Course outline, format of the various days and sessions, timetable and administration.
Class Discussion and Ice-Breaker: Introduce the course instructor and the delegates and their backgrounds. Share challenges and experiences as Chief Internal Auditors.
Outline course programme. Agree and prioritise the course objectives.
The role and position of the Chief Internal Auditor (Part 1)
- The role of the Chief Internal Auditor and how this is perceived across a range of organisations. Example Role Profiles
- The CIA and access to the Executive Committee, the Audit Committee and the Board. What challenges does a separate Board Risk Committee introduce?
Class Exercise: List and prioritise all key stakeholder relationships and go through examples of how (or whether) the Chief Internal Auditor should report in each case.
Reporting Lines for the Chief Internal Auditor and how to maintain independence.
Class Discussion: Discuss typical FS corporate structures and where internal audit features and reports. For key executive committees, should Chief Internal Auditors attend or just receive (or present) papers?
The Chief Internal Auditor's role in meeting Professional Standards - documentation: Key documentation a Chief Internal Auditor must be familiar with and have at their fingertips.
- Authority - the role of the IA charter and the Audit Committee charter.
- Planning - the role of the audit universe, the annual audit plan and the importance of reflecting alignment with the organisation's own risk framework.
- Fieldwork - the methodology and principles behind sample selection and testing.
Example IA Charters (IA lines) and Audit Committee Terms of Reference (IA focus)
Group Discussion: To consider the administration requirements and how to ensure they are a help and not a hindrance or a burden.
Audit Planning, the Audit Universe and other Critical information? What is the CIA role in audit planning and what management information (MI) should the Chief Internal Auditor and his/her team receive and what do you do with it?
Class Exercise: Analyse examples of the MI which is likely to be essential to the effective delivery of the audit plan.
- Important/Nice to have/On request?
- What do you see at your organisations?
- Consider internal and external/industry sources of MI
Recap Day 1 - Roles, Position, Stakeholders, Critical MI, Sound bites
The role and position of the Chief Internal Auditor (Part 2)
- Independence and Building Relationships:
- Non-Executive Directors (NEDs), Executives, Senior Management
- Visibility at the top table and the relationship with the Audit & Risk Committees
- Operating within the traditional three lines of defence model
- Other lines of defence e.g. How to build on the role of the 1½ line? Should external auditors and regulators be seen in 4th and 5th line roles?
- Co-source partners, professional bodies and peers
Class Discussion: Relationship building tips and tricks. Examples of success stories + failures.
Class Discussion: With an enhanced relationship with the Audit Committee, how does the Chief Internal Auditor avoid being seen as too close to the NEDs?
The IPPF and the Standards
The relevance of the Standards and the changes in July 2015 and October 2016 and what they mean for CIAs.
The CIIA Financial Services Code (2013 and the 2017 update)
In the UK, how has the FS Code affected Chief Internal Auditors and their key stakeholders?
- Is it guidance or is it required practice?
- How can the code really improve your role as Chief Internal Auditor?
- What impact has it had on executive and non-executive directors?
Class Discussion: Discussion on the Code. How has it changed the role of the Chief Internal Auditor? How valuable is the code outside the UK? Fit with IPPF/Standards?
Case Study: Looking at real-life examples of Chief Internal Auditors' experiences with the code
The Changing shapes of Internal Audit functions
How can the Chief Internal Auditor build the most effective team structure with access to the required breadth and depth of skills and experience and at the right price?
Class Discussion: Consider the pros and cons of different structures - centralised v decentralised; aligned by geography or line of business; in-house skills or co-source?
- Substantial growth in co-source arrangements, way beyond traditional IT audit space
- Increased range of co-source providers and their skills base.
- Increased expectations by Audit Committees as to how to access & use specialist skills.
- The pros and cons of guest auditors and secondments.
- Understanding the relative costs to your internal audit budget.
Group Discussion: IA function staffing and skills requirements to best serve your organisation.
Case Study: How can CIAs best use co-source arrangements? Consider the selection process, performance assessment, team integration and how to get the best bang for your buck.
Recap Day 2
Attributes of a World Class Internal Audit function
- Definition of world class and how it can be applied to internal audit
- Examples of applying guidance from experts; e.g. Kobayashi, Drennan & Pennington
- Views of IIA/Firms/IA evangelists
- Understanding the key capabilities that distinguish world class internal audit
- Performance; particularly process productivity, stakeholder satisfaction, strategic alignment and reporting for impact
- Use of balanced scorecards and other KPIs to measure performance
Group Discussion: Covering a range of examples of measures/KPIs and their relative advantages and disadvantages.
