Certificate in Internal Audit 3


Risk Based Auditing - the next level

Who should attend?
• Heads of Audit, Audit managers and senior auditors
• Auditors responsible for developing or implementing a risk based approach
• Other assurance professionals, such as those in Compliance and QA functions, who want to develop their risk based approach
• Managers and Directors of business functions, to aid their knowledge of a risk based audit approach

This course will be highly beneficial for delegates who have previously attended the Certificate in Internal Audit II: The Developing Internal Auditor or the Certificate in IA I: Essentials of Internal Audit.

Course Level
• This is an intermediate level course and delegates should have at least 12 months' experience in Internal Audit (or other assurance roles) to attend
• Delegates should have a good educational standard (Bachelor's degree or above) and/or a professional qualification, or be in the process of studying for such qualifications
• No advance preparation is required

Delivery method
• Group-live (with exercises and case studies to provide practical application of the tools and techniques)
• A pre-course questionnaire will be sent out 2-3 weeks prior to the course date to obtain some information about the delegate's role and to provide an opportunity to indicate specific learning requirements

Highlights
• A new 2 hour session - step by step guide to completing a risk based audit
• New IIA professional guidance - an approach to implementing RBA
• New IIA guidance on annual internal audit coverage plans
• Key RBA messages from the IIA annual conference in London
• Internal audit coverage of risks to achieving strategic objectives
• Risk Based Internal Audit Plan Example
• Risk management challenges and the IA impact
• New audit programme - auditing ERM

After completing this course you will be able to
• Take RBA to the next level

• Advise management better on the methods of identification, mitigation and control of risks
• Challenge management and sell the benefits of proactive risk management
• Audit major areas of risk for your business with confidence
• Add value to your organisation by the application of risk-based audit services
• Deliver more effective audit plans through developing the appreciation of risk
• Plan risk based assignments efficiently and effectively
• Measure success more effectively

CPE credits
Participants can earn up to 30 CPE credits (20 in the Auditing field of study and 10 in the Management Advisory Services field of study).

Why you should attend
The Institute of Internal Auditors, in a professional guidance statement, stated the following: 'Internal Audit are being asked to provide much greater assurance to Senior Management than ever before. The Institute believes that the only way to provide such objective assurance is by means of risk based auditing'.

Audit functions that are able to focus their efforts towards the significant risk in their organisations are able to concentrate their limited resources on the issues which drive business goals and aspirations. In consequence, audit plans are directed at the issues which really matter.

This course provides all the latest developments. The 2015 course features a case study on the step by step approach to a risk based audit. Furthermore, a participative approach whereby auditors and managers work together to identify, assess and control business risks significantly enhances the level of assurance and reduces the chances of nasty surprises - a huge benefit to most organisations.

Day 1: Risk and Internal Audit

Developments in Risk Based Audit
• Worldwide trends
• Trends (from the BRM Internal audit best practice database)
• New RBA challenges
• The transitions in risk based audit to provide wider assurance
• How risk based audit has changed the face of auditing
• Audit's primary roles, objectives and concerns

• Questions about the maturity of the audit process
• The role of the function - policeman, risk assessor or consultant
• How to ensure you adopt best practice
• The need to widen the coverage - to become more operationally based
• RBA in the different sectors in the GCC
• The steps needed to enhance the risk based approach
• Audit risks (what risks do you face?)
• The key challenges resulting
Exercise 1: Challenges for Internal Audit

The Nature of Risk
• The concept of Enterprise risk (ERM)
• The relationship between risk and objectives
• Why senior management may lack a full understanding of the risks
• Risk cultures
• Surprises and risk
• Measurement of risk: probability and impact (or likelihood and consequences)
• Categories of risk
• The most common critical risks
Exercise 2: Analysing a disaster

The developing risk agenda
• The wider business agenda - understanding strategic risks
• How risk management has grown from being a useful tool to being the very pulse of the organisation
• Selling the need for a RBA approach
• Building an appreciation of your organisation's risk appetite
• The International Risk standard ISO
• A new paper on the audit implications of ISO will be shared
• Steps to take in establishing a business risk management programme
• Outline of a best practice process
• A new paper on Risk management challenges and the IA impact

Risk Identification and Evaluation
• Approaches and techniques
• The IA role in risk identification
• Explanation of a risk workshop approach

• The need for facilitation skills and the characteristics required
• How to identify, sift and group the risks
• The use of diagnostic questions and thought-provokers
• Measuring the consequences and the likelihood of occurrence of each key risk
• Inherent and residual risk
• The use of risk matrices to prioritise the risks
• Case study and identification techniques
• A new paper on auditing risk assessment will be provided
Exercise 3: Risk based audit - the risks

Day 2: Risk Management and the Audit Role

The Role of Internal Audit in Risk Facilitation
• Key requirements of the facilitator
• Risk workshop do's and don'ts
• Selling the benefits of attendance
• The workshop process
Exercise 4: Interactive Risk Workshop

Assessment of Risk Mitigation
• The need for separate mitigation workshops
• How to assess risk mitigation
• Identification and evaluation of risk exposures
• Dealing with the exposures (the 4 Ts - terminate, tolerate, treat or transfer)
• Exploiting opportunities
• Completing the risk register
• Establishment of action plans
Exercise 5: Risk Exposures

Risk and Internal Audit
• New IIA professional guidance - an approach to implementing RBA
• Guidance on the links and differences between the audit and risk management roles (including the IIA position)
• Identifying, appraising and evaluating risk during the audit process
• Translating key risks from the business risk process into the basis of the audit programme
• Auditing the process

