Day 1 - Tuesday 24 May, 2016
Registration & Introduction

Understanding Risk and its Management

Presentation of all attendees

Session One

What is effective risk management?
• Before talking about risk-based internal auditing, it is necessary to
agree on what is meant by ‘risk’. This topic will address how risk is
described in the major risk frameworks/standards (COSO ERM and
ISO 31000). It will then cover how the management of risk is essential to
effective decision-making and achieving enterprise objectives.
• When can an organization’s management of risk be considered
effective? Is a periodic review of top risks sufficient? What does it
mean to integrate the management of risk into daily decision-making
across the enterprise?
• Who is responsible for the management of risk? Is it the CRO? What
is the relationship between owning risk and owning an objective? How
does an organization address the inter-relationship of risk?
• How much risk is enough? What is risk appetite and does it make
sense? What are risk criteria?
• How can the board or owner of the organization know whether the
desired level of risk is being taken?
• How much risk management is enough?
• Group discussion

Tea Break & Networking
Session Two

What is internal audit’s role in risk management?
• What is internal audit’s mission? What are the core principles for
effective internal auditing, and have they changed expectations?
• What is the difference between internal audit and risk management?
What are the three lines of defence?
• Can internal audit run risk management? Can risk management run
internal audit?
• What is internal audit’s obligation to the board and owners when it
comes to the management of risk?
• Is internal audit an evangelist for risk management?
• The best question to assess whether management understands
whether they are taking the desired level of risk
• Group discussion

Lunch Break & Networking
Session Three

Assessing the organization's risk management capability

• Should internal audit assess how management addresses risk?
• When should internal audit perform an assurance engagement
and when is consulting/advisory work of more value?
• What constitutes ‘adequate’ when assessing risk management?
Is compliance with policy sufficient?
• Do risk management maturity models help?
• How should internal audit communicate their assessment to the
• Group discussion

Tea Break & Networking
Session Four

Moving to auditing the risks that matter and helping the
organization succeed

• Is our job to help the organization succeed or to point out deficiencies?
• What are the risks that matter? Are they the risks that internal audit
traditionally audits?
• What is enterprise risk-based auditing? What are we trying to assess?
• How do we know what matters? What are techniques for finding out?
• Can internal audit assess non-traditional areas of risk?
• Case studies/Group discussion/Exercises

Day 2 - Wednesday 25 May, 2016
Session One

How to identify the risks that matter to the enterprise and its

The dynamic internal audit plan

• How often should the audit plan be updated? What is meant by an agile or
dynamic audit plan?
• The concept of a rolling audit plan
• Explaining agile auditing to the audit committee or owners
• Who is responsible for the audit plan?
• Case studies/Group discussion/Exercises

Tea Break & Networking
Session Two

Defining audit engagements that matter

• Reliance on ERM
• When to perform an assurance and when to perform a consulting/advisory
• When should internal audit not perform an audit?
• How many audits does it take to assess an area of risk?
• Understanding the relationship of IT general controls to business risk
• What if you don’t have the resources you need?
• Case studies/Group discussion/Exercises

Lunch Break & Networking
Session Three

Auditing governance processes

• What is organizational governance? Is it limited to the board or owners?
• Why audit governance processes? Where is the risk?
• When to perform assurance and when to perform advisory work
• How to communicate the results of the audit
• Case studies/Group discussion/Exercises

Tea Break & Networking
Session Four

Internal audit's role in fraud and fraud risk assessment

• Is it internal audit’s role to prevent, detect, or investigate fraud?
• When does internal audit get involved?
• How do you assess the risk of fraud?
• The skills and competency required to address fraud
• An overview of a fraud investigation
• Group discussion

Day 3 - Thursday 26 May, 2016
Session One

Addressing the potential for financial statement fraud

Communicating audit results

• What is the purpose of an audit report?
• What needs to be communicated, and to whom?
• The purpose of a closing meeting
• Selling audit findings and recommendations
• Attributes of an effective communication
• Should we move away from traditional audit reporting?
• Case studies/Group discussion/Exercises


Tea Break & Networking
Session Two

Building a world-class internal audit team

• Now that you have an audit plan, how do you staff it? What are the skills,
experiences, and competencies you need?
• Harnessing the capabilities of the audit team, motivating them to
• Where should the staff be based?
• When should internal auditors be allowed to join other functions?
• Group discussion

Lunch Break & Networking
Session Three

How do you know when internal audit is world-class?

• What are the distinguishing characteristics of world-class internal auditing?
• Does passing a Quality Assurance review guarantee sufficient quality and
• What is the value of internal auditing? Who measures it?
• OK, you are world-class – what is next?
• Group discussion

Tea Break & Networking
Session Four and Workshop Concludes

The future of internal audit

• The use of technology to enhance the value of internal audit
• Should internal audit report to the board/owner
• How can internal audit add value beyond traditional internal auditing?
• Is traditional thinking around independence good or a limitation?
• Group discussion
• Further Q&A, Discussion, Certificate Presentation, Course Close



Day 1
08:00 to 08:30 Registration & Introduction
Day 1-3
08:30 to 10:00 Session One
10:00 to 10:15 Tea Break & Networking
10:15 to 11:45 Session Two
11:45 to 12:45 Lunch Break & Networking
12:45 to 14:15 Session Three
14:15 to 14:30 Tea Break & Networking
14:30 to 16:00 Session Four