Control self-assessment

Control self-assessment is a technique developed in 1987 that is used by a range of organisations including corporations, charities and government departments, to assess the effectiveness of their risk management and control processes.

A "control process" is a check or process performed to reduce or eliminate the risk of error. Since its introduction the technique has been widely adopted in the United States, the European Union and other countries. There are a number of ways a control self-assessment can be implemented, but its key feature is that, in contrast to a traditional audit, the tests and checks are made by staff whose normal day-to-day responsibilities are within the business unit being assessed.[1] A self-assessment, by identifying the higher risk processes within the organisation, allows internal auditors to plan their work more effectively.[2] A number of governmental organisations require the use of control self-assessment. In the United States it is a requirement of the FFIEC that control self-assessments are performed on IT systems and operational processes on a regular basis.[3] Benefits claimed for control self-assessment include creating a clear line of accountability for controls, reducing the risk of fraud and producing an organisation with a lower risk profile.[4][5]

Control self-assessment is not effective in every setting. For example, it can be difficult to implement in a decentralised environment, in organisations where there is high employee turnover, where the organisation goes through frequent change, or where senior management does not foster a culture of open communication.[6]

Development and worldwide adoption

Control self-assessment was developed by Gulf Canada in 1987 when the company's General Auditor, Bruce McCuaig, was dissatisfied with the standard auditing techniques in use following the impact of the Watergate affair on the parent company, Gulf Oil Corporation. The decision to fully implement control self-assessment at Gulf Canada was driven by a number of factors. These included the presence of a consent decree requiring the company to report on its internal controls and the difficulties it was facing in estimating its oil and gas reserves using more traditional audit measures.[7]

Over the next ten years Gulf Canada developed a framework to support the analysis and evaluation of control processes by operational staff. This included anonymous voting to ensure there was no impediment to staff expressing their views. The approach was first published in Internal Auditor in December 1990.[8] Gulf Canada discontinued this facilitated meeting approach in 1997 although it continued with control self-assessment using different techniques.[7]

Following Gulf Canada's introduction of control self-assessment many private sector organisations implemented similar techniques. In the United States several states made reviews based on control self-assessment practices mandatory as did the Federal Deposit Insurance Corporation and the Canadian Deposit Insurance Corporation.[7]

Initially external auditors ignored the benefits of control self-assessment even though it was effective at providing audit evidence around the "soft" areas (such as staff morale) that are critical to the effectiveness of internal control systems.[9]

After a number of financial scandals, notably the collapse of Robert Maxwell's publishing empire, the United Kingdom government commissioned Adrian Cadbury to chair an investigation into corporate governance. The committee published its report The Financial Aspects of Corporate Governance in 1992. In section 4, Reporting and Controls, Cadbury made a number of recommendations that led to the increased adoption of control self-assessment in the UK. In particular section 4.5 of the Code of Practice contained within the report required that the directors of a company should report on the effectiveness of the company's system of internal control in each annual report.[10]

In March 2000 the European Commission approved a white paper on reform that led to a major change in the way the Commission was managed. These changes included recommendations for each department to establish an effective internal control system. To support the implementation of the internal controls, the Directorate-General for Budget's Central Financial Service developed a control self-assessment process. This first control self-assessment identified several areas for improvement in internal control across the Commission, most notably the need for a more systematic approach to risk management. The outcome of this first self-assessment was a requirement for every Directorate-General to perform a control and risk self-assessment annually.[11]

The United States enacted the Sarbanes-Oxley Act in 2002. To comply with section 404 of the Act a company must perform a top-down risk assessment and produce an "internal control report" that affirms "the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting" (15 U.S.C. § 7262(a)). The report must include an evaluation of the effectiveness of the internal controls and procedures that relate to financial reporting. To meet this requirement organisations increasingly performed a control self-assessment using a recognised standard methodology. The organisation's external auditors, who are required to sign off the internal control report, typically became more deeply involved in the control self-assessment process because it facilitated their later review of the report.[12]

In the United Kingdom in 2011 the Financial Services Authority recognised in its recommendations for the improvement of operational risk management that the assessment of risks through a control self-assessment may be an important means of identifying risks. It also noted that for the assessment to be fully effective it had to be fully integrated into the financial organisation's risk-management process.[13]

Performing the control self-assessment

Section 1 of the control self-assessment form used by the Federal Transit Administration

The first step in control self-assessment is to document the organisation's control processes with the aim of identifying suitable ways of measuring or testing each control. The actual testing of the controls is performed by staff whose day-to-day role is within the area of the organisation that is being examined as they have the greatest knowledge of how the processes operate.[1][4] The two common techniques for performing the evaluations are:

  • Workshops, that may be but do not have to be independently facilitated, involving some or all staff from the business unit being tested;
  • Surveys or questionnaires completed independently by the staff.

Both approaches are the opposite of formal audits where the auditors, not the business unit staff, will perform the assessment.[1]

On completion of the assessment each control may be rated based on the responses received to determine the probability of its failure and the impact if a failure occurred. These ratings can be mapped to produce a heatmap showing potential areas of vulnerability.

Methodologies

A heatmap produced from the information captured in a control self-assessment. The cluster of issues in the red and amber sections of the heatmap indicates that this is a high risk area, probably in need of new or changed control processes.

Six basic methodologies for control self-assessment have been defined:[14]

  • Internal Control Questionnaire (ICQ) self-audit
  • Customised questionnaires
  • Control guides
  • Interview techniques
  • Control model workshops
  • Interactive workshops

The National Institute of Standards and Technology control self-assessment methodology (NIST Special Publication 800-26, since withdrawn) is based on customised questionnaires. It is an IT focused methodology suitable for assessing system based controls. It provides a cost-effective technique to determine the status of information security controls, identify any weaknesses and, where necessary, define an improvement plan.[15] The methodology uses a questionnaire containing specific control objectives and techniques against which a system or group of systems can be tested and measured. The methodology was designed for United States federal agencies but can also be valuable for private sector organisations.[15]

The COBIT methodology can be used for control self-assessment; like the NIST methodology it was designed for IT focused assessments. COBIT's Process Description component provides a reference model of an organisation's processes and their ownership. Its Control Objectives component provides a set of requirements considered necessary for effective control of each IT process within the organisation. Assessment and evaluation of these components using the Management Guidelines component provides an assessment mechanism that generates a maturity model indicating whether the organisation is meeting its control objectives.[14]

The Institute of Internal Auditors based its control self-assessment methodology on the Total Quality Management approaches of the 1990s as well as the COSO framework. The methodology became part of the International Standards for the Professional Practice of Internal Auditing and was adopted by a large number of major organisations.[16]

A number of other methodologies to standardise the control self-assessment have been published.[17][18] The Institute of Internal Auditors offers a certification in control self-assessment practice.[19]

Software tools

A number of software packages are available to support the control self-assessment process. These are typically modified versions of software developed originally for internal use by audit and accountancy firms such as Deloitte or by niche vendors specialising in business or financial management tools.

Benefits

Control self-assessment creates a clear line of accountability for controls, reduces the risk of fraud (by examining data that may flag unusual patterns of transactions) and results in an organisation with a lower risk profile.[4][5]

A number of other soft benefits have been claimed for organisations performing control self-assessment. These include a better understanding of business operations (by both management and operational staff); stronger awareness of risk practices; a reinforced corporate governance regime and internal audit efficiency improvements.[4][20]

Criticism

Some researchers have criticised control self-assessment as a flawed approach because the way risk is defined and measured is unsophisticated. In particular, control self-assessment may understate risk by failing to identify extreme downside risks: highly improbable events that would have catastrophic consequences if they occurred. Such risks ought to receive a high overall risk score, but the score is generally calculated as the product of the probability of the risk occurring and its impact if it does, each rated on a scale of 1 to 5, so a risk rated 1 for probability and 5 for impact scores only 5 out of a possible 25, no higher than a frequent but trivial one. Individuals performing the control self-assessment are consequently unable to differentiate meaningfully between risks, and extreme low-probability risks are either excluded from the analysis or grouped with more probable (but still unlikely) risks that have a less severe impact.[21]
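The following is an added example, not code from the article or from any of the methodologies it cites. It implements the scoring described under "Performing the control self-assessment" (probability and impact each rated 1 to 5, overall score as their product, results placed on a heatmap) and then shows the weakness raised above: a rare, catastrophic failure and a frequent, trivial one both score 5 and land in the same band. The band thresholds, the sample ratings and the separate extreme-downside flag are all assumptions made for illustration; the page prescribes none of them.

```python
"""Risk scoring and heat-map banding for a control self-assessment.

Added example.  Scales follow the article (probability and impact 1..5,
score = probability * impact).  Band thresholds, sample data and the
extreme-downside flag are assumptions for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlRating:
    """One control's rating, as derived from the self-assessment responses."""
    control: str
    probability: int  # likelihood the control fails: 1 (rare) .. 5 (almost certain)
    impact: int       # consequence if it fails: 1 (negligible) .. 5 (catastrophic)

    def __post_init__(self):
        for name in ("probability", "impact"):
            value = getattr(self, name)
            if not isinstance(value, int) or not 1 <= value <= 5:
                raise ValueError(f"{name} must be an integer 1..5, got {value!r}")


# Constructed sample responses (hypothetical controls, not real assessment data).
SAMPLE_RATINGS = [
    ControlRating("Quarterly access review, payroll system", 4, 3),
    ControlRating("Segregation of duties, supplier payments", 3, 5),
    ControlRating("Backup restore test", 2, 4),
    ControlRating("Data centre flood recovery", 1, 5),   # rare, catastrophic
    ControlRating("Expense receipt checks", 5, 1),       # frequent, trivial
]

# Band thresholds are an assumption; organisations set their own.
RED_THRESHOLD = 15
AMBER_THRESHOLD = 8


def risk_score(rating: ControlRating) -> int:
    """Overall score as the article describes it: probability x impact, range 1..25."""
    return rating.probability * rating.impact


def heatmap_band(score: int) -> str:
    """Map a score to the colour band it would occupy on the heatmap."""
    if score >= RED_THRESHOLD:
        return "red"
    if score >= AMBER_THRESHOLD:
        return "amber"
    return "green"


def is_extreme_downside(rating: ControlRating,
                        impact_floor: int = 5, probability_ceiling: int = 1) -> bool:
    """Flag the case the product score hides: maximum impact at minimum probability.
    The flag is independent of the score so the risk cannot be buried in 'green'."""
    return rating.impact >= impact_floor and rating.probability <= probability_ceiling


def assess(ratings):
    """Score and band every control and flag extreme downside risks separately."""
    results = []
    for r in ratings:
        score = risk_score(r)
        results.append({
            "control": r.control,
            "probability": r.probability,
            "impact": r.impact,
            "score": score,
            "band": heatmap_band(score),
            "extreme_downside": is_extreme_downside(r),
        })
    return results


def heatmap_counts(ratings):
    """Number of controls in each (probability, impact) cell of the 5x5 grid."""
    counts = defaultdict(int)
    for r in ratings:
        counts[(r.probability, r.impact)] += 1
    return dict(counts)


def render_heatmap(ratings) -> str:
    """Text heatmap: rows = impact (5 at top), columns = probability 1..5.
    Each cell shows the control count and the band initial, e.g. '1r'."""
    counts = heatmap_counts(ratings)
    lines = ["impact\\prob " + " ".join(f"{p:>3}" for p in range(1, 6))]
    for impact in range(5, 0, -1):
        cells = []
        for prob in range(1, 6):
            n = counts.get((prob, impact), 0)
            cells.append(f"{n}{heatmap_band(prob * impact)[0]}".rjust(3))
        lines.append(f"{impact:>11} " + " ".join(cells))
    return "\n".join(lines)


if __name__ == "__main__":
    for row in assess(SAMPLE_RATINGS):
        note = "  <-- extreme downside: review outside the score" if row["extreme_downside"] else ""
        print(f'{row["score"]:>2} {row["band"]:<5} {row["control"]}{note}')
    print(render_heatmap(SAMPLE_RATINGS))
```

Running the module lists "Data centre flood recovery" and "Expense receipt checks" both at score 5 in the green band; only the flag separates them. The practical point is that a product score is a convenient way to fill a heatmap, but any control whose impact rating is at the top of the scale should be reviewed on impact alone, regardless of where the product puts it.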

The continual focus on risk elimination that a control self-assessment can lead to has also been criticised. The process of continual evaluation of risks and making plans to mitigate and eliminate them may lead to an unbalanced corporate culture where risks are eliminated ignoring the risk-return ratio of different business choices.[21]

References

  1. Gilbert W. Joseph; Terry J. Engle (December 2005). "The Use of Control Self-Assessment by Independent Auditors". The CPA Journal. Retrieved 2012-03-10.
  2. "Control Self-assessment: An Introduction". The Institute of Internal Auditors. Archived from the original on 2010-08-23. Retrieved 2012-03-10.
  3. "FFIEC IT Examination Handbook". FFIEC. Archived from the original on 2012-02-27. Retrieved 2012-03-10.
  4. McNally, J. Stephen (12 November 2007). "Control self-assessment: Everybody pitching in with internal controls". AccountingWEB.
  5. Spencer Pickett, K.H.; Pickett, Jennifer M. (2010). The Internal Auditing Handbook (3rd ed.). John Wiley & Sons Ltd. p. 585.
  6. "Control Self-Assessment: The Future of Store Audits in Retail Stores" (PDF). Protiviti Incorporated. 2006. Retrieved 2012-03-30.
  7. Professional Practice Pamphlet 98-2: A Perspective on Control Self-Assessment (PDF). Florida: The Institute of Internal Auditors. 1998. ISBN 089413406X. Retrieved 2012-03-31.
  8. K.H. Spencer Pickett (2011). The Essential Guide to Internal Auditing (2nd ed.). John Wiley & Sons Limited. p. 81.
  9. Joseph, Gilbert W. (1 August 2001). "Use of control self-assessment in audits". The CPA Journal. Retrieved 2012-03-12.
  10. Financial Aspects of Corporate Governance (PDF) (Report). 1 December 1992. ISBN 0852589131. Archived from the original (PDF) on 2012-05-12. Retrieved 2012-03-12.
  11. Central Financial Service, European Commission (18 March 2002). "2nd Quality Conference for Public Administration in the EU: Note for the File". Archived from the original on 27 September 2006. Retrieved 2012-03-12.
  12. Engle, Terry J.; Joseph, Gilbert W. (2007). "Improving Internal and External Audit Coordination". CSA Sentinel. 11 (2). Archived from the original on 2014-03-20. Retrieved 2012-04-02, via The Institute of Internal Auditors.
  13. "Enhancing frameworks in the standardised approach to operational risk: Guidance note" (PDF). Financial Services Authority. January 2011. Archived from the original (PDF) on 2018-10-03. Retrieved 2012-03-11.
  14. Sunil Bakshi (2004). "Control Self-assessment for Information and Related Technology". Journal of the Information Systems Audit and Control Association. 1: 4.
  15. Marianne Swanson. "Security Self-assessment Guide for Information Technology Systems". National Institute of Standards and Technology. Retrieved 2012-04-04.
  16. Robert Moeller (2009). Brink's Modern Internal Auditing: A Common Body of Knowledge. John Wiley & Sons Inc., Canada.
  17. Álvarez, Gene (2004). Operational Risk: Practical Approaches to Implementation.
  18. Gene Álvarez; Phil Gledhill (24 November 2010). "A comprehensive risk and control self-assessment methodology". Risk.net. Retrieved 2012-03-10.
  19. "Certification in Control Self Assessment (CCSA)". Institute of Internal Auditors. Archived from the original on 2012-04-02. Retrieved 2012-10-03.
  20. "Control Self Assessment". PricewaterhouseCoopers. Retrieved 2012-03-10.
  21. Lee, Judy; Wee, Lieng-Seng (28 September 2005). "Companies Using Control Self Assessment Don't Really Know their Risk" (PDF). Dragonfly. Retrieved 2012-03-14.