The Control Self-Assessment Process: Proactive Versus Reactive Risk Management
The compliance burden on critical IT staff can be crippling. Tracking the moving target of regulatory requirements is a full-time job for some, and it often becomes a game of catch-up rather than the proactive approach that auditors and examiners prefer.
There is a process that facilitates early identification of emerging or changing risks and therefore makes compliance requirements easier to manage: the control self-assessment (CSA) process. Properly implemented, CSA is an extremely effective risk management tool.
Implementing a CSA process is highly recommended by the FFIEC, which mentions it 43 times across seven of the 12 FFIEC IT Examination Handbooks. The Information Security Handbook makes the most compelling argument for building CSA into your risk management program:
Control self-assessments validate the adequacy and effectiveness of the control environment. They also facilitate early identification of emerging or changing risks.
All of the major auditing standards bodies (IIA, AICPA, ISACA) also stress the importance of internal control reviews. Most auditors say that institutions with an internal CSA process demonstrate a more mature risk management process, which results in fewer and less severe audit findings. This stands to reason: a dedicated internal CSA process identifies and corrects control weaknesses before the audit, instead of waiting for the auditor to find them.
From the examination perspective, credit unions should institute a CSA process in order to earn the best possible IT composite rating. One of the biggest differentiators between a composite “1” and a “2” is the institution’s ability to identify weaknesses promptly and take appropriate corrective measures to resolve them.
Granted, the last thing you need is another resource-draining committee. Fortunately, the framework could already be in place through your IT or Tech Steering Committee. Chances are this committee already consists of members representative of all functional units within the organization.
The committee has the support of senior management and is empowered to report on all risk management controls. All that is needed is a standardized agenda to follow. The only real difference between this agenda and the standard IT committee agenda is that every finding in the gap analysis must be assigned to a responsible party for remediation and tracked until it is closed.
IT Enables the Process
Credit unions should look to automate their IT reporting systems so that the CSA process is built in rather than bolted on. Automated reports are free of the transcription errors and inconsistencies of manually compiled ones, and they don’t take vacations or sick days, so the data is more accurate, consistent and current. The caveat is that an automated report faithfully reproduces any error in its inputs, so the data sources and report logic must themselves be reviewed periodically.
Both auditors and examiners prefer automated reporting because they have a higher degree of confidence in the accuracy and integrity of the data. According to the FFIEC, IT systems should be designed and managed to “provide accurate, timely reports to management. These reports serve as the basis of major decisions and as an effective performance-monitoring tool.”
The FFIEC strongly encourages a control self-assessment process, and for most institutions it is not difficult to implement and administer. Add an automated IT reporting capability and you have a very powerful toolset for earning stronger URSIT (Uniform Rating System for Information Technology) ratings. Note that under URSIT, as under CAMEL, a lower number is the better rating, so “stronger” means closer to a composite “1”.
Since stronger URSIT ratings contribute to stronger CAMEL ratings (and potentially lower deposit insurance assessment rates), everyone from your examiners to your board of directors and shareholders will see the benefits.