A Perspective on Control Self-Assessment identifies three primary approaches to CSA: facilitated team meetings (also known as workshops), questionnaires (also known as surveys), and management-produced analysis. Even with these three primary approaches defined, organizations often use more than one in their self-assessment process. Some of the varied ways CSA is used are listed below.
Examples of CSA Usage
●Use facilitated workshops with anonymous voting to assess risk as one of the factors in developing the annual audit plan. This helps manage the risks involved in preparing the plan.
●Use workshops for major business processes that cross department boundaries.
●Send a questionnaire to management asking them to assess a standard list of control objectives within their departments, and select audits to perform based on the responses.
●Use a facilitated interview process at the start of traditional audits to gather data and set the scope of the audit.
●Alternate CSA and traditional auditing — conduct a traditional audit one year and hold a self-assessment workshop the next year.
●Use CSA as a “preventative” auditing tool. It is a consulting engagement outside the annual opinion on controls issued.
●A department that is totally separate from internal auditing uses CSA workshops to help employees understand their objectives, risks, and controls.
●Send an annual questionnaire to management that is used to support an annual opinion on controls required by outside regulators.
●Use the “wall writing” approach, where the participants respond to two questions: “What things help you achieve your organization’s objectives?” and “What things hinder you in achieving your organization’s objectives?”.
●Use self-assessment workshops to evaluate the overall control environment of the organization.
●Use questionnaires followed by one-on-one interviews with senior management to identify organization-level risks.
Choosing the Right Approach to CSA
Given these different approaches to CSA, how does an organization and its audit department choose the right approach, or even a single approach? A CSA approach using facilitated workshops with the internal auditors as facilitators is favored by most organizations. The IIA also recommends this approach when the culture is supportive of candid participant responses in workshops. When an organization’s culture does not support a participative CSA approach like facilitated workshops, questionnaires and management-produced analyses of controls can be used. Some of the other factors for choosing one approach over another, other than culture, are listed below:
●The nature of the industry, such as highly regulated, financial, manufacturing, or charitable.
●The area(s) of expertise and experience of the internal audit department - what works best for them to initiate CSA (and then grow into other methods).
●The attitude and support of management, particularly operational, if the workshop approach is preferred, because they will be asked to send their staff to the workshops.
●Cost — anonymous voting equipment is expensive and requires training.
●The comfort of the audit staff, especially toward facilitation. Do they believe CSA works and are they comfortable with leading workshops (internal resistance can be passive or aggressive)?
●The resources of the audit shop — can they manage this approach and keep up with the audit plan?
●The attitude of the audit committee. Do they believe this approach will work?
One other primary influence in choosing is the history of internal auditing within the organization. If audit presently performs only compliance-based or financial audits and is viewed as being very “traditional”, then an initial CSA approach based on a short survey may be an easy way to begin CSA. On the other hand, if audit typically reviews operational areas, focuses on business objectives, and has members with advanced facilitation skills, a workshop approach to CSA beginning in an operational area would be possible.
Another factor is the ease of introducing or selling the tool to management. If the audit department is introducing CSA and typically audits business processes, then a CSA approach based on processes may offer some advantages. For instance, audit is familiar with the processes and may be more comfortable using the new tool in that environment. Management also may view using CSA as a natural extension of traditional auditing, as opposed to a radical departure from the norm.
This is just the starting point. The mature CSA audit team will quickly add many different approaches to their list of available tools and techniques and apply the appropriate one based on the situation.
Workshop Approach
The workshop is the most popular approach to CSA. A workshop is a meeting that is facilitated by an internal auditor and designed to assess risks and controls for a given objective or process.
As a rule-of-thumb, workshops involve six to 15 participants and two auditors (one as facilitator and one as scribe or recorder), and last for two to four hours. Of course, there are different sizes of workshops, different modes of facilitation and recording, and different lengths of workshops, but these numbers are typical.
A Perspective on Control Self-Assessment covers four major types of CSA workshops:
●Objective-based.
●Risk-based.
●Control-based.
●Process-based.
The objective-based format workshop focuses on accomplishing an objective. The workshop begins by identifying the controls that are presently in place to meet an objective, and then the remaining (or residual) risks are identified. The intent of the workshop is to identify whether the control techniques are working effectively and resulting in acceptable levels of residual risk (residual risks are those that have no mitigating controls in place).
