|
Control self-assessment is a technique developed in 1987 that is used by a range of organisations including corporations, charities and government departments, to assess the effectiveness of their risk management and control processes. A "control process" is a check or process performed to reduce or eliminate the risk of error. Since its introduction the technique has been widely adopted in the United States, European Union and other countries. There are a number of ways a control self-assessment can be implemented but its key feature is that, in contrast to a traditional audit, the tests and checks are made by staff whose normal day-to-day responsibilities are within the business unit being assessed. A self-assessment, by identifying the higher risk processes within the organisation, allows internal auditors to plan their work more effectively.〔(【引用サイトリンク】title=Control Self-assessment: An Introduction )〕 A number of governmental organisations require the use of control self-assessment. In the United States it is a requirement of the FFIEC that control self-assessments are performed on IT systems and operational processes on a regular basis.〔(【引用サイトリンク】title=FFIEC IT Examination Handbook )〕 Benefits claimed for control self-assessment include creating a clear line of accountability for controls, reducing the risk of fraud and the creation of an organisation with a lower risk profile.〔 In certain circumstances control self-assessment is not always effective. For example, it can be difficult to implement in a decentralised environment, in organisations where there is high employee turnover, where the organisation goes through frequent change or where the senior management of the organisation does not foster a culture of open communication. ==Development and worldwide adoption== Control self-assessment was developed by Gulf Canada in 1987 when the company's General Auditor, Bruce McCuaig was dissatisfied with the standard auditing techniques in use following the impact of the Watergate affair on the parent company, Gulf Oil Corporation. The decision to fully implement control self-assessment at Gulf Canada was driven by a number of factors. These included the presence of a consent decree requiring the company to report on its internal controls and the difficulties it was facing in estimating its oil and gas reserves using more traditional audit measures. Over the next ten years Gulf Canada developed a framework to support the analysis and evaluation of control processes by operational staff. This included anonymous voting to ensure there was no impediment to staff expressing their views. The approach was first published in ''Internal Auditor'' in December 1990. Gulf Canada discontinued this facilitated meeting approach in 1997 although it continued with control self-assessment using different techniques.〔 Following Gulf Canada's introduction of control self-assessment many private sector organisations implemented similar techniques. In the United States several states made reviews based on control self-assessment practices mandatory as did the Federal Deposit Insurance Corporation and the Canadian Deposit Insurance Corporation.〔 Initially external auditors ignored the benefits of control self-assessment even though it was effective at providing audit evidence around the "soft" areas (such as staff morale) that are critical to the effectiveness of internal control systems. After a number of financial scandals, notably the collapse of Robert Maxwell's publishing empire, the United Kingdom government commissioned Adrian Cadbury to chair an investigation into corporate governance. The committee published its report ''The Financial Aspects of Corporate Governance'' in 1992. In section 4, Reporting and Controls, Cadbury made a number of recommendations that led to the increased adoption of control self-assessment in the UK. In particular section 4.5 of the Code of Practice contained within the report required that the directors of a company should report on the effectiveness of the company's system of internal control in each annual report. In March 2000 the European Commission approved a white paper on reform that led to a major change in the way the Commission was managed. These changes included recommendations for each department to establish an effective internal control system. To support the implementation of the internal controls the Directorate-General for Budget's Central Financial Service developed a control self-assessment process. This first control self-assessment identified several areas for improvement in internal control across the Commission most notably the need to implement a more systematic approach to risk management. The outcome of this first self-assessment was the implementation of the requirement for every Directorate General to perform a control and risk self-assessment annually. In 2007 the United States implemented the Sarbanes-Oxley Act. In order to comply with section 404 of the Act the company had to perform a top down risk assessment which necessitated the production of an "internal control report" that affirmed "the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting." . This report has to include an evaluation of the effectiveness of the internal controls and procedures that are related to financial reporting. To meet this requirement organisations increasingly began to perform a control self-assessment using a recognised standard methodology. The organisation's external auditors, who are required to sign-off the internal control report, typically became more deeply involved in the control self-assessment process as it facilitated their later review of the internal control report. In the United Kingdom in 2011 the Financial Services Authority recognised in its recommendations for the improvement of operational risk management that the assessment of risks through a control self-assessment may be an important means of identifying risks. It also noted that for the assessment to be fully effective it had to be fully integrated into the financial organisation's risk-management process. 抄文引用元・出典: フリー百科事典『 ウィキペディア(Wikipedia)』 ■ウィキペディアで「Control self-assessment」の詳細全文を読む スポンサード リンク
|