Control Self Assessment
Presented by Manoj Agarwal
CEP on May 22, 10 @ IIA-India, Bombay Chapter
May 2010 © ANB Consulting CO. Pvt. Ltd.
Agenda
• What is CSA?
– Definitions of CSA
– What makes CSA CSA?
– Benefits and concerns of CSA
– CSA controversies
• Objectives, risks, and controls
– What are objectives, risks and controls?
– Soft Controls
– ERM
• Facilitating Workshops
– Communication traits
– Facilitator responsibilities
– Presentation skills
– Dealing with different personalities
– Preparing for a CSA workshop
• Collecting and Reporting CSA Results
• CSA Implementation
What is Control Self Assessment
What is CSA?
Control Self Assessment
• A set of techniques used to assess risk, control strength, and control weaknesses utilizing a control framework.
The 'self' refers to the involvement of management and staff in the assessment process often facilitated by internal auditors.
What is CSA?
Employee teams getting together with their managers and a facilitator:
• to analyze, within a chosen control framework, the obstacles and strengths which affect their ability to achieve their key business objectives, and
• to decide upon appropriate action.
CSA Rationale
• Responsibility for controlling risk belongs to management and all employees
• People are the most important control factor
• Most employees are honest, competent, and want their organization to succeed
• People are far more likely to embrace needed changes if they are involved in the assessment process
• Helps employees understand control
CSA – WHEN IS IT USED?
• Whenever practical – Depends on:
– Size of the unit
– Management buy-in
– Staff availability
– Audit scope
When do you want to use CSA?
• New work processes/projects
• New organizations
– to identify the risk exposures and required controls
• Reorganizations
• Management / Employee turnover
– to identify where risks are
– to create understanding for business objectives
– to assess how risks are changing
– to put emphasis on highest priority risks and controls
• Processes that cross over into other work groups
– to get to the root cause of problems
– helps bring groups together
– participants learn how their activities interrelate
– collaborative problem solving
CSA - GOALS & OBJECTIVES
• Provide a forum for participants (stakeholders) to:
– Conduct an assessment of risks and controls.
– Develop recommendations for improvement.
– Enhance their ability to achieve objectives.
– Increase communication with the Unit.
– Improve the efficiency and effectiveness of operations.
Benefits of CSA
• Honest feedback on control environment communication and monitoring
• Ability to discuss and explore areas of concern to determine reasons and root causes of concern
• Ability to obtain an understanding of the degree of concern among participants
• Development of recommendations by employees in the Unit
• Buy-in/Ownership of Recommendations
Difficulties Encountered
• Getting discussion started
• Getting honest and open feedback
• Identifying potential areas of concern
• Understanding the degree and/or significance of concerns
Objectives, risks, and controls
System in Control
• When a system is in control, we mean it can be relied upon to meet its objectives.
Behaviors Affect Control
• People are the most important control factor.
– They make things happen
– They can make a poor system work
– They can make a good system fail
– They are more important than the system
– Their actions determine corporate success
Control Activities
• Formal Controls:
– Directive - code of business conduct, policy manual, written specifications and procedures
– Preventive - segregation of duties, security guards, locks, passwords, edits
– Detective - supervisory controls, quality assurance reviews, account reconciliations, exception reports
• Informal controls
– Corporate culture
– Integrity and ethical values
– Commitment to competence
– Management philosophy & style
– Communication
– Tone at the top
Control Model
Action
• PURPOSE - knowing what to do
• CAPABILITY - being able to do it
• COMMITMENT - wanting to do it
• LEARNING - to do it better
Purpose
• Vision
• Leadership
• Authority
• Objectives
• Plans
• Risks
• Targets
Commitment
• Ethics
• Rewards
• Recognition
• Accountability
• Authority
• Trust
• Fun
Capability
• Skills
• Resources
• Information
• Teamwork
• Communication
• Control Activities
Learning
• Benchmarks
• External events
• Challenge assumptions
• Review needs
• Effective change
• Self assessment
COSO Framework - Control Components
[Figure: COSO control components - Control Environment, Risk Assessment, Control Activities, Monitoring, Information, Communication; diagram labels: Traditional Auditing/Testing, CSA]
Facilitating Workshops
Time commitment for CSA
• Workshop - 1/2 to one day
• Prep - 1-several hours of pre-discussion
– overall process
– known or suspected issues
– who should participate
– control/risk statement development - input
CSA - SESSION REQUIREMENTS
• 2 facilitators - responsible for:
– Explaining the CSA process & rules.
