Control Self-Assessment

The document discusses how control self-assessment (CSA) can be used as an internal audit service in a practical way. It defines CSA and outlines its benefits, provides examples of CSA techniques, and describes how the internal audit function of a government department trialed the use of a CSA questionnaire to assess compliance with key controls and policies across the organization.

Uploaded by

bizywhiz

Connect Support Advance

Whitepaper

Control Self-Assessment In Action
August 2023

Level 5, 580 George Street, Sydney NSW 2000 | PO Box A2311, Sydney South NSW 1235
T +61 2 9267 9155 F +61 2 9264 9240 E [email protected] www.iia.org.au
© 2023 - The Institute of Internal Auditors - Australia
Contents

Background
- Purpose
- Background
Discussion
- Issue
- Control Self-Assessment
- Control Self-Assessment Benefits
- Control Self-Assessment Techniques
- Control Self-Assessment In Action
Conclusion
- Summary
- Conclusion
Bibliography and References
- Useful References
Purpose of White Papers
Author’s Biography
About the Institute of Internal Auditors–Australia
Copyright
Disclaimer

Background

Purpose

This White Paper has been written to show how control self-assessment (CSA) can be used in a practical way as an internal audit service.

Background

CSA is a technique that internal auditors can use as an alternative internal audit service method. Internal auditors can use CSA to:

› Introduce a new internal audit service that reduces time and effort to understand how business processes work and quickly identify what can be improved or streamlined.
› Gather relevant information about risks and controls.
› Focus internal audit work on high risk and unusual areas.
› Develop greater collaboration with operating managers and work teams.
› Reduce the time and effort it takes for internal auditors to gather information on business units and provide swift focus on areas requiring attention.
› Help reduce fraud risk by examining data that may flag unusual patterns of transactions.

Discussion

Issue

The issue to be discussed is:

How can control self-assessment be used in a practical way as an internal audit service?

Control Self-Assessment

The IIA-Australia defines CSA as:

Structured process where management and the work team collaboratively assess the effectiveness of controls, the level of residual risk, and achievability of business objectives. Typically involves facilitated workshops and surveys.

Control Self-Assessment Benefits

Benefits of CSA may include:

› Help directors and management meet their corporate governance responsibilities.
› Clarify business objectives and achieve shared understanding of business processes.
› Identify and treat risks that may impact achievement of organisation and specific business objectives.
› Create a clear line of accountability for controls and a stronger governance regime.
› Foster better understanding of business operations by management and staff.
› Highlight good practices and business performance improvement opportunities.
› Standardise and benchmark business processes across multiple locations.
› Improve the internal control environment by:
  › Increased awareness of organisation objectives and the role of internal control to achieve specific business objectives.
  › Motivate personnel to carefully design and implement control processes.
  › Continually improve operating control processes.
› Help management:
  › Expand assurance coverage.
  › Reduce oversight cost.

  › Streamline controls.
  › Reduce need for extensive internal audit testing.

Control Self-Assessment Techniques

There are a number of CSA techniques that can be deployed:

› Facilitated team workshop Control-Based – focuses on how well controls are actually working.
› Facilitated team workshop Process-Based – focuses on activities performed with selected processes.
› Facilitated team workshop Risk-Based – focuses on identifying and managing risk.
› Survey / Questionnaire – A technique to collect feedback data from staff who fulfil certain responsibilities, for example in line with organisation policies. A CSA specialist or internal auditor evaluates and independently validates the results, for example through data analysis or review of supporting documentation.
› Management Produced Analysis – Management produces a self-assessment of the business process which is then independently validated by a CSA specialist or an internal auditor.

Control Self-Assessment In Action

Introduction

The Internal Audit function at the Department of Health in Western Australia (Department) has trialled the use of CSA techniques to assess the level of understanding of and compliance with key controls and policy requirements across the Department. A standard electronic questionnaire was developed for completion by all staff within the business area. Results were evaluated and validated by use of available data analytics dashboards.

This methodology was introduced to allow for efficient use of internal audit resources by:

› Focusing the majority of the internal audit plan on higher strategic risk areas.
› Minimising internal audit impact on operational staff across the Department who are traditionally ‘time poor’.

Two divisions were selected with the agreement of their senior executive for a pilot CSA exercise to test the approach and provide input into the questionnaire content. Following completion of the pilot, the CSA process is currently being rolled out across the rest of the Department. Following completion, a Department-wide summary report is to be compiled.

Approach Selected

Internal Audit developed a standard CSA questionnaire in Microsoft Forms based on Department policy requirements and in consultation with relevant policy owners. The process followed is shown in the diagram below.

