July 24, 2021
Who’s the Expert? Process Owners Know Their Risks
My favorite part of starting a new internal audit project is the opportunity to learn from the process owner. Process owners are the subject matter experts and more often, they need to be included in the discussion of risk and controls. One way to do this is with control self-assessment.
Control Self-Assessment (CSA) is a technique that allows managers and teams directly involved in business units, functions or processes to participate in assessing the organization’s risk management and control processes.1
When process owners are involved in the risk management and control processes, they begin to take more ownership of their internal controls, gain a better understanding of why they’re in place and what can go wrong if a control fails. Better risk and control understanding across the organization decreases the total number of internal control failures.
I remember one day at one of my previous jobs the internal audit director asking process owners the following:
“Would you rather find out from your internal or external auditors that you have a control design failure in a report provided to senior management, or would you rather identify the issue yourself?”
This really hit home for me.
Additionally, pivoting to a CSA approach can facilitate a culture of continuous improvement. Risk and controls are no longer reactionary but embedded in process change discussions when control owners are responsible for their assessment.
Who Needs to be Involved?
The short answer – everyone.
- Executive leadership will champion the change to CSA,
- Business unit management must analyze the impact on their units and why the change is important to the organization,
- Internal audit will create the framework, training, and monitoring/assistance necessary to be successful, and
- Control owners will now be more involved in the control assessment process.
How to Make it Successful
Like most new processes in an organization, the foundation is key. In a CSA, the foundation is the framework for executing the CSA. It draws clear lines of responsibility, standardized documentation templates, and timelines for performance.
The next step is training.
Training cannot be a one-and-done exercise. The CSA process will be new to many control owners and they will need training to understand both why and how to perform their reviews. This is your opportunity to sell the benefits.
Most charged with governance would love to have an organization filled with risk and control experts. CSA is the process by which you can achieve this goal and elevate your organization’s control framework. While the shift in approach may seem daunting, the benefits far exceed the cost.
Need an expert to help you develop and implement a Control Self-Assessment framework, contact the Johnson Lambert team.