Volume 6 · Number 2 · July 2002

CSA Questionnaires Work;
Web Enabled, They Amaze

By ADRIAN D. BARRY, former internal audit director of XYZ Co.

A Web-enabled CSA survey is cost effective, easy to implement, and extends the global reach of the internal audit department.

TODAY’S INTERNAL AUDITORS have myriad software tools at their disposal to help the audit function be more effective. Ideally, they should use technology to enhance the way the audit function interacts with the rest of the company. At XYZ Co., a Silicon Valley computer software and hardware company, we found that this worked best by equipping the internal audit department with a Web-survey process, specifically, a survey-based control self-assessment (CSA) tool.

THE CHALLENGE

In 1999, as part of the internal audit department’s goals, XYZ’s chief financial officer (CFO) asked us to:

  • Stay within a reduced budget (down 20 percent from the previous year). 
  • Keep the headcount low (not fill the positions that had been vacated). 
  • Travel less and eliminate nonstop business-class flights. 
  • Maintain the same level of audits to assure the CFO and the audit committee, in real time, that global internal controls are strong and working effectively and efficiently.  
  • Continuously assess the risk environment. 
  • Develop a program or process to educate the finance and business communities on current internal policy and external financial regulations.

This was our challenge. In addition to the CFO’s list, there was one more internal audit issue that we thought needed addressing — communication. It is through solid communication that internal auditing mitigates company risk. We recognized the need to develop ways to communicate companywide, on a regular basis, through a medium that could be managed as the company changed in size and complexity.

We knew that CSA would be the best approach. However, the best-known CSA function is workshop-based, where participants take part in a three- or four-hour session, discussing a topic and voting anonymously. Our participants were located around the world, making this approach difficult.

CSA questionnaires, on the other hand, can be completed individually using Excel-based forms, which internal auditing reviews. The initial setup for the questionnaire approach may take some time, but once up and running, it is easy to sustain because it essentially leads to a continuous-assessment process whereby the company’s employees become more control conscious, continually critiquing the effectiveness and efficiency of the process and the processes under review. Issues identified through the risk-assessment process can be addressed through the questionnaires, and the questions can then circle back and feed into the risk-assessment process.

In addition, questionnaires help determine the strength of the control environment, reinforce business and financial policies, and minimize internal audit resources while extending the global reach. Internal auditors can act as technical support by reviewing assessment results regularly and reporting the information back to management — the owners of the process — who can choose to make changes based on their priorities. 

[Figure: CSA Cycle]

By using questionnaires, internal auditors partner with the client and transfer knowledge to the locations. Essentially, they get a finger on the pulse of the organization, and can be alerted to any changes in the strength of the control environment on a timely basis.

The downside of using paper-based questionnaires is that the data is difficult to manage, store, and manipulate. At XYZ, the data was not submitted in softcopy format. When we wrote our reports, we used a combination of Word and Excel documents, which proved to be labor intensive to draft and summarize. Web-enabled CSA programs, on the other hand, free up large amounts of administrative time.

GETTING STARTED

Picking the right organization to pilot the process was key to increasing the likelihood of success. CSAs may not be suitable for all organizations — in terms of people, processes, and procedures. After reviewing the way the company is organized, we selected the Field Sales Organization to pilot the program. Field Sales comprises 30 sales offices around the world, and has simple business processes at each site that can be tested each quarter.

We needed a way to connect all of the participants from each of the 30 offices, so we opted to use a Web-enabled questionnaire. A powerful Web-based survey facilitates constant communication between internal auditing and all functions and geographies. We hired a feedback management expert that had numerous Web-enabled applications in its product range. The firm developed an application suite that allows internal audit groups to implement self-reviews of business processes and controls regularly. It also facilitates the implementation of a comprehensive questionnaire-based CSA program and archives the data. Powerful report generators enable the auditors to spot trends in processes companywide by function and geography. 

In addition, the application suite provides a framework of continuous feedback to management on the progress made in achieving action items and eases planning efforts by permitting questionnaires to be designed quickly and sent to clients prior to fieldwork. Moreover, the Web-based questionnaire allows links to be built around the tool, enabling visitors to the site to enhance their knowledge of business and financial policies and financial regulation developments.

