Adding Value Through Control Self-Assessments

Publication Date: December 7, 2022

The ever-changing business environment requires institutions to embrace dynamic practices to manage risks appropriately and achieve organizational goals. Hence, audit departments worldwide strive to ensure their key activities align with the needs of the organizations. Control Self-Assessment (CSA) is an important tool that auditors can use to enhance the role of the internal audit function by adding value to the institution. By partnering with Internal Audit, institutions can take a structured approach to identify the risks associated with processes or activities, assess the related controls to ensure risks are managed effectively, and ensure organizational goals are achieved.

Management and Process Owners Buy-In

The success of the CSA program depends on buy-in at all levels of the organization: from management to department heads to process owners. This involves discussions on how the process works, the benefits of the program, and the resources required to execute the project successfully.

Project Selection Process

Similar to audit projects, the CSA engagements should add value to the institution by addressing the risks to the entity. By incorporating the CSA project selection process as part of the annual risk assessment, the internal audit department can ensure high risk areas are identified for potential projects. Based on residual risk, areas that are high-risk would be first considered for an audit. Any high-risk areas not selected for audits are viable candidates for a CSA project. Once identified, internal audit departments can recruit the departments to participate in the CSA program. During the infancy stage of the program, the audit departments may need to actively recruit volunteers to participate. As the program matures and the institution begins to reap the benefits of the program, internal audit departments will have departments actively volunteering to participate in the program.

CSA Process

The most important step in the process is selecting the CSA team that will oversee the project. It is vital that much consideration is given in selecting the team members. The CSA team mainly comprises of individuals who are involved in the process being assessed. These individuals will play a major role in ensuring the risks pertinent to the process/activity are identified and addressed appropriately.
The internal auditor facilitates the CSA process by performing the following steps.

    1. Conduct an Initial Meeting

    • Similar to the entrance meeting during an audit, the initial meeting is held to finalize the following details:
      • CSA team members,
      • Objectives and scope of the project
      • Timeline for completing the engagement

    2. Execute the Engagement Letter

    • The Institute of Internal Auditor’s International Standards for the Professional Practice of Internal Auditing (Standards) states “Internal auditors must establish an understanding with consulting engagement clients about objectives, scope, respective responsibilities, and other client expectations. For significant engagements, this understanding must be documented”. To comply with the letter and spirit of the Standards, a formal engagement letter should be prepared to document the objective, scope, process, and roles and responsibilities.

    3. Perform the CSA

    • Each step listed below is crucial for the program’s success.
    StepDetails of the process
    Identify risksThe CSA team identifies and documents the risks pertinent to the process. This is the most important step in the process since the rest of the procedures stems from this.
    Identify corresponding control(s) and evaluate the design effectiveness of the control(s)Identify and document the corresponding controls for the risks identified in the procedure above. The design effectiveness of the controls is evaluated during this phase to determine whether adequate controls exist to address the risks. If the CSA team concludes that either control does not exist or is inadequate, an opportunity for improvement will be developed.
    Evaluate the operating effectiveness of controlsFor the controls that are designed effectively, one or more of the following techniques can be utilized to evaluate the operating effectiveness of the controls: Team Meeting, Survey, and Facilitated Workshop.
    Validate ResultsThe assessments results must be validated by someone independent to ensure the results support the conclusion(s).
    Identify opportunities for improvementOpportunities for improvement are developed based on the conclusions from the Team Meeting, Survey, and Facilitated Workshop.
    Develop Management Action PlanManagement develops an action plan that enhances controls, guided by auditors.

    4. Share the results

      • The report is issued by the process owner and addressed to Management. It includes the following: Objective, Scope, Methodology, Analysis of Results, Conclusion, and Management Action Plan.

      5. Post Engagement Survey

      • Consider sending a Post Engagement Survey to the CSA client to solicit feedback on the engagement; it will help improve the process.

      6. Follow Up

      • Follow up on the planned action to ensure gaps in controls are remediated.

      Conclusion

      CSA promotes departments taking a structured approach in assessing risks and controls, through which it promotes accountability of controls. In addition, it helps the process owners and operational staff get a better understanding of the operations and helps them understand the importance of their respective roles and responsibilities in addressing the risks to the institution and achieving the organizational goals. By facilitating CSA projects, the audit department builds a trusting relationship with departments on campus. In addition, the audit team gets access to information, including risk management practices and control environment, that is vital in the annual risk assessment process. Internal audit departments can successfully facilitate CSA engagements using fewer resources than required for an audit while providing great benefits to the business units.

      About the Author

      Tharanee Ravindran

      Tharanee Ravindran joined The University of Alabama in Huntsville in 2004. She held numerous positions with the University prior to joining the University of Alabama System in 2010, and is currently the Director of the Office of Internal Audit in Huntsville.  Tharanee is a graduate of The University of Alabama in Huntsville, earning a BS in Business Administration in 2002 and a Masters of Accountancy in 2004. She is a Certified Internal Auditor. She also holds certifications in Certification in Control Self –Assessment and Certification in Risk Management Assurance.