5 CONTROL RISK SELF-ASSESSMENT

Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization's governance, operations, and information systems.

IIA Standard 2120.A1

INTRODUCTION

Control risk self-assessment (CRSA) is a powerful tool that may be used to support ERM. It involves getting managers and their work teams to assess their own risks and controls, typically in workshops or facilitated meetings. ERM is the big picture, while CRSA is one of the tools that can be used to promote good ERM. Figure 5.1 illustrates this point.

The point is that CRSA is not ERM; it is just one part of it. Just because the auditor feels there is a sound CRSA program in place does not mean there is bound to be a good ERM process as a result. Having said this, CRSA, with its emphasis on people and how they work, has been given good press by many important people:

In the years since it first started, CSA has spread rapidly across the world and now appears in a number of guises such as RSA, QSA, etc. It is being practiced in industry, government, health, education and international multilateral bodies, and not-for-profit agencies. In all these sectors it has been well received by thousands of clients who see it as a breath of fresh air. Why? Perhaps it is because we are now asking them about issues in their world—the real world—and recognizing their expertise. Perhaps, also, because we are beginning to understand ...