– Directing the flow of conversation.
– Encouraging everyone to speak.
• 1 scribe responsible for:
– Recording participants’ comments & recommendations.
– Operating the CSA equipment (Resolver, PowerPoint).
– Ensuring session remains within time limitations.
• Approximately 3 ¼ hours to complete.
• 6 – 12 Unit employees.
CSA Workshop Agenda
• Identify Overall Business Objective Supporting Activities
• Risk Assessment
• Control Assessment
– Control activities review
– Key control indicators
– Control gaps - ineffective or missing controls
• Develop Action Plan
CSA Workshop Participants
• Responsible/knowledgeable parties
• Parties impacted by activity (internal partners/customers)
• Parties that can impact process/activity (management)
• Think like an owner
• Act as team member
Principles
• Open, honest communication
• Trust
• Everyone’s input is valuable
• Information is provided by those who best understand their jobs
• Information will be shared with others while retaining individual anonymity
• Management will implement action plan
Getting to the issues
(a simplified view of what occurs)
• Develop hypothetical risk events
– Statements representing a lack of business controls
• Participants vote on the importance of this risk, and the likelihood it is occurring, based on their experience/observations
• Narrow to high risk/high likelihood issues to discuss and work through
• Action Plan addresses how the control gap will be addressed
CSA – ANONYMOUS VOTING
• Series of internal control statements presented to participants concerning:
– Control Environment
– Communication
– Monitoring
• Resolver – Anonymous voting software and hardware.
– Participants anonymously respond to their level of agreement with the statements.
• Using the voting results:
– Discussion is generated by facilitator.
– Comments documented by scribe.
– Recommendations developed via group consensus.
• Anonymity is maintained and references to specific people are discouraged.
• Facilitators remain independent and should not impose their opinion on the group.
CSA Action Plan
OBSTACLE or CONCERN
Indicators (evidence that it’s a problem)
Impact (what can happen if no action is taken)
What Should The Group Do?
WHAT/WHO/WHEN?
CSA – FACILITATION TIPS
• DO’s
– Ask open ended questions, but stay on topic.
– Use a “parking-lot” to keep off-topic ideas.
– Act only as a guide.
– Ask for agreement when recording the responses.
– Encourage everyone to participate.
– Look for specific answers.
• DON’Ts
– Answer your own questions.
– Put words in someone's mouth.
– Ignore someone who does not participate.
– Allow one person to dominate the session.
– Force your view of controls on the group.
– Be critical or short with a participant.
CSA - REPORTING
• Formal, independent report includes:
– Voting statistics.
– Voting responses.
– Participant comments.
– Recommendations for improvement.
• Report provided to:
– Participants to ensure accuracy and completeness.
– Client management to review results.
• Formal meeting with management held to discuss results.
• Management develops action plans to address participants’ recommendations.
• Final report, with action plans, provided to Executive management.
• Management should share action plans with CSA participants.
MANAGEMENT ACTION PLANS
• Developed by client management in response to participants’ recommendations.
• Provide step-by-step detail concerning how the recommendations will be addressed.
• Reviewed by Internal Audit for relevance.
AUDIT & CSA REPORT - RELATIONSHIP
• The CSA report is an independent document from the formal Audit report.
• Reportable items do not generally result from CSA sessions.
• CSA report is issued only to client’s Executive management.
In Summary
• CSA focuses on business objectives
• Elicits awareness & understanding of business risk and control
• Involves people who best know the business
• Pursues root causes/measures impact
• Forward-looking to identify emerging risks
• Covers broad spectrum of control
• Ensures practical action plans
Thank You