
 

IT Self Assessment Center

 26.01.2008
CSA (Control Self Assessment)

 

Control Self Assessment is a tool for self-assessing the control environment that exists in an organization. CSA supports a process consisting of 4 simple steps, which helps users self-assess compliance levels and define short- and long-term compliance remediation plans.

Process steps supported by CSA:
1. The user answers several questions to prepare the main stream of questions, which is customized for the user's organization.
2. The user answers a series of questions that correspond to the user's organization and examine compliance levels. All questions expect Yes/No answers.
3. The user obtains supporting explanatory text that refers to control recommendations based on best-practice examples and knowledge database output, and determines compliance directions and strategies.
4. The user builds a remediation action plan for every weakness identified. The GRC DOBIS system helps to follow up on issues and reports on problem resolution.

The CSA can be used by the IT internal audit team or IT management to assess, and afterwards to monitor and report, the compliance level in relation to control recommendations or regulatory requirements. Reports can be shown for specific business units or departments, which also allows work on business strategy at the corporate level.


CSA focuses on the following areas:

Management Assessment (MA) - CSA helps an organization manage its total business risks and controls. MA can help the organization better understand business risks so that it can take steps to minimize their impact by implementing controls such as procedures, policies, standards, instructions, new system functionality, changes to the organization chart, etc. It offers more than a conventional risk-based approach because the method addresses risks, controls, management areas and processes, allowing analyses such as SWOT to be evaluated. The method underlines the strengths and weaknesses of controls, helping to find cost-effective ways to mitigate risks and improve the management safety margin.

 

Process Assessment (PA) is similar to MA but focuses mainly on a particular business process rather than on the entire organization. It is more detailed because it touches on specific activities of a business unit or process. PA is cross-functional and can be used for siloed businesses. It emphasizes process functionality and effectiveness and relates them to the risks and controls of the working environment.

TK
 


© Copyright 1998 - 2012 by DOBIS. All rights reserved.