USING CSA for FOCUSING The AUDIT

Control Self-Assessment (CSA) as a useful tool for focusing the audit. CSA may be used by management as a tool for assessing risk at a local level as a contribution to ERM throughout the organization. 

CSA may be used by the auditor to help the management understand and deal with risks to their business. It may also be used to work alongside management in isolating risks in area that is due to be audited so that the audit may focuse on these risks and kick-start the CSA process that management may wish to adopt in the future. It is clear that CSA can be a very powerful technique that fits nicely into the governance, risk management, and internal control agenda.

IIA guidance makes clear the benefits from a well-constructed CSA program: 

A methodology encompassing self-assessment surveys and facilitated workshops called CSA is useful and efficient approach for managers and internal auditors to collaborate in assessing and evaluating control procedures. In its purest form, CSA integrates business objectives and risk with control processes. CSA is also referred to as Control/Risk Self-Assessment or CRSA. Althought CSA practitioners use a number  of differing techniques and formats, most implemented programs share some key features and goals. An organization that uses self-assessment will have a formal, documented process that allows management and work teams, who are directly involved in a business unit, function, or process to participate in a structured manner for the purpose of:

1. Identifiying riks and exposures
2. Assessing the control processes that mitigate or manage those risks
3. Developing action plans to reduce risks acceptable levels, and
4. Determining the likelihood of achieving the business objectives

The Auditor may use CSA approach in engagement planning. There is full recognition of that internal audit may play in stimulating effective CSA within an organization, so long as audit doses not assume responsibility for what is a management tool.