IN THIS ISSUE
CSA at BellSouth: The Afterlife
Learn how one company discovered CSA and implemented tailored programs to meet its business objectives during the last two decades.
GLENDA JORDAN, CIA, CCSA, CPA, CFE
MANAGER, BUSINESS CONTROLS
Control self-assessment (CSA) was one of the hottest internal audit topics in the mid-1990s. Everyone wanted to understand what it was, what benefits it offered, and how to implement it, and there were heated debates about the definition and implementation style. While the debates continue, the focus is now on whether any version of CSA is a significant player in today's environment. Is CSA still alive? If so, what does it look like now? To answer this question from BellSouth's perspective, one has to understand the journey that CSA has taken within the organization.
CSA at BellSouth has undergone three major transformations since the company first embarked on the pilgrimage. The first version of BellSouth's CSA initiative was called Work Team Self-assessment, but the second and third versions didn't have official names. The core of the second version was the internal audit, so this version accurately can be described as the BellSouth CSA Audit Approach. CSA later became a working tool within pockets of the corporation, so the BellSouth Imbedded Approach is an appropriate name for the third version. The following commentary provides the key drivers, process design rationale, and outcomes of each of the three BellSouth CSA initiatives.
WORK TEAM SELF-ASSESSMENT INITIATIVE
Work Team Self-assessment (WTSA) Initial Drivers
In the early 1990s, BellSouth's chief corporate auditor (CCA) became aware of CSA. At that time, BellSouth knew the telecommunication industry would soon experience radical changes because of the convergence of technology that would allow cable companies to compete with traditional phone companies. The CCA believed that internal audit downsizing was inevitable and wanted to explore the possibility of implementing some form of CSA to ensure that there still would be reasonable oversight of the corporate control structure when internal auditing could no longer have the same scope coverage.
WTSA Process Design Rationale
After calling The Institute of Internal Auditors (IIA), BellSouth received two contact names — Tim Leech and Paul Makosz. Both gentlemen were pioneers of the CSA movement as a consequence of problem-solving techniques they developed at Gulf Canada, an independent oil and gas company. Representatives from the BellSouth Internal Audit Department attended training sessions held by both Leech and Makosz. BellSouth created a unique methodology based on input from several sources, including The IIA.
The implementation strategy was to partner with selected assistant vice presidents who had a need for CSA. Through this partnership, the WTSA team planned to demonstrate the value of CSA after obtaining reliable results. Reliable results included critical enhancements to re-engineering projects prior to deployment and measurable key indicators like cost savings or customer satisfaction level increases as a result of improvements suggested within the WTSA process. For the next two years, BellSouth's Internal Audit Department allied with various departments and performed ad hoc WTSA workshops.
The largest effort was with the Network organization, a department within BellSouth. In telecommunications, a network organization generally includes the provisioning and maintenance of all assets required to route the call from origination to termination. Network had several ongoing control problems that management wanted resolved. So, Internal Audit teamed with Network to lead workshops throughout BellSouth. As a result, there were no audit findings associated with the WTSA topics during the next audit cycle. Other significant clients were BellSouth organizations that deployed major organizational changes (i.e., downsizing and outsourcing) where management wanted assurance that the business would still function in the new environment.
WTSA Outcomes — Lessons Learned
Everyone's individual concerns were addressed, and those who partnered closely with the WTSA team were positive about CSA. The WTSA process did not include any result summarization to the board or audit committee by Internal Audit, so customers (i.e., department management) appreciated getting control advice without experiencing any negative repercussions. However, despite positive experiences with the WTSA process, there was growing opposition. Because the CCA was open about potential downsizing to the Internal Audit Department as a driver for his involvement, other departments interpreted the message as Internal Audit wanting to transfer its job functions to the operating departments. In addition, some of the department heads that participated in CSA did not appreciate being audited shortly thereafter. Their belief was that because Internal Audit already had been in their department, they shouldn't have to be audited a second time. In reality, since WTSA did not include audit committee oversight, the audit still needed to be performed.
THE BELLSOUTH CSA AUDIT APPROACH
CSA Audit Initial Drivers
In early 1996, the CCA was transferred to assist in the formation of BellSouth's Long Distance entity, and a new CCA was appointed. The new CCA, however, was not a proponent of the WTSA process for the reasons previously mentioned. He believed that Internal Audit should prove it was adding value rather than preparing to downsize. Because the key WTSA players could substantiate the value WTSA had added, the new CCA asked a team of WTSA supporters to incorporate the strengths of WTSA into a new and improved internal audit approach, so the BellSouth version of the traditional CSA audit was born. Although the term CSA audit was used widely for similar methodologies, BellSouth never used that term internally. CSA supporters always believed the process should be owned by the business unit, but the new CCA believed the company did not have a ready appetite to volunteer for ownership at that time.
CSA Audit Process Design Rationale
Two critical CSA success factors were the forum for open communication across multiple organizational structures and key logic elements imbedded within the control model. Overwhelmingly, the element that everyone most valued in CSA was its ability to gather critical knowledge from many contributers at once. The CSA Audit Approach provided an opportunity to discuss the objectives, risks, and control design across organizational boundaries. A varying percentage of CSA clients appreciated learning the control design process and used the concepts in other aspects of their responsibilities after the CSA was complete. The CSA Audit Approach tailored the control model WTSA had used, but retained the aspects that BellSouth CSA clientele found most helpful.
For the next six years, BellSouth performed internal audits that opened and closed with facilitated sessions. The opening session gathered risks and key controls in a pre-determined format. If time permitted, the auditors obtained input on the best way to test the key controls. The audit team also provided an overview of the process they were using upon request. Regardless of the scope of the opening facilitated session(s), the auditors always gave the client a copy of the audit test steps. The audit team was open to any suggestions on ways to make the audit more efficient and effective. The closing meeting also was a facilitated session where the auditors presented results formally and requested input for any corrective action needed.
