Title: Control Self Assessment: A modern tool for Risk Management
1. Control Self Assessment: A modern tool for Risk
Management
- Fazal Hussain Gaffoor
- FCA, CISA, CIA
- Chief Internal Auditor
- Central Depository Company of Pakistan Limited
2. The Agenda of today's Session
- What is a control system
- What is risk Management
- Introduction to Control Self Assessment (CSA).
- Benefits of CSA to an entity
- How to implement CSA
- Pre-requisite for implementation
- The issues involved in implementation
- The way forward.
3. Internal Control and Risk Management in Corporate
Governance
- Good Governance means that all risks are
identified and managed.
- Risk management spans the overall activities of the
organization.
4. Roles in Risk Management
5. International Best Practices
- COSO (Committee of Sponsoring Organizations)
- SOX (Sarbanes-Oxley Act 2002)
6. Sarbanes Oxley Act 2002
7. COSO
- COSO defines internal control as:
- a process, effected by the entity's board of
directors, management and other personnel,
designed to provide reasonable assurance
regarding the achievement of objectives in three
particular areas.
- Effectiveness and efficiency of operations
- Reliability of financial reporting.
- Compliance with applicable laws and regulations.
8. What is Control?
- Process, designed to mitigate risks and provide
reasonable assurance regarding the achievement /
accomplishment of set and pre-defined objectives.
9. Elements of Control system
- Control Environment
- Awareness and attitude to internal controls
within the company
- Part of company culture, management style and
employee attitudes
- Control Procedures and policies
- The detailed internal controls
- Devised to ensure an orderly and efficient
conduct of the business
10. Broad categories of control
- Preventive Control - To stop a loss from
occurring.
- Detective Control - To determine if a risk has
occurred.
- Directive Control - To avoid risks by providing
specific ways to do things.
- Corrective Control - To minimize the impact of a
loss or an event.
11. Elements of an Internal Control System
- The COSO framework identifies five elements of
Control system.
- Control Environment
- Risk Assessment
- Control Activities
- Information and communication
- Monitoring
12. Detailed Control Activities
13. DEFINITION OF RISK
- Chance of something happening that will have an
impact on objectives. It (risk) is measured in
terms of likelihood and consequence.
14. Risk Management
- It is a process whereby organizations
methodically address the risks attaching to their
activities with the goal of achieving sustained
benefit within each activity
15. STAGES OF MANAGING RISKS
- Stages of managing risks are:
- Identifying
- Analyzing
- Treating.
16. RISK EVALUATION TEMPLATE
17. Ways to manage risk
- Avoid
- Transfer
- Mitigate
- Accept
18. Examples of Risks
19. Example of Risks (Contd.)
20. Control self assessment (CSA)
- It is a process that can be used by the business
units to assess risks and related controls in
order to improve performance and achieve set
business objectives.
- It is a method to assist in the development of an
efficient and effective internal control
structure and environment.
21. Objectives of CSA
- Enhancement of audit responsibilities, not a
replacement
- Educate management about control design and
monitoring
- Empowerment of workers to assess the control
environment
22. WHY TO IMPLEMENT CSA?
- Staff work in their respective departments full time and
thus are experts who know more about what's going
on in the business than auditors (both internal and
external) ever will.
- Staff / Department can appreciate the problems,
hindrances and risks.
- Auditors normally do the review on a periodic
basis and have their limitations.
- Further, the staff will become more aware of their
role to identify risks affecting their operations
and reporting on the same.
- The main idea is to make risk assessment part of
everyone's job.
23. Benefits of CSA
- It helps line employees better understand the
risks and controls related to a business process
- More effective and efficient business processes
- It also helps line employees assume more
responsibility and accountability for effective
control management
- Broader perspective on the process and its impact
on organization
- Improved focus of process owners on specific
issues
- Corrective action can be more effective because
participants own the results
- Better communication among those who are involved
in the process, including the control for the
process.
- Improved employee morale
24. Benefits of CSA to an entity Illustrated.
25. Benefits of CSA to an entity Illustrated.
(Contd.)
26. Benefits of CSA to Internal Audit
- CSA can help internal auditors focus on high-risk issues and
concentrate their traditional audit efforts there.
- CSA provides an assessment of soft and
collaborative controls that are difficult to
assess with traditional auditing.
- More efficient use of internal audit resources
- CSA can enhance the role of internal auditing
- It can improve internal auditing staff morale
27. Role of Internal Audit in CSA
- Internal audit in collaboration with operating
staff would produce an assessment of an
operation.
- This synergy helps internal auditing assist in
management's oversight function by improving the
quantity and quality of available information.
- Through CSA, internal auditing is positioned to
facilitate process improvement, benchmarking,
controls training, and control advisory services
at entity level.
- After CSA implementation, internal auditing can
act as a consultant rather than as an auditor.
28. How to implement CSA
- Establishing company-wide and departmental
objectives.
- Identify risk factors.
- Assessing the controls
- Developing the action plan for gaps identified.
- Monitoring Implementation
- Reporting
29. How to gather information
- Facilitated workshops
- Surveys
- Interviews
- Electronic and manual voting
30. What are objectives
- Objectives are targets and goals which an entity
plans to achieve to ensure achievement of plans
as identified in its vision, mission and value
statements.
31. Objective Setting
- Mission Statement
- Vision Statement
- Values
- Environmental Scanning or SWOT analysis
32. Impediments to an effective CSA
- Resistance to CSA
- Loss of direction
- Intimidation by senior members
- Non-action on results and recommendations
- Absent or inadequate planning
- Management may not believe that employees should /
can be responsible for effective control and risk
management.
- Candid discussion may create exposure to legal risk.
33. Pre-requisite for implementation of CSA
- The organization implementing the CSA should
ensure the following:
- Employees understand their roles and
responsibilities
- Employees understand the company policies and
procedures
- Have adequate knowledge of various management,
operational and technical controls
34. When CSA will not be appropriate
- Employees are not knowledgeable in their
particular area
- There is rapid corporate change
- The culture does not support such an exercise
- Management support is absent
- The audit mandate is restricted
- Sufficient resources are not available
35. What the report should contain
- Company and departmental objectives.
- Risk affecting the objectives.
- Adequacy of controls in place
- Gaps highlighted and corrective actions
recommended
36. How to make CSA a living exercise
- Regular follow-up to be done on implementation of
controls for gaps identified
- A questionnaire to gather information for
changes during a certain period
- An annual exercise to re-assess the risks and
controls
- Identification of risk and implementation of
controls made part of job description
- Reward employees contributing to improvement of
processes
37. Thank you
- Questions and Answers