Control self-assessments, or CSAs, are where the leaders and supporting teams of business units, departments, or business processes directly engage in an evaluation of the objectives, risks, controls and processes they are responsible for managing. An effective CSA process is designed to enable process owners to evaluate their risks and controls directly, often through the use of questionnaires and workshops. These are often organized and facilitated by the risk management department. Information obtained from these CSAs can be used to determine if the organization has correctly identified their risks and if the right control processes have been put in place.
CSAs can be performed quickly and often are useful in engaging the business owners in enhancing their knowledge of the true risks and raising their control awareness. They can also be helpful in identifying and leveraging opportunities in business processes by pointing out duplicate activities or areas where costs can be reduced. Typically, the risk management department doesn’t have endless personnel, and creating a well-run CSA process can stretch the value of those risk resources by leveraging the business staff. CSAs bring visibility and can help the business owners gain an understanding of and accept the responsibility of owning and managing their department’s risks and controls directly.
There are many ways to perform these CSAs – using a standard template in Microsoft Word or Google Docs, tracking answers on a spreadsheet in Microsoft Excel or Google Sheets, or even using a custom web form built in Google Forms to gather information. If your organization has an eGRC tool such as RSA Archer, the CSAs can be even more robust, offering a comprehensive view of the relationship between business processes, risks, controls, loss events and identified issues.
Whatever the method selected to perform the CSA, it’s important to keep a few best practices in mind:
The practitioners at Cential can help your organization quickly roll out an effective CSA process. Our established processes and CSA procedures have been tried and tested successfully across multiple industries and companies of all sizes. Our resources will help you to more efficiently administer and report on the CSA results, allowing your business process owners more time for analysis. Other benefits of a successful CSA program include quicker identification of risks and the reduction in audit findings and other surprises. Let us help you examine and improve your internal control environment. Contact Cential today!