The first and simplest way to use the self-assessment process is in determining your own internal audit function's strategy and priorities. This is an excellent starting point, for numerous reasons:
Second Step: Use With an Auditee on an Annual Risk Assessment
Once your department is comfortable with the concepts of group process, facilitation, self-assessment and automated tools, it is time to adopt or develop a specific methodology for risk assessment sessions. The methodology can be self-developed or developed with the assistance of experienced facilitation professionals in the field. Once the basic principles have been worked out, these meetings can be conducted with increasing effectiveness as the experience level of your people increases.
The control self-assessment technique, when applied to risk assessment, provides a structured discussion format that asks your audit customers for their estimation of business risks and controls; asks for suggestions on where controls should be implemented, improved or eliminated; and applies various tests to participant suggestions (to ensure that they are complete, identify acceptable levels of risk, and optimize benefits and cost). Your customers will understand their control environment better and will be better able to interact with you because you will understand their business better.
Later and More Advanced Uses: Audit Area Risk Assessment
A key advantage of process-based techniques is that the process often remains the same, while the specific questions (or context) or the experience and rank of the participants change. This means that facilitation skills, once developed, can be focused on a wide range of problems and can be used with top executives once a facilitator has developed experience with employees at lower levels.
Similarly, the approach used for higher-level risk assessment is also used in determining specific risks in functional business areas or for specific processes. This means that an entire audit—planning and company/divisional/departmental risk assessment—can be performed using the same basic approach. In fact, the use of an identical or similar process will improve the comparability of your results, as discussed further below.
Series of Self-assessment Sessions With Summary Report
In many situations, a single session is not sufficient for developing and substantiating audit results. In these cases, a series of similar sessions can determine whether there is a pattern across various departments or business processes. Cross-functional results will often develop highly valuable insights for management's attention.
For example, scanning across records of numerous self-assessment sessions, an auditor may identify a control issue such as, "human resources function not providing properly qualified candidates for open positions" because it was raised in nearly every session, even though no session voted it a high-priority concern. Based upon the frequency of the issue in numerous situations, the internal audit department is in a position to raise it for management's attention, not only as a control weakness but as a serious threat to the future competitive capability of the organization.
Creative Brainstorming for Strategic Planning
Another facilitation-based technique is strategic planning, using the group process to gather the most creative ideas for future business success. This involves a different meeting process than self-assessment; however, the session leadership skills are the same. Therefore, once your department has experience in self-assessment, it could make sense that your facilitators be trained in creativity-based processes.
The results of these meetings can often help process owners and top management identify new opportunities for the company. The consensus that can be developed in a short time—usually 1-2 days—can help turn around management teams that have been searching for solutions to difficult problems; that have been unable to agree on new strategic direction; or that are simply stuck in older management paradigms.
When your internal audit department is able to deliver such meetings, you can expect that your people will be called upon to deliver this capability at numerous levels of the company. As with self-assessment, this is a process that can be aimed at many different problems—strategic planning for the executive team, departmental and functional business planning, assessing business process performance, constructing business risk profiles, and even developing new product development strategies. The possibilities are endless, and your team will be a valued contributor to your company's business success. By this time, what was only control self-assessment in the beginning will have evolved to the larger scope of "business self-assessment" going beyond the original focus on risks and controls.
Here are a few example tools focused on the self-assessment process available on KnowledgeLeader:
Guide to Prioritizing Using the Nominal Group Technique