Control Self-assessment for Information and Related Technology 

To ensure the smooth functioning of an enterprise striving to achieve predetermined objectives, business processes are identified and defined. To ensure that process work is completed properly, procedures are defined, documented and established. Business procedures need to be properly controlled to ensure smooth completion; out-of-control procedures are expensive, so controls need to be in place. These controls can be preventive, detective and/or corrective in nature. However, the adequacy of controls over procedures depends on various factors, including the balance between the cost of implementing the controls and the benefits derived from them. Many controls are essential overheads for the business, and therefore their effectiveness must be reviewed periodically. Internal audit of controls, itself an essential overhead, helps prevent controls from lapsing. Taken together, control overheads constitute a major expenditure item.

Assurance that the controls are in place and effective is essential. This assurance can be given through control self-assessment (CSA), also referred to as control self-assurance.

Systems and procedures for many business organizations within various sectors have evolved over time. For example, banking is one of the oldest service sectors, and the controls over banking procedures are essential not only for the bank, but also for society in general. Controls in banking procedures have also evolved over time; however, the adoption of information technology by banks has changed banking operations, which in turn has necessitated changes in control structures. What is applicable to banking can also be applied to other organizations and industries, particularly to medium and large organizations with diversified activities and more than one department/section/branch/office.

Provisions of the US Sarbanes-Oxley Act of 2002 require corporate management to assure investors and satisfy audit committees about the adequacy of operational controls. CSA of the IT operations in these organizations will help assure customers, stakeholders and government agencies that controls are in place and effective.

This paper explains the importance of CSA for IT and suggests three models to develop the CSA program. The examples and discussions are mainly conceptual and cannot be implemented without considering the internal procedures of the individual organization.

Note: Control self-assessment, control self-assurance and control coassessment are three different methods based on the same concept. This paper refers to all three methods as CSA, since the purpose of this paper is not to point out the differences in these methods, but to introduce a basic model for developing CSA.

Need for Internal Controls

There are a number of reasons for the use of internal controls:

  1. Changing business process—Developments in information and related technology over the last 40 years have made it increasingly evident to managers, controllers, regulators, government authorities, lawmakers, users and service providers that there is a need for a reference framework for security and control in IT. Effective IT management is critically important to the success of an organization, due to:
    • The increasing dependence on information systems
    • The increasing vulnerabilities and cyberthreats
    • The scale and cost of current and future investments in IT
    • The potential for technologies to change the business processes, procedures and practices of an organization
    • The likelihood that technology will create new business opportunities at reduced costs
    • The fact that information can travel through cyberspace without the constraints of time, distance and speed
  2. Change of focus on IT—Organizations, particularly service sector organizations, are increasingly dependent on information technology.

    In its earlier days, this technology consisted primarily of costly batch operations; hence, it was used only as a support function for management. As computers became smaller and cheaper, online operations became possible and the use of IT shifted from a support function to a business enabler. Today, IT is integrated into business processes and is no longer a separate function.

    Organizations are also creating new IT-enabled products and services, and technocrats are predicting that future organizations will exist only in cyberspace.
  3. Control investment—To maintain a successful organization, understanding and managing the risks associated with implementing new technology is essential, and to provide effective direction and adequate controls, management should have an appreciation for and a basic understanding of the risks and constraints of IT.

    Management must decide what to invest for security and control in IT and how to balance risk and control investment in an often unpredictable IT environment. While information systems security and control help to manage risks, they do not eliminate them. Management, however, must decide on the level of risk it is willing to accept. Judging what level can be tolerated, particularly when weighted against the cost, can be a difficult management decision. Users of IT services need assurance, through accreditation and the audit of IT services, that adequate security and control exists.
  4. Competition—Global competition is here. Organizations are restructuring to streamline operations, take advantage of the advances in IT and improve their competitive position. Business reengineering, right-sizing, outsourcing, empowerment, flattened organizations and distributed processing are all changes that impact the way in which business and governmental organizations operate. These changes are having, and will continue to have, profound implications for the management and operational control structures within organizations.

    Emphasis on attaining competitive advantage and cost-efficiency implies an ever-increasing reliance on technology as a major component in the strategy of most organizations. Automating organizational functions, by its very nature, dictates the incorporation of more powerful control mechanisms into computers and networks, both hardware- and software-based. Furthermore, the fundamental structural characteristics of these controls are evolving at the same rate and in the same manner as the underlying computing and networking technologies.

    Within this framework of accelerated change, the skills of managers, information systems specialists and auditors must evolve as rapidly as the technology and the environment, if they are going to be able to effectively fulfill their roles. If one is to exercise reasonable and prudent judgment in evaluating control practices found in typical business or governmental organizations, one must understand the technology of controls involved and its changing nature.
  5. Nature of business—The administrative structure of banks is based on a decentralized model and this branch office structure is applicable to many organizations. The administrator, responsible for the accomplishment of a branch's goals and objectives, is also responsible for the establishment, maintenance and monitoring of the internal control system, which helps ensure the accomplishment of goals and objectives.

    Good internal controls provide reliable financial reporting to assist management's decisions in maintaining sound business conditions, protection of assets including human resources, and compliance with the policies of the board of directors, internal and statutory rules, regulations and procedures.

    Poor internal controls can result in increased bureaucracy, reduced productivity, increased complexity, increased transaction processing time and an increase in nonvalue activities. In addition, poor internal controls interfere with the accomplishment of the branch's goals and objectives, allow misuse or abuse of assets, and may leave an entity open to public mistrust.
  6. Sarbanes-Oxley Act—This US Act has redefined the rules for corporate governance, disclosure and reporting. Sarbanes-Oxley requires that company management should be:
    • Aware of material information that is filed with the government and released to investors
    • Held accountable for the fairness, thoroughness and accuracy of this information
  7. Control self-assessment—While internal and statutory audits assist management in evaluating procedures and internal controls, auditors are unable to visit and work with each branch/office on a regular basis. To assist management in evaluating internal controls and increase the employees' understanding of those controls, CSA needs to be developed and implemented. Many organizations have considered implementation of CSA because of the constraints on internal audit resources due to downsizing and budget tightening.1 CSA assists management in defining objectives; implementing the self-assessment of risks, controls and residual risks; and developing action plans to mitigate excessive risk.

The Need for CSA

CSA is an extension of the internal control mechanism; it cannot function unless internal controls have been implemented. Therefore, an understanding of internal control is required.

Technology adoption has expanded concern about internal controls from being confined to accounting functions to encompassing the entire business enterprise. In the US, increased attention to controls began in the 1970s with the passage of the Foreign Corrupt Practices Act of 1977 and later with the Treadway Commission on Fraudulent Financial Reporting in 1987. More recently, the Federal Deposit Insurance Corporation Improvement Act (FDICIA) of 1991 and the Federal Sentencing Guidelines of 1991 have also piqued interest in understanding and applying internal control concepts.

In 1992, the Committee of Sponsoring Organizations (COSO) of the Treadway Commission published a report that established a generally accepted definition of internal control. This new and comprehensive framework marked a US standard for implementation and evaluation of business controls. Control Objectives for Information and related Technology (COBIT), published by the IT Governance Institute, followed and continues to refine these controls.

The 2002 Sarbanes-Oxley Act has added new dimensions to internal controls. Though the act was primarily passed to protect investors' interests, it has direct implications on internal controls of organizations. According to the Act, CEOs and CFOs must personally certify that they are responsible for disclosure controls and procedures. Each quarterly filing must contain a certification that they have performed an evaluation of the design and effectiveness of these controls. The certification must also state that they have disclosed to their audit committee and independent auditor any significant control deficiencies, material weaknesses and fraudulent acts.

It also mandates an annual evaluation of internal controls and procedures for financial reporting. In addition, the company's independent (external) auditor must issue a separate report that attests to management's assertion on the effectiveness of internal controls and procedures for financial reporting. This last requirement necessitates the adoption of a control framework against which the internal controls can be measured.

For example, the COBIT framework:

  • Helps management to ensure that its IT decisions balance risks and controls
  • Helps users obtain assurance on security and control of the products and services they acquire
  • Helps auditors provide a tool for apprising management of the internal controls that exist, form opinions on internal controls for management and identify the minimum cost-beneficial controls necessary for the organization

Comparable documents were developed elsewhere: the Criteria of Control Committee (CoCo) guidance in Canada and the Cadbury Report in the UK.

Internal control is defined by COSO as:

"A process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations"2

COSO also identified five components of internal control that support the achievement of the separate, but overlapping, operational, financial reporting and compliance objectives.

The enhancement of internal controls requires strengthening the internal audit function.

CSA is a tool designed to assist in the internal audit function, and to test the effectiveness of internal controls. A concise definition of CSA is not available; however, many organizations have described CSA in the following ways:

  • CSA is a risk management program in which risks and controls are examined and assessed to provide reasonable assurance to management that its business objectives will be achieved. The responsibility of the CSA program is shared among all employees.3
  • CSA is a self-assessment conducted on a system (major application or general support system), or a set of multiple self-assessments conducted for a group of interconnected systems (internal or external to the organization). It is one method used to measure IT security assurance, which is the degree of confidence one has that the managerial, technical and operational security measures work as intended to protect the system and the information it processes.4
  • CSA asks employees and managers who are directly involved in a business activity to determine whether the processes in place are effective and the objectives are being achieved.5
  • CSA is a powerful tool because it is inclusive and sets an expectation of high performance and a high level of knowledge about the work structure and policies. CSA helps evaluate informal or subjective controls in such areas as ethical practices, management philosophy and human resource policies. By involving employees at all levels, CSA solicits open communication and teamwork, and encourages improvement.6
  • From the senior management perspective, CSA assists in determining whether the organization is meeting its objectives. Key advantages to implementing a CSA program include early detection of risk and the development of concrete action plans that safeguard organizational programs against significant business risk. The CSA goals are to:
    • Reduce or eliminate costly and ineffective controls while creating valuable alternatives
    • Pinpoint risk areas while developing adequate control measures
    • Evaluate the control standards that are already in place
    • Emphasize management's responsibility for developing and monitoring effective internal control systems
    • Communicate the results to others7
  • CSA is a technique that involves bringing the staff members together for a facilitated workshop where they can discuss risk and control issues and devise action plans to address those issues. The process offers a means of identifying control problems and recommendations for improvement. The facilitator helps the group reach agreement.8
  • Self-assessments provide a method for employees and management to determine the current status of their information security programs and, if necessary, establish a target for improvement. The method utilizes specific control objectives and techniques in which an unclassified system, or group of interconnected systems, can be tested and measured. It may not, however, establish new security requirements. The control objectives and techniques are abstracted from an organization's statute, policy and guidance on security.9
  • CSA is a natural response to relevance that has been lost in the more traditional forms of assurance. The disconnect between those who provide audit services and their client community remains fairly severe to this day. Self-techniques are a means by which internal control owners are taking back primary ownership of assurance.10
  • To become or remain relevant to internal control owners, the audit function must transition to an integral component of the internal control process rather than maintaining the role as corporate monitor or policeman. CSA is the path to regaining relevance in an organization.11
  • The goal is not to practice forms of audit function, but rather to transition to various forms of CSA, which are embedded into the routine practices of each business process, with ownership of assurance assigned to the internal control owners as part of organizational design.12

The basic characteristics of CSA follow:

  • It is a technique.
  • It involves employees and process owners.
  • The aim is to ensure that business objectives are achieved.
  • It reduces the audit function load.
  • It is proactive verification of internal controls.
  • It increases the frequency of controls verification.
  • It involves control improvement—the timely detection and correction of weak controls.

CSA Defined

CSA is a management technique that assures stakeholders, customers and other parties that the internal control system of the business is reliable. It also ensures that employees are aware of the risks to the business and they conduct periodic proactive reviews of controls.

The Benefits of CSA

The benefits of effectively conducted CSA include:

  • Early detection of risks
  • More effective and improved internal controls
  • Creation of cohesive teams through employee involvement
  • Increased employee awareness of organizational objectives and knowledge of risk and internal controls
  • Increased communication between operational and top management
  • Highly motivated employees
  • Improved audit rating process
  • Reduction in control cost
  • Assurance provided to stakeholders and customers
  • Necessary assurance given to top management about the adequacy of internal controls, as required by the US Sarbanes-Oxley Act

Disadvantages of CSA

CSA can hold some disadvantages as well. They include:

  • It could be mistaken as an audit function replacement.
  • It is regarded as an additional workload—one more report to be submitted to management.
  • Failure to act on improvement suggestions could damage employee morale.
  • Lack of motivation may limit effectiveness in the detection of weak controls.

CSA Models

Various organizations are working on developing CSA models for IT-related processes; however, none has developed a generic model. In Control and Risk Self Assessment, David McNamee has described six methods:

  • ICQ self-audit
  • Customized questionnaires
  • Control guides
  • Interview techniques
  • Control model workshops
  • Interactive workshops13

Three models that use one or more of the above methods are discussed in more detail below:

  • NIST model—The US National Institute of Standards and Technology (NIST) developed a CSA questionnaire in September of 2001. The questionnaire can be used to develop a CSA for any organization.
  • COBIT model—Developed by the IT Governance Institute, this standard can be used to implement the internal controls on which a CSA model can be based.
  • Business process model—Each business process has risk of failure. CSA models are based on the identification of risks for each process and controls against materialization of the risks.

NIST Model

NIST has identified three control areas for IT systems:

  • Management
  • Operational
  • Technical

Within each of the control areas are a number of topics. For example, personnel security, contingency planning and incident response are topics that can be found under the operational control area.

There are a total of 17 topics (refer to figure 1).14 Each topic contains critical elements and supporting security control objectives and techniques about the system. If a number of the control objectives and techniques are not implemented, the critical elements have not been met.

Not every control objective and technique needs to be implemented; which ones apply depends on the system and the risks associated with it. Under each control objective and technique question, one or more source documents are referenced.

To measure the progress of effectively implementing the needed security control, five levels of effectiveness are provided for each answer to the security control question:

  1. Control objectives are documented in a security policy.
  2. Security controls are documented as procedures.
  3. Procedures have been implemented.
  4. Procedures and security controls are tested and reviewed.
  5. Procedures and security controls are fully integrated into a comprehensive program.

NIST has developed a questionnaire for IT system users. The questions, which are generic, are framed to test the level of all controls. The questions can be answered primarily on the basis of an examination of relevant documentation combined with a rigorous examination and test of the controls. The review should consist of testing the controls, as an auditor would. For example, access controls can be tested with a penetration test; software change controls can be tested by examining change request forms, test plans and approvals, security logs and audit trails. Supporting documentation describing what has been tested and the results of the tests adds value to the assessment and makes the next review of the system easier. The difference between audit and CSA is that CSA is self-audit; users who believe they already know the control situation may elect to skip actual testing, but an answer that is not backed by a test or by documentation provides correspondingly weaker assurance.

Once the checklist with all references is completed for the first time, future assessments of the system will require considerably less effort. The completed questionnaire establishes a baseline. If this year's assessment indicates that most of the controls in place are at level two or level three, then that would be the starting point for the next evaluation. More time can be spent identifying ways to increase the level of effectiveness instead of having to gather the initial information again. The comment section can be used to list whether there is supporting documentation, and the notes section provides an area for any lengthy explanations.
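The scoring and baseline comparison described above, as an added example that is not part of the original article or of NIST's publication. It assumes the five effectiveness levels listed earlier, a rule (an assumption here) that a critical element is met only when every applicable supporting control objective has reached level 3 (implemented), and a constructed sample topic with a handful of questions and a previous cycle's answers.

```python
"""Score a self-assessment questionnaire organized as topics -> critical
elements -> control objectives, and diff it against last cycle's baseline.
Added example; topic, questions, levels and baseline are constructed."""
from dataclasses import dataclass

# The five effectiveness levels described in the article; 0 = not in place.
LEVELS = {
    0: "not in place",
    1: "control objective documented in policy",
    2: "controls documented as procedures",
    3: "procedures implemented",
    4: "procedures and controls tested and reviewed",
    5: "fully integrated into a comprehensive program",
}


@dataclass
class Question:
    qid: str
    text: str
    level: int               # highest effectiveness level reached, 0-5
    applicable: bool = True  # an objective may not apply to this system


@dataclass
class CriticalElement:
    name: str
    questions: list


def element_met(element: CriticalElement, minimum_level: int = 3) -> bool:
    """Assumed rule: a critical element is met only if every applicable
    supporting control objective is at least implemented (level 3)."""
    applicable = [q for q in element.questions if q.applicable]
    return bool(applicable) and all(q.level >= minimum_level for q in applicable)


def answered_levels(elements: list) -> dict:
    """Flatten a topic to {question id: level}, skipping non-applicable items."""
    return {q.qid: q.level for e in elements for q in e.questions if q.applicable}


def topic_summary(topic: str, elements: list, minimum_level: int = 3) -> dict:
    """Per-topic view: elements met, level spread and the questions to work on."""
    levels = answered_levels(elements)
    return {
        "topic": topic,
        "elements_met": sum(element_met(e, minimum_level) for e in elements),
        "elements_total": len(elements),
        "min_level": min(levels.values()) if levels else None,
        "avg_level": round(sum(levels.values()) / len(levels), 2) if levels else None,
        "gaps": [qid for qid, lvl in levels.items() if lvl < minimum_level],
    }


def diff_against_baseline(baseline: dict, current: dict) -> dict:
    """Compare this cycle's levels with the baseline. Regressions are the
    items to investigate first; improvements show the program maturing."""
    shared = [q for q in current if q in baseline]
    return {
        "improved": {q: (baseline[q], current[q]) for q in shared if current[q] > baseline[q]},
        "regressed": {q: (baseline[q], current[q]) for q in shared if current[q] < baseline[q]},
        "new": [q for q in current if q not in baseline],
    }


# Constructed sample topic from the operational control area.
INCIDENT_RESPONSE = [
    CriticalElement("Capability to respond to incidents", [
        Question("IR-1", "Is a formal incident response capability available?", 3),
        Question("IR-2", "Are incident handling procedures documented?", 2),
        Question("IR-3", "Is incident information shared with relevant groups?", 3),
    ]),
    CriticalElement("Preventive measures to reduce incidents", [
        Question("IR-4", "Are intrusion detection tools installed and monitored?", 4),
        Question("IR-5", "Are penetration tests performed periodically?", 0, applicable=False),
    ]),
]

# Constructed answers from the previous assessment cycle (the baseline).
PREVIOUS_CYCLE = {"IR-1": 2, "IR-2": 2, "IR-3": 4, "IR-4": 3}


if __name__ == "__main__":
    summary = topic_summary("Incident Response Capability", INCIDENT_RESPONSE)
    delta = diff_against_baseline(PREVIOUS_CYCLE, answered_levels(INCIDENT_RESPONSE))
    print(summary)
    print(delta)
```

The `gaps` list is what the next cycle should spend its time on, and `regressed` is the list an auditor would ask about first: a control that was tested last year and is now merely implemented has usually lost its owner or its evidence.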

COBIT Model15

COBIT was born out of a research project that addressed the need for management and control of information and related technology. It resulted in this IT governance tool that helps organizations understand and manage the risks associated with information and IT. An organization needs information to achieve its objectives, and IT resources need to be managed by a set of naturally grouped IT processes.

COBIT consists of:

  1. Executive Summary
  2. Framework
  3. Management Guidelines
  4. Control Objectives
  5. Audit Guidelines
  6. Implementation Tool Set

Management Guidelines provides an assessment mechanism based on maturity models, critical success factors (CSFs), key goal indicators (KGIs) and key performance indicators (KPIs). The CSFs are the things that must be done to reach the target chosen on the maturity model; the KGIs define the goals; and the KPIs are monitored to judge whether the organization is on course to reach them.

These measurements offer the necessary direction that management needs for IT control assessment. Control Objectives and Audit Guidelines help define and implement the control framework.

Management can place the existing level of controls over IT processes at:

  • 0—Nonexistent: There are no controls.
  • 1—Initial: The need for controls is recognized and ad hoc controls are in place.
  • 2—Repeatable: Controls for repeatable processes are identified and in place, but their implementation is person-dependent rather than uniform.
  • 3—Defined: The controls have been standardized and documented. The process owners are aware of the standardized control procedures.
  • 4—Managed: A monitoring mechanism is in place to ensure the implementation of the standard controls. The feedback from this monitoring is used to improve the controls.
  • 5—Optimized: The controls have been refined to the level of industry best practice. The feedback and monitoring mechanism is in place and effective in adapting to required changes.

Management can plot the control level by mapping:

  • Current status in the organization
  • Current best practices in the industry
  • International best practices
  • Improvement strategy

In its Board Briefing on IT Governance, 2nd Edition,16 the ITGI provides a checklist for top management. This checklist is an excellent tool for self-assessment to evaluate IT governance. This checklist forms the initial input for the development of CSA.

The control framework of COBIT defines a set of 34 high-level IT processes with objectives for controlling the processes, which are grouped into four domains:

  1. Plan and organize
  2. Acquire and implement
  3. Deliver and support
  4. Monitor and evaluate

This structure covers all aspects of information and the technology that supports it. The 34 high-level control objectives are further broken down into 318 detailed control objectives. COBIT also provides audit guidelines for each high-level process to enable the review of IT processes against COBIT.

Each process is associated with one or more of the following five IT resources:

  1. People
  2. Data
  3. Application systems
  4. Technology
  5. Facilities

Furthermore, each process has an emphasis on one or more of the following seven attributes of information:

  1. Effectiveness
  2. Efficiency
  3. Confidentiality
  4. Integrity
  5. Availability
  6. Compliance
  7. Reliability

A generic set of CSFs, KPIs and KGIs for each process, which can be used in designing and monitoring the CSA program, has been provided in COBIT's Management Guidelines.

COBIT is a control framework and does not itself prescribe a control assessment method. However, its identification of processes and detailed control objectives makes developing one easier: one identifies the processes that are relevant to the business environment and then defines the controls for the relevant activities.

A CSA questionnaire can be developed using the audit guidelines provided by COBIT.

Business Process Model

This model is based on the identification of risks associated with each business process. A process is a structured, measured set of activities designed to produce a required or specified output. The COSO generic business model forms the basis for this approach.

For effective completion of a process, controls are required to be in place. Every process has a purpose or objectives, and inputs and outputs. It also has a risk of objectives not being met. Analysis of possible threats that can cause failure in the process forms the basis for controls over the process. The controls may reduce the probability of an event occurring, or mitigate the impact of these threats if materialized. The objective of CSA is to generate a comprehensive risk and control profile.

The basis for development of this model is top-down analysis of processes. Some IT processes are a part of a more general business process, and others are self-contained. The major IT processes of the organization may be progressively broken down into smaller tasks.

For example, starting computer operations at a computerized branch is part of the major branch operations process, which can be comprised of many smaller processes, such as checking main switches for power, checking UPS for proper output, starting peripherals, checking server power, checking power to all nodes, starting "Day Begin" operations, and checking logs of "Day Begin" operations. Each of the smaller processes can have various obstacles and/or threats, which can stop the process from successful completion (e.g., load shedding might have drained the UPS batteries, or the "Day Begin" process may have terminated abnormally).

Controls to prevent, detect and correct such situations are put in place. However, a changing environment requires constant evaluation of these controls for their effectiveness so that they can be adjusted. Periodic IS audit can help identify the required changes in controls, but the effectiveness of the audit process depends on factors such as the rate of change in the environment, auditor attitude and the attitude of employees toward audit.

The purpose of the CSA program is to involve process owners in identifying the need for and implementing the changed controls.

CSA Methodology

Actual development of CSA can be done using a combination of these models. There cannot be a generic CSA model. Each organization must develop a CSA model to suit the internal control requirements of the organization.

The starting point is to achieve a sound grasp of business and IT objectives, both strategic and operational. Risks are associated with objectives. Controls are designed to mitigate identified risks within accepted tolerances. Assurance then follows where internal control owners deem such a need to exist. This never-ending cycle is frequently recalibrated.17

CSA is designed to give the most effective form of assurance (i.e., strategic assurance, which is forward-looking). This mindset is not easily achieved by many auditors, as their education and training has traditionally been focused on historical assurance. Today, there is a need for assurance over events happening here and now, or events that will happen tomorrow.18 Sound knowledge of company dynamics, business processes, information systems, internal control objectives, risk and mitigating control techniques are critical factors in the successful introduction of CSA.

Finally, one has to understand the culture of the organization. Since implementation of CSA depends upon the participation of employees and managers (process owners), their support is essential to the successful implementation of CSA. The best method is to conduct workshops with process owners and ask them to develop CSA for the business. An IS auditor or internal auditor can guide the workshop. These workshops can address change management, communication, training, facilitation and assessment skills.

The CSA program follows a definite life cycle. The stages of this life cycle are outlined in figure 2. A database that can be updated is created during the first cycle. With every cycle, the CSA program matures and forms the natural business process.

Identifying business processes and objectives is the first stage (stage 0) of the development of the CSA. Generally, every organization has this stage completed during the development of the system requirement definition. However, redoing the same by process owners during workshops helps in identifying new or previously unthought-of risks.

Process analysis can start from the organization's operational controls or from the processes COBIT defines. Defining the scope of a process requires an analysis of system boundaries and organizational responsibilities. NIST's approach to defining a system boundary can be used to identify the process unit: a boundary is drawn around a set of processes, communications, storage and other related resources, and the elements within the boundary constitute a single system requiring a system security plan and a security evaluation. Each element of the system must:19

  • Be under the same direct management control
  • Have the same function or mission objective
  • Have essentially the same operating characteristics and security needs
  • Reside in the same general operating environment

Not all components of a process unit need to be physically connected; for example:

  • A group of stand-alone PCs (personal computers) in an office
  • A group of PCs placed in employee homes under defined telecommuting program rules
  • A group of portable PCs provided to employees who require mobile computing capability to perform their jobs
  • A system with multiple, identical configurations installed in locations with the same environmental and physical controls

Once the processes are identified, the following steps must be completed:

  • For each process, identify inputs, outputs and tools.
  • Identify the elements and connected processes.
  • List the processes that have similar security requirements.
  • Determine the objective of the process, a desired outcome that is provided by the process and is essential for identifying risks.

Identifying and assessing risks is the next stage (stage 1). For a self-assessment to be effective, a risk assessment should be conducted prior to the control assessment. A CSA does not eliminate the need for a risk assessment.

A risk is the possibility that an event or action will adversely affect the outcome of the process (i.e., process objectives will not be met). It is usually expressed in terms of the consequence of an event and the likelihood of its occurrence.20

There are various risk assessment and prioritization methods in use.21 One of them is the matrix method, in which a matrix of probability parameters and consequences is prepared.22

This stage has the following steps:

  • Validate the process list and objectives.
  • Identify significant process risks that threaten the achievement of the process objective and the business objective.
  • Assess the risks in terms of probability of occurrence and consequences.
  • Prioritize the risks (risks that pose a threat to business objectives get higher priority).

While evaluating the risk, the sensitivity of the information being processed must be considered. If the process uses highly sensitive information, then the risks associated with the process are evaluated more critically.

Stage 2 addresses controls, the safeguards put in place by management that support the achievement of business objectives by managing the level of risk in the business. The following steps are suggested:

  • Validate risks identified in the previous stage.
  • Identify current controls.
  • Evaluate the current controls for extreme and high-risk situations.
  • Assess the adequacy of controls and prepare an improvement plan.
  • List alternate controls.
  • Identify key controls that most effectively manage the risk.

The existing controls may be evaluated by giving ratings:

  • Adequate—The risk is mitigated to an acceptable level.
  • Limited—The risk is reduced but not up to an acceptable level.
  • Deficient—Controls are absent or inadequate.
  • Excess—Control can be reduced.

The adequacy of the controls can also be evaluated with these ratings. For example, if vendor information is outdated, the control can be rated as limited, i.e., information is available, but might be insufficient or outdated. The resulting action is to update the inputs required for the process.

Stage 3 is the documentation and development of a questionnaire for process owners. The goal of the questionnaire is to provide a standardized approach to assessing a system. The document strives to blend the control objectives found in the requirement and guidance documents.

Questionnaire and documentation development can be difficult. NIST has developed a generic questionnaire; however, it needs to be customized whenever it is used.

Stage 4, collect and analyze, addresses the analysis of the completed questionnaires for effectiveness. All completed questionnaires should be marked, handled and controlled as sensitive documents: the information contained in a completed questionnaire could easily show where the system, or group of systems, is most vulnerable.

Since this is a self-assessment, the process owners who operate and administer the system are also the ones who assess it. The same individuals who complete the assessment can analyze the completed questionnaire and summarize the findings.

The questionnaire can be used for two purposes:

  1. By managers who know their systems and security controls, to quickly gain a general understanding of where security needs improvement
  2. As a guide for thoroughly evaluating the status of internal controls as required by the Sarbanes-Oxley Act. The results of such thorough reviews provide a much more reliable measure of security effectiveness and may be used to fulfill reporting requirements, prepare for audits and identify resource needs.

The database of all processes is then updated according to the questionnaire answers; this updated database is the starting point of the CSA.

The process owners' control suggestions are reviewed to confirm that the owners have understood the risk and control concepts. This analysis forms the basis of the next stage. After the analysis is completed for the first time, future assessments of the system will require considerably less effort, because the completed questionnaire establishes a baseline. Time can then be used to identify ways of increasing the level of effectiveness, rather than gathering the initial information again.

Stage 5 is awareness training. Based on the inputs received from the questionnaire, training requirements for the employees, managers and others involved can be assessed and the necessary training, workshops or seminars tailored. As the CSA program matures and passes through additional cycles, this stage can subsequently be eliminated or replaced by coeducation or peer training.

In stage 6, an action plan and reporting mechanism are developed. Action plans define what controls must be introduced, enhanced or removed to provide assurance that all high and significant risks are mitigated to an acceptable level. Action plans are developed based on the inputs from process owners at workshops and from questionnaire responses.

The action plan is required for controls that are rated as limited, deficient or excess.
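The stage 1 matrix method, the stage 2 control ratings and the stage 6 action-plan rule above fit together in one small script. The following is an added example, not code from the original article and not the AS/NZS 4360 tables themselves: the 1 to 5 likelihood and consequence scales, the score thresholds for the extreme/high/medium/low bands, and the sample risk register are all constructed assumptions. It prioritizes risks by matrix score, then produces one action item for each control rated limited, deficient or excess, flagging extreme and high risks for immediate review as stage 2 directs.

```python
"""Risk matrix, control ratings and action plan for one CSA cycle (added example)."""
from dataclasses import dataclass
from typing import Dict, List

# Five-point likelihood and consequence scales. The labels follow the usual
# AS/NZS 4360 vocabulary, but the numeric values and the bands in risk_level()
# are this example's assumption, not the standard's own tables.
LIKELIHOOD: Dict[str, int] = {
    "rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5,
}
CONSEQUENCE: Dict[str, int] = {
    "insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5,
}

# Stage 2 control ratings; the three listed here need a stage 6 action plan.
NEEDS_ACTION = {
    "limited": "enhance control",
    "deficient": "introduce control",
    "excess": "reduce control",
}
CONTROL_RATINGS = {"adequate", *NEEDS_ACTION}


def risk_score(likelihood: str, consequence: str) -> int:
    """Matrix cell value: likelihood x consequence (stage 1 assessment)."""
    return LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]


def risk_level(likelihood: str, consequence: str) -> str:
    """Map a matrix cell to a priority band (assumed thresholds)."""
    score = risk_score(likelihood, consequence)
    if score >= 15:
        return "extreme"
    if score >= 10:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


@dataclass
class Risk:
    process: str
    description: str
    likelihood: str
    consequence: str
    control: str         # current control identified in stage 2
    control_rating: str  # adequate | limited | deficient | excess

    def __post_init__(self) -> None:
        # Reject a mistyped workshop entry rather than silently dropping it.
        if self.likelihood not in LIKELIHOOD or self.consequence not in CONSEQUENCE:
            raise ValueError(f"unknown likelihood/consequence for {self.process!r}")
        if self.control_rating not in CONTROL_RATINGS:
            raise ValueError(f"unknown control rating {self.control_rating!r}")

    @property
    def score(self) -> int:
        return risk_score(self.likelihood, self.consequence)

    @property
    def level(self) -> str:
        return risk_level(self.likelihood, self.consequence)


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Stage 1 prioritization: highest matrix score first, then by process name."""
    return sorted(risks, key=lambda r: (-r.score, r.process))


def action_plan(risks: List[Risk]) -> List[dict]:
    """Stage 6: one action item per control rated limited, deficient or excess.

    Items keep the stage 1 priority order; extreme and high risks are flagged
    for immediate review, matching the stage 2 step that evaluates current
    controls for extreme and high-risk situations first.
    """
    plan = []
    for r in prioritize(risks):
        if r.control_rating not in NEEDS_ACTION:
            continue  # adequate: no action item
        plan.append({
            "process": r.process,
            "risk": r.description,
            "level": r.level,
            "current_control": r.control,
            "action": NEEDS_ACTION[r.control_rating],
            "immediate": r.level in ("extreme", "high"),
        })
    return plan


# Constructed sample register (not real data) as a workshop might record it.
SAMPLE_REGISTER = [
    Risk("Payment processing", "Unauthorized change to a payment batch",
         "likely", "major", "Dual authorization of batches", "adequate"),
    Risk("User access management", "Terminated staff retain system access",
         "possible", "major", "Quarterly access review", "limited"),
    Risk("Backup and recovery", "Backups cannot be restored",
         "unlikely", "catastrophic", "No restore test performed", "deficient"),
    Risk("Vendor management", "Vendor contact information outdated",
         "possible", "minor", "Annual vendor file update", "limited"),
    Risk("Report distribution", "Internal newsletter sent to the wrong list",
         "unlikely", "insignificant", "Three-level approval of newsletter", "excess"),
]

if __name__ == "__main__":
    for item in action_plan(SAMPLE_REGISTER):
        flag = "IMMEDIATE" if item["immediate"] else "planned"
        print(f'{item["level"]:8} {flag:9} {item["process"]}: {item["action"]}')
```

Run stand-alone, the script lists four action items: the two high risks (access review, backup restore) marked for immediate review, the limited vendor control as a planned enhancement, and the excess newsletter approval as a control to reduce. The adequately controlled payment risk, although it scores highest in the matrix, produces no action item, which is the point of separating the risk rating (stage 1) from the control rating (stage 2).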

The final stage is the return to stage 1—the continuation of the CSA cycle—for continuing assurance. The next cycle starts with a documented risk and control profile for all processes. The need for continuance arises from the dynamic nature of the business environment and the high rate of IT advancement: advances in IT change processes, and changed processes need to be reassessed.


Success of CSA depends on the culture of the organization, the leadership of the project and the skills of those involved. What works best in one organization may not translate well to a different environment.

IT governance is becoming an important consideration for all organizations. CSA is an effective tool for successful implementation of IT governance. Considering the security incidents, limited internal audit resources and requirements of the Sarbanes-Oxley Act, CSA will help medium and large organizations build security consciousness among IT users and will provide a mechanism to comply with the Act's provisions.


1 McNamee, David; Control and Risk Self
2 Key Concept and Internal Control-Integrated Framework, Committee of Sponsoring Organizations, 1992,
3 Doughty, Ken; "Control Self-Assessment" presentation at 17th Annual Asia-Pacific CACS, Kisarazu-shi, Chiba, Japan, 9-11 September 2001
4 Security Self-Assessment Guide for Information Technology Systems, National Institute of Standards and Technology (NIST), Special Publication - 800-26,
6 Ibid.
7 Ibid.
8 Chakravarty, Ranjita; Frank Topper; "Risk and Control Self-Assessment (RCSA): A Useful Complement to Information Systems Audits at Stanford University," Information Systems Control Journal, volume 1, 2001
9 Op. cit., NIST
11 Ibid.
12 Ibid.
13 Op. cit., McNamee
14 Op. cit., NIST
15 COBIT 3rd Edition, IT Governance Institute, 2000,
16 Board Briefing on IT Governance, IT Governance Institute, 2001,
19 Op. cit., NIST
20 Australian/New Zealand Standard, Risk Management, AS/NZS 4360:1999
21 Peltier, Thomas R.; Information Security Risk Analysis, Auerbach Publications, 2001
22 Op. cit., AS/NZS

Sunil Bakshi, CISA, CISM, AMIIB
has been working in IT for about 20 years. He is experienced in IT development, IT management, IS audit and IT security for the banking industry. He is a past president of the ISACA Pune Chapter (2001) and is currently a member of the ISACA Membership Board. He is also a member of Computer Society of India, Indian Institute of Bankers and Association for Overseas Technical Scholarships, Japan. He can be reached at and