August 2001
USE OF CONTROL SELF-ASSESSMENT IN AUDITS
By Terry J. Engle and Gilbert W. Joseph
Control self-assessment (CSA) is an effective tool that many organizations use to continually improve their internal control systems and business processes. Many internal auditing departments use CSA to fulfill internal auditing objectives, and the Institute of Internal Auditors (IIA) has published detailed guidance on the subject.
Independent auditors, however, have largely ignored the benefits of CSA, despite its effectiveness as a source of audit evidence for many of the difficult-to-audit “soft” areas that are a salient component of internal control systems. In addition, CSA can be helpful in understanding a business or industry, setting control and inherent risks, and generating valuable recommendations.
CSA requires additional training in the areas of facilitation, communication, and CSA methodology. In addition, independent auditors may have to expend resources marketing the “CSA audit.” While an investment is required, the return can be substantial.
The Basics
The following IIA definition of CSA is succinct and representative: “CSA is a process through which internal control effectiveness is examined and assessed. The objective is to provide reasonable assurance that all business objectives will be met.” Auditors can use CSA to assess financial statement risks, controls directed at those risks, and compliance with laws and organizational procedures. They can also use the methodology to evaluate a wide range of business processes, and it is effective in identifying opportunities for improvement. While anyone can initiate CSA, internal auditors commonly introduce it and remain actively involved in the process. CSA is unique because internal control evaluations and risk assessments are performed by operational employees as opposed to internal or independent auditors. CSA forces employees to think about control and continuous improvement, and it instills a sense of ownership.
Using a control standard/framework. The CSA process is commonly structured around a normative standard of control, such as the following:
The COSO control framework is commonly used as the normative standard in the United States, and this framework is consistent with the internal control guidance in the AICPA Professional Standards.
Advantages of CSA
The advantages of CSA include the following:
Exhibit 1 summarizes the five components of internal control that comprise the COSO control framework. Although soft controls are part of all five components of control, they are found primarily in the control environment and, to a lesser degree, in the risk assessment component. The pervasiveness of soft controls makes them essential to any control system and any internal control assessment.
Performing a CSA
Two commonly used approaches to CSA are facilitated team meetings and CSA surveys. These approaches can be used alone or in combination.
The facilitated team meeting is the most popular CSA approach. Each CSA session commonly has six to 15 participants, consisting of line employees and operational management, plus a trained facilitator to lead the meeting and another to take notes. Facilitated meetings typically last two to four hours. The participants should have firsthand knowledge of the controls or processes being evaluated, and the facilitator should be trained in internal control systems and facilitation techniques.
Facilitated meetings work best when an organization’s culture permits candid responses in a group setting. Even in the most relaxed cultures, employees may wish to have their responses and opinions remain anonymous. Various software programs, such as groupware, can be used to anonymously gather responses on particular topics or even conduct an electronic meeting.
If the organizational culture is not an open one, the survey approach is a viable alternative. The survey approach uses questionnaires to obtain information about controls and processes, and has the added advantage of being able to obtain information from a large number of individuals fairly quickly.
What distinguishes this CSA approach from traditional internal control evaluations using questionnaires is that operational employees, not auditors, subsequently use the survey results to assess the control systems or processes. When internal auditors use this method, the questionnaire is typically followed by facilitated meetings or interviews.
Selling CSA
In situations where a company has not used CSA, external auditors will have to convince management that the costs are justified. The marketing effort must address why the company should use CSA as a part of the independent audit. The answer is CSA’s increased effectiveness over traditional auditing techniques in understanding and assessing soft controls. In addition, CSA enhances auditor understanding of the client’s business operations and generates more accurate assessments of inherent and control risks, reducing the likelihood of audit failure.
When management supports the CSA approach to auditing, independent auditors can—
In order to preserve their independence, however, independent auditors must be careful not to assume the role of management or of an employee.
Working with Internal Auditors
Internal auditors generally have a wealth of CSA experience and can be a valuable resource. When independent auditors are satisfied with the competence and objectivity of the internal auditors, AU 322, “The Auditor’s Consideration of the Internal Audit Function in an Audit of Financial Statements,” permits them to use existing internal audit work and to request direct assistance in implementing independent audit programs. For example, internal auditors can serve as consultants during the design phase of CSA applications, or serve as meeting facilitators.
