Part of a series on |
Accounting |
---|
Control self-assessment is a technique developed in 1987 that is used by a range of organisations including corporations, charities and government departments, to assess the effectiveness of their risk management and control processes.
A "control process" is a check or process performed to reduce or eliminate the risk of error. Since its introduction the technique has been widely adopted in the United States, European Union and other countries. There are a number of ways a control self-assessment can be implemented but its key feature is that, in contrast to a traditional audit, the tests and checks are made by staff whose normal day-to-day responsibilities are within the business unit being assessed. [1] A self-assessment, by identifying the higher risk processes within the organisation, allows internal auditors to plan their work more effectively. [2] A number of governmental organisations require the use of control self-assessment. In the United States it is a requirement of the FFIEC that control self-assessments are performed on IT systems and operational processes on a regular basis. [3] Benefits claimed for control self-assessment include creating a clear line of accountability for controls, reducing the risk of fraud and the creation of an organisation with a lower risk profile. [4] [5]
In certain circumstances control self-assessment is not always effective. For example, it can be difficult to implement in a decentralised environment, in organisations where there is high employee turnover, where the organisation goes through frequent change or where the senior management of the organisation does not foster a culture of open communication. [6]
Control self-assessment was developed by Gulf Canada in 1987 when the company's General Auditor, Bruce McCuaig was dissatisfied with the standard auditing techniques in use following the impact of the Watergate affair on the parent company, Gulf Oil Corporation. The decision to fully implement control self-assessment at Gulf Canada was driven by a number of factors. These included the presence of a consent decree requiring the company to report on its internal controls and the difficulties it was facing in estimating its oil and gas reserves using more traditional audit measures. [7]
Over the next ten years Gulf Canada developed a framework to support the analysis and evaluation of control processes by operational staff. This included anonymous voting to ensure there was no impediment to staff expressing their views. The approach was first published in Internal Auditor in December 1990. [8] Gulf Canada discontinued this facilitated meeting approach in 1997 although it continued with control self-assessment using different techniques. [7]
Following Gulf Canada's introduction of control self-assessment many private sector organisations implemented similar techniques. In the United States several states made reviews based on control self-assessment practices mandatory as did the Federal Deposit Insurance Corporation and the Canadian Deposit Insurance Corporation. [7]
Initially external auditors ignored the benefits of control self-assessment even though it was effective at providing audit evidence around the "soft" areas (such as staff morale) that are critical to the effectiveness of internal control systems. [9]
After a number of financial scandals, notably the collapse of Robert Maxwell's publishing empire, the United Kingdom government commissioned Adrian Cadbury to chair an investigation into corporate governance. The committee published its report The Financial Aspects of Corporate Governance in 1992. In section 4, Reporting and Controls, Cadbury made a number of recommendations that led to the increased adoption of control self-assessment in the UK. In particular section 4.5 of the Code of Practice contained within the report required that the directors of a company should report on the effectiveness of the company's system of internal control in each annual report. [10]
In March 2000 the European Commission approved a white paper on reform that led to a major change in the way the Commission was managed. These changes included recommendations for each department to establish an effective internal control system. To support the implementation of the internal controls the Directorate-General for Budget's Central Financial Service developed a control self-assessment process. This first control self-assessment identified several areas for improvement in internal control across the Commission most notably the need to implement a more systematic approach to risk management. The outcome of this first self-assessment was the implementation of the requirement for every Directorate General to perform a control and risk self-assessment annually. [11]
In 2007 the United States implemented the Sarbanes-Oxley Act. In order to comply with section 404 of the Act the company had to perform a top down risk assessment which necessitated the production of an "internal control report" that affirmed "the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting." . This report has to include an evaluation of the effectiveness of the internal controls and procedures that are related to financial reporting. To meet this requirement organisations increasingly began to perform a control self-assessment using a recognised standard methodology. The organisation's external auditors, who are required to sign-off the internal control report, typically became more deeply involved in the control self-assessment process as it facilitated their later review of the internal control report. [12]
In the United Kingdom in 2011 the Financial Services Authority recognised in its recommendations for the improvement of operational risk management that the assessment of risks through a control self-assessment may be an important means of identifying risks. It also noted that for the assessment to be fully effective it had to be fully integrated into the financial organisation's risk-management process. [13]
The first step in control self-assessment is to document the organisation's control processes with the aim of identifying suitable ways of measuring or testing each control. The actual testing of the controls is performed by staff whose day-to-day role is within the area of the organisation that is being examined as they have the greatest knowledge of how the processes operate. [1] [4] The two common techniques for performing the evaluations are:
Both approaches are the opposite of formal audits where the auditors, not the business unit staff, will perform the assessment. [1]
On completion of the assessment each control may be rated based on the responses received to determine the probability of its failure and the impact if a failure occurred. These ratings can be mapped to produce a heatmap showing potential areas of vulnerability.
