Why CSA is an effective approach to evaluating business risks.
Approaches to self-assurance auditing – often referred to as control self-assessment (CSA) – can differ but the basic objectives and benefits of it remain the same across various methodologies.
Put simply, CSA is a structured approach for an organisation to evaluate – and provide reasonable assurance on – whether its internal control environment is effective to support it to achieve its strategic objectives, given its assessment of internal and external risks.
The key feature of CSA is that it is performed by individuals responsible for the organisation’s day-to-day operations (the first line of defence), rather than the second line, for example the risk and compliance functions, or the third line, internal audit.
A programme of self-assessment will likely be conducted on an annual basis, but it can take place more frequently if, for example, the pace of change within the organisation – or outside of it – requires it.
CSA supports the organisation’s governing body to discharge its corporate governance responsibilities. In the case of companies subject to listing rules, these responsibilities are set out in the Financial Reporting Council’s UK Corporate Governance Code which states that boards should, at least annually, carry out a review of the effectiveness of the organisation’s internal control systems. This review can be delivered through a CSA programme, together with the work of the second and third lines of defence.
Therefore, it is useful for the results of CSA to be reported using an approach consistent with that adopted by the second and third lines of defence, in particular in relation to risk categorisation, impact assessment and effectiveness measures for controls. This allows data to be aggregated across assessments for reporting upwards and enables the governing body to take a broader view on risk and control.
Good quality CSA can significantly improve the strength of an organisation’s internal control environment and its alignment with the organisation’s objectives, not just through the CSA process itself but by fostering, amongst first line management and their teams, an understanding of and accountability for risks and controls, as well as for actions to address identified control weaknesses.
Valuable insight
In an environment where there is an ever-increasing focus on the role of culture in the effectiveness of an organisation’s internal control systems, CSA can provide valuable insight. In its July 2013 publication Effective Internal Audit in the Financial Services Sector, the Chartered Institute of Internal Auditors stated that ‘internal audit should consider the attitude and assess the approach taken by all levels of management to risk management and internal control’ through, for example, management’s regular assessment of controls and the actions it has taken to address known control deficiencies.
Also, many soft controls lend themselves to being self-assessed, and CSA can be used to gather information from teams about the ethics, integrity and attitude of management. From the perspective of internal audit’s work, where CSA is of good quality it can reduce the time and effort the audit team needs to gather information on the area being audited, and it helps the team identify risks and controls where greater focus during the audit may be required. It also provides information on local management’s awareness of the strengths and weaknesses of the control environment for which it is responsible, which some internal audit functions take into consideration in their rating methodologies.
The quality of CSA can vary; the more effective programmes receive support from senior management at the top of the organisation, not just in sentiment, but in the resources – people and time – allocated to the exercise and to considering the results.
To add real value to an organisation’s risk management activities, those performing CSA need to be engaged and prepared to challenge themselves: are we identifying the right risks, including emerging risks, tail events and headline risks experienced at other organisations; could controls be improved; is the number of controls in place appropriate, or could the control environment be leaner and still remain effective; and where there are weaknesses, how can we best deliver cost-effective and positive change?
Second and third lines
In facilitating quality CSA, and in particular if workshops are used, the second lines of defence – and often the third line – play a key role. As such, they need to have the relevant expertise, credibility and people skills to manage group dynamics collaboratively and to maintain the first line’s focus on the assessment of risks and controls in the context of the organisation’s strategic objectives. Recognising the subjective nature of CSA, second lines should also review and challenge the results from the programme.
The expectations of second lines of defence to identify, evaluate, manage and report risks have increased significantly since the financial crisis and subsequent recession. Organisations continue to make enhancements to the capabilities of their second lines with the aim of creating high quality oversight functions that are respected across the organisation.
Key challenges
There are a number of key challenges to creating effective second lines of defence.
First, attracting high-calibre individuals who understand the organisation’s objectives, how it makes money, the risks being taken on and the potential impact the current and emerging economic, regulatory and political environment may have on the entity.
Second, the existence of a culture that supports these individuals’ standing and authority within the organisation, so that they can challenge the first line’s risk decisions, assessments and accountability on an equal footing.
Third, a senior management team and governing body who empower those in the second line to be bold, to focus and report on fewer, strategically important risks rather than performing extensive – often falsely comforting and lesser value – risk mapping.
To be truly effective, second lines of defence need clear direction and appropriate tools. Quality risk management activities cannot be delivered in a vacuum: the governing body will first define its risk appetite and risk strategy for the organisation in a way which is capable of being easily measured and understood.
Governing bodies also benefit from spending time with second line senior management to help the second line understand the governing body’s expectations for risk reporting, which supports the preparation of reporting that is more insightful, relevant and succinct. However, reporting is limited by the consistency and transparency of the risk terminology and reporting systems in use across the organisation. Therefore, organisations will need to continue to invest in these to align them as far as possible, so that the second lines of defence can report an aggregate enterprise view on risks.
Best-in-class second lines of defence will be those which tell their governing bodies not just what these risks are – their likelihood, potential impact and early warning indicators – but how well prepared the organisation is to respond promptly and effectively to these risks if they occur.
Anna Thursby ACA – director of audit – risk, TSB Bank plc