The cost of hiring our feedback managers equated to that of a senior staff member’s salary for one year. The fee consisted of paying the Web consultants for hosting the survey (compiling and archiving data on their servers), providing technical support, and visiting three countries each quarter for two weeks to validate that the documents self-tested by the sales office were real. The time taken to design and implement the Web-based solution was reduced significantly. 

ROLES AND RESPONSIBILITIES 

For a Web-enabled questionnaire program to succeed, all parties must have clearly defined roles and responsibilities. At XYZ, our CFO sponsored the program. Regional controllers were part of the participating team. Country controllers oversaw the testing performed by their staff and contributed to testing themselves, and finance/operations staff performed more detailed testing.

Because executive management sets the tone, they should be cheerleading. Each quarter when the results are communicated, a message reminding everyone involved of the importance of the process should come from the sponsor, the CFO. Middle management should listen to the audit teams, who report the results, and should prioritize the resolution of issues identified by their participating teams.

THE PROCESS

Our internal auditors rolled out the process by visiting different regions — in conjunction with the company’s biannual regional finance get-togethers — presenting the program, and training participants. The questionnaire took four weeks to develop, which included back-and-forth time with key participants and input from outside auditors. We used fundamental process questions that many of the large accounting firms use. Initially, some participants were reluctant to participate. Support from regional bosses and the CFO proved invaluable during this time.

Participants were e-mailed a Web-link and were provided with passwords so that they could submit self-tested transaction data via the Web privately and securely. They were asked to complete a survey describing the controls in place and plans to resolve any weaknesses. Once the program was up and running, they completed the survey annually. Quarterly, they were required to test, on a rotational basis, six key processes identified for the sales offices: 

  • Sales (quote to collect) 
  • Purchases (procure to pay) 
  • Cash management 
  • Information systems 
  • Fixed assets 
  • Inventory

When issues were noted in the quarterly reports, participants were required to identify action items and provide updates on the progress being made toward resolving them. Managers in both the regional and global offices were then provided with summary reports of the quarterly testing performed.

Internal auditing facilitated the process by reviewing the data that participants submitted via the Web and ensuring that it matched the original documents kept at the site. Auditors selected additional sample transactions to test — those not already self-selected by the country. Auditing also critiqued participants’ assessments and fed the results back to the regional controllers.

Within a few months, the program was running smoothly, and by the fourth or fifth quarters, participants realized that this was not just another project that was destined to fail, and they began to embrace the program.

POSITIVE RESULTS

Too often the "folks in the trenches" maintain inefficient processes, fearing that making any changes could lead to adverse audit findings. As an auditor, it is wonderful to observe the benefits of empowering the staff and to watch how lean the processes can become. 

At XYZ, we enjoyed a multitude of benefits as a result of the Web-enabled questionnaire. The process:

  • Created a structure for educating finance and other functional groups on risk-assessment policies and controls. 
  • Presented the opportunity to raise company policy awareness at the country level and permitted feedback to corporate as to what was happening in the field. 
  • Enabled internal auditing to pay quarterly visits to the regions for validation only, significantly reducing the time, resources, and travel expenses needed for the traditional audit model. 
  • Led to greater focusing of traditional internal audit efforts. If the CSA highlighted problem areas, the audit team would travel to a particular region to perform a comprehensive audit. 
  • Improved auditing’s responsiveness, because auditors become aware of issues more quickly with the questionnaires. 
  • Helped us identify good controls in areas such as granting credit, credit history review, discount approval, and export compliance. Once the exceptional controls were identified, they were posted on the Web site, where everyone could access them. Auditing also presented them to the local team during validation visits. 
  • Assured both the external auditors and company management that approximately X percent of worldwide revenue was sampled and no significant issues were noted. 
  • Reduced the amount of work external auditors performed at their year-end audit. External auditors could review the quarterly testing and the results of the annual controls survey and gain assurance about the company’s control environment. 
  • Enabled process owners and auditors to detect aggressive sales behavior (by comparing ship request date to the actual shipping date), aggressive booking (by comparing purchase order date to the date the order was booked), and lack of sales contracts.

