If there was a process that was mentioned 43 times in 7 of the 12 FFIEC IT Examination Handbooks, (including 12 times in the Information Security Handbook alone!), would you consider implementing it? How about if it virtually assured better audits and examinations? OK, you’re interested, but the last thing you need is to implement another complicated process, right? What if the framework is probably already in place at your institution, and all you need to do is fine-tune it a bit?
I’m referring to the Control Self-Assessment (CSA), and let’s first make the regulatory case for it. The FFIEC Operations Handbook says:
If you’re familiar with “FFIEC-speak”, then you know that “should” really translates to “must”. But the Information Security Handbook makes the most compelling argument for utilizing the CSA in your risk management program:
Control self-assessments validate the adequacy and effectiveness of the control environment. They also facilitate early identification of emerging or changing risks.
So there is plenty of regulatory support for the CSA process, what about the audit and exam benefits? All of the major auditing standards bodies (IIA, AICPA, ISACA) address the importance of internal control reviews. Indeed most auditors say that institutions with an internal CSA process in place generally demonstrate a much more evolved risk management process, resulting in fewer, and less severe, audit findings. This stands to reason, as they tend to identify, and correct, control weaknesses prior to audit, as opposed to waiting for the auditor to identify them. And since one of the first things the examiner wants to see when they come in is your most recent audit, this often results in fewer examination findings as well.
One more reason to implement a CSA process from the examination perspective is something I touched on here…for those institutions trying to maximize their CAMELS IT composite ratings, one of the biggest differentiators between a “1” and a “2” is that in institutions rated a “1” “…management identifies weaknesses promptly (i.e. internally) and takes appropriate corrective action to resolve audit and regulatory concerns”. Conversely, in those institutions rated a “2” “…greater reliance is placed on audit and regulatory intervention to identify and resolve concerns”. A CAMELS “3” rating speaks directly to the CSA, stating that “…self-assessment practices are weak…“.
OK, so there are certainly lots of very good reasons to implement a CSA process in your institution. How can this be done with minimal disruption and the least amount of resource overhead? Chances are you already have a Tech Steering Committee, right? If the committee consists of members representative of all functional units within the organization, it has the support of senior management, and is empowered to report on all risk management controls, all that’s needed is a standardized agenda to follow. The agenda should address the following concerns:
- Identification of risks and exposures
- Assessment of the controls in place to reduce risks to acceptable levels
- Analysis of the gap between how well the controls are working, and how well management expects them to work
As you can see, this is not substantially different from what you are probably already doing in your current Tech Steering Committee meetings. In fact, this list is really only a sub-set of your larger agenda…the only possible difference is that any and all findings in the gap analysis must be assigned to a responsible party for remediation.
In summary; the FFIEC strongly encourages it, the auditors and examiners love it, and for most institutions it’s not too difficult to implement and administer. But if you only need one good reason to consider the CSA process, it should be this: