Control Self Assessment

TT

Control Self AssessmentPresented by Manoj Agarwal

CEP on May 22, 10@IIA-India, Bombay Chapter

TMay 2010 © ANB Consulting CO. Pvt. Ltd.2

AgendaWhat is CSA? Definitions of CSA

What makes CSA CSA?Benefits and concerns of CSACSA controversies

Objectives, risks, and controls

What are objectives, risks and controls?Soft ControlsERM

Facilitating Workshops Communication traitsFacilitator responsibilitiesPresentation skillsDealing with different personalitiesPreparing for a CSA workshop

Collecting and Reporting CSA Results

CSA Implementation


What is Control Self Assessment


What is CSA?Control Self Assessment

• A set of techniques used to assess risk, control strength, and control weaknesses utilizing a control framework.

The 'self' refers to the involvement of management and staff in the assessment process often facilitated by internal auditors.


What is CSA?Employee teams getting together with their managers and a

facilitator:

• to analyze, within a chosen control framework, the obstacles and strengths which affect their ability to achieve their key business objectives, and

• to decide upon appropriate action.


CSA Rationale• Responsibility for controlling risk belongs to management and all

employees• People are the most important control factor• Most employees are honest, competent, and want their organization

to succeed• People are far more likely to embrace needed changes if they are

involved in the assessment process

• Helps employees understand control


CSA – WHEN IS IT USED?• Whenever practical – Depends on:

– Size of the unit– Management buy-in– Staff availability– Audit scope


When do you want to use CSA?• New work processes/projects• New organizations

– to identify the risk exposures and required controls

• Reorganizations• Management / Employee turnover

– to identify where risks are – to create understanding for business objectives– to assess how risks are changing– to put emphasis on highest priority

risks and controls

• Processes that cross over into other work groups– to get to the root cause of problems– helps bring groups together– participants learn how their activities interrelate– collaborative problem solving


CSA - GOALS & OBJECTIVES• Provide a forum for participants (stakeholders) to:

– Conduct an assessment of risks and controls.– Develop recommendations for improvement.– Enhance their ability to achieve objectives.– Increase communication with the Unit.– Improve the efficiency and effectiveness of operations.


Benefits of CSA• Honest feedback on control environment communication and

monitoring • Ability to discuss and explore areas of concern to determine

reasons and root causes of concern• Ability to obtain an understanding of the degree of concern among

participants• Development of recommendations by employees in the Unit• Buy-in/Ownership of Recommendations


Difficulties Encountered• Getting discussion started• Getting honest and open feedback• Identifying potential areas of concern• Understanding the degree and/or significance of concerns


Objectives, risks, and controls


System in Control• When a system is in control, we mean it can be relied upon to meet

its objectives.


Behaviors Affect Control• People are the most important control factor.

– They make things happen– They can make a poor system work– They can make a good system fail– They are more important than the system– Their actions determine corporate

success


Control Activities• Formal Controls:

– Directive - code of business conduct, policy manual, written specifications and procedures

– Preventive - segregation of duties, security guards, locks, passwords, edits

– Detective - supervisory controls, quality assurance reviews, account reconciliations, exception reports

• Informal controls – Corporate culture– Integrity and ethical values– Commitment to competence– Management philosophy & style– Communication– Tone at the top


Control Model

ActionAction

PURPOSEPURPOSEknowing what to doknowing what to do

CAPABILITYCAPABILITYbeing able to do itbeing able to do it

COMMITMENTCOMMITMENTwanting to do itwanting to do it

LEARNINGLEARNINGto do it betterto do it better

Purpose• Vision• Leadership• Authority• Objectives• Plans• Risks• Targets

Commitment• Ethics• Rewards• Recognition• Accountability• Authority• Trust• Fun

Capability• Skills• Resources• Information• Teamwork• Communication• Control

Activities

Learning• Benchmarks• External events• Challenge assumptions• Review needs• Effective change• Self assessment


COSO Framework - Control Components

INFO

RMAT

ION

COMM

UNICATIO

N

CONTROL ENVIRONMENT

RISK ASSESSMENT

CONTROL ACTIVITIES

MONITORING

TraditionalAuditing/Testing

CSA


Facilitating Workshops


Time commitment for CSA• Workshop - 1/2 to one day• Prep - 1-several hours of pre-discussion

– overall process– known or suspected issues– who should participate– control/risk statement development - input


CSA - SESSION REQUIREMENTS• 2 facilitators - responsible for:

– Explaining the CSA process & rules.– Directing the flow of conversation.– Encouraging everyone to speak.

