Balance Sheet

CSA in a financial services organisation

Vicky Kubitscheck,
Article information:
To cite this document:
Vicky Kubitscheck, (2000) "CSA in a financial services organisation", Balance Sheet, Vol. 8 Issue: 1, pp.22-26, https://
doi.org/10.1108/09657960010338436
Permanent link to this document:
https://doi.org/10.1108/09657960010338436
Downloaded on: 09 December 2018, At: 04:21 (PT)
References: this document contains references to 0 other documents.
To copy this document: permissions@emeraldinsight.com
The fulltext of this document has been downloaded 195 times since 2006*
Downloaded by UNIVERSITAS TRISAKTI, User Trisakti At 04:21 09 December 2018 (PT)

Users who downloaded this article also downloaded:

(2004),"Control self-assessment as a route to organisational excellence: A Scottish Housing Association case study",
Managerial Auditing Journal, Vol. 19 Iss 4 pp. 484-492 <a href="https://doi.org/10.1108/02686900410530493">https://
doi.org/10.1108/02686900410530493</a>
(2000),"Control Self Assessment. For Risk Management and Other Practical Applications20002. Control Self Assessment.
For Risk Management and Other Practical Applications. Wiley, 1999. 436 pp. £50", Managerial Auditing Journal, Vol. 15 Iss 5
pp. 253-255 <a href="https://doi.org/10.1108/maj.2000.15.5.253.2">https://doi.org/10.1108/maj.2000.15.5.253.2</a>

Access to this document was granted through an Emerald subscription provided by emerald-srm:551360 []
For Authors
If you would like to write for this, or any other Emerald publication, then please use our Emerald for Authors service
information about how to choose which publication to write for and submission guidelines are available for all. Please
visit www.emeraldinsight.com/authors for more information.
About Emerald www.emeraldinsight.com
Emerald is a global publisher linking research and practice to the benefit of society. The company manages a portfolio of
more than 290 journals and over 2,350 books and book series volumes, as well as providing an extensive range of online
products and additional customer resources and services.
Emerald is both COUNTER 4 and TRANSFER compliant. The organization is a partner of the Committee on Publication
Ethics (COPE) and also works with Portico and the LOCKSS initiative for digital archive preservation.

*Related content and download information correct at time of download.

 CONTROL SELF ASSESSMENT

CSA in a financial
services organisation
Control self assessment (CSA), the management technique that aims to contain
risk and ensure that control systems work effectively, is a highly topical issue. Here
Vicky Kubitscheck draws on her experience in developing CSA programmes to offer
Downloaded by UNIVERSITAS TRISAKTI, User Trisakti At 04:21 09 December 2018 (PT)

a guide to developing an approach for your own organisation

HIS ARTICLE AIMS to provide for the future. For nearly 200 years, are in danger of maintaining the ‘it

T an outline to my approach to
CSA and the considerations and
developmental processes that
are necessary for determining
the right approach for an organisation. To
be successful, the CSA programme must
recognise the ‘soft issues’ of the organisa-
insurance and banking organisations
have operated relatively unchanged, dic-
tating their services to consumers. Proud
of their tradition, almost to a point of
arrogance, the financial services industry
will initially need more than mere rec-
ommended practice contained in the
would not happen to us’ syndrome.

