Day 1 - Sunday 20 August, 2017
Opening Session
Presentation
Course details
Presentation of attendees
Session One
Understanding Governance, Risk, and Compliance
What is GRC?
- There are two different definitions of GRC. What are they and why are there differences?
- Examining the only definition that makes sense, from OCEG
- Group discussion
Tea Break & Networking
Session Two
Digging into Governance
- Is there a common, generally accepted definition of governance?
- What does it mean in practical terms?
- Where do the more frequent governance failures arise?
- Leadership by ownership or representatives of the owners: the more common issues
- The role of a board; executive teamwork; shared objectives
- Vision, strategy, and objectives
- Measuring performance
- Ethics, whistle-blower lines, and investigations
- Oversight of the external auditor
- The role of the legal function
- Who is responsible for the culture of the organization?
- Group discussion
Lunch Break & Networking
Session Three
Understanding risk management
- Why do so many executives and board members see little value beyond compliance in risk management?
- The relationship between risk management and decision-making
- How risk management enables success, not just avoiding failure
- Why do we take risk?
- How often is risk managed?
- Who manages risk? What is the ideal role of the risk practitioner?
Tea Break & Networking
Session Four
Understanding risk management
- The value of a periodic review of risks
- Why heat maps fail to paint the right picture
- Risk appetite, tolerance, and taking the right level of the right risks
- Where does insurance fit?
- Providing useful information about risk to the executives and the board
- Group discussion
Day 2 - Monday 21 August, 2017
Session One
Compliance and audit fundamentals
The compliance function
- An effective compliance function starts with knowing with what you have to comply
- How can you ensure 100% compliance?
- How much compliance risk should you take?
- Policies, training, testing, and certification
- Monitoring compliance risk
- Fraud risk
- Who is responsible for compliance?
- Where does internal audit fit?
- Reporting non-compliance
- Group discussion
Tea Break & Networking
Session Two
Internal audit fundamentals
- What is the role of internal audit? What is its purpose, its mission?
- Examining the definition and principles for effective internal auditing
- Where should internal audit report?
- Independence and objectivity
- Group discussion
Lunch Break & Networking
Session Three
Moving to auditing the risks that matter and helping the organization succeed
- Is our job to help the organization succeed or to point out deficiencies?
- What are the risks that matter? Are they the risks that internal audit traditionally audits?
- What is enterprise risk-based auditing? What are we trying to assess?
- How do we know what matters? What are techniques for finding out?
- Can internal audit assess non-traditional areas of risk?
- Case studies/Group discussion/Exercises
The dynamic internal audit plan
- How often should the audit plan be updated? What is meant by an agile or dynamic audit plan?
- The concept of a rolling audit plan
- Explaining agile auditing to the audit committee or owners
- Who is responsible for the audit plan?
- Group discussion
Tea Break & Networking
Session Four
Defining audit engagements that matter
- Reliance on ERM
- When to perform an assurance and when to perform a consulting/advisory engagement
- When should internal audit not perform an audit?
- How many audits does it take to assess an area of risk?
- Understanding the relationship of IT general controls to business risk
- What if you don’t have the resources you need?
- Case studies/Group discussion/Exercises
Day 3 - Tuesday 22 August, 2017
Session One
Internal audit and GRC
Communicating audit results
- What is the purpose of an audit report?
- What needs to be communicated and to whom?
- The purpose of a closing meeting
- Selling audit findings and recommendations – effecting change
- Attributes of an effective communication
- Should we move away from traditional audit reporting?
- Case studies/Group discussion/Exercises
How do you know when internal audit is world-class?
- What are the distinguishing characteristics of world-class internal auditing?
- Does passing a Quality Assurance review guarantee sufficient quality and value?
- What is the value of internal auditing? Who measures it?
- OK, you are world-class – what is next?
- Group discussion
Tea Break & Networking
Session Two
Internal audit’s role in fraud and fraud risk assessment
- Is it internal audit’s role to prevent, detect, or investigate fraud?
- When does internal audit get involved?
- How do you assess the risk of fraud?
- The skills and competency required to address fraud
- An overview of a fraud investigation
- Group discussion
Lunch Break & Networking
Session Three
Auditing governance processes
- What is organizational governance? Is it limited to the board or owners?
- Why audit governance processes? Where is the risk?
- When to perform assurance and when to perform advisory work
- How to communicate the results of the audit
- Case studies/Group discussion/Exercises
Auditing risk management
- Why should internal audit assess the management of risk?
- Should the audit be against policies, a standard or framework, or something else?
- How to communicate the results of an audit?
- Group discussion
Tea Break & Networking
Session Four
GRC
- Now we understand the pieces, let’s fit them together
- How is the sum greater than the parts?
- Silos and fragmentation
- How failures in GRC inhibit success
- Coordination among assurance functions
- GRC projects
- The value (or not) of software
- Group discussion
Certificate Distribution & Workshop Closure
Closing thoughts
- Other topics of interest
- Closing discussion
- Awards and Recognition