A compliance-based CSA focuses on ensuring that the business unit follows the policies and procedures established by the enterprise, regardless of the actual risk level or impact of the controls.
A risk-based CSA focuses on identifying and evaluating the risks that may affect the business unit’s objectives, and designing and implementing controls that are appropriate to mitigate those risks.
A compliance-based CSA may not capture all the high-risk issues that exist in a business unit, especially if they are not aligned with the enterprise’s standards or expectations.
A risk-based CSA may identify more high-risk issues than a compliance-based CSA, because it considers both internal and external factors that may affect the business unit’s performance or security.
Therefore, a difference in results between a previous control self-assessment (CSA) and an audit indicates that either one of them was not risk-based, but rather compliance-based.
The references for this answer are:
Risk IT Framework, page 9
Information Technology & Security, page 3
Risk Scenarios Starter Pack, page 1
