Event Overview

It has become apparent from disclosures and failures that the way that many organisations deal with risk is ad-hoc, and it follows that there are powerful reasons for internal auditors to reappraise their approach to risk to ensure that it is appropriate, efficient and effective.

Risk Based Auditing is recognised as the best way to deliver internal audit services within leading-edge organisations. The Institute of Internal Auditors UK and Ireland has recently issued directives that strongly endorse this principles-based approach.

This seminar demonstrates a better way of adding value to the audit process and draws ideas from the disciplines of risk management, audit planning, risk architecture and process engineering to deliver a superior risk-based internal audit product. The seminar is packaged to suit all-comers and takes delegates through the risk based audit process beginning with a better appreciation of risk concepts and risk terminology, through risk management and risk architecture, and then stepwise through audit planning to audit conclusions.

The seminar will include a large number of practical exercises to ensure that, on return to work, delegates will have a much improved understanding of risk and the risk based internal audit process.

 


April 08-12, 2007, Dubai

Who Should Attend

  • Auditors
  • Chief Internal Auditors
  • Members, Heads and Managers of Audit Committee
  • Managers of Compliance
  • Accountants
  • Finance Directors and Managers
  • Heads of Risk Assessment
  • Chief Financial Officers
  • Heads of Internal Control
  • Operational Risk Managers


Benefits of Attending

 

Attend this participative seminar and discover:

  • Risk management foundations, concepts and terminology

  • The Leading Edge processes that add extra value to any audit team

  • How to create risk architectures that meet COSO ERM requirements

  • How to audit the risk management processes of your organisation

  • How to link organisational objectives into focused risk-driven audit plans and processes

  • How to thread and embed risk into each activity performed by the audit team

  • How to conduct audits keeping risk, consequence and cost of control in mind

  • How to add better value to all audits and to the organisation through superior working methods


Seminar Outline

DAY – 1: Foundations of Risk

RISK AWARENESS

  • Three definitions of risk: the insurable; the preventable; and the manageable
  • The impact of risk

Practical exercise: the consequences of maturing threats

  • What is risk awareness?
  • Distinguishing personal risk from organisational risk

Practical exercise: revealing the differences between personal and organisational risk

  • Business processes and risk
  • Embedding risk around and within business processes

Practical exercise: examining a process and locating risk

  • Risk capability models – maturity models for businesses
  • Continuous risk improvement processes

FORMALISING RISK CONCEPTS

  • Terminology and definitions – a quick primer
  • Calculation of risk exposures

Practical exercise: simple risk calculations to gain a high-level view

  • Why we use different ways of assessing risk in different situations
  • Quantitative and semi-quantitative models
  • Consequence based models
  • Cause-effect models

Practical exercise: selecting and using the correct risk model – practice at using different risk models

DAY – 2: Risk Architectures and auditing Risk Management Systems

RISK ARCHITECTURE

  • The notion of Enterprise Risk Management – example: the COSO ERM

Practical exercise: justifying a formal approach to the management of risk and creating enterprise risk architectures

  • From mission statement to objectives
  • From objectives to risk
  • From risk to control

Practical exercise: turning business objectives into risk architecture – simple example

  • Creating a Formal Enterprise Risk Architecture using analytical techniques
  • Context – Objective – Logical Architecture – Physical Architecture
  • Operational Architecture
  • Integration of risk-control and risk-management processes

Practical exercise: creating an enterprise risk architecture from a cold-start

RISK MANAGEMENT AND THE AUDITOR

  • The point of examining and auditing risk management processes
  • Determining the maturity level of the risk management process
  • The audit process – how to review the risk management system

Practical exercise: auditing a risk management system – this is a phased review and will be interspersed between the key elements of this session

DAY – 3: Risk Driven Audit Planning and Risk Driven Audits

THE MANDATE

  • The audit charter and the audit universe
  • The expectations of audit from legislators, management and stakeholders – the non-audit viewpoint

Practical exercise: review of the audit charter and stakeholder expectations

GATHERING DATA AND CREATING PLANS

  • Risk assessment – the key tasks
  • Holding and managing self-assessment workshops

Practical exercise: hosting a risk workshop – a participative exercise

  • Compiling risk registers – the purpose and the key elements
  • Audit plans – the planning process
  • Deriving audit plans from risk registers

Practical exercise: building out a plan of audit work from risk register data

USING RISK TO DRIVE AN AUDIT

  • Basic principles
  • Defining scope and risk-based objectives
  • Defining key questions
  • Early thoughts about testing and proof – reasonable assurance
  • Drafting a management letter for a risk-based audit

Practical exercises: defining risk-based objectives

PERFORMING THE AUDIT

Major Practical: Delegates will conduct a partial review of an operational financial system using the principles and knowledge acquired earlier in this day.

