Control Self Assessment

How to implement CSA

Published in: Education

  1. Control Self Assessment
     Presented by Manoj Agarwal CEP on May 22, 10 @ IIA-India, Bombay Chapter
  2. Agenda
     - CSA Implementation
     - Collecting and Reporting CSA Results
     - Communication traits
     - Facilitator responsibilities
     - Presentation skills
     - Dealing with different personalities
     - Preparing for a CSA workshop
     - Facilitating Workshops
     - What are objectives, risks and controls?
     - Soft Controls
     - ERM
     - Objectives, risks, and controls
     - Definitions of CSA
     - What makes CSA CSA?
     - Benefits and concerns of CSA
     - CSA controversies
     - What is CSA?
  3. What is Control Self Assessment
  4. What is CSA?
     - Control Self Assessment
     - A set of techniques used to assess risk, control strength, and control weaknesses utilizing a control framework.
     - The 'self' refers to the involvement of management and staff in the assessment process often facilitated by internal auditors.
  5. What is CSA?
     - Employee teams getting together with their managers and a facilitator:
     - to analyze, within a chosen control framework, the obstacles and strengths which affect their ability to achieve their key business objectives, and
     - to decide upon appropriate action.
  6. CSA Rationale
     - Responsibility for controlling risk belongs to management and all employees
     - People are the most important control factor
     - Most employees are honest, competent, and want their organization to succeed
     - People are far more likely to embrace needed changes if they are involved in the assessment process
     - Helps employees understand control
  7. CSA – WHEN IS IT USED?
     - Whenever practical – Depends on:
       - Size of the unit
       - Management buy-in
       - Staff availability
       - Audit scope
  8. When do you want to use CSA?
     - New work processes/projects
     - New organizations
       - to identify the risk exposures and required controls
     - Reorganizations
     - Management / Employee turnover
       - to identify where risks are
       - to create understanding for business objectives
       - to assess how risks are changing
       - to put emphasis on highest priority risks and controls
     - Processes that cross over into other work groups
       - to get to the root cause of problems
       - helps bring groups together
       - participants learn how their activities interrelate
       - collaborative problem solving
  9. CSA - GOALS & OBJECTIVES
     - Provide a forum for participants (stakeholders) to:
       - Conduct an assessment of risks and controls.
       - Develop recommendations for improvement.
       - Enhance their ability to achieve objectives.
       - Increase communication with the Unit.
       - Improve the efficiency and effectiveness of operations.
  10. Benefits of CSA
     - Honest feedback on control environment communication and monitoring
     - Ability to discuss and explore areas of concern to determine reasons and root causes of concern
     - Ability to obtain an understanding of the degree of concern among participants
     - Development of recommendations by employees in the Unit
     - Buy-in/Ownership of Recommendations
  11. Difficulties Encountered
     - Getting discussion started
     - Getting honest and open feedback
     - Identifying potential areas of concern
     - Understanding the degree and/or significance of concerns
  12. Objectives, risks, and controls
  13. System in Control
     - When a system is in control, we mean it can be relied upon to meet its objectives.
  14. Behaviors Affect Control
     - People are the most important control factor.
       - They make things happen
       - They can make a poor system work
       - They can make a good system fail
       - They are more important than the system
       - Their actions determine corporate success
  15. Control Activities
     - Formal Controls:
       - Directive - code of business conduct, policy manual, written specifications and procedures
       - Preventive - segregation of duties, security guards, locks, passwords, edits
       - Detective - supervisory controls, quality assurance reviews, account reconciliations, exception reports
     - Informal controls
       - Corporate culture
       - Integrity and ethical values
       - Commitment to competence
       - Management philosophy & style
       - Communication
       - Tone at the top
  16. Control Model
     - Purpose
       - Vision
       - Leadership
       - Authority
       - Objectives
       - Plans
       - Risks
       - Targets
     - Commitment
       - Ethics
       - Rewards
       - Recognition
       - Accountability
       - Authority
       - Trust
       - Fun
     - Capability
       - Skills
       - Resources
       - Information
       - Teamwork
       - Communication
       - Control Activities
     - Learning
       - Benchmarks
       - External events
       - Challenge assumptions
       - Review needs
       - Effective change
       - Self assessment
     - Action
       - PURPOSE: knowing what to do
       - CAPABILITY: being able to do it
       - COMMITMENT: wanting to do it
