Control Self-Assessments
How do I get the best value from a self assessment?
There are many ways to judge a self assessment; it is, after all, something that most people find hard to do with complete objectivity and clarity. In many cases the respondent completing a self assessment doesn't want to appear in a bad light and interprets the objective or question to match the positive side of their activities. With the best will in the world, an unevidenced assessment can only be an indication of what is happening; without evidence there cannot be any substantial reliance for any audit or regulatory requirements. In some instances unevidenced assessments can be misleading and damaging, leading to reputational and financial loss.
The two most common types of self assessment are the indicator and the evidenced assessments.
The indicator requires a simple yes or no response: do you have controls to meet this objective? This can work as a quick gauge to see where potential weaknesses appear within an organization. When new policies or regulations are drafted, prior to final syndication, the indicator can be used to assess the impact of potential new requirements. Results can show the impact on working practices, resource plans and budgets.
The evidenced assessment requires the respondent to provide details of the control used to address the objective, a test plan and evidence of effective operation. This allows for independent review and verification. This assessment can be customized to suit needs; as an initial review phase it may be sufficient to document controls, highlighting commonality across areas and identifying gaps. Used this way it is more informative than the indicator but, like the indicator, does not provide substantial evidence that the controls exist and operate.
To truly get the full benefit of the evidenced self assessment, it should contain a complete record of the control and the evidence of operation. The documentation should allow for independent verification. Once the self assessment is validated by an independent audit function or an external auditor, management can place a greater reliance upon the self assessment process as a tool within the control framework.
The identification of target areas and owners, and the scheduling of any self assessment, is key to management's ability to manage and monitor the environment.
The management pyramid that exists in many firms can be used to categorize assessments. Objectives supporting a firm's governance should be aimed at the senior members of the management team, while detailed application controls should be aimed at application owners.
The maturity of the process, the effectiveness of remediation actions and the independent validation of the findings can, in time, lead to an overall reduction in audit costs.
At Playbook Solutions we have worked with clients to build self assessments, using them to address internal and external requirements. We have used our industry knowledge to provide scalable solutions to control gaps. Regardless of size and location, we have been able to provide cost-effective and reliable advice to clients.
The Company
Playbook Solutions Limited
Registered in England No: 6885884
39 Alma Road, St. Albans AL1 3AT
Privacy & Data Protection
Playbook Solutions Limited complies with the UK Data Protection Act and is registered with the Information Commissioner's Office.
