Internal auditors have declared that management and the board of directors "own" the organization's

programs and procedures, as well as the organization's objectives, risks that imperil the attainment of
these objectives, and controls that minimize their likelihood and impact. While this is true, in my
experience, far too many managers are unaware of their responsibility. I frequently question recent
college grads if they were required to take an internal auditing class during my internal audit seminars,
and only accounting majors are frequently required to do so. As a result, how much teaching would
nonbusiness majors receive if most business majors do not receive particular instructions on risks and
controls? This is concerning because many of them may subsequently assume management roles.

CSAs are intended to fill this void. They are made up of questionnaires and other forms that process
owners fill out to identify the major activities in their programs and processes, as well as the objectives,
risks, and controls, as well as the people who perform key tasks and controls, and the major challenges
that these programs and processes face. Managers must consider the design and condition of their
areas of responsibility, as well as the presence and quality of corresponding controls, when
implementing CSAs.

The use of CSAs is not yet widespread. In reality, when I ask seminar participants if their organizations
have a CSA program, a large proportion of them say they don't have one and haven't started the process
of developing one. Those who have one often complain that it isn't meeting their expectations in terms
of overall utilization or the quality of the data captured in these documents.