Control Self-Assessment Policy

CONTROL SELF-ASSESSMENT POLICY

Prepared By:

Approved By:

Revision Date:

Effective Date:

The following sample outlines a set of policies and procedures for the control self-assessment process.

PURPOSE

The purpose of this policy is to assist control owners, process owners and internal audit with implementing and
executing the control self-assessment (CSA) process.

Self-assessment is an organized means of using the knowledge of those who are most familiar with a topic, such
as processes/controls. Self-assessments evaluate how effectively the organization manages its risks of not
achieving its stated objectives and executing the controls designed to mitigate them. Additionally, self-
assessments can be used to identify risk drivers, such as changes in the business, personnel and internal
controls, and reinforce accountability for controls.

EIGHT-STEP TESTING APPROACH

• Define the CSA control scope.
• Build test plans.
• Execute testing.
• Test QA/analyze test results.
• Provide documentation and retention.
• Close meetings.
• Remediate and manage action plans.
• Perform independent verification (internal audit only).

ROLES

The two key organizations are the SOX PMO (internal audit) and the IT organization.

RESOURCES

SOX Testing Template: This template is used for all self-testing efforts.

Quarterly Self-Assessment Survey: This survey is used to identify changes in the control’s environment.

1 Source: www.knowledgeleader.com
Controls Self-Assessment Program Overview: This document provides an overview of the program.

Close Meeting Form: This form is used after the self-assessment.

STEP 1: DEFINE CSA CONTROL SCOPE


Control scoping selects the controls to be assessed during a particular CSA testing period. The control scoping
also includes identifying the specific samples to be evaluated for that control.

CSA Scoping Process


Process and control owners should evaluate X% of super key controls over the first and second quarters. It is
recommended that control owners test controls by process and divide the processes between the first and second
quarters. Any control deficiencies identified in the prior quarter should be re-tested if corrective action has been
taken. Process owners will select secondary controls within each process to test throughout the year. The
secondary controls are evaluated on a three-year rotation. All scoping documentation should be validated with the
SOX PMO before CSA testing.

Determine the Sample Method


Use random sampling where practical. If other methods are used, the rationale should be documented.

Sampling methods include:


• Judgmental: A sample in which the tester uses their preferences to select the sample.
• Haphazard: A sample in which the tester selects the sample without following a structured technique.
• Random: A sample selected in such a way as to avoid presenting a biased view of the population; completely
random.

Determine the Sample Size

Control Sample Size: Control Frequency Matrix

Nature of Control   Frequency of Control   Sample Size*: Test   Deviation   Deviation
Systematic
Manual              Daily
Manual              Weekly
Manual              Monthly
Manual              Quarterly
Manual              Yearly

(The sample size values in the matrix cells are not reproduced in this copy.)
*The sample size indicates the maximum sample size for a given frequency. To expedite testing, the tester should
consider requesting the full sample size. Tests would begin with the quantity indicated in the "Test" column and
increase accordingly based on the number of deviations encountered. Test one sample of each possible
systematic state for systematic controls (those without manual interactions).

STEP 2: BUILD THE TEST PLAN

Utilize the SOX Testing Template


The SOX testing template contains all details for any test performed. It contains critical information such as:
• Process name
• Process owner name
• Test period
• Risk and control number and description
• Test method and sampling description
• Test steps performed and results
• Population
• Source of materials used for testing
• References to work papers related to the test
• Testing conclusion
• Name of the tester who performed the test and the date test was performed
• Action plans
• Tick mark legend
• Reviewer and approver name and title

Test Steps
The test steps will:
• Be developed by the SOX PMO.
• Be documented in the SOX testing template and within (Insert System).
• Describe test objectives as identified by the SOX PMO.

Test Population, Period, Source, Test Method, Sampling Selection, Results and Observations
These will:
• Define the population, test period, source, sampling unit and sampling method.
• Identify the related data request.
• State the testing method and sample size to be evaluated.
• Document all results, reasoning and observations.

