Risk-Based Auditing (Sep. 11-12, 2003)

Course Objective:

Introduce participants to the basics of Risk Management and explore with them risk-based approaches, so as to enable them to apply these tools in carrying out daily operations.


Internal auditors, external auditors, risk managers, compliance officers, human resources managers, facilities managers, information technology security officers, management, educators and any partaker in risk management identification, implementation and review.

Day One: Risk Management


Course Introduction


The Nature of Risk

  • The nature of risk-based auditing; definitions
  • Three aspects of risk-based auditing:
    • Use of "risk" factors in audit planning
    • Risk-based business process audits
    • Participation in risk management initiatives and processes
  • The concept of risk defined and explained
  • The relationship between risk and objectives, environment and control
  • Risk as a topical issue: external and internal drivers
  • Types of risk: system, control and audit risk
  • The elements of risk: probability and impact
  • Inherent and residual risk, and other terms; jargon-busting

Exercise: identifying risks within a particular organization/operation.


Coffee Break


Risk and Internal Audit

  • The development and contribution of internal audit
  • Audit's primary roles, objectives and concerns
  • The scope of modern audit work
  • IIA definition: achieving a balance between assurance and consulting roles
  • The reasons for a risk-focus
  • Approaches: conventional auditing techniques, use of CSA, IT-based audits
  • Audit methodology: the business process (systems) approach
  • Audit styles: working in partnership
  • Basic principles: independence and added value
  • Professional standards: latest IIA guidance


Exercise: selecting and planning a risk-based audit


Lunch Break


Business Risk

  • Business uncertainty: external and internal events
  • Taking and controlling risks: enterprise versus caution
  • Relating risks to company objectives
  • Generic risks and control objectives
  • Categories of risk
  • Risk assessment


Risk Management

  • Drivers: external requirements and internal needs
  • Approaches to risk management
  • The four levels of risk management
  • Establishing a risk management programme
  • Related developments, e.g. Control Self Assessment
  • The elements of a risk management process
  • Models and standards, e.g. AS/NZS 4360:1999, UK standard, new COSO Conceptual Framework


Coffee Break


Exercise: How can internal audit best contribute to the development and implementation of enterprise-wide risk management systems?


Internal Audit and Risk Management

  • Options: roles, opportunities, expectations
  • Relevant IIA Standards, Practice Advisories and other guidance
  • Strategic and operational roles

Day Two: Applying the Risk-Based Approach


Day Review


Determining a Risk-Based Audit Framework

  • Determining policies, procedures, practices
  • Applying the three elements


Considering Risk in Audit Plans and Processes

  • Audit's traditional independent risk analysis
  • Considering risk in strategic audit plans
  • Considering risk in assignment planning
  • Linking audit plans and risk analysis to management's own risk assessments
  • Audit risk: controlling the audit process, setting an example

Exercise: identifying audit risks


  • Building on the systems-based approach
  • Operational and strategic level risk-based audits
  • High level audits of specific issues, e.g. overall control framework, financial control, fraud, environment, reputation
  • Auditing the control environment and "soft" issues
  • Use of control frameworks such as COSO
  • The audit process; stages of an assignment


Coffee Break


Worked example and exercise: planning and performing a risk-based audit


Lunch Break


Audit Participation in Risk Management Projects and Processes

  • Detailed analysis of each audit role
  • Examples of audit involvement in practice
  • Examination of the stages of a) implementing an enterprise-wide risk management system, and b) the risk management cycle, and audit's contribution
  • Techniques available, e.g. CSA


Coffee Break


The Way Forward

  • Determining the role, responsibilities, scope and approach of a risk-based audit function
  • Practicalities and action plans

Group discussions and presentations


Course summary and close
