Management is responsible for setting the organisation’s structure, allocating resources throughout the entity, overseeing the programs and processes, and monitoring the related objectives, risks, and controls. Yet, when business managers are asked about risks and controls, a troublingly high number of them, at many organisations, are unaware of these responsibilities.
Given this condition, it should not come as a surprise that so many organisations have weak risk assessment and management mechanisms in place, or that their controls receive scant attention. In many entities, business managers do not know what controls mean or what they should do with them. Instead, they leave it to the internal and external auditors, compliance professionals and regulators to look after controls. Control self-assessments (CSAs) are a valuable tool for correcting this deficiency.
CSAs consist of templates, questionnaires and other forms that ask process owners, managers, and business leaders to document:
- The nature of the processes under their responsibility;
- Key parameters and demographics of these programs and processes, such as volumes, key inputs, and outputs, and systems depended upon;
- Key actors participating in the performance of the related work and whose knowledge and diligence are key for success;
- Key risks threatening or affecting the success of the programs or processes they are responsible for;
- Key controls protecting these programs and processes;
- Monitoring, testing and reporting mechanisms in place that are depended upon;
- The key indicators that would alert management of anomalies requiring intervention.
The CSA documents are distributed at least annually to process owners for completion and are collected by internal audit as documentary evidence for review and discussion. This information is very valuable when preparing internal audit’s risk assessment and audit programs.
Independence, Objectivity, and Competence of Preparers
A primary concern with CSAs is the lack of objectivity on the part of the document preparers. Since business managers own, oversee or work within the program or process that is the subject of the questionnaire, the preparer is not independent and may be motivated to present a more favorable picture of prevailing conditions than is warranted.
The lack of knowledge about risks and controls can also compromise the completeness and quality of these documents. Since many managers are poorly or insufficiently trained on these topics, the quality of the information provided may be suspect as well.
Given these potential shortcomings, internal auditors should apply appropriate levels of professional skepticism to these documents. Trust, but verify.
To improve the quality and use of the CSA process, internal auditors should:
- Help management by providing orientation and training sessions on why these documents are essential and how to complete them appropriately. If managers do not know why they need to do this and how to do it properly, they will not invest sufficiently in the CSA process. Orientation should be provided to all newly hired or promoted business managers. Refresher training and workshops should be offered regularly to make sure managers and process owners are aware of emerging risks, are familiar with new documentation requirements, and have an opportunity to discuss the results of compliance reviews and internal or external audits.
- Include testing procedures as part of completing the CSA. In many organisations, the CSA process includes a requirement for regular checking and testing by staff within the business unit being assessed. This leverages their existing knowledge of how processes operate, but it also means they need to know about sample selection (or 100 percent testing), testing procedures, documentation standards, and reporting requirements, so that the results of the tests are communicated to those who need to know and can take corrective action when necessary. Testing may cover transactions as well as IT system configurations, information security controls, and operational effectiveness. The results should help the staff prepare an improvement plan.
- Use CSA documents during the risk assessment and audit planning phase to calibrate risk ratings. This information could help to identify current and emerging risks, and how to rate their impact, likelihood, velocity, and persistence if they were to occur. This review can provide valuable insights when internal auditors are preparing for an upcoming audit and should be a standard request item for analysis and discussion.
- Re-visit CSA documents after completing internal audits to determine how accurate the contents were when completed initially. This will enable auditors to provide feedback to management to improve their future quality and reliability.
The last bullet, re-visiting CSA documents after audits, is particularly essential but, unfortunately, often neglected. It constitutes a feedback loop. After CSA forms are completed and an audit is performed, the results of both should be compared. Sometimes the CSAs indicate that conditions and practices are in order and, therefore, that there is little residual risk to be concerned about. If the audit shows that conditions are not that favorable, this discrepancy should be communicated to management and, as necessary, supplemented with appropriate training so that the next time the CSAs are completed, they are more accurate. Deviations can indicate a lack of knowledge about risks, controls and prevailing practices, a desire to distract and conceal, or a misplaced reliance on existing controls.
If the CSAs indicate that conditions are deficient but the audit returns satisfactory results, that should also be communicated to the corresponding business managers. While the discrepancy could be due to the managers being overly conservative, it may also indicate that they are not as familiar with the operational results as they should be, and they can benefit from the positive feedback.
Ideally, both the CSA and audit results will be similar, showing there is a great deal of reliability in the process. This feedback loop provides a way to calibrate the CSA process and make sure that it provides management with a reliable source of information to manage their programs and processes better, identify weaknesses early, and serve as an input for the performance evaluation process.
Potential Trouble Spots
If the organisation is very decentralised, or there is excessive turnover or frequent change, it may be difficult to implement an effective CSA process. However, it is not impossible. A key determinant of success is the commitment of senior management to a healthy and robust control environment, the communication of the importance of compliance and continuous improvement, and the fostering of a culture of open communication and transparency.
Frequent training, linking the performance evaluation process to the effectiveness of risk and control measures, and employee surveys help to promote the program and its importance, and to correct issues promptly.
CSAs provide a mechanism to raise awareness of the organisation’s activities and to highlight the importance of establishing and monitoring objectives, risks, and controls. They also offer a way for business managers to demonstrate their ownership of and accountability for controls, reduce the likelihood and impact of fraud, and lower the organisation’s overall risk profile.