ccsa指导加试题.doc

Course OverviewThe CCSA exam can cover a broad spectrum of topics. In addition, the questionsand topics on the exam are changed periodically.The objectives of this course are to help participants become more familiar withthe material that may be tested on the CCSA Examination and to become morecomfortable dealing with multiple-choice questions. The wording of multiplechoicequestions can often be a greater challenge than the actual material beingtested. Therefore, throughout this workbook there will be opportunities to reviewboth the technical material that may appear on the CCSA examination as well asclarifying the wording used in questions.The workbook material contains extensive discussion of the technical topics thatmay be present on the CCSA examination. In addition, there are samplequestions related to the topics at the end of each chapter. These sections containthe correct answer to each question along with an explanation, which oftenexamines the wording of the question. At the back of the workbook there are asubstantial number of advanced questions. These questions are probably moretypical of what will appear on the examination. These advanced questions arepresented in two parts. The first part provides the question only. The second, partis more comprehensive with questions and their answers highlighted, along withan explanation of the correct answer. Periodically throughout the workbook,there will be extractions from these advanced questions to examine their wordingcontent, keyword traps, and the technical content of the questions.Although the workbook contains substantial material, it is advised that theparticipants review both the end of chapter questions and the advanced questionsin the back of the workbook with their explanations. Most often reviewingpractice questions and becoming familiar with the wording of multiple-choicequestions can be a great aid in preparation for a multiple-choice format test.CSA: The BasicsThe objective of this module is to acquaint tile participant with the concepts ofControl Serf-Assessment (CSA). The module will demonstrate how theparticipant may use CSA as a tool to help clients and to gain confidence in orderto train clients so they may help themselves.At the end of this module, the participant will: understand the concepts of Control Self-Assessment. understand how other control and risk models work with Control Self Assessment. earn how to present this material so that the client may use it as anongoing business tool. be more comfortable addressing the CCSA exam questions related to basicCSA concepts.Control Self-Assessment-What is it?Control Self-Assessment is a process by which an individual assesses themselves.To put this in perspective, lets think about taking ones own blood pressure. In orderto complete this task we attach the blood pressure device and the device and devicereads the results. If the results were 280/250 we could say we have just performed aself-assessment. However, there may be an issue.In simplest terms, this could be called a blood pressure self-assessment. But thereare lessons to be learned here. The first lesson is that we have performed a physicaltask of self-assessment by measuring the blood pressure. The next issue isdetermining what this means. What does 280/250 mean? Considering this, there arethree things that need to be included in a self-assessment process. The first is thephysical task of the self-assessment, the second involves understanding the results,and the third is what could be done to control the results.In this example, we call our self-assessment process a blood pressure selfassessment.Control Self-Assessment is, therefore, measuring the adequacy of riskand control management in ones own process and taking appropriate correctiveaction.Just as in our blood pressure example, the physical task is necessary whenperforming a self-assessment process. In a Control Self-Assessment process thephysical tasks are often in the form of questionnaires /surveys or workshops. Theseare the physical tasks of performing the control Self-Assessment process. However, itis not only important to perform the physical task of the self-assessment process butto also understand the results and act on them appropriately.Action must be taken to correct any deficiencies. Self-assessment /Control Self-Assessment is a methodology to systematically document and evaluate risk controlsand the achievement of objectives. This concept can be applied in most areas.As we can see from our first example, the process can be applied in testing ourOwn blood-pressure. In business, it can be applied to test the blood pressure ofthe business process.Action is probably the most important task of a Control Self-Assessment process.Performing a self-assessment process without a commitment to action is merely awaste of time.From a business perspective, the Control Self-Assessment process is a method bywhich the people who are responsible for the business process evaluate theadequacy of their risk and control management. From common business stance, thismakes sense.The owners of the business process are in fact responsible for their own risk andcontrol management. Unfortunately, in many cases, this is not widely accepted inthe business environment. Control Self-Assessment can help broaden theacceptance of risk and control management within the business community. Itcan help eliminate the confusion, misunderstanding, and fear of risk and controlmanagement by expanding an understanding of these concepts.A Control Self-Assessment process in the business environment simply meansthat employees responsible for performing the work evaluate the adequacy oftheir risking controls. Further, this Control Self-Assessment