One approach to assessing governance processes, risks and controls at an organization is to use a Control Self-Assessment (CSA) process. Although there are many definitions of a CSA, the Institute of Internal Auditors (IIA) describes it as follows:
A process through which internal control is tested and assessed with the goal of providing a reasonable guarantee that all operational objectives will be attained.
A brief history
The CSA is not a new concept. The first CSA was documented in 1987 by a Canadian internal auditing department that was unhappy with the standard audit techniques being used.
The IIA began to sponsor an annual CSA conference in 1993 in addition to offering Certification in Control Self-Assessment (CCSA) in 1999. Finally, the Sarbanes-Oxley Act (SOX) of 2002 solidified administrative assessment requirements in relation to companies’ internal control systems, including identification of significant processes and key controls at an organization.
Why use Control Self-Assessment (CSAs)?
There are a range of intangible benefits that companies gain by performing control self-assessments.
CSAs provide a structure to analyze a company’s risk profile. It is a methodology that gives stakeholders a guarantee that the internal control systems are reliable. CSAs create a clear line of responsibility, reducing the risk of fraud and strengthening the overall risk profile. They fundamentally integrate the strategic objectives of the business with risk and control processes.
Yet in order for CSAs to provide the organization with these benefits, some steps must be taken, and these three questions can help:
Are internal controls operating as they were designed to operate?
This shows how well ownership and responsibility are incorporated into the risk and control processes.
How is the efficacy of the controls being monitored?
This helps to identify risks and additional opportunities to improve control activities.
How are control deficiencies reported and fixed?
This helps in understanding and resolving problems found.
5 critical factors for an effective CSA program
There are several critical factors to successful implementation of an effective CSA program. These are the main ones:
1. Assure that the appropriate stakeholders are involved to support and back this initiative
Auditors alone are unable to sufficiently assess this broad perspective of controls. All stakeholders need to participate and contribute. Start with the owners of the business and control processes.
2. Create a culture of continual improvement
Your culture is constantly evolving, which is why you need to ensure that you have sufficient time and resources to fully conduct the assessment.
3. Involve highly qualified and trained professionals to facilitate the process
With the CSA, the term “control” insinuates a broad structure that encompasses the countless variables that contribute to a company’s capacity to achieve its objectives, with people being the most significant factor at an organization. Take advantage of existing teams, such as the internal auditing department, for example.
4. Define techniques that will be used to execute the CSA
There are various formats and techniques that professionals can choose to implement the CSA. The most common models are workshops and questionnaires. It is important to clearly define how the CSA will be implemented in practice.
5. Have quantitative metrics as well as qualitative assessments
The last thing an organization needs is another verification exercise. Although metrics are necessary for assessment, they are not mutually exclusive of the judgment required as a final basis for assessment.
Would you like to learn more about risks, internal controls and audits? Take a look at these posts that we’ve already written on the subject: