A compliance-based CSA focuses on ensuring that the business unit follows the policies and procedures established by the enterprise, regardless of the actual risk level or impact of the controls.

A risk-based CSA focuses on identifying and evaluating the risks that may affect the business unit’s objectives, and designing and implementing controls that are appropriate to mitigate those risks.

A compliance-based CSA may not capture all the high-risk issues that exist in a business unit, especially if they are not aligned with the enterprise’s standards or expectations.

A risk-based CSA may identify more high-risk issues than a compliance-based CSA, because it considers both internal and external factors that may affect the business unit’s performance or security.

Therefore, a difference in results between a previous control self-assessment (CSA) and an audit indicates that either one of them was not risk-based, but rather compliance-based.

The references for this answer are:

Risk IT Framework, page 9

Information Technology & Security, page 3

Risk Scenarios Starter Pack, page 1