process can be alearning device, It can help the business community and business professionalsbetter understand the concepts of risk and control management, In addition, it canhelp evaluate the accuracy of risk and control management related to soft controlsand soft, issues. The soft issues are often the foundation for good business process.They include such things as attitude, morale, ethical values, tone at the top, andcommunications. Lack of adequate controls in these areas are often the root causefor many other business issues and areas of concern.The internal audit department often plays a vital role in the implementation andInitiation of the Control Self-Assessment process. This is often because of theperception that internal auditors have an in-depth understanding of risking controlmanagement. In addition, it is perceived that internal auditors are familiar withaddressing groups of people and upper-level executives. Because of this perceptionthe internal auditors are often called upon to facilitate the Control Self-Assessment workshops. In the next chapter, we will discuss the facilitatorsresponsibilities and how they play a key rote in the successful outcome of abusiness workshopsAlthough internal auditors are often called upon to perform the role of facilitatorin the CSA process, it is not necessary that they be part of the process, in rant, astime passes, the ultimate goal is that the business professionals conduct their own,workshops. Depending upon the current levels of experience, this transition maytake place in varying degrees of time.The Control Self-Assessment process in the business community has anotheradvantage; the advantage of ownership. It is a known fact that there is a certainamount of pride, possessiveness, and acceptance of responsibility that comes withownership. This ownership active participation in risk and control decisions willresult in a more solid foundation with a greater long-term effect on the risk endcontrol process. An alternative is to dictate the management of the risk endcontrol process. This approach may result in a weaker foundation with weakerlong-term effects.Some Points That Make CSA What It Is Employees performing the work evaluate controls and risks It can be done without internal audit It utilizes tools that may be new to auditorsAudits role is that of facilitatorCSA helps evaluate soft controlsWorkshops or management may issue the reportsCSA can be a learning deviceGreater probability of buy-in of the issues.Business professionals are more involved with CSA than with traditional audits.Clients like the involvementCSA ties the concerns, the issues, and the change for improvement back to thepeople doing the work.There are three basic components in any business process, like those involved ineveryday life. They occur in this order: objective, risk, and control. Simplystated, the objective is what is trying to be accomplished. The next component ofour foundation is risk. Risk is simply the barrier that will stop or slow down theachievement of the objective. The third component is control. Control is thepolicy, procedure, and action that will diminish or eliminate the barrier of risk.In todays business environment and everyday life it is virtually impossible toprotect 100% against all possible risk Generally, protection against risk is withsome reasonable assurance This is often called acceptance of risk, risk appetite,or risk tolerance.Consider this: in everyday life, commuting to work, going shopping, or investing,we accept risk. With these everyday events, the acceptance of risk may meandifferent things to different people. We all accept risk in everyday life and inbusiness processes. The problem is not with the acceptance of risk, butunderstanding the consequences of what has been accepted.Sometimes it is difficult to capture all the consequences. There are often tworeasons for this vagueness and excepting the risk. One is that the world changesrapidly. When a certain risk has been addressed and as action has begun, the risksituation may change introducing new risks. The other reason is a lack ofunderstanding the consequences. It is important to think of the end. The endholds the consequences that may have to be dealt with in a reactionary mode.Should the risk of driving to work with bald tires on snow and ice be accepted?Some risk would be accepted, but what are the consequences of the acceptedconditions? The same thought process can be applied in business.In todays business environment the consequences of accepting risk are far moredrastic than they were even a few years ago. Addressing laws and regulations,embarrassment and reputation in various news media have substantially increasedthe consequences of accepting risk. The risk and control professional can helptheir clients become better equipped to accept risk and its consequences byhelping them to better understand the contemporary consequences of a riskassessment.Back to basics; risk and control management begins with three basic concepts.These three concepts are objectives, what is trying to be accomplished; risks,what will stop or slow down the process from achieving the objectives; andcontrols, the policies, procedures, and tools and techniques and action to diminishor eliminate the barrier of riskThe Control Self-Assessment process can address these basic conceptsindividually or in concert with each other. How the Control Self-Assessmentprocess is designed, should be driven by the needs and the objectives of theindividual business process.Control Self-AssessmentControl Self-Assessment is a way to help organization improve their ability tomeet objectives.Organizations that use CSA have a formally documented process to evaluate theircontrols and risks.CSA