Internal control self-assessments

Testing, validating and verifying a control self-assessment

Internal control self-assessments are evaluations of an organization's internal controls and processes that are conducted by the organization's management. These assessments are designed to identify any weaknesses or areas of improvement in the organization's internal control systems, and to ensure that its financial reporting is accurate and reliable and that the organization can meet its strategic objectives.

Introduction

Internal control self-assessments are an important tool for organizations to evaluate the effectiveness of their internal controls and identify areas for improvement. The 3rdRisk platform includes some handy features to ease the life of business, risk, and audit teams:

  • Define the level of testing. You can decide whether the self-assessment should only be tested by the business (1st LoD) or needs to be validated by risk management (2nd LoD) and verified by the audit team (3rd LoD).
  • Include videos. You can include videos when you initiate a control self-assessment. You can use these videos to explain the self-assessment's importance or how the control should be tested.
  • Chat with key stakeholders about the self-assessment. The platform allows you to chat with other stakeholders involved with (testing) the control. All communications about the self-assessment are stored.
  • Copy and access previous assessment activities. Would you like to look up what you did last time or build on it? The platform contains many useful features that save you a lot of time.
  • Send back or overrule self-assessments. As the control validator or control auditor, you can send back the self-assessment to the control tester (advised) or overrule the testing conclusion in case of a dispute.

Process

We created a diagram to visualise the internal control self-assessment process.

Initiate control self-assessment

The first step in the internal control self-assessment process is to initiate the assessment. There can be various triggers for conducting a control self-assessment, such as the testing schedule, the implementation of a new control, an audit project, or an incident that signals a deficiency.

Level of testing
During the control self-assessment configuration, you need to define the level of testing. Based on the level of testing, the internal control self-assessment will go through 1, 2, or 3 stages:

  • Stage 1 - Testing: The control self-assessment is performed by the business (1st LoD) without validation by risk (2nd LoD) and verification by internal audit (3rd LoD). After completion by the business, the control assessment will be closed.
  • Stage 2 - Validation: The control self-assessment is performed by the business (1st LoD) including validation by risk (2nd LoD).
  • Stage 3 - Verification: The control self-assessment is performed by the business (1st LoD), validated by risk (2nd LoD), and verified by internal audit (3rd LoD).

The level of testing is reflected in the menu of the platform:

Single or bulk assessment
The 3rdRisk platform allows you to initiate a control self-assessment of a single (sub)control or many (sub)controls at once (bulk assessment).

Perform control self-assessment

The second step in the control self-assessment process is performing the control self-assessment (i.e., testing the control). This includes documenting the results and attaching the evidence. By default, as part of the platform's blueprint configuration, the control owner and control executor are invited by the platform's virtual officer to perform the control self-assessment.

Validate control self-assessment

The third step in the control self-assessment process is validating the results and conclusion of the control self-assessment. Validation is an optional step and is dependent on the level of testing that was configured during the control self-assessment initiation. The control validator is responsible for validating the conclusion of the control self-assessment. This is usually somebody working in a risk management function.

Verify control self-assessment

The fourth step in the control self-assessment process is verifying the validation by the control validator. Verification is an optional step and is dependent on the level of testing that was configured during the control self-assessment initiation. The control auditor is responsible for performing the final verification check. This is usually somebody working in an internal or external audit function.

Follow-up on control self-assessment

At every stage of the control self-assessment - whether the control self-assessment is in the testing, validation, or verification stage - one or more Issues and Action plans can be linked to the control self-assessment.

  • Issues can be used to document control deficiencies. You can link an existing issue or create a new one.
  • Per issue you can add one or more action plans to track and resolve the deficiency.

Initiate control self-assessment

1. To initiate a control self-assessment in the 3rdRisk platform, go to [left menu] Compliance, Control library and click on the Actions menu (the [...] in the last column of the data table) of the control that you want to test. To start the control self-assessment configuration, select the Initiate control self-assessment option.

2. To initiate a bulk control self-assessment, you must select the checkboxes of the controls you want to test and use the Bulk actions menu at the right side above the data table. To proceed, click Initiate control self-assessments.

