CSA - Control Self Assessment is not a substitute for auditing.
I have observed that internal auditors are acquiring knowledge of the CSA (control self-assessment) tool in order to apply it in their assurance reviews.
Of course, CSA is a good tool for disseminating and strengthening risk and control concepts in the internal environment of the organization. However, we have to understand that this tool is not owned by internal auditing and that it does not replace the application of the audit methodology for an independent and objective assessment of processes, risks and controls.
Conceptually, the CSA is a structured form that allows managers and employees to evaluate the internal control system, identifying and evaluating the strengths and weaknesses in their own processes, systems, and risk and control environments.
Practical guidance 2120 of the IIA's IPPFs defines the CSA as a formal process, documented and designed to allow management and work teams composed of individuals from business units, functions or processes, to collaboratively:
- Identify risks, exposures and vulnerabilities,
- Evaluate control processes that mitigate or manage corporate and process risks,
- Develop action plans to improve mitigation actions that allow risks to be maintained at acceptable levels,
- Increase the likelihood that the organization will achieve business objectives through business cycles and processes.
Of course, the CSA can be used by internal auditing for those auditable objects which are considered low risk, and mainly in the form of an internal control questionnaire.
The philosophy behind this tool is to make managers more responsible for risk management and internal controls, strengthening risk-based management from the definition of transactions to strategic decisions.
There are three primary forms for CSA application, which can be applied together:
1 - Workshops - These are facilitated sessions with managers and their staff to identify, evaluate and treat risks and internal controls. They can take the following formats:
- Objective-based format
- Risk-based format
- Control-based format
- Process-based format
2 - Questionnaire research - Use of a questionnaire that tends to ask binary questions like "yes-no" or "has-not". Internal audit can use this form, producing specific questionnaires for those processes, units or entities where, for reasons of materiality and/or limited travel funds, the questionnaire can be sent to the managers to answer. It is important that the questionnaire is drawn up so that every negative response (no or not) indicates a weakness and needs a plan of action.
3 - Analyses produced by management - Management produces its own information, which can be quantitative (statistical reports) or qualitative (narrative or flowcharts). It is used in combination with the other primary forms.
It is important to mention that, in whatever form it is applied, all participants should be trained and equipped. It is no use sending an internal control questionnaire if the manager has not been trained in how to analyze and respond to it, or conducting a workshop without the participants knowing the basics of process, risk and control.
The auditor, in addition to being proficient in the concepts of governance and in the application of the tool, should have communication skills and knowledge to facilitate workshops, leading the discussions and reflections of the participating team towards the proposed objectives.
Finally, I would remind you again that the CSA does not bear the same weight as the independent and objective evaluation produced by the Audit, and it is no substitute for it.