ABSTRACT
Management is responsible for the organization's programs and processes, and their related objectives, risks, and controls. The CSA documents are distributed at least annually to process owners for completion and are collected in internal audit as documentary evidence for review and discussion. A main concern of CSAs is the lack of objectivity on the part of the document preparers. If the CSAs indicate that conditions are deficient, but the audit returns satisfactory results, that should also be communicated to the corresponding management. CSAs provide a mechanism for managers to demonstrate their ownership of the objectives, risks, and controls they are responsible for. The information contained in CSAs can be used to better understand a process while planning an audit, and as a key element during risk assessments. CSAs should have a feedback loop, so the information provided by process owners is compared to audit results, and the results used to calibrate the process.