DAY – 4: Risk Driven Audits – Projects, IT Systems and Service Delivery

RISK DRIVEN PROJECT AUDITING

  • What is different about project risk?
  • Risk strategies for projects: a risk checklist

Major Practical: Delegates will conduct a partial review of a major project using the principles and knowledge acquired earlier in this session.

RISK DRIVEN IT AUDITING

  • What is different about IT risk?
  • Application reviews: turning business objectives into risk drivers for the audit
  • Security reviews: turning security objectives into risk drivers for the audit

Major Practical: Delegates will conduct a partial review of an IT infrastructure using the principles and knowledge acquired earlier in this session.

RISK DRIVEN SERVICE DELIVERY

  • The difference between a service delivery and operational audit perspective

Major Practical: Delegates will conduct a partial review of a service delivery process using the principles and knowledge acquired earlier in this session.

DAY – 5: Control Evaluation and Reporting

PERFORMING A RISK-BASED AUDIT – EVALUATION OF CONTROLS

  • Major risk-controls: segregation; accountability; effectiveness; integrity; transparency; currency; registration; identification; authentication; authorisation; completeness; accuracy; reconciliation; traceability

Practical exercise: evaluating controls and tracing risk back to objectives - demonstrating impact on organization

  • Defining testing strategies – reasonable assurance
  • Compliance testing - weakness probing - substantive testing

Practical exercise: designing and performing tests to gain reasonable assurance

  • Documentation: notifying control weaknesses

Practical exercise: notification of control weaknesses and the risk linkage - demonstrating connection to risk register

THE DRAFT AUDIT REPORT

  • Structuring of draft reports and embedding risk concepts: risk management implications and conclusions

Practical exercise: a draft report based on risk

THE FINAL AUDIT REPORT

  • Structuring of final reports – the risk message
  • Sign off – getting agreed risk action – escalating critical risk issues
  • Follow up of risk-based audit reports

Practical exercise: the final audit report


About the Seminar Leader

Stan Dormer

Stan Dormer, BSc FIIA, is a world recognised expert in the field of auditing, risk, information systems technologies and governance.

Stan is the Director of Education and Training for MindGrove Ltd, UK, and his career spans more than three decades. Stan's work has included research, risk and project management, IT security, compliance and auditing and the development of training and learning systems. Internationally respected, Stan is highly regarded for his innovation, knowledge and enthusiasm within his subject areas.

An elected fellow of the Institute of Internal Auditors and cofounder of the Institute's COMPACS series of conferences that ran for 21 years, Stan continues to run annual training programmes on the Institute's behalf.

Stan is the author of numerous IT articles and publications, as well as several primary distance learning programmes supporting professional level qualifications (MIIA, PIIA, QiCA) for auditors. With his in-depth knowledge and expertise, Stan has been asked to run Master-Classes at numerous conferences. These include SOPAC Australia/NZ, Europe's biggest computer security event - COMPSEC, the Institute of Chartered Accountants' IT specialist forum - CHARTAC, the all-Ireland series of Computer Audit and Security Conferences - COSAC, the pan-African information security and control conferences - ISM, the member meetings of The Open Group and the ACE Audit Automation series of conferences.

Stan was the inventor of the first practical Resident Continuous Audit Monitoring system embedded in an operating system. His developments include a novel audit methodology, a formal approach to Risk Architectures, and more recently, Risk Based and Process Modelling approaches to Audit.


Venue and Pricing

Venue: Crowne Plaza, Dubai, UAE

Fees: USD 2900/- per delegate

Early Bird Discounts:

Register for USD 2700/- on or before March 08, 2007 and get USD 200 OFF!

Register for USD 2500/- on or before February 08, 2007 and get USD 400 OFF!

Group Discounts:

Register 3 delegates from your organization and the Fourth goes FREE!

In-house Option:

This course can also be delivered as an In-house / On-site option. Please contact us if you have a group of employees to be trained at a location of your choice.


 

Copyright 2005 TCQ TRIANGLE LLC. All rights reserved