CSA Basics - RR Updated Principle

Posted on 27-Dec-2021

Page 1: CSA Basics - RR Updated Principle

Arkansas Department of the Inspector General

Office of Internal Audit

Control Self-Assessment

Basics

This presentation is a very high-level overview about control self-assessment which includes discussion of the requirement to perform a CSA, the definition of CSA, and the overall CSA process and purpose. Additional detail can be found in the written CSA instructions manual.

Page 2: CSA Basics - RR Updated Principle

R1-19-4-505: (Financial Management Guide)

• Due at the end of March in even numbered years

• Must be submitted through the CSA Tool

CSA Requirement

The requirement for Arkansas State agencies can be found in the Financial Management Guide within Rule 1 for code section 19-4-505. Agency CSAs are to be submitted to the Office of Internal Audit at the end of March in even numbered years. It is also required that the CSA be submitted through the CSA Tool. Submissions in the form of an Excel spreadsheet or any other format will be rejected and returned.

Page 3: CSA Basics - RR Updated Principle

Anti-Fraud Program (2005)

• Formal Code of Ethics

• Background Checks

• Employee Fraud Hotline

• Formal Fraud Risk Assessment (aka CSA)

CSA Requirement

The requirement came about in 2005 due to an audit finding from the State’s external auditor, which noted that the State lacked a formal ethics and fraud control framework. An anti-fraud program was developed which included requirements for a formal code of ethics, background checks for certain positions, an employee fraud hotline, and a formal fraud “risk assessment.”

Control self-assessment or CSA is the terminology used most often now, but “risk assessment” and “control self-assessment” are considered interchangeable terms for the purpose of this requirement.

Page 4: CSA Basics - RR Updated Principle

CSA Definition

Control self-assessment (CSA) is an exercise conducted by agency management that utilizes feedback from employees to identify and assess risks which may hinder the agency from achieving its objectives. This practice also includes management’s evaluation of the current control activities in place to prevent, detect, and mitigate the impact of the identified risks. Based on this evaluation management may determine it is necessary to implement changes or corrective action plans (CAPs).

Let’s look at the definition of CSA. It states, control self-assessment is an exercise conducted by agency management that utilizes feedback from employees to identify and assess risks which may hinder the agency from achieving its objectives. This practice also includes management’s evaluation of the current control activities in place to prevent, detect, and mitigate the impact of the identified risks. Based on this evaluation management may determine it is necessary to implement changes or corrective action plans.

Notice the word management is in red font. This was done to emphasize that the CSA process should be driven by management. Those who are considered management and why it is important that the process be driven by management will be discussed in a moment. First, notice that there are a few phrases underlined in the definition. These phrases have been lifted out and are what appears on the next slide.

Page 5: CSA Basics - RR Updated Principle

CSA Definition (simplified)

1. Management utilizes feedback to identify and assess risks

2. Includes management’s evaluation of control activities

3. Management may determine changes or CAPs are needed

This is the simplified version of the definition. There are basically three steps to the process. Management utilizes feedback to identify and assess risks, it includes management’s evaluation of control activities, and then management may determine changes or corrective action plans are needed.

Page 6: CSA Basics - RR Updated Principle

Management

• Oversight Boards or Commissions

• Agency Directors

• Upper Management

Manage proactively by taking a leadership role.

Management is a group of individuals who serve on oversight boards or commissions, as agency directors, and in large agencies, upper management such as division directors or administrators. When reading the definition of CSA, these are the positions that are being referred to as management.

It was mentioned earlier that management should drive the CSA process. That is because management, who takes a leadership role and makes cost-beneficial internal control design a priority, will have the insight needed to manage proactively by making decisions regarding issues before they occur, rather than reacting to problems afterwards and spending valuable resources correcting an issue. One effective way for management to emphasize the priority of appropriate internal control design is to lead the CSA process by participation, let employees know the results of the review will be discussed by upper management, and encourage employee participation in the CSA exercise.

Page 7: CSA Basics - RR Updated Principle

CSA Process

Now let’s review the CSA process. Before the CSA process begins, departments of an agency are identified as well as activities within each department. Risk Assessment Coordinators are to ensure that the CSA information in the CSA Tool is consistent with the organizational structure of the agency. It should be noted that the term “department” for CSA Tool purposes should not be confused with the term “cabinet-level department.” A cabinet-level department refers to one of the fifteen state departments which were created in FY2020. Most of these cabinet-level departments were made up of multiple agencies. The term “department” in the CSA Tool refers to the departments or separate units of an individual agency.