Financial services – a whole new

tion like its nature and culture, ie, it must
be specific to the organ-
isation and its people.
Also, by taking into
Many boards in the financial
account existing man-
agement processes and
services industry are in danger
tools already in place,
CSA can be more readi-
of maintaining the ‘it would not
ly integrated into the
organisation.
happen to us’ syndrome
It must be stressed
that CSA underlines sound management
practice and that in an organisation that
is already practising good governance,
CSA should merely be formalising man-
agement’s approach. This article pro-
vides the background and driving forces
that have influenced my present organi-
sation, AEGON UK, and others in the
same industry in implementing CSA. It
concentrates on the evaluation process
used to assist in the consideration and
design of a suitable approach.
Waking the sleeping giant
Logic dictates that organisations in the
financial services industry are well run
with almost an instinctive sense of pro-
priety. After all, they are handling and
being entrusted with someone else’s
assets and possibly nest egg investment
Cadbury report, new Combined Code or
COSO report to help shake it off its
podium (COSO stands for the
Committee of Sponsoring Organisations
of the Treadway Commission).
Early statistics have shown that
financial services organisations have, by
and large, been playing the catch-up
game in the corporate governance arena,
with some minor exceptions in those
involved with the banking industry. The
many international high-profile cases of
poor corporate governance, for exam-
ple, Nomura’s copper trade losses,
Morgan Grenfell Asset Management’s
difficulties, Barings’ breakdown of
controls and supervision, and the
Orange County ‘financial earthquake’,
may have highlighted the risks in defi-
cient systems of control. Yet many
boards in the financial services industry
ball game
Fortunately, strong undercurrents of
change have been tugging at the
feet of the financial services industry in
the 1980s and 1990s, which even the
most entrenched in cul-
tural demeanour cannot
fail to ignore. To do so
would result in the ulti-
mate penalty of being
extinguished. One could
identify four main dri-
ving forces of change
over the last two
decades: new consumer
behaviour; technology; competition and
globalisation; and regulatory and statu-
tory requirements.
New consumer behaviour
Consumers are more knowledgeable for
various reasons, such as improved
standards of education and awareness
of the economy, better communication
through the media and technology, and
more active consumer rights
organisations. Old reliable consumer
behaviour such as loyalty and
predictability will give way to choices of
economy and convenience. Expanding
markets and price-conscious consumers
will drive and have driven the financial
services industry to review its approach
to satisfying the demands of the new
breed of consumers.

