Control Self Assessment. For Risk Management and Other Practical Applications

This is a balanced, definitive and encyclopaedic treatment of a topic which has been crying out for some time for such a book to be written. Indeed, this is the most significant and useful internal audit‐related text to be published for many a year. Control Self Assessment has taken on almost cult status, akin to that accompanying the latest fads and fancies of management gurus. This is indicated in part by the diverse acronyms and definitions that have grown up around it, plus the single routes to salvation claimed by this and that adherent. One of these definitions is paraphrased from an IIA Research Foundation Study:

A workshop‐based approach using facilitated group processes to examine business risks and controls and gain commitment through shared responsibility to action and improvement.

In its essence it is nothing new – British Petroleum was practising it in the early 1980s, albeit with varying degrees of company recognition and success. Keith Wade’s introduction is, as always when he writes, both a literary gem, and a provocation to thought and action. Certainly the technique is here to stay, although it has not always become an integral part of corporate governance, nor is it widely mentioned in management texts, and its relationship to internal audit is tricky, given that it is a line management function. There is a danger that internal audit be sucked in and take over, which would be self‐defeating. The problems, opportunities and issues are fully explored, and Keith outlines 12 stages of maturity in understanding and, where relevant, applying CSA. He also provides a map of the various possible approaches, and where they may be found within the book.

In the finale, Andy Wynne dampens down enthusiasm by stating that the benefits of CSA may have been exaggerated, and that it is not so revolutionary in its impact on internal control and risk management. It is simply cited as being a useful tool. One can take issue with his comment that the stages outlined can be viewed as the gradual transfer of responsibility for internal control from internal auditors to operational managers. Since operational managers always had it, there is nothing to be transferred. In the bulk of the book are to be found chapters from almost all those who run courses or provide conference presentations on the subject. Indeed, the book at £50, is considerably cheaper than attending an external workshop or conference, and so is undoubtedly a sound investment. The reader is treated to the state‐of‐the‐art across a catholic range of organisational types, and the book is a highly satisfying read which is a must for every corporate library.