Five Primary Approaches to CSA
As control self-assessment (CSA) proliferates around the world in audit and corporate environments, organizations are deciding whether or not to use CSA, determining which method works best, or learning new methods to build on current practices. With dozens of methods to choose from, such tasks can prove daunting.
Even the terminology used to describe CSA runs the gamut: dynamic self-assessment (DSA), facilitated self-assessment (FSA), management assessment process (MAP), control monitoring program (CMP), participatory assessment of risk and control (PARC), dynamic assessment of risks and enablers (DARE), business control and risk assessment (BCRA), business risk assessment (BRA), and Control and Risk Self-Assessment (CRSA), particularly in Canada where the revised terminology was requested by the Canadian Standards Association.
Larry Hubbard, certified in control self-assessment (CCSA), said organizations overwhelmed by the seemingly endless CSA options initially may want to focus on one of five primary methods — survey, situational analysis, an objective- or risk-based workshop, or a workshop aimed at learning about soft controls. But auditors must first decide whether to use the risk assessment tool in the first place.
TO CSA OR NOT TO CSA?
Simply put, CSA is not a traditional audit, so not every organization or internal auditor should jump into the process. CSA, as defined by The IIA, is "a process through which internal control effectiveness is examined and assessed. The objective is to provide reasonable assurance that all business objectives will be met." According to Hubbard, author of Control Self-Assessment: A Practical Guide, several reasons exist why such a process is not always appropriate:
"The biggest potential roadblock to CSA, especially a workshop, is getting people in a room and asking them to talk about something," Hubbard said. "I've seen many people who misunderstand the organization's culture and try to use this tool in a situation where people aren't really comfortable communicating with each other in an open setting — and it doesn't work very well."
But there are plenty of reasons to embrace CSA, he said. The process can empower employees, provide greater audit coverage, open up communications, train others in controls and risks, evaluate and provide data on soft controls, and establish expectations about policies and procedures. CSA also is versatile and flexible — management can conduct the process as often as desired, and assessments can be conducted all at once or staggered over a period of time.
Workshops, or facilitated meetings, gather internal control information from work teams that represent various levels within the organization. The internal auditor leads the workshop, which is designed to assess risks and controls for a given objective or process. Michael Pidzamecky, manager, Enterprise Risk Management at Sears Canada Inc. in Toronto, said the basic advantages of a workshop are that it "allows participants to meet face to face and discuss the issues and provides the opportunity for analysis and action planning."
Mariefrance Weiler, executive director of internal audit at Morgan Stanley Credit Services in Chicago, prefers the workshop approach to other methods because it follows the Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Enterprise Risk Management — Integrated Framework, which offers organizations a commonly accepted model for evaluating risk management efforts. "We have used this approach since 2000 because it follows the COSO framework, gets to the root cause of issues, is extremely flexible, surfaces risks and control issues, gives a great synopsis of the culture of an organization, and presents the information in a meaningful format," Weiler said.
While workshops are the most popular approach to CSA, they are not for everyone. "It's a lot like public speaking and a lot of auditors don't want to stand up in front of a group of 15 to 20 people for several hours and facilitate," Hubbard said. "Others just are not skilled in it or experienced with it."
Workshops can be risk-focused, objective-focused, control-focused, process-focused, situational- or department-focused, or for other purposes such as planning or training. Deciding which type to use should be driven by what kind of information is needed, Hubbard said.
Objective-based workshops — appropriately named because they focus on a specific objective — begin by identifying the controls in place to meet an objective, and then the remaining, or residual risks. The approach assumes that the initial risk identification and control design for objectives already has been done and, after reviewing existing controls in the workshop, the remaining or residual risk is communicated.
The depth of the process depends on the maturity of the organization, Hubbard said. For some organizations, it is not safe to assume that a risk assessment already has been performed. In such cases, a risk-based approach is more appropriate.
Tim Leech of Paisley Consulting in Ontario prefers the objective-based approach. "I believe it best integrates with national and international risk management standards, total quality principles, and a balanced scorecard approach to management," said Leech, a principal consultant and chief methodology officer.
"This approach works best in helping employees across the organization learn how to analyze their own risks," Hubbard said. A risk-based workshop begins with an identification of the inherent risks that might prevent meeting an objective, and then identifies the control activities to ensure they are sufficient to manage the key risks. Any significant residual risks are identified.
Like the objective-based approach, this method takes place on an objective-by-objective basis. The risk-based approach examines risks first and then looks at controls in the workshop, whereas the objective-based approach reverses the order, first reviewing controls and then looking at residual risks. The risk-based method, Leech said, is "powerful in the early phases because it produces large amounts of relevant information quickly."
CSA sometimes is used to gain information about soft controls such as ethics, integrity, management philosophy and operating style, and effectiveness of communication. The only way to obtain that type of information is to ask those involved in certain situations, Hubbard said. "You can't really determine if two people are communicating well just by looking at them," he said. "You have to ask them if they understood each other. And that's a self-assessment."
The questions asked in a soft controls approach will be much different than those asked in an objective- or risk-based workshop. "It's an entirely different type of effort to ask people about objectives and risks, than to ask about how well their manager operates."
THE SURVEY WAY
The survey approach to CSA, sometimes called "survey-based self-assessment," uses a questionnaire to ask simple yes-or-no type questions. Process owners use the results to assess their control structure. Auditors have used questionnaires for many years, and using them in CSA is not much different, except that the questions should be written in language comfortable to those surveyed, not only the auditors.
Surveys may be preferred to workshop-based CSA when:
The situational approach focuses on an entire department at once rather than on a single objective or process, Hubbard explained. "You're really saying, 'Based on the things happening right now, how well are things working and what is getting in the way of meeting objectives?' You're telling me what it is like today in this department, what works well and what doesn't."
This approach can be used anywhere by nearly anyone, Hubbard said. The process can be very interactive, based on the types of questions asked and how they are asked. "Some people ask questions and listen to the responses while others ask employees to list on individual pieces of paper five things that help them do their job, and then hang them on a wall and have groups rearrange them into categories." Groups then can discuss potential solutions for the top-ranking issues.
This CSA approach usually does not address specific objectives or include an assessment of the controls related to each subject, but it takes less preparation time, and typically there is no bottleneck in the workshop waiting on the recording process. It can be easier on the facilitator because the work team is more involved in generating and sorting the raw data. The result is a broad overview, along with specific issues, of the current situation in the department.
MIXING IT UP
Audit departments often combine more than one approach in their organizations. Surveys, for example, can be conducted as a prelude to a workshop. Also, since organizations sometimes need information about both soft and hard controls, taking on several different CSA methods often is the way to go. "Any way you look at it, it all should be driven by the information needed about internal controls," Hubbard said.