Thinking Like an Auditor

    Risk and Control Self-Assessment: Beyond the Survey

    June 17, 2015 | By Toby DeRoche

    At some point in the last decade, auditors seem to have forgotten a major aspect of the Risk and Control Self-Assessment (RCSA). Lately, the RCSA seems to have become only a control-focused survey, or even just another name for Internal Control Questionnaires (ICQs). It is true that RCSAs have a survey element, but a true self-assessment can be much more than that. Best-practice organizations make use of more than surveys.

    There are some variations regarding RCSA techniques, but in general there are three common methods for performing the evaluations:

    • Facilitated Workshops
    • Surveys or questionnaires
    • Management Analysis

    Surveys and Management Analysis are complementary methods that are widely used in internal control scenarios, especially in SOX management. In many corporations, Surveys and Management Analysis are heavily relied on for SOX control quarterly certifications. If you need ideas for surveys, there are numerous examples available from AuditNet® and from The IIA. The book Using Surveys in Internal Audits, published by The IIA, is a particularly excellent resource.

    When the concept of RCSA was first introduced, the focus was mostly on the Facilitated Workshop. While we have shifted away from this practice, there is a huge potential benefit to bringing the workshop back.

    We'll start with establishing the basics. A Facilitated Workshop is a dynamic, participative event, led by a trained facilitator, generally an internal auditor who holds the Certified in Control Self-Assessment (CCSA) designation, in which the organization's management is actively engaged in a discussion about risks and controls. The objective of the Facilitated Workshop is to engage management in a discussion that leads to an evaluation of the effectiveness of the controls the organization has in place, and ultimately to gain consensus on whether or not all related business objectives will be met with the controls that were examined. There are four formats and underlying workflows for the workshop discussions:


    Process Based:   Examine Processes -> Identify Risks -> Evaluate Controls
    Objective Based: Understand Objectives -> Identify Risks -> Evaluate Controls
    Risk Based:      Identify Risks -> Evaluate Controls
    Control Based:   Evaluate Controls


    The overall goal of each of the formats may be to evaluate control effectiveness, but the starting point for the discussion is different and will often be determined by the organization's culture and how well management understands the control environment. For relatively new organizations, or for those groups in which management has not been educated in risk and control concepts, it may be best to start with process- or objective-based workshops. These formats will better enable a more educational slant to the workshop. For more experienced management teams, the risk- or control-based workshops may work just as well. In the end, going through the processes, objectives, risks, and controls with management in an engaging workshop setting can have some surprising secondary benefits:

    • Management will walk away with a better understanding of their business
    • Management will gain an education on the nature of risk and control environments
    • The burden of evaluating controls will be shifted to the control owners
    • Internal Audit and Compliance teams will be viewed more as a business partner and less as policy enforcement

    With the introduction of the updated COSO Framework, now is the perfect time to revisit RCSA and the Facilitated Workshop. In 2014, most organizations went through painstaking exercises to map their internal controls to the principles outlined in the updated framework. The conversations about COSO have tended to remain at the senior management level, with compliance teams presenting to Controllers, CFOs, and external audit/accounting firms. The information is just as relevant to the process and control owners. With the information still fresh in our minds, we should take the opportunity to bring the process and control owners into the conversation, and a great way to accomplish this task is through the Facilitated Workshop.

    Process-based RCSA Facilitated Workshop Example

    To help you understand how these self-assessment workshops work, consider these basic steps:

    Step 1 - Choose the right attendees
    Probably the most important part of organizing the facilitated workshop is choosing the right people to include in the meeting. You need to choose attendees who can contribute to the conversation, and you also need to invite people who are willing to speak in front of each other. Bringing in accounting managers from the expense group might be the right idea, but if you also include the controller, the rest of the group might be too nervous to participate.

    Step 2 - Plan the Agenda
    If you are facilitating the workshop, this is your meeting. You set the agenda, and it's your job to keep everyone on track. As with most exercises, planning is crucial for success. Based on the plan, there might be some work to do up front. For example, if you want to review survey results during the session, you'll need to plan time to send the survey and compile results.

    Step 3 - Execute the Workshop
    During the workshop, there are a number of methods for getting the group to engage in the conversation. You might try one of the following:

    • Reviewing survey results
    • Building out and discussing process maps
      • Maps should include the process, risks, and ultimately the controls
      • Documenting the process together is very useful for inexperienced management teams
    • Drawing out the group with questions, such as:
      • How do you do this? (process)
      • What could go wrong? (risk)
      • What would stop you from getting this done? (risk)
      • How do you make sure this gets done? (control)

    Remember as you go through this process, your job is to facilitate. You are not there to feed the participants answers, so don't take over.

    Another big aspect of the workshop is documentation. The literature on facilitated workshops usually discusses polling devices and electronic ways to capture data. Most of us will not have access to this particular technology, so just capturing the information is the goal. As a best practice, have a second person in the room to document the session. You'll probably be too busy to do this yourself.

    Step 4 - Update the Participants
    Once the session is complete, you'll start processing all of the information you obtained during the workshop. If this is done as part of an audit, you may need to perform additional follow up and testing. In this case, the workshop is essentially your walkthrough prior to testing. In any case, you should provide detailed documentation back to the workshop participants. If you made flowcharts during the session, clean these up and get them back to the group. If you created any charts or tables with the data, these should be provided as well. Out of respect for the team, you should provide the documentation that they helped produce. Treating them all with a high level of respect will go a long way in planning future workshops.

    For each of the steps, there are variations and details that will make the difference between a good workshop and a great workshop. For more details, The IIA bookstore has a few good resources like Control Self-Assessment: A Practical Guide and the Certification in Control Self-Assessment (CCSA®) Study Guide.

    Leveraging Technology
    If you are planning to try any RCSA techniques, technology can help. Earlier I mentioned the use of polling devices. If you do have access to polling tools, the effect can be profound. You can move a workshop from an open discussion to one with anonymous responses captured by software that can be used to create a statistical analysis.

    Audit Management software and applications made for SOX Compliance Management will often have both survey capability and self-assessment tools built in as standard features. You may already have more tools at your disposal for performing an RCSA than you realize. Take advantage of them.

