Control Self-Assessment (CSA) is a technique that was originally developed by Gulf Canada in 1987. In March 2000, the European Commission approved a white paper on CSA. In the United States when the Sarbanes-Oxley Act was implemented in 2007, section 404 of the Act required the companies to perform a top down risk assessment which necessitated CSA. In the United Kingdom in 2011 the Financial Services Authority (now Financial Conduct Authority) recognised in its recommendations for the improvement of operational risk management that the assessment of risks through a control self-assessment may be an important means of identifying risks. Today, a wide range of entities including private sector companies, voluntary sector (charities) and the public sector entities use CSA to assess the effectiveness of their risk management and control processes.
The Institute of Internal Auditors run courses, seminars and offer Certification in Control Self-Assessment (CCSA).
The Information Systems Audit and Control Association (ISACA) created a framework called COBIT (Control Objectives for Information and Related Technology). Control Self-Assessment is contained within COBIT’s Control Objective ME2.4.
What is Control Self-Assessment
CSA is a management technique that can be used to assure key stakeholders, both internal and external, that a company’s internal controls system is reliable. CSA allows managers and work teams directly involved in the business units, functions or processes to participate in assessing the company’s risk management and control processes. CSA can cover objectives, risks, controls and processes.
CSA is a sustainable process whereby management validates the operating effectiveness of its internal controls via testing. Each process owner and functional control owner within a company performs effectiveness testing to verify that the key controls are operating effectively.
Each process owner develops test scripts for each key control and engages their team to perform the given tests throughout the year. This allows management to verify that these controls are working effectively. A CSA program expands the role of operations management from merely assessing the design of its internal controls to testing and validating the effectiveness of its internal controls throughout the year.
Benefits of a CSA Program
An effective CSA program can deliver a number of benefits including:
• Creation of clear line of accountability for internal controls;
• Minimising the risk of fraud;
• Creation of an improved controls environment resulting in a lower risk profile for the company;
• Sustainability of management’s compliance program;
• Reduction in regulatory compliance costs
The first step in any CSA program is to document the company’s control processes with the aim of identifying suitable ways of measuring or testing each control. The actual testing of the controls is performed by staff whose day-to-day role is within the area of the company that is being evaluated as they have the greatest knowledge of how the processes operate. The common techniques for performing the evaluations are:
• Internal Control Questionnaire (ICQ) or Customised Survey Questionnaires
• Interview Techniques
• Control model Workshops or Interactive Workshops
Some companies choose a combination of methodologies that suits their operations to implement an effective CSA program. On completion of the assessment each control may be rated based on the responses received to determine the probability of its failure and the impact if a failure occurred. These ratings can be summarised to produce a risk matrix showing potential areas of vulnerability.
In any CSA program, the key steps are to define the nature and extent of the company’s CSA program, roll out the program, perform the first round of testing and review, and then incorporate lessons learned before going through the process again.
Entities have different drivers for wanting to enhance internal controls environment e.g. regulatory requirements, change in ownership, change in senior management, implementation of a major ERP system or simply wanting stronger internal controls to improve efficiency. Whatever the driver is, implementing a CSA program should be considered. By implementing an effective CSA program, the entity can embed internal control accountability deep into the company, ensure the sustainability of the internal controls compliance efforts, and ultimately reduce the cost of overall compliance efforts. In other words, an effective CSA program will drive a much improved internal control environment, giving assurance to all key stakeholders, internal and external alike, that the company’s controls are operating effectively.