Control self-assessments validate the adequacy and effectiveness of the control environment. They also facilitate early identification of emerging or changing risks. Management should base the frequency of control self-assessments on the risk assessment process and should coordinate the self-assessments with the internal audit plan. Control self-assessments are not a substitute for a sound internal audit program. The audit function should review the self-assessments for quality and accuracy. Internal audit also may reference the self-assessments as part of the audit risk assessment process and may use them to plan the scope of audit work.
Depending on the size and complexity of the institution, the content and format of the control self-assessment may be standardized and comprehensive or highly customized, focusing on a specific process, system, or functional area. IT operations management should collaborate with the internal audit function in creating the templates used. Typically, the self-assessment form combines narrative responses with a checklist. The self-assessment form should identify the system, process, or functional area reviewed, and the person(s) completing and reviewing the form. In general, the form should address the broad control topics in this booklet, including policies, standards, and procedures, as well as the specific controls implemented. Management review and analysis of reported events is an important supplement to the control self-assessment process. Forensic review of events and their resolution provides valuable insight into the effectiveness of the control environment and any need for additional controls.
Appendix A: Examination Procedures