Evaluating internal controls: control self-assessment in government.
The Institute of Internal Auditors defines control self-assessment as "a process through which internal control effectiveness is examined and assessed. The objective is to provide reasonable assurance that all business objectives will be met." (2) As the term self-assessment implies, an organization's own employees--not external auditors or consultants--perform the evaluation of internal controls, usually with the help of the internal audit department. GSA provides an opportunity for management and/or internal auditors, along with operating staff, to join forces in objectively reviewing key business objectives, the risks involved in achieving those objectives, and the internal controls designed to manage those risks. (3) A properly implemented control self-assessment program is a powerful management tool.
Government managers and finance officers are well versed in the concepts and practices of internal control. GFOA first provided extensive guidance on the design, implementation, monitoring, and reporting of controls in its 1981 publication, How to Evaluate and Improve Internal Controls in Governmental Units. This publication has since been replaced by one entitled Evaluating Internal Controls: A Local Government Manager's Guide. Still, there is evidence that local governments in general are not familiar with the relatively new concept of control self-assessment. This article explains what GSA is and how it is being used by governments to enhance internal controls.
Control self-assessment was developed in Canada in the late 1980s but was not widely practiced in the United States until the mid 1990s, when companies began incorporating GSA as a major component of their audit strategies. The Institute of Internal Auditors embraced the concept in its infancy, and began sponsoring the annual GSA Users' Conference in 1993. Four years later, the IIA established the Control Self-Assessment Center to provide guidance, publications, seminars, and conferences on GSA implementation. By 1999, the IIA was offering a specialty certification for practitioners of control self-assessment--the Certification in Control Self-Assessment, or CCSA.
In control self-assessment, the evaluation of risks and controls is performed by personnel responsible for the work under evaluation. This causes a shift in some responsibilities related to internal control. Exhibit 1 compares the assignment of responsibilities under the traditional audit approach to the GSA approach. (4) Traditionally, the internal auditors evaluate and assess the adequacy of controls and prepare an audit report for management. Under the GSA approach, however, work teams comprised of operating staff issue this report directly to management.
Notice that responsibility for setting business objectives, assessing risks, and ensuring the adequacy of internal controls is the same under both approaches. However, responsibility for evaluating risks and controls and for reporting the results shifts from internal auditors to work teams. This reflects the fact that employees are in a better position to evaluate risks and controls relevant to their operations than either internal or external auditors.
BENEFITS OF SELF-ASSESSMENT
The primary benefit of control self-assessment is that it strengthens the internal control environment by involving operating units in the process. In Self-Assessment: Making a Choice, Glenda Jordan identified five major benefits of control self-assessment:
* GSA helps line employees at all levels better understand and assume responsibility and accountability for effective control and risk management
* Corrective action can be more effective because participants "own" the results
* GSA provides broader coverage on important issues because the experts, the work team, can quickly focus on key risks and controls
* GSA improves communication at all levels since workshops can include multiple locations, departments, functions, and levels of personnel
* CSA teaches participants how to analyze and report on internal control, thus helping to increase the control consciousness of the entire organization (5)
In our first survey, respondents reported a number of positive outcomes that were the direct result of their control-self assessment efforts. Consider the following examples:
* Improved plant maintenance and safety practices
* Avoided development of an unnecessary $2 million information system
* Evaluated department objectives and reorganized department to meet new objectives
* Implemented a communication plan to keep employees informed of concerns associated with institutional growth
* Increased awareness of business process risks
* Eliminated duplicate work efforts
* Reorganized the billing function and changed to an outside billing vendor
* Improved the internal control environment and communication between departments, making it easier for departments to share information about objectives, performance, and business recovery plans
Texas governments responding to our second survey also reported a number of significant benefits stemming from their GSA efforts. These included higher employee morale, increased implementation rate for action plans, improved communication, better understanding of operations, improved internal control environment, and increased efficiency.
Just as every organization has a different approach to internal auditing, every organization has a different approach to control self-assessment. However, there are three primary GSA approaches being used by organizations today: facilitated team meetings (workshops), questionnaires, and management-produced analysis. Under the workshop approach, a trained facilitator gathers internal control information from work teams representing multiple levels of the organization. The questionnaire approach relies on the results of a survey instrument to assess internal control effectiveness. Management-produced analysis is any method that does not involve either a workshop or a survey. (6)
Research conducted by both the Institute of Internal Auditors and the authors shows that the workshop approach is the most common overall. However, the few government respondents using GSA indicate a slight preference for the questionnaire approach.
