Auditing, assurance, & CSA - control self-assessment - includes related articles on CSA a...

Auditing, assurance, & CSA - control self-assessment - includes related articles on CSA approaches, assurance strategies and definition of controls
Internal Auditor, June, 1998 by Bruce McCuaig
Asking whether CSA is bona fide auditing may not be nearly so important as asking how it's
helping organizations. Around the world, CSA is providing assurance and helping more and
more entities achieve their business objectives.

Many of us who pioneered the control self-assessment (CSA) concept in the late 1980s and
early '90s, myself included, held the view that control self-assessment would one day
completely replace the traditional audit as the primary assurance tool in the auditor's tool kit.
We were wrong.

Nonetheless, control and risk self-assessment has become a highly effective assurance tool with
a diverse range of applications extending far beyond what we ever imagined when a co-author
and I wrote "Ripe for a Renaissance," an Internal Auditor article published in December 1990.
In describing CSA approaches we had developed at Gulf Canada, we suggested that the process
could be narrowly defined and that one basic CSA process would fit all the assurance
requirements of any organization. We believed that if the choice had to be made between
traditional direct report audits and CSA, then CSA would win hands down every time. We
vastly underestimated the strategies that would emerge and where each would work.

All of the organizations described throughout this article in the real-world scenarios like the
one above profess to be practicing CSA; yet they are all doing dramatically different things for
totally different reasons. They are alike in that they all have adopted diverse control
self-assessment practices appropriate to their organizations; and they are all providing, at least to
some extent, assurance services.

AUDITING VERSUS ASSURANCE

http://findarticles.com/p/articles/mi_m4153/is_n3_v55/ai_20860224/ 3/23/2010

During a recent training assignment in Melbourne, Australia, one of my clients stood up and
made a strong, emotional point. "Control self-assessment is not auditing," she said, "and
auditing is what we are paid to do. If I am going to sign my name on a report, it will be signed
on an audit report. If it doesn't meet the IIA Standards, I won't do it!" She was not alone in her
sentiments.

One of the first lessons we learned at Gulf Canada in the 1980s speaks to this point. We
decided that the mission of an audit department was not to perform audits. Our job was to
provide assurance to management, staff, the board, and others on a wide variety of end-result
business objectives, including - but in no way limited to - compliance with policies, reliable
financial information, and economy and efficiency.

AUDITS - The value in performing an audit is not to issue a report stating that controls do or
do not exist. Audits add value only when they provide assurance that some business end-result
objective will be met. The existence of controls may have no bearing on the level of assurance
that an objective will be achieved.

For example, requiring that a corporate purchasing function approve all purchase requisitions
provides, at best, only limited assurance that fraudulent acquisitions do not occur. It provides
even less assurance that unnecessary costs are minimized.

Likewise, reporting the existence or absence of such controls provides, at best, limited
assurance and, at worst, false assurance. Should an organization determine that they are at risk
because of the possibility of fraud or inefficiency, then a whole range of measures may be
appropriate to gain the required assurance. Most of the measures may not even be considered
by a traditional audit approach.

Having reviewed thousands of internal audit reports from around the world, I would say that
only about five percent of audit reports clearly identify the business objective underlying the
controls that are being examined. Almost invariably, auditors claim that the business objective
of the audit is obvious and does not need to be stated.

Nonetheless, I have learned never to underestimate how little work groups know about their
objectives. Even if all members of a work group are individually clear on the group's objectives,
gaining consensus or even priority is usually very difficult. One of the most common mistakes
we see occurs when no distinction is made between a control and a business objective. Failing
to explicitly state the end-result business objective of the audit is a fatal flaw.

Approvals on purchase requisitions once again offer an apt illustration. An auditor might
conduct an audit with the "objective" of ensuring all purchase requisitions are properly
approved. This might be a "control objective," but it is not a business end-result objective. The
real business objective might be to prevent fraudulent purchases of goods and services. To
achieve the objective, segregation of duties and proper approval is important, but the existence
of either control will not lead to the accomplishment of the business objective.

Even fewer audit reports provide any definition or criteria of what they refer to as controls;
that is, they do not define what they do or do not consider a control to be. This situation
prevails in spite of significant development in control models or criteria of control, beginning
with the first COSO draft in 1991. The audit reports are purely devoted to reporting on the
existence, absence, or breakdowns in traditional controls. In the absence of explicit control
criteria, the weakness of traditional audit reports lies in the subjectivity and complete
inconsistency of the auditor's views on the adequacy of controls or what constitutes a control.
