Control Self Assessment
Presented by Manoj Agarwal CEP on May 22, 10 @ IIA-India, Bombay Chapter
Agenda
  • CSA Implementation
  • Collecting and Reporting CSA Results
  • Communication traits
  • Facilitator responsibilities
  • Presentation skills
  • Dealing with different personalities
  • Preparing for a CSA workshop
  • Facilitating Workshops
  • What are objectives, risks and controls?
  • Soft Controls
  • ERM
  • Objectives, risks, and controls
  • Definitions of CSA
  • What makes CSA CSA?
  • Benefits and concerns of CSA
  • CSA controversies
  • What is CSA?
What is Control Self Assessment
What is CSA?
Control Self Assessment: a set of techniques used to assess risk, control strength, and control weaknesses utilizing a control framework. The 'self' refers to the involvement of management and staff in the assessment process, often facilitated by internal auditors.
What is CSA?
Employee teams getting together with their managers and a facilitator:
  • to analyze, within a chosen control framework, the obstacles and strengths which affect their ability to achieve their key business objectives,
  • and to decide upon appropriate action.
CSA Rationale
  • Responsibility for controlling risk belongs to management and all employees
  • People are the most important control factor
  • Most employees are honest, competent, and want their organization to succeed
  • People are far more likely to embrace needed changes if they are involved in the assessment process
  • Helps employees understand control
CSA – WHEN IS IT USED?
Whenever practical – Depends on:
  • Size of the unit
  • Management buy-in
  • Staff availability
  • Audit scope
When do you want to use CSA?
  • New work processes/projects
  • New organizations
  • to identify the risk exposures and required controls
  • Reorganizations
  • Management / Employee turnover
  • to identify where risks are
  • to create understanding for business objectives
  • to assess how risks are changing
  • to put emphasis on highest priority risks and controls
  • Processes that cross over into other work groups
  • to get to the root cause of problems
  • helps bring groups together
  • participants learn how their activities interrelate
  • collaborative problem solving
CSA - GOALS & OBJECTIVES
Provide a forum for participants (stakeholders) to:
  • Conduct an assessment of risks and controls.
  • Develop recommendations for improvement.
  • Enhance their ability to achieve objectives.
  • Increase communication with the Unit.
  • Improve the efficiency and effectiveness of operations.
Benefits of CSA
  • Honest feedback on control environment, communication and monitoring
  • Ability to discuss and explore areas of concern to determine reasons and root causes of concern
  • Ability to obtain an understanding of the degree of concern among participants
  • Development of recommendations by employees in the Unit
  • Buy-in/Ownership of Recommendations
Difficulties Encountered
  • Getting discussion started
  • Getting honest and open feedback
  • Identifying potential areas of concern
  • Understanding the degree and/or significance of concerns
Objectives, risks, and controls
System in Control
When a system is in control, we mean it can be relied upon to meet its objectives.
Behaviors Affect Control
People are the most important control factor.
  • They make things happen
  • They can make a poor system work
  • They can make a good system fail
  • They are more important than the system
  • Their actions determine corporate success
Control Activities
Formal controls:
  • Directive - code of business conduct, policy manual, written specifications and procedures
  • Preventive - segregation of duties, security guards, locks, passwords, edits
  • Detective - supervisory controls, quality assurance reviews, account reconciliations, exception reports
Informal controls:
  • Corporate culture
  • Integrity and ethical values
  • Commitment to competence
  • Management philosophy & style
  • Communication
  • Tone at the top
Control Model
  • PURPOSE (knowing what to do): Vision, Leadership, Authority, Objectives, Plans, Risks, Targets
  • COMMITMENT (wanting to do it): Ethics, Rewards, Recognition, Accountability, Authority, Trust, Fun
  • CAPABILITY (being able to do it): Skills, Resources, Information, Teamwork, Communication, Control Activities
  • LEARNING (to do it better): Benchmarks, External events, Challenge assumptions, Review needs, Effective change, Self assessment
  • Action
COSO Framework - Control Components
[Diagram. Components: Control Environment, Risk Assessment, Control Activities, Information, Communication, Monitoring. Labels: Traditional Auditing/Testing; CSA.]
