"Sharing the Knowledge" The website for internal audit professionals
"Sharing the Knowledge"
Control Self-Assessment (CSA) A Control Self-Assessment (CSA) is a tool designed to assist in identifying and evaluating the effectiveness of internal controls. Typically the CSA is a survey (question and answer) used in evaluating the internal controls related to a business activity. The CSA should be completed by management, specifically the business activity owner. The survey format of the CSA encourages management to assess the adequacy of their own controls by placing the responsibility on them for the assurance that controls are in place and functioning.
The Goals of Control Self-Assessment
Reduce or eliminate costly and ineffective controls while creating valuable alternatives;
Pinpoint risk areas while developing adequate control measures;
Evaluate the controls already in place;
Emphasize management responsibility for developing and monitoring effective internal controls;
Communicate results to others resulting in improved understanding and performance.
Control Self-Assessment Format Although the CSA can be designed by management, it is recommended that it be designed with the assistance of Internal Audit. It is usually the preference of Internal Audit to design the Control Self-Assessment in a “conversational style” to elicit detailed information about the people, processes and controls associated with a particular business activity. For maximum effectiveness, Internal Audit generally uses a mixture of the most common types of questions recommended for proper questionnaire construction. The types of questions include:
Closed ended questions - Respondents’ answers are limited to a fixed set of responses. For example - the respondent is only allowed to answer with a “yes” or a “no”.
Open ended questions - No options or predefined categories are suggested. The respondent supplies their own answer without being constrained by a fixed set of possible responses. For example - “What is your opinion of….?”
Contingency questions - A question that is answered only if the respondent gives a particular previous response. For example – If you answered yes to this question, then what is …?
Matrix questions - Identical response categories are assigned to multiple questions. The questions are placed one under the other, forming a matrix with response categories along the top and a list of questions down the side. This is an efficient use of page space and respondents’ time.
Scaled questions - Responses are graded on a continuum. For example rate the effectiveness or quality of …on a scale from 1 to 5.
Suggested Control Self-Assessment Content The following is a list of suggested content when developing a Control Self-Assessment: 1. Business Activity Overview Questions regarding employees, computer systems, forms generated, internal/external partners used to complete the processes and procedures of the business activity. 2. Process and Procedure Identification Questions regarding the fundamental processes and procedures of the business activity. 3. Segregation of Duties A table listing key processes -- requiring the identification of the specific individuals who have authority for and access to them. 4. Internal Control Identification Tables listing commonly accepted control objectives and controls related to the given business activity -- requiring confirmation that the controls are currently in use. 5. Internal Control Assessment A table listing the control objectives for the given business activity – requiring that a rating score (between 1 and 5) be chosen to describe the perceived effectiveness of current controls. 6. Process Risk Assessment A table listing the processes related to the given business activity – requiring that a risk rating level (low, medium, high) be assigned to each process based on the results of #5, the internal control assessment. 7. Best Practices Checklist A checklist representing standard best practices for the given business activity --- requiring confirmation that the practice is currently in use. 8. Business Activity Control Rating Based on the results of steps 1 through 7, a proposed internal control rating should be assigned to the business activity by the business activity owner.
Advantages of a Control Self-Assessment CSA is a powerful tool because it is an inclusive tool that sets an expectation of high performance and a high level of knowledge about the work structure and policies. CSA also helps evaluate informal or subjective controls in such areas as ethical practices, management philosophy, and business processes. From the senior management perspective, CSA assists in determining whether the organization is meeting its objectives. Key advantages to implementing a CSA program include early detection of risks as well as weaknesses in the internal control system.
Maintenance and Use of the Control Self-Assessment The CSA should be updated on a continuous basis to document changes in business activities, processes, controls, key people, systems, etc. Once in place, business activity owners can use the CSA as part of a constant monitoring effort. Internal Audit can use information from the CSA during its key control audit of that given business activity. Therefore, one of the purposes of the key control audit could be to verify the presence and strength of any internal controls that had been documented on the CSA by the business activity owner.