CONTROL

SELF
ASSESSMENT
INTRODUCTION
INTRODUCTION
Control Self Assessment (CSA) developed during the 1900s as an
alternative to, or more generally an adjunct to, conventional internal
auditing.
 Generally considered to have been born in a multinational Canadian oil
company.
Implications of this business process re-engineering were that internal
audit was being downsized and greater empowerment was being given to
line management and staff.
The internal audit activity devised a process of control self assessment by
management and staff, facilitated by internal audit.
 Indeed IBM with their self assessment program (SAP) and
British Petroleum with their internal control review program
(ICRP) both predated the development referred to above,
and both were facilitated by internal audit.
Nevertheless CSA, in tandem with conventional internal
auditing, has much to commend it and it is our purpose in
this chapter to set out an approach straightforward, practical
terms.
SURVEY AND WORKSHOP APPROACHES TO CSA
 Key line managers across the business may be required to
certify annually to the effectiveness of internal control by
returning a completed certificate or questionnaire.
 In CSA parlance, this approach is usually termed “a survey
approach to CSA”
 A more demanding, ambitious style of CSA is workshop-based.
 Each member of the workshop should play an approximately
equal role in the process that is the subject of the workshop
and all the most significant elements of the process should be
represented between the differing expertise and experience
of the workshop members.
SELECTING WORKSHOP PARTICIPANTS
 One consideration in selecting those to attend the workshop
is whether the presence of a senior manager is likely to
inhibit the workshop in that more junior members may defer
to the judgement of the more senior.
 Organizations and parts thereof, that are managed
hierarchically rather than participatively, and are managed as
it were “more by the stick than the carrot” will always harder
to benefit from CSA.
WHERE TO APPLY CSA
 It will be apparent that the CSA approach lends itself naturally to the
review of business processes that step across structural boundaries
of the business.
 CSA can also be applied to the review of activities which correspond
to the responsibilities of a single section of the business.
 CSA may also be an effective approach to follow to review the
quality of control in highly technical areas of the business that the
internal audit activity lacks the competence to understand
adequately.
 In its fully fledged form, CSA is intended to cover the entire
organization and to work to an annual cycle of workshops across the
organization.
 CSA ROLES FOR MANAGEMENT AND FOR INTERNAL AUDIT
Ideally it should be management who have the responsibilities
to decide:
• the subjects to be covered by CSA
• the approach, whether survey the workshop to be used
• the frequency of the workshops
• who should be invited to be members of the workshops
• the action to be taken based on the workshop results
• what to report and to whom
The role of internal audit is usually:
• to facilitate CSA program
• to facilitate CSA workshops
• to review the assurance that management and the board can place
on the CSA program
• to report the results of their assurance review to senior
management and to the board
Facilitation is the art of enabling others to achieve better results
for themselves. CSA is control self assessment, effective facilitation
of CSA by internal audit should ensure that an optimal program of
CSA workshops is decided upon by management, appropriate
workshop members are chosen.
AVOIDING LINE MANAGEMENT DISILLUSIONMENT
o Beyond the achievement of the first cycle of the CSA program, it is
possible that managers will assume that the exercise is now complete
and that there is no further justification for their continued
involvement.
o Management and staff often misguidedly assume that control is the
prime domain of the internal auditing function.
o Therefore, it follows that cost-effective internal control activities are
often positive means of achieving the required targets and objectives.
o A realistic and healthy view of the related risks will need to be
developed against which control activities can be set.
o CSA is an opportunity for management and internal audit to establish a
common perception of the organization through its procedures and
control activities.
o The CSA process should be forward-looking; recognizing and accepting the
need to improve control processes as a success factor, rather than
negative reactions to past oversights.
o The CSA process should be built on, promoting a collective responsibility
for internal control as a partnership between line management, who are
accountable for control as part of their responsibilities, and internal audit,
who objectively appraise the effectiveness the effectiveness of controls on
behalf of the senior management.
ENCOURAGEMENT FROM THE TOP
Senior management need to demonstrate commitment to the CSA
process and encourage line management to buy-in to the fact that the
internal controls can support the achievement of corporate goals.
 It will be necessary to identify the strategic and operational
objectives for the organization.
Management should aim to engender a positive and contributive
environment, where CSA participants can have their say and influence
outcomes.
FACILITATING CSA WORKSHOPS, AND TRAINING FOR CSA
 Facilitation of CSA workshops by internal auditors at a workshop
one as the facilitator and the other as the “scribe” drafting the
report of the workshop in real time” as the workshop progresses.
 It has also been suggested that it necessary to provide training for
those who will attend CSA workshops.
ANONYMOUS VOTING SYSTEMS
 Anonymous voting hardware and software, often
termed “audience response systems”, are frequently
used, with each workshop participant having a
cordless keypad.
 A vote taken generally allows the workshop to
progress to the next issue.
COMPARING CSA WITH INTERNAL AUDIT
• the relative lack of independence and consequential
objectivity that characterizes CSA
• the importance of management receiving dependable
assurance on governance processes, risk management and
internal
• the need for internal audit to encourage the CSA program
and to facilitate the CSA workshops
• the value to top management, the board and the audit
committee of internal audit reporting to these parties on
the quality and scope of the CSA program
• the need to provide management and staff with training in
order that they approach CSA effectively, and the likely
need for internal audit to do this
CONTROL SELF ASSESSMENT AS REASSURANCE FOR INTERNAL
AUDIT
 the results of the control self assessment process can be used by
internal audit once the head of the internal auditing unit is
satisfied that the quality of the control self assessment work
means that it can be relied upon.
 Involvement of internal audit as an adviser in the CSA process
will provide internal audit with the confidence to draw
conclusions as to the effectiveness of the CSA process.
 WORKSHOP FORMATS

Objectives Risks Controls

 UTILISING CoCo IN CSA

PURPOSE

MONITORING COMMITMENT
& LEARNING

CAPABILITY
THANK YOU FOR LISTENING!