Exercise 6: Risk and reward (the not so buried treasure)

Embedding the Process
• Integrating the risk output with business plans
• Risk owners
• Annual statements from risk owners
• The risk register as a decision skeleton
• Quarterly board reporting to review progress in addressing the exposures
• Risk Management Committee reporting
• Bi-annual evaluation of key risks to ensure new risks are identified and included
Exercise 7: Interactive Risk Workshop - Mitigation

Day 3: Practicalities of Risk Based Auditing

The Internal Audit Role
• A strategic vision for Internal Audit
• The audit charter and terms of reference
• Measuring success and adding value
• Meeting management expectations
Exercise 8: Success Measures

Strategic Audit Planning
• Strategic audit planning
• How to decide which areas to audit
• The audit universe - new IIA guidance
• Determining the level of assurance
• New IIA guidance on annual internal audit coverage plans
• The RBA audit plan preparation
• Risk Based Internal Audit Plan Example
• Demonstration of a best practice audit risk planning model (an electronic version will be provided)
Exercise 9: Developing a strategic audit plan using the model

Tactical Audit Planning
• Audit programme development
• Sources of audit work
• Assignment planning and control
• Managing audit requests

• Use of technology - CAATS, audit automation, etc.
• Audit coverage - geographic and business units
• How to cover specialist areas

Fieldwork techniques
• Types of fieldwork
• Compliance
• Transaction testing
• Analytical review
• Statistical sampling
• Process reviews
• Flowcharting
• Questionnaires
• Workshops
• How to decide what techniques to use
• How to determine the depth of testing required
• New IIA advice on audit sampling
• Audit testing
• Working papers
Exercise 10: The challenges of audit testing

Day 4: Risk Based Auditing in Practice

Planning a Risk based audit
• A worked example of a risk based audit
• Brainstorming the functional objectives
• Building a picture of the risks
• Consider threats and opportunities
• Building the details of the controls
• Planning the assignment
• Determining the types of test and techniques to use
• Determining the threats to success
Exercise 11: Specific audits will be chosen for the purpose by the delegates and the functional objectives and risks brainstormed in groups

The Risk Based Audit step by step
• A risk based programme example will be walked through
• Reviewing the business objectives
  o Are the objectives comprehensive and SMART?
• Do the risks in the register relate properly to the objectives?
  o Are they specifically linked to the objectives and recorded?
• Are the inherent risks correctly evaluated?

• Are any key risks missing?
• Are the causes of the event identified?
• Have mitigating actions been recorded for each risk?
  o Is such mitigation detailed enough?
• Are there any actions in progress to deal with risk?
  o Assess the status of such actions
  o Are there any management decisions pending?
  o Has a target risk been established?
  o Assess confidence level in the potential for such actions to reduce the risk required
  o Is the target risk realistic?
• Audit testing
  o Test each mitigating control by means of walk through tests
  o Extend testing as required to obtain sufficient evidence
• Determining an audit risk and control assessment
  o Evaluating and recording such assessments
  o Presenting the evidence to management
  o How to ensure consistency
Exercise 12: The RBA in practice using audits selected by you

The RBA deliverables
• The need to assess the risk maturity of the function
• Commitment to risk management
• The questions to ask
• Assessing risk appetite
• Reviewing the effectiveness of the risk management process adopted
• Determining which risks should be concentrated on in the audit
• Reviewing risk ownership and identifying gaps
• Identifying residual risks above the risk appetite
• Assessing the 4 Ts
• Monitoring of action plans
• Evaluation and reporting of actual versus perceived controls
• Determining which key risks are not readily auditable
• New audit programme - auditing ERM
Exercise 13: Challenges of the RBA - group discussion

Day 5: Developing the RBA role to engage management

Relationships with the Board and Audit Committees
• Board requirements of internal audit

• Developing regular contact with the chief executive
• Role of the Audit Committee
• The Audit Committee relationship - how to develop this
• Evaluating the audit committee requirements
• How to anticipate requests
• Audit Committee oversight paper
• Questions the Audit Committee should ask
• How to develop effective audit committee reports
• Developing an annual report for the Board or Audit Committee
Exercise 14: The Audit Committee or Board report

The need to engage senior management
• Senior management are extremely busy
• Risks and controls may not be top of their agenda
• The tone at the top will influence everyone else
• The need to demonstrate the positive benefits of managing risk and having effective controls
• Present the benefits of better risk management in ways which management can identify
• Hold a meeting with the CEO and influential members of the Board (with a clear but short agenda)
• Go prepared with a succinct presentation and some practical recommendations
• Use the opportunity to argue for the importance of tone from the top
• Point out the key risks facing the organization, and show how a well-designed control structure can help
• Don't expect everything to be achieved with just one meeting
• Be prepared to keep going back with the same messages until they are not only accepted, but also acted on
Exercise 15: The senior management meeting (role play)

The Converging Roles of the Assurance Providers
• The increasing emphasis on governance, assurance and control
• How should the various assurance providers rise to the risk challenge?
• Synchronising regulatory compliance with internal audit and the risk management functions
• The need to coordinate quality assurance, security, insurance and the health and safety functions in relation to risk management
• Linking external auditors into the process
Exercise 16: Coordinating your efforts with other assurance providers

• How can a better understanding of the RBA role be gained?
• How can the profile be enhanced?
• What do management think of the IA service?
• Ways to promote your function better
• Communication strategies
• New IIA guidance - What every Director should know about IA
• Opportunities for Internal audit