The Control Self-Assessment (CSA)
If there was a process that was mentioned 43 times in 7 of the 12 FFIEC IT Examination Handbooks (including 12 times in the Information Security Handbook alone!), would you consider implementing it? How about if it virtually assured better audits and examinations? OK, you’re interested, but the last thing you need is to implement another complicated process, right? What if the framework is probably already in place at your institution, and all you need to do is fine-tune it a bit?
I’m referring to the Control Self-Assessment (CSA), and let’s first make the regulatory case for it. The FFIEC Operations Handbook says:
If you’re familiar with “FFIEC-speak”, then you know that “should” really translates to “must”. But the Information Security Handbook makes the most compelling argument for utilizing the CSA in your risk management program:
Control self-assessments validate the adequacy and effectiveness of the control environment. They also facilitate early identification of emerging or changing risks.
So there is plenty of regulatory support for the CSA process; what about the audit and exam benefits? All of the major auditing standards bodies (IIA, AICPA, ISACA) address the importance of internal control reviews. Indeed, most auditors say that institutions with an internal CSA process in place generally demonstrate a much more evolved risk management process, resulting in fewer, and less severe, audit findings. This stands to reason, as they tend to identify, and correct, control weaknesses prior to audit, as opposed to waiting for the auditor to identify them. And since one of the first things the examiner wants to see when they come in is your most recent audit, this often results in fewer examination findings as well.
One more reason to implement a CSA process from the examination perspective is something I touched on here…for those institutions trying to maximize their CAMELS IT composite ratings, one of the biggest differentiators between a “1” and a “2” is that in institutions rated a “1” “…management identifies weaknesses promptly (i.e. internally) and takes appropriate corrective action to resolve audit and regulatory concerns”. Conversely, in those institutions rated a “2” “…greater reliance is placed on audit and regulatory intervention to identify and resolve concerns”. A CAMELS “3” rating speaks directly to the CSA, stating that “…self-assessment practices are weak…“.
OK, so there are certainly lots of very good reasons to implement a CSA process in your institution. How can this be done with minimal disruption and the least amount of resource overhead? Chances are you already have a Tech Steering Committee, right? If the committee consists of members representative of all functional units within the organization, it has the support of senior management, and is empowered to report on all risk management controls, all that’s needed is a standardized agenda to follow. The agenda should address the following concerns:
- Identification of risks and exposures
- Assessment of the controls in place to reduce risks to acceptable levels
- Analysis of the gap between how well the controls are working, and how well management expects them to work
As you can see, this is not substantially different from what you are probably already doing in your current Tech Steering Committee meetings. In fact, this list is really only a subset of your larger agenda…the only possible difference is that any and all findings in the gap analysis must be assigned to a responsible party for remediation.
In summary: the FFIEC strongly encourages it, the auditors and examiners love it, and for most institutions it’s not too difficult to implement and administer. But if you only need one good reason to consider the CSA process, it should be this:
Improved audit and examination ratings!
April 5, 2011
I agree with everything you have to say about the CSA; however, the world most of my clients operate in is one where this will be looked at as one of those “great idea, no resources, we are lucky to even have a tech committee meeting”.
My clients are running with extremely lean staffing – I would say cut to the bone but then you might accuse me of trying to be punny…seriously, my clients are understaffed and struggling to do twice as much with half the staff. Getting them to have quarterly tech committee meetings can be a challenge.
The traditional course of events is as follows – go out and do the IT general controls review (IT audit), maybe a GLBA review and Internet banking, remote deposit capture or whatever the risk-based audit plan calls for.
At the conclusion of field work, the findings are presented to senior management, which usually includes the CFO and COO or EVP/SVP/VP of Operations. I submit a draft report and go through a review process with whatever officer was the person responsible for the IT audit. Submit a final report and then make a formal presentation to the audit committee at their next meeting.
In the never ending quest to provide my clients with better service and maintain a closer relationship, what if we altered the process slightly – when the draft report is ready, instead of just meeting with one bank officer, I meet with the entire tech committee. We review the findings and all the key controls that are in place and discuss my recommendations for remediating the findings.
In six months, I facilitate a meeting with the tech committee. We review the status of the remediation of the audit findings; any incidents in the last six months; any changes in business processes; acquisitions; examinations; new and emerging threats; discuss any changes that have occurred in controls; review key controls to make sure that they are still functioning; and review and update the risk-based audit plan.
This ensures that the tech committee meets at least twice a year, and while the first meeting is not exactly a CSA, it is close.
Thoughts?
April 5, 2011
Michael –
You are absolutely right. Sadly, risk management in general (and audit functions in particular) are still considered an intrusion into normal daily procedures, instead of an integral part of them. Until management evolves to embrace this, audit personnel will struggle with acceptance. However, there is much anecdotal evidence that examiners are becoming much more active in the scrutiny of management’s involvement in the overall risk management process, particularly at the strategic level. Virtually every consent order I’ve seen lately mandates increased participation of the Board and senior management in the compliance process. Still, it can be a challenge to convince them of that preemptively.
I think your approach is spot on, and definitely meets the requirements of a CSA, with you as the facilitator. Let me know how you make out with your goal of greater management involvement!
March 20, 2012
Tom –
Asking for some guidance on a particular self assessment. We have performed all risk assessments globally and at the product level under the guidance of the FFIEC IT Exam handbook for the last several years – from ACH to RDC to IT in general. I have been looking for and have yet to find a self assessment document specifically targeting wire transfers (domestic and international / in and out). Have you ever come across one that you could refer me to?
Thanks in advance.
March 21, 2012
Curtis – I don’t have one specifically for wire transfers, but it shouldn’t be too difficult to create. Are you trying to perform a risk-based or control-based self-assessment? A control-based assessment would evaluate the effectiveness of the existing risk management controls by reviewing reports that validate that your controls are working. For example, if one of your controls is to require bank employee verification for all wires over $50,000, you can pull a report for all wires that meet that criteria (or a statistical sample), and the corresponding verifications.
However, if you want to perform a risk-based self-assessment, you need to validate the adequacy of the controls. This is a more thorough but also different process because it requires you to validate both risks and controls.
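As an added illustration of the control-based check described in the reply above (this is not code from the post or from either commenter), the following Python reconciles a constructed wire-transfer report against a constructed verification log and reports the exceptions; the record fields, employee IDs and wire IDs are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data (not from the post): the wire report and the
# verification log a bank would pull to test the "verify wires over $50,000" control.
@dataclass(frozen=True)
class Wire:
    wire_id: str
    amount: float
    direction: str   # "out" or "in"
    sent: date

@dataclass(frozen=True)
class Verification:
    wire_id: str
    verified_by: str  # assumed field: employee ID of the verifier
    method: str       # assumed field, e.g. "callback"

WIRES = [
    Wire("W-1001", 12_500.00, "out", date(2012, 3, 1)),
    Wire("W-1002", 75_000.00, "out", date(2012, 3, 2)),
    Wire("W-1003", 50_000.00, "out", date(2012, 3, 5)),   # boundary: not "over" $50,000
    Wire("W-1004", 180_000.00, "out", date(2012, 3, 7)),  # in scope, never verified
    Wire("W-1005", 64_300.00, "in", date(2012, 3, 9)),
]

VERIFICATIONS = [
    Verification("W-1002", "emp-17", "callback"),
    Verification("W-1005", "emp-04", "callback"),
    Verification("W-9999", "emp-04", "callback"),  # orphan: no matching wire in the report
]

def check_wire_verification_control(wires, verifications, threshold=50_000.0):
    """Control-effectiveness test: every wire strictly over `threshold` must have a
    matching verification record.  Returns the in-scope population size, the
    unverified wires (exceptions), verification records that match no wire
    (orphans, a data-quality signal), and the observed effectiveness rate."""
    verified_ids = {v.wire_id for v in verifications}
    known_ids = {w.wire_id for w in wires}
    in_scope = [w for w in wires if w.amount > threshold]
    exceptions = [w.wire_id for w in in_scope if w.wire_id not in verified_ids]
    orphans = sorted(verified_ids - known_ids)
    rate = 1.0 if not in_scope else 1 - len(exceptions) / len(in_scope)
    return {"in_scope": len(in_scope), "exceptions": exceptions,
            "orphans": orphans, "effectiveness": round(rate, 3)}

if __name__ == "__main__":
    print(check_wire_verification_control(WIRES, VERIFICATIONS))
```

Each exception is a gap-analysis finding to assign to a responsible party, and the effectiveness rate is the figure management compares against how well it expects the control to work.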
March 21, 2012
We are looking to perform a risk-based self assessment. We found these for ACH and RDC, but no luck on the wires. We do perform control-based self assessments already for all high risk transactions. Thanks.
March 22, 2012
Here is how I would approach it. Think about risk management as a linear process that starts with the item to be assessed, and progresses through the risks, identifies inherent risk, then proceeds to layered controls, and arrives at residual risk. A self-assessment that wishes to assess both control adequacy and effectiveness would essentially focus on the accuracy of both the inherent risk value and the residual risk value. So each time the management team meets, they ask the questions “are we satisfied that the inherent risk value accurately reflects all known risks”, and “are we satisfied that the residual risk value accurately measures control effectiveness”. As the facilitator, your job is to make sure management has all the information they need to answer those 2 questions.
March 23, 2012
Thank you. I am going to take the ICQ section of the FDIC examiners manual along with some from the FRB manual and transpose that into Excel. From there I will set up a weighted response to each question that factors in a value. Similar to the ones on the NACHA site for ACH and RDC. We shall see how it goes.
March 23, 2012
That should work, after all the ITOQ section states “The following chart can be used as a guide in conducting self assessments”. The section is not specific to wires, but would be an excellent guideline for all InfoSec related assessments. For something a little more specific, you may also want to incorporate elements from Appendix A of the FFIEC E-Banking Handbook. Objectives 4 & 5 are especially well suited to assessing wire transfer risks and controls. Good luck!