Phew! We’ve had a surge in inquiries about Control Self Assessments lately! What’s more interesting is that, among the four clients that followed through with implementation in the last two weeks, each client had their own thoughts about how the process would best fit in their respective organizations.
Control Owners Complete a Detailed Page
For one of the clients that I worked with, the Control Self Assessment is a task or process whereby the Control Owner completes their own walkthrough of the Control. For this client, the configuration in policyIQ included the development of a new Control Self Assessment page template that very closely reflects the formal Test of the Control. The Control Owner completes one of these CSA pages each quarter and links it to the relative Control. The Internal Audit team can report on any or a combination of fields within the CSA pages.
Control Owners Responsible for Staying Up-to-date on Controls, Then Sign-off
A second example of the CSA process that I observed recently was one in which the Audit team was most concerned with holding Control Owners accountable for their Control documentation. For this implementation, a CSA Form Template including a few high level, generic questions was created. Additionally, the organization is providing Control Owners guidance regarding how to create an Advanced Search that helps Control Owners to easily pull up a list of their respective Controls. Form Activities are helpful in this type of process as they allow real-time monitoring of the status of responses.
Control Owners Review Relative Controls upon Sign-Off
In yet another CSA implementation within the last week or two, I worked with a client that wanted to record the sign-off of their Control Owners and, in doing so, wanted to make the process as straight forward as possible for the end users. We set up this process similar to the Form Template example above. Rather than direct Control Owners to create an Advanced Search to identify Controls, we added the Form Template to a Form List as many times as they have Control Owners. The Form Templates added to a List are then referred to as List Templates. This client customized each List Template with a link to the appropriate Control page(s) in policyIQ. So, there was only one Form Template with generic questions, but each Control Owner would see his/her own Controls linked to their CSA questionnaire. The bundling of all of the List Templates into one Form List per quarter makes it simple for the administrator of the process to roll-out the questionnaire and to monitor the responses.
In the fourth implementation that I supported recently, the team is following a process very similar to this one, but they are applying the process in their Operations department.
Why the surge? Do you need help, too?
With more than 40 different applications of policyIQ, I am accustomed to bouncing around from one solution to another (I have also presented policyIQ for Automation of Risk Assessment, Contract Administration, 302 Certification, Enterprise Risk Management, Internal Audit, Legal Documentation/Record Retention and Sarbanes Oxley within the last two weeks). What’s more unusual is a spike in inquiries about one particular application, such as Control Self Assessments. Is there something going on out there that I missed? Whatever the reason, if you would like to talk about the use of policyIQ for Controls Self Assessments, the topic is fresh on my mind and I’m happy to help.
Contact us for more information on automating this (or any other) process for your organization.
You may also read up on policyIQ for CSA in more detail in this blog post.