At some point in the last decade, auditors seem to have forgotten a major aspect of the Risk and Control Self-Assessment (RCSA). Lately, it seems like the RCSA has become only a control-focused survey, or even just another word for Internal Control Questionnaires (ICQs). It is true that RCSAs have a survey element, but a true self-assessment can be so much more. Best-practice organizations are making use of more than surveys.
There are some variations regarding RCSA techniques, but in general there are three common methods for performing the evaluations:
Surveys and Management Analysis are complementary methods that are widely used in internal control scenarios, especially in SOX management. In many corporations, Surveys and Management Analysis are heavily relied on for SOX control quarterly certifications. If you need ideas for surveys, there are numerous examples available from AuditNet® and from The IIA. The book Using Surveys in Internal Audits, published by The IIA, is a particularly excellent resource.
When the concept of RCSA was first introduced, the focus was mostly on the Facilitated Workshop. While we have shifted away from this practice, there is a huge potential benefit to bringing the workshop back.
We'll start with establishing the basics. A Facilitated Workshop is a dynamic, participative event, led by a trained facilitator, generally an internal auditor who holds the Certified in Control Self-Assessment (CCSA) designation, in which the organization's management is actively engaged in a discussion about risks and controls. The objective of the Facilitated Workshop is to engage management in a discussion that leads to an evaluation of the effectiveness of the controls the organization has in place, and ultimately to gain consensus on whether or not all related business objectives will be met with the controls that were examined. There are four formats and underlying workflows for the workshop discussions:
The overall goal of each of the formats may be to evaluate control effectiveness, but the starting point for the discussion is different and will often be determined by the organization's culture and how well management understands the control environment. For relatively new organizations, or for those groups in which management has not been educated in risk and control concepts, it may be best to start with process- or objective-based workshops. These formats will better enable a more educational slant to the workshop. For more experienced management teams, the risk- or control-based workshops may work just as well. In the end, going through the processes, objectives, risks, and controls with management in an engaging workshop setting can have some surprising secondary benefits:
With the introduction of the updated COSO Framework, now is the perfect time to revisit RCSA and the Facilitated Workshop. In 2014, most organizations went through painstaking exercises to map their internal controls to the principles outlined in the updated framework. The conversations about COSO have tended to remain at the senior management level, with compliance teams presenting to Controllers, CFOs, and external audit/accounting firms. The information is just as relevant to the process and control owners. With the information still fresh in our minds, we should take the opportunity to bring the process and control owners into the conversation, and a great way to accomplish this task is through the Facilitated Workshop.
To help you understand how these self-assessment workshops work, consider these basic steps:
Step 1 - Choose the right attendees
Probably the most important part of organizing the facilitated workshop is choosing the right people to include in the meeting. You need to choose attendees who can contribute to the conversation, and you also need to invite people who are willing to speak in front of each other. Bringing in accounting managers from the expense group might be the right idea, but if you also include the controller, the rest of the group might be too nervous to participate.
Step 2 - Plan the Agenda
If you are facilitating the workshop, this is your meeting. You set the agenda, and it's your job to keep everyone on track. As with most exercises, planning is crucial for success. Based on the plan, there might be some work to do up front. For example, if you want to review survey results during the session, you'll need to plan time to send the survey and compile results.
Step 3 - Execute the Workshop
During the workshop, there are a number of methods for getting the group to engage in the conversation. You might try one of the following:
Remember as you go through this process, your job is to facilitate. You are not there to feed the participants answers, so don't take over.
Another big aspect of the workshop is documentation. The literature on facilitated workshops usually discusses polling devices and electronic ways to capture data. Most of us will not have access to this particular technology, so just capturing the information is the goal. As a best practice, have a second person in the room to document the session. You'll probably be too busy to do this yourself.
Step 4 - Update the Participants
Once the session is complete, you'll start processing all of the information you obtained during the workshop. If this is done as part of an audit, you may need to perform additional follow-up and testing. In this case, the workshop is essentially your walkthrough prior to testing. In any case, you should provide detailed documentation back to the workshop participants. If you made flowcharts during the session, clean these up and get them back to the group. If you created any charts or tables with the data, these should be provided as well. Out of respect for the team, you should provide the documentation that they helped produce. Treating them all with a high level of respect will go a long way in planning future workshops.
For each of the steps, there are variations and details that will make the difference between a good workshop and a great workshop. For more details, The IIA bookstore has a few good resources like Control Self-Assessment: A Practical Guide and the Certification in Control Self-Assessment (CCSA®) Study Guide.
If you are planning to try any RCSA techniques, technology can help. Earlier I mentioned the use of polling devices. If you do have access to polling tools, the effect can be profound. You can move a workshop from an open discussion to one with anonymous responses captured by software that can be used to create a statistical analysis.
Audit Management software and applications made for SOX Compliance Management will often have both survey capability and self-assessment tools built in as standard features. You may already have more tools at your disposal for performing an RCSA than you even realize. Take advantage of them.
Toby is a Certified Internal Auditor (CIA) who holds an MBA with an Internal Audit specialization from Louisiana State University. He is also certified in Control Self-Assessment (CCSA), Risk Management Assurance (CRMA), Internal Control (CICA), and Fraud Examination (CFE). His professional background includes identification and documentation of weaknesses that result in heightened business risk, while recommending solutions to such situations. Toby began his career in internal audit with Macy's Inc. He then worked as an implementation and training consultant for Wolters Kluwer. As a Senior Market Development Consultant at Wolters Kluwer, Toby works with organizations that are looking for software solutions to their audit, risk and compliance needs.
Throughout his career, Toby has helped numerous internal audit departments create, perform, and supervise financial, operational, and compliance audits to evaluate control frameworks, financial systems and operating procedures.