Test Period
• Test periods are determined by the SOX PMO.
• Testing samples are taken from the defined range.

Test Method
Four test methods can be used:
• Inquire of process and control owners or key management team members. Inquiry-based testing should be
extremely limited and only utilized for secondary controls.
• Inspect the relevant control documentation required of all super key controls.

• Observe the control process or procedure in action.
• Analyze or re-perform the operation of the control using selected transactions. This method provides the
greatest level of evidence.

STEP 3: EXECUTE TESTING


Testing is evaluating a control’s operating effectiveness by examining relevant evidence. This also includes the
documentation of testing performed and the evidence evaluated.

To execute testing:
• Determine sample size based on frequency (see Step 1 and subprocess C).
• Submit the data request to the appropriate person who can provide the information (DBA, change control
administrator, etc.) to gather the required documentation.
• Perform the test, document evidence as required within the work papers (annotations or tick marks, source,
system, etc.), and record the results within the SOX testing template.

Four testing conclusions can result:


• Pass: No exceptions were noted during testing.
• Fail: An exception was noted during testing.
• Insufficient Evidence: The activity will be evaluated during the next quarter's testing because of an inadequate
population size or other timing-related issues.

Note: Only one exception is required for a test to fail.

What is an exception?
• An exception is when testing results are inconsistent with the documented control.
• Exceptions occur when:
− Evidence of the control's operation cannot be provided.
− Evidence indicates that the control is not operating as designed.

What do I do if I find an exception?


• Determine the root cause (if possible).
• Document the exception(s) and the explanation in the SOX testing template.
• Determine whether the exception is explained or unexplained.

Exceptions are a confirmed breakdown of the tested control or one for which management cannot support why
the exception occurred.

Example: If user access forms were not signed at all, this would be an exception.

Test results will:


• Be documented in the SOX testing template.
• Facilitate management/process owner conclusions on control operation effectiveness.

Note: If you have any questions, contact the process owner or SOX PMO.

Action plans will:


• Be documented within the SOX testing templates when an ineffective control is identified.
• Define a due date, which the process owner should monitor.
• Be reviewed and approved by the SOX PMO for appropriateness and timeliness.

STEP 4: TESTING QUALITY ASSURANCE (QA)/ANALYZE TEST RESULTS
Testing QA reviews completed testing documentation to ensure that it meets quality standards, clearly documents
the testing performed and supports the appropriate operating effectiveness conclusion. Testing QA is performed by
the process owners and by internal audit.

Control operation effectiveness conclusions will:


• Be documented in the SOX testing templates and loaded into a repository by the SOX PMO.
• Lead to the generation of an action plan for ineffective controls.

STEP 5: DOCUMENTATION AND RETENTION


• All audit documentation will be maintained per standard procedures.
• Control and process owners need to retain the following for sufficient evidence:
− SOX testing templates must be detailed and completed.
− Evidence of all control operation must be reviewed (binder or e-repository with sign-off list).
− Each control exception must be reflected within the SOX testing template and have a documented action
plan.

STEP 6: CLOSE MEETING


The close meeting will be conducted at the end of the quarterly testing. The SOX PMO will organize the meeting
once the respective process owners have completed all testing.

The purpose of the close meeting is for the SOX PMO and the process owner to reach a consensus on the
effectiveness of the controls evaluated. A sign-off form will be the evidence of the close meeting approval.

During this meeting, the process owner will report their process's CSA audit results and metrics. The metrics will
include the following:
• Number of super key and secondary controls in the process
• Number of super key and secondary controls that were evaluated during the period and the number that were
deferred
• Number of super key and secondary controls evaluated that had unexplained exceptions (i.e., failures)

The process owner will have action plans, an action plan owner and a due date assigned for all noted control
deficiencies.

