectively coordinated. After Sarbanes-Oxley was passed, internal control responsibilities increased for internal and external auditors, which represents an area where tremendous value can be achieved through proper coordination. Internal auditors have been leaders in the effective use of CSA in control evaluations.
External auditors also have enhanced control responsibilities under Sarbanes-Oxley. In addition to their long-standing responsibility to evaluate an organization's control system as part of a financial statement audit, Section 404 requires that the external auditors attest to the fairness of management assertions contained in their internal control report. In essence, external auditors are now required to audit the organization's system of internal control over financial reporting while also auditing the financial statements. This additional attestation on internal control necessitates a level of control understanding and testing that far exceeds what formerly was necessary to support an opinion on the financial statements. Using CSA can contribute to the effective attainment of these comprehensive audit responsibilities. But the survey results show that a significant number of individuals at organizations possessed negative sentiments about external auditors being involved in their CSA activities even though most organizations had no direct experience with such involvement. A majority of organizations did not believe that external auditor involvement in CSA activities would improve their CSA initiatives, and a significant minority (ranging from 19 to 45 percent, depending on the question asked) thought that external auditor involvement would actually hurt their CSA processes.
Performance Standard 2050: Coordination and its related practice advisories place a professional responsibility on internal auditors to effectively coordinate internal and external auditor control activities. Since the advent of Sarbanes-Oxley, this professional responsibility has taken on increased importance because the enhanced involvement of external auditors in the control arena has a direct bearing on the quantity and quality of the control information made available to top management and the board as they attempt to govern their organizations and fulfill their statutory responsibilities under Sarbanes-Oxley.
To fulfill their responsibilities under Standard 2050, internal auditors should determine whether external auditors are using CSA to evaluate the many soft controls that are a critical component of any internal control system under COSO's Internal Control–Integrated Framework. Soft controls are too important to ignore and the appropriate tools must be used to evaluate them.
Because of the potential value of CSA, organizations and their internal auditors should work together to effectively integrate CSA into the external audit process. The survey of IIA Control Self-assessment Center members revealed that organizations were not using CSA in areas most relevant to external auditors, that organizations and auditors were not communicating with each other about the use of CSA, and that a significant proportion of employees appeared to hold negative sentiments about the value of external auditor participation in their organization's CSA activities.
Internal auditors should do all that they can to promote CSA. If organizations implement such measures, the likely result would be enhanced coordination between the internal and external auditing functions, more effective and efficient independent financial statement audits, enhanced compliance with regulatory requirements, and more constructive internal control recommendations from external auditors.
Enhancing the Bottom Line: Moving From Risk to Compliance
The latest publications (Dec. 2006 and Apr. 2007) by the Public Company Accounting Oversight Board and the U.S. Securities and Exchange Commission on implementing a risk-based approach to compliance are receiving a lot of attention in the audit world. This is understandable, because a risk-based approach is an important driver in reducing audit and compliance costs. In addition, this type of approach ties business performance back into compliance, as companies are now asked to focus even more on risks and controls. But can existing compliance investments be leveraged successfully to implement this risk-based approach?
According to a recent KPMG study published in The Netherlands, Return on Compliance: Utopia or Reality, the answer is yes. The study shows a positive relationship between clean Sarbanes-Oxley filings (i.e., filings without significant deficiencies or material weaknesses) and the development of a company's market capitalization. The research showed a 28-percent rise in market capitalization for clean publicly-listed companies compared to an average of 18 percent for publicly-listed companies overall. This suggests that investments in proper compliance with Sarbanes-Oxley pay off, but it isn't the only benefit. A risk-based approach to compliance can also significantly improve the bottom line by enhancing related business performance, and it helps a company identify the really important controls: those whose failure would seriously impact the company's financial performance. That is what Sarbanes-Oxley was all about: protecting companies and their shareholders from serious downfall.
To comply with Section 404 of Sarbanes-Oxley, publicly listed companies must identify their key controls and demonstrate both their design effectiveness and their operating effectiveness. Simply put, the failure of even one of those key controls could result in a misstatement or restatement of the company's financial statements.
Testing a key control, including collecting the electronic evidence, takes several hours per control for most companies; US $500 per tested control is the average estimate reported by the Big Four accounting firms. Reducing the number of key controls to be tested means less testing, which results in less spending.
In addition, if Section 404 of Sarbanes-Oxley is not the only compliance regulation a control is related to, the monitoring of key controls becomes even more complicated. In some instances, publicly traded companies must comply with multiple regulations (e.g., privacy, product liability, employee safety and health, environmental regulations, anti-money laundering) that often overlap related controls. Typically, different departments conduct assessments with their business colleagues in a highly inefficient and ineffective manner by sending out numerous testing sheets, questionnaires, surveys, and assessments on topics like business continuity, business principles and ethics, information technology (IT) security, and regulatory issues including Sarbanes-Oxley. The value of integrating these frameworks into one common risk framework is enormous. The goal should be to assess once and use many times for all different regulations. A control that relates to Sarbanes-Oxley, as well as to the U.S. Patriot Act and Basel II, will now only be documented and tested once. In the traditional silo approach, the control would have been documented three times in three different systems and tested separately. Front-running companies have already demonstrated the obvious benefit from integrated frameworks.
Besides the convergence of controls, other measures, such as implementing automated controls, can be taken to reduce compliance costs. Testing a manual key control requires more effort than testing an automated control; one primary reason is that auditors require larger sample sizes for a manual control. An automated control performs more consistently than a manual control, provided the general IT controls it depends on (change management, logical access, and operations) are themselves properly managed; an automated control is only as reliable as the system that executes it. Automated controls are also more economical given the streamlined approach and the resulting improved performance. Despite these benefits, a survey of BWise's clients shows that somewhere between 50 and 80 percent of all current controls are manual, with a larger proportion of automated key controls found in highly automated industries such as financial services and technology.
Increasing the number of automated controls can be beneficial as long as the investment in the automation does not surpass the benefit of less testing and higher reliability. The key to optimizing costs is the standardization of related processes, which is driven by the implementation of a risk-based approach across the organization.
Although some companies have made important first strides by documenting their controls using a risk-based approach, many have not yet taken real advantage of this approach. In figures 1 and 2, a methodology is presented on how to actually implement such an approach. Figure 1 is an example of a simplified risk framework where controls are mitigating certain risks in a particular process. Figure 2 represents an elaborate risk framework where the relations are built between significant accounts, control objectives, processes, risks, and controls within entities and divisions. In reality, however, the risk framework will be even more complex and will include IT systems and entity-level controls.
Even if a company's existing documentation is not constructed like the frameworks shown, it will likely be relatively simple to add the missing information, for example by adding risks or control objectives to the company's existing model. It is important that risks are identified at a sufficiently high level and not as a negative formulation of the control. To truly implement a risk-based approach, risks need to be identified as business risks. For example, a risk stated as "segregation of duties is not implemented" adds little over a control identified as "segregation of duties." The risk should preferably be formulated as a business risk, or at least as a risk that applies to business processes. The same can be said about the relationship between a risk and a control objective: a control objective is not the opposite of a risk. A control objective is something an organization wants to achieve, whereas a risk is something threatening that objective.
In addition, if the existing compliance documentation lacks the business risk component, risk templates are available that allow companies to quickly enrich their existing documentation and proceed from there.
The risk-based approach can be implemented in various ways. Risk-based scenario analysis is probably the most elaborate and sophisticated methodology, but this approach requires a mature sense of risk in the company. Only the most seasoned companies can adopt this approach because it asks for a significant amount of high-quality data. Mature governance, risk, and compliance platforms offer this capability for most companies as a potential growth model.
However, compliance and enterprise risk management software is available that allows businesses to run a risk assessment based on the information a company already has. Loading the existing compliance documentation into a sufficiently comprehensive risk-based compliance solution will allow running a risk assessment without any additional investments. Prior investments — often running into millions of dollars in compliance documentation — can now pay dividends.
Business managers often are asked to assess the impact and likelihood of risks that could occur. There are many ways to conduct such an assessment, ranging from high-level enterprise risks to low-level process risks, and assessing inherent risk, residual risk, or both.
This initial risk assessment also will immediately show whether the identified business risks make business sense. Business managers should be able to provide answers regarding the potential impact and likelihood as well as:
Several types of risk assessments are used around the world. Following are a few of the more common examples, including their application and benefits for the implementation of a risk-based approach.
Inherent Risk Assessment (Gross Risks)
The inherent risk assessment analyzes the impact and likelihood — or frequency and severity — of risks identified as if there were no controls. In practice, this is often a challenging task for non-experts because it is hard to imagine the controls not in place. However, if the inherent risks are known, they are a strong indicator of where to put in the effort. The inherent risk assessment also states what the specific risk is — in case the control fails (i.e., the control is not effective). Therefore, if the inherent risk impact or severity is higher than a certain threshold (i.e., the materiality level), the underlying controls should be in scope. In other words, the inherent risk assessment is a good tool to use to implement a risk-based approach to compliance but might require risk training for the people conducting the risk assessment.
Residual Risk Assessment (Net Risks)
The residual risk assessment analyzes the risk with the controls in place, including the anticipated effectiveness of the related controls. This is not a control test as is required for Sarbanes-Oxley, but rather a limited assessment of the relevance of that control. These types of assessments are easier to conduct, and not surprisingly, are the ones most commonly used. This is because staff is asked to assess the exact situation they know, as opposed to a virtual situation they can only envision, as is the case in an inherent risk assessment. From a residual risk assessment, experts may conclude which risks are most vital, and therefore, which controls are relevant. This analysis is less thorough than the inherent risk assessment and the most value can be derived if risks are assessed at both an inherent and residual risk level as this combines all relevant information.
Scenario Analysis With Expected and Extreme Value
An assessment type often applied at the enterprise level is a scenario analysis where expected values for impact and likelihood are asked together with extreme values, like a worst and best case. These values can be used to determine which risks are truly relevant, which opportunities should be explored, and which controls should play a vital role.
Quantitative Versus Qualitative Risk Assessments
An important part of every risk assessment discussion is whether quantitative or qualitative answers should be given. Quantitative answers are preferable, provided they are accurate. The reality is that it is often extremely hard to give a well-supported quantitative answer. Therefore, many organizations conduct qualitative assessments and translate them back into more quantitative answers in a validation round based on the input of many individuals.
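The inherent and residual assessments described above, together with the qualitative-to-quantitative translation, as an added worked example that is not from the article: a constructed three-risk register, an assumed 1-to-5 rating scale, an assumed materiality threshold, and a scoping rule that pulls a control into test scope when the inherent impact of a risk it mitigates meets that threshold. The residual ranking it prints shows why the article recommends assessing both levels: a low-impact but poorly controlled risk can rank highest on residual score while never being material.

```python
"""Added example (not from the CSA Sentinel article): a minimal risk-based
scoping pass over a constructed risk register.  Qualitative ratings are
mapped to numbers, inherent (gross) and residual (net) scores are computed,
and every control tied to a risk whose inherent impact meets the materiality
threshold is pulled into test scope.  The rating scale, the register, the
control effectiveness figures and the threshold are all assumptions."""
from dataclasses import dataclass

# Assumed 1..5 mapping for qualitative answers; a validation round would refine these.
RATING = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}


@dataclass
class Risk:
    name: str
    impact: str                   # qualitative inherent impact
    likelihood: str               # qualitative inherent likelihood
    controls: list                # identifiers of controls mitigating this risk
    control_effectiveness: float  # anticipated effectiveness, 0.0 (none) .. 1.0 (full)


def inherent_score(r):
    """Gross risk: impact times likelihood as if no controls existed."""
    return RATING[r.impact] * RATING[r.likelihood]


def residual_score(r):
    """Net risk: inherent score reduced by the anticipated control effectiveness."""
    return inherent_score(r) * (1.0 - r.control_effectiveness)


def controls_in_scope(register, materiality):
    """Inherent impact at or above materiality puts the underlying controls in
    scope, because that impact is the exposure if the control fails."""
    scoped = set()
    for r in register:
        if RATING[r.impact] >= materiality:
            scoped.update(r.controls)
    return sorted(scoped)


def ranked_by_residual(register):
    """Risk names ordered from highest to lowest residual score."""
    return [r.name for r in sorted(register, key=residual_score, reverse=True)]


# Constructed register (hypothetical risks and control identifiers).
REGISTER = [
    Risk("Unauthorized journal entries posted", "very high", "medium",
         ["C-SOD-01", "C-JE-REV"], 0.8),
    Risk("Loan misclassified in trial balance", "high", "low",
         ["C-LOAN-CLASS"], 0.5),
    Risk("Late vendor invoice accrual", "low", "high",
         ["C-ACCRUAL"], 0.3),
]
MATERIALITY = 4  # assumed: an impact rated "high" or above is material

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name}: inherent={inherent_score(r)} residual={residual_score(r):.1f}")
    print("controls in scope:", controls_in_scope(REGISTER, MATERIALITY))
    print("ranked by residual risk:", ranked_by_residual(REGISTER))
```

Run as a script it lists each risk's gross and net score, the controls a Section 404 test plan would have to cover, and the residual ranking; the accrual risk tops the residual list but its control stays out of scope because its inherent impact is below the threshold.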
Although there are many ways to implement a risk-based approach for compliance, the first step toward significantly reducing the number of controls and compliance costs in any company is choosing the risk assessment that is most appropriate. For all variants of using risk assessments to implement a risk-based approach to compliance, it is vital to consider the following points:
And above all else, make sure that, besides the appropriate governance, risk, and compliance (GRC) platform, the appropriate methodology is used.
Q&A With Dave Harmon
One control self-assessment (CSA) approach would be a program directed toward management effectiveness. Many assessment activities are predicated on the assumption that management is basically good and that processes, resources, or staff are the things that require attention. While management effectiveness is considered to a limited degree as part of the control environment assessment in most CSA applications, it is not the central focus of the CSA. But most feedback is too general to take the necessary specific action unless there is a major systematic issue.
A rigorous self-assessment program dealing with management effectiveness would have several benefits. First, it would enhance the control environment by clearly establishing standards, as well as a measurement process for management effectiveness, both in terms of the process itself and the perception. Second, management setting an example would send a clear message to staff members that the organization is serious about control improvement.
The first year would be the most difficult, but at the same time, it would present the greatest opportunity for building credibility. If this is an absolutely new process, you can be assured that while there will be room for improvement across the board, a few glaring management problems may require immediate attention. The important thing is to have an appropriately measured response. Individual managers and their supervisors are well equipped to deal with most issues reported (e.g., communications, performance evaluations, perceived equity issues, transparency of processes). However, if there is clear dysfunction in the group, it may require human resources to become directly involved. As with other CSA results, if a significant issue is reported, some action — whether it be training, reassignment, or termination — must result.
I have personally seen such a program implemented and it made a huge difference. Although the system won't guarantee that every manager is perfect, it does have the capability to improve overall management. In the program I saw implemented, there was flexibility for dealing with good performers that were not management material and a few underperformers were removed altogether. Some may view this as a stretch for CSA, but I honestly disagree. Management is as key a control as any other, and it makes perfect sense to have CSA assess it.
Have a question about CSA you'd like to ask Dave? E-mail your question to the editor. It could be answered in a future issue of CSA Sentinel.
According to Mike
On a recent rainy day, I found myself reading a shareholder information package for stock I own in a U.S. company. It was two inches thick and double-sided. But don't worry. This is not going to be an article about how unruly annual reports have become since the Enron days. What caught my eye was a statement regarding how this company's audit committee performs a self-assessment each year.
I was pleasantly surprised to read in a disclosure document that members of an audit committee are actually conducting self-assessments. However, I was shocked when I discovered the audit committee was the only part of the board to conduct these assessments. Neither the entire board nor any other committee — governance, nominating, compensation — disclosed any type of self-assessment. Why would only one quarter of the board be conducting a self-assessment? Was this a business standard or an anomaly? This really piqued my interest in what other organizations are doing, so I decided to do some research. And while this research was in no way a statistically valid endeavor, I did learn some interesting facts about self-assessments in today's companies.
My research began by visiting The IIA's Global Audit Information Network (GAIN) site. This site offers information and results from surveys sent to thousands of members on a wide variety of topics, including internal audit processes, corporate governance, the U.S. Sarbanes-Oxley Act of 2002, and enterprise risk management, to name a few. For the research at hand, I found a survey conducted in 2004 that specifically addressed self-assessments being performed by the board and its committees.
Out of the online survey invitations sent out in 2004, 19 percent of the respondents stated that their board performed a formal written self-assessment with rankings. Another 8 percent had a formal written program but without rankings, and 7 percent said it was only based on discussion. Finally, 15 percent of respondents were developing a program and 32 percent did not have one. The remaining 18 percent weren't sure about their organization's self-assessment programs.
It would be interesting to see how those statistics have changed in three years, but I'm more interested in what is taking place in the more formal assessments today and, most importantly, the results. Thanks to the internet, by typing "board of directors self-assessment" into a search engine, I was presented with a plethora of corporate, private, government, and nonprofit sites stating that a board self-assessment is performed. I was particularly interested in three organizations and how they handle self-assessments.
IT service provider CGI Group impressed me not only by its detailed disclosure, but also by how much thought went into making the self-assessment a thorough examination. The self-assessment program was referred to 13 times with regard to how it evaluates various responsibilities, procedures, policies, and committees of the board. The following is an excerpt from the corporate governance committee's report:
"The corporate governance committee, chaired by the lead director, conducts an annual self-assessment of the effectiveness of the board as a whole, of the standing committees of the board, and of the contributions of individual directors. It is also responsible for establishing the competencies, skills, and personal qualities it seeks in new board members with a view to adding value to the company, and directors are assessed against the contribution they are expected to make. This assessment is based on annual questionnaires to which directors respond.
"The board of directors reviews the assessment of its performance and the recommendations provided by the corporate governance committee annually with the objective of increasing the board's effectiveness in carrying out its responsibilities. The board takes appropriate action based on the results of the review process."
Here is an organization that has assigned a lead director the responsibility of overseeing an annual board- and committee-wide self-assessment. Moreover, it is a thorough examination that leads to proactive action, so that the board, its committees, and its members are constantly striving to implement better procedures and processes for continuing good corporate governance.
Another organization that caught my attention was the Luxembourg-based steel manufacturer Arcelor. The following excerpt is from its corporate governance Web site.
"The self-assessment questionnaire covered seven principal themes:
"Based on answers provided and observations made by board members, decisions were taken to make further improvements to the operating procedures of the board and its committees. It was also decided to increase the number of ordinary board meetings per year from six to seven."
Arcelor's board approved this self-assessment in 2004 and implemented it for the first time in 2005. What was of particular interest to me was that through the self-assessment, the board actually found areas where it could improve itself and its committees. To me, this was a vindication that self-assessment at any level of the organization can be a powerful tool in helping to improve operations and processes.
The third organization that interested me was Kingdom Oil, a not-for-profit religious organization. Kingdom Oil actually publishes a copy of its annual board self-assessment on its Web site. Although Kingdom Oil is a small not-for-profit organization, it is interesting that many of the 12 questions its board members have to respond to can be applied to any other organization — large or small, public or private, for profit or not.
Considering the way these three organizations handle self-assessments, there is really no excuse for any organization's board not to conduct an annual self-assessment.
Through my impromptu research on self-assessments in today's organizations, I learned many interesting things. Primarily, and most importantly, I learned that many organizations' boards are performing self-assessments. This is great news for auditors and stakeholders alike. Based on this discovery, I drew the following conclusions:
The Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Internal Control — Integrated Framework is the foundation for all other components of the internal control framework and includes factors such as culture, integrity, ethical values, and management philosophy. Because each organization is unique, it is imperative to carefully consider the ethical and cultural environment of the organization when determining which control self-assessment (CSA) process to implement to achieve positive and lasting results. Additionally, auditors and CSA practitioners need to make sure they have a clear understanding of the objectives identified by operational management, audit and compliance, and all employees. Value must be derived from these three groups to help develop a successful and sustainable CSA program. Whether an organization identifies risk through internal control questionnaires or facilitated workshops, using these simple tips — combined with understanding the organization's objectives — will help create a successful CSA program.
Planning is essential for a successful CSA. Prior to implementing anything, do your homework to determine the right CSA approach for the organization. CSA can be an excellent tool for identifying and reducing organizational risks, but because questionnaires and workshops are beneficial in different ways, networking with other audit professionals can help auditors determine the best approach to implement in a particular organization.
Internal Control Questionnaires
The advantage of using internal control questionnaires is the ability to reach a broader audience in less time. A questionnaire could reach each employee in an organization at every location with little effort. However, each questionnaire is only as good as the questions being asked, and this process does not allow respondents to add detailed information pertinent to the topic. When planning to use questionnaires, keep these things in mind:
Facilitated workshops are advantageous because participants buy into the process and identify their own risks. The process of analyzing and prioritizing these risks lies with the people affected by the risks. In addition, conversation between participants in a workshop can be expanded upon and action steps to reduce risks can be discussed. However, facilitated workshops are time- and labor-intensive, so it would take considerable time to complete workshops in every department of most organizations. When planning workshops, remember that:
Regardless of which approach is used, an important — and often overlooked — element of the planning phase is explaining the CSA process to management and establishing expectations regarding the benefits that can be derived from it. This will help generate support before questionnaires are distributed or workshops are held.
In a CSA process, planning and preparedness go hand in hand. CSA practitioners employ different methods to prepare for internal control questionnaires and facilitated workshops. No matter the approach, time should always be factored in to adequately prepare for the assessment. Here are some things to keep in mind during preparation:
After the questionnaires have been returned and evaluated or after a workshop has ended, many CSA practitioners forget or take too long to share the results with participants. After the CSA process is complete:
CSA is not just a tool to help organizations achieve their objectives. It also provides an avenue for auditors and practitioners to hone their process and become even more experienced. By keeping the following final points in mind, practitioners will be able to create a successful CSA program:
Mark your calendar for The IIA's 2007 Risk and Control Conference, Aug. 20–22, in San Diego, Calif. The conference will offer an array of tools and knowledge to help auditors improve their organization's risk management and control processes.
Conference topics include governance, risk, and compliance issues and attendees will be able to choose from the following five tracks:
Keynote speakers include Roderick M. Winters, CIA, CPA, of Microsoft Corporation, who heads an internal audit group that is widely viewed as an innovative audit organization and a leader in leveraging technology and employee empowerment; Odell Guyton, director of compliance at Microsoft Corporation; and Gerald D. Cox, CIA, of South West Audit Partners, The IIA's incoming chairman of the board, who has more than 25 years of internal audit experience.
Attendees will also have numerous networking opportunities to share ideas and best practices and to discuss the current challenges facing their organizations.
To obtain additional information and to register, visit The IIA's Web site or contact customer service at +1-407-937-1111.
To help internal auditors and chief audit executives understand the benefits and challenges of information technology (IT) outsourcing, The IIA recently published its new Global Technology Audit Guide (GTAG) on IT Outsourcing. Key issues addressed in this guide include: choosing the right IT outsourcing vendor; the best ways to manage outsourcing contract agreements; how to mitigate outsourcing risks; and the most effective framework for establishing outsourcing controls. To download a free copy, visit The IIA's GTAG Web page.
To add your CSA course, seminar, conference, or event to the calendar, please forward all pertinent information to Editor Allison Cain via e-mail, firstname.lastname@example.org, or by fax, +1-407-830-4832.