Use of Control Self-Assessment by Independent Auditors
Gilbert W. Joseph and Terry J. Engle
DECEMBER 2005 - Control
self-assessment (CSA) is an effective tool for improving a
business’ internal controls and business processes.
CSA can be implemented in several ways, but its distinguishing
feature is that risk assessments and internal control evaluations
are made by operational employees or lower-level managers
who work in the area being evaluated.
activities also have the potential to improve the efficiency
and effectiveness of independent financial statement audits
in response to changing demands on independent auditors.
While independent auditors can benefit from CSA activities,
little evidence indicates the extent to which independent
auditors avail themselves of these benefits. The authors
investigated the uses of CSA by independent auditors, as
well as the perceptions about the value of independent-auditor
involvement with CSA activities.
Institute of Internal Auditors (IIA) defines CSA as a process
through which internal control effectiveness is examined
with the objective of providing reasonable assurance that
all business objectives are met. The employees performing
CSA work are in the functional area being examined rather
than upper-level managers that are above the system of internal
controls. These employees have a wealth of information about
internal controls and fraud (if it exists). While internal
(or independent) auditors can be involved with CSA initiatives,
auditors do not “own” the process and do not
make the assessments and evaluations. The most common approaches
to performing CSA activities are facilitated team meetings
and CSA surveys.
Facilitated team meetings are the most popular form of
CSA. The facilitated sessions consist of six to 15 employees
who are subject on a day-to-day basis to the internal
controls being evaluated. A trained facilitator guides
the meeting, and another individual records the activity.
Anonymity can be promoted by using “groupware”
The survey approach uses questionnaires to elicit data
about controls, risks, and processes. It differs from
traditional internal control questionnaires used by auditors
because the operational employees (not the auditors) use
the survey results to self-evaluate the controls or processes.
Experiences of the Internal Auditing Profession
internal auditing profession has widely embraced the use
of CSA. The IIA supports internal auditors who use CSA to
achieve internal auditing objectives and recognized the
importance of CSA by creating a Control Self-Assessment
Center. The IIA does not prohibit internal-auditor participation
in the CSA activities of auditees due to independence concerns,
and in practice, organizations have not had independence
issues when internal auditors have participated in a variety
of ways (e.g., as facilitators of CSA meetings).
of the internal auditing profession have considerable experience
in successfully using CSA in the internal auditing process.
These experiences are relevant to external auditors because
they face many of the same challenges. For example, both
external and internal auditors must effectively evaluate
internal control systems, effectively make fraud risk assessments,
understand their auditees’ operations and business,
and focus auditing resources based on risk. In addition,
both types of auditors are going to be increasingly responsible
for assessing enterprise risk management (ERM) systems under
the new Committee of Sponsoring Organizations of the Treadway
Commission (COSO) Enterprise Risk Management–Integrated
Framework. John Flaherty, 2004 COSO chairman, and Tony Maki,
COSO Advisory Council chair, noted: “[C]ompanies may
decide to look to this enterprise risk management framework
both to satisfy their internal control needs and to move
toward a fuller risk management process.” The COSO
ERM framework explicitly recognizes that it is intended
to assist organizations in achieving their objectives, including
the reporting objectives that are so relevant to independent
The internal auditing profession has aggressively
promoted the use of CSA, and internal auditors at many different
organizations have used CSA to improve the internal auditing
process in ways that are relevant to external auditors.
For example, the internal auditors at Cargill Inc. have
integrated CSA into the auditing process for more than six
years and have successfully used it to assess auditee risks
at the front end of an audit, to better learn the auditee’s
business, to uncover ethics violations, and to improve the
evaluation of essential “soft” controls (e.g.,
quality of communications, and the ability to discuss sensitive
issues with the next level of management). (For more information,
see Christina Brune and Diane Sears Campbell, “Integrating
CSA as Another Audit Tool,” CSA Sentinel Online, IIA
Control Self-Assessment Center, October 2002.)
internal auditors at Pennsylvania State Employees Credit
Union have demonstrated that CSA can be successfully used
with that organization’s ERM system. A senior internal
auditor reported that: “The auditors’ knowledge
of risks and controls throughout each business unit has
also increased, which has improved the efficiency and effectiveness
of audits and with developing the audit schedule.”
(See T.L. Heimbaugh, “CSA—An Integral Part of
the Process,” CSA Sentinel Online, IIA Control Self-Assessment
Center, February 2004.)
Stachnik, as Inspector General for the SEC, extensively
used CSA to achieve a variety of internal auditing objectives.
