Control Self-Assessment Advantages and Disadvantages

In my book, CISA Certified Information Systems Auditor All-In-One Exam Guide, control self-assessment is defined as follows:

“A methodology used by an organization to review key business objectives, risks, and controls. Control self-assessment is a self-regulation activity.”

Control self-assessment (CSA) is a tool used by internal audit, information security, and privacy professionals to better learn how internal controls are being operated. As the name implies, CSA consists of a directive sent to a control owner to ask him or her to answer specific questions about a particular control, and provide particular artifacts about the control to substantiate the answers to some of those questions.

While CSA can be conducted via e-mail, it is often a part of an integrated risk management (IRM) system, formerly known as a governance, risk, and compliance (GRC) system. An IRM can be used to collect information about controls and even score the results electronically.

Appropriately managed, CSA can extend the reach and visibility of internal audit activities, but it is not a silver bullet. I list some of the advantages and disadvantages of CSA here.

Advantages:

• Saves time. More controls can be assessed in a given period, versus traditional walkthrough sessions that consume meeting time and may be difficult to schedule.
• Extends visibility. Information about more controls can be obtained than through walkthrough sessions only.
• Reinforces control ownership responsibility. By having control owners answer questions and provide artifacts on their own, CSA supports the concept that control owners are responsible for the effectiveness of their controls.
• Digital record. Because CSA is usually performed electronically, it is not necessary to transcribe meeting notes.

Disadvantages:

• Integrity. Because a control owner is answering questions and providing artifacts away from internal audit personnel, there may at times be a question of whether it was the control owner who answered the questions, and whether they altered any of the provided evidence.
• Exploration. In a typical walkthrough, an internal auditor will ask follow-up questions based on responses to earlier questions. It can be exceedingly difficult to anticipate all possible responses to questions in a CSA questionnaire.
• Body language. In an in-person walkthrough, an internal auditor will observe the body language of the control owner as a part of the overall assessment. Body language provides additional information that may help an internal auditor better understand where control weaknesses might exist.
• Overburdening control owners. In an IRM (integrated risk management), it can be easy to “load up the CSA gun” and fire off numerous CSA assignments to control owners. Unlike in-person walkthroughs, which require a more equal time commitment between auditors and auditees, CSA’s require little up-front time for internal audit. Internal auditors need to be cognizant that the effort to complete a CSA is asymmetrical: the control owner may have to spend considerable time answering questions and gathering artifacts.
• Problem controls. A CSA should not be used alone for controls known to have problems. Controls with problems require deeper scrutiny in conversations that are difficult to script in a questionnaire.
• Relationship. In-person control assessments help to establish and deepen relationships between internal auditors and control owners. Since they are purely digital, CSAs do little in this regard. As a corporate function, Internal Audit (and information security and privacy) need to be established as collaborative relationships. Establishing a relationship based on the assignment of digital tasks may hinder this effort.

Planned properly, control self-assessments can extend the reach and visibility of internal audit, information security, and privacy functions. However, because relationships with auditees are vital to the long-term success of these programs, CSA needs to be applied thoughtfully.

Implementation of audit recommendations

The purpose of internal and external audits is to identify potential opportunities for making improvements in control objectives and control activities. The handoff point between the completion of the audit and the auditee’s assumption of control is in the portion of the audit report that contains findings and recommendations. These recommendations are the imperatives that the auditor recommends the auditee perform to improve the control environment.

Implementation of audit recommendations is the responsibility of the auditee. However, there is some sense of shared responsibility with the auditor, as the auditor seeks to understand the auditee’s business, so that the auditor can develop recommendations that can reasonably be undertaken and completed. In a productive auditor-auditee relationship, the auditor will develop recommendations using the fullest possible understanding of the auditee’s business environment, capabilities, and limitations, in essence saying, “here are my recommendations to you for reducing risk and improving controls.”  And the auditee, having worked with the auditor to understand his methodology and conclusions, and who has been understood by the auditor, will accept the recommendations and take full responsibility for them, in essence saying, “I accept your recommendations and will implement them.” This is the spirit and intent of the auditor-auditee partnership.