Quarterly, we ranked our regions — Americas, Europe, Asia Pacific, and Japan — based on the completeness of the answers as well as levels of participation (sometimes countries did not submit questionnaire responses). A sense of pride emerged from this, and participants were always eager to learn who would be first or last each quarter. The rankings also were considered in the country controllers’ performance evaluations.

WORTHWHILE EFFORT

Implementing a questionnaire-based CSA process is well worth the effort. Before the CSA questionnaire program was implemented at XYZ, internal auditing typically would visit each of the company’s 30 offices every three years for at least a week to perform audits. The visits were expensive and yielded questionable benefits. Audit findings were then given to the clients for them to act on, and there was very little participation by clients in the assessment of their operation. 

CSA is quite the opposite, and a questionnaire approach specifically allows for even more consistent and ongoing communication. Now, XYZ’s internal auditors partner with the clients and help transfer knowledge to the locations. Auditing also has a greater awareness of the company’s control environment, and as a result is more responsive. Internal auditing, external auditing, the audit committee, the CFO, the participants, and the company as a whole benefited from this process.

Key Steps for Initiating a CSA Survey Process:     

1)  Draft a planned approach for implementing the process:

  • Establish goals. 
  • Identify benefits/needs. 
  • Set timing to go live (three months, for example). 
  • Determine budget/resources required for design, roll out, and maintenance. 
  • Identify roles and responsibilities of all participants.

2)  Meet with the CFO and audit committee to discuss the benefits of the process and obtain buy-in from top management.

3)  Secure a process owner as the sponsor (the CFO, corporate controller, or the head of the area in which the process will be piloted, for example).

4)  Have the sponsor send out written information (perhaps drafted by the auditor) about the program to all who will be participating. 

5)  Meet with senior management to announce the program to them; listen to their observations; and get them on your side.

6)  Co-develop the survey by holding workshops with key individuals in the relevant function. A combination of management and staff is essential.

7)  Consult with the external auditors on the approach planned, and seek their input.

8)  Identify in-house or source consultants to Web-enable the survey.

9)  Test the application with a number of future participants.

10)  Modify survey based on feedback.

11)  Go live!

 


All contents of this Web site, except where expressly stated, are the copyrighted property of the Institute of Internal Auditors Inc.

Q&A with Dave Harmon

David Harmon, CCSA, CIA, CISA, CPA, is director of financial management programs at UCLA in Los Angeles. Harmon helped develop a CSA program in his former position at Fannie Mae, instructs several IIA courses on CSA, and contributed to the questions in the CCSA exam.  

Our audit department is planning on holding its first full CSA workshop, and I need to choose a topic for this. Do you have any suggestions for topics we could discuss that would garner the most participation from management and staff?

Before you choose a topic, it’s important to identify your customer and consider what the customer’s expectations are. It is always good to have ideas of topics to discuss, but one of your primary considerations should be: "What will it take to have a satisfied customer?" Then, tailor your topic and approach accordingly. For instance, a customer may be interested in a particular process that is new or has changed recently, or there may be "people" issues affecting a team's ability to manage a complex process. In some cases, you may have an audit objective that runs contrary to what your customer wants. In those situations, try to be creative and find a way to do both.

One way of selecting an appropriate topic is to ask the customer what he or she wants to talk about. Ask both management and staff. You may be surprised by their response. Management tends to be more task or process focused. Staff members tend to be more sensitive to the "soft" control issues that affect tasks and processes, and they have the closest grasp on the day-to-day detail. Management frequently only knows what is supposed to happen, while staff members know what actually happens. The feedback you receive may help you determine whether to structure a workshop that has a broader, soft-control scope or one that is more narrowly focused and perhaps more process oriented.

Next, choose a topic that is relevant and timely. Y2K readiness would have been a great topic in 1997, but if you waited until the middle of 1999, you may have been a day late and a dollar short. I don’t have to remind you that people are busy and their time is valuable. You will have a tough time engaging group members in a topic they do not think is important. Keep in mind that your job as a facilitator is not to select a topic that you think is important but to help your group members assess something that is important to them.