• 1 scribe responsible for:– Recording participants’ comments & recommendations.– Operating the CSA equipment (Resolver, PowerPoint).– Ensuring session remains within time limitations.

• Approximately 3 ¼ hours to complete.• 6 – 12 Unit employees.


CSA Workshop Agenda• Identify Overall Business Objective Supporting Activities • Risk Assessment• Control Assessment

– Control activities review – Key control indicators– Control gaps - ineffective or missing controls

• Develop Action Plan


CSA Workshop Participants• Responsible/knowledgeable parties• Parties impacted by activity (internal partners/customers)• Parties that can impact process/activity (management)• Think like an owner • Act as team member


Principles• Open, honest communication• Trust• Everyone’s input is valuable• Information is provided by those who best understand their jobs• Information will be shared with others while retaining individual

anonymity• Management will implement action

plan


Getting to the issues(a simplified view of what occurs)

• Develop hypothetical risk events – Statements representing a lack of business controls

• Participants vote on the importance of this risk, and the likelihood it is occurring, based on their experience/observations

• Narrow to high risk/high likelihood issues to discuss and work through

• Action Plan addresses how the controlgap will be addressed


CSA – ANONYMOUS VOTING• Series of internal control statements presented to participants

concerning:– Control Environment– Communication– Monitoring

• Resolver – Anonymous voting software and hardware.– Participants anonymously respond to their level of agreement with the

statements.• Using the voting results:

– Discussion is generated by facilitator.– Comments documented by scribe.– Recommendations developed via group consensus.

• Anonymity is maintained and references to specific people are discouraged.

• Facilitators remain independent and should not impose their opinion on the group.


CSA Action PlanOBSTACLE or CONCERN

Indicators (evidence that it’s a problem)

Impact (what can happen if no action is taken)

What Should The Group Do?

WHAT/WHO/WHEN?


CSA – FACILITATION TIPS• DO’s

– Ask open ended questions, but stay on topic.– Use a “parking-lot” to keep off-topic ideas.– Act only as a guide.– Ask for agreement when recording the responses.– Encourage everyone to participate.– Look for specific answers.

• DON’Ts– Answer your own questions.– Put words in someone's mouth.– Ignore someone who does not participate.– Allow one person to dominate the session.– Force your view of controls on the group.– Be critical or short with a participant.


CSA - REPORTING• Formal, independent report includes:

– Voting statistics.– Voting responses.– Participant comments.– Recommendations for improvement.

• Report provided to:– Participants to ensure accuracy and completeness.– Client management to review results.

• Formal meeting with management held to discuss results.• Management develops actions plans to address participants’

recommendations.• Final report, with action plans, provided to Executive management.• Management should share action plans with CSA participants.


MANAGEMENT ACTION PLANS• Developed by client management in response to participants’

recommendations.

• Provide step-by-step detail concerning how the recommendations will be addressed.

• Reviewed by Internal Audit for relevance.


AUDIT & CSA REPORT - RELATIONSHIP• The CSA report is an independent document from the formal Audit

report.

• Reportable items do not generally result from CSA sessions.

• CSA report is issued only to client’s Executive management.


In Summary

• CSA focuses on business objectives• Elicits awareness & understanding of

business risk and control• Involves people who best know the

business• Pursues root causes/measures impact• Forward-looking to identify emerging risks• Covers broad spectrum of control• Ensures practical action plans



Thank You

Control Self Assessment

Education