STEP 7: ACTION PLAN MANAGEMENT AND REMEDIATION


Action planning is the process of accounting for issues stemming from control exceptions. It includes
understanding the number of issues per test cycle, monitoring remediation steps and tracking remediation
progress.

Remediation is the process of correcting problems identified during the testing process. This activity primarily
focuses on improving the operation of existing controls or creating new controls.

If a control fails, remediation steps are taken with the control owner, and either the control will be made to perform
as documented or the control wording will be amended to more accurately reflect the control as it actually operates,
ensuring that the design remains effective. Remediation can also be accomplished by altering the process to
ensure greater compliance.

Remediation items must be evaluated within the subsequent quarter unless there is an insufficient sample size or
population.

If the appropriate sample size or population does not exist, a control may be deferred to the next quarter with the
process owner and SOX PMO approval.

STEP 8: INDEPENDENT VERIFICATION (INTERNAL AUDIT ONLY)


Independent verification testing is the process of re-performing tests previously executed by control owners to
ensure the integrity of the test effort and testing conclusions.

Independent verification testing will:


• Consist of X percent re-performance of documented CSA results for a given control.
• Consist of X percent new samples to be selected given the entire population.
• Have all results documented within (Insert System).

CONTROLS SELF-ASSESSMENT FAQ

WHAT IS A CONTROLS SELF-ASSESSMENT (CSA)?


Self-assessment is a recognized best practice and has been applied to risks and controls for many years.
Systematically applied across the organization at the entity and process levels, self-assessment is a
predetermined approach whereby individuals self-review or self-audit the controls for which they are responsible
AND communicate the results to appropriate management.

Self-assessment is an organized means of:


• Using the knowledge of those who are most familiar with a topic, such as processes/controls, to:
− Evaluate how effectively the organization is managing its risks of not achieving its stated objectives and
executing the controls designed to mitigate those risks.
− Identify risk drivers, such as changes in the business, personnel and internal controls.
• Reinforcing accountability for controls.

WHY IS COMPANY X ENGAGING IN THIS PROCESS?


• Company X’s board of directors has made this a priority.
• Reinforcing accountability has a direct, positive impact on the quality of control execution.
• Compliance costs are reduced.
• The number of control deficiencies outstanding at year-end is reduced.
• Internal controls are enhanced.
− Drive “tone at the top.”
− Create a “control-conscious culture” by building compliance into business processes.
− Reinforce accountability for internal controls.
− Shift the internal audit’s role in SOX compliance to monitoring and quality assurance, increasing the internal
audit’s resources available to help the business achieve its objectives.

HOW OFTEN WILL WE COMPLETE A CSA?


Company X will complete a quarterly CSA for the first two quarters of the fiscal year, in which X percent of super
key and a portion of secondary controls will be tested based on the process owner and the SOX PMO’s scoping.
Further, any control which failed in a prior quarter will be re-tested if corrective action has been taken.

HOW LONG DO I HAVE TO COMPLETE MY CSA TESTING EACH QUARTER?
Each control owner will have three weeks from the beginning of the self-assessment process to complete the
CSA.

WHAT IS MY ROLE IN THE CSA PROCESS?


Responsibilities are identified for internal audit, the process owner, the control owner and the tester.

HOW DO I KNOW IF I AM CONDUCTING TESTING CORRECTLY?


Follow the test steps documented by internal audit. Ask the process owner or SOX PMO if you have questions or
need assistance.

WHAT DO I DO IF A PROCESS FAILS?


Document the results within the SOX testing template and alert the process owner. If in doubt, ask!

WHERE ARE TEST RESULTS DOCUMENTED?


All results are documented within the SOX testing template, and internal audit will load them into a repository.

WHO DO I NOTIFY WHEN TESTING IS COMPLETE?


Once the process owners complete, review and approve the testing, the SOX PMO should be notified.

WHERE CAN I GET MORE INFORMATION ON CSA?


You can find more information at the control self-assessment center at www.theiia.org or contact the SOX PMO.