For your first workshop, don’t pick the most challenging or difficult topic to discuss, even if it is the most important, because the most critical topic may present the greatest opportunity for failure. Remember, there is a lot going on during a workshop that can be rather overwhelming for a first-time facilitator. From practicing facilitation skills to operating new types of equipment (which may or may not work) to perhaps dealing with one or two emotionally charged, opinionated, or otherwise difficult personalities, you will have a lot more on your mind than the subject matter of the actual CSA workshop. So, choosing a topic that requires intense thinking on your part may not be the best idea. You may want to avoid complex topics such as derivatives or network security, for example, unless you’re familiar and comfortable with these subjects. 

Ultimately, you’ll want to select a topic that is relevant, but not too controversial. Striking the right balance is key. So, use the "Goldilocks" approach to help you determine what topic will work best — something that’s not too hot and not too cold, but just right.

One final word of advice — choose a topic and approach that feel right to you, the facilitator. If you’re coerced into discussing a topic that you do not feel comfortable with, you may be setting yourself up for failure.

 




Educating ERM

By Christina Brune
An interview with Marc Guerra, CIA, CPA, CISA,
Director Financial Control and Accountability, University of California at Riverside

How the University of California at Riverside successfully implemented an enterprise risk management program and fostered a risk management culture using CSA techniques.

How did you first learn about CSA?
It all started with a controls initiative that the University of California implemented in 1996. As part of that program, each of the university’s campuses was to conduct a campus-wide risk assessment, preferably in concert with their strategic planning process, and control self-assessment techniques were to be used for introducing the enterprise risk management (ERM) concept. The CSA tool had been in the back of my mind since then, although we didn’t begin the risk assessment effort at my campus until a few years later.

How did you begin your ERM effort?
Approximately two years ago, Executive Vice Chancellor David Warren started our campus’ strategic planning initiative. He held a series of workshops and town hall meetings and invited faculty, students, staff, and groups from the local community to help craft a vision statement that reflected the kind of campus we want to be in the year 2010. It took about one-and-a-half years to solidify this statement, which we call Vision 2010.

Once Vision 2010 was established, I approached David with the idea of conducting a campus-wide risk assessment in the framework of our Vision 2010 statement. I got the idea from my counterpart at the university’s Santa Cruz campus, who had done the same thing. David was very agreeable. Last year, he also asked each of the campus’ units to draft its own mini Vision 2010 statement, which gave me more relevant objectives to work with. 

I had a simple three-step approach:

  1. Establish objectives. (Vision 2010, which had already been hammered out, effectively became our broad set of objectives, and the individual units’ mini statements complemented those objectives.)   
  2. Identify the risks and threats that may prevent us from achieving our objectives.  
  3. Manage the most problematic risks and threats.

David and I drafted a three-part, open-ended survey, which I used during interviews with the deans and vice chancellors to evoke discussion. The first part included a set of questions that assessed the executives’ awareness and understanding of the objectives and their buy-in. This was a critical step, because if there was a problem with the objectives, trying to move to the next two steps — identifying and managing the risks and threats — would be pointless.

What were the lessons you learned when starting out?
To succeed, an ERM program must have high-level management support. It has to be a partnership. I was fortunate to have our vice chancellor’s support. 

The objectives also have to be clear, understood, and agreed-upon. As it turned out, in our case, the objectives weren’t always clear or understood, and there were some groups that didn’t accept or agree with the vision statement. Therefore, the executives asked me to return and engage in further discussions about the objectives and the issues that certain faculty members were having with them.

I also learned some lessons about human nature. When we began to identify the risks and threats, often people tended to discuss risks that weren’t in their areas of responsibility. More times than not, I had to reel them in and get them to discuss the ones within their realm of control. As a facilitator, that’s something you have to be aware of and respond to.

What response did you receive?
The deans and vice chancellors said that the questionnaire-based discussions we had — regarding their objectives, the overall campus objectives, the risks and threats, and the management of those risks and threats — were very helpful. In fact, they wanted me to come back and have similar conversations in a group environment with faculty and staff. Specifically, they asked me to focus on the objectives part of the survey.

The discussions elicited from the survey have been well received. People are incorporating the objectives into programs like new staff and faculty orientation and recruitment efforts.

What have you done with the information you collected?
Rather than using voting software, which I thought would be a bit too impersonal, I took notes as I engaged in conversations with the individuals and groups. Afterward, I went through my notes and identified common threads.

