What is CCA?
In our view, Control Co-Assessment ("CCA") is the natural response to the relevance lost in more traditional forms of assurance. The disconnect between those who provide audit services and their client community remains fairly severe to this day. Self-evaluative techniques are the means by which internal control owners are taking back primary ownership of assurance from auditors who do not, and most likely never will, understand the business and its objectives as well as internal control owners do.
Many references or acronyms are used today to describe this empowerment movement. Most often one hears of control self-assessment, or "CSA." In fact, a great deal of the intent behind the so-called Sarbanes-Oxley legislation embodies this theory. In point of fact, most auditors who are involved in CSA are actually involved in some form of control co-assessment, or "CCA": that is, some form of auditor-facilitated assessment of internal control risk by the internal control owner.

To become, or remain, relevant to internal control owners, the audit function must transition to an integral component of the internal control process - rather than maintaining the more traditional role of corporate monitor or policeman. In effect, these "old school" internal auditors are camped onto the shell of an organization's internal control process. CCA can be a very effective path by which the internal auditor can regain relevance in an organization.
Ultimately, the goal of such a journey is not to circle about and practice forms of CCA in the audit function, but rather to transfer various forms of control self-assurance -- true "CSA" -- which are embedded into the routine practices of each business process, with ownership of assurance assigned to the internal control owners as part of the organizational design.
The starting point for obtaining this level of assurance is to achieve a sound grasp of an organization's objectives -- both strategic and operational. Objectives drive an organization towards certain risks and away from other risks. Controls are designed to mitigate the identified risks to within tolerances that are acceptable to the owners of such internal controls. Assurance then follows where internal control owners deem such a need to exist. This cycle is never-ending, and is frequently recalibrated to address the ever-changing challenges and opportunities in the marketplace.
The most effective form of assurance is strategic assurance - a forward-looking point of view. This is a mindset not easily achieved by many auditors, as their traditional education and training have been focused on historical assurance - a look back in time. However, as we all know, the pace of change perpetually quickens, and so does the need for assurance over those events happening here and now, or those events which will happen tomorrow! Remember, with each new mile traveled, those events appearing in our rearview mirror diminish in relevance to the future.
Requisite skill sets today for the world-class internal auditor are many. They are also different from those valued in the past. Sound knowledge of company dynamics, business process and information systems, internal control objectives, risk and mitigating control techniques are critical factors in the successful introduction of CCA. Just as important, however, the auditor should possess polished change management, communication, training, facilitation and assessment skills. In other words, traditional skill sets long cherished in the auditing profession will no longer support the profile of a world-class auditor in the future.
Strategic Linkage

In our view, strategy drives design of an internal control process. Strategies
employed drive a business toward certain risks and away from other risks.
Consequently, mission-critical strategic issues must be considered prior
to evaluating more traditional internal control matters normally associated
with ongoing operation of a business.
Issues that must be considered at the outset of any evaluation entail
understanding key strategic objectives and critical success factors. Ask
yourself the following questions as a starting point to understanding
your assurance needs.
Have objectives and goals been clearly defined and communicated?
Has ownership been assigned?
Is authority and responsibility properly granted?
Are timelines for execution established and realistic?
Have resource requirements been adequately planned for?
Have significant threats to achievement been identified and planned for?
Have performance metrics for critical success factors been established to measure progress?
Linkage of key strategic objectives to such control/risk considerations
is essential for delivery of world-class strategic assurance. Strategic
analysis should drive risk assessment and development of corresponding
assurance programs.
Reporting on Internal Controls
The auditor's objective with respect to reporting on internal controls should
be to transfer this responsibility to the owners of internal controls. In
our view, auditors should be viewed as supplemental
resources to be used for the purpose of assisting internal control owners
with obtaining reasonable assurance toward achieving their assigned goals and
objectives.
Auditors can communicate assurance, either in verbal or written form,
but reporting on internal controls should be a responsibility held by
internal control owners. This level of ownership can only be accomplished
if internal control owners possess the resources necessary to derive sufficient
assurance.
In order for the auditor to be successful, he or she must learn how to
communicate in a common language. Very little nuance understood amongst
auditors is equally understood by non-auditors simply through a "wink
and a nod." Avoid the use of "auditese."
