
Control Self-Assessment

Government Finance Officers Association – Nov 4/5 2004
Bill Cox, CA, BDO Dunwoody LLP

What is Control Self-Assessment?

• (“CSA” for short)
• CSA is a methodology used to review key business objectives, risks involved in meeting those objectives, and the controls in place to manage the risks
• Also – use the results to look for opportunities for improvement

Why?

• Meet requirements of new corporate accountability legislation (US public companies)
• Best practices

Where did it Come From?

• COSO (1992)
• CoCo (1995)
• Sarbanes Oxley (2002)
– PCAOB
– Rule 404
• Canada - CPAB

Where Did it Come From?

• COSO
– Committee of Sponsoring Organizations of the Treadway Commission
– Precludes the major corporate scandals
– One of the Frameworks to apply CSA against

Where Did it Come From?

• COSO to set a common definition of internal control and provide a standard against which organizations can assess their control systems
• COSO Core Elements
– Control Environment
– Risk Assessment
– Control Activities
– Information & Communications
– Monitoring

Where Did it Come From?

COSO Example of Framework: Control Environment

• Integrity & Ethical Values
– Existence and implementation of codes of conduct
– Dealing with employees, suppliers, etc. on high ethical plane
– Pressure to meet unrealistic performance targets
• Commitment to Competence
– Formal or informal job descriptions
– Analyses of the knowledge and skills needed to perform jobs adequately
• Board of Directors/Audit Committee
– Independence from management
– Frequency and timeliness of meetings
– Sufficiency and timeliness of which provided sensitive information
• Management’s Philosophy and Operating Style
– Nature of Business Risks accepted
– Frequency of interaction between senior management and operating management
– Attitudes and actions towards financial reporting

Where Did it Come From?

• CoCo
– CICA, now “Risk Management and Governance”
– No longer interested in detailed framework – will leave to COSO
• Sarbanes – Oxley
– Legislates need to assess internal control relative to “a” framework – most will use COSO
• PCAOB (US)/CPAB (Canada)
– Monitoring of firms and functions

How is Reporting on Internal Control Mandated?

• US Large public companies – now
• Other US public companies – coming
• Canadian public companies – expected that there will be something similar
• Public sector
– Some US states have mandated that public sector entities must adopt
– Quite a number of universities have adopted
– Local government
  • No legislated requirement
  • Nothing in Canada on immediate horizon
  • Best practices

Tools Used to Monitor/Report on Internal Control

• CSA is just one – it does not necessarily have to be used
• Direct testing
– Internal audit and external audit
– Test controls
– Test results
• Monitoring
• Continuous Audit

Code of Ethics

• Important starting point
• If you don’t have one – really can’t do effective CSA

Key Factors of CSA

• Teams
– Multi-level
– Clerks, etc. important – are we really doing what process says?
• Control environment
• Fraud risks and controls
• IT controls
• Results and Follow-up

Management of CSA

• Senior management
• Audit Committee oversight
– (throughout process)
• Internal audit
– (may lead)
• External audit
– (advisory)

6 methods of CSA

• ICQ Self Audit
• Customized Questionnaires
• Control Guides
• Interview Techniques
• Control Model Workshops
• Interactive Workshops

Different CSA Interactive Workshop Formats

• Risk-based
– Work teams focus on identifying risks
• Objective-based
– Work teams focus on ways to accomplish an objective
• Control-based
– Work teams focus on how well controls in place are working
• Process-based
– Work teams examine a process from beginning to end and identify strengths and weaknesses of each step
• Departmental-based
– Work teams evaluate a department's overall situation and items that will help or hinder the department from reaching goals

CSA – Typical Project Plan

• Identify the individual with overall responsibility for the project (CFO?)
• Identify the designated project manager and related team members
• Identify the framework that will underlie the analysis (maybe COSO)
• Identify the accounts, locations and processes that will be subject to review, documentation and testing
• Select the approach and tools that will be used
• Document a project plan
• Document relevant controls
• Assess the effectiveness of control designs
• Test control effectiveness (CSA or in conjunction with other)
• Communicate issues and conclude

CSA Workshop Plan

• Workgroup concerns, discussion of strengths and weaknesses, finalize list of manageable issues
• Questioning of workgroup with 30-40 questions based on the control framework chosen
• Ethics discussion

Example - Travel Expense

• Group would meet, assess risks and controls in place/should be in place to cover risks (including fraud)
• Might come up with the following questions:

CSA – Travel Exp – Q’s

• Is the municipal policy for travel expenses complete and in line with corporate ethics?
• Is there clear distinction between business and personal expenses and only business reimbursed?
• Do expense claims include written documentation of dates, purpose, attendees?
• Are those who approve knowledgeable of policy and of staff’s activities?
• Are payments made only on original invoices?
• Are expense claims made within 2 weeks of expense being incurred?
• Is air travel economy?

CSA - Review

• Discussion/documentation on each point throughout staff level
• Degree of compliance discussed, reasons for non-compliance discussed
• Action plan for improvement
• Follow-up report and monitoring

CSA Pitfalls

• Wrong person for facilitator
• Oversimplification of plans
• Launch as a huge project
• Lack of management support
• Narrowing focus too far

CSA Benefits

• Additional hands and eyes for internal and external auditors
• Specialized expertise
• Operations knowledge
• Commitment to implementing recommendations

Reasons Why CSA is Likely to Continue to Expand

• Many organizations have a legislative requirement for reporting on controls – CSA a good tool for this
• Helps foster management responsibility for controls
• CSA is both a collaborative and empowering process
• Restraints on internal audit and costs of external audit make this a useful tool

Comparison of Auditing and CSA

• CSA differs by
– Use of line employees to evaluate risks and controls not internal/external auditors
– Workgroups issue report on risks and controls – not third party mgmt letter
– Mgmt and staff more likely to accept results as they sourced it
• CSA proactive, auditing reactive
• CSA prevent/monitor, auditing detect/correct

Accountants’ Misplaced Values

A very successful accountant parked his brand-new Lexus in front of his office, ready to show
it off to his colleagues. As he got out, a truck passed too close and completely tore off
the door on the driver's side. The accountant immediately grabbed his cell phone, dialed
911, and within minutes a policeman pulled up.

Before the officer had a chance to ask any questions, the accountant started screaming
hysterically. His Lexus, which he had just picked up the day before, was now completely
ruined and would never be the same, no matter what the body shop did to it.

When the accountant finally wound down from his ranting and raving, the officer shook his
head in disgust and disbelief. "I can't believe how materialistic you accountants are," he
said. "You are so focused on your possessions that you don't notice anything else."

"How can you say such a thing?" asked the accountant.

The cop replied, "Don't you know that your left arm is missing from the elbow down? It must
have been torn off when the truck hit you."

"My God!" screamed the accountant. "Where's my Rolex?"

Summary

• Legislative requirements and best practices suggest internal reporting on risks and controls
• This can be managed by a few methods such as direct testing, continuous audit and review of control environment
• CSA is a tool aimed at review of control environment
• CSA involves multi-level teams working together to evaluate, document, report and facilitate change and improvement
