Understanding Risk and its Management
Opening Session
Presentation
Course details
Presentation of all attendees
What is effective risk management?
• Before talking about risk-based internal auditing, it is necessary to
agree on what is meant by ‘risk’. This topic will address how risk is
described in the major risk frameworks/standards (COSO ERM and
ISO 31000). It will then cover how the management of risk is essential to
effective decision-making and achieving enterprise objectives.
• When can an organization’s management of risk be considered
effective? Is a periodic review of top risks sufficient? What does it
mean to integrate the management of risk into daily decision-making
across the enterprise?
• Who is responsible for the management of risk? Is it the CRO? What
is the relationship between owning risk and owning an objective? How
does an organization address the inter-relationship of risk?
• How much risk is enough? What is risk appetite and does it make
sense? What are risk criteria?
• How can the board or owner of the organization know whether the
desired level of risk is being taken?
• How much risk management is enough?
• Group discussion
What is internal audit’s role in risk management?
• What is internal audit’s mission? What are the core principles for
effective internal auditing, and have they changed expectations?
• What is the difference between internal audit and risk management?
What are the three lines of defence?
• Can internal audit run risk management? Can risk management run
internal audit?
• What is internal audit’s obligation to the board and owners when it
comes to the management of risk?
• Is internal audit an evangelist for risk management?
• The best question to assess whether management understands
whether they are taking the desired level of risk
• Group discussion
Assessing the organization's risk management capability
• Should internal audit assess how management addresses risk?
• When should internal audit perform an assurance engagement
and when is consulting/advisory work of more value?
• What constitutes ‘adequate’ when assessing risk management?
Is compliance with policy sufficient?
• Do risk management maturity models help?
• How should internal audit communicate their assessment to the
board/owners?
• Group discussion
Moving to auditing the risks that matter and helping the
organization succeed
• Is our job to help the organization succeed or to point out deficiencies?
• What are the risks that matter? Are they the risks that internal audit
traditionally audits?
• What is enterprise risk-based auditing? What are we trying to assess?
• How do we know what matters? What are techniques for finding out?
• Can internal audit assess non-traditional areas of risk?
• Case studies/Group discussion/Exercises
How to identify the risks that matter to the enterprise and its
leaders
The dynamic internal audit plan
• How often should the audit plan be updated? What is meant by an agile or
dynamic audit plan?
• The concept of a rolling audit plan
• Explaining agile auditing to the audit committee or owners
• Who is responsible for the audit plan?
• Case studies/Group discussion/Exercises
Defining audit engagements that matter
• Reliance on ERM
• When to perform an assurance and when to perform a consulting/advisory
engagement
• When should internal audit not perform an audit?
• How many audits does it take to assess an area of risk?
• Understanding the relationship of IT general controls to business risk
• What if you don’t have the resources you need?
• Case studies/Group discussion/Exercises
Auditing governance processes
• What is organizational governance? Is it limited to the board or owners?
• Why audit governance processes? Where is the risk?
• When to perform assurance and when to perform advisory work
• How to communicate the results of the audit
• Case studies/Group discussion/Exercises
Internal audit's role in fraud and fraud risk assessment
• Is it internal audit’s role to prevent, detect, or investigate fraud?
• When does internal audit get involved?
• How do you assess the risk of fraud?
• The skills and competency required to address fraud
• An overview of a fraud investigation
• Group discussion
Addressing the potential for financial statement fraud
Communicating audit results
• What is the purpose of an audit report?
• What needs to be communicated, and to whom?
• The purpose of a closing meeting
• Selling audit findings and recommendations
• Attributes of an effective communication
• Should we move away from traditional audit reporting?
• Case studies/Group discussion/Exercises
Building a world-class internal audit team
• Now that you have an audit plan, how do you staff it? What are the skills,
experiences, and competencies you need?
• Harnessing the capabilities of the audit team, motivating them to
excellence
• Where should the staff be based?
• When should internal auditors be allowed to join other functions?
• Group discussion
How do you know when internal audit is world-class?
• What are the distinguishing characteristics of world-class internal auditing?
• Does passing a Quality Assurance review guarantee sufficient quality and
value?
• What is the value of internal auditing? Who measures it?
• OK, you are world-class – what is next?
• Group discussion
The future of internal audit
• The use of technology to enhance the value of internal audit
• Should internal audit report to the board/owner?
• How can internal audit add value beyond traditional internal auditing?
• Is traditional thinking around independence good or a limitation?
• Group discussion
• Further Q&A, Discussion, Certificate Presentation, Course Close
Course Program | |
---|---|
Time | Topic |
Day 1 | |
08:00 to 08:30 | Registration & Introduction |
Day 1-3 | |
08:30 to 10:00 | Session One |
10:00 to 10:15 | Tea Break & Networking |
10:15 to 11:45 | Session Two |
11:45 to 12:45 | Lunch Break & Networking |
12:45 to 14:15 | Session Three |
14:15 to 14:30 | Tea Break & Networking |
14:30 to 16:00 | Session Four |