Internal control self-assessments are evaluations of an organization's internal controls and processes that are conducted by the organization's management. These assessments are designed to identify any weaknesses or areas of improvement in the organization's internal control systems and to ensure that its financial reporting is accurate and reliable and that the organization can meet its strategic objectives.
Internal control self-assessments are an important tool for organizations to evaluate the effectiveness of their internal controls and identify areas for improvement. The 3rdRisk platform includes some handy features to ease the life of business, risk, and audit teams:
We created a diagram to visualise the internal control self-assessment process.
The first step in the internal control self-assessment process is to initiate the assessment. There can be various triggers for conducting a control self-assessment, such as the testing schedule, the implementation of a new control, an audit project, or an incident that signals a deficiency.
Level of testing
During the control self-assessment configuration, you need to define the level of testing. Based on the level of testing, the internal control self-assessment will go through 1, 2, or 3 stages:
The level of testing is reflected in the menu of the platform:
Single or bulk assessment
The 3rdRisk platform allows you to initiate a control self-assessment of a single (sub)control or many (sub)controls at once (bulk assessment).
The second step in the control self-assessment process is performing the control self-assessment (i.e., testing the control). This includes documenting the results and attaching the evidence. By default, as part of the platform's blueprint configuration, the control owner and control executor are invited by the platform's virtual officer to perform the control self-assessment.
The third step in the control self-assessment process is validating the results and conclusion of the control self-assessment. Validation is an optional step and is dependent on the level of testing that was configured during the control self-assessment initiation. The control validator is responsible for validating the conclusion of the control self-assessment. This is usually somebody working in a risk management function.
The fourth step in the control self-assessment process is verifying the validation by the control validator. Verification is an optional step and is dependent on the level of testing that was configured during the control self-assessment initiation. The control auditor is responsible for performing the final verification check. This is usually somebody working in an internal or external audit function.
At every stage of the control self-assessment - whether the control self-assessment is in the testing, validation, or verification stage - one or more Issues and Action plans can be linked to the control self-assessment.
1. To initiate a control self-assessment in the 3rdRisk platform, go to [left menu] Compliance, Control library and click on the Actions menu (the [...] in the last column of the data table) of the control that you want to test. To start the control self-assessment configuration, select the Initiate control self-assessment option.
2. To initiate a bulk control self-assessment, you must select the checkboxes of the controls you want to test and use the Bulk actions menu at the right side above the data table. To proceed, click Initiate control self-assessments.
3. A window will pop up which allows you to configure the control self-assessment. You have to provide the following details:
Fields | Description |
Assessment name* | Provide the name of the assessment such as "Internal Control Self-Assessment Q1 2023". |
Description* | Provide a description of the control self-assessment, such as "Annual assessment in line with the schedule" |
Test period start* | The first day of the testing period, such as the beginning of the previous quarter |
Test period end* | The last day of the testing period, such as the last day of the previous quarter. The platform will give a warning message in case the testing period overlaps with a previous testing period. |
Due date* | The due date for the control owner and/or control executor to perform the test |
Level of testing* | The number of stages of the control self-assessment: Stage 1 Self-assessment: the control is tested by the control owner and/or executor without validation and verification; Stage 2 Self-assessment with validation: the control self-assessment is validated by the control validator (2nd LoD); Stage 3 Self-assessment with validation and verification: after validation, the control self-assessment is verified by the control auditor (3rd LoD). |
4. After providing the necessary details, click on Next to get an overview of the control self-assessment.
5. Click on Submit to send the control self-assessment to the control owner and control executor.
Upon initiating a control self-assessment, the control self-assessment will be submitted for testing. By default, the control owner and control executor are invited by the platform's virtual officer to start the control self-assessment testing activities.
To access all control self-assessments in the testing phase, go to [left menu] Internal Control and click Testing. You will see a page with all control self-assessments in the testing phase.
To open a control self-assessment and start testing, go to the Actions menu [...] in the data table and click Open control self-assessment.
You will get a new window showing you all the relevant information about the control self-assessment and the expected testing activities. This window is shown below:
Let's discuss the various sections:
A. This shows the stage of the control self-assessment. In this example, the assessment is in the testing stage. The subsequent stages are validation and verification. These are dependent on the level of testing that was configured during the control self-assessment initiation.
B. To retrieve more information about the control and previous control self-assessment results, use the Show more details slider button. If a control was tested before with a negative testing conclusion, this button will be colored amber.
C. Here you can describe your testing activities. You have a rich text editor at your disposal to include text. You can also copy/paste screenshots in the text editor. In addition, you have the following options:
D. Use this dropdown to indicate your conclusion. You have four options: Effective, not effective, new control or not tested during this period. Based on your conclusion, you will be kindly nudged to perform certain activities.
