How Do CSA Programs Miss the Mark Even with Extensive Resources?

Despite investing millions of dollars and years of effort, some organizations find their Control Self-Assessment (CSA) programs ineffective and disconnected. From my experience in leading Business, Risk, and Internal Audit (IA) functions, I’ve observed several reasons why some organizations struggle to create effective and cohesive CSA programs.

1. Creating a Culture Beyond Optics

Some organizations view CSA as a formality for year-end attestations, rather than an ongoing journey to enhance their control environment. This could prevent them from maintaining an integrated yet complementary approach among Lines 1, 2, and 3, which is a key enabler for identifying gaps, deriving actionable insights, and enabling a closed-loop process.

Proactive declaration of deficiencies may be unpopular at certain organizational levels. Additionally, the mechanism for Lines 1 and 2 to learn and improve from failures by linking them with accountability may be in its early stages or absent. Effective CSA programs promote a culture of transparency and accountability to continuously improve the framework and quality of execution. 

2. Complexity Distracting from Relevance

In a few organizations, the CSA program may have become an “animal” fueled by complicated tools, potentially losing sight of its core objectives: identifying the right controls and key risks, with clear descriptions, and addressing their alignment with the changing business/risk landscape. The facilitating Control Assurance function may lack the means to gauge the pulse of the business on the ground, and IA may not be open to supporting it. In such organizations, governance meetings appear like those outlined in textbooks, but shocks emerge every five years.

3. Missing Taxonomy & Disjointed Assurance Activities

Often, there is no taxonomy of a business process map, with details of process > sub-process > risks > controls, used across all three lines. There could be some literature in Line 1, but it is not fungible with Lines 2 and 3. IA’s work programs, IA planning framework, or audit analytics may remain disconnected from CSA. This leads to disjointed assurance activities. Hence, in such organizations the concept of “integrated assurance” is a talking point but is not practiced in reality.

4. Underutilized Potential of IA

Internal Audit (IA) functions have the potential to significantly mature the CSA program and become recognized as collaborators of change for the better.

Short Projects:

IA functions can perform short projects to advise on, among other things, key controls that are missing in the CSA referential, controls that can be automated, and controls that may be rationalized due to duplication or redundancy.

Quality of CSA Review:

A more value-added approach for each business unit audited could be a section on “quality of CSA review” where IA confirms whether CSA results are in conformity or otherwise, by comparing its own assessment with CSA for a set of key controls.

Improving the CSA referential:

IA can also share qualitative insights from a business perspective. For example, it can highlight whether the CSA referential lacks questions pertinent to a fast-growing retail business in a conglomerate. A uniform CSA referential is essential but can be tailored for IA purposes to identify areas that the CSA might have overlooked.

Closed-Loop Sharing:

Reviewing the quality of self-assessment can start with the scope of areas/domains covered under the internal audit. This would spur closed-loop insights among the lines and provide a source of reference for the Audit Committee (AC) to understand the bigger picture beyond conference room meetings.

This approach helps management address independent perspectives identified during IA more efficiently. The AC can also pinpoint specific control areas or sub-processes not covered by IA but included in CSA. In one of our leader’s stints, an IA function of a large conglomerate was convinced to share insights with management and the AC by adopting a structured mechanism.

It’s a journey. If done well with an open mindset, this can be a long-term enabler of sustainable growth. Mature organizations have integrated cyber maturity assessments and compliance program assessments into CSA. They use CSA as a business enabler, not merely as a checkbox for annual reports and Audit Committee (AC) meetings.

Inno-Go is a revolutionary governance and business enhancement framework launched by Innowave360 to mitigate risks, drive operational excellence, and foster sustainable growth.

If you want to learn more about Inno-Go, reach out to us at raghupathi.rao@innowave360.com and nitesh.pr@innowave360.com.

Author

CEO & MD at Innowave360
Experienced Chief Internal Auditor, Chief Risk Officer and Controller – Large US, Europe and Asia listed MNCs