22 | BALANCE SHEET | VOL 8 NO 1

 Technology
The technological revolution has
affected not only the way customers are
serviced but also the way products are
distributed. The advent of modern
telecommunications via automatic
telephone sales systems and the Internet
will continue to impact on the tradition-
al methods of management controls.
Competition and globalisation
From the number of mergers and
takeovers occurring in the financial
services industry over the last ten years,
companies not wanting to lose out are
Downloaded by UNIVERSITAS TRISAKTI, User Trisakti At 04:21 09 December 2018 (PT)
under pressure to lower distribution
costs and increase productivity. Being
more cost-efficient and customer-
focused has been a preoccupation in a
number of organisations in the drive to
attain financial strength and to gain
organic growth. The new breed of man-
agers who are ‘empowered’, who are
more aware of corporate objectives and
whose accountabilities are more trans-
parent, is growing.
Regulatory and statutory
requirements
An overwhelming influence on control
self assessment (CSA) in the insurance
industry has been the introduction and
extension of regulatory requirements.
Regulation relating to investment advice
was introduced in the late 1980s, one of
its contributing factors being the outcry
from consumers for more accountability
by product providers and financial
advisors. The need to comply with the
1986 Financial Services Act prompted
the growth of a new business function
with specialist compliance officers and
compliance auditors being trained with
the aim of ‘protecting the investor’.
The transformation of statutory
regulation in the financial services
industry has remained under scrutiny as
Wherever possible, senior
management should front the key
stages of implementation to
demonstrate ownership and buy-in
Without support from the
top, implementing CSA
would be almost impossible
or limited in application
a continuing sign of the complexities
involved in controlling the whole gambit
of financial services and satisfying the
consumer. Pensions mis-selling is one
such example of complexity which
arose, some may say, through a
combination of political and economic
issues. Changes in the various statutory
regulations relating to the banking
industry, building societies, insurance
companies and investment management
companies appear to contain elements of
the new corporate governance culture.
For example, the European
Commission’s Third Life and Non-life
Insurance Directive requires companies
to be managed ‘in accordance with the
principles of sound and prudent man-
agement’. The Department of Trade and
Industry reinforced these principles by
specifying requirements for directors to
make certain disclosures in their annual
returns and by issuing a series on
Prudential Guidance, for example, Note
1994/6, on controls over investments
and derivatives. This regulatory function
has now been taken over by HM
Treasury. The Financial Services
Authority (FSA) has recently been creat-
ed as a ‘super-regulator’ of most forms
of financial service, and the Labour
Government has announced its intention
to ‘clean up the City’.
Design approach
During my research and development of
a CSA methodology, I found that organ-
isations approach CSA in very different
ways, though the principles and
objectives remain similar. It is therefore
not surprising to see a convergence in
the detailed practices, with differences
remaining in the way CSA is introduced
and implemented in an organisation. I
summarise below those factors that have
influenced my approach to implement-
ing CSA.
Executive sponsorship
■ Is CSA being sponsored at the top?
Experience from many organisations
indicates that, without support from the
top, implementing CSA would be almost
impossible or limited in application. The
need for genuine approval and
sponsorship from the top is almost a
prerequisite for introducing a full
CSA programme in an organisation.
■ Will support from the top be visible?
Senior management and the executives
not only need to sponsor the programme
but also must be seen to support the
effort to ensure that appropriate
resources and priorities are committed.
Wherever possible, senior management
should front the key stages of
implementation to demonstrate owner-
ship and buy-in of the initiative. This
visibility is vital to ensure that CSA is
owned by management, by the business
and not the facilitators, especially if the
facilitators are Internal Audit. Involving
management at all levels is also
necessary to reinforce the educational
aspect of CSA, ie, sound management
practice.
■ Is there a business driver for CSA?
Implementing CSA for a specific
business objective that has been
identified by senior management is a
powerful lever in designing approach.
The business drivers that motivated the
boards in the respective organisations in
which I have implemented CSA included
VOL 8 NO 1 | BALANCE SHEET | 23
 CONTROL SELF ASSESSMENT
the need to meet HM Treasury
regulatory requirements, the recognition
for sound systems of controls to
minimise errors and loss, and as
part of a continual improvement
programme.
Control culture or continuum
■ Is awareness of controls high,
acceptable, low or indifferent?
The level of awareness of controls or
the understanding of the concept of
controls determines the level of initial
educational content of the CSA
implementation process. It is likely that
Downloaded by UNIVERSITAS TRISAKTI, User Trisakti At 04:21 09 December 2018 (PT)
some business areas are more aware
than others, while some are more ready
to accept controls than others.
Consequently, one needs to be flexible in
addressing these differences between
different parts of the organisation.
Nevertheless, it is prudent to introduce
CSA to all parts of the business by
explaining the ‘concept of control’,
‘business risks’ and ‘business objectives’.
In my approach, I have sold the ‘con-
cept of control’ as ‘best management
practice’ while stressing that controls are
not obstacles but ways in which we
manage ‘business risks’ to ensure the
achievement of ‘business objectives’.
This approach recognised the control
continuum in my organisation at the
time, which was going through several
changes, for example, business process
re-engineering and consolidation of
practices throughout the group on an
international basis.
Cost and affordability
■ Is the budget large, small or
undefined?
A limited budget will impact on the
implementation process (for example,
use of consultants and training of
facilitators) and the solution (for
example, software for maintaining
CSA can be successfully
implemented with a limited budget
but not with limited commitment
from the organisation
24 | BALANCE SHEET | VOL 8 NO 1
Key stages for starting the CSA programme
Figure 1
CSA). In my last organisation, CSA was
treated on a par with other projects,
requiring cost and benefit analyses for
funds to support the project. It is my
opinion that CSA can be successfully
implemented with a limited budget but
not with limited commitment from the
organisation.
Size and complexity of the
organisation
■ Is CSA to be implemented through-
out the organisation?
■ Are there great variations in
business disciplines within the group,
such as general insurance, life
insurance, investment management,
offshore business, estate agencies,
banking?
■ Are they located across the country
and internationally?
These factors will influence the level of
resources required as well as the
approach where a consideration of local
control environment should be taken
into account. Also, if the control contin-
uum and work culture is different in
each entity, the way CSA will be imple-
mented in each entity may need to be
adapted, for example, through more
clarification or recognition of local
practices.
Availability of resources
■ Are there sufficient resources to
facilitate the process?
■ Has management committed suffi-
cient resources to the process?
■ Has management committed
resources for the on-going maintenance
of CSA?
There is no doubt that implementing
CSA is a time-consuming and, initially, a
resource-intensive process. Momentum
can be lost if resources are not properly
prioritised and are pulled away from the
process. The process of implementing
CSA must be managed like a project,
with clear objectives, timescales, dead-
lines and resources.
Supporting systems
■ Will CSA be maintained manually or
assisted by software?
The CSA process generates a tremen-
dous amount of data and information.
Manual processing of the information
may limit the approach for reporting
purposes, for example, critical analyses
of exposure to risks and progress
achieved. Efficient capture of such data
and ease of maintenance will affect the
ongoing success and effectiveness of
CSA.
 Operating principles and key design features of a CSA programme
Principles
Ownership must lie with
management
Objectives and deadlines must be
clearly stated
Downloaded by UNIVERSITAS TRISAKTI, User Trisakti At 04:21 09 December 2018 (PT)
Design features of the programme
■ A ‘statement of intent’ or mission statement is issued by the chief executive.
■ Divisional co-ordinators representing each area of the business are appointed by the
respective director. Co-ordinators are part of the management team, whose seniority is
necessary to indicate the board’s commitment as well as to co-ordinate the development of the
programme within their areas.
■ The data and information are maintained by the business area, with assistance from Internal
Audit, as facilitators.
■ The annual reports or ‘self-assessments’ should be issued to the chief executive.
■ Objectives and deadlines of the programme as they are rolled out are documented and issued
to the co-ordinators.
■ Presentations are provided to the co-ordinators at the outset to reinforce the message.