Questionnaires are usually considered the preferred approach in organizations in which the environment does not accept and support candid responses on sensitive issues such as control. However, questionnaires do not promote creative thinking and may hamper the development of ideas to improve the control environment. Obviously, questionnaires must be written in language that can be readily understood by the respondents. Otherwise, respondents will either answer certain questions incorrectly or not answer them at all. The questions should also be worded in such a way as to force respondents to think deeply about their responses, thus yielding the kind of information that can facilitate improvements in the internal control framework. Finally, all questionnaires should be pretested to identify structural problems.
The workshop approach works well when management supports open and honest responses from participants. Led by a trained facilitator, workshops usually last for several hours. The facilitator is often an internal auditor who understands the control and risk objectives of the organization and is trained in facilitation techniques. Proper facilitator training is important to the success of the workshop. Participants must be motivated to honestly evaluate the processes, controls, and risks, and to offer constructive suggestions for improvement. Facilitators must be trained to handle ambiguous situations and to avoid intimidating participants. Exhibit 2 summarizes the four major types of workshops identified in A Perspective on Control Self-Assessment.
Organizations desiring a more informal workshop, and one that is easier to facilitate and record, often use the departmental or situational approach in which the focus is on individual departments. Work teams are typically asked two questions: (1) What things help or enable you to meet your department's objectives? and (2) What things hinder your efforts to meet your department's objectives?" (7) Participants are asked to record their responses to each question on a single sheet of paper. Responses are then posted on the wall, categorized, summarized, and prioritized. The work team then discusses solutions to the top-ranking problems.
THE STATE OF THE PRACTICE
To determine the extent of CSA usage, the authors posted a survey on the Global Auditing Information Network, or GAIN. (8) Maintained by the Institute of Internal Auditors, GAIN is a benchmarking project that tracks the use of current auditing standards and practices. Although most of the 145 respondents were from the United States, a number of foreign entities also participated. Eleven of the respondents represented government agencies. Of the government respondents, 54.6 percent were either currently using or planning to use control self-assessment, 18.2 percent had never considered it, and 27.2 percent had decided against it. Those governments that had decided against using CSA cited three reasons: lack of resources, lack of management support, and the use of top-down risk management.
We e-mailed a second survey to 750 members of the Government Finance Officers Association of Texas. Only three of the respondents reported the use of control self-assessment in their jurisdictions. Many respondents commented that they were altogether unfamiliar with the concept of CSA. This suggests that either GSA is underutilized by governments in the state of Texas or that it is being used but is known by another name, such as enterprise risk management.
Exhibit 3 compares the responses from the first (S1) and second (S2) surveys on a number of critical factors. The center column marked S1G represents the responses of government agencies to the S1 survey. Here we take a look at the state of CSA based on the results of our surveys.
The first survey shows that a higher percentage of governments (16.6 percent) employ certified CSA facilitators than the group as a whole (11.8 percent). Governments were also more likely to employ staff that had attended an outside facilitator workshop. Given that the workshop is the preferred approach to CSA, however, there is a clear need for additional trained facilitators in both the public and private sectors.
Only 13.8 percent of the respondents to the first survey reported using CSA work teams of more than eight people. The typical work team is comprised of two to five team members who are usually appointed. Government respondents in both surveys reported a much higher percentage of appointed members than their private sector counterparts, who rely more heavily on volunteers and other methods of selection.
All of the government respondents in both surveys indicated that they follow up on CSA findings. This is approximately 15 percent higher than in the private sector. Fifty percent of Texas governments reported that changes take longer than a year to implement, which is a much higher percentage than both the public and private respondents in the first survey.
CSA IN ACTION
Through control self-assessment, the work teams or survey participants perform a thorough analysis of objectives, risks, and controls. The analysis should consider every conceivable risk to the achievement of organizational objectives--from legislation to natural disasters. The results are often surprising. For example, a government might be surprised to learn that an activity involving millions of dollars and multiple controls and individuals may actually have less risk exposure than a simple, low-profile activity such as a cashier window. The difference lies in the effectiveness of the controls over the inherently risky endeavor of cash handling.
