Presentation
Course details
Presentation of attendees
 

Understanding Governance, Risk, and Compliance
What is GRC?

• There are two different defnitions of GRC. What are they and why are there differences?
• Examining the only defnition that makes sense, from OCEG
• Group discussion
   

Digging into Governance

• Is there a common, generally accepted defnition of governance?
• What does it mean in practical terms?
• Where do the more frequent governance failures arise?
• Leadership by ownership or representatives of the owners: the more common issues
• The role of a board; executive teamwork; shared objectives
• Vision, strategy, and objectives
• Measuring performance
• Ethics, whistle-blower lines, and investigations
• Oversight of the external auditor
• The role of the legal function
• Who is responsible for the culture of the organization?
• Group discussion
   

Understanding risk management

• Why do so many executives and board members see little value beyond compliance in risk management
• The relationship between risk management and decisionmaking
• How risk management enables success, not just avoiding failure
• Why do we take risk?
• How often is risk managed?
• Who manages risk? What is the ideal role of the risk practitioner?

Understanding risk management

• The value of a periodic review of risks
• Why heat maps fail to paint the right picture
• Risk appetite, tolerance, and taking the right level of the right risks
• Where does insurance ft?
• Providing useful information about risk to the executives and the board
• Group discussion

Compliance and audit fundamentals
The compliance function

• An effective compliance function starts with knowing with what you have to comply
• How can you ensure 100% compliance?
• How much compliance risk should you take?
• Policies, training, testing, and certifcation
• Monitoring compliance risk
• Fraud risk
• Who is responsible for compliance?
• Where does internal audit ft?
• Reporting non-compliance
• Group discussion
   

Internal audit fundamentals

• What is the role of internal audit? What is its purpose, its mission?
• Examining the defnition and principles for effective internal auditing
• Where should internal audit report?
• Independence and objectivity
• Group discussion
   

Moving to auditing the risks that matter and helping the organization succeed

• Is our job to help the organization succeed or to point out defciencies?
• What are the risks that matter? Are they the risks that internal audit traditionally audits?
• What is enterprise risk-based auditing? What are we trying to assess?
• How do we know what matters? What are techniques for fnding out?
• Can internal audit assess non-traditional areas of risk?
• Case studies/Group discussion/Exercises

The dynamic internal audit plan

• How often should the audit plan be updated? What is meant by an agile or dynamic audit plan?
• The concept of a rolling audit plan
• Explaining agile auditing to the audit committee or owners
• Who is responsible for the audit plan?
• Group discussion

Defning audit engagements that matter

• Reliance on ERM
• When to perform an assurance and when to perform a consulting/advisory engagement
• When does should internal audit not perform an audit?
• How many audits does it take to assess an area of risk?
• Understanding the relationship of IT general controls to business risk
• What if you don’t have the resources you need?
• Case studies/Group discussion/Exercises
   

Internal audit and GRC
Communicating audit results

• What is the purpose of an audit report?
• What needs to be communicated and to whom?
• The purpose of a closing meeting
• Selling audit fndings and recommendations – effecting change
• Attributes of an effective communication
• Should we move away from traditional audit reporting?
• Case studies/Group discussion/Exercises

How do you know when internal audit is world-class?

• What are the distinguishing characteristics of world-class internal auditing?
• Does passing a Quality Assurance review guarantee suffcient quality and value?
• What is the value of internal auditing? Who measures it?
• OK, you are world-class – what is next?
• Group discussion

Internal audit’s role in fraud and fraud risk assessment

• Is it internal audit’s role to prevent, detect, or investigate fraud?
• When does internal audit get involved?
• How do you assess the risk of fraud?
• The skills and competency required to address fraud
• An overview of a fraud investigation
• Group discussion

Auditing governance processes

• What is organizational governance? Is it limited to the board or owners?
• Why audit governance processes? Where is the risk?
• When to perform assurance and when to perform advisory work
• How to communicate the results of the audit
• Case studies/Group discussion/Exercises

Auditing risk management

• Why should internal audit assess the management of risk?
• Should the audit be against policies, a standard or framework, or something else?
• How to communicate the results of an audit?
• Group discussion

GRC

• Now we understand the pieces, let’s ft them together
• How is the sum greater than the parts?
• Silos and fragmentation
• How failures in GRC inhibit success
• Coordination among assurance functions
• GRC projects
• The value (or not) of software
• Group discussion
   

Closing thoughts

• Other topics of interest
• Closing discussion
• Awards and Recognition