In describing his experiences, Stachnik stated: “CSA
is not necessarily a faster or easier tool to use than traditional
auditing. On the other hand, we get a much deeper understanding
of the critical factors involved when we use CSA to evaluate
soft controls. The quantitative results of traditional auditing
are easier to defend sometimes, but the qualitative understanding
of issues supplied by CSA generally adds significantly more
value to the control environment.” In describing an
audit that focused on a formal communication process at
the SEC, he said: “Traditional
auditing methodology can be used to assess soft controls
like communication, but the results are frequently off-the-mark.
This CSA on communication delivered a significantly different,
but much more useful result than what we previously attained
with traditional methods” (Jonathan Figg, “The
Power of CSA,” Internal Auditor, August 1999).
While external auditors must perform limited testing to
corroborate CSA-generated evidence, the experiences of these
internal auditors are obviously relevant to achieving many
Value of CSA to Financial Statement Audits
auditors face a changing environment and higher expectations,
particularly in the areas of internal control evaluations
and fraud detection. After several amendments, AU 319, Consideration
of Internal Control in a Financial Statement Audit,
now requires auditors to gain an adequate understanding
of all five components of control to adequately plan the
audit. The AICPA has also promulgated Statement on Auditing
Standards (SAS) 99, Consideration of Fraud in a Financial
Statement Audit, which requires financial statement
auditors to evaluate the potential for fraud. SAS 99 clearly
recognizes the importance of effective internal control
evaluations and calls for the development of new auditing
approaches to help fulfill auditors’ expanded responsibilities.
Significant new control responsibilities are also part of
the Public Company Accounting Oversight Board (PCAOB)’s
Auditing Standard (AS) 2, An Audit of Internal Control
Over Financial Reporting Performed in Conjunction with an
Audit of Financial Statements, which requires that
financial statement auditors audit and attest to the fairness
of management’s assessment of their internal control
system over financial reporting.
this environment, auditors need both hard and soft controls.
Both types are found in all five components of the COSO
control framework (i.e., control environment, risk assessment,
control activities, information and communication, and monitoring).
Auditors can effectively evaluate hard controls (e.g., bank
reconciliations, credit approvals) by traditional auditing
procedures such as reperformance, confirmations, inspections,
and physical observation. These procedures are far less
effective in evaluating critical soft controls such as management’s
integrity and ethical values, management’s commitment
to competence, or management’s philosophy and operating
style. For example, when evaluating client management’s
integrity and ethical values, there may be no documents
to examine, no confirmations available from third parties,
and no recalculations to perform. Soft controls are often
reflected in employees’ perceptions and impressions
about management’s attitudes and intentions that can
only be investigated using the “inquiry” audit
expands the reliability of the inquiry audit procedure to
supplement traditional tests of controls. With CSA, the
auditor is not obtaining the impressions of only a few employees,
but rather the anonymous, composite impressions of at least
six to 15 operational employees or lower-level operational
managers, which reflect repeatable attitudes over time.
When many knowledgeable employees agree on an issue, the
evidence is highly corroborated and typically superior to
evidence gathered from selected individuals while completing
traditional internal control questionnaires, narratives,
language from paragraph 97 of AS 2 demonstrates this premise:
A “signature on a voucher package to indicate that
the signer approved it does not necessarily mean that the
person carefully reviewed the package before signing it.”
AS 2 recommends that the auditor test the control by reperforming
it, and that the auditor perform inquiries of the person
responsible for approving voucher packages and that person’s
supervisor regarding what they look for and any history
of errors made in these judgments. A better approach would
be to use the results of a CSA evaluation of the procedures
surrounding voucher package approval and processing, and
to involve all employees affected by those procedures. The
CSA evaluation would identify changes or consistencies in
procedures over the period under audit, assess procedural
problems, identify errors and irregularities experienced,
and recommend control and procedural improvements. This
would require less effort on the part of the independent
auditor (i.e., improve audit efficiency), because the auditor
would use the work of others (company personnel in addition
to internal auditors), which AS 2 allows. Because the individuals
performing the CSA evaluation are directly involved in approving
and processing voucher packages, they have high competence.
