CCSAControlSelfAssessmentAPracticalGuideCHA.docx
- Document number: 13073912
- Upload date: 2023-06-10
- Format: DOCX
- Pages: 13
- Size: 27.38KB
CHAPTER 2
CSA FORMATS
A Perspective on Control Self-Assessment identifies three primary approaches to CSA: facilitated team meetings (also known as workshops), questionnaires (also known as surveys), and management-produced analysis. Even with these three primary approaches defined, organizations often use more than one in their self-assessment process. Some of the varied ways CSA is used are listed below.
Examples of CSA Usage
● Use facilitated workshops with anonymous voting to assess risk as one of the factors in developing the annual audit plan. This helps manage the risks involved in preparing the plan.
● Use workshops for major business processes that cross department boundaries.
● Send a questionnaire to management asking them to assess a standard list of control objectives within their departments, and select audits to perform based on the responses.
● Use a facilitated interview process at the start of traditional audits to gather data and set the scope of the audit.
● Alternate CSA and traditional auditing—conduct a traditional audit one year and hold a self-assessment workshop the next year.
● Use CSA as a “preventative” auditing tool. It is a consulting engagement outside the annual opinion on controls issued.
● A department that is totally separate from internal auditing uses CSA workshops to help employees understand their objectives, risks, and controls.
● Send an annual questionnaire to management that is used to support an annual opinion on controls required by outside regulators.
● Use the “wall writing” approach, where the participants respond to two questions: “What things help you achieve your organization’s objectives?” and “What things hinder you in achieving your organization’s objectives?”
● Use self-assessment workshops to evaluate the overall control environment of the organization.
● Use questionnaires followed by one-on-one interviews with senior management to identify organization-level risks.
Choosing the Right Approach to CSA
Given these different approaches to CSA, how does an organization and its audit department choose the right approach, or even a single approach?
A CSA approach using facilitated workshops with the internal auditors as facilitators is favored by most organizations. The IIA also recommends this approach when the culture is supportive of candid participant responses in workshops. When an organization’s culture does not support a participative CSA approach like facilitated workshops, questionnaires and management-produced analyses of controls can be used. Some of the other factors for choosing one approach over another, other than culture, are listed below:
● The nature of the industry, such as highly regulated, financial, manufacturing, or charitable.
● The area(s) of expertise and experience of the internal audit department - what works best for them to initiate CSA (and then grow into other methods).
● The attitude and support of management, particularly operational, if the workshop approach is preferred, because they will be asked to send their staff to the workshops.
● Cost—anonymous voting equipment is expensive and requires training.
● The comfort of the audit staff, especially toward facilitation. Do they believe CSA works and are they comfortable with leading workshops (internal resistance can be passive or aggressive)?
● The resources of the audit shop—can they manage this approach and keep up with the audit plan?
● The attitude of the audit committee. Do they believe this approach will work?
One other primary influence in choosing is the history of internal auditing within the organization. If audit presently performs only compliance-based or financial audits and is viewed as being very “traditional”, then an initial CSA approach based on a short survey may be an easy way to begin CSA. On the other hand, if audit typically reviews operational areas, focuses on business objectives, and has members with advanced facilitation skills, a workshop approach to CSA beginning in an operational area would be possible.
Another factor is the ease of introducing or selling the tool to management. If the audit department is introducing CSA and typically audits business processes, then a CSA approach based on processes may offer some advantages. For instance, audit is familiar with the processes and may be more comfortable using the new tool in that environment. Management also may view using CSA as a natural extension of traditional auditing, as opposed to a radical departure from the norm.
This is just the starting point. The mature CSA audit team will quickly add many different approaches to their list of available tools and techniques and apply the appropriate one based on the situation.
Workshop Approach
The workshop is the most popular approach to CSA. A workshop is a meeting that is facilitated by an internal auditor and designed to assess risks and controls for a given objective or process.
As a rule of thumb, workshops involve six to 15 participants and two auditors (one as facilitator and one as scribe or recorder), and last for two to four hours. Of course, there are different sizes of workshops, different modes of facilitation and recording, and different lengths of workshops, but these numbers are typical.
A Perspective on Control Self-Assessment covers four major types of CSA workshops:
Objective-based.
Risk-based.
Control-based.
Process-based.
The objective-based format workshop focuses on accomplishing an objective. The workshop begins by identifying the controls that are presently in place to meet an objective, and then the remaining (or residual) risks are identified. The intent of the workshop is to identify whether the control techniques are working effectively and resulting in acceptable levels of residual risk (residual risks are those that have no mitigating controls in place).
This approach assumes that the initial risk identification and control design for objectives has already been done and, after reviewing existing controls in the workshop, the remaining or residual risk is communicated. This would be the case if the organization has already successfully implemented a control framework such as COSO and controls are indeed viewed as included in employees’ everyday jobs. During the COSO implementation, each part of the organization would have performed their own risk assessment and designed controls to mitigate the risks identified. Since management owns the risk-assessment process and COSO was put together to aid management, the assumption that management already has identified and controlled risks is a reasonable one. In the objective-based format, CSA begins with the identification and evaluation of that pre-existing control design.
For some organizations, the assumption of having already performed a risk assessment is not realistic. In fact, risk assessment may be the exact thing CSA is intended to address. For those organizations, the objective-based approach is not likely the best one. They would be better off selecting the risk-based approach.
The risk-based workshop focuses on identifying the risks to achieving an objective. The workshop begins with an identification of the barriers, roadblocks, or hindrances (called inherent risks) that might prevent meeting an objective, and then identifies the control activities to ensure they are sufficient to manage the key risks. Finally, any significant residual risks are identified. The risk-based workshop takes the work team entirely through the objective-risks-controls formula during the workshop.
Like the objective-based approach, this takes place on an objective-by-objective basis. The risk-based approach examines risks first and then looks at controls in the workshop, whereas the objective-based approach looks first at controls and then at residual risks—essentially reversing the order. The risk-based approach may result in more global self-assessment workshops than other methodologies since all possible risks are identified in the workshops. Detailed identification and discussion of risks based on a risk framework may take place in this format.
Where organizations have already implemented COSO, this risk identification and control design may already have been performed for each major objective. If so, revisiting this risk identification in the CSA workshop may be viewed as a duplication of work already performed by the work team. When this is the case, a control-based or objective-based approach may be more useful.
The control-based approach focuses on how well the controls in place are working, but is different from the first two approaches because the auditor/facilitator identifies the key risks and controls before the workshop during the planning process for CSA, much like a traditional audit process. This identification may be through interviews with management and employees, flowcharting, etc. Better yet, such information would be obtained directly from documentation maintained by the work team members themselves, since these are part of the team’s responsibilities.
During the workshop, the work team assesses how well the controls are working to mitigate risks and achieve objectives. This approach produces an analysis of the differences between how controls are working and how management intended for these controls to work. It may lead to shorter workshops, since the risks and controls are identified before the workshop begins. This approach might be favored if management wants very short workshops and believes the controls in place are sufficient.
The process-based approach examines an overall process as well as the activities performed within it. The intent of this workshop is to evaluate, update, validate, and/or streamline the selected process. “Processes” in this context mean looking at a series of related activities from end to end, such as the