Control Self-Assessment (CSA) is a technique originally developed by Gulf Canada in 1987. In March 2000, the European Commission adopted a white paper on CSA. In the United States, when the Sarbanes-Oxley Act was implemented in 2007, Section 404 of the Act required companies to perform a top-down risk assessment, which CSA required. In the United Kingdom, the Financial Services Authority (now the Financial Conduct Authority) recognized in its 2011 recommendations for improving operational risk management that assessing risks through a self-assessment audit can be an important means of identifying risks. Today, a wide range of entities, including private sector companies, the voluntary sector (charities) and public sector entities, use CSA to assess the effectiveness of their risk management and control processes.
The Institute of Internal Auditors organizes courses and seminars and offers the Certification in Control Self-Assessment (CCSA).
The Information Systems Audit and Control Association (ISACA) created a framework called COBIT (Control Objectives for Information and Related Technology). Audit self-assessment is included in COBIT’s audit objective ME2.4.
What is control self-assessment
CSA is a management technique that can be used to assure key stakeholders, both internal and external, that a company’s internal control system is reliable. CSA allows managers and work teams directly involved in the business units, functions or processes to participate in the assessment of the company’s risk management and control processes. CSA can cover objectives, risks, controls and processes.
CSA is a sustainable process whereby management validates the operation of its internal controls through testing. Each process owner and owner of functional control within a company conducts effectiveness tests to verify that key controls are working effectively.
Each process owner develops test scripts for each major control and involves their team in performing these tests throughout the year. This allows management to check whether these controls are effective. A CSA program extends the role of operational management from just assessing the design of internal controls to testing and validating the effectiveness of internal controls throughout the year.
Benefits of a CSA program
An effective CSA program can deliver a number of benefits, including:
• Creating a clear accountability line for internal controls;
• Minimizing the risk of fraud;
• Creating an improved control environment, resulting in a lower risk profile for the company;
• Sustaining management’s compliance program;
• Reducing regulatory compliance costs.
The first step in any CSA program is to document the company’s control processes for the purpose of identifying appropriate ways to measure or test each control. The actual tests of the controls are performed by personnel with a daily role within the area of the company being evaluated, because they have the greatest knowledge of how the processes work. The usual techniques for performing the evaluations are:
• Internal control questionnaire (ICQ) or customized survey questionnaires
• Interview techniques
• Control model workshops or interactive workshops
Some companies choose a combination of methodologies that fit their activities to implement an effective CSA program. Upon completion of the assessment, each control can be assessed based on the responses received to determine the likelihood of its failure and the impact if a failure occurs. These assessments can be summarized to create a risk matrix that shows potentially sensitive areas.
In any CSA program, the main steps are to define the nature and scope of the company’s CSA program, roll out the program, conduct the first test and assessment round, and record the lessons learned before the process is repeated.
Entities have different incentives to improve the internal control environment, e.g. regulatory requirements, change of ownership, change in senior management, implementation of a large ERP system or simply stronger internal control to improve efficiency. Whatever the driver, a CSA program should be considered. By implementing an effective CSA program, the entity can embed responsibility for internal control deep within the company, ensure the sustainability of internal control compliance efforts, and ultimately reduce the cost of overall compliance efforts. In other words, an effective CSA program will provide a much improved internal control environment, assuring all key stakeholders, both internal and external, that the company’s controls are operating effectively.