CSA: Course Overview and The Basics

Course Overview

The CCSA exam can cover a broad spectrum of topics. In addition, the questions and topics on the exam are changed periodically.

The objective of this course is to help participants become more familiar with the material that may be tested on the CCSA Examination and to become more comfortable dealing with multiple-choice questions. The wording of multiple-choice questions can often be a greater challenge than the actual material being tested. Therefore, throughout this workbook there will be opportunities both to review the technical material that may appear on the CCSA examination and to clarify the wording used in questions.

The workbook material contains extensive discussion of the technical topics that may be present on the CCSA examination. In addition, there are sample questions related to the topics at the end of each chapter. These sections contain the correct answer to each question along with an explanation, which often examines the wording of the question. At the back of the workbook there are a substantial number of advanced questions. These questions are probably more typical of what will appear on the examination. These advanced questions are presented in two parts. The first part provides the question only. The second part is more comprehensive with questions and their answers highlighted, along with an explanation of the correct answer. Periodically throughout the workbook, there will be extractions from these advanced questions to examine their wording content, keyword traps, and the technical content of the questions.

Although the workbook contains substantial material, it is advised that the participants review both the end of chapter questions and the advanced questions in the back of the workbook with their explanations. Most often reviewing practice questions and becoming familiar with the wording of multiple-choice questions can be a great aid in preparation for a multiple-choice format test.


CSA: The Basics

The objective of this module is to acquaint the participant with the concepts of Control Self-Assessment (CSA). The module will demonstrate how the participant may use CSA as a tool to help clients and to gain confidence in order to train clients so they may help themselves.

At the end of this module, the participant will:


Control Self-Assessment - What is it?

Control Self-Assessment is a process by which an individual assesses themselves. To put this in perspective, let's think about taking one's own blood pressure. In order to complete this task we attach the blood pressure device and the device reads the results. If the results were 280/250 we could say we have just performed a self-assessment. However, there may be an issue.

In simplest terms, this could be called a blood pressure self-assessment. But there are lessons to be learned here. The first lesson is that we have performed a physical task of self-assessment by measuring the blood pressure. The next issue is determining what this means. What does 280/250 mean? Considering this, there are three things that need to be included in a self-assessment process. The first is the physical task of the self-assessment, the second involves understanding the results, and the third is what could be done to control the results.

In this example, we call our self-assessment process a blood pressure self-assessment. Control Self-Assessment is, therefore, measuring the adequacy of risk and control management in one's own process and taking appropriate corrective action.

Just as in our blood pressure example, the physical task is necessary when performing a self-assessment process. In a Control Self-Assessment process the physical tasks are often in the form of questionnaires/surveys or workshops. These are the physical tasks of performing the Control Self-Assessment process. However, it is not only important to perform the physical task of the self-assessment process but to also understand the results and act on them appropriately.

Action must be taken to correct any deficiencies. Self-assessment/Control Self-Assessment is a methodology to systematically document and evaluate risk controls and the achievement of objectives. This concept can be applied in most areas.

As we can see from our first example, the process can be applied in testing our own blood pressure. In business, it can be applied to test the blood pressure of the business process.

Action is probably the most important task of a Control Self-Assessment process. Performing a self-assessment process without a commitment to action is merely a waste of time.

From a business perspective, the Control Self-Assessment process is a method by which the people who are responsible for the business process evaluate the adequacy of their risk and control management. From a common business stance, this makes sense.

The owners of the business process are in fact responsible for their own risk and control management. Unfortunately, in many cases, this is not widely accepted in the business environment. Control Self-Assessment can help broaden the acceptance of risk and control management within the business community. It can help eliminate the confusion, misunderstanding, and fear of risk and control management by expanding an understanding of these concepts.

A Control Self-Assessment process in the business environment simply means that employees responsible for performing the work evaluate the adequacy of their risk and controls. Further, this Control Self-Assessment process can be a learning device. It can help the business community and business professionals better understand the concepts of risk and control management. In addition, it can help evaluate the accuracy of risk and control management related to soft controls and soft issues. The soft issues are often the foundation for a good business process. They include such things as attitude, morale, ethical values, tone at the top, and communications. Lack of adequate controls in these areas is often the root cause of many other business issues and areas of concern.