Consider the case of an accounts payable department whose objective is to process, pay, and record valid invoices in a timely and accurate manner. The CSA work team begins by identifying the current control elements and risks. One such risk is the potential for receiving reports to get lost in the shuffle between purchasing and accounts payable, thus delaying payment and disqualifying the government from taking advantage of discounts. The next step is to determine what, if any, changes need to be made to strengthen the control environment and mitigate risks. In this case, the government might choose to give accounts payable online, read-only access to purchasing's records. In implementing changes, it is important to assign specific responsibilities to specific individuals and to set a target date for completion.
"A Case Study in Control Self-Assessment" (see sidebar) describes how one government agency has successfully used CSA to enhance its management capabilities.
Control self-assessment is a powerful management tool that appears to be underutilized by governments. Perhaps the most compelling argument in favor of using GSA is that it offers many benefits at a relatively low cost. Many governments, especially smaller ones, do not have the luxury of hiring an outside consulting firm to evaluate the effectiveness of their internal control systems. By entrusting internal staff with this important function, they can actually enhance the utility of these evaluations, as well as the likelihood that necessary changes will be implemented.
Exhibit 1: Shifting Responsibilities -- Traditional Audit Approach vs. The CSA Approach Traditional CSA Responsibilities Approach Approach Setting business objectives Management Management Assessing risks Management Management Adequacy of internal controls Management Management Evaluating risks and controls Auditors Work Teams Reporting Auditors Work Teams Validate evaluation of risks and controls Auditors Auditors Objectives used Auditors Management Exhibit 2: Types of CSA Workshops Objective-based The workshop focuses on accomplishing an objective. It is assumed that the initial risk identification and control design have already been done. The workshop is used to determine whether the existing controls are working effectively and resulting in acceptable levels of risk. Risk-based The workshop focuses on identifying probable risks and controls needed achieve individual objectives. It is an excellent approach for an entity that has not yet performed a risk assessment. Control-based The workshop focuses on how well existing controls are working. The facilitator identifies risks and controls before the workshop, and the work team produces a gap analysis showing the difference between how the controls are working and how they are intended to work. Process-based The workshop focuses on a specific process such as purchasing. Prior to the workshop, management establishes objectives for the process as a whole and for each activity therein. Workshop participants identify risks and controls associated with each objective, evaluating, updating, and reengineering processes as appropriate. Exhibit 3: The State of the Practice -- Comparing Survey Results Area S1 S1G S2 How many years have you used CSA? Less than 1 year 31.5 33.3 66.6 1 - 2 years 20.6 16.6 -- 3 - 5 years 38.0 50.0 33.3 6 or more years 9.7 -- -- Is there a certified CSA person on your staff? Yes 11.8 16.6 -- No 76.2 50.0 100.0 Working on certification 11.8 33.3 -- Have you or someone on your staff attended a facilitator workshop? Yes 55.1 62.5 33.3 No 44.8 37.5 66.6 How will employees and management be educated and informed about the CSA process? Outside seminar 12.1 30.0 n/a In-house seminar 56.5 50.0 n/a Other (including both and on-line training) 31.3 20.0 n/a How many members comprise an average CSA team? 2 - 5 67.3 83.3 66.6 6 - 8 18.8 16.6 33.3 9 - 10 8.9 -- -- 11 - 20 4.9 -- -- More than 20 -- -- -- How are the CSA team members selected? Volunteer 37.1 20.0 -- Appointment 39.0 80.0 66.6 Election 0.9 -- -- Other 22.8 -- 33.3 Is there any type of follow-up on the CSA results? Yes 84.8 100.0 100.0 No 15.1 -- -- Indicate the average length of time it takes to make changes. Less than 6 months 51.2 75.0 50.0 6 - 12 months 41.2 12.5 -- Longer than 1 year 7.5 12.5 50.0
(1.) Stephen J. Gauthier, Evaluating Internal Controls: A Local Government Manager's Guide (Chicago: GFOA, 1996).
(2.) A Perspective on Control Self-Assessment, Professional Practices Pamphlet 98-2 (Altamonte Springs, Florida: Institute of Internal Auditors, 2000), "CSA Definition."
(4.) L Hubbard, Control Self-Assessment: A Practical Guide (Altamonte Springs: Institute of Internal Auditors, 2000), 5.
(5.) Hubbard, 7.
