In my book, CISA Certified Information Systems Auditor All-In-One Exam Guide, control self-assessment is defined as follows:
“A methodology used by an organization to review key business objectives, risks, and controls. Control self-assessment is a self-regulation activity.”
Control self-assessment (CSA) is a tool used by internal audit, information security, and privacy professionals to better learn how internal controls are being operated. As the name implies, CSA consists of a directive sent to a control owner to ask him or her to answer specific questions about a particular control, and provide particular artifacts about the control to substantiate the answers to some of those questions.
While CSA can be conducted via e-mail, it is often a part of an integrated risk management (IRM) system, formerly known as a governance, risk, and compliance (GRC) system. An IRM can be used to collect information about controls and even score the results electronically.
Appropriately managed, CSA can extend the reach and visibility of internal audit activities, but it is not a silver bullet. I list some of the advantages and disadvantages of CSA here.
Advantages:
- Saves time. More controls can be assessed in a given period, versus traditional walkthrough sessions that consume meeting time and may be difficult to schedule.
- Extends visibility. Information about more controls can be obtained than through walkthrough sessions only.
- Reinforces control ownership responsibility. By having control owners answer questions and provide artifacts on their own, CSA supports the concept that control owners are responsible for the effectiveness of their controls.
- Digital record. Because CSA is usually performed electronically, it is not necessary to transcribe meeting notes.
Disadvantages:
- Integrity. Because a control owner is answering questions and providing artifacts away from internal audit personnel, there may at times be a question of whether it was the control owner who answered the questions, and whether they altered any of the provided evidence.
- Exploration. In a typical walkthrough, an internal auditor will ask follow-up questions based on responses to earlier questions. It can be exceedingly difficult to anticipate all possible responses to questions in a CSA questionnaire.
- Body language. In an in-person walkthrough, an internal auditor will observe the body language of the control owner as a part of the overall assessment. Body language provides additional information that may help an internal auditor better understand where control weaknesses might exist.
- Overburdening control owners. In an IRM system, it can be easy to “load up the CSA gun” and fire off numerous CSA assignments to control owners. Unlike in-person walkthroughs, which require a more equal time commitment between auditors and auditees, CSAs require little up-front time for internal audit. Internal auditors need to be cognizant that the effort to complete a CSA is asymmetrical: the control owner may have to spend considerable time answering questions and gathering artifacts.
- Problem controls. A CSA should not be used alone for controls known to have problems. Controls with problems require deeper scrutiny in conversations that are difficult to script in a questionnaire.
- Relationship. In-person control assessments help to establish and deepen relationships between internal auditors and control owners. Since they are purely digital, CSAs do little in this regard. As corporate functions, Internal Audit (along with information security and privacy) need to establish collaborative relationships with the business. Building a relationship on the assignment of digital tasks may hinder this effort.
Planned properly, control self-assessments can extend the reach and visibility of internal audit, information security, and privacy functions. However, because relationships with auditees are vital to the long-term success of these programs, CSA needs to be applied thoughtfully.