Control Self-Assessment article
- 1. © Copyright Hari Iyer. Page 1 of 3
Background
Control Self-Assessment (CSA) is a technique that was originally developed by Gulf Canada
in 1987. In March 2000, the European Commission approved a white paper on CSA. In the
United States, when the Sarbanes-Oxley Act was implemented in 2007, section 404 of the Act
required companies to perform a top-down risk assessment, which necessitated CSA. In
the United Kingdom in 2011, the Financial Services Authority (now the Financial Conduct
Authority) recognised in its recommendations for the improvement of operational risk
management that the assessment of risks through a control self-assessment may be an
important means of identifying risks. Today, a wide range of entities, including private sector
companies, the voluntary sector (charities) and public sector entities, use CSA to assess the
effectiveness of their risk management and control processes.
The Institute of Internal Auditors runs courses and seminars and offers the Certification in
Control Self-Assessment (CCSA).
The Information Systems Audit and Control Association
(ISACA) created a framework called COBIT (Control
Objectives for Information and Related Technology). Control
Self-Assessment is contained within COBIT’s Control
Objective ME2.4.
What is Control Self-Assessment
CSA is a management technique that can be used to assure key stakeholders, both internal
and external, that a company’s internal controls system is reliable. CSA allows managers and
work teams directly involved in the business units, functions or processes to participate in
assessing the company's risk management and control processes. CSA can cover objectives,
risks, controls and processes.
CSA is a sustainable process whereby management validates the operating effectiveness of
its internal controls via testing. Each process owner and functional control owner within a
company performs effectiveness testing to verify that the key controls are operating effectively.
Each process owner develops test scripts for each key control and engages their team to
perform the given tests throughout the year. This allows management to verify that these
controls are working effectively. A CSA program expands the role of operations management
from merely assessing the design of its internal controls to testing and validating the
effectiveness of its internal controls throughout the year.
Benefits of a CSA Program
An effective CSA program can deliver a number of benefits including:
- Creation of a clear line of accountability for internal controls;
- Minimising the risk of fraud;
- Creation of an improved controls environment resulting in a lower risk profile for the company;
- Sustainability of management’s compliance program;
- Reduction in regulatory compliance costs.
CSA Program
The first step in any CSA program is to document the company's control processes with the
aim of identifying suitable ways of measuring or testing each control. The actual testing of the
controls is performed by staff whose day-to-day role is within the area of the company that is
being evaluated as they have the greatest knowledge of how the processes operate. The
common techniques for performing the evaluations are:
- Internal Control Questionnaire (ICQ) or Customised Survey Questionnaires
- Interview Techniques
- Control model Workshops or Interactive Workshops
Some companies choose a combination of methodologies that suits their operations to
implement an effective CSA program. On completion of the assessment each control may be
rated based on the responses received to determine the probability of its failure and the impact
if a failure occurred. These ratings can be summarised to produce a risk matrix showing
potential areas of vulnerability.
In any CSA program, the key steps are to define the nature and extent of the company’s CSA
program, roll out the program, perform the first round of testing and review, and then
incorporate lessons learned before going through the process again.
Hadigy Limited is a private limited company incorporated in England with registered number 07010656. Hadigy is a Practice Assurance scheme member of
the Chartered Institute of Public Finance and Accountancy (CIPFA). Hadigy is a member of the Federation of Small Business. This publication has been prepared
for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication
without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy, validity or completeness of the
information contained in this publication, and, to the extent permitted by law, Hadigy Limited, its employees and agents do not accept or assume any liability,
responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication
or for any decision based on it.
Your Trusted Business Partner
www.hadigy.com
For details please contact: info@hadigy.com
17 Clareville Street, South Kensington, London SW7 5AJ
Conclusion
Entities have different drivers for wanting to enhance their internal controls environment, e.g.
regulatory requirements, a change in ownership, a change in senior management, the implementation
of a major ERP system, or simply wanting stronger internal controls to improve efficiency.
Whatever the driver is, implementing a CSA program should be considered. By implementing
an effective CSA program, the entity can embed internal control accountability deep into the
company, ensure the sustainability of the internal controls compliance efforts, and ultimately
reduce the cost of overall compliance efforts. In other words, an effective CSA program will
drive a much improved internal control environment, giving assurance to all key stakeholders,
internal and external alike, that the company’s controls are operating effectively.
Author - Hari Iyer MBA, FCPA (Australia), CISA, Chartered FCSI
Hari is the founding partner of Hadigy Limited, a management consultancy firm in London.
Hari has over 25 years of financial and IT auditing experience gained partly with the Big 4
professional accountancy firms (EY, Deloitte & PwC) in the UK. This includes audit assurance
reviews, SAP project assurance, business process reviews, IT audits, financial audits,
business continuity management, and SAP governance, risk and compliance (GRC)
implementation & reviews.