(2013 Sample Lecture) Brain Friendly Lecture Notes Internal Auditor Role in RISK MANAGEMENT (CIA Students) READ CAST by Hafiz Muhammad Adnan Rana Professional Accountant/Auditor Trained with A.F.Ferguson & Co – Chartered Accountants Author of following for CIA/Internal Auditing Proession Raising Above Personalities (Internal Control) – Travel to Chitral (Urdu Story based) Keeping the SOX on (Corporate Governance) – Real Life Examples Missing Millions (Fraud) – Travel to Dubai (Urdu Story based) Souls are Weak, They are Liability (Risk Management / ERM) – Travel to London (Urdu Story based) Chief Inspiring Officer @ Accurate Consultants, Sialkot Socialprenuer @ The Student College, Research and Training Centre, Sialkot
Transcript
(2013 Sample Lecture)Brain Friendly Lecture Notes
Internal Auditor Role in RISK MANAGEMENT
(CIA Students)READ CAST by Hafiz Muhammad Adnan Rana
Professional Accountant/Auditor
Trained with A.F.Ferguson & Co – Chartered Accountants
Author of following for CIA/Internal Auditing Proession
Raising Above Personalities (Internal Control) – Travel to Chitral (Urdu Story based)
Keeping the SOX on (Corporate Governance) – Real Life Examples
Missing Millions (Fraud) – Travel to Dubai (Urdu Story based)
Souls are Weak, They are Liability (Risk Management / ERM) – Travel to London (Urdu Story based)
Chief Inspiring Officer @ Accurate Consultants, Sialkot
Socialprenuer @ The Student College, Research and Training Centre, Sialkot
This lecture valid till 30 April, 2013 after that new syllabus prevails.
B1 – Establish a framework for assessing riskB2 – Use the framework toa. Identify the sources of potential engagements (audit universe, management request, regulatory mandate)b. Assess organizational wide riskc. Solicit potential engagement topics from various sourcesd. Collect and analyze data on proposed engagementse. Rand and validate risk priorities
C5 – Discuss areas of significant risk
C6 – Support board in enterprise wide risk management
C7 – Review positioning of the internal audit function within the risk management frameworkwithin the organizationC13-Assess compliance with policies in specific areasD2 – Risk Managementa. Develop and implement an enterprise wise risk and control frameworkb. Coordinate enterprise wide risk managementc. Report corporate risk assessment to boardd. Review business continuity planning processE4 – Risk Management Techniques
Business Context
Being highly volatile environment facing industries of Pakistan andgiven the fact that very few rarely apply RM/ERM. Lets kick off in ourrespective organizations as value added being iA/iAA.
Qualification Context
The IIA may ask candidates questions with circumstances that requireapplication of their knowledge of risk management.
Exam Context
CIA candidates should understand risk management to applyknowledge to assessing the adequacy of the risk management process.
Internal Auditor is required to give judgment about effectiveness of riskmanagement. And this judgment is based on certain factors that will be remember with theword: OSTRICH: Internal Auditor can not hide head under the sand leaving all Org at risk.
O – Objectives of Organization support its mission.
S – Significant risk in achieving objectives identified.
T – Tabloid (a sort of newspaper with big heading withpix) of risk information is communicated across org.
R – Responses are selected while adhering to riskappetite.
Forget !!! ich (Source – Interpretation to Standard 2120)
Based on Syllabus Given above following are relevant documents to read and understand
Standard – S2120
Practice Advisories – PA 2120-1
Position Paper – The Role of internal auditing in Enterprise Wide Risk Management
Practice Guide–Assessing adequacy of Risk Management using ISO 31000
This assessment is not that fun. Being judgment,Internal Auditor normally comes to the conclusion aftermultiple engagements which provides auditor withunderstanding of overall system of organization.
Lets begin Practice Advisory 2120-1
Description Board SeniorManagement
Internal Auditor
Lets first defineresponsibilities
Para 1
Board hasoversightresponsibility
Para 6/7
Implementationresponsibility ofRM rests withmanagementwhich decides RMon the basis ofmany factors tobe:-Formal/Informal(Informal in small org)-Quantitative/Subjective(Quantitative in large orgwith FinancialInstruments)-Embed in Departments or/Centralized
Para 2/3/4
As consultantiA/CAE can helpBoard andManagement inRM. (but in thislecture we areafter AssuranceRole of iA)whether org hasformal RM or not.
Para 5There are stages of RMwithin the Org and CAEneeds to be aware firstwork as consultant andthen assurance provideron RM withoutinvolving actually intoimplementation of RMthat is threat toIndependence and iAcan defense itself byhaving formal iACharter approved byBoard.
In forming an opinion besides the factors we cover at the top there areAudit Procedures that are used by Internal Auditor on Risk Management which we willremember with the word TWILIGHT SAGA – Internal Auditor never follow 9-5 job.
Twilight refer to the darkness just before the sun rises, or just before the sun sets. SAGA means story.
T-Trends, recent developments in industry (research by iA) posing risk/exposures and Org whatprocedures Org develpoed to identify risks and how org adress.
W-Weaknesses in risk management practices discussed with Board/SM.
I-Interview with business heads regarding risk/controls in respective deptt.
L-Lines of reporting regarding risk monitoring are appropriate.
I-Independent review of Org policies (board mintures) regarding RM, appetite and business strategies.
G-Give due consideration to previous reports of management, iA, External Auditor
H-Hail (shout in order to attract attention) imporvements.
T-Timeliness of reporting on risk management results is appropriate.
S-Self assessment process of management are checked with observation, test of controls etc.
A-Actions taken (Risk Response) are appropriateto complete risk management cycle.
G-(Gad-Go around and around) – means monitoring of risk mitigation (control activities) is appropriate.
A-Agile (quick) c ommunication of risk and control activities.
