An increase in repeat findings often is an indication that the root cause of a control weakness has not been addressed adequately. Frequently when auditors provide similar recommendations, the root causes of these control weaknesses can be traced to human factors. Consider the five P’s of effective controls for organizational success: One may design a well-conceived policy, a well-designed program aligned with the policy, effective procedures to implement the program, and well-suited practices for following the policy. However, if the organization’s people do not follow those practices, it defeats the work of implementing the policy.
While management is responsible for setting good internal controls, implementing them depends on people at all levels of the organization. Therefore, it’s the soft controls that make a difference. These soft controls are intangible controls such as morale, integrity, ethical climate, empowerment, competencies, openness, and shared values. They differ from hard controls such as organizational structure, delegation of responsibility, and human resources policies. However, soft controls can significantly impact the effectiveness of the organization’s internal control structure.
Despite this impact, internal auditors typically focus on reviewing hard controls because it is difficult to obtain evidence of noncompliance with soft controls. This may be because of insufficient experience or skills in testing the soft controls. However, internal audit has a significant role to play in helping management evaluate soft controls. When seeking to identify risks stemming from soft control weaknesses, auditors can use control self-assessments (CSA) to facilitate the identification and evaluation of risks without impairing internal audit’s objectivity. The robustness of CSA processes not only provides a powerful means of addressing these risks, but may also help reduce the likelihood of repeat audit findings that can be a drain on internal audit resources.
Facilitating The CSA
CSA is a process through which internal control effectiveness is examined and assessed through workshops, surveys, and management analysis facilitated and assisted by a subject-matter specialist. Participants, who are typically management or work teams directly involved in a business function, identify the risk factors, assess the control processes, develop action plans to reduce risks to acceptable levels, and determine the likelihood of the entity achieving the intended business objectives. Internal auditors usually are involved in the CSA process as facilitators because of their expertise and experience with both the organization’s business and its related risks and controls. Indeed, The IIA has offered a specialty Certification in Control Self-Assessment since 1999.
CSA differs from the traditional internal audit approach to assessing control effectiveness. Traditionally, auditors were responsible for evaluating and reporting on the risks and effectiveness of controls. With CSA, these tasks are performed by the business units, work teams, or resident experts, and internal audit validates their work by performing tests and applying its professional judgment to the adequacy and effectiveness of the whole process. This coordinated approach can yield several benefits.
Control Responsibility. In a well-planned and designed CSA setting, the process owners assume greater responsibility in reviewing the effectiveness of controls. Moreover, the process can transfer knowledge among the owners and implementers of the processes. This also can facilitate greater synergy between process owners and the process implementers and increase input from business units about their activities through a participative approach.
Control Improvement. With internal audit’s assistance in facilitating the CSA effort, the business units can review the process flow together with evaluation of control effectiveness and compare them to best-case scenarios based on industry benchmarks. This can assist in greater information flow among the business units, facilitate soft controls such as monitoring, and enable continuous improvement.
Information Gathering. Through an enhanced level of understanding of the client’s activities, a CSA can assist the internal audit activity in gathering useful and validated information from the workshops. These inputs could assist internal audit in better planning its use of resources to focus on significant control weaknesses. Moreover, they can help auditors forge greater collaboration with the operating managers and work teams.
Management Involvement. By encouraging control consciousness, CSA can increase management’s participation and assumption of responsibility for risk management and control processes. Additionally, management can use the CSA forums to clarify its objectives and the ways through which the identified risks are addressed to achieve the organization’s objectives.
Soft Control Testing
While there is no one best approach to conducting a CSA, internal audit clients typically choose to perform facilitated team workshops, surveys, or management analysis of selected business processes, risk management activities, and control procedures.
As facilitators, internal auditors can assist the work teams in interlacing the questions for testing the soft controls together with the tests for hard controls. While there is no standard list of questions that fits every organization, the CSA facilitators could work with operations managers and work teams to ask open questions that could provide information about key issues using techniques such as surveys, interviews, games, and behavioral observation.
The questions could focus on themes such as management’s commitment to fraud risk management, management’s working style, employees’ motivation, communication and sharing of information among members of work teams and management, and the integrity and ethics of employees. CSA workshops can enhance participating employees’ awareness and acceptance of soft controls, because those who perform the tasks are in a better position to appreciate the strengths and weaknesses of the controls, particularly the informal aspects of controls. However, auditors should ensure their questions are framed in consideration of the controls that address behavior and culture. Additionally, they should administer these questions in a mutually motivating and trustworthy environment.
Above all, testing soft controls demands specific interviewing skills such as active listening, empathy, and motivation. For the purpose of their assessments, the CSA team can construct a matrix that considers the issues being tested (see “The CSA Matrix” at right).
Validation of Results
Because the information obtained during the CSA workshops and interviews is verbal information, internal auditors must validate this evidence to assess the controls. Validation of results is necessary because the information gathered during a CSA may not have the same attributes as evidence internal auditors would obtain through their own testing, observation, and walk-through procedures.
Internal audit should plan its validation procedures in advance, including determining the people who will be involved and the extent of validation needed. The degree of quality and quantity of validation helps in determining the type of audit to be undertaken in consideration of the organization’s culture and the extent of testing to be performed.
Some validation procedures include validating the CSA results with past audit results over the control activities, reviewing the appropriateness of action taken in cases involving violation of the organization’s code of ethics, and, in the case of sensitive information, having the chief audit executive discuss and validate the results at the appropriate level of senior management. Moreover, auditors should bear in mind the local values, culture, and practices in determining the type of validation procedures to be followed.
The Way Forward
Despite its benefits, CSA can be challenging to successfully implement in an organization. Internal audit may face:
- Lack of management support in setting the tone of the CSA.
- Lack of clarity about the roles and responsibilities of participants in the CSA process and its expected benefits in a formal document.
- Disinterested or skeptical staff.
- Rigid and complex organizational culture and structure that do not facilitate the free flow of ideas and information.
- Management’s inaction on the action plan developed through the CSA process, which could result in resentment and negative feelings among employees.
To ensure that the process will not be counterproductive, the entities planning to undertake CSA should take adequate precautions. They should identify the appropriate format for CSA, such as workshops or surveys, that would facilitate open and candid communications in the CSA process. Additionally, they should review and document the expected value out of the CSA process and create control awareness by educating the staff through focus group discussions and workshops. Senior management should be involved in planning and designing the CSA process.
Undertaking a pilot study of the CSA process for one selected process/business unit can yield lessons that can be applied to future CSA initiatives. Finally, internal audit should follow up the planning phase and the results of the CSA by conducting an independent validation.
Through its collaborative approach that promotes self-assessment, CSA provides an opportunity for management, work teams, and internal auditors to meet the challenges in assessing the effectiveness of soft controls. For example, a well-planned CSA can overcome the limitations of traditional audit techniques in assessing the attitudinal issues that confront people when they are pursuing organizational objectives. Such insights could make it easier for management to buy in to the results of self-assessments when they reveal weaknesses in soft controls. Better still, addressing those weaknesses could help internal audit reduce the likelihood of repeat findings in the future.