Six basic methodologies for control self-assessment have been defined: [14]
The National Institute of Standards and Technology control self-assessment methodology is based on customised questionnaires. It is an IT focused methodology suitable for assessing system based controls. It provides a cost-effective technique to determine the status of information security controls, identify any weaknesses and, where necessary, define an improvement plan. [15] The methodology uses a questionnaire that contains specific control objectives and techniques against a system or group of systems can be tested and measured. The methodology was designed for United States federal agencies but can also be valuable for private sector organisations. [15]
The COBIT methodology can be used for control self-assessment; like the NIST methodology it was designed for IT focused assessments. COBIT's Process Description component provides a reference model of an organisation's processes and their ownership. Its Control Objectives component provides a set of requirements considered necessary for effective control of each IT process with the organisation. Assessment and evaluation of these components using the Management Guidelines component provides an assessment mechanism that generates a maturity model indicating if the organisation is meeting its control objectives. [14]
The Institute of Internal Auditors based its control self-assessment methodology on the Total Quality Management approaches of the 1990s as well as the COSO's framework. The methodology became part of the International Standards for Professional Practice of Internal Auditing and was adopted by a large number of major organisations. [16]
A number of other methodologies to standardise the control self-assessment have been published. [17] [18] The Institute of Internal Auditors offers a certification in control self-assessment practice. [19]
A number of software packages are available to support the control self-assessment process. These are typically modified versions of software developed originally for internal use by audit and accountancy firms such as Deloitte or by niche vendors specialising in business or financial management tools.
Control self-assessment creates a clear line of accountability for controls, reduces the risk of fraud (by examining data that may flag unusual patterns of transactions) and results in an organisation with a lower risk profile. [4] [5]
A number of other soft benefits have been claimed for organisations performing control self-assessment. These include a better understanding of business operations (by both management and operational staff); stronger awareness of risk practices; a reinforced corporate governance regime and internal audit efficiency improvements. [4] [20]
Some researchers have criticised control self-assessment as a flawed approach as the way risk is defined and measured is unsophisticated. In particular, control self-assessment may understate risk by not identifying extreme downside risk. An extreme downside risk is a highly improbable event that would have catastrophic consequences if it occurred. These risks should have a high overall risk score (generally calculated as a product of the probability of a risk occurring and the impact if it does occur on a scale of 1 to 5). Individuals performing the control self-assessment are consequently unable to significantly differentiate between risks leading to extreme low probability risks either being excluded from the analysis or grouped together with other more probable (but still unlikely) risks that have a less severe impact. [21]
The continual focus on risk elimination that a control self-assessment can lead to has also been criticised. The process of continual evaluation of risks and making plans to mitigate and eliminate them may lead to an unbalanced corporate culture where risks are eliminated ignoring the risk-return ratio of different business choices. [21]
An audit is an "independent examination of financial information of any entity, whether profit oriented or not, irrespective of its size or legal form when such an examination is conducted with a view to express an opinion thereon." Auditing also attempts to ensure that the books of accounts are properly maintained by the concern as required by law. Auditors consider the propositions before them, obtain evidence, roll forward prior year working papers, and evaluate the propositions in their auditing report.
Operational risk is the risk of losses caused by flawed or failed processes, policies, systems or events that disrupt business operations. Employee errors, criminal activity such as fraud, and physical events are among the factors that can trigger operational risk. The process to manage operational risk is known as operational risk management. The definition of operational risk, adopted by the European Solvency II Directive for insurers, is a variation adopted from the Basel II regulations for banks: "The risk of a change in value caused by the fact that actual losses, incurred for inadequate or failed internal processes, people and systems, or from external events, differ from the expected losses". The scope of operational risk is then broad, and can also include other classes of risks, such as fraud, security, privacy protection, legal risks, physical or environmental risks. Operational risks similarly may impact broadly, in that they can affect client satisfaction, reputation and shareholder value, all while increasing business volatility.
An audit committee is a committee of an organisation's board of directors which is responsible for oversight of the financial reporting process, selection of the independent auditor, and receipt of audit results both internal and external.
