“How to” guide to the Control Self Assessment (CSA) tool and process

“How to” guide to the Control Self
Assessment (CSA) tool and
process
Contents
1.
What is CSA?.................................................................................................................. 2
2.
Why CSA? ....................................................................................................................... 2
3.
Training and support ..................................................................................................... 3
4.
Processes ....................................................................................................................... 3
5.
Frequently asked questions (FAQ’s) ............................................................................ 4
6.
Contact List .................................................................................................................... 8
1. What is CSA?
Introduction
Control Self Assessment (CSA) provides the ability to deploy assessments into divisions / sites
enabling the appropriate staff to rate the control existence and effectiveness. The primary objective of
the CSA tool is to provide the business with a view of their controls and the benefits include:
► Enhanced accountability of control owners;
► Visible management monitoring and measurement of control effectiveness; and
► Oversight of control environment for smaller sites.
CSA is a tool for acquiring information about business process risks, while empowering the process
owners to take responsibility for identifying and mitigating those risks. It is a process that allows key
stakeholders in a company to look at the risks they face, examine the controls in place to deal with
those risks and assess their adequacy.
This web based tool has been designed to facilitate the assessment of control effectiveness within
Nampak. The primary objective of the CSA tool is to provide the business with a view of their controls
and their reliability.
Intended audience
The “How to guide” to CSA is an informative guideline document about the Control Self Assessment
tool. Please not that this guide is not intended to be training material. A copy of the ‘reference guide’ is
available online on CSA site on http://www.eyassess.co.za under the “Help” section.
The purpose of the guide is to act as a generic document for Nampak employees (internal audit and
control stakeholders) to refer to at any time to obtain required information about CSA. It has been
developed to assist with knowledge transfer for existing and new resources. It can be used as a quick
reference guide or as a comprehensive tool to facilitate the knowledge transfer process. This document
has a frequently asked questions section towards the back to be used when needing to access
information quickly and will provide answers to common questions about CSA, including technical
information.
2. Why CSA?
Benefits to the business
CSA provides the ability to deploy assessments into various divisions enabling people at the
appropriate responsibility levels to rate the control existence, effectiveness and reliability at their
specific location. The CSA tool can allow for the roll up of results through the hierarchy of the division to
provide a view of the health of the specific division’s controls.
“Faced with increased scrutiny of the corporate governance environment, companies are turning to an
internal audit tool to help them dig deep: Control Self Assessment. Turning up risk information that may
otherwise be overlooked, self assessment programs can provide the basis for annual audit plans and
help auditors expand their reach and effectiveness.”
Facilitate.com
2
3. Training and support
Who can you speak to?
All queries should be channelled through to the CSA support team at [email protected]
Some of the issues they assist with are:
► Assistance in accessing the web address;
► Difficulties logging onto the system; and
► Navigating inside the system and other related problems.
4. Processes
A change can be constituted by one or more of the following needs:
► Change in control owner;
► Change in process owner;
► Control description changes;
► New processes, control objectives or controls; and
► Base data structure changes.
Change control process
To be determined after the first run and will be workshopped with management.
3
5. Frequently asked questions (FAQ’s)
The following section is derived from the most frequently asked questions that have been asked from
previous experience with the CSA rollouts. The questions have been categorised for ease of reference.
CSA general
What is the CSA tool?
It is an automated web-based Controls Self Assessment tool which provides divisions with a view of
their controls and their reliability.
Why do we use the CSA tool?
The CSA tool is used for the testing of specific controls and provides an understanding of the
effectiveness of controls at a point in time.
Where can I view the completion date for the assessment?
Once you have logged into the CSA System, Click on “Self Assessments”, the end date for the current
assessment is indicated as the “Due Date”. The system will automatically shutdown at 00h00 on the
evening of that date.
Access
I have tried to logon to the system with my username and password but get an error,
what do I do?
Please contact the CSA support team at [email protected] to verify that you are using
the correct logon username and password.
What is the website address for completing my assessment?
The web address for the CSA assessment is: http://www.eyassess.co.za.
How do I get a username and password to access the system?
An automatic email will be sent to your email address when the CSA assessment is open. This email
will include your username and password. Should you be aware of your responsibility for completion of
the assessment and you do not receive your username and password prior to the start date of the
assessment, please verify your logon details with the CSA support team on
Akhona.[email protected]
I am not assigned as a user on the system and not required to complete the
assessment, how can I go about getting access privileges to view results?
Speak to your Divisional Finance Director (DFD)/ Human Resources Director (HRD) to obtain
permission to view CSA results for your division. Log a request for the change and have it approved by
your DFD/ HRD. This will be passed on to the project team via the formal change management
process. The requirement will be forwarded to the appropriate system administrator. Access will be
configured and the new user will be notified of his/her logon details and will be assisted on how to
navigate to the system reporting functionality.
4
5. Frequently asked questions (FAQ’s) (continued)
Assigned processes, control objectives and controls
I’m not assigned to the correct processes, control objectives or controls, what should I
do?
It is important that the correct people are assigned to the appropriate processes, control objectives and
controls during the business data gathering, in which the upload sheets are completed and prepared
for upload in the CSA system. It is very complex to apply these changes after the upload has been
completed as scoring for the overall cluster or division may be affected. Should an oversight have
occurred, the change should be directed via the relevant DFD/ HRD who will in turn provide the CSA
support team with the information required to make the necessary changes. The CSA support team will
inform the user when the configuration changes have been made.