       - LEARNING: to do it better
  17. COSO Framework - Control Components
     - Diagram labels: INFORMATION, COMMUNICATION, CONTROL ENVIRONMENT, RISK ASSESSMENT, CONTROL ACTIVITIES, MONITORING
     - Diagram annotations: Traditional Auditing/Testing, CSA
  18. Facilitating Workshops
  19. Time commitment for CSA
     - Workshop - 1/2 to one day
     - Prep - 1-several hours of pre-discussion
       - overall process
       - known or suspected issues
       - who should participate
       - control/risk statement development - input
  20. CSA - SESSION REQUIREMENTS
     - 2 facilitators - responsible for:
       - Explaining the CSA process & rules.
       - Directing the flow of conversation.
       - Encouraging everyone to speak.
     - 1 scribe responsible for:
       - Recording participants’ comments & recommendations.
       - Operating the CSA equipment (Resolver, PowerPoint).
       - Ensuring session remains within time limitations.
     - Approximately 3 ¼ hours to complete.
     - 6 – 12 Unit employees.
  21. CSA Workshop Agenda
     - Identify Overall Business Objective Supporting Activities
     - Risk Assessment
     - Control Assessment
       - Control activities review
       - Key control indicators
       - Control gaps - ineffective or missing controls
     - Develop Action Plan
  22. CSA Workshop Participants
     - Responsible/knowledgeable parties
     - Parties impacted by activity (internal partners/customers)
     - Parties that can impact process/activity (management)
     - Think like an owner
     - Act as team member
  23. Principles
     - Open, honest communication
     - Trust
     - Everyone’s input is valuable
     - Information is provided by those who best understand their jobs
     - Information will be shared with others while retaining individual anonymity
     - Management will implement action plan
  24. Getting to the issues (a simplified view of what occurs)
     - Develop hypothetical risk events
       - Statements representing a lack of business controls
     - Participants vote on the importance of this risk, and the likelihood it is occurring, based on their experience/observations
     - Narrow to high risk/high likelihood issues to discuss and work through
     - Action Plan addresses how the control gap will be addressed
  25. CSA – ANONYMOUS VOTING
     - Series of internal control statements presented to participants concerning:
       - Control Environment
       - Communication
       - Monitoring
     - Resolver
       - Anonymous voting software and hardware.
       - Participants anonymously respond to their level of agreement with the statements.
     - Using the voting results:
       - Discussion is generated by facilitator.
       - Comments documented by scribe.
       - Recommendations developed via group consensus.
     - Anonymity is maintained and references to specific people are discouraged.
     - Facilitators remain independent and should not impose their opinion on the group.
  26. CSA Action Plan
     - OBSTACLE or CONCERN
     - Indicators (evidence that it’s a problem)
     - Impact (what can happen if no action is taken)
     - What Should The Group Do?
     - WHAT/WHO/WHEN?
  27. CSA – FACILITATION TIPS
     - DO’s
       - Ask open ended questions, but stay on topic.
       - Use a “parking-lot” to keep off-topic ideas.
       - Act only as a guide.
       - Ask for agreement when recording the responses.
       - Encourage everyone to participate.
       - Look for specific answers.
     - DON’Ts
       - Answer your own questions.
       - Put words in someone's mouth.
       - Ignore someone who does not participate.
       - Allow one person to dominate the session.
       - Force your view of controls on the group.
       - Be critical or short with a participant.
  28. CSA - REPORTING
     - Formal, independent report includes:
       - Voting statistics.
       - Voting responses.
       - Participant comments.
       - Recommendations for improvement.
     - Report provided to:
       - Participants to ensure accuracy and completeness.
       - Client management to review results.
     - Formal meeting with management held to discuss results.
     - Management develops action plans to address participants’ recommendations.
     - Final report, with action plans, provided to Executive management.
     - Management should share action plans with CSA participants.
  29. MANAGEMENT ACTION PLANS
     - Developed by client management in response to participants’ recommendations.
     - Provide step-by-step detail concerning how the recommendations will be addressed.
     - Reviewed by Internal Audit for relevance.
  30. AUDIT & CSA REPORT - RELATIONSHIP
     - The CSA report is an independent document from the formal Audit report.
     - Reportable items do not generally result from CSA sessions.
     - CSA report is issued only to client’s Executive management.
  31. In Summary
     - CSA focuses on business objectives
     - Elicits awareness & understanding of business risk and control
     - Involves people who best know the business
     - Pursues root causes/measures impact
     - Forward-looking to identify emerging risks
     - Covers broad spectrum of control
     - Ensures practical action plans
  32. Thank You
