Introduction to Internal Controls and Control Self-Assessments (CSA)
1. ISTM 6009: IT Governance. Mohammed, A. (2017)Introduction to CSAs | Abdullah Mohammed | October, 2017.
A Brief Introduction to
Control Self Assessments
Abdullah Mohammed, MSc, BSc, CISA
October, 2017
[Cartoon: two auditors in a "sea" of risk, trying to find controls]
Internal Controls (ACCA Definition)
‘The policies, processes, tasks, behaviours and other aspects of an organisation that taken together:
• Facilitate effective operation by enabling it to respond in an appropriate manner to significant business, operational,
financial, compliance and other risks to achieve its objectives. This includes safeguarding of assets and ensuring that
liabilities are identified and managed.
• Ensure the quality of internal and external reporting, which in turn requires the maintenance of proper records and
processes that generate a flow of timely, relevant and reliable information from both internal and external sources.
• Ensure compliance with applicable laws and regulations and also with internal policies.’
Note: There is no such thing as a perfect internal control system, as all organisations operate in a
dynamic environment: just as some risks recede into insignificance, new risks will emerge, some of which will
be difficult or impossible to anticipate.
The purpose of any control system should therefore be to provide reasonable
assurance that the organisation can meet its objectives.
Internal Controls (ISACA Definition)
• Internal controls are normally composed of policies, procedures, practices and
organizational structures that are implemented to reduce risk to the
organization.
• 3 types:
1. Preventative
2. Detective
3. Corrective
Preventative / Detective / Corrective
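The three control types above are easiest to tell apart when they sit side by side in code. The following is an added example, not taken from the slides or from the ISACA or ACCA material they cite: a preventive control (refuse a weak password before it is ever stored), a detective control (spot a burst of failed logins in an authentication log) and a corrective control (lock the account the detective control flagged). The log line format, the thresholds, the deny-list and the account names are all assumptions made for the illustration.

```python
"""Preventive, detective and corrective controls applied to one constructed
authentication log. Added illustration of the ISACA three-way taxonomy; it is
not from the slides. Log format, thresholds and account names are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <OK|FAIL> user=<name> src=<ip>"
SAMPLE_LOG = """\
2017-10-03T09:00:01 FAIL user=alice src=203.0.113.7
2017-10-03T09:00:04 FAIL user=alice src=203.0.113.7
2017-10-03T09:00:09 FAIL user=alice src=203.0.113.7
2017-10-03T09:00:15 FAIL user=alice src=203.0.113.7
2017-10-03T09:00:20 FAIL user=alice src=203.0.113.7
2017-10-03T09:05:00 OK   user=bob   src=198.51.100.2
2017-10-03T09:07:30 FAIL user=bob   src=198.51.100.2
"""

FAIL_THRESHOLD = 5             # failures that count as a brute-force attempt...
WINDOW = timedelta(minutes=2)  # ...when they fall inside this sliding window
MIN_PASSWORD_LEN = 12
DENY_LIST = {"password1234", "welcome12345"}  # constructed list of known-bad values


def preventive_password_check(password):
    """Preventive control: refuse a weak password before it is stored.
    Returns (accepted, reason)."""
    if len(password) < MIN_PASSWORD_LEN:
        return False, "shorter than %d characters" % MIN_PASSWORD_LEN
    if password.lower() in DENY_LIST:
        return False, "on the deny list"
    return True, "accepted"


def parse_line(line):
    """Turn one log line into a dict; raises ValueError on a malformed line."""
    ts, result, user, src = line.split()
    return {"ts": datetime.fromisoformat(ts), "result": result,
            "user": user.split("=", 1)[1], "src": src.split("=", 1)[1]}


def detective_brute_force(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Detective control: find (user, src) pairs with at least `threshold`
    FAIL events inside any sliding window of length `window`.
    Only observes; never changes state. Returns a set of (user, src) pairs."""
    fails = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["result"] == "FAIL":
            fails[(ev["user"], ev["src"])].append(ev["ts"])
    flagged = set()
    for key, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # advance the window start until the span fits inside `window`
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(key)
                break
    return flagged


def corrective_lockout(flagged, accounts):
    """Corrective control: lock every account the detective control flagged.
    Returns a new {user: status} dict; users not in `accounts` are ignored."""
    updated = dict(accounts)
    for user, _src in flagged:
        if user in updated:
            updated[user] = "locked"
    return updated


if __name__ == "__main__":
    print(preventive_password_check("password1234"))
    hits = detective_brute_force(SAMPLE_LOG)
    print("brute-force suspects:", hits)
    print(corrective_lockout(hits, {"alice": "active", "bob": "active"}))
```

The division of labour is the point: the preventive check needs no log at all, the detective check reads the log but never changes state, and the corrective step acts only on what detection produced. Each can therefore be owned, tested and evidenced separately, which is what a CSA workshop needs when it asks who performs a control and whether it works.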
Responsibility for Internal Controls
• Lies with the owners themselves
• In a limited company, the board of directors is responsible for ensuring that
appropriate internal controls are in place.
• The directors must pay due attention to the control environment
COSO ERM Framework 2017
Outline
1. What are Control Self-Assessments?
2. How do they differ from other types of Assurance and Risk Management?
3. Approaches to conducting CSAs
4. Four (4) Workshop Formats
5. Benefits and CSFs of a CSA Programme
What are Control Self Assessments (CSAs)?
Sometimes called:
– Control Risk Self-Assessment (CRSA) or
– Risk Control Self-Assessment (RCSA),
especially if risk-based (discussed later).
IIA Definition: “CSA is a methodology used to
– (i) review key business objectives,
– (ii) risks involved in achieving the objectives, and
– (iii) internal controls designed to manage those risks.”
What are Control Self Assessments (CSAs)? (continued)
• As opposed to a formal Audit Review, with a CSA the internal audit
team works with the operational team in an effort to evaluate their
current internal control procedures, and then to use the results of the
review to improve internal controls. (adapted from Moeller, 2015)
• Important: Facilitation exercise, which allows management
participation in risk identification and examination of their own controls
for effectiveness.
Objectives of a CSA Programme
• Leverage the internal audit function by shifting some of the control monitoring
responsibilities to the functional areas. Audit Clients, such as line managers, are
responsible for controls in their environment; the managers also should be
responsible for monitoring the controls.
• CSA programs also must educate management about control design and
monitoring, concentrating in particular on areas of high risk. These programs are not
just policies requiring clients to comply with control standards; instead, they offer a
variety of support ranging from written suggestions outlining acceptable control
environments to in-depth workshops.
• When workshops are included in the program, an additional objective, the
empowerment of workers to assess or even design the control environment,
may be included in the program.
Objectives of a CSA Programme (continued)
Communication
• To ensure better communication of CEO’s objectives and strategies to all business lines
• To ensure business line managers communicate their risks and controls more effectively
Education
• To ensure business line managers have a better comprehension of effective risk control
• To ensure business line managers have a better comprehension of risk management
Proactive Management
• To ensure business line managers align their objectives and strategies with the CEO's objectives and strategies
• To ensure business line managers assume greater responsibility and accountability for their risks and controls
• To ensure business line managers monitor their risk effectively and timely
• To ensure business line managers utilize and allocate their resources effectively
The CSA Model for Continuous Improvement
• Identify business objectives, which can be defined either in terms of business targets or process delivery goals;
• Identify risks that could threaten the achievement of those objectives, and the activities and processes affected by the different risks identified;
• Identify controls in place intended to prevent the risks from crystallizing; determine where responsibility for performing those controls lies; and assess the effectiveness of the controls in operation and the level of residual risk remaining after control;
• Continue to monitor performance and controls.
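The four steps above can be carried as a small register, so that ownership gaps and residual risk fall out of the data rather than out of the meeting notes. This is an added example, not from the slides: the 1-5 likelihood and impact scale, the multiplicative residual-risk model, the risk appetite of 6 and every payroll entry in the register are assumptions made for the illustration.

```python
"""A minimal risk-and-control register that follows the four CSA steps
(objectives, risks, controls with owners and effectiveness, residual risk).
Added example, not from the slides; the 1-5 scoring scale, the multiplicative
residual-risk model and every register entry are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Control:
    name: str
    kind: str              # "preventive", "detective" or "corrective"
    owner: Optional[str]   # who performs the control; None means unassigned
    effectiveness: float   # 0.0 (does nothing) .. 1.0 (fully effective), as rated in the workshop


@dataclass
class Risk:
    description: str
    likelihood: int        # 1 (rare) .. 5 (almost certain)
    impact: int            # 1 (negligible) .. 5 (severe)
    controls: List[Control] = field(default_factory=list)

    def inherent(self) -> float:
        """Exposure before any control: likelihood x impact (1..25)."""
        return float(self.likelihood * self.impact)

    def residual(self) -> float:
        """Assumed model: each control independently removes its rated share
        of the exposure, so the remaining fraction is the product of (1 - e)."""
        remaining = 1.0
        for c in self.controls:
            remaining *= 1.0 - c.effectiveness
        return round(self.inherent() * remaining, 2)


@dataclass
class Objective:
    name: str
    risks: List[Risk]


def assess(objectives, appetite=6.0):
    """Return (objective, risk, finding) triples a workshop should act on:
    risks with no control, controls with no owner, residual above appetite."""
    findings = []
    for obj in objectives:
        for r in obj.risks:
            if not r.controls:
                findings.append((obj.name, r.description, "no control identified"))
            for c in r.controls:
                if c.owner is None:
                    findings.append((obj.name, r.description,
                                     "control '%s' has no owner" % c.name))
            if r.residual() > appetite:
                findings.append((obj.name, r.description,
                                 "residual %.1f exceeds appetite %.1f"
                                 % (r.residual(), appetite)))
    return findings


# Constructed register for a payroll process (all values are assumptions).
REGISTER = [
    Objective("Payroll is paid accurately and on time", [
        Risk("Unauthorised change to an employee's bank details", 4, 5, [
            Control("Dual approval on master-data changes", "preventive",
                    "Payroll supervisor", 0.7),
            Control("Monthly exception report of changed accounts", "detective",
                    None, 0.5),
        ]),
        Risk("Payroll system unavailable on pay-run day", 2, 4),
    ]),
]

if __name__ == "__main__":
    for obj, risk, finding in assess(REGISTER):
        print("%s | %s | %s" % (obj, risk, finding))
```

Running it against the constructed register gives three findings: the exception report has no owner, the availability risk has no control at all, and that risk's residual exposure (8.0, since nothing reduces it) sits above the assumed appetite. Those are exactly the items the "continue to monitor" step has to track to closure.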
Where do CSAs fit in, as an Assurance Technique?
Three Approaches to CSAs
Three CSA Approaches
1. Facilitated team meetings (workshops)
Gather internal control information from work teams that may represent multiple levels within the
organization. Facilitators are trained in controls examination and assessment, as well as facilitation
techniques.
2. Questionnaires (Surveys)
The questionnaire approach uses a survey instrument that offers yes/no or have/have-not
responses. Process owners use the survey results to assess their control structure.
3. Management-produced analysis
Any other approach. Management produces a staff study of the business process. Should be validated by
the CSA specialist.
Workshop Formats
Workshop Formats (CSA‐facilitated sessions)
1. Objective‐based
2. Risk‐based
3. Control‐based
4. Process‐based
Workshops: Objective Based
Workshops: Risk Based
Workshops: Controls Based
Workshops: Process Based
Questionnaires (Survey)
Survey Approach to CSAs
1. Develop using control framework (e.g. COSO) and/or management objectives
2. Distribute online surveys / questionnaires
3. Summarize & analyze results
4. Deliver results to management
Questionnaire Examples
Planning & Budgeting Accruals
Management-produced self-analysis
• As an alternative to a survey or a facilitated workshop, a management-produced analysis is very similar to the
type of operational review that an internal auditor would perform. This is one of the three CSA analysis
approaches suggested by the IIA: management produces a staff study of the business process, almost
a research study.
• The CSA specialist, who may be an internal auditor, combines the results of the study with information
gathered from other sources, such as other managers and key personnel. By synthesizing this material, the CSA
specialist develops an analysis that process owners can use in their CSA efforts.
• The management-produced analysis approach, although endorsed by the IIA as one of three suggested CSA
approaches, is difficult to perform for the typical enterprise. It suggests an almost academic review by
someone in the enterprise, followed by some comparative research for subsequent analysis.
Implementing a CSA Programme
CSA Framework
1. Identification of CSA Projects
2. Preliminary Activities
3. Workshop
4. Reporting
5. Validating
Benefits of a CSA Programme
• Early detection of risk
• More effective and improved internal controls
• Creation of cohesive teams through employee involvement
• Developing a sense of ownership of the controls in the employees and process owners and
reducing their resistance to control improvement initiatives
• Increased employee awareness of organizational objectives, and knowledge of risk and internal
controls
• Increased communication between operational and top management;
• A common language and common set of values across the organisation;
• Highly motivated employees
• Improved audit rating process
• Reduction in control cost
• Assurance provided to stakeholders and customers
Model CSA Policy Template (KnowledgeLeader)
Planning Workshops
NB: Basic Facilitator Skills
A facilitator does not have to be an expert in a certain process or subject matter; however, the facilitator
should have basic skills such as:
• Active listening skills and the ability to ask good questions, including questions that probe the topics and
move the discussions forward
• Good verbal communication skills, including the ability to pose questions in a nonthreatening manner and
the ability to summarize material
• The ability to manage the dynamics of the group, including managing various personalities so that a few
members do not dominate the discussions and managing processes so that goals are met
• The ability to resolve conflicts
• The ability to manage time and keep the proceedings on schedule
Some downsides of CSAs
• It could be mistaken as an audit function replacement
• It may be regarded as an additional workload (e.g., one more report to be
submitted to management)
• Failure to act on improvement suggestions could damage employee morale
• Lack of motivation may limit effectiveness in the detection of weak controls
Critical Success Factors
• Involving the right people in the organisation to support, foster and own the CSA process.
• Allocating sufficient time and resources to properly prepare for and carry out workshops and
subsequent follow-up.
• Having adequately trained and experienced facilitators to conduct CSA workshops.
• Proper design of a structured but flexible CSA methodology that avoids the creation of overly
simple or confusing checklists.
Further Reading
Review Questions
A Brief Introduction to
Control Self Assessments
Abdullah Mohammed, MSc, BSc, CISA
Thank you.