Control Self-Assessment Policy
Prepared By:
Approved By:
Revision Date:
Effective Date:
The following sample outlines a set of policies and procedures for the control self-assessment process.
PURPOSE
The purpose of this policy is to assist control owners, process owners and internal audit with implementing and
executing the control self-assessment (CSA) process.
Self-assessment is an organized way of drawing on the knowledge of the people most familiar with a topic, such as a
process or its controls. Self-assessments evaluate how effectively the organization manages the risk of not
achieving its stated objectives and how well it executes the controls designed to mitigate that risk. Additionally,
self-assessments can be used to identify risk drivers, such as changes in the business, personnel and internal
controls, and to reinforce accountability for controls.
ROLES
The two key organizations are the SOX PMO (internal audit) and the IT organization.
RESOURCES
SOX Testing Template: This template is used for all self-testing efforts.
Quarterly Self-Assessment Survey: This survey is used to identify changes in the control environment.
1 Source: www.knowledgeleader.com
Controls Self-Assessment Program Overview: This document provides an overview of the program.
Sample Size by Control Frequency*
• Systematic
• Manual Daily
• Manual Weekly
• Manual Monthly
• Manual Quarterly
• Manual Yearly
*The sample size indicates the maximum sample size for a given frequency. To expedite testing, the tester should
consider requesting the full sample size. Tests begin with the quantity indicated in the "Test" column and
increase accordingly based on the number of deviations encountered. For systematic controls (those without manual
interaction), test one sample of each possible systematic state.
STEP 2: BUILD THE TEST PLAN
Test Steps
The test steps will:
• Be developed by the SOX PMO.
• Be documented in the SOX testing template and within (Insert System).
• Describe test objectives as identified by the SOX PMO.
Test Population, Period, Source, Test Method, Sampling Selection, Results and Observations
These will:
• Define the population, test period, source, sampling unit and sampling method.
• Identify the related data request.
• State the testing method and sample size to be evaluated.
• Document all results, reasoning and observations.
Test Period
• Test periods are determined by the SOX PMO.
• Testing samples are taken from the defined range.
Test Method
Four test methods can be used:
• Inquire of process and control owners or key management team members. Inquiry-based testing should be
extremely limited and used only for secondary controls.
• Inspect the relevant control documentation required of all super key controls.
• Observe the control process or procedure in action.
• Analyze or re-perform the operation of the control using selected transactions. This method provides the
greatest level of evidence.
To execute testing:
• Determine sample size based on frequency (see Step 1 and subprocess C).
• Submit the data request to the appropriate person who can provide the information (DBA, change control
administrator, etc.) to gather the required documentation.
• Perform the test, document evidence as required within the work papers (annotations or tick marks, source,
system, etc.), and record the results within the SOX testing template.
What is an exception?
• An exception is when testing results are inconsistent with the documented control.
• Exceptions occur when:
− Evidence of the control's operation cannot be provided.
− Evidence indicates that the control is not operating as designed.
An exception is a confirmed breakdown of the tested control, or a result for which management cannot explain why
the exception occurred.
Example: If user access forms were not signed at all, this would be an exception.
Note: If you have any questions, contact the process owner or SOX PMO.
STEP 4: TESTING QUALITY ASSURANCE (QA)/ANALYZE TEST RESULTS
Testing QA reviews completed testing documentation to ensure that it meets quality standards, clearly documents
the testing performed and supports the operating effectiveness conclusion reached. Testing QA is performed by the
process owners and by internal audit.
The purpose of the close meeting is for the SOX PMO and the process owner to reach a consensus on the
effectiveness of the controls evaluated. A sign-off form will be the evidence of the close meeting approval.
During this meeting, the process owner will report their process's CSA audit results and metrics. The metrics will
include the following:
• Number of super key and secondary controls in the process
• Number of super key and secondary controls that were evaluated during the period and the number that were
deferred
• Number of super key and secondary controls evaluated that had unexplained exceptions (i.e., failures)
The process owner will have action plans, an action plan owner and a due date assigned for all noted control
deficiencies.
Remediation is the process of correcting problems identified during the testing process. This activity primarily
focuses on improving the operation of existing controls or creating new controls.
If a control fails, remediation steps are taken with the control owner. Either the control is brought into line with
its documentation, or the control wording is amended to reflect more accurately the control as it is actually
performed, provided the design remains effective. Remediation can also be accomplished by altering the process to
ensure greater compliance.
Remediation items must be evaluated within the subsequent quarter unless there is an insufficient sample size or
population.
If the appropriate sample size or population does not exist, a control may be deferred to the next quarter with the
process owner and SOX PMO approval.
HOW LONG DO I HAVE TO COMPLETE MY CSA TESTING EACH QUARTER?
Each control owner will have three weeks from the beginning of the self-assessment process to complete the
CSA.