All division staff were asked to rank their understanding of policy requirements and provide comments on a range of topics including:

› Governance and Integrity
› Work Health Safety and Facilities
› Employment including staff and management responsibilities
› Procurement and Grant Administration
› Information Management

Also included were:

› Discussions with management and relevant staff regarding the division’s risk identification and management practices, including current status of higher risks currently identified in the automated enterprise risk management system.
› Review of the division process to monitor progress against their operational plan.

This CSA process used a questionnaire approach and applied the following steps.

Step 1 – Plan
› Set CSA objective and scope
› Ascertain divisional objectives and risks
› Research and gather relevant information
› Determine CSA approach
› Prepare CSA project brief to secure executive support

Step 2 – Design
› Identify policy categories and key policy requirements
› Draft CSA questionnaire in consultation with policy owners and divisional executive
› Communicate with stakeholders and participants

Step 3 – Execute
› Distribute questionnaire
› Provide real-time advice and guidance to participants
› Provide regular updates on response rates to executive until desired rate of response is achieved

Step 4 – Validate
› Download and analyse results
› Validate results against analytical compliance dashboards (where available) with participants and stakeholders
› Prepare results summary reports at whole-of-division and business unit level and discuss with division executive
› Meet with select respondents for in-depth discussion upon self-nomination

Step 5 – Finalise
› Agree results and management action plans to implement improvements, including timelines
› Prepare draft report for management review
› Finalise the report

Step 6 – Monitor and Follow-up
› Follow-up to assure effective implementation of management action plans

Project Plan

Activity | Timing | Resources

Phase 1 – Planning
  Planning meetings
  Source policy documents
Phase 2 – Pilot Control Self-Assessment
  Design pilot questionnaire
  Review pilot questionnaire with policy owners and executive
  Convert agreed pilot questionnaire design into online questionnaire using Microsoft Forms
  Agree on whole-of-division distribution with executive
  Distribute pilot questionnaire using divisional all staff email list
  Close pilot questionnaire once desired response rate is achieved
  Analyse and validate results
  Prepare result summaries and present to divisional executive
  Discuss outcomes and management actions with divisional executive

  Prepare draft report and share with the division
  Finalise report following feedback
  Use lessons learned from pilot questionnaire to inform improvements
Phase 3 – Department-wide roll-out
  Repeat CSA process in other divisions
Phase 4 – Consolidated Reporting
  Develop and present a brief consolidated report for Department Executive Committee
  Present the consolidated report to the Risk and Audit Committee

Outcome

The final outcome of the CSA exercise provides the senior executive team with an understanding of the level of overall staff compliance and awareness of key policy requirements. In this particular case study, senior executives were pleased to have reassurance that overall, their staff understood their obligations and responsibilities as defined in the policies.

The final report contained a summary of:

› Top five performing areas / Things to celebrate.
› Top five opportunities for improvement.

Together with management, the internal audit team worked on identifying practical and workable solutions and quick wins to address control weaknesses. These actions, along with transparent reporting and communication allowed the division to increase trust amongst their staff in their commitment to continuous improvement and to the Department’s values.

Shown below is an example reporting format used in this CSA exercise.

1. Executive Summary
2. Overall Results Chart
3. Key Strengths (Top 5)
4. Key Opportunities for Improvement (Bottom 5)
5. Result Summary by Control Area (use table below for each control area included in the CSA)

Control Area | Aggregate Control Assessment
<Name of control area> | Fully Effective (refer table below for definitions)

Identified Strengths:
<dot-point key strengths identified in the CSA>
Observations:
<dot-point key learnings, results of data validation and opportunities for improvement>
Agreed Improvement Actions:
<detail actions agreed with management>
Responsible Officer: xx
Target date: xxx

Control Effectiveness Definitions

CSA Response | Controls Rating per Risk Management Framework | Controls Rating Definition
Never (0% of time) | Totally ineffective | Control is not in place
Rarely (25% of time) | Largely ineffective | The control is operating poorly and improvements are required
Sometimes (50% of time) | Partially effective | Some work is required to improve the control
Usually (75% of time) | Substantially effective | The control is well-designed some minor work is required to improve effectiveness
Always (100% of time) | Fully effective | The control is well-designed and is operating effectively and reliably at all times

Conclusion

Summary

Many internal audit functions provide a ‘one dimensional’ internal audit service built around similar-sized internal audit engagements, often focusing in depth on a particular risk, subject or operation. Due to internal audit resource scarcity combined with the impact a traditional internal audit has on each business area, there is a limit on the number of operational audits that can be delivered in a given year.