Consider helping your customers develop assurance frameworks for
their own use -- as management tools, not as tools for the auditors. Once
a credible framework has been established, management's assertions as
to the effectiveness of their internal control process can be supported.
An example of wording that would be used for reporting on internal controls
is as follows:
"We have established an internal control process which we believe
reasonably assures that assets are safeguarded; financial and operating
information is reliably reported; the Company is in compliance with
ABC policies and external laws and regulations; and operations are conducted
on an effective and efficient basis. Inherent in all internal control
processes are limitations based on the recognition that the cost of such
processes should be related to the benefits to be derived. The internal
control process is routinely challenged by management, "External
Auditors", and ABC Internal Audit to determine whether the internal
control process continues to function effectively. Significant auditor
recommendations have been reviewed and adopted where appropriate.
We have met periodically with "External Auditors" and ABC Internal
Audit to discuss the scope and findings of audit work performed, the impact
of financial reporting issues and the effectiveness of our internal control
process. "External Auditors" and ABC Internal Audit have been
given full access to the Company's President, with and without the presence
of other Company management, to discuss any appropriate matters.
In the following sections of this Report on Internal Controls you will
find summaries of our monitoring and evaluation of internal controls."
One should attempt to promote enterprise-wide ownership of internal controls
by obtaining signatures to such reports from all officers of an organization.
Remember, all roads do not lead to the CFO; one should emphasize acceptance
of ownership and opining on internal controls by each process owner -
manufacturing, sales, engineering, etc.
For further guidance, the Institute of Internal Auditors has additional
information which may be helpful in developing appropriate language for
reporting on internal controls.
Automated Tools
For successful advancement of CCA, it is very useful to employ the benefits
offered by automation. Many firms offer some type of CCA software product
for sale. But beware, most of these firms use the software as an entry tool for proposing consulting
services which may not be of value to an internal audit group.
From our experience, don't get too hung up in trying to
tailor the software to your "only-one-in-the-world" needs, as
all of the software is designed as an audit tool - designed by
external auditors or consultants, rather than a management tool
- designed by management. CCA tools will help enhance internal control,
but they will never be substitutes for management's interactive monitoring and
assessment of the business on a day-to-day basis.
| Pros | Cons |
| --- | --- |
| 1. CCA tools can heighten the assurance management has toward achievement of their objectives. Business risks tend to be isolated and addressed in a more focused manner. | 1. CCA tools have been designed for auditors, Not management. They typically contain biases in systems design that are not closely married to practical needs. |
| 2. CCA tools can serve to support the empowerment trend underway in organizations today. As "command and control" practices continue to wane, understanding of authority and responsibility can be reinforced through CCA. | 2. CCA tools are full of "Auditese." They contain thought patterns and nomenclature that the rest of the world has some difficulty understanding. |
| 3. As greater employee empowerment / involvement is encouraged, goals and objectives need to be clearly assigned -- CCA is a tool that can reinforce this assignment. | 3. CCA tools are generally designed to support an external or project-oriented review of some aspect of the business -- a "one-time" drill-down. They do not easily lend themselves to a systemic form of assurance. |
| 4. An organization's internal control process can assume greater structure. A framework begins to emerge that is more easily understood and managed. The notion of an organization's internal controls being some amorphous mass should no longer apply. | 4. Current CCA tools are fairly cumbersome in terms of linking to other information resources; including data tables, maps, etc. |
| 5. CCA tools can capture "Best Practices" and serve as an efficient means of sharing "Best Practices." | 5. CCA, when properly applied, consists of "front-end" assessment in the form of surveys, electronic voting, workshops, etc. Yet, the "front-end" is not easily linked on an automated basis to the "back-end," where the repository of knowledge and assurance resides. |
| 6. CCA tools can promote effective communications, as well as efficient knowledge transfer. | 6. Most CCA software products come with an annuitized cost -- the Consultant! In most cases, the consultant's role should be minimal, despite what you hear from the consultants! |
| 7. CCA tools can embed assurance into an organization as simply generally accepted good business practice, thereby reducing the need and cost for augmentive auditor support. | |