The Journey Continues
In the past decade, there have been many drivers that point to CSA facilitated workshops as a key audit tool in addressing the foundation of control-environment issues. From the U.S. Federal Sentencing Guidelines in 1991 to the U.S. Sarbanes-Oxley Act of 2002, these initiatives focus on governance and public scrutiny. At DFS, the internal audit department viewed CSA as a strategic approach to collaboratively link business objectives with internal controls and ethics.
Less than a year after DFS's internal audit department began its CSA initiative, Dean Witter Discover, DFS's parent company, merged with Morgan Stanley. Soon after the merger, the three dominant internal audit groups within the newly merged company — Morgan Stanley institutional securities, Dean Witter retail services, and Discover credit card services — initiated an analysis to understand the similarities and differences between the internal audit groups. The study concluded with a united audit group, governed by one global audit director, with standardized and streamlined audit methodology, reporting, and practices. Although there were fundamental differences in each group's audit universe and local internal audit practices, each methodology shared a risk-based approach with a COSO foundation — just what was needed to expand the use of CSA. In 1998, as the merged internal audit department worked through the audit structure assessment, CSA was targeted as a strategic initiative. Representatives from the former audit groups pulled together a plan to assess, develop, and roll out a CSA process throughout the organization. Having the good fortune of leading the initiative from its beginning, I worked on the project through multiple phases, and the journey still continues.
The overall initiative has enjoyed great success at DFS — where CSA was implemented aggressively — and more opportunities are being explored for use in the various Morgan Stanley business units. Now with Sarbanes-Oxley as added impetus, we continue to find new applications for the process. Looking back, several critical steps contributed to the program's success, including a well-developed project strategy document, the right positioning, an appropriate methodology, adaptive tools, key skill sets, and a dedicated champion. Each of these items remains applicable today as we continue to evolve and maintain the CSA program.
Project Strategy Documentation
As with any new concept, pulling together a well thought-out strategy is crucial to successful implementation. We began with developing a project strategy document to define and capture the initiative's objectives.
DFS's CSA project strategy document contains a background section describing the increasingly competitive and customer-focused marketplace and the resulting impact of constant, rapid change to our organization. We elaborated on how this element raises the level of risk in the organization and the need for reliable, cost-effective internal control systems. We wrapped up our lead argument by paralleling the ever-evolving control environment with the need for adaptive audit tools, such as CSA. We included a description of CSA as we saw it: "CSA is not about one single methodology, but rather, a general approach that takes many specific forms. It is objective driven, action and results oriented, and shares a common framework for implementation."
Finally, to close the background section, we listed some of the benefits and hurdles of a CSA process. Although the benefits were fairly self-explanatory, the group was challenged on how to mitigate the hurdles and meet expectations, such as open communication and ownership.
The project strategy document continues with sections on Customer and Stakeholders, Scope Determination, Milestones and Deliverables, and Resource Requirements — both internal and external — ending with a section on Project Risks and Mitigation Strategy. During development, this last section was one of great debate, as we could not quite agree on what to include. We finally came up with risks considered critical companywide for which we would develop a mitigation strategy, including: business unit buy-in not obtained; culture of the organization; unrealistic expectations; lack of follow through on findings; and audit resources diverted to other tasks.
What makes the project risks and mitigation strategy section important is that it gives the user tools to clearly define the risks and possible mitigation alternatives before experiencing a full-blown situation where clarity of thought may not always be present.
Positioning — who should own CSA — is important to the success of any CSA agenda and was a critical component considered when launching DFS's program. Although there is not one best approach, there can be strong arguments for or against who the owner should be — the business unit or the internal audit department. Most companies agree that understanding the pros and cons and the organization's culture will help decide where to best place CSA.
DFS's approach to ownership is a little different than other organizations; we agreed on a shared approach, depending upon which CSA menu option was selected by the business unit. However, in each approach, management remains the owner of the controls, data, and action plans, but the process is shared with internal auditing. For example, our most dynamic CSA option is the facilitated workshop. The process is owned by internal auditing, but management owns the controls, content, and follow-up. With responsibility for the workshop process, internal auditing can ensure the COSO-based methodology is adhered to. It also provides us with the opportunity to comment on management's integrity as part of the control environment, allows inclusion of significant issues in the audit report if they arise in the workshops, and provides a vehicle for follow-up on those issues until they are resolved. It also enables the auditors to raise significant issues to the appropriate levels in the organization. Each workshop is conducted with the understanding that this will happen.
Open and frank communication brings out significant issues in the workshops despite the participants knowing that issues may be escalated through an audit report. Collaborative wording is used in the audit report, which represents the partnership efforts of the workshop. The end result is agreed-upon action plans and management ownership of the issues and resolution, which builds a stronger process.