The composite impressions of this larger group of directly
involved individuals would provide more-objective results
than limited inquiries of people who may be motivated to
protect their personal judgments and actions. AS 2 (paragraph
117) states that the higher the degree of “competence
and objectivity” reflected in the work of others,
the greater the auditor may make use of that work. In fact,
AS 2 (paragraph 53) specifically groups “self-assessment
programs” with the activities of the internal audit
function and the audit committee, as controls designed to
monitor and evaluate other internal controls.
addition to evaluating many aspects of the internal control
system, external auditors can use CSA to gain a better understanding
of a company’s business and industry, to document
an understanding of the internal control system, and to
assess all types of risks (e.g., control risk, inherent
Understanding the business and the industry. The
CSA facilitator could direct the discussion by marketing,
engineering, product development, and production employees
toward an in-depth analysis of the industry and specific
Understanding the internal control system. The
CSA facilitator could elicit information about issues
such as the integrity and ethical values of management,
management’s commitment to competency, the effectiveness
of communications with the board of directors and the
audit committee, management’s philosophy and operating
style, and human resources policies and practices. Interaction
between CSA participants provides insight often not available
with traditional tools (e.g., internal control questionnaires).
Assessing risk. In addition to letting the auditor
assess control risk, CSA can also identify the consistency
of controls during the period under audit by addressing
issues such as unusual events, employee turnover, employee
absenteeism, and the quality of training. The CSA facilitator
can direct discussions to issues relevant to inherent
risk. Employees can evaluate soft issues, including the
complexity of transactions, the susceptibility of inventory
to theft or damage, the degree to which estimates are
used to record accounting information, the extent to which
employees must perform tasks without necessary information,
and factors that affect the obsolescence of assets. Employee
agreement on these issues gives the auditor evidence on
which to base inherent risk levels, and thereby to more
efficiently and effectively plan substantive testing.
previously stated, independent auditors and internal auditors
face many of the same challenges in using CSA; they can
reap similar benefits as well. For example, independent
auditors could similarly participate in audit-relevant CSA
activities. While the independent auditor must not assume
the role of management or employee, in order to protect
its independence, it could provide input during CSA planning,
serve as the CSA meeting facilitator, attend CSA meetings
in a nonfacilitator capacity, or simply use data already
developed by CSA activities. Nothing in Generally Accepted
Auditing Standards (GAAS), SOA, or the PCAOB auditing standards
prohibits, these types of involvements.
lack of information about the extent of CSA use during the
independent auditing process motivated this research project.
Data were gathered via two questionnaires. The first questionnaire
was sent to 430 individuals working for U.S. or Canadian
organizations that were listed as members in the IIA Control
Self-Assessment Center 2001 Membership Directory.
Individuals employed by public accounting or professional
services firms were excluded, as were multiple members employed
by the same organization.
hundred and thirteen respondents answered questions about
the specific uses of CSA at their organization, communications
between their organization and their independent auditors
about CSA, and their sentiments about auditor involvement
in CSA activities. Sixty-seven respondents forwarded an
enclosed second questionnaire to their independent auditor.
Thirty-one independent auditors responded to questions about
how often the audit firm used CSA to accomplish auditing
objectives and to specific questions about the prior year’s
financial statement audit of the client that forwarded the
survey. Tests concluded that results were not materially
affected by nonresponse biasing.
respondents were evenly split between being audit partners
and audit managers, with a few identifying themselves as
audit seniors. Twenty-six of the 31 auditors were employed
by the (then) Big Five firms.
use of CSA. The auditors were first asked
to indicate the approximate percentage of the independent
audits performed out of their office in the previous year
that used evidence from client CSA activities to help achieve
independent auditing objectives. This question was about
the general use of CSA, not use specific to the client organization
that forwarded the survey. The results clearly indicate
that CPAs were not commonly using CSA to achieve independent
Ten respondents (35.7%) indicated that none of their audits
involved the use of CSA to achieve auditing objectives.
Of the 18 respondents who indicated that CSA was used,
13 (72.2%) said that CSA was used in less than half of
On average, CSA was used in only 21.6% of the audits.
remaining questions on the survey pertained to the use of
CSA during the financial statement audit of the company
that forwarded the survey. Only nine of the 31 respondents
used CSA on this audit. This low CSA utilization rate is
consistent with the findings pertaining to the overall CSA
usage rates, and it sends a pointed message.
for not using CSA. Exhibit
1 presents the reasons why CSA was not used on the independent
audit. The two most common were the belief that doing so
was inefficient (54.5%) and the fact that the independent
auditors lacked training in its use (50.0%). Whether CSA
would be inefficient is a matter of opinion. Lack of training
is factual and uncontestable, but can be corrected. The
third most common response (40.9%) was “other.”