The internal audit department often plays a vital role in the implementation and initiation of the Control Self-Assessment process. This is often because of the perception that internal auditors have an in-depth understanding of risk and control management. In addition, it is perceived that internal auditors are familiar with addressing groups of people and upper-level executives. Because of this perception, the internal auditors are often called upon to facilitate the Control Self-Assessment workshops. In the next chapter, we will discuss the facilitators’ responsibilities and how they play a key role in the successful outcome of a business workshop.

Although internal auditors are often called upon to perform the role of facilitator in the CSA process, it is not necessary that they be part of the process. In fact, as time passes, the ultimate goal is that the business professionals conduct their own workshops. Depending upon the current levels of experience, this transition may take place in varying degrees of time.

The Control Self-Assessment process in the business community has another advantage: the advantage of ownership. It is a known fact that there is a certain amount of pride, possessiveness, and acceptance of responsibility that comes with ownership. This ownership and active participation in risk and control decisions will result in a more solid foundation with a greater long-term effect on the risk and control process. An alternative is to dictate the management of the risk and control process. This approach may result in a weaker foundation with weaker long-term effects.



Some Points That Make CSA What It Is

CSA ties the concerns, the issues, and the change for improvement back to the people doing the work.


There are three basic components in any business process, like those involved in everyday life. They occur in this order: objective, risk, and control. Simply stated, the objective is what is trying to be accomplished. The next component of our foundation is risk. Risk is simply the barrier that will stop or slow down the achievement of the objective. The third component is control. Control is the policy, procedure, and action that will diminish or eliminate the barrier of risk.

In today's business environment and everyday life it is virtually impossible to protect 100% against all possible risk. Generally, protection against risk is with some reasonable assurance. This is often called acceptance of risk, risk appetite, or risk tolerance.

Consider this: in everyday life, commuting to work, going shopping, or investing, we accept risk. With these everyday events, the acceptance of risk may mean different things to different people. We all accept risk in everyday life and in business processes. The problem is not with the acceptance of risk, but understanding the consequences of what has been accepted.

Sometimes it is difficult to capture all the consequences. There are often two reasons for this vagueness in accepting the risk. One is that the world changes rapidly. When a certain risk has been addressed and action has begun, the risk situation may change, introducing new risks. The other reason is a lack of understanding of the consequences. It is important to think of the end. The end holds the consequences that may have to be dealt with in a reactionary mode. Should the risk of driving to work with bald tires on snow and ice be accepted? Some risk would be accepted, but what are the consequences of the accepted conditions? The same thought process can be applied in business.

In today's business environment the consequences of accepting risk are far more drastic than they were even a few years ago. The need to address laws and regulations, along with embarrassment and reputation in various news media, has substantially increased the consequences of accepting risk. The risk and control professional can help their clients become better equipped to accept risk and its consequences by helping them to better understand the contemporary consequences of a risk assessment.

Back to basics: risk and control management begins with three basic concepts. These three concepts are objectives, what is trying to be accomplished; risks, what will stop or slow down the process from achieving the objectives; and controls, the policies, procedures, tools, techniques, and actions that diminish or eliminate the barrier of risk.

The Control Self-Assessment process can address these basic concepts individually or in concert with each other. How the Control Self-Assessment process is designed should be driven by the needs and the objectives of the individual business process.



Control Self-Assessment

Control Self-Assessment is a way to help organizations improve their ability to meet objectives.

Organizations that use CSA have a formally documented process to evaluate their controls and risks.

CSA is a process through which internal control effectiveness is examined and assessed. It is a tool that provides reasonable assurance that all business objectives will be met.

CSA is a process where management and/or workshops, not internal auditors, perform the assessment of internal controls.

Generally, the process covers a broad spectrum of objectives. Integrated control frameworks can help in this effort.


CSA Begins With The Objectives.