is a process through which internal control effectiveness is examined andassessed. R is a tool that provides reasonable assurance that all businessobjectives will be met.CSA is a process where management and/or workshops, not internal auditors,perform the assessment of internal controls.Generally, the process covers a broad spectrum of objectives. Integrated controlframeworks can help in this effort.CSA Begins With The Objectives.Control Self-AssessmentManagement evaluates their own controls and identifies opportunities fbrimprovement.Two primary tools: Facilitated workshops Surveys / QuestionnairesThese tools may be used by management to evaluate their control processes.However, management may not know what to do. Therefore, auditors can takeadvantage of an opportunity to work with management and facilitate the CSAprocess.Integrated Control Frameworks are important tools when using CSA. COSO,CoCo, and COBIT are examples of Integrated Control Frameworks. They canhelp keep the CSA effort focused and help make sure that all the dimensions ofthe business are addressed.CSA Approaches Control framework usage Internal auditing role Reporting Attendance Quality assurance Relationship to internal auditThe use of COSO, CoCo, COBIT, and other control frameworks can be vital in aneffective CSA process.In the internal audit role, auditors are sometimes the owners of the results andprocesses and sometimes they are not. It depends. It depends on the businessculture, the objectives, and the concerns.Sometimes audit may follow-up after the workshop effort. Other times hey maynot. Again, it depends.The role of the auditor and the question of independence and objectivity is often aconcern in a CSA effort. Under the new IIA standards, auditors are allowed tocome closer to the line of objective and independence.However, common sense should prevail. The auditors should be used to the bestadvantage in a CSA effort, without compromising their Objective andindependence guidelines.CSA Benefits CSA helps with the understanding of objectives, risks, and controls CSA develops ownership of results CSA provides a broader coverage CSA improves communications CSA helps with the appropriate analysis and reporting of controlsCSA helps employees understand and assume responsibility and accountabilityfor effective control and risk management. Education of the CSA process, as wellas the concepts of risk and control management, is a vehicle to this end.Corrective action is more effective and longer lasting because of the ownership ofthe issues and the corrective actions.By using integrated control tools as part of the CSA process, all parts of thebusiness are analyzed and addressedCSA improves communications on all levelsCSA helps employees understand how to analyze, address, and report on theadequacy of controls.CSA Concerns Internal Audit may not be skilled facilitators Resistance to change. Lower level staff is often not trained to address controls Experiential, political, and cultural differences among, participants Organization not candid enough to reveal root cause Legal implicationsPeople generally resist change. CSA, as a tool, is a different way of doingbusiness. Therefore, to be more successful with a CSA exercise it is important tominimize the unknowns from the participants minds. Some tools that helpfacilitate change are communications, participation in the change effort, andtraining of the new process.It is important to first understand the atmosphere, culture, and politics where theCSA exercise will be conducted. By its nature the CSA is participatory and willbe much more successful when used in this type of environment. Typically, themore empowered or more participatory the management style is the moresuccessful the CS, A effort will be.Conducting a CSA workshop is different from conducting a meeting, a trainingsession, or a presentation. Internal auditors are often called upon to facilitateCSA workshops because of their expertise with risk and control management,along with their experience conducting meetings and presentations. Althoughthese professionals may be perceived as having the basic platform skills toconduct training sessions, presentations, and meetings, they may not be trained inspecific facilitation techniques. It is recommended that anyone facilitating aworkshop attend appropriate facilitator training.Pre-workshop or CSA education efforts may be required to help the participantsfeel more at ease and less resistant to change. These efforts will also addresslower level staffs that have not been trained to identify controls. These trainingsessions may include the topics of risk and control management or the CSAprocess in general. Additionally, they may include interviews with potentialparticipants to gain an understanding of their issues and concerns.It is the obligation of the facilitator to identify the extent and the need for thesepre-CSA efforts. CSA is not cookie-cutter! Therefore, the extent and need forthese pre-CSA exercises should be driven by the experience, exposure, concerns,politics, culture, and variations in communications of the potential participants.The facilitator will need to identify the components, design, and address the pre-CSA engagements appropriately.In some CSA workshop cases, discussions are not candid enough to get to theroot cause. The more at ease the participants are during the CSA exercise, themore candid they will be. It is the responsibility of the facilitator to put thepotential participants at ease. The more candid the participants are about theirprocesses, identifying both positives and negatives, the more likely weaknessesWill be addressedDiscussion of legal and/or security issues in an open forum may not beappropriate. These are e