Several years before launching the CSA program, the internal audit department adopted the COSO framework methodology for conducting internal audits. In the search for an appropriate CSA approach, it was essential that the methodology fit with our current internal control framework, because we did not want the two audit approaches to conflict. The biggest challenge was to find a workshop approach that would include the internal control framework in its application — not complement it, and not be an add-on to it, but one that would hinge upon our COSO-based methodology.
After researching and reviewing various approaches, processes, and vendor tools, we narrowed our search to five applications that had the tools and approach we wanted. We finally selected a methodology that requires an internal control framework, includes an ethics exercise, and offers a user-friendly flexible tool, instant reporting, and customer support.
When selecting a tool to support a CSA function, consideration needs to be given to ensure it is cost effective, flexible, and delivers timely information. The tool should have the ability to capture, analyze, and produce information of substance relevant to the business. Although DFS uses various self-assessment tools, the facilitated workshop is the most dynamic. To illustrate how the CSA program ties together the audit process, we use the unoriginal, though appropriate, umbrella diagram to represent a holistic view of CSA. In all forms, it is a collaborative event between internal auditing and the business unit.
DFS's CSA tool allows the facilitator to run a dynamic workshop, capture the discussion of the workshop, cover each component of COSO, provide for a quantitative analysis on ethics, and produce a report with radial, graphs, and narratives within 24 hours of the original session. Its flexibility, efficiency, and speed allow the facilitators to present timely information to the participants and senior management on their processes, risks, ethics, and action plans.
By ensuring the CSA approach is integrated with our audit methodology, the information maintained in our controls database is supported. It also gives us the ability to include workshop results in our automated workpapers and allows significant issues to be included in our internal tracking tool. As we expand or modify existing internal audit technology, the existing CSA tool is flexible enough to remain integral to our assessment process.
Different CSA options require different skills. Upon analyzing the various requirements of the program, we decided we needed the expertise of facilitators, technicians, analyzers, control experts, and persons with knowledge of the business. The facilitated workshop requires the most specialized set of skills and uses the gamut of expertise. We realized early on that we might not find all these skills in the same person, so we designated a team of individuals encompassing the necessary skills needed to run a successful program, and typically use two individuals to run a workshop.
When we first launched CSA, the entire internal audit department — 24 individuals — attended training to introduce them to the methodology, technology, CSA concepts, COSO, ethics, and first-hand workshop delivery. During this time, we assessed each individual's skill set and were able to plan appropriate training for their development in some or all of the disciplines. New employees are assessed in a similar manner. As newer, less-experienced facilitators and technicians embark on their first workshops, more experienced auditors accompany them to ensure success of the workshop and to further reinforce the newly acquired skills until they feel comfortable to run workshops on their own.
The term champion may not be an officially recognized designation in all organizations, but it is a well-known requirement for successful implementation of any strategic initiative. A champion gives the cause a voice. Typically, the champion embraces the project in spirit and practice and is knowledgeable about the organization, as well as the risks, controls, and CSA process. Without a champion, or multiple champions for physically dispersed locations, the program is not likely to be sustained or embraced.
A Successful Journey
I have lost count of the number of CSA workshops we have run at DFS since initially launching the program. What is more interesting is the continued applicability of these self-assessment processes in our business environment. We have used our CSA approach without compromising methodology or process to perform benchmarking, risk assessments, ethics testing, Sarbanes-Oxley work, and audit assurance. Our self-assessment tool has been flexible enough to fit with our automated workpapers, our soon-to-be launched client interactive audit-tracking tool, and our relatively new controls database. The workshops continue to raise issues in a collaborative way with the business units and are viewed as a value-added service by senior management. Our CSA tool allows for a graphic representation of risk, tied to business objectives and controls, which integrates nicely from a risk management perspective.
CSA is a very powerful tool with which DFS has had much success. For organizations considering such a program, I encourage you to remember it is not a one-size-fits-all process and to think strategically when implementing CSA. To help determine the best "size," internal auditors need to embrace CSA holistically, understand the culture of the organization, form a sound objective, stay on course, and pay attention to lessons learned.
Mariefrance Weiler, an internal audit director at Morgan Stanley Credit Services, is responsible for auditing Discover Financial Services' credit card operations. She has more than 17 years' experience in the internal audit profession, eight of which were spent in Europe and South Africa working for Big Four accounting firms. Weiler is a frequent speaker on CSA at IIA conferences.
All contents of this Web site, except where expressly stated, are the copyrighted property of The Institute of Internal Auditors Inc.