Control Self-Assessment article
2 likes1,177 views
Control Self-Assessment (CSA) is a technique originally developed in 1987 to allow managers and employees to evaluate their company's risk management and internal controls. CSA involves process owners testing the effectiveness of key controls throughout the year. Benefits of a CSA program include clear accountability for controls, reduced risk of fraud, and lower regulatory costs. Implementing an effective CSA program helps ensure internal controls are operating as intended and provides assurance to stakeholders.
Control Self-Assessment article
- 1. © Copyright Hari Iyer. Page 1 of 3 Background Control Self-Assessment (CSA) is a technique that was originally developed by Gulf Canada in 1987. In March 2000, the European Commission approved a white paper on CSA. In the United States when the Sarbanes-Oxley Act was implemented in 2007, section 404 of the Act required the companies to perform a top down risk assessment which necessitated CSA. In the United Kingdom in 2011 the Financial Services Authority (now Financial Conduct Authority) recognised in its recommendations for the improvement of operational risk management that the assessment of risks through a control self-assessment may be an important means of identifying risks. Today, a wide range of entities including private sector companies, voluntary sector (charities) and the public sector entities use CSA to assess the effectiveness of their risk management and control processes. The Institute of Internal Auditors run courses, seminars and offer Certification in Control Self- Assessment (CCSA). The Information Systems Audit and Control Association (ISACA) created a framework called COBIT (Control Objectives for Information and Related Technology). Control Self-Assessment is contained within COBIT’s Control Objective ME2.4. What is Control Self-Assessment CSA is a management technique that can be used to assure key stakeholders, both internal and external, that a company’s internal controls system is reliable. CSA allows managers and work teams directly involved in the business units, functions or processes to participate in assessing the company's risk management and control processes. CSA can cover objectives, risks, controls and processes. CSA is a sustainable process whereby management validates the operating effectiveness of its internal controls via testing. Each process owner and functional control owner within a company performs effectiveness testing to verify that the key controls are operating effectively. Control Self-Assessment
- 2. © Copyright Hari Iyer. Page 2 of 3 Each process owner develops test scripts for each key control and engages their team to perform the given tests throughout the year. This allows management to verify that these controls are working effectively. A CSA program expands the role of operations management from merely assessing the design of its internal controls to testing and validating the effectiveness of its internal controls throughout the year. Benefits of a CSA Program An effective CSA program can deliver a number of benefits including: Creation of clear line of accountability for internal controls; Minimising the risk of fraud; Creation of an improved controls environment resulting in a lower risk profile for the company ; Sustainability of management’s compliance program; Reduction in regulatory compliance costs CSA Program The first step in any CSA program is to document the company's control processes with the aim of identifying suitable ways of measuring or testing each control. The actual testing of the controls is performed by staff whose day-to-day role is within the area of the company that is being evaluated as they have the greatest knowledge of how the processes operate. The common techniques for performing the evaluations are: Internal Control Questionnaire (ICQ) or Customised Survey Questionnaires Interview Techniques Control model Workshops or Interactive Workshops Some companies choose a combination of methodologies that suits their operations to implement an effective CSA program. On completion of the assessment each control may be rated based on the responses received to determine the probability of its failure and the impact if a failure occurred. These ratings can be summarised to produce a risk matrix showing potential areas of vulnerability. In any CSA program, the key steps are to define the nature and extent of the company’s CSA program, roll out the program, perform the first round of testing and review, and then incorporate lessons learned before going through the process again.
- 3. © Copyright Hari Iyer. Page 3 of 3 Hadigy Limited is a private limited company incorporated in England with registered number 07010656. Hadigy is a Practice Assurance scheme member of the Chartered Institute of Public Finance and Accountancy (CIPFA). Hadigy is a member of the Federation of Small Business. This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy, validity or completeness of the information contained in this publication, and, to the extent permitted by law, Hadigy Limited, its employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it. Your Trusted Business Partner www.hadigy.com For details please contact: info@hadigy.com 17 Clareville Street, South Kensington, London SW7 5AJ Conclusion Entities have different drivers for wanting to enhance internal controls environment e.g. regulatory requirements, change in ownership, change in senior management, implementation of a major ERP system or simply wanting stronger internal controls to improve efficiency. Whatever the driver is, implementing a CSA program should be considered. By implementing an effective CSA program, the entity can embed internal control accountability deep into the company, ensure the sustainability of the internal controls compliance efforts, and ultimately reduce the cost of overall compliance efforts. In other words, an effective CSA program will drive a much improved internal control environment, giving assurance to all key stakeholders, internal and external alike, that the company’s controls are operating effectively. Author - Hari Iyer MBA, FCPA (Australia), CISA, Chartered FCSI Hari is the founding partner of Hadigy Limited, a management consultancy firm in London. Hari has over 25 years of financial and IT auditing experience gained partly with the Big 4 professional accountancy firms (EY, Deloitte & PwC) in the UK. This includes audit assurance reviews, SAP project assurance, business process reviews, IT audits, financial audits, business continuity management, and SAP governance, risk and compliance (GRC) implementation & reviews.