An information technology audit, or information systems audit, is an examination of the management controls within an Information technology (IT) infrastructure and business applications. The evaluation of evidence obtained determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement.
Information technology controls are specific activities performed by persons or systems to ensure that computer systems operate in a way that minimises risk. They are a subset of an organisation's internal control. IT control objectives typically relate to assuring the confidentiality, integrity, and availability of data and the overall management of the IT function. IT controls are often described in two categories: IT general controls (ITGC) and IT application controls. ITGC includes controls over the hardware, system software, operational processes, access to programs and data, program development and program changes. IT application controls refer to controls to ensure the integrity of the information processed by the IT environment. Information technology controls have been given increased prominence in corporations listed in the United States by the Sarbanes-Oxley Act. The COBIT Framework is a widely used framework promulgated by the IT Governance Institute, which defines a variety of ITGC and application control objectives and recommended evaluation approaches.
Audit management is responsible for ensuring that board-approved audit directives are implemented. Audit management helps simplify and well-organise the workflow and collaboration process of compiling audits. Most audit teams heavily rely on email and shared drive for sharing information with each other.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is an organization that develops guidelines for businesses to evaluate internal controls, risk management, and fraud deterrence. In 1992, COSO published the Internal Control – Integrated Framework, commonly used by businesses in the United States to design, implement, and conduct systems of internal control over financial reporting and assessing their effectiveness.
Enterprise risk management (ERM) in business includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives. ERM provides a framework for risk management, which typically involves identifying particular events or circumstances relevant to the organization's objectives, assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring process. By identifying and proactively addressing risks and opportunities, business enterprises protect and create value for their stakeholders, including owners, employees, customers, regulators, and society overall.
Information security standards or cyber security standards are techniques generally outlined in published materials that attempt to protect the cyber environment of a user or organization. This environment includes users themselves, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks.
ITIL security management describes the structured fitting of security into an organization. ITIL security management is based on the ISO 27001 standard. "ISO/IEC 27001:2005 covers all types of organizations. ISO/IEC 27001:2005 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of the organization's overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof. ISO/IEC 27001:2005 is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties."
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. Internal auditing might achieve this goal by providing insight and recommendations based on analyses and assessments of data and business processes. With commitment to integrity and accountability, internal auditing provides value to governing bodies and senior management as an objective source of independent advice. Professionals called internal auditors are employed by organizations to perform the internal auditing activity.
Governance, risk management and compliance (GRC) is the term covering an organization's approach across these three practices: governance, risk management, and compliance.
The information audit (IA) extends the concept of auditing from a traditional scope of accounting and finance to the organisational information management system. Information is representative of a resource which requires effective management and this led to the development of interest in the use of an IA.
Internal control, as defined by accounting and auditing, is a process for assuring of an organization's objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies. A broad concept, internal control involves everything that controls risks to an organization.
In financial auditing of public companies in the United States, SOX 404 top–down risk assessment (TDRA) is a financial risk assessment performed to comply with Section 404 of the Sarbanes-Oxley Act of 2002. Under SOX 404, management must test its internal controls; a TDRA is used to determine the scope of such testing. It is also used by the external auditor to issue a formal opinion on the company's internal controls. However, as a result of the passage of Auditing Standard No. 5, which the SEC has since approved, external auditors are no longer required to provide an opinion on management's assessment of its own internal controls.
The following outline is provided as an overview of and topical guide to accounting:
Continuous auditing is an automatic method used to perform auditing activities, such as control and risk assessments, on a more frequent basis. Technology plays a key role in continuous audit activities by helping to automate the identification of exceptions or anomalies, analyze patterns within the digits of key numeric fields, review trends, and test controls, among other activities.
An entity-level control is a control that helps to ensure that management directives pertaining to the entire entity are carried out. These controls are the second level to understanding the risks of an organization. Generally, entity refers to the entire company.
The chief audit executive (CAE), director of audit, director of internal audit, auditor general, or controller general is a high-level independent corporate executive with overall responsibility for internal audit.
Risk assurance is often associated with accounting practices and is a growing industry whereby internal processes are developed to create a "checks and balances" system. These checks predominantly identify differences between risk appetite and real risk .Business risk refers to factors that can affect the company, both internally and externally. There are various types of business risks: strategic, compliance, financial and operational. Risk assurance aims to mitigate any of these areas. As such, companies can pre-analyse the industry to scout for potential risks or if a risk has already occurred, managers can analyse the problem in an attempt to mitigate the effects.
{{cite journal}}
: Cite journal requires |journal=
(help)