I’m in the process of communicating my findings in a draft report. The first part of the report is an assessment of the campus’ awareness of Vision 2010. The next section includes a list of common broad-based and unit-specific risks and threats. For example, our computing center has specific threats that aren’t common across the other units; however, they’re significant enough that they could impact our Vision 2010. The next step will be to report on ways to manage those identified risks and threats.  

Who owns the ERM effort?
One of my objectives for this entire exercise was to foster a culture of identifying, understanding, and managing risk. I wanted management to take ownership of this effort, and I believe they have. I essentially act as an enabler, or facilitator.

One testament to our risk management culture is the development of a new initiative called Leadership for Growth, which David started shortly after I completed the initial round of executive interviews. The deans and vice chancellors meet twice a month and discuss the risks and threats that may prevent us from achieving our Vision 2010. Each dean or vice chancellor hosts a dinner and presents to the group the risks and threats pertinent to his or her area. Then, they discuss these issues as a group. 

I’m not involved in this effort. It’s not a facilitated process. However, my boss, the vice chancellor of administration, attends and updates me regularly. 

How have CSA and the ERM effort complemented your regular audit work?
On a couple of occasions, the deans have asked me to come back and use the CSA approach to examine a particular process or a particular group within their unit, and I farmed that out to internal auditing. One associate vice chancellor requested that CSAs be conducted in six of her units. She recognized the benefits of using the CSA tool to get the objectives out there, communicated, and hammered in. Having an objective third person come in and discuss objectives is helpful.

What are your future plans for ERM?
I’m going to propose to David that I conduct additional, more-focused CSAs on the top common and specific risks and threats that we identified in our campus-wide risk assessment. These facilitated sessions will get the process owners involved.

I’m also proposing annual campus-wide risk assessments. Deans and vice chancellors usually have only a five-year contract, and many take other positions after that time. Therefore, we average one or two a year that turn over. I would like to discuss the executive survey with all new deans and vice chancellors after they’ve adjusted to their new positions. I’d also like to follow up with the existing deans and vice chancellors to further discuss management of the identified risks and threats.

 




According to Mike

Mike Pidzamecky, CMA, is senior consultant, CSA, internal audit and security, at Imperial Life Financial in Toronto, Canada. Pidzamecky developed several CSA approaches while working for the Westcoast Energy Group. He teaches CSA courses for The IIA and has written questions for the CCSA exam.


The People Know

I recently had the opportunity to review a new publication, Control Self Assessment: For Risk Management and Other Practical Applications by Keith Wade and Andy Wynne. A compilation of applications and experiences from CSA practitioners around the world, the book had one particularly interesting discussion about a major fraud in a large subsidiary that shook our thinking about corporate governance. Although the deception was perpetuated by top-level management, external auditors had audited the company each year and the company’s internal auditors had conducted regular audits. "Ironically," the passage reads, "one of the last audit reports issued by the internal auditor, contained the management comment ' … control systems are operating as intended by management.'" In addition, the Board was meeting its governance responsibilities, and the company was expanding and making money.

"Unfortunately," say Wade and Wynne, "senior management had created a number of contracts between the company and other companies they owned privately and caused the company to do business for many years on terms and conditions that were clearly not at arm’s length."

Even with the traditional controls firmly ensconced, the fraud lasted years. At the end of the passage, the authors rightly wonder, "While only a few employees at the top were involved, we could not believe that many more employees had not had suspicions or knowledge they were willing to live with and not disclose."

This may seem to be a perfect description of Enron or some of the currently famous "scandal" companies, but it is actually a description of Gulf Canada in 1985 as witnessed and written by Tim Leech and Bruce McCuaig. (Yes, as a Canadian, it breaks my heart to say we did it before the Americans.)

It is this event at Gulf Canada more than 17 years ago that laid the foundation for control self-assessment, or control and risk self-assessment. Leech and McCuaig don’t claim that CSA was created one day in 1985. Instead, they explain that what actually began was "…the development and reporting on internal control and risk. In short, the early recognition of the need for and development of criteria of control." It wasn’t long before auditors elected to involve company personnel, no matter their responsibility, in the continuous evaluation of controls and risks in their business units and departments.