Why is one or more of my assigned processes not showing?
The process may have been assigned to a different user resulting in the process not being displayed
as part of your responsibility when you log into the system. (This is because the system will only
display the processes, control objectives and controls that have been assigned to you.)
How do I view which processes, control objectives or controls are assigned to me?
Use the logon credentials provided to you to log into the CSA system. On the ‘Home Menu’, select the
‘Answer Assessment’ under the ‘Assessment’ tab on the menu on the left hand side of the screen. All
processes, control objectives and controls assigned to you will be reflected on the right hand side.
What should I do if a process, control objective or control is not applicable?
Should a process, control objective or control have been assigned to you incorrectly during the
information gathering process, you may suggest to the relevant process owner in your division that a
different person should be completing the assessment for a particular process, control objective or
control. The process owner may then request assistance from the CSA support team to assist with the
query.
How can I change my assessment after the completion date (system cut-off date)?
You can’t. The system will automatically shutdown at 00h00 on the evening of the due date.
Can I go back and change my answers?
Yes, provided the system has not been closed or the processes have not been signed off.
As a process owner, how do I change a rating that I disagree with?
The process owner can contact the control owner that answered the part of the assessment that you do
not agree with and ask them to explain their rationale on using that particular value. If both parties
agree ONLY the control owner can change the rating. However once the process owner has signed off
the assessment NO changes can be made.
5
5. Frequently asked questions (FAQ’s) (continued)
Training
How do I complete the assessment?
A copy of the reference guide is available online on CSA site on http://www.eyassess.co.za under the
“Help” section. This reference guide will be emailed to all new users. Once you have worked through
the reference guide, log into the system, select “Assessment” then select “Answer Assessment” from
the sub-menu. Click on the relevant process in the table, and then select the appropriate control
objective to view the controls. Rate the controls on a scale of 0 – 2 and then click the complete button
when completed.
The assessment scale is defined as follows:
·
·
·
0 = No transactions for the assessment period;
1 = Controls is in place and operating effectively;
2 = Control not in place and/or not operating effectively.
Progress
How do I view the progress of my assessment?
Use the logon credentials provided to you to log into the CSA system. On your ‘Home Menu’, select the
“Assessment” tab on the menu on the left hand side of the screen. The percentage of completion will
be displayed on the right hand side for all processes that have been assigned to you to complete. The
start and due date of the current assessment are also displayed.
Alternatively, click on the “Reports” tab on the ‘Home Menu’ and select “Answer Sheet (not
completed)”. This is a report for all controls that have not been rated. Select the report period you want
to view (run type and run date) and download the report in Excel format.
Sign off (this section is only applicable for process owners)
How do I sign off on the processes assigned to me as the process owner?
Use the logon credentials provided to you to log into the CSA system. On your ‘Home Menu’, select the
“Assessment” item on the menu on the left hand side of the screen. From the “Assessment” sub-menu
select the “Sign-off” option. Select the processes displayed on this screen and upon review click the
“Set to Complete” button to finalise the sign-off of the relevant process.
Why can’t I sign off the processes listed?
Processes will only be displayed on the “Sign-off” screen if all controls for that process have been
assessed. At such a time the system will display the processes as ready for sign-off. Select the process
and click on the “Set to Complete” button. Should you experience any problems during this process,
please contact the CSA support team immediately and they will attempt to resolve the issue as a
matter of urgency.
6
5. Frequently asked questions (FAQ’s) (continued)
User details
What should I do if my name is incorrectly spelled?
Contact the CSA support team on [email protected] They will rectify this and send you
a communication after resolving this. They will also request that you login again to ensure that the
matter has been resolved.
My e-mail address is incorrect, how can I have it corrected?
If your e-mail address is incorrect, you will experience problems logging into the CSA system. Contact
the CSA support team on [email protected] They will rectify this and send you a
communication after resolving this. They will also request that you login again to ensure that the matter
has been resolved.
My name isn’t on the user list sent out, what should I do?
Contact the CSA support team on [email protected] They will investigate the matter by
firstly referring to the base data provided by the division to confirm if you have been specified as part of
the system configuration. If you have been configured on the system, the CSA support team will supply
you with your logon details and ask you to log in to ensure that you can access the CSA website.
Should your details not have been included in the initial configuration information; the call will be
escalated to the relevant DFD/ HRD for clarification.
Delegation
I am no longer responsible for answering the assessment, what should I do?
Should the responsibilities in your area have changed after the CSA system has been configured for
the next CSA run, the process owner of the relevant process in your location/region may re-assign
either the process or the control objective to another user.
What should I do if I am unable to answer the assessment for a temporary period of
time?
Check the due date for the current assessment on the CSA system. If are aware that you will not be
available during this time and not be in a position to complete the assessment online from where you
are; inform the relevant DFD/ HRD and consult as to what can be done to accommodate your
constraints.
Suggestions
What should I do if I have a suggestion for enhancements to the tool?
Contact the CSA support team on [email protected] The CSA support team will send
your suggestions to the technical and project teams. They will review the suggestions and assess how
and when your request/suggestion can be accommodated in the upcoming enhancements or future
releases of the system functionality.
7
6. Contact List
CSA support – [email protected]
8