Control Self-Assessment


Time
7 hours 15 minutes
Difficulty
Intermediate
Video Transcription
00:00
>> Hi, and welcome back to
00:00
the next lesson, Control Self-Assessment.
00:00
In this lesson, we'll be covering what
00:00
the Control Self-Assessment is or the CSA,
00:00
some of the objectives and the benefits,
00:00
also some of the disadvantages.
00:00
And as an auditor,
00:00
what your role in facilitating
00:00
the Control Self-Assessment will be. So let's begin.
00:00
A Control Self-Assessment is essentially an audit
00:00
conducted by staff or management of the audit target.
00:00
So this is self-audit,
00:00
basically what it does,
00:00
it basically provides assurance that
00:00
employees are aware of the risks to the business.
00:00
So it is the people using
00:00
the system who actually live with the day-to-day risks
00:00
providing the audit function and
00:00
essentially auditing and checking
00:00
the integrity of the system.
00:00
In this case, the IS auditor
00:00
will realistically act as a facilitator only.
00:00
Today is basically that can be facilitated by
00:00
either a number of workshops or procedures policy.
00:00
It's implemented in organizational policy and procedures.
00:00
There are two main objectives of the CSA.
00:00
Shifts some control monitoring
00:00
responsibilities to the functional area.
00:00
So areas that are actually working
00:00
with the system itself and now it's
00:00
partially responsible for monitoring
00:00
the function of those systems.
00:00
It's to enhance the formal auditing program.
00:00
So it's never intended to
00:00
replace the Formal Auditing Program,
00:00
but it's potentially to provide another artifact
00:00
or evidence that a formal audit can actually use.
00:00
There are a couple of benefits to performing a CSA.
00:00
Early risk detection: if the people who are using
00:00
the system are actually responsible for the auditing,
00:00
there is every chance that the risks
00:00
will be detected a lot earlier
00:00
than what an external audit would do.
00:00
There's improved internal controls.
00:00
So the people are actually dealing
00:00
on the day-to-day basis with the system,
00:00
will be able to help to
00:00
define and determine the controls,
00:00
and there's also employee involvement.
00:00
People who are working with this system have a level of
00:00
ownership of the responsibility of the system as well.
00:00
There's also an increased employee awareness,
00:00
particularly with security.
00:00
This can certainly be a benefit to
00:00
enhance the security awareness
00:00
training that the employees will
00:00
also receive and it also produces
00:00
better communication between
00:00
the operations area and management.
00:00
The people who were doing the job are talking
00:00
and communicating a little bit
00:00
better with people who are managing the job.
00:00
It will also improve the audit writing process.
00:00
So the fact that this is
00:00
essentially a continual audit or an audit that's
00:00
occurring on a fairly regular basis
00:00
far more than what our formal audit would.
00:00
We all help with the overall audit process.
00:00
There is also a reduction potential in control costs,
00:00
and there's a greater level of insurance to customers and
00:00
stakeholders as well as to top management.
00:00
Now there are some disadvantages of the CSA.
00:00
Of course. Now, as I stress,
00:00
the CSA is not a replacement for the audit function,
00:00
but it could be mistaken as
00:00
a replacement for the audit function.
00:00
So this isn't just a cheaper way to do the audit,
00:00
it's to enhance the existing audit process.
00:00
And employees may also see
00:00
this as an additional workload.
00:00
If you have an organization that is rather
00:00
stretched in terms of employee numbers,
00:00
this may just be seen as another task they have to do.
00:00
And also there is a downside that if
00:00
your employees basically conducted
00:00
a CSA and management failure
00:00
to act on recommendations
00:00
that come out of that, that can be very
00:00
readily observed by the employees
00:00
and will potentially have an impact on morale.
00:00
The lack of the motivation
00:00
of the employee to conduct this
00:00
may limit the effectiveness.
00:00
As an IS auditor,
00:00
you've got three key roles.
00:00
So basically facilitation and as I said,
00:00
that can be done in a number of ways
00:00
by development of policy and procedures,
00:00
conducting or facilitating workshops and
00:00
your other role is to understand
00:00
the process being audited.
00:00
So if you are facilitating a workshop,
00:00
you need to have some understanding
00:00
of exactly the business,
00:00
the needs of the environment.
00:00
Overall, it's basically
00:00
leading and guiding and not doing.
00:00
So the key factor here is you
00:00
facilitate but you don't hold it.
00:00
Okay, so that was the end of the lesson.
00:00
We've covered a little bit about
00:00
the Control Self-Assessment,
00:00
some of the objectives and the benefits that you
00:00
can obtain in your organization from CSA.
00:00
some of the disadvantages to be mindful of, and what
00:00
the IS auditor's role will be in the conduct of the CSA.
00:00
Well, I hope you enjoyed the lesson
00:00
and I'll see you at the next one.