When I read this passage during one of my recent IIA classes, one participant asked if CSA would have stopped the fraudulent financial reporting at the energy giant, Enron. That’s a good question. 

In my humble opinion, yes, I believe it would have, but only if someone had allowed CSA to truly take place. A recent Forbes magazine article revealed that over a year ago, dozens of former Enron employees gave statements for a class-action lawsuit against the company. They described sales orders that were booked twice, ancient receivables that were listed as assets, payments to suppliers delayed so that profits would look higher and expenses lower. They had lots of knowledge about the scope and the detail of the wrongs being committed. So, why didn’t anyone talk to them? 

CSA gives the employees the chance to speak about the proverbial good, bad, and ugly. Whatever form you use, the object is to provide a thorough assessment of the organization’s control environment and activities, risk assessment program, information and communication channels, and the monitoring systems. In its purest sense, CSA is a program of deep, probing analysis within an organization that insists on everyone’s participation, from the lowest staff member to the highest.

But, even with the greatest assessment and the highest standards, the most important requirement for a successful CSA program is a culture of high moral and ethical governance and business standards demonstrated from the highest level of management to the newest employee. Without such standards we cannot expect an organization to embrace a process that will disclose all of its shortcomings — even the potential fraudulent ones. 

I have said in many of my classes that a good CSA program will enable every employee to bring up concerns and to have those concerns get addressed. But, this is only true if senior management supports such a program. If management is intent on misleading the public, shareholders, regulators, and the government about what is actually going on in the company, they will surely not want a successful CSA program that asks the staff what’s going on in the organization. 

That’s my opinion. Whether you agree or disagree, let me know at mpidzamecky@djfsc.com.




Center News

 Research Report Offers Help for ERM Seekers

The IIA Research Foundation recently released a new research report on enterprise risk management (ERM). Enterprise Risk Management: Pulling it All Together explores the movement of the internal audit profession from compliance auditing to a risk-based audit approach and demonstrates how ERM can help organizations focus employee efforts on the most important issues to boost shareholder value.

The 163-page study introduces the ERM approach and classifies risks into four categories: strategic, operational, financial, and hazardous. The report also includes case studies from organizations that have embarked on ERM such as Canada Post Corp., FirstEnergy Corp., General Motors Corp., Unocal Corp., and Wal-Mart Stores Inc., and examines the role of internal auditing in ERM implementation.

The authors, three noted professors of internal auditing and risk management theory, intend their report to provide practical and timely guidance for practitioners interested in implementing ERM in their own organizations.

Click here for a detailed editorial summary of the book and ordering information.

 

 CCSA Specialty Exam and Review at the 2002 Conference

Control self-assessment practitioners have the unique opportunity to sit for the Certification in Control Self-Assessment (CCSA) exam at The IIA's Enterprise Risk Management Control Self-assessment Conference in September and to attend a comprehensive CCSA review workshop held one day prior to the start of the conference. 

The conference, held Sept. 18–20 in Chicago, will address the latest strategies, approaches, and techniques shaping the future of enterprise risk management. The Sept. 17 review session will cover topics such as exam administration, CSA tools, risk and control concepts and models, strategic business and management, project planning, and practice questions.

The special offering of the CCSA exam will take place Sept. 20, the final day of the conference. Pre-registration by Sept. 12 is required.

 




Calendar

To add your CSA course, seminar, conference, or event to the calendar, please forward all pertinent information via e-mail to editor@theiia.org or fax +1-407-830-4832.

July 

IIA Introduction to Control Self-assessment
July 22–24
Chicago, Ill.

IIA Assessing Business Risk: The Gateway to Value-added Results
July 22–24
Chicago, Ill.             

August 

IIA Evaluating Internal Controls: A COSO-based Approach
Aug. 5–7
Denver, Colo.

IIA Enterprise-wide Risk Management: Paradigms and Partnerships
Aug. 12–14
Boston, Mass.

Palisade Software Training Seminar
Aug. 12–14 
London, U.K. 

Annual Palisade Training Conference
Aug. 19–21 
Ithaca, N.Y. 

Palisade Software Training Seminar
Oil and Gas Focus
Aug. 19–21 
Calgary, AB 

IIA CSA Facilitation Techniques for Auditors
Aug. 26–28
Palm Beach, Fla.  