This approach assumes that the initial risk identification and control design for objectives has already been done and, after reviewing existing controls in the workshop, the remaining or residual risk is communicated. This would be the case if the organization has already successfully implemented a control framework such as COSO and controls are indeed viewed as included in employees’ everyday jobs. During the COSO implementation, each part of the organization would have performed their own risk assessment and designed controls to mitigate the risks identified. Since management owns the risk-assessment process and COSO was put together to aid management, the assumption that management already has identified and controlled risks is a reasonable one. In the objective-based format, CSA begins with the identification and evaluation of that pre-existing control design.
For some organizations, the assumption of having already performed a risk assessment is not realistic. In fact, risk assessment may be the exact thing CSA is intended to address. For those organizations, the objective-based approach is not likely the best one. They would be better off selecting the risk-based approach.
The risk-based workshop focuses on identifying the risks to achieving an objective. The workshop begins with an identification of the barriers, roadblocks, or hindrances (called inherent risks) that might prevent meeting an objective, and then identifies the control activities to ensure they are sufficient to manage the key risks. Finally, any significant residual risks are identified. The risk-based workshop takes the work team entirely through the objective-risks-controls formula during the workshop.
Like the objective-based approach, this takes place on an objective-by-objective basis. The risk-based approach examines risks first and then looks at controls in the workshop, whereas the objective-based approach looks first at controls and then at residual risks — essentially reversing the order. The risk-based approach may result in more global self-assessment workshops than other methodologies since all possible risks are identified in the workshops. Detailed identification and discussion of risks based on a risk framework may take place in this format.
Where organizations have already implemented COSO, this risk identification and control design may already have been performed for each major objective. If so, revisiting this risk identification in the CSA workshop may be viewed as a duplication of work already performed by the work team. When this is the case, a control-based or objective-based approach may be more useful.
The control-based approach focuses on how well the controls in place are working, but is different from the first two approaches because the auditor/facilitator identifies the key risks and controls before the workshop during the planning process for CSA, much like a traditional audit process. This identification may be through interviews with management and employees, flowcharting, etc. Better yet, such information would be obtained directly from documentation maintained by the work team members themselves, since these are part of the team’s responsibilities.
During the workshop, the work team assesses how well the controls are working to mitigate risks and achieve objectives. This approach produces an analysis of the differences between how controls are working and how management intended for these controls to work. It may lead to shorter workshops, since the risks and controls are identified before the workshop begins. This approach might be favored if management wants very short workshops and believes the controls in place are sufficient.
The process-based approach examines an overall process as well as the activities performed within it. The intent of this workshop is to evaluate, update, validate, and/or streamline the selected process. “Processes” in this context mean looking at a series of related activities from end-to-end, such as the purchasing process, product development, contract preparation, the revenue process, etc.
This approach usually includes the identification of objectives for both the overall process (such as service levels or product output) as well as the various steps of the process. Some groups call the objectives at the various steps of the process “control objectives” or “activity-level objectives”. These objectives are agreed with management before the facilitated meeting. During the workshop, the participants identify the risks and controls that help achieve each objective.
The process-based approach may have a greater breadth of analysis than a control-based format, covering multiple objectives within the activities of a process. This approach may be used in conjunction with reengineering efforts or quality action team initiatives, or by audit departments favoring a process-based approach to their traditional audits.
Process workshops may involve reengineering (e.g., we must cut overall production costs by 10 percent) or a framework within which specific risks and controls are addressed (e.g., production of the subvalve assembly is at risk because the current rejection rate exceeds two percent). Changes are recommended or discussed that address specific risk and control issues, but the outcome remains focused on the overall business process. This ensures that recommendations are relevant to and focused on the business area under examination. Some groups often start with an overview of the process objectives even if the focus is on risks and/or controls within the process to provide that business-focused approach.
Another format of the CSA workshop, called the departmental or situational approach, is also popular. Rather than focusing on a single objective or process, this approach focuses on an entire department at once. The workshop basically includes asking the work team or department two questions: 1) What things help or enable you to meet your department’s objectives?, and 2) What things hinder you in meeting your department’s objectives? Various methods of gathering this data are used, but using Post-It Notes on a wall so everyone can view the answers is an easy, low-tech way to gather the data. The participants answer each of the questions, with one answer per Note page, summarizing the factors that help or hinder them from their own perspective. The results are categorized, and often the group discusses potential solutions for the top-ranking hindrances.
This CSA approach can be easier on the facilitator and recorder because the work team is more involved in generating and sorting the raw data. There is no bottleneck in the workshop waiting on the recording process. The result is a broad overview, along with specific issues, of the current situation in the department.