Case Study to review and critique a sample internal audit MI pack.
Class discussion: Where are you on the maturity scale? Examples of good practice. Best opportunities for early quick wins?
External Quality Assessments (EQAs)
EQAs are becoming more popular, particularly as standards require them to be performed every 5 years and regulators are looking for them to be done more frequently (in Financial Services). Audit Committees are looking to support their sign off on effectiveness under the Corporate Governance code. As a Chief Internal Auditor, what should you look out for and how can you influence them?
Case Study: Undertaking an External Quality Assessment - who does them, how are they structured and learning from the most common findings.
How should a CIA set up and maintain an effective internal audit Quality Assurance & Improvement programme?
- How to assess your own team's effectiveness and your own effectiveness.
- The benefits and pitfalls of feedback forms and (internal) peer reviews.
State of the internal audit profession in 2016
- Understanding what the major global consulting firms are saying/predicting
- Sources of guidance from within your industry
- Use guidance from other professional bodies (CIIA, COSO, IRM, ISACA, ICAEW)
Global hot spots for internal audit in 2017
- Including key areas such as Culture, Conduct and Cyber
Audit Committee priorities
Guest Speaker - Malcolm Himsworth, formerly HIA at British Arab Commercial Bank and the Derbyshire Building Society and Audit Committee member for CAF Bank.
Recap Day 3
Writing for Impact - tips and tricks for quicker and more impactful reporting.
How best to identify themes and present them at exec and Audit Committee level.
How to build and present opinions and how to balance exec and Board's expectations.
Case Study: How the Audit Report can (at times) be the greatest barrier to getting things fixed - review and discuss a sample of real audit reports and Committee papers.
Group Discussion: To consider the relative merits of what to report, where to report it and who should receive full reports, executive summaries, etc.
Action Tracking - follow-up and tracking of issues, actions and, most importantly, outcomes
Grading audit reports and issues - High/Medium/Low? Red/Amber/Green? Join the debate to discuss the pros and cons and how the Chief Internal Auditor must take the lead.
Group discussion: Looking at diverse examples of definitions at issue and report level
How to audit complex areas, such as governance, culture and strategy?
All audits conducted should include aspects of governance and risk and control culture within their scope. In addition, there may be opportunities to carry out overarching organisation-wide reviews of governance and/or culture.
Group Discussion: Key principles of how to perform these types of reviews and what guidance is readily available.
Case Study: How to approach the audit of governance.
The updated UK FRC Corporate Governance code - what does it mean for the CIA?
In the UK, the latest relevant updates (Sept 2014 and April 2016) by the Financial Reporting Council (FRC) put pressure on boards to enhance disclosure in their annual report and focus on two areas of particular interest for CIAs:
- Companies should robustly assess principal risks and how they are being mitigated
- Companies should monitor their risk management and internal control systems and, at least annually, carry out a review of their effectiveness, and report on that review.
Group Discussion: Understanding the enhanced impact that the code has had on the scope and nature of reporting by the Chief Internal Auditor to the Audit Committee and the Board as a result of the updated code. Early feedback/examples and assess the impact outside the UK.
Recap Day 4
Auditing Change Projects
- An insight to the world of change management and the challenge of auditing change projects in-flight.
- Understanding the CIA's critical role in major projects and initiatives that are key to organisations' objectives.
- Understanding project language and how to use the project infrastructure to challenge, report and escalate issues. Benefits and pitfalls of being involved early. Avoiding being asked to sign off. The role of post mortems & how to go about them.
Case Study: Using a real-life example of a major systems implementation, some typical issues and challenges and an innovative reporting approach which can fit multiple projects.
Building a more effective and efficient internal audit function
Management and the Board frequently look for more, ideally without increasing long-term costs. There is an increasing range of tried and tested techniques and systems in place to help deliver these efficiencies. These are not new but are still not common and include:
- Continuous auditing
- Data Analytics
- Combined Assurance and the use of Assurance Maps
- Control Risk Self-Assessment
- Risk & Control workshops
Group Discussion: Each of these techniques and systems can be the subject of more extensive courses. The Group discussion will therefore focus on a selection of relevant examples and the extent to which these are operating or could be introduced within the delegates' own firms.
We will also look at the key sources of guidance and how to keep up to date with developments in these important initiatives.
Case Study: To review, critique and help redesign an assurance map
- Summary of main areas covered throughout the programme
- Review course objectives
- Questions and aspects for further discussion
- Next steps
- Course Evaluation by participants and close.