Control self-assessment

Background

Control Self-Assessment (CSA) is a technique that was originally developed by Gulf Canada in 1987. In March 2000, the European Commission approved a white paper on CSA. In the United States, when the Sarbanes-Oxley Act was implemented in 2007, section 404 of the Act required companies to conduct a top-down risk assessment that CSA required. In the UK in 2011 the Financial Services Authority (now the Financial Conduct Authority) recognized in its recommendations for the improvement of operational risk management that risk assessment through a control self-assessment can be an important means of identifying risks. Today, a wide range of entities, including private sector companies, the voluntary sector (charities) and public sector entities, use CSAs to assess the effectiveness of their risk management and control processes.

The Institute of Internal Auditors conducts courses and seminars and offers the Control Self-Assessment Certification (CCSA).

The Information Systems Audit and Control Association (ISACA) created a framework called COBIT (Control Objectives for Information and Related Technologies). The Control Self-Assessment is contained in COBIT Control Objective ME2.4.

What is the control self-assessment?

CSA is a management technique that can be used to assure key stakeholders, both internal and external, that a company’s system of internal controls is reliable. CSA allows managers and work teams directly involved in business units, functions or processes to participate in the evaluation of the company’s risk management and control processes. CSA can cover objectives, risks, controls and processes.

CSA is a sustainable process by which management validates the operating effectiveness of its internal controls through testing. Every process owner and functional control owner within an enterprise performs effectiveness tests to verify that key controls are working effectively.

Each process owner develops test scripts for each key control and engages their team to perform the given tests throughout the year. This allows management to verify that these controls are working effectively. A CSA program expands the role of operations management from simply evaluating the design of the company's internal controls to testing and validating the effectiveness of those controls throughout the year.

Benefits of a CSA Program

An effective CSA program can provide a number of benefits, including:

• Creation of a clear line of responsibility for internal controls;

• Minimization of the risk of fraud;

• Creation of an improved controls environment that results in a lower risk profile for the company;

• Sustainability of management’s compliance program;

• Reduction of regulatory compliance costs.

CSA Program

The first step in any CSA program is to document the company’s control processes with the goal of identifying appropriate ways to measure or test each control. The actual test of the controls is carried out by personnel whose daily role is within the area of the company that is being evaluated, as they are the ones with the greatest knowledge about the operation of the processes. Common techniques for conducting assessments are:

• Internal Control Questionnaire (ICQ) or Custom Survey Questionnaires

• Technical interviews

• Control model workshops or interactive workshops

Some companies choose a combination of methodologies that suits their operations to implement an effective CSA program. Once the evaluation is complete, each control can be scored based on the responses received to determine the probability of its failure and the impact if a failure were to occur. These ratings can be summarized to produce a risk matrix showing potential areas of vulnerability.

In any CSA program, the key steps are to define the nature and scope of the company’s CSA program, implement the program, go through the first round of testing and review, and then incorporate lessons learned before going through the process again.

Conclusion

Entities have different drivers for wanting to improve the internal controls environment, for example, regulatory requirements, change in ownership, change in senior management, implementation of a major ERP system, or simply wanting stronger internal controls to improve efficiency. Whatever the reason, implementation of a CSA program should be considered. By implementing an effective CSA program, an entity can embed the responsibility for internal control into the business, ensure the sustainability of internal control compliance efforts, and ultimately reduce the cost of overall compliance efforts. In other words, an effective CSA program will drive a much better internal control environment, providing assurance to all key stakeholders, both internal and external, that the company’s controls are working effectively.
