An increase in repeat findings often is an indication that the root cause of a control weakness has not been addressed adequately. Frequently when auditors provide similar recommendations, the root causes of these control weaknesses can be traced to human factors. Consider the five P's of effective controls for organizational success: One may design a well-conceived policy, a well-designed program aligned with the policy, effective procedures to implement the program, and well-suited practices for following the policy. However, if the organization's people do not follow those practices, it defeats the work of implementing the policy.
While management is responsible for setting good internal controls, implementing them depends on people at all levels of the organization. Therefore, it's the soft controls that make a difference. These soft controls are intangible controls such as morale, integrity, ethical climate, empowerment, competencies, openness, and shared values. They differ from hard controls such as organizational structure, delegation of responsibility, and human resources policies. However, soft controls can significantly impact the effectiveness of the organization's internal control structure.
Despite this impact, internal auditors typically focus on reviewing hard controls because it is difficult to obtain evidence of noncompliance with soft controls. This may be because of insufficient experience or skills in testing the soft controls. However, internal audit has a significant role to play in helping management evaluate soft controls. When seeking to identify risks stemming from soft control weaknesses, auditors can use control self-assessments (CSA) to facilitate the identification and evaluation of risks without impairing internal audit's objectivity. The robustness of CSA processes not only provides a powerful means of addressing these risks, but may also help reduce the likelihood of repeat audit findings that can be a drain on internal audit resources.
FACILITATING THE CSA
CSA is a process through which internal control effectiveness is examined and assessed through workshops, surveys, and management analysis facilitated and assisted by a subject-matter specialist. Participants, who are typically management or work teams directly involved in a business function, identify the risk factors, assess the control processes, develop action plans to reduce risks to acceptable levels, and determine the likelihood of the entity achieving the intended business...