– from CISA Certified Information Systems Auditor All-In-One Study Guide – the last words written into the draft manuscript, completed a few hours after the last of the Fourth of July fireworks have burst in the night sky

CISA Forum surpasses 3,000 members

(Seattle, WA) The CISA Forum, founded in 2002 by Peter H. Gregory, CISA, CISSP, has now exceeded 3,000 members.  The Forum continues to grow, with new members being added almost every day.

Created to assist and encourage professionals to pursue a career in data security and IT auditing and to earn the CISA certification, the CISA Forum contains an extensive e-mail archive, as well as collections of useful files and links.  CISA stands for Certified Information Systems Auditor, one of the most sought-after professional certifications in the information security profession.

One of the most important features is the addition of the CISA FAQ, written by Dinesh Bareja.  Gregory announced his vision of the CISA FAQ to Forum members on December 29, 2006, and Bareja took the initiative to create it.  A link to the FAQ is found on the CISA Forum site.

The CISA Forum is located here: http://tech.groups.yahoo.com/group/CISAforum/ .

The CISA certification is owned and managed by the Information Systems Audit and Control Association.  ISACA does not endorse or sponsor the CISA Forum.  Read more about the CISA certification here.

About ISACA.   With more than 65,000 members in more than 140 countries, ISACA (www.isaca.org) is a recognized worldwide leader in IT governance, control, security and assurance. Founded in 1969, ISACA sponsors international conferences, publishes the Information Systems Control Journal, and develops international information systems auditing and control standards. It also administers the globally respected Certified Information Systems Auditor (CISA) designation, earned by more than 55,000 professionals since 1978; the Certified Information Security Manager (CISM) designation, earned by 7,000 professionals since 2002; and the new Certified in the Governance of Enterprise IT (CGEIT) designation.

CISA is a registered trademark of ISACA.

IT auditing is more about people than technology

I was recently asked the following question in one of my forums:

“Some of the challenges I face pertain with the anxiety system administrator’s face before I come on-site. They are defensive from the time I walk in to the time I leave. They don’t take too well to people telling them a control may not have been properly implemented .”

IT auditing is not *really* about the technology at all, but about the *people* who design, build, and operate the technology. Servers don’t have feelings and egos, but people certainly do.

My advice is to do what I do – have a good “bedside manner” and put the patient at ease. Explain why you are there in a non-confrontational manner as possible. Say things like, “I’m here to help understand how things are done here and how I can help with these compliance needs.” Explain that the standards and audits have gotten a lot harder these days, which requires a lot of changes. Empathize with them, be there as a guide who is also learning.

I also suggest that you take the approach of your being there to learn what they do. Make yourself “less good” than them, in order to not be a threat to them. Say things like, “I’m here to learn about these systems that you built and manage,” not “I’m here to see what you’re doing wrong.”

Have a gentle touch. Be confident and friendly, but non-threatening.

I meet new colleagues all the time. This works, as long as your heart and your mind are in the same place. People can see through a facade and will distrust an auditor who is acting.

CISA forum guides certification candidates

The CISA Forum is an online community whose purpose is to assist CISA candidates in their studies towards the Certified Information Systems Auditor certification.  The forum, started in 2002 by Peter H Gregory, CISA, CISSP, is hosted by Yahoo Groups and has more than 3,000 members.

“The forum has helped many achieve their certification through lively discussions about the security audit profession and the CISA exam itself,” Gregory states.  “I started this forum as a way to help new CISA candidates and to provide a platform for others to help these new candidates.”  Gregory encourages newly-minted CISA holders to stay on the van and help others on their way.

The CISA Forum is open to all who possess the CISA certification or are interested in attaining it.

http://groups.yahoo.com/group/CISAforum/

The CISA certification is owned and managed by the Information Systems Audit and Control Association.  ISACA does not endorse or sponsor the CISA Forum.  Read more about the CISA certification here.

About ISACA.   With more than 65,000 members in more than 140 countries, ISACA (www.isaca.org) is a recognized worldwide leader in IT governance, control, security and assurance. Founded in 1969, ISACA sponsors international conferences, publishes the Information Systems Control Journal, and develops international information systems auditing and control standards. It also administers the globally respected Certified Information Systems Auditor (CISA) designation, earned by more than 55,000 professionals since 1978; the Certified Information Security Manager (CISM) designation, earned by 7,000 professionals since 2002; and the new Certified in the Governance of Enterprise IT (CGEIT) designation.

CISA is a registered trademark of ISACA.