CSA Audit Outcomes
Because some of the BellSouth international operations were not culturally prepared for open dialogue, audit teams adapted the original approach as needed. For example, Internal Audit led a facilitated session in Israel with minimal participant interaction. The audit team was prepared for this response by the local contact and compiled what it believed were the key risks and controls based on experiences in other international cellular companies. The audit team created paper forms and mailed soft copies of a multiple-choice questionnaire that asked the audit client to rank certain risks and controls. The audit team received a reasonable response using this more subtle approach.
Over time, some organizations across BellSouth continued to respond to the CSA Audit Approach well. Other business units didn't see as much value in spending resources in planning the audit participatively the second time. In addition, once Internal Audit opened the door to participation, it noted that some issues could be resolved more effectively with interdepartmental support or additional skill sets that were only needed temporarily.
THE IMBEDDED APPROACH
Imbedded Approach Drivers
BellSouth began implementing "early entry" audits in those areas where additional help was needed to resolve a control issue. Early entry audits were essentially control design reviews that, in some instances, included consulting to assist in the control design. Some of these early entry initiatives lasted months. It soon became apparent that sometimes the issue identified in the audit had a root cause far removed from the issue originally noted. As a result, the CCA created a Business Controls (BC) Group within the Internal Audit Department. This group was an internal consulting group and not a part of the internal audit staff. Some of the members had internal audit experience, but the key criterion for hire was specialized operations experience in one of BellSouth's key operating units. The CCA would then refer selected audit topics to the BC organization to assist in root cause analysis and/or risk mitigation implementation oversight. The CCA also would refer situations where a perceived control concern existed, but performing an audit did not seem to be the best use of resources.
Despite the fact that The IIA had broadened the professional standards and supported consulting activities within the internal audit profession, BellSouth executives were concerned about maintaining the perception of audit independence within BellSouth. In an effort to keep the consulting activities completely separate from the audit activity, which required independence, BC became a separate organization from Internal Audit in 2002, and began reporting to the Security Department. BC developed its own process, which included risk assessment, control design, and CSA techniques.
Imbedded Approach Process Design Rationale
The mission of this new work unit was to establish the use of business controls and risk management as a standard business practice within BellSouth. BC developed a simple, repeatable process that could be recorded in any spreadsheet or text document. This process included a series of up to 20 questions (depending upon the complexity of the function involved). These 20 questions did not require any accounting or specific control expertise. For example, questions regarding a particular control activity would include:
- Who performs this activity?
- How often is it performed?
- How does the person performing this activity know whether the outcomes are acceptable?
- What actions are taken if the results are not acceptable?
Imbedded Approach Outcomes
BC has varied in size since 2002, but averages 10 managers. Engagements still frequently originate from internal audit findings, but also come from several other main sources. BC often participates in new control design initiatives at the request of management. For example, BC ensured that CSA was performed during the design phase of implementing several custom billing solutions for some of BellSouth's larger customers.
BC also leads a Risk Analysis and Monitoring Team with representatives from all operating departments as well as all oversight organizations (Compliance, Ethics, Internal Audit, Legal, Risk Management, and Security). This team identifies issues across organizational boundaries and facilitates related root cause analyses. Team members use meeting discussions and a share point site to provide continued focus on key topics of concern across the corporation, thereby identifying areas where there is a need for BC to initiate the Imbedded Approach. BC continues to provide formal training on risk management and control design, with programs that vary in design from generic concepts for all directors and above to presentations tailored to performing CSAs to address specific pre-determined business objectives.
BC has spent significant staff resources assisting BellSouth's Information Technology (IT) Department with various engagements, many of which were focused on ensuring that the general computer controls were compliant with the U.S. Sarbanes-Oxley Act of 2002. In an effort to maintain effective accountability and monitoring, the IT organization has developed a Web site where process, control, and execution owners sign off on key controls quarterly. This accountability process began with Sarbanes-Oxley controls, but also has expanded to other key controls. These quarterly "sign-offs" require answering key questions, including:
- How do you know the control is working?
- How would you know if the control was not working?
CSA has become a required quarterly activity in the IT Department, completely beyond the direct influence of BC. Although BC is not aware of any other departments using CSA as a repeatable ongoing monitoring mechanism at this time, some departments have expressed interest in the self-assessment process that IT has created.
ALIVE AND WELL
Is CSA still alive? At BellSouth it is. CSA has changed forms based on management and cultural needs, evolving to better meet business needs. BellSouth's BC Group serves as a centralized group that spans organizational boundaries, and the Internal Audit Department will perform a CSA-type audit for any audit clients who prefer a more participative form of auditing. The original WTSA team would be proud if they knew their efforts had, in part, set the stage for the Imbedded CSA Approach currently functioning in the IT Department.
Whether there is an interactive environment (like a WTSA workshop) or the ability for the IT Department to review its contractor responses within Web-based questionnaires, CSA provides a catalyst for effective communication that can sometimes be short-circuited in an organization as large as BellSouth. CSA, in its most basic form, provides reasonable assurance that business objectives will be met. Sound management practices provide the same outcome. Any technique that completely aligns with sound management practices will survive if it works effectively.
Glenda Jordan, CIA, CCSA, CPA, CFE, has supervised implementation of the Integrated Auditing Approach and CSA at BellSouth, as well as established internal audit offices throughout Latin America. She served on BellSouth's initial Sarbanes-Oxley Core Team, implementing the process for complying with Section 404 and continues to facilitate sustainability of Sarbanes-Oxley IT general controls. She is the author of Control Self-Assessment: Making the Choice, published by The IIA.