To begin the process, managers specify suitable objectives for each activity. Then the CSA Sessions are conducted. In the CSA Sessions, participants identify and analyze risk, assess fraud risk, and identify and analyze significant change. After the risks are identified in the CSA Sessions, participants discuss and develop control activities, including those over technology, and identify deficiencies in policies and procedures. The information from the CSA Sessions is recorded and becomes the “feedback” that management uses to perform the same analysis during the next step in the process, which is referred to as management review.

Page 8: CSA Basics - RR Updated Principle

CSA Process

In larger agencies, the management review may go through multiple layers of management. Lower management may look at the CSA results first and make necessary changes; then middle management, and then upper management. The management review phase of the CSA process may result in changes in the CSA documentation. Upper managers have the final decision about what control activities should be as well as the determination of whether the control activities are sufficient. Upper management should also finalize the implementation of changes to control activities or corrective action plans.

Group and individual discussions about control activities should take place during this process. These discussions allow for internal communication related to objectives and responsibilities for internal control to occur.

CSA information should not be submitted until after the documentation is updated and finalized with management’s approved changes. This will include corrective action plans with expected implementation dates occurring after the submission due date.

Page 9: CSA Basics - RR Updated Principle

CSA Purpose

It demonstrates an effort to strengthen INTERNAL CONTROL within an entity.

Fraud is most effectively prevented and detected in entities with a strong INTERNAL CONTROL system in place.

An INTERNAL CONTROL system will not remain effective without periodic assessments and updates to reflect changes occurring inside and outside of the entity.

The purpose of conducting a CSA is to demonstrate an effort to strengthen internal control within an entity.

Before, it was mentioned that the requirement for CSA came about due to implementing a State anti-fraud program. One of the reasons that CSA is a part of that program is because fraud is most effectively prevented and detected in entities with a strong internal control system in place.

It is required that it be completed on a periodic basis because an internal control system will not remain effective without periodic assessments and updates to reflect changes occurring inside and outside of the entity.

Notice that the phrase internal control is emphasized in this slide. That is because it is important to understand that the control self-assessment process has a direct relationship to internal control. To understand this relationship, it is important to understand what internal control means.

Page 10: CSA Basics - RR Updated Principle

CSA Purpose

Understanding Internal Control

Definition: “Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.” (COSO 2013)

The 2013 definition of internal control that the Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed is currently the most widely accepted definition of internal control. COSO is a committee that was formed over 30 years ago in response to fraudulent corporate financial reporting; more information about COSO can be found in the written CSA instructions.

The definition states, internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

Page 11: CSA Basics - RR Updated Principle

Internal Control-Integrated Framework (COSO 2013) Principles

COSO determined that there are five components of internal control. These can be seen here as control environment, risk assessment, control activities, information and communication, and monitoring activities. In 2013, COSO added 17 principles that tie directly to the five components. Those 17 principles are paraphrased in this slide. In general, COSO supports that entities displaying these principles will have a greater capability of meeting objectives. Keep in mind, if major fraud is occurring in an entity, then there will be greater risk that an objective or even all objectives may not be achieved.

Also, note that internal control is not just segregation of duties. In the past, it was common to think of internal control as segregation of duties, but now segregation of duties is considered a type of control activity. Internal control is considered to be a much broader concept than just segregation of duties.

Some of the principles may look familiar because the same terminology was used on a previous slide when the CSA process was discussed. Notice principles 6-9 of the risk assessment component as well as principles 10-12 of the control activities component. All of these principles have a direct relationship to the CSA process. Note principle number 14. The principles are paraphrased on this slide and so here it states, “communicates internally”. The full version of principle 14 is, “the organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the function of internal control.” In other words, the organization discusses and communicates about internal control.

Page 12: CSA Basics - RR Updated Principle

CSA Process

[Slide diagram: the CSA process flow annotated with COSO principle numbers P# 6; P# 7, 8, 9; P# 10, 11, 12; and P# 14 on the arrows between steps]

Here is the process that was reviewed earlier. Notice that the principle numbers are in red font which indicates the relationship to internal control within the CSA process. Principle number 14 is represented by the arrows connecting the different parts of the CSA process. It is at these points of the process that discussions about internal control have the opportunity to occur.

Performing these steps in the CSA process and demonstrating the internal control principles related to risk assessment, control activities, and internal communication can be very effective in strengthening an entity’s internal control design. In summary, the requirement to periodically conduct the CSA process is to demonstrate an effort to strengthen internal control which better enables an agency to be proactive in reducing fraud opportunities.

Page 13: CSA Basics - RR Updated Principle

Arkansas Department of Inspector General

Office of Internal Audit

Questions?

If you have any questions about this presentation, feel free to contact your OIA Liaison.