3. A window will pop up which allows you to configure the control self-assessment. You have to provide the following details:

  • Assessment name*: Provide the name of the assessment, such as "Internal Control Self-Assessment Q1 2023".
  • Description*: Provide a description of the control self-assessment, such as "Annual assessment in line with the schedule".
  • Test period start*: The first day of the testing period, such as the beginning of the previous quarter.
  • Test period end*: The last day of the testing period, such as the last day of the previous quarter. The platform will give a warning message in case the testing period overlaps with a previous testing period.
  • Due date*: The due date for the control owner and/or control executor to perform the test.
  • Level of testing*: The number of stages of the control self-assessment:
      • Stage 1 Self-assessment: the control is tested by the control owner and/or executor without validation and verification.
      • Stage 2 Self-assessment with validation: the control self-assessment is validated by the control validator (2nd LoD).
      • Stage 3 Self-assessment with validation and verification: after validation, the control self-assessment is verified by the control auditor (3rd LoD).

4. After providing the necessary details, click on Next to get an overview of the control self-assessment.

5. Click on Submit to send the control self-assessment to the control owner and control executor.

Perform control self-assessment

Upon initiating a control self-assessment, the control self-assessment will be submitted for testing. By default, the control owner and control executor are invited by the platform's virtual officer to start the control self-assessment testing activities.

To access all control self-assessments in the testing phase, go to [left menu] Internal Control and click Testing. You will see a page with all control self-assessments in the testing phase.

To open a control self-assessment and start testing, go to the Actions menu [...] in the data table and click Open control self-assessment.

You will get a new window showing you all the relevant information about the control self-assessment and the expected testing activities. This window is shown below:

Let's discuss the various sections:

A. This shows the stage of the control self-assessment. In this example, the assessment is in the testing stage. The subsequent stages are validation and verification. These are dependent on the level of testing that was configured during the control self-assessment initiation.

B. To retrieve more information about the control and previous control self-assessment results, use the Show more details slider button. If a control was tested before with a negative testing conclusion, this button is colored amber.

C. Here you can describe your testing activities. You have a rich text editor at your disposal to include text. You can also copy/paste screenshots in the text editor. In addition, you have the following options:

  • Copy previous test activity: This will copy/paste the described activities from the previous assessment.
  • Add evidence: Use this button to attach evidence of the control test such as a sample, a policy document or an internal data set.
  • Create issue: Use this button to link an existing or add a new Issue - e.g. in case you conclude that a control is not effective.

D. Use this dropdown to indicate your conclusion. You have four options: Effective, not effective, new control or not tested during this period. Based on your conclusion, you will be kindly nudged to perform certain activities.

E. If you have completed the form, you can use the Submit button and send the control self-assessment to the next stage. Based on the level of testing that was configured during the initiation, this can be validation or finish assessment.

Evidence

The Evidence tab gives an overview of all the evidence attached to the control self-assessment during the testing, validation and verification stages. You can easily add evidence at every stage of the control self-assessment process.

 

In the example above, a data management policy was added as evidence. The badges 'policy' and 'testing' indicate that it is a policy document that was uploaded during the testing stage by LR. You can use the mouse-over to retrieve the name of the uploader.

To add new evidence, use the Add evidence button on the Assessment or Evidence tab. Upon clicking the button, you will see a new window in which you can provide the filename, file type, creation date, valid-until date (e.g., in case of a certificate), comment and file.

Communication

The Communication tab allows you to chat with your colleagues about the control self-assessment within the 3rdRisk platform.

 

All representatives that are associated with the control - such as the control owner, control validator and control auditor - are listed in the 'Who should be notified in this message' box. Simply click on one or more of the representatives and type a message. Please note that all communications around a control self-assessment will remain visible in this tab.

Issues

The Issues tab gives an overview of all issues that are linked to the control self-assessment. By using the Add issue button, you can link an existing or add a new issue.

 

In the example above, you see two issues: an occurrence (ISS-23 with criticality low) and a vulnerability (ISS-31 with criticality critical).

To view or edit an existing issue, click on the three dots [...] and select View/edit issue. You also have the option to copy the direct link to the issue to the clipboard. You can share this link with colleagues, e.g., through e-mail or chat.

