Self-assessment is an organized means of using the knowledge of those who are most familiar with a topic, such as processes and controls. The self-assessment procedure is essential to every organization and business in that it periodically ensures that the entity being assessed is operating effectively. In doing so, appointed members of management and the staff investigate and review possible improvements for specific processes that the organization carries out in its daily course of business.
Self-assessment encourages the following action points:
- Discussions and documentation that can be used to facilitate a business self-assessment
- Meetings and meeting agendas
- An initial map of business process risks
- A map of risks vs. controls
- Topics to discuss
- Best practices in management for the process being analyzed
- Creative ideas for people’s issues
The Self-Assessment Meeting and the Role of the Facilitator
Performing a self-assessment should start with a self-assessment meeting. The most important aspect of planning the meeting is to define the meeting objectives. Members of the audit team (the team carrying out the assessment) should meet with the auditee (the team being assessed and carrying out the process) in advance to determine their needs and wants. The following questions should be addressed:
- Why are we meeting, and for what purpose?
- What are the objectives of the self-assessment meeting?
As an example, the auditee may ask the auditor to facilitate a self-assessment meeting at the organizational level designed to:
- Identify, source and measure the business risks threatening the company's strategic business objectives.
- Evaluate the design and operating effectiveness of the management control structure when supporting the company's business strategy and reducing business risks to an acceptable level.
- Identify and prioritize opportunities for eliminating control deficiencies and improving the cost-effectiveness of the management control structure.
Clearly defined and measurable objectives establish a framework for conducting the meetings and evaluating their outcomes. At the outset of the meeting, the facilitator is responsible for establishing a contract with the participants to achieve the specified self-assessment objectives and for directing the meetings toward successful outcomes. In doing so, the facilitator should ask the following questions:
- What are natural topics for discussion?
- What is the logical way to examine self-assessment issues?
The internal audit team should organize the flow of the self-assessment meeting to establish the key focal points for the discussion and to focus the participants' attention on the pertinent issues. The organization of the discussion will often be influenced by the wants and needs of the participants. As such, a self-assessment meeting would be best organized by focusing on a multitude of issues, such as a pre-determined topic affecting top management, consideration of a specific control model used by the company, and key objectives and functional activities of a business process.
In the self-assessment framework, the facilitator should divide the major self-assessment issues into more manageable subtopics for discussion, using the basic elements of the process or issue as a discussion guide. The facilitator should ask the following:
- How will we gather the right information?
- What questions will we ask during the self-assessment meeting?
Clearly articulated meeting objectives establish the foundation for defining the right questions to use during a self-assessment meeting. The key to gathering the right information is raising the right discussion issues and asking the right voting questions.
The internal audit team should prepare self-assessment discussion questions prior to the meetings that address the current state of the business (what is) and opportunities for improvement (what should be). The questions should be designed to focus participants' attention on the key self-assessment issues. A facilitator might ask the following questions to elicit a discussion about the risks of a business process:
- What are the key objectives of the process?
- What are the significant consequences of not achieving these objectives?
- What are the root causes of risks threatening the achievement of the key business objectives?
- How likely is it that these root causes will lead to significant adverse consequences if they are not adequately controlled?
Organization and prioritizing time are key components of structuring a self-assessment meeting. In doing so, the following questions should be asked:
- In what order will the major steps of the self-assessment meeting be completed?
- What is the agenda?
Once the internal audit team has (a) defined the objectives of the meeting, (b) established the major topics or issues around the focus of the discussion, and (c) formulated the questions that will be used to lead the discussion, it is ready to organize these elements into a flow chart. The flow chart is a visual representation of the expected flow of the self-assessment meeting.
Formation of the Meeting Agenda
The defined elements of the self-assessment meeting are thus combined to form the meeting agenda in a manner that is presentable and acceptable to the participants. Once the agenda is agreed upon, the next steps are to set up the meeting, including the selection and invitation of participants, organization of logistics, etc.
As an example, when performing a self-assessment to evaluate an organization's business processes, one could ask the following questions:
- Which manager is responsible for the accounts payable (AP) process?
- How many full-time employees (FTEs) are in the AP process?
- How many information systems are used in AP processing?
- Who enters invoices into the system?
- What is the average number of invoices processed per month?
- Does anyone review expense accounts later to ensure that there are no unusual items?
