© Copyright Hari Iyer. Page 1 of 3
Background
Control Self-Assessment (CSA) is a technique that was originally developed by Gulf Canada
in 1987. In March 2000, the European Commission approved a white paper on CSA. In the
United States, when the Sarbanes-Oxley Act was implemented in 2007, section 404 of the Act
required companies to perform a top-down risk assessment, which necessitated CSA. In
the United Kingdom, in 2011 the Financial Services Authority (now the Financial Conduct
Authority) recognised in its recommendations for the improvement of operational risk
management that the assessment of risks through a control self-assessment may be an
important means of identifying risks. Today, a wide range of entities, including private sector
companies, the voluntary sector (charities) and public sector entities, use CSA to assess the
effectiveness of their risk management and control processes.
The Institute of Internal Auditors runs courses and seminars and offers Certification in
Control Self-Assessment (CCSA).
The Information Systems Audit and Control Association (ISACA) created a framework called
COBIT (Control Objectives for Information and Related Technology). Control Self-Assessment
is contained within COBIT’s Control Objective ME2.4.
What is Control Self-Assessment
CSA is a management technique that can be used to assure key stakeholders, both internal
and external, that a company’s internal controls system is reliable. CSA allows managers and
work teams directly involved in the business units, functions or processes to participate in
assessing the company's risk management and control processes. CSA can cover objectives,
risks, controls and processes.
CSA is a sustainable process whereby management validates the operating effectiveness of
its internal controls via testing. Each process owner and functional control owner within a
company performs effectiveness testing to verify that the key controls are operating effectively.
Each process owner develops test scripts for each key control and engages their team to
perform the given tests throughout the year. This allows management to verify that these
controls are working effectively. A CSA program expands the role of operations management
from merely assessing the design of its internal controls to testing and validating the
effectiveness of its internal controls throughout the year.
Benefits of a CSA Program
An effective CSA program can deliver a number of benefits including:
• Creation of a clear line of accountability for internal controls;
• Minimising the risk of fraud;
• Creation of an improved controls environment resulting in a lower risk profile for the company;
• Sustainability of management’s compliance program;
• Reduction in regulatory compliance costs.
CSA Program
The first step in any CSA program is to document the company's control processes with the
aim of identifying suitable ways of measuring or testing each control. The actual testing of the
controls is performed by staff whose day-to-day role is within the area of the company that is
being evaluated as they have the greatest knowledge of how the processes operate. The
common techniques for performing the evaluations are:
• Internal Control Questionnaire (ICQ) or Customised Survey Questionnaires
• Interview Techniques
• Control model Workshops or Interactive Workshops
Some companies choose a combination of methodologies that suits their operations to
implement an effective CSA program. On completion of the assessment each control may be
rated based on the responses received to determine the probability of its failure and the impact
if a failure occurred. These ratings can be summarised to produce a risk matrix showing
potential areas of vulnerability.
In any CSA program, the key steps are to define the nature and extent of the company’s CSA
program, roll out the program, perform the first round of testing and review, and then
incorporate lessons learned before going through the process again.
Hadigy Limited is a private limited company incorporated in England with registered number 07010656. Hadigy is a Practice Assurance scheme member of
the Chartered Institute of Public Finance and Accountancy (CIPFA). Hadigy is a member of the Federation of Small Business. This publication has been prepared
for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication
without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy, validity or completeness of the
information contained in this publication, and, to the extent permitted by law, Hadigy Limited, its employees and agents do not accept or assume any liability,
responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication
or for any decision based on it.
Conclusion
Entities have different drivers for wanting to enhance their internal controls environment, e.g.
regulatory requirements, a change in ownership, a change in senior management, implementation
of a major ERP system, or simply wanting stronger internal controls to improve efficiency.
Whatever the driver is, implementing a CSA program should be considered. By implementing
an effective CSA program, the entity can embed internal control accountability deep into the
company, ensure the sustainability of the internal controls compliance efforts, and ultimately
reduce the cost of overall compliance efforts. In other words, an effective CSA program will
drive a much improved internal control environment, giving assurance to all key stakeholders,
internal and external alike, that the company’s controls are operating effectively.
Author - Hari Iyer MBA, FCPA (Australia), CISA, Chartered FCSI
Hari is the founding partner of Hadigy Limited, a management consultancy firm in London.
Hari has over 25 years of financial and IT auditing experience gained partly with the Big 4
professional accountancy firms (EY, Deloitte & PwC) in the UK. This includes audit assurance
reviews, SAP project assurance, business process reviews, IT audits, financial audits,
business continuity management, and SAP governance, risk and compliance (GRC)
implementation & reviews.
