Trust but verify: control self-assessments can increase audit efficiency and spread control awareness throughout the organization.

Author: Acharya, Parikshith


"Trust but verify" is an old adage that is apt for the internal audit profession. It is the core principle of control self-assessment (CSA), which requires internal auditors to place a relatively high degree of reliance on trust in the process owners' judgment, while also verifying the accuracy of their assessment.

CSA is an assurance and audit approach that enables process owners to self-evaluate the effectiveness of their controls to mitigate risks. Management and internal audit can use CSAs collaboratively to assess the adequacy of their organization's risk management and control processes through techniques such as facilitated team workshops and questionnaires.

The internal audit department at Hewlett Packard Enterprise (HPE) has implemented a CSA framework to help it provide assurance on key risks across more than 150 countries and businesses, ranging from hardware and software to services. Auditors use CSAs to perform audit engagements in business units where it is not feasible to deploy a full-fledged audit team. This approach has enabled the department to provide quicker, relevant, and focused assurance while also promoting awareness of controls among business process owners.


HPE's internal audit function performs various types of audits such as individual country and legal entity audits, regional and worldwide horizontal business-process audits, and individual contract audits. The department's first task was to decide which type of audits should be included in the CSA pilot. The department chose to use CSA for country audits because they typically include review of certain standard scope areas such as procurement, employee expense claims, and statutory compliance. Moreover, it decided to try out CSAs in countries with a relatively small volume of operations but with inherent risks such as high perceived corruption. It also selected smaller countries, where the business used local processes and IT systems, rather than the company's standard corporate tools.

The next step was to create a list of standard risks for the processes typically reviewed in such audits and map the existing controls, leveraging internal audit's knowledge and audit programs from past engagements. Auditors developed a simple, spreadsheet-based tool to document this risk and control list and to provide the potential respondents an easy method to assess and rate their respective controls as being effective or ineffective. The tool also provides a section to enable respondents to provide additional...