The overall goal of each of the formats may be to evaluate control effectiveness, but the starting point for the discussion is different and will often be determined by the organization's culture and how well management understands the control environment. For relatively new organizations, or for those groups in which management has not been educated in risk and control concepts, it may be best to start with process- or objective-based workshops. These formats will better enable a more educational slant to the workshop. For more experienced management teams, the risk- or control-based workshops may work just as well. In the end, going through the processes, objectives, risks, and controls with management in an engaging workshop setting can have some surprising secondary benefits:
- Management will walk away with a better understanding of their business
- Management will gain an education on the nature of risk and control environments
- The burden of evaluating controls will be shifted to the control owners
- Internal Audit and Compliance teams will be viewed more as a business partner and less as policy enforcement
With the introduction of the updated COSO Framework, now is the perfect time to revisit RCSA and the Facilitated Workshop. In 2014, most organizations went through painstaking exercises to map their internal controls to the principles outlined in the updated framework. The conversations about COSO have tended to remain at the senior management level, with compliance teams presenting to Controllers, CFOs, and external audit/accounting firms. The information is just as relevant to the process and control owners. With the information still fresh in our minds, we should take the opportunity to bring the process and control owners into the conversation, and a great way to accomplish this task is through the Facilitated Workshop.
Process-based RCSA facilitated workshop example
To help you understand how these self-assessment workshops work, consider these basic steps:
Step 1 - Choose the right attendees
Probably the most important part of organizing the facilitated workshop is choosing the right people to include in the meeting. You need to choose attendees who can contribute to the conversation, and you also need to invite people who are willing to speak in front of each other. Bringing in accounting managers from the expense group might be the right idea, but if you also include the controller, the rest of the group might be too nervous to participate.
Step 2 - Plan the agenda
If you are facilitating the workshop, this is your meeting. You set the agenda, and it's your job to keep everyone on track. As with most exercises, planning is crucial for success. Based on the plan, there might be some work to do up front. For example, if you want to review survey results during the session, you'll need to plan time to send the survey and compile results.
Step 3 - Execute the workshop
During the workshop, there are a number of methods for getting the group to engage in the conversation. You might try one of the following:
- Reviewing survey results
- Building out and discussing process maps
  - Maps should include the process, risks, and ultimately the controls
  - Documenting the process together is very useful for inexperienced management teams
- Drawing out the group with questions, such as:
  - How do you do this? (process)
  - What could go wrong? (risk)
  - What would stop you from getting this done? (risk)
  - How do you make sure this gets done? (control)
Remember, as you go through this process, your job is to facilitate. You are not there to feed the participants answers, so don't take over.
Another big aspect of the workshop is documentation. The literature on facilitated workshops usually discusses polling devices and electronic ways to capture data. Most of us will not have access to this particular technology, so just capturing the information is the goal. As a best practice, have a second person in the room to document the session. You'll probably be too busy to do this yourself.
Step 4 - Update the participants
Once the session is complete, you'll start processing all of the information you obtained during the workshop. If this is done as part of an audit, you may need to perform additional follow-up and testing. In this case, the workshop is essentially your walkthrough prior to testing. In any case, you should provide detailed documentation back to the workshop participants. If you made flowcharts during the session, clean these up and get them back to the group. If you created any charts or tables with the data, these should be provided as well. Out of respect for the team, you should provide the documentation that they helped produce. Treating them all with a high level of respect will go a long way in planning future workshops.
For each of the steps, there are variations and details that will make the difference between a good workshop and a great workshop. For more details, The IIA bookstore has a few good resources like Control Self-Assessment: A Practical Guide and the Certification in Control Self-Assessment (CCSA®) Study Guide.
Leveraging technology
If you are planning to try any RCSA techniques, technology can help. Earlier I mentioned the use of polling devices. If you do have access to polling tools, the effect can be profound. You can move a workshop from an open discussion to one with anonymous responses captured by software that can be used to create a statistical analysis.
Audit Management software and applications made for SOX Compliance Management will often have both survey capability and self-assessment tools built in as standard features. You may already have more tools at your disposal for performing an RCSA than you even realize. Take advantage of them.