INSTITUTE FOR BANKING AND FINANCE

Risk-Based Auditing (Sep. 11-12, 2003)

Course Objective:

Introduce participants to the basics of risk management and explore risk-based approaches with them, so as to enable them to apply these tools in carrying out daily operations.

Participants:

Internal auditors, external auditors, risk managers, compliance officers, human resources managers, facilities managers, information technology security officers, management, educators and anyone involved in risk management identification, implementation and review.

Day One: Risk Management

09.00

Course Introduction

09.15

The Nature of Risk

  • The nature of risk-based auditing; definitions
  • Three aspects of risk-based auditing:
    • Use of "risk" factors in audit planning
    • Risk-based business process audits
    • Participation in risk management initiatives and processes
  • The concept of risk defined and explained
  • The relationship between risk and objectives, environment and control
  • Risk as a topical issue: external and internal drivers
  • Types of risk: system, control and audit risk
  • The elements of risk: probability and impact
  • Inherent and residual risk, and other terms; jargon-busting

Exercise: identifying risks within a particular organization/operation.

10.45

Coffee Break

11.00

Risk and Internal Audit

  • The development and contribution of internal audit
  • Audit's primary roles, objectives and concerns
  • The scope of modern audit work
  • IIA definition: achieving a balance between assurance and consulting roles
  • The reasons for a risk-focus
  • Approaches: conventional auditing techniques, use of CSA, IT-based audits
  • Audit methodology: the business process (systems) approach
  • Audit styles: working in partnership
  • Basic principles: independence and added value
  • Professional standards: latest IIA guidance

12.00

Exercise: selecting and planning a risk-based audit

12.45

Lunch Break

13.45

Business Risk

  • Business uncertainty: external and internal events
  • Taking and controlling risks: enterprise versus caution
  • Relating risks to company objectives
  • Generic risks and control objectives
  • Categories of risk
  • Risk assessment

14.15

Risk Management

  • Drivers: external requirements and internal needs
  • Approaches to risk management
  • The four levels of risk management
  • Establishing a risk management programme
  • Related developments, e.g. Control Self Assessment
  • The elements of a risk management process
  • Models and standards, e.g. AS/NZS 4360:1999, UK standard, new COSO Conceptual Framework

15.15

Coffee Break

15.30

Exercise: How can internal audit best contribute to the development and implementation of enterprise-wide risk management systems?

16.15

Internal Audit and Risk Management

  • Options: roles, opportunities, expectations
  • Relevant IIA Standards, Practice Advisories and other guidance
  • Strategic and operational roles

Day Two: Applying the Risk-Based Approach

09.00

Day Review

09.15

Determining a Risk-Based Audit Framework

  • Determining policies, procedures, practices
  • Applying the three elements

09.30

Considering Risk in Audit Plans and Processes

  • Audit's traditional independent risk analysis
  • Considering risk in strategic audit plans
  • Considering risk in assignment planning
  • Linking audit plans and risk analysis to management's own risk assessments
  • Audit risk: controlling the audit process, setting an example

Exercise: identifying audit risks

10.15

  • Building on the systems-based approach
  • Operational and strategic level risk-based audits
  • High level audits of specific issues, e.g. overall control framework, financial control, fraud, environment, reputation
  • Auditing the control environment and "soft" issues
  • Use of control frameworks such as COSO
  • The audit process; stages of an assignment

11.00

Coffee Break

11.15

Worked example and exercise: planning and performing a risk-based audit

12.30

Lunch Break

13.30

Audit Participation in Risk Management Projects and Processes

  • Detailed analysis of each audit role
  • Examples of audit involvement in practice
  • Examination of the stages of a) implementing an enterprise-wide risk management system, and b) the risk management cycle, and audit's contribution
  • Techniques available, e.g. CSA

15.00

Coffee Break

15.15

The Way Forward

  • Determining the role, responsibilities, scope and approach of a risk-based audit function
  • Practicalities and action plans

Group discussions and presentations

17.00

Course summary and close


