Control Self Assessment

ACCT 1163
Operations Auditing
SURVEY AND WORKSHOP
APPROACHES TO CSA
 Key line managers across the business may be required to certify annually to the
effectiveness of internal control by returning a completed certificate or questionnaire. Part
of the management obligation might be to consult staff as part of this process and certify
that all the concerns of staff have been addressed. In CSA parlance, this approach is
usually termed “a survey approach to CSA”.
 A small number of managers and staff are selected to form the workshop. Each member of
the workshop should play an approximately equal role in the process that is the subject of
the workshop and all the most significant elements of the process should be represented
between the differing expertise and experience of the workshop members. The
requirement to cover the elements of the process amongst the workshop members is likely
to be the main driver to determine the size of the workshop.
SELECTING WORKSHOP
PARTICIPANTS
 the presence of a senior manager is likely to inhibit the workshop in that more junior
members may defer to the judgement of the more senior. Much depends on the personality
of the particular senior people and also on the management style.
 If acknowledgement of control weaknesses is unwelcome, then the workshop is unlikely to
be successful.
WHERE TO APPLY CSA

 It will be apparent that the CSA approach lends itself naturally to the review of business
processes that step across structural boundaries of the business.
 Workshop members can be drawn from each of the parts of the businesses that need to
coordinate effectively to achieve the purposes of the subject business process.
 CSA may also be an effective approach to follow to review the quality of control in highly
technical areas of the business that the internal audit activity lacks the competence to
understand adequately.
*continuation

 It will usually be wise to commence CSA in “easy win” parts of the organisation, which
are likely to have some of these characteristics:
• There is likely to be considerable opportunity to make improvements.
• The process steps across departmental frontiers and is difficult to review as a
conventional internal audit assignment.
• Internal auditors have insufficient technical skills to master the activity to be reviewed.
• The activity is performed in a participative, nonthreatening part of the organisation so
that workshop participants are unlikely to be reluctant to be frank.
CSA ROLES FOR MANAGEMENT AND
FOR INTERNAL AUDIT
 Ideally it should be management who have the responsibilities to decide:
• the subjects to be covered by CSA;
• the approach, whether survey of workshop, to be used;
• the frequency of the workshops;
• who should be invited to be members of the workshops;
• the action to be taken based on the workshop results;
• what to report, and to whom.
 The role of internal audit is usually:
• to facilitate to CSA programme;
• to facilitate CSA workshops;
• to review the assurance that management and the board can place on the CSA programme;
• to report the results of their assurance review to senior management and to the board.

*Effective facilitation of CSA by internal audit should ensure that an optimal programme
of CSA workshops is decided upon by management, and appropriate workshop members are
chosen.
AVOIDING LINE MANAGEMENT
DISILLUSIONMENT
 Management and staff often misguidedly assume that control is the prime domain of the
internal auditing function, and they fail to recognise that they have the prime responsibility
for control activities and that control is an integral part of their management processes.
 Line managers should be encouraged to acknowledge ownership of their systems and
processes, and to aim to reduce, counter or eradicate the related risks as one mechanism for
contributing to improved performance.
 The success (or otherwise) of CSA is heavily dependent on how the concept is “sold” to
management, for example:
• what is the agenda? (Cost saving, quality and performance improvements, corporate survival
through the achievement of objectives, linkages with other concurrent initiatives, such as quality,
etc.);
• the prevailing attitude of senior management and whether they are seen to be committed to the
process;
• the past and future role of internal auditing within the organisation;
• whether the CSA process is, in itself, unduly cumbersome and bureaucratic;
• the extent to which line management and their staff are able to influence the process and “have their
say” (i.e. a partnership approach);
• the degree of preparation and support provided to managers and their staff (i.e. training workshops
and the clear communication of the objectives of the CSA programme).
 CSA is an opportunity for management and internal audit to establish a common perception of the
organisation through its procedures and control activities.
 The CSA process should be forward-looking; recognising and accepting the need to improve
control processes as a success factor, rather than negative reactions to past oversights. Without an
open and honest approach to the review and assessment of control, the results are likely to be half-
hearted and the opportunity to reap real benefits will be missed.
 The CSA process should be built on, promoting a collective responsibility for internal control as a
partnership between line management, who are accountable for control as part of their
responsibilities, and internal audit, who objectively appraise the effectiveness of controls in place
on behalf of senior management.
 Forms of measuring achievements can be devised that enable performance comparisons to be
assessed over time, as a means of marking improvements and gains. Internal audit should consider
formally reporting the positive aspects of their findings in the context of attaining the strategic and
operational goals set for the organisation.
ENCOURAGEMENT FROM THE TOP

 Senior management need to demonstrate commitment to the CSA process and encourage
line management to buy-in to the fact that internal controls can support the achievement of
corporate goals.
 In order to provide the direction and focus for CSA, it will be necessary to identify the
strategic and operational objectives for the organisation.
 Management should aim to engender a positive and contributive environment, where CSA
participants can have their say and influence outcomes.
 CSA offers unique opportunities for a new and more proactive relationship to be
established between line managers and the internal audit function, with all parties focusing
their attention on positive achievement through an effective internal control environment.
FACILITATING CSA WORKSHOPS, AND
TRAINING FOR CSA
 Facilitation of CSA workshops by internal audit may involve two internal auditors at a
workshop—one as the facilitator and the other as the “scribe” drafting the report of the
workshop “in real time” as the workshop progresses.
 An issue of concern for chief audit executives collaborating in the introduction of CSA is
whether their existing internal audit staff have appropriate facilitation skills, and also an
understanding of control self assessment so that they can act as effective CSA facilitators.
 CCSA holders gain exemption from one of the four examination papers (Paper 4) that lead
to the main, global professional designation for internal auditors—Certified Internal
Auditor (CIA).
 Facilitation of CSA by the internal audit activity fits into the “consulting services” rather
than the “assurance” role of internal audit.
ANONYMOUS VOTING SYSTEMS

 Anonymous voting hardware and software, often termed “audience response systems”, are
frequently used, with each workshop participant having a cordless keypad.
 The votes result in collected data, presented attractively perhaps in graphs or pie charts that
can be incorporated where relevant into the report of the workshop.
 anonymous voting results in candid expressions of opinion, unalloyed by a voters’ concern
about the reception their vote will be given by their peers or managers who are also
participating in the workshop
COMPARING CSA WITH INTERNAL
AUDIT
We do not consider that CSA can be a satisfactory alternative to a conventional internal audit
activity, although at its outset many wondered whether it would prove to be so. Our reasons are
these:
• the relative lack of independence and consequential objectivity that characterizes CSA;
• the importance of management receiving dependable assurance on governance processes, risk
management and internal control—at the audit engagement level, as well as overall assurance on
these to top management, the board and the audit committee;
• the need for internal audit to encourage the CSA programme and to facilitate the CSA workshops;
• the value to top management, the board and the audit committee of internal audit reporting to these
parties on the quality and scope of the CSA programme;
• the need to provide management and staff with training in order that they approach CSA
effectively, and the likely need for internal audit to do this.
A HYBRID APPROACH—INTEGRATING INTERNAL
AUDITING ENGAGEMENTS WITH CSA WORKSHOPS

 When this approach is followed, a CSA workshop may be convened either during the
planning phase of the audit or at the commencement of the audit fieldwork, facilitated by
the internal audit team.
 The issues highlighted by that workshop will be followed up by the internal audit team, to
the extent that they are relevant to the objectives of the audit.
 At the end of the audit fieldwork, instead of or additional to the usual exit meeting, the
CSA workshop reconvenes and considers the issues afresh, taking account of the findings
of the audit team.
WORKSHOP FORMATS

 The commonest intention of a CSA workshop is to determine whether and how internal
control needs to be improved in the subject area of the workshop. This requires a clear
understanding of the objectives of the activity under consideration and the risks (internal
and external) to the achievement of those objectives (Figure 10.1).
 It is only then that the adequacy of controls can be considered together with
whether and how they may be improved. Control can be judged effective if:
• the controls that are in place have the potential to mitigate the risks if they are applied;
• the controls that are in place are being applied effectively; and
• the extent to which the controls do not mitigate risk is acceptable to the organisation.
UTILISING CoCo IN CSA
PURPOSE

1. Do we clearly understand the mission and vision of the organization?

2. Do we understand our objectives, as a group, and how they fit with other objectives in
the organization?
3. Does the information available to us enable us to identify risk and assess risk?
4. Do we understand the risk we need to control and the degree of residual risk
acceptable to those to whom we are accountable for control?
5. Do we understand the policies that affect our actions?
6. Are our plans responsive and adequate to achieve control?
7. Do we have manageable performance targets?
COMMITMENT

1. Are our principles of integrity and ethical values shared and practised?
2. Are people rewarded fairly according to the organization’s objectives and values?
3. Do we clearly understand what we are accountable for, and do we have a clear
definition of our authority and responsibilities?
4. Are critical decisions made by people with the necessary expertise, knowledge and
authority?
5. Are levels of trust sufficient to support the open flow of information and effective
performance?
CAPABILITY

1. Do we have the right people, skills, tools and resources?

2. Is there prompt communication of mistakes, bad news and other information to people
who need to know, without fear of reprisal?
3. Is there adequate information to allow us to perform our tasks?
4. Are our actions coordinated with the rest of the organization?
5. Do we have the procedures and the processes to help ensure achievement of our
objectives?
MONITORING AND LEARNING

1. Do we review the internal and external environment to see whether changes are
required to objectives or control?
2. Do we monitor performance against relevant targets and indicators?
3. Do we challenge the assumptions behind our objectives?
4. Do we receive and provide information that is necessary and relevant to decision-
making?
5. Are our information systems up to date?
6. Do we learn from the results of monitoring and make continuous improvements to
control?
7. Do we periodically assess the effectiveness of control?
Control Objectives for Control Self
Assessment
(a) To contribute to ensuring that risks are managed to be within the organisation’s risk
appetite.
(b) To tap into the knowledge and experience of management and staff who run business
processes.
(c) To empower management and staff to assess and improve the mitigation of risks.
(d) To provide a practical means to assess business processes that cut across structural
boundaries of the organisation.
THANK
YOU!!!