Characteristics of Different Workshop Formats
Objective-Based
Workshop flow is: objective - controls - residual risks - assessment.
Recognizes the investment already made by the organization (if they have already performed a thorough risk identification and control design effort by implementing COSO) by using those as a starting point.
Starts with the assumption that the existing control design is current and optimized.
Risk-Based
Workshop flow is: objective - risks - controls - residual risks - assessment.
Management is often very interested in identification of risks, so they like this approach.
Provides a thorough or global identification of risks and controls, since it begins with identifying all risks.
Strengthens and supplements the risk-identification process called for in COSO and other control frameworks by reinforcing risk identification with work teams.
May be a departure from the traditional role of auditors (to evaluate controls) in some organizations, therefore making it more difficult to sell to management.
Control-Based
Workshop flow is: agreement on existing risks and controls - assessment.
Shorter workshops, since controls are identified before workshops begin.
Less interactive work for the facilitator during the workshop, making the workshop easier to conduct.
More pre-workshop preparation to identify the existing controls.
Less assurance that all controls are identified since the preliminary work was done by the auditors.
Less buy-in to the controls by workshop participants since they did not identify the controls themselves.
Process-Based
Workshop flow is: process objectives - activity-level objectives - assessment.
Subject of workshop (the business process) is similar to many audit approaches - the subject may be more familiar and comfortable for some auditors and management.
Can accommodate processes that cross departmental lines - there is added opportunity for better coverage and improved communication between groups that do not regularly talk.
High-level process mapping adds to the participant’s understanding and contribution to the workshop.
Like a process-based audit, an owner for the process may be difficult to identify and ownership for any action items may be limited.
Multiple workshops may be needed to cover the same scope as one process-based audit, thereby seemingly requiring more resources.
Workshops will likely include participants who do not regularly work together — may require more skills on the part of the facilitator to get the participants to open up.
Objectives for each major step of the process need to be identified. This is often done by internal audit, so buy-in by the participants and management may be lower.
If the process is large in scope (spanning the organization), participants may need to travel to the workshop, thus incurring travel expenses.
Situational Approach
Workshop flow is: enablers - hindrances - discuss solutions to hindrances.
Easier to facilitate and record.
May not address special objectives (it is at a higher level, looking at the entire department at once).
Does not include an assessment of the controls related to each objective.
Likely takes less preparation time by the facilitator since specific objectives need not be identified.
Other attributes of these approaches:
Management generally likes the approaches that focus on their specific objectives, such as objective-, risk-, and control-based. These approaches also help an organization clarify its objectives.
It may be difficult for some audit departments to link or reconcile the objectives used in their traditional audits to the objectives management has for the organization, so CSA based on business objectives can be a radical change for the auditors.
It may be difficult for some management outside of audit to see the link between their objectives for the organization and the objectives of internal auditing, so they may object to auditors looking at non-financial, non-compliance objectives.
Clearly, based on the list of ways CSA is used at the start of this chapter and the list of names given to CSA in Chapter 1, there are other approaches to CSA than have been described so far. The five approaches listed above involve facilitated workshops, but many organizations that are successfully using self-assessment are using variants of these workshop approaches, or altogether different approaches. Just because some approaches are not discussed here does not mean that they are not good - if the approach is successful in improving the organization’s ability to meet business objectives, then it is a good approach for that organization. The workshop approaches described above basically follow A Perspective on Control Self-Assessment and, along with the departmental approach described before, are the most popular methods of performing CSA workshops. In the author’s experience, workshops account for the majority of self-assessment efforts - somewhere around 70 percent of CSA. Of the other two types of CSA in A Perspective on Control Self-Assessment - surveys and management-produced analyses - surveys are the next most popular format.
Survey Approach
The questionnaire or survey approach to CSA uses a survey form that offers opportunities for simple “Yes/No” or “Have/Have Not” responses. Process owners use the survey results to assess their control structure. Auditors have used questionnaires for many years, and using them in CSA is not much different. One difference from audit questionnaires is that the CSA questionnaires need to be written in the recipients’ language, not the auditor’s. No one will be on hand to interpret or clarify the question for the recipients, so they will answer it the way they interpret it, or will skip it altogether if they do not understand it.
Questionnaires are often used when the organization’s culture cannot effectively accept and support candid participant responses in workshops (when participants will not discuss issues openly and honestly). This could be because of fear of reprisal from management, fear of peer group support, or some other factors. Another way to deal with these circumstances is through anonymous voting devices, which are discussed in Chapter 4.
