IN THIS ISSUE

Second Quarter 2006 • Vol. 10 • No. 2

Print Article Print Entire Issue

CSA 101: Basics for the Newcomer

The world of CSA can be daunting to new auditors or CSA practitioners. Discover the answers to several questions newcomers often ask.

For new auditors or CSA practitioners, learning the basics of control self-assessment (CSA) has grown increasingly complex due to its proliferation around the world in audit and corporate environments. As its use continues to rise, the methodologies behind CSA have evolved to meet the specific needs and objectives of organizations. Even the terminology used to describe CSA has evolved and runs the gamut: dynamic self-assessment; facilitated self-assessment; management assessment process; control monitoring program; participatory assessment of risk and control; dynamic assessment of risks and enablers; business control and risk assessment; business risk assessment; and control and risk self-assessment, particularly in Canada where the Canadian Standards Association requested the revised terminology.

For newcomers to CSA, many questions may arise: What are the basic principles of CSA? How can CSA bring value to an organization's audit program? How can an organization implement CSA? What challenges do practitioners face? Regardless of who facilitates the self-assessment — an internal auditor or a CSA practitioner — CSA can help improve the control environment by increasing awareness of organizational objectives and the role of internal control in achieving those objectives. CSA also can motivate personnel to design and implement controls carefully and to improve operating controls continually.

DEFINITION OF CSA

CSA is a structured approach for evaluating the effectiveness of internal controls. Its goal is to examine and assess whether existing controls provide reasonable assurance that all business objectives will be met. CSA techniques allow management and work teams directly responsible for business objectives to manage risks more effectively by:

• Involving them in risk identification and internal control assessments.
• Evaluating residual risks.
• Developing action plans to address intolerable control weaknesses.
• Assessing the likelihood of achieving business objectives.

CSA generates information on internal controls that management and internal auditors can use when evaluating the adequacy of internal controls. It also can provide a positive influence on the control environment by educating staff about their role in monitoring and administering effective controls. In addition, as staff members buy into the process, control consciousness increases. One of the greatest secondary benefits of CSA relates directly to the effective involvement of participants. Employees become a more collaborative team since they work together to achieve a successful self-assessment. They also gain a better understanding of how their jobs fit with other employees' roles.

THE VALUE OF CSA TO INTERNAL AUDITING

CSA effectively augments traditional internal audit activities by providing a broader coverage of controls (i.e., soft controls) and enables management to manage risks and fulfill their responsibilities better by improving the quantity and quality of information available. Through CSA, internal auditors and operating staff collaborate to identify risks and assess the efficiency and effectiveness of internal controls. The quantity of information increases as internal auditors rely on operating employees to participate actively in CSA, thus reducing time spent on information gathering and validation procedures performed during an audit. Similarly, as employees have a more thorough understanding of the organization's processes than an auditor could develop over a relatively short period, the quality of the information is improved with CSA.

PERFORMING CSA

Any component of an organization can facilitate CSA activities, including the internal audit staff.

Three primary CSA approaches are facilitated workshops, questionnaires, and management-produced analysis. Organizations often combine more than one approach to accommodate their self-assessments.

Facilitated workshops are the most popular and effective — yet often the most time consuming — approach to CSA. Workshops allow gathering risk and control information from work teams that represent multiple levels of an organization. Optimally, a trained facilitator who can assist with conflict management and group dynamics, keeping the team focused on its objective, leads sessions. (See Fundamentals of Facilitated Workshops for more information.)

The questionnaire approach uses a survey instrument that offers opportunities to gather insightful responses. Questionnaires help determine the strength of the control environment, reinforce business and financial policies, and minimize internal audit resources, but typically do not produce the most reliable results due to misinterpretation of questions and no collaborative discussion amongst a group. Process owners use the survey results to assess their control structure.

A management-produced analysis does not use a facilitated workshop or questionnaire and produces an internal analysis of the business process. The CSA specialist — who may be an internal auditor — combines the results of the analysis with information gathered from other sources, such as key management personnel. By synthesizing this material, the CSA specialist develops an analysis that process owners can use in their self-assessment efforts.

For more information on CSA tools and techniques, newcomers may wish to check out Larry Hubbard's book Control Self-assessment: A Practical Guide, which is available from The IIA Bookstore. The IIA’s Professional Practices Pamphlet 98-2 provides additional CSA guidance. (PDF, 143 KB)

IMPLEMENT CSA ACTIVITIES

An organization should consider six major issues to implement CSA effectively:

1. Scope or breadth of the CSA process. The organization decides what portion of the entity will use CSA; what functions or objectives to consider; and what level of detail is included in the assessment (e.g., work group, district, or division).
2. Impact of the organization's culture. A CSA approach and format is selected based on a cultural analysis of the organization, including its key values and behaviors. In the event the organization's culture does not support a participative CSA approach, questionnaires may be a better choice for obtaining responses and performing internal control analyses.
3. Use of CSA results. The organization determines whether CSA risk assessment results will identify areas for management’s improvement of internal controls, and/or future internal audit work. The organization also can use the internal audit function to validate the CSA process and results.
4. CSA process. Based on factors such as cost and employee skill sets, the organization determines the tools, techniques, frameworks, mechanization, documentation, and report formats used in connection with gathering and reporting CSA information. Additionally, a determination should be made of which, if any, control framework will be used to ensure completeness of internal control questions.
5. Internal audit involvement. Implementers decide whether internal auditors or management will drive the CSA process.
6. Creating a sustainable CSA effort. Initial and ongoing marketing of CSA is very important and is influenced significantly by the organization's culture. If the organization is not supportive of a participative CSA approach, minimal marketing will avoid catching the eye of those resistant to change or employee involvement. Finding an audit-friendly department to begin a CSA effort may provide for greater appreciation of the CSA results and marketing by management.

Once these issues have been considered and addressed, an organization can move forward with the CSA process.

Because CSA is en effective method for gathering internal control information in today's environment, it can help internal auditors improve their work. As a result, auditors can help organizations protect stakeholder interests. Furthermore, CSA generates internal control information that may be useful for management and internal auditors when evaluating the adequacy of internal controls. This helps to improve the organization's control environment by raising employee awareness of internal controls, which ultimately results in a proven asset within the corporate structure.