(6.) A Perspective on Control Self-A Assessment, "CSA Approaches."
(7.) Hubbard, 17.
(8.) Visit www.gain2.org
RELATED ARTICLE: A CASE STUDY IN CONTROL SELF-ASSESSMENT
As the states chief tax collector, revenue estimator, accountant, and treasurer; the Texas Comptroller of Public Accounts is the lifeline of the state's vast public service network. In this central and critical role, the Comptroller conducts its business with the highest regard for taxpayers and a strong commitment to continuous improvement through innovation.
In April 2001, based on a recommendation from the manager of the Comptroller's Internal Audit Division, executive administration staff participated in a risk self-assessment workshop to evaluate this new tool and to decide whether it was something they wanted to recommend for adoption by individual Comptroller divisions. Based on their favorable recommendation, the enterprise risk management (ERM) project was launched. Initially a trainer/facilitator was selected to learn the risk self-assessment process and to make it available to agency divisions. Divisions have now completed 50 risk assessment workshops, and requests for more continue to come in.
The Comptroller's ERM process is built around risk self-assessment (RSA) sessions involving work teams at all levels of the agency, from executive to front-line workers. During the RSA sessions, team members perform the following six activities:
1. Review their mission statement
2. Identify their key processes
3. Identify the risks that threaten each of their key processes
4. Rate the severity and probability of each risk without controls
5. Decide which internal controls can avoid or reduce the risks
6. Re-rate the probability of each risk with the suggested controls in place
After the session, the manager receives a risk self-assessment report showing the work team's prioritized key activities, a summary chart showing all of these activities and the associated risk levels before and after controls, and a breakdown by activity of all risks and suggested internal controls for mitigating those risks.
The sessions are usually completed in a single morning or afternoon session of one to four hours, depending on the number of participants. The risk information is provided to the team leader in an Excel workbook created during the RSA sessions.
To date, the Comptroller has reaped a number of important benefits from its self-assessment efforts, including the following:
* Expanded employee understanding of their area's risks and internal controls
* Increased employee involvement in managing risks
* Improved employee understanding of how their key activities are related to the key activities of other employees or work teams
* Discovery of and preparation for new risks before they happen
The Controller has experienced an enhanced management ability to focus on the internal controls that really matter. Instead of focusing on processes with the largest cost or staff, managers use the tool to focus on processes at the greatest current risk. As a result, decisions about hiring, contracting, spending and the like are evaluated with questions like, Which internal controls will be improved as a result of this decision? How severe is the risk profile of the key process the improved controls are intended to protect? What does the cost-benefit profile look like? Such questions lead to decisions based on hard facts instead of feelings. And, because the staff affected by the decisions produced the risk profile upon which the decisions are based, managers usually obtain a high degree of staff buy-in to the proposed controls.
SHARRON N. GRAVES, CPA, is an assistant professor at Stephen F. Austin State University in Nacogdoches, Texas. She holds a bachelor's degree from the University of Texas and a master's degree from Stephen F. Austin State University. Her research and teaching interests include financial accounting and accounting information systems.
BILL LONGENECKER is a senior training specialist in the Human Resources Division of the Texas Comptroller of Public Accounts. He holds a Ph.D. in educational administration from the University of Texas at Austin. His primary teaching and research interests are organizational development and adult learning.
TREBA L MARSH, DBA, CPA, is an associate professor and interim chair of the accounting department at Stephen F Austin State University. Dr. Marsh holds a DBA in accounting from Louisiana Tech. Her research and teaching interests include financial and governmental and not-for-profit accounting.
HEIDI MILSTEAD graduated from Stephen F. Austin State University's Master of Professional Accountancy program in May and now works for Deloitte and Touche, LLP.
|Printer friendly Cite/link Email Feedback|
|Title Annotation:||includes related article|
|Author:||Graves, Sharron M.; Longenecker, Bill; Marsh, Treba L.; Milstead, Heidi|
|Publication:||Government Finance Review|
|Date:||Jun 1, 2003|
|Previous Article:||Guidelines for effective uses of swaps in asset-liability management.|
|Next Article:||Circumscribing debt issuance with written policies. (Best Practices).|
|Evaluate the control environment: documentation is only a start; now it's all about asking questions.|
|Two new publications on PCAOB Auditing Standard No. 2 Released.|