CSA by any name: control self-assessment, in its various forms, can be a powerful way to gather audit information. (Back to Basics).CONTROL SELF-ASSESSMENT (CSA) is a generic term that covers risk self--assessment (RSA), control and risk self-assessment (CRSA), and other processes whereby an organization's personnel evaluate their own risks and controls with the help of facilitators from the internal audit department. Assessments can be performed through a series of workshops or meetings or through questionnaires and can be applied to projects, processes, business units, and functions --basically any area of a company. Whatever format is used, the goal is the same: to help organizations assess the likelihood of achieving their business objectives by using the knowledge of the workers responsible for meeting them. CONDUCTING WORKSHOPS Workshops, the most popular CSA format, can focus on "soft," or informal, controls; risks to a single objective; or the overall operation or risks of a department or function. Workshops typically last two to four hours and involve 10 to 15 work-team members. Usually, one facilitator and one scribe conduct the workshop using a computer and projection unit to capture information about risks and controls on an interactive, real-time basis. Immediately after the workshop, a written GSA report detailing the workshop results -- objectives, risks, controls, and assessment -- is distributed to the work team's management. CSA encourages work teams to assess risks and recommend improvements to increase the likelihood of meeting objectives. When computer and projection equipment are not used, workshop results can be captured on flip charts or overhead charts and later transcribed into a CSA report. When using this approach, producing the report for management may take several days. Handheld voting technology also can be used to capture information. This method ensures anonymity and efficiency in gathering data. CSA VERSUS AUDITING CSA differs from other types of auditing in several ways. * Line employees, instead of internal auditors, evaluate internal controls. * Often, work teams, not the auditors, issue a report detailing an objective, its related risks and controls, and an assessment of the current status of meeting the objective. * Workshop participants are the risk and control experts when it comes to meeting their business objectives -- not the auditors. Auditing's role is that of a facilitator and an educator of risk and control concepts. * Because of the participation and collaboration of the work team, management and staff are more likely to accept the results -- which can include new procedures -- than if the results were derived from another type of audit. For many of these reasons, self-assessment can be a more effective way of evaluating soft controls than other internal audit methods. CSA has been growing in popularity for several years, but it still is not right for every situation. Self-assessments won't be successful if work teams are not open and honest, which may occur for any number of reasons -- fear of management reprisal, fear of the facilitator being an auditor, fear of reporting the results of the workshop, or simply fear of stating an opinion in a group setting. In some cases, anonymous voting can eliminate the problem, but other forms of control assessment -- such as traditional internal auditing -- may be more appropriate in certain situations. In most organizations that use GSA, the self-assessment effort is at most 30 percent of internal auditing's work, with the remaining work being traditional auditing. CHOOSING THE RIGHT FORMAT Almost all organizations that use GSA approach it differently. Some like to focus on risks, some on processes, and some on soft controls. Others use self-assessment workshops to determine the scope of their audit work. The main GSA formats are: * Risk-based. Work teams focus on identifying the risks they face in achieving their business objectives and the controls in place to manage key risks. Management usually reacts well to a risk-based approach to workshops. * Objective-based. Work teams focus on ways currently used to accomplish a given objective, then identify the risks that could still occur--the residual risks--despite the controls in place. This approach works best when controls are believed to be in good shape already, as it can confirm this and enable auditors to move on to other areas. * Control-based. Work teams focus on how well the controls in place are working. Controls are most likely identified before the workshop, and the workshop is used to validate their operation. This format may use a specific control framework, such as those created by The Committee of Sponsoring Organizations of the Treadway Commission or the Canadian Institute of Chartered Accountant's Criteria of Control Board, to identify the controls in place by framework category. GSA is particularly helpful in evaluating the soft, or informal, controls discussed in those frameworks. * Process-based. Work teams examine a process from beginning to end and identify the strengths and weaknesses of each process step. Audit departments that perform process-based audits often use this approach. * Departmental-based Work teams examine a department's overall situation and identify the things that help the department function as well as those that may prevent the department from reaching its goals. This type of GSA often requires the least pre-workshop planning time. The way these assessments are performed varies among organizations. Even the early implementers of GSA, starting in the late 1980s, differ in their views of the process. The wide variety of approaches reflects the differences in structure, level of employee empowerment, management style, and policies that exist within organizations. GATHERING INFORMATION Self-assessment--whether it is called GSA, RSA, GRSA, or some other term--is a powerful way to gather audit information in the right circumstances. It is used when there is a need for soft control information, when the auditors want to educate others in risk-assessment techniques, and when the auditors are trying to solidify management s ownership of risks and controls. However, it is important to remember that self-assessments are verbal evidence, much like audit interviews, and must be tested when used to form internal auditing's overall opinion of an organization's internal control. RELATED ARTICLE: Understanding CSA Control self-assessment offers may potential benefits. However, internal auditors often encounter several challenges when attempting to implement it. * Resistance to change. People are generally hesitant about altering the status quo, and CSA is a change from traditional internal auditing. * Ducking responsibility. Management may not believe that line employees should be responsible for effective control and risk management. They may view CSA as simply a shift of work--a way for internal auditors to get line employees to do auditing's job. * Inaccurate results. The CSA results may not be accurate if the participants are not knowledgeable or candid, or the facilitator is unable to get to the root causes of issues. * Lack of employee training. Asking line employees to assess risks and controls will involve additional training, as well as an increased time commitment on the employees' part to keep the CSA process functioning effectively. * Lack of facilitator training/skill. In most cases, internal audit staff members are not facilitators or trainers and will need to devote time to developing these skills. * Threat to human resources. Total quality management, organizational development, and human resources employees, who traditionally use facilitated workshops, may view CSA as a threat. Careful consideration of how CSA can benefit an organization can help overcome these challenges. * Employee understanding. CSA helps employees at all levels better understand and assume responsibility for effective control and risk management by involving them in the assessment process. * Results ownership. Corrective action for controls that aren't working is more effective because participants "own" the results. * Improved communication. Workshops improve communication at all levels, particularly between departments and between managers and work teams. * Controls education. CSA teaches participants how to analyze and report on internal control and provides them a tool for dealing with changes in objectives. * Clarification of objectives. CSA increases the awareness and understanding of organizational objectives. * Concentration on risks. CSA can quickly focus on high-risk issues and concentrate efforts where they are most needed. * Assessment facilitation. CSA workshops can provide an assessment of soft, or collaborative, controls that are difficult to assess with traditional auditing. To submit a "Back to Basics" article for consideration, or to request coverage of an introductory-level internal audit topic, please e-mail Larry Hubbard at Larry@LHubbard.com |
|
||||||||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion