Control Self-Assessment (CSA) is a technique that was originally developed by Gulf Canada in 1987. In March 2000, the European Commission approved a white paper on CSA. In the United States, when the Sarbanes-Oxley Act was implemented in 2007, section 404 of the Act required companies to perform a top-down risk assessment that required CSAs. In the UK in 2011 the Financial Services Authority (now the Financial Conduct Authority) recognized in its recommendations for improving operational risk management that risk assessment through a control self-assessment can be an important means of identifying risks. Today, a wide range of entities, including companies in the private sector, the voluntary sector (charities) and public sector entities, use CSA to assess the effectiveness of their risk management and control processes.
The Institute of Internal Auditors conducts courses and seminars and offers the Control Self-Assessment Certification (CCSA).
The Information Systems Audit and Control Association (ISACA) created a framework called COBIT (Control Objectives for Information and Related Technologies). The Control Self-Assessment is contained in COBIT Control Objective ME2.4.
What is the control self-assessment?
CSA is a management technique that can be used to assure key stakeholders, both internal and external, that a company’s system of internal controls is reliable. CSA allows managers and work teams directly involved in business units, functions or processes to participate in the evaluation of the company’s risk management and control processes. CSA can cover objectives, risks, controls and processes.
CSA is a sustainable process by which management validates the operating effectiveness of its internal controls through testing. Every process owner and functional control owner within an enterprise performs effectiveness tests to verify that key controls are working effectively.
Each process owner develops test scripts for each key control and engages their team to perform the given tests throughout the year. This allows management to verify that these controls are working effectively. A CSA program expands the role of operations management from simply evaluating the design of the company's internal controls to testing and validating their effectiveness throughout the year.
Benefits of a CSA Program
An effective CSA program can provide a number of benefits, including:
• Creation of a clear line of responsibility for internal controls;
• Minimization of the risk of fraud;
• Creation of an improved controls environment resulting in a lower risk profile for the company;
• Sustainability of management’s compliance program;
• Reduction of regulatory compliance costs.
The first step in any CSA program is to document the company’s control processes with the goal of identifying appropriate ways to measure or test each control. The actual testing of the controls is carried out by personnel whose daily role is within the area of the company that is being evaluated, as they are the ones with the greatest knowledge about the operation of the processes. Common techniques for conducting assessments are:
• Internal Control Questionnaire (ICQ) or Personalized Survey Questionnaires
• Technical interviews
• Control model workshops
• Interactive workshops
Some companies choose a combination of methodologies that suits their operations to implement an effective CSA program. Once the evaluation is complete, each control can be scored based on the responses received to determine the probability of its failure and the impact if a failure were to occur. These ratings can be summarized to produce a risk matrix showing possible areas of vulnerability.
In any CSA program, the key steps are defining the nature and scope of the company’s CSA program, implementing the program, conducting the first round of testing and review, and then incorporating lessons learned before going through the process again.
Entities have different drivers for wanting to improve the internal controls environment, for example, regulatory requirements, change of ownership, change in senior management, implementation of a major ERP system, or simply wanting stronger internal controls to improve efficiency. Whatever the reason, implementation of a CSA program should be considered. By implementing an effective CSA program, the entity can embed responsibility for internal control within the enterprise, ensure the sustainability of internal controls compliance efforts, and ultimately reduce the cost of overall compliance efforts. In other words, an effective CSA program will drive a much better internal control environment, providing reassurance to all key stakeholders, both internal and external, that company controls are working effectively.