Control self-assessment

There are a number of ways a control self-assessment can be implemented but its key feature is that, in contrast to a traditional audit, the tests and checks are made by staff whose normal day-to-day responsibilities are within the business unit being assessed.

A self-assessment, by identifying the higher risk processes within the organisation, allows internal auditors to plan their work more effectively.

In the United States it is a requirement of the FFIEC that control self-assessments are performed on IT systems and operational processes on a regular basis.

These included the presence of a consent decree requiring the company to report on its internal controls and the difficulties it was facing in estimating its oil and gas reserves using more traditional audit measures.

Over the next ten years Gulf Canada developed a framework to support the analysis and evaluation of control processes by operational staff.

Following Gulf Canada's introduction of control self-assessment, many private sector organisations implemented similar techniques.

In order to comply with section 404 of the Act, the company had to perform a top-down risk assessment, which necessitated the production of an "internal control report" that affirmed "the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting."

To meet this requirement organisations increasingly began to perform a control self-assessment using a recognised standard methodology.

The actual testing of the controls is performed by staff whose day-to-day role is within the area of the organisation being examined, as they have the greatest knowledge of how the processes operate.

It provides a cost-effective technique to determine the status of information security controls, identify any weaknesses and, where necessary, define an improvement plan.

The Institute of Internal Auditors based its control self-assessment methodology on the Total Quality Management approaches of the 1990s as well as on COSO's framework.

These are typically modified versions of software originally developed for internal use by audit and accountancy firms such as Deloitte, or by niche vendors specialising in business or financial management tools.

Some researchers have criticised control self-assessment as a flawed approach because the way risk is defined and measured is unsophisticated.

Figure: Section 1 of the control self-assessment form used by the Federal Transit Administration.

Figure: A heatmap produced from the information captured in a control self-assessment. The cluster of issues in the red and amber sections of the heatmap indicates that this is a high-risk area, probably in need of new or changed control processes.