Sometimes a control self assessment is also branded as an audit, which it is, but there is a major difference. In this article we are going to learn what a control self assessment is and how it differs from an audit.
What is Control Self Assessment?
This is basically a process of evaluating and improving the prevalent internal controls, but most importantly it is done by the management itself. It is essentially an operational assignment and does not constitute an audit, because an auditor is always an independent person or entity.
The main idea behind control self assessment is to visit or revisit a function or process to check that the controls are satisfactory, as per management’s intentions and design, and whether they may be improved. It may also be used as a tool to identify whether any new internal controls are required.
The CSA process is similar to an audit in its approach, though it is different from an audit. It also involves documenting a process or function, identifying risks and then evaluating the internal controls that are in place as risk mitigation measures, so that risk is mitigated to a level that is acceptable to the management.
Control self assessment exercises may have different objectives, but the following four are key elements of any CSA assignment.
- Understand a function or process thoroughly. Mostly, members of the process owners’ teams are also part of the CSA team, so they know the process in detail.
- Identify the risks associated with the process or function.
- Determine the acceptable level of risk.
- Evaluate the existing controls, form an opinion about them, and evaluate whether new controls would be suitable based on a cost-benefit analysis.
Difference Between CSA and Audit
The main difference that makes control self assessment distinct from internal audit is that the direction, scope and details of the CSA are determined by the management of the operating department. The audit department, internal or external, is not in the driving seat in the CSA exercise. Auditors may be engaged as facilitators or for guidance, but they are never part of recommending remedial measures.
Another difference between control self assessment and audit is that an audit may also involve transaction testing for a period, which is not normally the case with CSA.
IS Auditor and CSA
As an IS auditor, you might be expected to join CSA teams in a guidance or advisory capacity, but you should never assume a role in which you are part of the team that designs and implements remedial measures.