“Control Self-Assessment is an important component of risk assessment and is based on engaging all different levels of an organization’s staff to help achieve the desired objectives.”
Control Self-Assessment is a modern concept in the field of control and risks. It is a system that helps an organization to improve its ability to achieve its objectives, where all different levels of employees take part in risk identification and control procedures assessment. This is achieved through many workshops, of which the Internal Audit Department works as a coordinator, and it is carried out as follows:
- These workshops are applied to the projects, operations and units that can precisely define their objectives;
- These workshops include the persons directly responsible for achieving the organization’s objectives; and
- Through these workshops, the extent to which the objectives are achieved is tested and evaluated; and necessary reports are filed.
First: What is Control Self-Assessment?
There are many definitions. Yet, there are two that have been accredited by the Institute of Internal Auditors (IIA):
The first definition was developed in 1995 by Glenda Joran who defined Control Self-Assessment as: “The organizations that perform self-assessment through the use of certified assessment forms, so the management and/or teams can directly enter into operational operations with the aim of:
– Judging the effectiveness of operations;
– Provide reasonable assurance that the operational objectives have been wholly or partly achieved.
 – Al-Yacoub, Faihaa Abdullah, Internal Auditing: Its Role in Institutional Control, Empirical Study on Businesses in Iraq, Ph.D. Thesis on Accounting, Faculty of Management and Economics, University of Mustansiriya, Iraq, 2006, P. 125.
 – Glenda Jondon, Control Self-Assessment, Marketing Thechoise Altamonte spring, Florida, the IIA, 1995, p1.
The second concept was accredited and published by the American Institute of Internal Auditors in 1998, and it defines Control Self-Assessment as: “A process through which internal control is tested and evaluated with the aim of providing reasonable assurance that all the operational objectives will be achieved.”
Furthermore, Paul Makosz has outlined a concept for Control Self-Assessment through two levels:
First Level (Team Level): through this level, teams work together in addition to the team leaders and the specialized coordinators, and carry out an analysis for the strengths, challenges and risks that may affect the organization’s ability to achieve its objectives within the control framework and to take the appropriate procedures in this regard.
Second Level (Organization Level): through this level, the results reached by the team in the first level are analyzed to identify the strengths, weaknesses and risks and to link them in order to identify the main reasons for each one of them in the existing control system.
In the light of these definitions, it is shown that Control Self-Assessment relies on internal control assessment through the use of specific assessment techniques, in which the major role is carried out by the operational management rather than internal audit. In addition, this technique depends on team work rather than individual work, and it provides a reasonable rather than absolute assurance that the objectives will be achieved.
 – Larry HUBBARD, Control Self-Assessment, A Practical Guide, the IIA, 2000, P.2.
- Keithwade, Ardywyme, Control Self-Assessment For Risk Management And Other Practical Applications, 1999, P. 30
“Control Self-Assessment results are dependable on the team level in the process of Control Self-Assessment on the organization level”.
Second, Control Self-Assessment Techniques
There are three techniques used in Control Self-Assessment, and these are:
- Workshops technique;
- Questionnaire technique; and
- Management tailored analysis technique.
- ibid, PP 12-21.
- Workshops Technique “Workshops technique is a simplified technique that can depend on five different foundations.”
It is a simplified technique whereby teams are formed to carry out Control Self-Assessment procedures. The coordination of this team is carried out by the internal audit. The team consists of 6-15 members in addition to two members from Internal Audit Department, one is a coordinator and the other is a writer of what the team agrees on. There are five foundations on which Control Self-Assessment procedures can be built: objectives, risks, control, operations and location.
1.1 Workshops based on objectives: this technique focuses on the extent to which the objectives are achieved. According to this technique, workshops identify objectives, and define the existing controls to achieve these objectives. After that, the residual risks (risks remaining after assuming the application of controls) are identified. Thus, this technique is based on the assumption that controls and risks are already present in the system. The team’s task is identifying and assessing these controls.
1.2 Workshops based on risks: this workshop technique relies on objectives identification, and then definition of risks that face the achievement of such objectives. Controls that ensure enough management of risks are then determined. This is the most used technique internationally in comparison with the other techniques.