Evaluation. Before independent auditors can rely on information obtained from CSA, they must be satisfied that the client’s CSA process is sound. They can do this by evaluating existing programs or new initiatives against normative criteria fit to the CSA approach employed (e.g., facilitated team meeting, CSA survey) and the client’s unique situation. Exhibit 2 contains a representative listing of the criteria that auditors can use in this evaluation.
Specific Uses of CSA in a Financial Statement Audit
Once the CSA process is considered reliable, the auditor can use information resulting from the process to satisfy audit objectives in several important areas. For most CSA applications, the independent auditor must still validate the evidence, although the more reliable the CSA process, the less testing that will be necessary.
Understanding the client’s business. AU 311, “Planning and Supervision,” requires that auditors obtain an adequate understanding of a client’s business and industry to adequately plan and perform the audit. AU 311 recognizes that a portion of this information is commonly obtained from client personnel; the auditor can use CSA to obtain this information. For example, a facilitated team meeting could involve managers and employees selected because of their extensive firsthand knowledge of the industry and the client’s unique business operations. The facilitator could direct the discussion to an in-depth analysis of the industry and specific client operations. The auditor could structure the meeting to integrate information from a variety of sources and pursue unanswered questions relevant to the audit.
Understanding of internal control. According to AU 319, “Consideration of Internal Control in a Financial Statement Audit,” the auditor should always: “obtain an understanding of each of the five components of internal control sufficient to plan the audit by performing procedures to understand the design of controls relevant to an audit of financial statements, and whether they have been placed in operation.”
To accomplish this using CSA, for example, the meeting facilitator could elicit information about issues such as the integrity and ethical values of existing management, management’s commitment to competence, the effectiveness of communications with the board of directors or audit committee, management’s philosophy and operating style, and human resources policies and practices. The interaction among the participants in a facilitated meeting venue often provides valuable insights that would not typically be available with traditional audit tools (e.g., internal control questionnaires).
Assessing control risk. After obtaining the required understanding of all five components of control, AU 319.47 requires that control risk be assessed for material financial statement assertions. The information gleaned from CSA can be used to improve the understanding of these areas (particularly “soft” controls).
Supplementing traditional tests of controls. AU 319.48 requires testing control effectiveness when the independent auditor assesses control risk below the maximum level. Evidence from CSA activities can supplement traditional control testing. For example, when an auditor tests controls by observing individuals within a particular transaction cycle (e.g., the sales/receivable cycle), a typical concern is that this may not be representative of the entire audit period. CSA data can supplement the auditor’s observations. Consistency of job performance, unusual events during the audit period, employee turnover, absenteeism, and training can be covered in a facilitated meeting or CSA survey. When several participants agree on the facts, the evidence from the CSA process can be effectively used to supplement the one-time observation of the transaction cycle.
Assessing inherent risk. Inherent risk is particularly difficult to assess using traditional auditing techniques. As a result, auditors commonly do not attempt to assess the actual inherent risk and merely set the risk at a default value of maximum. AU 312, “Audit Risk and Materiality in Conducting an Audit,” states that independent auditors should assess both control risks and inherent risks during the planning of every audit. AU 312.27a defines inherent risk as “the susceptibility of an assertion to a material misstatement, assuming that there are no related controls.” To assess this risk, auditors must obtain information about issues such as the complexity of transactions and calculations, the susceptibility of inventory to theft or damage, the degree to which estimates are used in the recording of information, the extent to which employees are forced to perform tasks without the necessary information, and the factors affecting the obsolescence of assets.
CSA can be particularly useful in improving the effectiveness of this process by providing insight on “soft issues.” For example, the auditor can use a facilitated meeting or survey to thoroughly explore these topics with employees that have direct day-to-day involvement with the controls and processes being evaluated. If there is an agreement among employees on the issue, the auditor has strong evidence on which to base inherent risk levels and thereby more efficiently and effectively plan substantive testing.
Editor:
Thomas
W. Morris
The CPA Journal
The
CPA Journal is broadly recognized as an outstanding, technical-refereed publication
aimed at public practitioners, management, educators, and other accounting professionals.
It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting
professionals with the information and news to enable them to be successful accountants,
managers, and executives in today's practice environments.
©2009 The New York State Society of CPAs. Legal Notices
Visit the new cpajournal.com.