Risk Based Internal Audit Training (RiBIA)
This course is designed to take an experienced Internal Auditor through the various disciplines needed to implement a fully operational Risk Based Internal Audit (RiBIA) approach.
The three basic elements of RiBIA are covered:
- Introduction to methodology terms and definitions;
- Using CARE system features;
- A brief on Risk Based Audit Planning;
- Risk Based Audit execution;
- Risk Based Audit reporting;
The course utilizes CARE (Control And Risk Evaluation) Risk Management software and, whilst the techniques learned can be applied without the aid of software, CARE is the system recommended by the course providers.
The course is case study driven, supported by traditional lectures; this allows delegates to put into practice the theory presented to them and ensures maximum delegate involvement. Some evening work may be required to complete the practical examples. At all stages of the course “model” answers are supplied so that each delegate is brought up to a common level of achievement at all points in the coursework.
Case study Preparation
The tailored material / case study will be developed to ensure:
- Participants can easily use the methodology in the audit of other units (particularly other branches)
- Controls, weaknesses identified, and recommendations made are relevant to the organization
- The training material is detailed enough to become a future guide/reference for new auditors
- Common exceptions (frequent problems) are raised in the case study.
The day starts with an outline of the Risk assessment methodology to cover the definitions of the following terms:-
- Risk assessment
- Linking controls to Risks
- Risk Management
Project 1: The delegates will need to read the manual procedure for one of the departments to identify Risks and to highlight the relevant controls.
The delegates will learn how to enter the Risks and Controls’ data into the CARE system, build the risk matrix and assess the control environment for each risk.
Introduction to reports generated by the system. This would include the following reports:-
- Risk Reports
- Control Reports
- Test Schedule
- Workshop Summary Reports
- Recommendation Reports
Introduction to system features and generating reports. This would include the following:-
- Working papers module
- Event tracking module
- Recommendation follow-up
The day starts with an outline of the history behind RiBIA and shows the delegates the 3 main elements: Planning, Execution and Reporting.
A presentation on the first element of RiBIA – Risk Based Audit Planning; this will cover the basic elements needed in a Risk Based Internal Audit Planning system.
The concepts of Corporate Risks will be dealt with; particular emphasis will be placed upon where the controls for these risks reside.
Project 1: The delegates will need to discuss Corporate Risks for the organization and highlight where the relevant controls are to be found.
Overall feedback will be given (in general terms) and a “model” answer will be provided.
The concept of Risk Based Audit Execution will be discussed; this involves making use of the data in the Risk Database of the organization. Internal Audit Compliance Testing will be contrasted with CRSA and the two systems brought together.
Project 2: Using the case study material (which will be based on a selected branch's CRSA data), delegates will be required to write the IA Compliance Tests program.
Project 2 (continued): Delegates will continue writing compliance tests
The instructors will review a sample of delegate groups' printed output; overall feedback will be given (in general terms) and a “model” answer will be provided to all delegates to ensure that everyone starts the next phase of the course at the same level.
Next, delegates will address the issue of Substantive Testing in a risk-based environment; the concept of using Risk Profiles to determine initial Substantive Testing work will be addressed as will refining Compliance Test work for use in Substantive Testing.
Project 3: Using the same business unit as the case study, delegates will be expected to design and write the required Substantive Tests.
Overnight the instructors will have reviewed the delegate group’s printed output; overall feedback will be given (in general terms) and a “model” answer will be provided to all delegates to ensure that everyone starts the next phase of the course at the same level.
The concept of Risk Based Audit Reporting will be discussed; this will include Audit Rating schemes. Delegates will learn how such schemes can be driven from the output of Compliance Test work, Substantive Test work and CRSA, and how to develop a “no surprises” reporting system.
Project 4: Using the case study material, delegates will be required to write a risk-based audit report for the selected Business Unit.
The instructors will review the delegate group’s printed output; overall feedback will be given (in general terms) and a “model” answer will be provided to all delegates to ensure that everyone starts the next phase of the course at the same level.
Delegates will next discuss the need for risk-based Internal Audit plans to be flexible and capable of change over time; they will discuss what the drivers of such change would be, which will involve a discussion of Key Risk Indicators (KRIs).
Project 5: Delegates will be required to develop 3 KRIs for the organization in the case study.
Note: This exercise might not be covered if more time is required for Reporting.
SUMMARY AND CLOSING REMARKS