Facilitating Workshops
Time commitment for CSA
  • Workshop - 1/2 to one day
  • Prep - 1-several hours of pre-discussion
  • overall process
  • known or suspected issues
  • who should participate
  • control/risk statement development - input
CSA - SESSION REQUIREMENTS
2 facilitators - responsible for:
  • Explaining the CSA process & rules.
  • Directing the flow of conversation.
  • Encouraging everyone to speak.
1 scribe responsible for:
  • Recording participants’ comments & recommendations.
  • Operating the CSA equipment (Resolver, PowerPoint).
  • Ensuring session remains within time limitations.
Approximately 3 ¼ hours to complete.
6 – 12 Unit employees.
CSA Workshop Agenda
  • Identify Overall Business Objective
  • Supporting Activities
  • Risk Assessment
  • Control Assessment
  • Control activities review
  • Key control indicators
  • Control gaps - ineffective or missing controls
  • Develop Action Plan
CSA Workshop Participants
  • Responsible/knowledgeable parties
  • Parties impacted by activity (internal partners/customers)
  • Parties that can impact process/activity (management)
  • Think like an owner
  • Act as team member
Principles
  • Open, honest communication
  • Trust
  • Everyone’s input is valuable
  • Information is provided by those who best understand their jobs
  • Information will be shared with others while retaining individual anonymity
  • Management will implement action plan
Getting to the issues (a simplified view of what occurs)
  • Develop hypothetical risk events
  • Statements representing a lack of business controls
  • Participants vote on the importance of this risk, and the likelihood it is occurring, based on their experience/observations
  • Narrow to high risk/high likelihood issues to discuss and work through
  • Action Plan addresses how the control gap will be addressed
CSA – ANONYMOUS VOTING
Series of internal control statements presented to participants concerning:
  • Control Environment
  • Communication
  • Monitoring
Resolver - Anonymous voting software and hardware.
Participants anonymously respond to their level of agreement with the statements.
Using the voting results:
  • Discussion is generated by facilitator.
  • Comments documented by scribe.
  • Recommendations developed via group consensus.
Anonymity is maintained and references to specific people are discouraged.
Facilitators remain independent and should not impose their opinion on the group.
CSA Action Plan
  • OBSTACLE or CONCERN
  • Indicators (evidence that it’s a problem)
  • Impact (what can happen if no action is taken)
  • What Should The Group Do? WHAT/WHO/WHEN?
CSA – FACILITATION TIPS
DO’s
  • Ask open ended questions, but stay on topic.
  • Use a “parking-lot” to keep off-topic ideas.
  • Act only as a guide.
  • Ask for agreement when recording the responses.
  • Encourage everyone to participate.
  • Look for specific answers.
DON’Ts
  • Answer your own questions.
  • Put words in someone's mouth.
  • Ignore someone who does not participate.
  • Allow one person to dominate the session.
  • Force your view of controls on the group.
  • Be critical or short with a participant.
CSA - REPORTING
Formal, independent report includes:
  • Voting statistics.
  • Voting responses.
  • Participant comments.
  • Recommendations for improvement.
Report provided to:
  • Participants to ensure accuracy and completeness.
  • Client management to review results.
Formal meeting with management held to discuss results.
Management develops action plans to address participants’ recommendations.
Final report, with action plans, provided to Executive management.
Management should share action plans with CSA participants.
MANAGEMENT ACTION PLANS
  • Developed by client management in response to participants’ recommendations.
  • Provide step-by-step detail concerning how the recommendations will be addressed.
  • Reviewed by Internal Audit for relevance.
AUDIT & CSA REPORT - RELATIONSHIP
  • The CSA report is an independent document from the formal Audit report.
  • Reportable items do not generally result from CSA sessions.
  • CSA report is issued only to client’s Executive management.
In Summary
  • CSA focuses on business objectives
  • Elicits awareness & understanding of business risk and control
  • Involves people who best know the business
  • Pursues root causes/measures impact
  • Forward-looking to identify emerging risks
  • Covers broad spectrum of control
  • Ensures practical action plans
 
Thank You
