As businesses grapple with how best to comply with new regulations such as Section 404 of Sarbanes-Oxley (SOA), the use of control self-assessment techniques might deserve a fresh look at many companies.
Control self-assessment (CSA) is a process that allows key stakeholders in a company to look at the risks they face, examine the controls in place to deal with those risks and evaluate or “assess” their adequacy. CSA is a flexible discipline of customizable techniques for compiling key organizational information for decision-making. This attribute makes control self-assessment techniques widely applicable to and valuable for enterprise initiatives like Section 404 compliance, enterprise-wide risk management programs, and internal control initiatives.
Key role for Sarbanes compliance
A self-assessment process can be employed by organizations at various stages of an SOA project ranging from initial scope definition to development of the testing strategy. Additionally, self-assessment may facilitate understanding of:
- Which processes and related internal controls drive financial reporting?
- How are financial statement assertions, such as the COSO Integrated Internal Control Framework, incorporated in the control structure?
- What approach will assist management to develop an aggregate view of risk and control attributes?
Answers to these complex questions can be developed through a collaborative self-assessment process that will facilitate the collection of data from the appropriate personnel. An organized program accompanied by a tool for data storage and analysis will greatly enhance these efforts.
CSA can play three major roles in compliance efforts:
- Facilitate sessions with key personnel, process owners, and other related personnel to understand processes and control points
- Utilize survey technology to collect important information about risks, processes, and related controls
- Perform entity level assessments of the “tone at the top” for Section 302 Certifications
One advantage of using CSA is that it may help save time. A recent survey of 321 companies by Financial Executives International, an association of finance executives, found that companies with revenues in excess of $5 billion plan to spend $4.7 million, on average, implementing SOA 404 compliance this year.
Another benefit of control self-assessment is that it gets both process owners and management involved in reviewing controls. Section 404 “is all about management owning controls, accountability has to be built in,” notes Fred Umbach, a Protiviti managing director in New York.
Profiles of risk
Internal auditors perpetually evaluate risk throughout an organization to determine the priorities that will be addressed within the annual risk-based audit plan. An ideal process includes significant participation by executives and line managers in a collaborative effort.
Using control self-assessment can help an internal audit department craft an effective auditing plan that directs department efforts to the areas of highest risk within a company. In that way, control self-assessment can help an audit department more effectively allocate budget dollars at a time of increasing demand for those dollars to comply with new regulations.
Many organizations are looking to build in enterprise-wide risk management and continuous risk assessment capability. COSO’s ERM framework provides a basis for a continuous risk management program as part of ongoing operations rather than a one-time annual assessment. Collecting information from personnel knowledgeable about changes in organizational risk attributes is a significant challenge to an effective ERM program. Executive management is often not afforded the luxury of both timely and accurate information to execute decisions.
A CSA tool can help bridge this gap. “From a technology perspective, you should seek a tool that meets your diverse needs,” says Michael Mask, an associate director with Protiviti in Denver. Incorporating a web-based technology into your CSA program offers the following benefits:
- Consolidation of numerous “ad-hoc” sessions, surveys and exercises into a single program
- Increased global reach via the “accessibility” of technology
- Automation of time-intensive tasks like data gathering
- Efficiencies achieved through a ‘common language’, process and tool
- Broader dissemination of knowledge, best practices, and useful resources
- Integration of a control and risk mindset into daily processes
- Help automate the creation of reports that are concise, understandable and actionable by Senior Management
Protiviti’s Mask has helped a number of organizations implement a Web-based CSA tool from Protiviti called The Self Assessor, which he describes as “a stellar assessment engine that enables rigorous and robust assessments.” TSA provides management with an ability to design an assessment that incorporates concepts such as action planning, test planning as well as review and signoff. The most effective technologies will be flexible and provide real-time transparency into your assessments. Additionally, a tool should illustrate “dashboards” and produce quality reports in a format that converts data into information. “Ultimately, your CSA tool of choice should be configurable, user-friendly and serve as a ‘decision-support’ system for management,” notes Mask.
An internal audit case study: The more you learn, the better
Carmen Lapointe Young, IIA chair in 1994-’95, was a pioneer of control self-assessment. Now chair of the IIA’s control self-assessment certification, she notes that some may question the value of getting key stakeholders in a company to assess themselves. But the response of internal audit to that should be, “the more you can learn from clients, the better off we all are,” she says.
While serving as corporate auditor for Canada Post (the Canadian government-owned mail delivery company), Young instituted an annual control self-assessment program.
She identified four business processes and 11 enabling processes supporting those business functions.
Her evaluation began by looking at the company’s overall business objectives and then applying those to a given business process. Key personnel would be invited to a process workshop. Each would receive a pre-meeting packet of information, asking them to evaluate risks and controls and to vote on control effectiveness.
Some of her annual workshops included more than 50 people for a given process with about 400 people across the company being involved in one of the 15 workshops held.
Following those, a corporate-level workshop would be held looking at the company’s top five risks, its control framework, the likely impact of those risks on its ability to achieve its annual business objectives and the likelihood of achieving various objectives.
“Internal audit is the process owner” for control self-assessment, Young explains. “It’s my assessment in the end, but it’s now much more credible. Control self-assessment becomes a learning experience to the people in the workshop.”
One benefit of bringing together process stakeholders from different departments is to discover discrepancies in how a given department rates its controls vs. how internal clients see them, notes Young, who recently became vice president, internal audit and evaluation, for Export Development Canada in Ottawa.
Marc Dominus, a managing director with Protiviti in Chicago, agrees: “It (CSA) really has to do with the people responsible for the individual processes assessing the adequacy of controls. It frequently raises the awareness of everyone involved in the process. You frequently get unexpected outcomes. People begin to identify opportunities for synergy or sharing that often would go unnoticed otherwise.”
For example, using a CSA web-based tool, internal audit could administer quarterly controls surveys to process owners or risk management teams asking them to identify any changes that have taken place in their departments. Understanding the changing risk attributes that may have impacted either the design or the operational effectiveness of the controls over that process can be critical to mitigating risks. Internal audit then analyzes the survey results to determine whether additional investigation or reviews are warranted.
The same tool can be leveraged by multiple risk management initiatives and for various other information gathering or monitoring purposes.
A centralized control focus
At Rexam, a UK-based multinational that manufactures beverage cans, Ron Lottman, chief financial officer and a vice president, sees control self-assessment as a way to achieve a more centralized control focus over the company’s 15 can plants around the world. He’s planning control self-assessment workshops in March to look at controls in such areas as purchasing, inventory and receivables.
While Rexam and Canada Post use workshops, many companies begin control self-assessment with questionnaires to key stakeholders, notes Protiviti’s Umbach. The first year of collecting data via such forms can create a baseline of knowledge about a company that can be built on in future CSA cycles. “The first time through, you’ve got to roll up your sleeves,” he says. “From the second year on, self-assessment becomes tremendously powerful.”
Companies searching for guidance to help them develop control self-assessment programs can turn to the IIA, which maintains a control self-assessment center with 823 active members, notes Young. The IIA also offers a certification in CSA, which helps auditors demonstrate an understanding of key knowledge points about CSA. The IIA has certified 992 people since the CSA certification program began in 2000. Certification in CSA can count toward the 4th part of the Certified Internal Auditor exam.