Whether it's Sarbanes-Oxley, CLERP 9, APRA, COSO, CoCo, COBIT, Basel or any other regulatory compliance requirement, visibility on the integrity and deployment of your Control Self Assessment Framework is critical for risk management. eCSA3 is a risk management solution that provides full visibility of your Control Self Assessment Framework for managing your regulatory and control item risk. It is designed to ensure that line managers execute the control items and sign off on them. Internal Audit are able to provide full visibility and reporting of the Risk Control Framework to the CEO, CFO, Internal Audit Committee, Board and External Auditors.
Using eCSA3, Internal Audit can react instantly to risk management controls that have not been executed correctly, need changes made or have not been attended to. Without visibility, Internal Audit can only assume controls are being adhered to and executed in the manner expected. How can your CEO and CFO sign off on controls which they don't know are:
- Functional
- Tested
- Spot Checked
Defining the Risk Management Framework is not enough.

How do you know the controls are working?
eCSA3 makes managers accountable for sign off of the controls they are responsible for, just as your CEO and CFO have to sign off. You can see who has and who has not completed their controls.
How do you know the controls are executed?
It is not enough to embed accountabilities in a Position Description. What happens if the person does not execute their controls? When do you find out? With eCSA3 you know when someone has not executed the controls they are accountable for. You have instant visibility.
How can you substantiate that controls were executed and tested?
Without reporting, how do you know which controls were executed and tested? From a spreadsheet? From paper questionnaires? eCSA3 gives you reporting on every control: whether or not it was executed, whether it was spot checked and any known problems with the control.
Move risk management execution and validation to where it belongs - management.
Management have the skills and know-how to execute the controls. Don't rely on accountabilities in Position Descriptions; make managers accountable for specific controls and get managers to sign off on the controls.
How will you pass your Sarbanes-Oxley S404 Audit?
If you cannot substantiate effective execution of controls during the year, how will you pass your S404 audit? How will you know if you have control deficiencies? After there is a problem in reporting? To pass your audit you must be able to demonstrate effective operation of controls with no deficiencies. How can you do this without visibility?
CSA Methodology
eCSA3 uses the traditional Control Self Assessment methodology. Management are asked to sign off on the controls they are responsible for at intervals appropriate to the control. In addition, controls are scheduled for spot checks that can be completed by other parties or Internal Audit.
Scalable
This methodology is scalable, designed to be used in global, geographically dispersed organisations with centralized reporting.
