JUNEIDY@ONLINE

Control self-assessment (CSA) is an effective tool for improving a business’ internal controls and business processes. CSA can be implemented in several ways, but its distinguishing feature is that risk assessments and internal control evaluations are made by operational employees or lower-level managers who work in the area being evaluated.  CSA activities also have the potential to improve the efficiency and effectiveness of independent financial statement audits in response to changing demands on independent auditors. While independent auditors can benefit from CSA activities, little evidence indicates the extent to which independent auditors avail themselves of these benefits. The authors investigated the uses of CSA by independent auditors, as well as the perceptions about the value of independent-auditor involvement with CSA activities. Approaches to CSA The Institute of Internal Auditors (IIA) defines CSA as a process through which internal control effectiveness i...

Control Self-Assessment (CSA) as a useful tool for focusing the audit. CSA may be used by management as a tool for assessing risk at a local level as a contribution to ERM throughout the organization.  CSA may be used by the auditor to help the management understand and deal with risks to their business. It may also be used to work alongside management in isolating risks in area that is due to be audited so that the audit may focuse on these risks and kick-start the CSA process that management may wish to adopt in the future. It is clear that CSA can be a very powerful technique that fits nicely into the governance, risk management, and internal control agenda. IIA guidance makes clear the benefits from a well-constructed CSA program:  A methodology encompassing self-assessment surveys and facilitated workshops called CSA is useful and efficient approach for managers and internal auditors to collaborate in assessing and ...

To evaluate internal control using the COSO criteria, an auditor must evaluate soft controls like " tone at the top ", management philosophy and operating style and communications. Many soft controls are too subjective to be evaluate by an outside observer acting alone. In some cases, the onlyvalid measure of their effectiveness is employees' perceptions. For this reason, most of the new internal control evaluation practices have a strong elemnet of self-assessment.    The guiding principle is that evaluating soft controls requires a partnership between auditors and their customers. Management and/or employees must share their knowledge and perceptions openly with the auditors. Auditors must use an approach that poster openness and has the analytical discipline to turn subjective perceptions into legitimate audit evidence. The best-known self assessment practise - sometimes called "classic" self-assessment - is the Control Self Assessment (CSA) workshop. W...

CONTROL SELF-ASSESSMENT (CSA) is a generic term that covers risk self--assessment (RSA), control and risk self-assessment (CRSA), and other processes whereby an organization's personnel evaluate their own risks and controls with the help of facilitators from the internal audit department.  Assessments can be performed through a series of workshops or meetings or through questionnaires and can be applied to projects, processes, business units, and functions --basically any area of a company. Whatever format is used, the goal is the same: to help organizations assess the likelihood of achieving their business objectives by using the knowledge of the workers responsible for meeting them. Self-assessment--whether it is called CSA, RSA, CRSA, or some other term--is a powerful way to gather audit information in the right circumstances. It is used when there is a need for soft control information, when the auditors want to educate others in ris...

The dimensions and potential of CSA keep expanding exponentially. It's a tool for achieving attestation regarding coso controls over financial reporting. The impact of Internal Control - Integrated Framework, the coso report issued in 1992, has been extensive in the banking community. Banks with assets of more than $500 million have implemented the financial reporting category of COSO in an effort to comply with the FDIC Improvement Act of 1993, which requires external attestation regarding the existence and operation of a sound system of control over financial reporting.    The Act does not directly mandate COSO; but because COSO is the most widely recognized framework for internal control, it is the model most often adopted by banks and their auditors. Although COSO has not been as extensively adopted in other industries, its impact on internal control environments is undeniable. In a recent initiative, Departmen and or Institution used control self-assessment (CSA) to...

CSA is a process of examining internal control effectiveness and identifying opportunities for improvement through assessment of the risks and controls within the area by staff within the area. The process can assist management to identify the areas of risk, assess the effectiveness of existing controls and if necessary implement additional or improved controls to overcome any identified deficiencies. An advantage of Control Self Assessments is that risk assessments and internal control evaluations are performed by employees working in the area being evaluated rather than by internal audit. Internal Audit resources are limited and not all areas can be reviewed every year. CSA's help management and Internal Audit gain assurance that there is a robust system of internal controls which minimise the likelihood and severity of risks within the particular area. They can also assist Audit to understand the operations, risks and controls within particul...

COSO defines internal control as follows: " A Process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: Effectiveness and efficiency of operations, Reability of financial reporting, and Compliance with applicable laws and regulation."  The implication for internal auditors is that we must evaluate control over all three categories of objectives in order to render an opinion on "adequacy and effectiveness of overall system internal control." Internal Auditor that focus almost exclusively on financial and compliance controls --as many still do--cannot say they they are evaluating all of internal control.  The definition reflects certain fundamental concepts:  Internal controlis is a process . It's a means to an end, not an end in itself. • Internal control is affected by people. It's not merely policy manuals...

If we are render a professional opinion on internal control, COSO seems to imply, we must evaluate not just the "hard" tangible control activities, but all the "soft" intangible things management uses to control the organization.  COSO tells us this includes things like: People's integrity and ethical values Management's philosophy and operating style The organization's commitment to competence The understanding and management of risk Communication  The 5 component definitions and that we must evaluate, are: Control Environment --- The core of any activities/business is its people ; their individual attributes, including integrity, ethical values and competence, and the environment in which they operate. They are the engine theat drives the entity and the foundation on which everythings rest. Risk Assessment --- The entity must be aware...