Validate control self-assessment

To access all control self-assessments in the validation phase, go to [left menu] Internal Control and click Validation. You will see a page with all control self-assessments in the validation phase.

To open a control self-assessment and start validating, go to the Actions menu [...] in the data table and click Open control self-assessment.

You will get a new window showing you all the relevant information about the control self-assessment and the performed testing activities. This window is shown below:

Let's discuss the various sections:

A. This section shows the testing results and conclusion. You can use the Show more details slider to get more information on the performed testing activities during the testing stage.

B. As control validator, you can adjust the testing conclusion. Read more about adjusting the test conclusion below.

C. Here you can notice that the control self-assessment is currently in the validation stage.

D. You have a rich text editor at your disposal for describing your validation activities. You also have the option to copy/paste screenshots in this field. Based on your validation, you have two options:

  • Add evidence: Use this button to attach evidence of the control test such as a sample, a policy document or an internal data set.
  • Create issue: Use this button to link an existing or add a new Issue - e.g. in case you conclude that a control is not effective.

E. To conclude your validation, you can indicate whether the control self-assessment was correct and complete ('yes', 'no', 'not checked') and whether you agree with the conclusion ('yes', 'no', 'no opinion').

F. Upon completing the required fields, you have two options: return the control self-assessment to the testing stage or submit the control self-assessment for verification.

  • Return to <name> for testing: Use this button to send back the assessment to the testing stage. You will get a new pop-up in which you can provide an explanation for sending back the assessment.
  • Submit to <name> for verification: Use this button to send the control self-assessment to the verification stage. If validation is the final stage, the control assessment will be finished.

Adjust test conclusion

In the validation stage, you can adjust (overrule) the testing conclusion. Click the Adjust button next to the conclusion. A new window will appear in which you can change the conclusion. You need to provide a justification for why the conclusion is adjusted.

Please note that the control owner and executor will not be automatically notified when a conclusion is adjusted. From an internal control process perspective, we always recommend using the "Return to <name> for testing" button instead, as the conclusion should preferably be changed by the control owner or executor.

If you use the Adjust button, the 'Do you agree with the conclusion?' dropdown will be disabled.

Verify control self-assessment

To access all control self-assessments in the verification phase, go to [left menu] Internal Control and click Verification. You will see a page with all control self-assessments in the verification phase.

To open a control self-assessment and start verifying, go to the Actions menu [...] in the data table and click Open control self-assessment.

You will get a new window showing you all the relevant information about the control self-assessment, the performed testing activities, and the performed validation. This window is shown below:

Let's discuss the various sections:

A. This section shows the testing results and conclusion. You can use the Show more details slider to get more information on the performed testing activities during the testing stage.

B. As control auditor, you can adjust the testing conclusion when the control is at the verification stage. 

C. This section shows the documented validation activities and conclusion. You can use the Show more details slider to get more information on the performed validation activities during the validation stage.

D. You have a rich text editor at your disposal for describing your verification activities. You also have the option to copy/paste screenshots in this field. Based on your verification, you have two options:

  • Add evidence: Use this button to attach evidence of the control test such as a sample, a policy document or an internal data set.
  • Create issue: Use this button to link an existing or add a new Issue - e.g. in case you conclude that a control is not effective.

E. Upon completing the required fields, you have two options: return the control self-assessment to the validation stage or finish the assessment.

  • Return to <name> for validation: Use this button to send back the assessment to the validation stage. You will get a new pop-up in which you can provide an explanation for sending back the assessment.
  • Finish self-assessment: Use this button to finish the assessment.

Finished control self-assessments

Overview table and filtering

Go to [left menu] Internal Control and click on Finished to get an overview of all finished control self-assessments.

Re-open finished assessment

To re-open a finished assessment, go to the Actions menu [...] of the respective control and click View control self-assessment. The control self-assessment will open in a new window.

Use the button Re-open self-assessment to push back the assessment to the previous phase. Based on the level of testing, this can be verification, validation, or testing. In the example shown above, the assessment will be returned to the verification phase.