E. Once you have completed the form, you can use the Submit button to send the control self-assessment to the next stage. Based on the level of testing that was configured during the initiation, this can be validation or finish assessment.
The Evidence tab gives an overview of all the evidence attached to the control self-assessment during the testing, validation and verification stages. You can easily add evidence at every stage of the control self-assessment process.
In the example above, a data management policy was added as evidence. The badges 'policy' and 'testing' indicate that it is a policy document that was uploaded during the testing stage by LR. You can use the mouse-over to retrieve the name of the uploader.
To add new evidence, use the Add evidence button on the Assessment or Evidence tab. Upon clicking the button, you will see a new window in which you can provide the filename, file type, creation date, valid until date (e.g., in case of a certificate), comment and file.
The Communication tab allows you to chat with your colleagues about the control self-assessment within the 3rdRisk platform.
All representatives that are associated with the control - such as the control owner, control validator and control auditor - are listed in the 'Who should be notified in this message' box. Simply click on one or more of the representatives and type a message. Please note that all communications around a control self-assessment will remain visible in this tab.
The Issues tab gives an overview of all issues that are linked to the control self-assessment. By using the Add issue button, you can link an existing or add a new issue.
In the example above, you see two issues: an occurrence (ISS-23 with criticality low) and a vulnerability (ISS-31 with criticality critical).
To view or edit an existing issue, click on the three dots [...] and select View/edit issue. You also have the option to copy the direct link to the issue to the clipboard. You can share this link with colleagues, e.g., through e-mail or chat.
To access all control self-assessments in the validation phase, go to [left menu] Internal Control and click Validation. You will see a page with all control self-assessments in the validation phase.
To open a control self-assessment and start validating, go to the Actions menu [...] in the data table and click Open control self-assessment.
You will get a new window showing you all the relevant information about the control self-assessment and the performed testing activities. This window is shown below:
Let's discuss the various sections:
A. This section shows the testing results and conclusion. You can use the Show more details slider to get more information on the performed testing activities during the testing stage.
B. As control validator, you can adjust the testing conclusion. Read more about adjusting the test conclusion below.
C. Here you can see that the control self-assessment is currently in the validation stage.
D. You have a rich text editor at your disposal for describing your validation activities. You also have the option to copy/paste screenshots in this field. Based on your validation, you have two options:
E. To conclude your validation, you can indicate whether the control self-assessment was correct and complete ('yes', 'no', 'not checked') and whether you agree with the conclusion ('yes', 'no', 'no opinion').
F. Upon completing the required fields, you have two options: return the control self-assessment to the testing stage or submit the control self-assessment for verification.
In the validation stage, you can adjust (overrule) the testing conclusion. Click the Adjust button next to the conclusion. A new window will appear in which you can change the conclusion. You need to provide a justification for why the conclusion is adjusted.
Please note that the control owner and executor will not be automatically notified when a conclusion is adjusted. From an internal control process perspective, we would always recommend using the "Return to <name> for testing" button instead, as the control owner or executor should preferably be the one to change the conclusion.
If you use the Adjust button, the 'Do you agree with the conclusion?' dropdown will be disabled.
To access all control self-assessments in the verification phase, go to [left menu] Internal Control and click Verification. You will see a page with all control self-assessments in the verification phase.
To open a control self-assessment and start verifying, go to the Actions menu [...] in the data table and click Open control self-assessment.
You will get a new window showing you all the relevant information about the control self-assessment, the performed testing activities, and the performed validation. This window is shown below:
Let's discuss the various sections:
A. This section shows the testing results and conclusion. You can use the Show more details slider to get more information on the performed testing activities during the testing stage.
B. As control auditor, you can adjust the testing conclusion when the control is at the verification stage.
C. This section shows the documented validation activities and conclusion. You can use the Show more details slider to get more information on the performed validation activities during the validation stage.
D. You have a rich text editor at your disposal for describing your verification activities. You also have the option to copy/paste screenshots in this field. Based on your verification, you have two options:
E. Upon completing the required fields, you have two options: return the control self-assessment to the validation stage or finish the assessment.
Go to [left menu] Internal Control and click on Finished to get an overview of all finished control self-assessments.
To re-open a finished assessment, go to the Actions menu [...] of the respective control and click View control self-assessment. The control self-assessment will open in a new window.
Use the Re-open self-assessment button to push the assessment back to the previous phase. Based on the level of testing, this can be verification, validation, or testing. In the example shown above, the assessment will be returned to the verification phase.