IIA Value-added Business Controls: The Right Way to Manage Risk
Aug. 26–28
Palm Beach, Fla.      

September 

IIA Assessing Business Risk: The Gateway to Value-added Results
Sept. 9–11
Toronto, Ontario

Palisade Software Training Seminar
Sept. 9–11
Atlanta, Ga. 

*CCSA Exam Registration Deadline
Sept. 12

IIA Enterprise Risk and Control Self-assessment Conference
Sept. 18–20
Chicago, Ill.

*CCSA Examination
Sept. 20
Chicago, Ill.

IIA Introduction to Control Self-assessment
Sept. 23–25
St. Louis, Mo.

IIA Evaluating Internal Controls: A COSO-based Approach
Sept. 23–25
St. Louis, Mo.

Registration Deadline for November CCSA Exam
Sept. 30

October 

IIA Enterprise-wide Risk Management: Paradigms and Partnerships
Oct. 7–9
Orlando, Fla.

IIA CSA Facilitation Techniques for Auditors
Oct. 9–11
Orlando, Fla.

Palisade Software Training Seminar
Oct. 14–16
Chicago, Ill.

IIA Value-added Business Controls: The Right Way to Manage Risk
Oct. 21–23
Washington, D.C.     

IIA CSA Facilitation Techniques for Auditors
Oct. 21–23
Washington, D.C.  

November

IIA Evaluating Internal Controls: A COSO-based Approach
Nov. 4–6
Cincinnati, Ohio

Palisade Software Training Seminar 
Nov. 4–6
London, U.K. 

Palisade Software Training Seminar
Oil and Gas Focus
Nov. 11–13
Dallas, Texas 

IIA Enterprise-wide Risk Management: Paradigms and Partnerships
Nov. 18–20
San Francisco, Calif.

IIA CSA Facilitation Techniques for Auditors
Nov. 18–20
San Francisco, Calif.

Palisade Software Training Seminar
Nov. 18–20
San Diego, Calif.  

IIA Assessing Business Risk: The Gateway to Value-added Results
Nov. 20–22
San Francisco, Calif.

CCSA Exam
Nov. 21

* The CCSA exam will be offered Sept. 20 at The IIA’s Enterprise Risk Management and Control Self-assessment Conference in Chicago.

For more detailed information about The IIA's internal control-related seminars, visit www.theiia.org/iia/seminars.  For more information about Palisade Corp. seminars on @RISK and other Decision Tools Suite products, visit www.palisade.com/html/seminars.




Quick Tips

By LETICIA HERRERA-PRICE
Director, Audit
HEB
San Antonio, Texas  

Want to make your CSAs run more efficiently and effectively? Here are some “quick tips” from experienced professionals that can help you hit the ground running and avoid some common, but possibly overlooked, mistakes on your next CSA. If you have a "quick tip" that you'd like to share, please forward it to Editor, CSA Sentinel, 247 Maitland Ave., Altamonte Springs, FL 32701-4201; e-mail editor@theiia.org; or fax, +1-407-830-4832.

ENSURING SUCCESSFUL CSA

Control self-assessment is still not a common term — or practice — in many organizations. Therefore, to ensure that CSAs run efficiently and effectively, the auditor should be prepared and keep the following tips in mind: 

  • Explain the objective of the CSA to key management and participants and gain consensus.    
  • Explain the CSA process and provide examples to CSA participants.    
  • Be cognizant of the "right" timing and other participant constraints. For example, month-end financial closing periods may make it difficult for employees to be away from their responsibilities and concentrate on the issues at hand. Other constraints may include recent changes in control, new employee responsibilities, or the location or scheduled hours of the workshops.    
  • Emphasize the importance of active participation.   
  • Define all audit terms, and use common terminology.   
  • Obtain management’s input regarding workshop participants.   
  • If conducting a workshop, choose the proper surroundings — preferably a location away from the office.   
  • If utilizing a questionnaire, gain consensus regarding pertinent questions.   
  • Gain commitment from upper management on following through with the CSA results, recommendations, and action plans.   
  • Be prepared to wear two hats: facilitator and auditor.   
  • Be flexible!

