4 factors of an effective control self-assessment (CSA) program
One approach to evaluating an organization’s governance, risk management, and control processes is through a control self-assessment (CSA) process. During a CSA, management and their teams—involved in either a business unit, department, or process—engage in a structured discussion for the purposes of:
- Identifying risks and potential exposures to achieving strategic business objectives
- Determining the likelihood of incurring the identified risks
- Evaluating the controls tasked with managing or mitigating the risks
- Implementing remediation plans to either eliminate, reduce, or transfer the risks
The history of control self-assessments
The origin of the CSA can be tied back to the Watergate scandal in the early 1970s. Social, political, and business turbulence necessitated its inception. In 1987, the first application of a CSA was documented by a Canadian internal audit department that was dissatisfied with the standard auditing techniques used in response to a consent decree as a result of the scandal.
The Institute of Internal Auditors started sponsoring an annual CSA conference in 1993 and began offering the Certification in Control Self-Assessment (CCSA) in 1999. Finally, the Sarbanes-Oxley Act of 2002 solidified the requirement of management’s assessment over a company’s internal control system, including the identification of the organization’s significant processes and key controls.
Why you should use CSAs
CSAs provide a framework for analyzing an enterprise’s risk profile. They are a methodology that assures stakeholders that the system of internal controls is reliable. CSAs create a clear line of accountability, reduce the risk of fraud, and strengthen the overall risk profile.
CSAs fundamentally integrate strategic business objectives with risk and control processes. There are several formats and techniques that practitioners can choose to implement, most notably in the form of facilitated workshops or surveys. Regardless of format, here are three key questions to ask when performing a CSA:
- Are the internal controls operating as designed?
This alludes to how well ownership and accountability are embedded in the risk and control processes.
- How is the control effectiveness being monitored?
This helps to identify additional risks and opportunities for improvement in the control activities.
- How are control deficiencies reported and remediated?
This helps to understand and resolve the identified issues.
Four factors of an effective CSA program
Several factors are critical to the success of implementing an effective CSA program.
- Ensure you have the proper stakeholders involved to support and own the effort. Auditors by themselves cannot sufficiently assess such a broad-based perspective of controls. All stakeholders need to participate and contribute. Start with your business process and control owners.
- Create a culture of continuous improvement. Your culture is constantly evolving, so be sure to allow for sufficient time and resources to conduct the assessment thoroughly.
- Engage highly skilled and trained professionals to facilitate the process. The term “control” in CSA implies a broad framework which encompasses the numerous variables that contribute to a firm’s ability to achieve its objectives, with people being the most significant factor in an organization. I suggest you leverage teams, such as the internal audit department.
- Adapt the CSA program based on your specific business needs, and make sure to have both quantitative metrics and qualitative judgement present. The last thing an organization needs is another check-the-box exercise. While metrics are necessary for evaluation, they are not mutually exclusive with the judgement required as the final basis for assessment.
Benefits of CSAs
There are a number of intangible benefits gained by companies that perform control self-assessments. Your organization gains better insight into its processes, both at management and operational levels. CSAs also foster and improve a risk-based culture, one that can reinforce governance responsibilities across the organization. Finally, an effective CSA program can help reduce audit fatigue and limit the amount of effort required for extensive audit testing of internal controls.
While there isn’t a universal approach to the control self-assessment process, an effective program implementation will deeply embed accountability into your company.
Internal controls are fundamental to any system. Their analysis should involve everyone in the organization in order to benefit from a greater appreciation of control procedures and their importance in achieving your strategic business objectives. CSAs help strengthen the internal control environment, which, in turn, heightens the level of assurance for all stakeholders involved.