Surveys can also be used to widen the scope of coverage in self-assessment. You can send a survey to hundreds of people at one time, but it would take many sessions and much coordination to include those same people in workshops.
The responses to surveys may be anonymous, or the respondents may be asked to disclose their names. This could impact how honest the responses are viewed to be, or actually are. Almost all survey users agree that conducting just a survey with no follow-up or investigation into the responses does not lead to accurate results. If the respondents know that no one will follow up on their responses, there is a tendency to answer the survey in a way that will cause the least amount of follow-up work. Many respondents will say that everything is fine, even if it is not true, unless they know someone may catch them.
Surveys could be preferable to workshop-based CSA under the following circumstances:
The organization’s culture is not ready for sharing sensitive control information in an open workshop.
There is a high level of concern from management about the time required to get employees together in a meeting.
The auditors are looking for a low-cost way to obtain information about risks to use in preparing an annual audit plan.
Skills are not present in audit to conduct a facilitated meeting.
The scope of the self-assessment is organization-wide and information is needed quickly.
Techniques for Successful Surveys
Although many say that conducting a survey is easier than planning and facilitating a CSA workshop, it still requires a skill all its own. Like most anything else, you get better at preparing surveys with practice, but that means you have to make some mistakes first. Utilizing someone with some prior experience conducting written surveys is important if a department chooses the survey approach to CSA. Often, human resource departments can help out with survey techniques. Some helpful hints in preparing questionnaires include:
Use the recipient’s language.
Use one topic per question.
Use words with clear meaning to the recipients.
Ask easy-to-answer questions first.
Keep the questionnaire short and simple.
Address the questionnaire in a personal manner.
Personally distribute and collect the survey.
Use the questionnaire as a conversation tool in an interview.
The use of questions requiring only “Yes” or “No” answers makes a survey easier to compile than using open-ended questions, but it may not yield as useful an evaluation of controls. For example, there is a great deal of difference in how a manager would respond to these questions for his or her department:
Are employees aware of your departmental goals and objectives? (Yes!)
How do you ensure that the employees are aware of your departmental goals and objectives? (That requires some thought.)
Do employees agree with your departmental goals and objectives? (Yes!)
How do you know employees agree with your departmental goals and objectives? (Again, that requires thought.)
Also, asking departmental personnel questions directly might yield different answers than if the department manager posed the same questions to the department.
Advantages and Disadvantages of Surveys
The IIA research study, Control Model Implementation: Best Practices, contains information about surveys and questionnaires, along with examples of surveys. For the purposes of this chapter, we will end the subject of surveys with a look at their advantages and disadvantages as compared to workshops.
Advantages
Can obtain more coverage.
Require less time from each participant.
Can be anonymous with little added expense.
Require no facilitation skills and no coordination of meetings.
Disadvantages
Without follow-up, respondents may not be truthful.
No opportunity to clarify questions or probe responses on the spot.
Response rate may be low.
In the author’s experience, surveys or questionnaires are used in about 30 percent of CSA efforts and are almost always followed by workshops or interviews of the results.
Management-Produced Analyses
These include any number of ways groups may produce information about controls for management. Although included as a method of CSA in A Perspective on Control Self-Assessment, this is not typically what an audit group is thinking about when CSA is mentioned. Workshops and surveys are by far the more popular formats of CSA. Some examples of management-produced analyses include:
A questionnaire developed and administered by management to support an opinion about internal controls required by a law or regulation, such as the FDIC Improvement Act.
A discussion among senior financial management to support the annual representation letter required by external accountants.
An investigation into the reasons why a particular control breakdown or fraud occurred.
A review of the internal control implications of a new system being developed or the combination of business units.
The nature and form of this type of self-assessment are varied. The more popular forms of CSA, and what most people tend to think of when CSA is mentioned, are workshops and surveys.
As you already know, CSA is done differently by all its practitioners. I am sure some readers will review this chapter and say, “That is not how we do CSA.” That is understood. Everyone is doing CSA differently and that does not mean anyone is doing it wrong. If facilitated workshops, surveys, or other analyses help an organization meet its objectives, then that is the whole point anyway. (But if I were planning to take the CCSA exam, I would make sure I knew something about the approaches described above.)
This chapter discussed the most popular formats of CSA, primarily focusing on the facilitated workshop. The following chapter discusses the risk assessment process at the heart of any type of self-assessment, and indeed of auditing itself.