Guidance for adopting and
maintaining the programme must be
clear
The programme must be simple
to understand, implement and
maintain
The programme must be an
integral part of management
practice
Ongoing support and advice must
be available
■ Regular contact with the co-ordinators is maintained to ensure deadlines are met.
■ A ‘Manager’s Guide’ is written by Internal Audit and issued to each co-ordinator. The details
of the guide and underlying working principles are reinforced in the presentations or at
workshops.
■ The concept is introduced as simply as possible, using best management practice as the key
approach. Fundamental questions include ‘What are my key responsibilities?’, ‘What are my
objectives?’, ‘What risks am I facing in my area?’, ‘What procedures have I implemented to
mitigate these risks?’ and ‘How am I ensuring that I carry out my responsibilities satisfactorily?’
■ Simple proformas are used.
■ Local practices are identified and, wherever possible, the process is integrated with local
management practice, for example, reference to existing procedure manuals, quality control
checks, and discussion of controls to be included as a regular item at management team
meetings.
■ Existing communication channels, such as a network system or LANs, are used to maintain
documentation and facilitate monitoring of progress by the managers as well as Internal Audit.
■ Internal Audit, as facilitators, maintain regular contact with the co-ordinators, on a formal and
informal basis. This ensures that progress is sustained and reporting deadlines are achieved.
■ Support from Internal Audit must be constant, consistent and available according to the
individual needs of the co-ordinators.
■ Board’s expectation and call for annual reports from each business area helps to reinforce the
continual implementation of the CSA.