- How are invoices coded?
- What is the process for requesting checks for payments needed without invoices?
- Who cuts the checks?
- Who authorizes check requests?
Once these questions have been answered, the organization is ready for a self-assessment integration. At this stage, a checklist can help to facilitate the division of a merging company’s subsidiaries and to evaluate the divisions’ duplicate processes.
How to Prioritize: Turning Self-Assessment Into Action
With several projects being carried out in an organization at any given time, each with its processes, schedules, teams and time commitments, how should a business determine which projects to prioritize and how many to assess at any given time? Surely there is no cookie-cutter approach to the self-assessment process, as each organization is unique and has its own set of risks, goals, operations and structures.
A wealth of information on self-assessments is available, but locating and evaluating it and determining which sources apply to a particular business or sector are time-consuming and potentially cost-intensive commitments.
Outsourcing the self-assessment function is one option, but some organizations may find that this approach is not within their budget or that an element of control is lost in the process. One could purchase off-the-shelf software or self-assessment technology; however, not all technologies are ideal for all organizations, and some may not integrate with current systems and technologies.
KnowledgeLeader’s tools and publications are designed to serve as a central hub for your auditing needs. Here are some examples of our current content on self-assessment best practices and self-assessment policies and procedures.
Guides
The SOX Self-Assessment and Self-Testing Guide provides instructions for performing a self-assessment and self-testing for Sarbanes-Oxley (SOX) compliance. It includes sections for Mapping Global Risk, Set of Risks, and Initial Template Completion for self-testing (for those entities with existing SOX documentation that require self-testing for specific processes) and self-assessment (for those entities without any existing SOX documentation), Reporting Results, Project Timeline, etc.
Checklists and Questionnaires
The Control Self-Assessment Questionnaire contains two self-assessment templates that you can use to design, adhere to and monitor your company’s significant operating and financial controls. Sample questions related to specific areas of a business include:
- Are the policies and procedures documented?
- Are the policies and procedures up to date?
- Which risks do you see that threaten the business objectives?
- How do you control the major activities, output, etc.?
- What are the key information systems utilized?
- Do senior and line management executives demonstrate that they accept control responsibility, not just delegate that responsibility to financial and audit staff?
Methodologies and Models
The Business Self-Assessment Methodology provides an overview of the business self-assessment (BSA) process and includes four components of business self-assessment. BSA helps organizations improve business performance by enabling them to understand, prioritize, and reach a consensus on strategic objectives for the company or a specific business process; identify, prioritize, measure and source business risks or a specific business process; evaluate the effectiveness of controls or a specific business process; and enhance the performance of that business process.
Policies and Procedures
Our Control Self-Assessment Policy outlines a set of procedures for the control self-assessment process. The intent of this document is to assist control owners, process owners and internal audit with implementing and executing the control self-assessment (CSA) process. It follows an eight-step testing approach:
- Define the CSA control scope.
- Build the test plan.
- Execute testing.
- Test QA/analyze test results.
- Determine documentation and retention.
- Close meetings.
- Manage and remediate action plans.
- Perform independent verification (internal audit only).
Audit Reports
The Internal Controls Self-Assessment Report is a sample audit report that you can use to assess and improve your organization’s internal controls. Testing involved documenting updates based on responses to the questions and results of the walk-through, expanding notations and capturing compensation controls where applicable, assessing the overall control objectives and the process area, developing an entity-level controls (ELC) questionnaire based on the Committee of Sponsoring Organizations (COSO) framework, completing the ELC questionnaire, reviewing the final internal controls questionnaires (ICQs), and developing and reviewing a draft of the self-assessment report.
Process Flows
A control self-assessment is a technique used to facilitate the early identification of emerging or changing risks to manage compliance requirements more effectively. Our Self-Assessment Process Flow – High-Level Overview provides a high-level overview of the control self-assessment process, focusing on identifying inherent risks and developing surveys and action/test plans for identified gaps requiring remediation.
Introducing a self-assessment process into an organization’s risk management plan can be instrumental in establishing and maintaining a compliance process, which provides management with the real-time information necessary to focus on identifying issues and solving problems. This document should be used as a general guide to understanding and reviewing this business process. Organizations should customize this tool to ensure that it reflects their business operations and continuously monitor the process to ensure that the steps described are accurate.