Management evaluates their own controls and identifies opportunities for improvement.

Two primary tools:

These tools may be used by management to evaluate their control processes.

However, management may not know what to do. Therefore, auditors can take advantage of an opportunity to work with management and facilitate the CSA process.

Integrated Control Frameworks are important tools when using CSA. COSO, CoCo, and COBIT are examples of Integrated Control Frameworks. They can help keep the CSA effort focused and help make sure that all the dimensions of the business are addressed.


CSA Approaches

The use of COSO, CoCo, COBIT, and other control frameworks can be vital in an effective CSA process.

In the internal audit role, auditors are sometimes the owners of the results and processes and sometimes they are not. It depends. It depends on the business culture, the objectives, and the concerns.

Workshops can be horizontal or vertical. The workshops can be structured by level, by function, or be a combination. There is no right or wrong answer. The chosen workshop format is what works best for each business.

Sometimes audit may follow up after the workshop effort. Other times they may not. Again, it depends.

The role of the auditor and the question of independence and objectivity are often a concern in a CSA effort. Under the new IIA standards, auditors are allowed to come closer to the line of objectivity and independence.

However, common sense should prevail. The auditors should be used to the best advantage in a CSA effort, without compromising their objectivity and independence guidelines.


CSA Benefits

CSA helps employees understand and assume responsibility and accountability for effective control and risk management. Education on the CSA process, as well as on the concepts of risk and control management, is a vehicle to this end.

Corrective action is more effective and longer lasting because of the ownership of the issues and the corrective actions.

By using integrated control tools as part of the CSA process, all parts of the business are analyzed and addressed.

CSA improves communications on all levels.

CSA helps employees understand how to analyze, address, and report on the adequacy of controls.


CSA Concerns

People generally resist change. CSA, as a tool, is a different way of doing business. Therefore, to be more successful with a CSA exercise it is important to minimize the unknowns in the participants’ minds. Some tools that help facilitate change are communications, participation in the change effort, and training on the new process.

It is important to first understand the atmosphere, culture, and politics where the CSA exercise will be conducted. By its nature the CSA is participatory and will be much more successful when used in this type of environment. Typically, the more empowered or more participatory the management style is, the more successful the CSA effort will be.

Conducting a CSA workshop is different from conducting a meeting, a training session, or a presentation. Internal auditors are often called upon to facilitate CSA workshops because of their expertise with risk and control management, along with their experience conducting meetings and presentations. Although these professionals may be perceived as having the basic platform skills to conduct training sessions, presentations, and meetings, they may not be trained in specific facilitation techniques. It is recommended that anyone facilitating a workshop attend appropriate facilitator training.

Pre-workshop or CSA education efforts may be required to help the participants feel more at ease and less resistant to change. These efforts will also address lower-level staff who have not been trained to identify controls. These training sessions may include the topics of risk and control management or the CSA process in general. Additionally, they may include interviews with potential participants to gain an understanding of their issues and concerns.

It is the obligation of the facilitator to identify the extent and the need for these pre-CSA efforts. CSA is not cookie-cutter! Therefore, the extent and need for these pre-CSA exercises should be driven by the experience, exposure, concerns, politics, culture, and variations in communications of the potential participants. The facilitator will need to identify the components, design, and address the pre-CSA engagements appropriately.

In some CSA workshop cases, discussions are not candid enough to get to the root cause. The more at ease the participants are during the CSA exercise, the more candid they will be. It is the responsibility of the facilitator to put the potential participants at ease. The more candid the participants are about their processes, identifying both positives and negatives, the more likely weaknesses will be addressed.

Discussion of legal and/or security issues in an open forum may not be appropriate. These are exceptions to the candidness in a CSA workshop. Legal and security issues should be removed from the workshop and discussed privately with the appropriate professionals. The facilitator should discuss the potential of security and/or legal issues as a topic of conversation in the pre-meeting rule setting stage. All participants should be made aware that if such topics come into the conversation the facilitator will end the conversation. It is important to identify this in the rule setting stage so participants do not feel their candidness has been impeded and that there are exceptions to the rule.