1.3 Workshops based on control: this technique depends on evaluating how much the controls cover risks in order for the objectives to be achieved. The auditors or coordinators determine the risks and controls beforehand and prior to the workshops. During the preparations of Control Self-Assessment, the task of workshops is evaluating how these controls work to reduce risks.
The difference between the first technique, which is based on objectives, and this technique is that in the first, the controls are already present in the system and built into it when it was designed. In the third technique, which is based on control, the controls are identified during the preparatory phase before the start of the work of workshops.
1.4 Workshops based on operations: this technique depends on the evaluation of the operations through which the activities are carried out, such as procurement, production, lending, issuing bank transfers, etc. Teams define all the operations’ objectives at the activity level, and then the risks and controls that contribute to the achievement of objectives are determined.
1.5 Workshops based on location: this is a simplified technique, whereby each work center is dealt with separately. Through the workshop, two questions are asked to each work center and they must be answered:
Question 1: What are the factors that contribute to the achievement of objectives?
Question 2: What are the obstacles standing in the way of the achievement of objectives?
The coordinator then collects and summarizes the answers and they are discussed during the workshops to reach possible solutions to address significant obstacles.
- Questionnaire technique: “One of the most important advantages of the questionnairetechnique is its wide scope and the limitedness of effort and cost in comparison with other techniques. One of the drawbacks of this technique is the possibility of lack of seriousness by respondents, especially in the case of no follow-up, and the low response rate.”
This technique is based on performing Control Self-Assessment through designing a questionnaire including a number of yes-no questions. The results of the questionnaire are then analyzed to reach the required evaluation of internal control. This technique is preferably used in the following cases:
- When the culture of the organization is not based on explicit dialogue; therefore, discussions in the workshops between the members of teams lack credibility. Due to the members’ fear of any administrative procedures that may be taken against them, this technique is preferable.
- When the scope of Control Self-Assessment is wide and quick information is needed. In this case, holding workshops is difficult.
- When the auditors lack the expertise and skills necessary to work as coordinators for the workshops.
- When the organization is so time-sensitive that devoting a lot of time for the workshops is not allowed.
It should be mentioned that disclosing the names of the respondents to these questionnaires is not preferable in order to obtain more credible results. One of the most important advantages of this technique is its wide scope. It also requires a small amount of time from the concerned people. It does not require much effort or meetings coordination skills. The shortcomings of this technique include the lack of seriousness by respondents, especially when there is no follow-up. The response rate may be low, with no chances to clarify the questions of the questionnaire.
- Management tailored analysis technique: “Management tailored analysis technique is the least common of all the techniques. It is usually used in certain cases.”
This technique includes the analyses through which the management are provided with information on the control situation. This technique is the least common of the three and is used in certain cases including:
- Questionnaires developed by the management to provide an opinion on internal control procedures.
- Discussions between the financial administration officials to submit the annual representation letter required by external auditors.
- The investigations carried out to discover the reason for a fraud or the failure of a certain control.
- The evaluation of internal control applications within the newly developed systems.
Third, Control Self-Assessment Building Strategies
Below are the most important strategies for building Control Self-Assessment, which are selected through expertise and experience.
First Strategy: Training all the auditors, then training a group of them on workshops coordination methods, and hiring external consultants to manage the first two workshops.
Second Strategy: Hiring external consultants to plan and manage a pilot workshop, and then training a secondary group of auditors on the key concepts of control and workshops coordination methods.
Third Strategy: Purchase of computers and software, and holding a pilot workshop to use these technologies.
Fourth Strategy: Training all auditors, then training a group of them on workshops coordination methods, then assigning those auditors to administer the workshops through the Internal Audit Department.
Fifth Strategy: Sending a specific person from the organization in a training course on the key concepts of Control Self-Assessment and coordination skills, and then assigning that person to administer the pilot workshops of self-assessment.
Sixth Strategy: Training all auditors, then training a group of them on workshops coordination methods, and hiring consultants to train these auditors so that they can administer workshops for Control Self-Assessment.
Seventh Strategy: Sending a specific person from the organization to a training course on key concepts of Control Self-Assessment and coordination skills, then this person, through a workshop, collects the data of the last two actually performed audits, then administers a pilot workshop for Control Self-Assessment.
 – Larry HUBBARD, op-cit: P.83.