Control Self Assessment A modern tool for Risk Management Page 1 - PowerPoint PPT Presentation

Description:

Internal Control and Risk Management in Corporate Governance ... will be disallowed from operating if it does not have one. COSO. COSO defines internal control as ... – PowerPoint PPT presentation

Slides: 38
Provided by: kyt1

Transcript and Presenter's Notes

1
Control Self Assessment A modern tool for Risk
Management
  • Fazal Hussain Gaffoor
  • FCA, CISA, CIA
  • Chief Internal Auditor
  • Central Depository Company of Pakistan Limited

2
The Agenda of Today's Session
  • What is a control system
  • What is risk management
  • Introduction to Control Self Assessment (CSA).
  • Benefits of CSA to an entity
  • How to implement CSA
  • Pre-requisite for implementation
  • The issues involved in implementation
  • The way forward.

3
Internal Control and Risk Management in Corporate
Governance
  • Good Governance means that all risks are
    identified and managed.
  • Risk management spans the overall activities of the
    organization.

4
Roles in Risk Management
5
International Best Practices
  • COSO (Committee of Sponsoring Organizations)
  • SOX (Sarbanes-Oxley Act 2002)

6
Sarbanes Oxley Act 2002
7
COSO
  • COSO defines internal control as:
  • a process, effected by the entity's board of
    directors, management and other personnel,
    designed to provide reasonable assurance
    regarding the achievement of objectives in three
    particular areas.
  • Effectiveness and efficiency of operations
  • Reliability of financial reporting.
  • Compliance with applicable laws and regulations.

8
What is Control?
  • Process, designed to mitigate risks and provide
    reasonable assurance regarding the achievement /
    accomplishment of set and pre-defined objectives.

9
Elements of Control system
  • Control Environment
  • Awareness and attitude to internal controls
    within the company
  • Part of company culture, management style and
    employee attitudes
  • Control Procedures and policies
  • The detailed internal controls
  • Devised to ensure an orderly and efficient
    conduct of the business

10
Broad categories of control
  • Preventive Control - To stop a loss from
    occurring.
  • Detective Control - To determine if a risk has
    occurred.
  • Directive Control - To avoid risks by providing
    specific ways to do things.
  • Corrective Control - To minimize the impact of a
    loss or an event.

11
Elements of an Internal Control System
  • The COSO framework identifies five elements of
    Control system.
  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information and communication
  • Monitoring

12
Detailed Control Activities
13
DEFINITION OF RISK
  • Chance of something happening that will have an
    impact on objectives. It (risk) is measured in
    terms of likelihood and consequence.

14
Risk Management
  • It is a process whereby organizations
    methodically address the risks attaching to their
    activities with the goal of achieving sustained
    benefit within each activity

15
STAGES OF MANAGING RISKS
  • Stages of managing risks are
  • Identifying
  • Analyzing
  • Treating.

16
RISK EVALUATION TEMPLATE
17
Ways to manage risk
  • Avoid
  • Transfer
  • Mitigate
  • Accept

18
Examples of Risks
19
Example of Risks (Contd.)
20
Control self assessment (CSA)
  • It is a process that can be used by the business
    units to assess risks and related controls in
    order to improve performance and achieve set
    business objectives.
  • It is a method to assist in the development of an
    efficient and effective internal control
    structure and environment.

21
Objectives of CSA
  • Enhancement of audit responsibilities, not a
    replacement
  • Educate management about control design and
    monitoring
  • Empowerment of workers to assess the control
    environment

22
WHY TO IMPLEMENT CSA?
  • Staff work in their respective departments full time and
    thus are experts who know more about what's going
    on in business than auditors (both internal and
    external) ever will.
  • Staff / Department can appreciate the problems,
    hindrances and risks.
  • Auditors normally do the review on a periodic
    basis and have their limitations.
  • Further the staff will become more aware of their
    role to identify risks affecting their operations
    and reporting on the same.
  • The main idea is to make risk assessment part of
    everyone's job.

23
Benefits of CSA
  • It helps line employees better understand the
    risks and controls related to a business process
  • More effective and efficient business processes
  • It also helps line employees assume more
    responsibility and accountability for effective
    control management
  • Broader perspective on the process and its impact
    on organization
  • Improved focus of process owners on specific
    issues
  • Corrective action can be more effective because
    participants own the results
  • Better communication among those who are involved
    in the process, including the control for the
    process.
  • Improved employee morale

24
Benefits of CSA to an entity Illustrated.
25
Benefits of CSA to an entity Illustrated.
(Contd.)
26
Benefits of CSA to Internal Audit
  • CSA can help internal auditors focus on high-risk issues
    and concentrate their traditional audit efforts there.
  • CSA provides an assessment of soft and
    collaborative controls that are difficult to
    assess with traditional auditing.
  • More efficient use of internal audit resources
  • CSA can enhance the role of internal auditing
  • It can improve internal auditing staff morale

27
Role of Internal Audit in CSA
  • Internal audit in collaboration with operating
    staff would produce an assessment of an
    operation.
  • This synergy helps internal auditing assist in
    management's oversight function by improving the
    quantity and quality of available information.
  • Through CSA, internal auditing is positioned to
    facilitate process improvement, benchmarking,
    controls training, and control advisory services
    at entity level.
  • After CSA implementation, internal auditing can
    act like a consultant rather than an auditor.

28
How to implement CSA
  • Establishing company-wide and departmental
    objectives.
  • Identify risk factors.
  • Assessing the controls
  • Developing the action plan for gaps identified.
  • Monitoring Implementation
  • Reporting

29
How to gather information
  • Facilitated workshops
  • Surveys
  • Interviews
  • Electronic and manual voting

30
What are objectives
  • Objectives are targets and goals which an entity
    plans to achieve to ensure achievement of plans
    as identified in its vision, mission and value
    statements.

31
Objective Setting
  • Mission Statement
  • Vision Statement
  • Values
  • Environmental Scanning or SWOT analysis

32
Impediments to an effective CSA
  • Resistance to CSA
  • Loss of direction
  • Intimidation by senior members
  • Non-action on results and recommendations
  • Absent or inadequate planning
  • Management may not believe that employees should /
    can be responsible for effective control and risk
    management.
  • Candid discussion may create exposure to legal risk.

33
Pre-requisite for implementation of CSA
  • The organization implementing the CSA should
    ensure the following
  • Employees understand their roles and
    responsibilities
  • Employees understand the company policies and
    procedures
  • Have adequate knowledge of various management,
    operational and technical controls

34
When CSA will not be appropriate
  • Employees are not knowledgeable in their
    particular area
  • There is rapid corporate change
  • The culture does not support such an exercise
  • Management support is absent
  • The audit mandate is restricted
  • Sufficient resources are not available

35
What the report should contain
  • Company and departmental objectives.
  • Risk affecting the objectives.
  • Adequacy of controls in place
  • Gaps highlighted and corrective actions
    recommended

36
How to make CSA a living exercise
  • Regular follow-up should be done on implementation of
    controls for gaps identified
  • A questionnaire to gather information for
    changes during a certain period
  • An annual exercise to re-assess the risks and
    controls
  • Identification of risk and implementation of
    controls made part of job description
  • Reward employees contributing to improvement of
    processes

37
  • Thank you
  • Questions and Answers