IN THIS ISSUE
CSA 101: Basics for the Newcomer
The world of CSA can be daunting to new auditors or CSA practitioners. Discover the answers to several questions newcomers often ask.
For new auditors or CSA practitioners, learning the basics of control self-assessment (CSA) has grown increasingly complex due to its proliferation around the world in audit and corporate environments. As its use continues to rise, the methodologies behind CSA have evolved to meet the specific needs and objectives of organizations. Even the terminology used to describe CSA has evolved and runs the gamut: dynamic self-assessment; facilitated self-assessment; management assessment process; control monitoring program; participatory assessment of risk and control; dynamic assessment of risks and enablers; business control and risk assessment; business risk assessment; and control and risk self-assessment, particularly in Canada where the Canadian Standards Association requested the revised terminology.
For newcomers to CSA, many questions may arise: What are the basic principles of CSA? How can CSA bring value to an organization's audit program? How can an organization implement CSA? What challenges do practitioners face? Regardless of who facilitates the self-assessment — an internal auditor or a CSA practitioner — CSA can help improve the control environment by increasing awareness of organizational objectives and the role of internal control in achieving those objectives. CSA also can motivate personnel to design and implement controls carefully and to improve operating controls continually.
DEFINITION OF CSA
CSA is a structured approach for evaluating the effectiveness of internal controls. Its goal is to examine and assess whether existing controls provide reasonable assurance that all business objectives will be met. CSA techniques allow management and work teams directly responsible for business objectives to manage risks more effectively by:
CSA generates information on internal controls that management and internal auditors can use when evaluating the adequacy of internal controls. It also can provide a positive influence on the control environment by educating staff about their role in monitoring and administering effective controls. In addition, as staff members buy into the process, control consciousness increases. One of the greatest secondary benefits of CSA relates directly to the effective involvement of participants. Employees become a more collaborative team since they work together to achieve a successful self-assessment. They also gain a better understanding of how their jobs fit with other employees' roles.
THE VALUE OF CSA TO INTERNAL AUDITING
CSA effectively augments traditional internal audit activities by providing a broader coverage of controls (i.e., soft controls) and enables management to manage risks and fulfill their responsibilities better by improving the quantity and quality of information available. Through CSA, internal auditors and operating staff collaborate to identify risks and assess the efficiency and effectiveness of internal controls. The quantity of information increases as internal auditors rely on operating employees to participate actively in CSA, thus reducing time spent on information gathering and validation procedures performed during an audit. Similarly, as employees have a more thorough understanding of the organization's processes than an auditor could develop over a relatively short period, the quality of the information is improved with CSA.
Any component of an organization can facilitate CSA activities, including the internal audit staff.
Three primary CSA approaches are facilitated workshops, questionnaires, and management-produced analysis. Organizations often combine more than one approach to accommodate their self-assessments.
Facilitated workshops are the most popular and effective — yet often the most time consuming — approach to CSA. Workshops allow gathering risk and control information from work teams that represent multiple levels of an organization. Optimally, a trained facilitator who can assist with conflict management and group dynamics, keeping the team focused on its objective, leads sessions. (See Fundamentals of Facilitated Workshops for more information.)
The questionnaire approach uses a survey instrument that offers opportunities to gather insightful responses. Questionnaires help determine the strength of the control environment, reinforce business and financial policies, and minimize internal audit resources, but typically do not produce the most reliable results due to misinterpretation of questions and no collaborative discussion amongst a group. Process owners use the survey results to assess their control structure.
A management-produced analysis does not use a facilitated workshop or questionnaire and produces an internal analysis of the business process. The CSA specialist — who may be an internal auditor — combines the results of the analysis with information gathered from other sources, such as key management personnel. By synthesizing this material, the CSA specialist develops an analysis that process owners can use in their self-assessment efforts.
For more information on CSA tools and techniques, newcomers may wish to check out Larry Hubbard's book Control Self-assessment: A Practical Guide, which is available from The IIA Bookstore. The IIA’s Professional Practices Pamphlet 98-2 provides additional CSA guidance. (PDF, 143 KB)
IMPLEMENT CSA ACTIVITIES
An organization should consider six major issues to implement CSA effectively:
Once these issues have been considered and addressed, an organization can move forward with the CSA process.
Because CSA is en effective method for gathering internal control information in today's environment, it can help internal auditors improve their work. As a result, auditors can help organizations protect stakeholder interests. Furthermore, CSA generates internal control information that may be useful for management and internal auditors when evaluating the adequacy of internal controls. This helps to improve the organization's control environment by raising employee awareness of internal controls, which ultimately results in a proven asset within the corporate structure.
The Institute of Internal Auditors - 247 Maitland Avenue • Altamonte Springs, Florida 32701-4201 U.S.A.
+1-407-937-1100 • Fax +1-407-937-1101 • www.theiia.org
All contents of this Web site, except where expressly stated, are the copyrighted property of The Institute of Internal Auditors Inc.