The most commonly cited reasons for not using CSA were that
the client was not using CSA much, the client had not developed
an adequate CSA program, or the auditors were unaware of
how (or if) the client was using CSA. It appears that independent
auditors are not taking the initiative to request audit-relevant
CSA activities, and management is not communicating with
their independent auditors about CSA activities. Logically,
this lack of communication, and lack of initiative, is contributing
to low CSA utilization levels during independent audits.
of CSA during the audit. Exhibit
2 reveals the attitudes of the nine independent auditors
who used CSA during the previous audit of the referring
company. A comparison with Exhibit 1 reveals interesting
differences of opinion between auditors that did not use
CSA and auditors with first-hand experience of CSA. Exhibit
2 shows data about how CSA was used and its perceived value.
percentage of the respondents used CSA to understand the
company’s business and industry, to document the required
understanding of all five components of internal control,
and to supplement traditional tests of controls. A majority
(55.6%) of these respondents were not using CSA to assess
fraud risk, which is surprising because fraud risk assessments
typically require auditors to evaluate soft controls (e.g.,
management’s ethics and integrity). Exhibit 2 also
reveals that auditors commonly found CSA either “very”
or “somewhat” useful in all areas except substantive
testing (few auditors used CSA for this purpose, and their
opinions were widely divergent).
3 presents the overall sentiments about the value of
CSA. A majority of the auditors “strongly agreed”
that CSA resulted in a more efficient and effective audit,
the opposite of the expectations of auditors that did not
actually use CSA (as shown in Exhibit 1).
auditors’ direct participation in CSA activities.
Only a small subset of the nine CPA firms
that used CSA were actively involved in those CSA activities.
Exhibit 4 shows that only five participated in planning
CSA activities, and even fewer were actively involved with
their client’s facilitated team meetings.
absence of auditors’ involvement in their clients’
CSA activities is particularly interesting when related
to one finding from the first questionnaire. Respondents
from many companies thought that auditor involvement would
reduce the value of CSA to their organization. The data
4 suggest that these negative sentiments were based
not on direct negative experiences, but rather on preconceptions.
It appears that many companies and their auditors are forming
their opinions about CSA without firsthand information.
of responses. The authors matched the responses
of 31 independent auditors to their clients’ response
to obtain further insights into the very low level of CSA
utilization by independent auditors. Eight of the 31 companies
said that they did not use CSA during the audit period under
study, leaving 23 client organizations that did use CSA.
of caution about interpreting the meaning of the following
matched responses: CSA is a very robust tool, and different
parties can use the same CSA-generated data for different
purposes. For example, an auditor can use information from
CSA activities to evaluate the strength of the control environment,
and to determine control risk and fraud risk. The company
under audit can use information from the exact same CSA
activities for other purposes (e.g., assessing the efficiency
and effectiveness of operations).
of available evidence. The following three
sets of comparisons reveal specific instances where auditors
probably underutilized available audit-relevant information
generated from their client’s CSA activities:
Six companies used CSA to assess management ethics (important
to the control environment), but their auditors did not
use CSA data to gain an understanding of the control environment.
Four companies used CSA to assess the risk of material
fraud within their organization, but their auditors did
not use CSA data for their fraud risk assessments.
Four companies used CSA to evaluate internal controls
promoting the reliability of the firm’s financial
statements. Three of the four auditors did not use CSA
data to assess control risk.
CSA utilization by auditors, and the possible effects. Earlier,
it was suggested that low CSA use during independent audits
was due to auditors’ rarely requesting CSA information
from their clients. The following comparisons are very revealing.
The company had CSA data and the auditor did not request
it. Twenty-three of the 31 organizations used CSA
in some fashion, whereas only three confirmed that their
independent auditors requested CSA data.
The use of CSA data for independent auditing objectives
may be lower than the amount of requests. Three companies
said their auditors requested CSA data, but their auditors
said that CSA data were not used. This suggests that the
actual use of CSA data to achieve independent auditing
objectives is lower than the number of auditor requests
for client CSA data.
The lack of auditor initiative and communication may
have led to inaccurate perceptions by the independent
auditors. Nine auditors said they did not use CSA
because the client did not have sufficiently developed
CSA activities to be useful, yet in six of these cases,
the companies used CSA in areas relevant to the independent
audit. Clearly, the independent auditors had inaccurate
perceptions about their client’s CSA involvement.
auditors can use CSA to improve the effectiveness of their
internal control evaluations, this study revealed very low
CSA utilization levels by independent auditors. Companies
and their independent auditors both have a role to play
in increasing CSA usage. The data strongly suggest that
enhanced auditor training and effective two-way communication
between companies and their independent auditors could lead
to increased CSA use by independent auditors. Such measures
would likely result in more-effective and -efficient audits
that would benefit all parties.
W. Joseph, PhD, CPA, CISA, is the Dana Professor
of Accounting at the University of Tampa, at Tampa, Fl.
Terry J. Engle, PhD, CPA, is the Advisory
Council Professor of Accounting at the University of South
Florida, in Tampa, Fl.