To stretch the coverage of internal audit activity, it is useful to look for innovative ways that internal audit services can be delivered. CSA is a way to provide a low impact internal audit service that can engage with business areas to provide a low depth but broad coverage of the control environment. When combined with operational audits, CSA methodology allows the internal audit function to achieve both the depth and breadth of cover with limited resources.

Conclusion

At the Department, we found CSA helped internal audit engage with business unit personnel to better understand controls. The primary driver for a CSA approach was collaboration and relationship building with senior executives to build a culture where risk and control is understood and appreciated. It expanded assurance coverage in a cost-effective way and reduced the need for extensive internal audit testing. It is a way of stretching the internal audit budget further.

Bibliography and References

Useful References

McCuaig, B., 1998. Auditing, Assurance & CSA. Internal Auditor, Jun, lv(3), p. 43+.

The Institute of Internal Auditors - Australia, 2022. Factsheet: Control Self-Assessment. [Online] Available at: https://iia.org.au/technical-resources/fact-sheet/iia-australia-factsheet-control-self-assessment

The Institute of Internal Auditors, Inc., 1998. Professional Practices Pamphlet 98-2: A Perspective on Control Self-Assessment, Altamonte Springs: The Institute of Internal Auditors, Inc.

Purpose of White Papers

A White Paper is a report authored and peer reviewed by experienced practitioners to provide guidance on a particular subject related to governance, risk management or control. It seeks to inform readers about an issue and present ideas and options on how it might be managed. It does not necessarily represent the position or philosophy of the Institute of Internal Auditors-Global and the Institute of Internal Auditors-Australia.

Author Biography

This White Paper written by:

Yulia Wood BSc, CPA(US), CA, PMIIA
Yulia Wood is the Risk and Audit Manager and Chief Audit Officer at the Department of Health in Western Australia. Her 20-years of experience in risk and audit include Australian public and tertiary education sectors and leading international internal audit activities for a global US-based manufacturing company. Yulia is passionate about the power of risk and audit integration, importance of soft controls, and continuous innovation in the risk and audit fields to drive the value of the functions she leads and of the internal audit profession.

Carol Richardson-Dale BCom, PFIIA
Carol Richardson-Dale is the Principal Audit Consultant at the Department of Health in Western Australia. Since joining the department in 2020, Carol was instrumental in establishing and documenting governance arrangements of the internal audit function in line with the ‘International Professional Practices Framework’ to set the function on a maturity growth trajectory. Carol previously worked in the Australian University sector for over 10 years within an integrated audit and risk team. One of her major achievements was delivery of a number of control self-assessments at the operational business unit level leading to a consolidated report at the University level.

This White Paper edited by:

Michael Parkinson BSc(Hons), GradDipComp, PFIIA, CIA, CISA, CRMA, CRISC

About the Institute of Internal Auditors-Australia

The Institute of Internal Auditors (IIA) is the global professional association for Internal Auditors, with global headquarters in the USA and affiliated Institutes and Chapters throughout the world including Australia.

As the chief advocate of the Internal Audit profession, the IIA serves as the profession’s international standard-setter, sole provider of globally accepted internal auditing certifications, and principal researcher and educator.

The IIA sets the bar for Internal Audit integrity and professionalism around the world with its ‘International Professional Practices Framework’ (IPPF), a collection of guidance that includes the ‘International Standards for the Professional Practice of Internal Auditing’ and the ‘Code of Ethics’.

The IIA-Australia ensures its members and the profession as a whole are well-represented with decision-makers and influencers, and is extensively represented on a number of global committees and prominent working groups in Australia and internationally.

The IIA was established in 1941 and now has more than 200,000 members from 190 countries with hundreds of local area Chapters. Generally, members work in internal auditing, risk management, governance, internal control, information technology audit, education, and security.

Copyright

This White Paper contains a variety of copyright material. Some of this is the intellectual property of the author, some is owned by the Institute of Internal Auditors-Global or the Institute of Internal Auditors-Australia. Some material is owned by others which is shown through attribution and referencing. Some material is in the public domain. Except for material which is unambiguously and unarguably in the public domain, only material owned by the Institute of Internal Auditors-Global and the Institute of Internal Auditors-Australia, and so indicated, may be copied, provided that textual and graphical content are not altered and the source is acknowledged. The Institute of Internal Auditors-Australia reserves the right to revoke that permission at any time. Permission is not given for any commercial use or sale of the material.

Disclaimer

Whilst the Institute of Internal Auditors–Australia has attempted to ensure the information in this White Paper is as accurate as possible, the information is for personal and educational use only, and is provided in good faith without any express or implied warranty. There is no guarantee given to the accuracy or currency of information contained in this White Paper. The Institute of Internal Auditors–Australia does not accept responsibility for any loss or damage occasioned by use of the information contained in this White Paper.