Table 1

Implementing CSA
Of the considerations outlined above, I
feel that priority should be given to
addressing issues relating to ownership,
commitment from the business, and
resources.
CSA co-ordinators – a key feature
The key feature of the CSA programmes
I have implemented, and generally con-
tinue to advocate, lies in the appoint-
ment of divisional or business risk
co-ordinators. They play a key role in
rolling out the programme in their
respective areas and obtaining real
management buy-in and ownership. By
acting as focal points, they help provide
a more efficient channel of communica-
tion and co-ordination with individual
managers. Their appointment by top
management should be visible. Ideally,
these individuals know and are known
within that business entity, and have the
‘right attitude’ towards ‘doing things
right first time’.
Buy-in from these co-ordinators
from the outset is vital. This can be
achieved by Internal Audit, as facilita-
tors, providing initial training or
introductory sessions at the formal
appointment of the co-ordinators. A
close working relationship between
Internal Audit and the co-ordinators is
necessary to help ensure the smooth and
sustained operation of the programme.
During the initial implementation
stages of the CSA programme, the
co-ordinators are expected to spend a
fair proportion, at least 20–30%, of
their time on the programme. It is
expected that this proportion will
decrease to no more than 10% as
managers embed the programme in their
‘tool box’. In this respect, it is important
to consider the tools that managers are
already using when designing one’s
approach to CSA to ensure that it can be
integrated with existing management
techniques. The key stages for starting
the programme are illustrated in
Figure 1 (see previous page).
Operating principles and design
features
The operating principles and key design
features of my CSA programme, which
take into account an assessment of the

VOL 8 NO 1 | BALANCE SHEET | 25

 CONTROL SELF ASSESSMENT

business environment and constraints as

outlined, are contained in Table 1. Key stages for the CSA programme
The programme
The CSA programme I advocate is simi-
lar in principle to most models in the
market. The difference is in the ‘deliv-
ery’, ie, via the co-ordinators in the busi-
ness areas.
The programme consists of six key
steps, as illustrated in Figure 2. Internal
Audit, as facilitators, assist the risk co-
ordinators in the review of each step and
in producing or updating of the various
‘Risk & Control Maps’ and ‘Self
Downloaded by UNIVERSITAS TRISAKTI, User Trisakti At 04:21 09 December 2018 (PT)

Assessments’. The auditor will readily

note that these documents form a useful
source of information and starting
‘benchmarks’ for the conduct of internal
audits in the respective business areas.

Conclusion: maintaining the

momentum
During implementation
Figure 2
Maintaining the momentum for
implementing CSA is a familiar
challenge to internal auditors acting as
facilitators. There is no easy solution.
The integrated CSA programme
The principles outlined above, in
particular, top management commit-
ment together with strong monitoring
and feedback, are most important.
Building strong allies in the co-
ordinators is extremely useful although,
without commitment from the top,
conflicting priorities will soon arise. The
bottom line is that Internal Audit must
drive the programme and demonstrate
enthusiasm unfailingly, via strong
marketing, negotiation and PR
initiatives. Yesterday’s internal auditor
would not have anticipated the need for
skills such as those required in today’s
business environment. Figure 3

Ongoing maintenance
It is the role of the co-ordinators to
review and update the ‘Risk & Control
Maps’ on an ongoing basis. The need for
formal reporting to senior management
and the board helps ensure that the
process is carried out, hence the need for
the commitment and support from the
top at outset.
The continual input and monitoring
from Internal Audit will reinforce the
principles of the CSA programme.
Internal Audit can actively monitor and
integrate CSA in their own process by
feeding back findings arising from audits
to the respective co-ordinators for input
into the Risk & Control Maps. Through
this process, CSA in the organisation
will be truly ‘holistic’ and integrated
into the business environment. (See
Figure 3). ■
This article is taken from Control Self
Assessment For Risk Management and
Other Practical Applications, edited by
Keith Wade and Andy Wynne, and
published by John Wiley & Sons, Ltd
(see book review on page 42).
Vicky Kubitscheck is group chief internal
auditor at AEGON UK. She has over 13
years’ experience in the auditing
profession in the financial services
industry, and is the chairperson of the
Insurance Internal Audit Group (IIAG) in the
UK. Previously she was head of Internal
Audit at AXA Equity & Law.

26 | BALANCE SHEET | VOL 8 NO 1