We are increasingly being approached for guidance on what should be asked in a control self-assessment.
This article gives a quick introduction to control self-assessments and then explains how to identify what you should be asking in your self-assessments.
A brief introduction to control self-assessments
Controls are an organisation’s policies, procedures and activities operating to help do things right and reduce or eliminate the risk of error.
Good governance means management is responsible for having an effective system of internal controls in place and the board oversees and reviews the effectiveness of that system. Many laws also require controls to be in place to ensure legal compliance, including our health and safety laws.
The challenge is to ensure people understand and are applying the controls relevant to them and to ensure that controls are effective in practice. Control self-assessments offer a solution to this challenge.
Control self-assessments involve identifying suitable ways for managers and staff within the organisation to measure or test the controls they are responsible for. This is usually done using workshops, surveys, or questionnaires.
What to ask in a control self-assessment
The purpose of your control self-assessment should inform what is being asked. Organisations may run different types of control self-assessments for different purposes. Here are some examples:
- To ensure people are aware of and are applying the policies and procedures relevant to them.
- To ensure specific control activities are being performed and are effective.
- To test the internal control environment against external benchmarks.
Ensuring awareness and application of policies and procedures
Here the focus is on two approaches, with the ideal being a mix of both:
- Regular reporting on a small set of high-priority policies and procedures, for example anti-fraud policies, conflicts of interest processes, and health and safety policies and procedures.
The self-assessment statements here may be along the following lines:
- “I have read and understood the [name of] policy” (giving them easy access to the policy, of course)
- “I have discussed the [name of] policy with all of my team, including ensuring that each of them has read and understood the policy”
- “I am confident that my team and I have complied with the [name of] policy”
Some organisations will push the self-assessment out to all employees, which is much easier now that this can be done online, in which case you would slightly modify the assessment statements for managers and for staff.
Ensuring specific control activities are being performed and are effective
This type of assessment is for the purpose of ensuring specific risk control activities or measures are being applied effectively. Some organisations may be using a spreadsheet of risk controls to manually manage this type of self-assessment.
Here the people who are responsible for carrying out specific risk controls are presented with the relevant risk-control statements, together with supporting information about that control and how to report on its effectiveness.
Examples of this type of self-assessment statement for a site manager might be:
- “Our site has completed the six-monthly Trial Emergency Evacuation.”
- “All staff know/understand how to register a visitor with Reception and how to provide a safety briefing.”
As part of the assessment process, more senior managers may then be required to confirm they have reviewed their teams’ responses to the control self-assessment. Again, this is much easier when done online.
Testing the internal control environment against external benchmarks
The purpose of this kind of control self-assessment is to test and measure aspects of your organisation’s risk-control policies, processes, and activities against an external set of measures.
Examples of the type of external benchmarking measures that might be used include: an accounting standard, a security standard or a board self-assessment questionnaire. These resources tend to set out what it is your internal controls should be achieving if they are operating effectively.
For this type of control self-assessment, the assessment statements will be taken from the benchmarking resource and it is recommended that respondents are able to respond in a more evaluative way. Examples of this include:
- Having a scale, of say 1 to 5, on which the person undertaking the self-assessment can express their assessment of how your organisation measures up against each requirement, i.e. with 1 = strongly disagree through to 5 = strongly agree.
- A more objective scale where it is set out what each response level means in the context of that assessment. Here’s an example from a questionnaire about control activities – the scale is 1 to 3, with the highest rating of 3 meaning: “Process is documented, staff received training on the process and job descriptions are aligned with the process responsibilities”.