STOP

24.  You have decided that a Control Self-Assessment process, a control by itself, will be the best tool for the business situation you are addressing.  The first step in developing this control process should be to:

a.   set standards.
b.   compare the actual results with the desired results.
c.   evaluate a cost-benefit analysis and determine the relative costs of alternative controls.
d.   determine the objectives.




Where CSA Does Not Work

The CSA process is a long-term fix. In situations like fraud, which require swift and decisive action, it may not be the best tool. However, after swift and decisive action is taken, CSA could be used to prevent future occurrences.

Other situations requiring rapid change are mergers, acquisitions, downsizing, takeovers, and other types of crisis situations. In these situations, CSA could be an effective tool in the planning stage. However, swift and decisive action may be required during the process.

The environment has to be right for a CSA effort to work. If it is not supported by audit and business management, or if there is not an atmosphere of trust and/or an adequate staff, the CSA effort will not work.

Generally, CSA is not the best tool for compliance or security audit work. This is because swift and decisive action may be more appropriate. However, CSA may be used to augment these types of audits and may help get to the root cause and prevent future occurrences.


CSA: The Basics Review

1-1 While performing a CSA process, it is always necessary:
  1. that an internal audit be part of the process.
  2. that the process be conducted with a workshop.
  3. that audit acts as the facilitator.
  4. none of the above.

The nice thing about CSA is that it is flexible. The foundation is based upon what works best in any given situation. It may or may not be part of the audit process. The workshop is only one tool that can be used in a CSA process. The facilitator does not necessarily have to be an audit person. Therefore, 4 is the best answer.

1-2 The best opportunity in a CSA process is:
  1. a greater probability of the buy-in of the issues and concerns.
  2. an opportunity to work with others in a stressful environment.
  3. an opportunity to practice public speaking.
  4. the ability to review work without internal auditing.

Although 2, 3, & 4 could be part of a CSA process, the best answer is 1. The concept of CSA is that the people responsible for CSA play an active role in identifying the risk and concerns and put adequate corrective action in place. As a result of this active role, there is a much greater buy-in to the issues, concerns, and the corrective action. Number 1 is the best answer.

1-3 CSA is a way to help organizations:
  1. manage risk.
  2. improve teamwork.
  3. improve communications.
  4. achieve objectives.

The three components of business are objective, risk, and controls. Answers 2 and 3 are advantages of the CSA process. Answer 1 is a result of CSA. It helps in the achievement of objectives. In the big picture, the very first thing to consider is what is trying to be accomplished: the objective. The application of controls and risk management are a means to accomplish this objective. Answer 4 is the best answer.

1-4 Organizations that use CSA:
  1. have good communications in place.
  2. like the participatory style of management.
  3. have a formally documented process to evaluate controls and risk.
  4. do not have an internal audit department.

CSA is a methodology to systematically document and evaluate risk and controls to achieve objectives. A participatory management style and good communications are certainly advantages to the success of a CSA process. However, they are subjective terms. Their definitions are relative to each business culture. What is defined as good or participatory in one culture may not be in another. The audit department is not a requirement for CSA. In this case, answer 3 is the best answer.

1-5 CSA is a process through which internal controls are:
  1. examined.
  2. discussed.
  3. assessed and addressed.
  4. reported by the examiner.

Although answers 1 & 2 are functions that are conducted during a CSA process, they are not the complete picture. Answer 4 implies that there is one examiner. The concept in a CSA process is that a team of experts address the issues. The team, the facilitator, or a designated spokesperson may report the conclusions made by this team. Answer 3 is the best answer. It indicates that the issues were assessed and addressed.

1-6 CSA is a process that will ensure:
  1. that business objectives are met.
  2. that risk is addressed.
  3. that appropriate controls will be put in place.
  4. none of the above.

The word “ensure” is the giveaway in this question. CSA is a control tool that addresses risk and the achievement of objectives. However, it is virtually impossible to protect against all risks all of the time. Therefore, answer 4 is the best answer.
