Course outline, format of the various days and session, timetable and administration.
Class Discussion and Ice-Breaker: Introduce the course instructor and the delegates and their backgrounds. Share challenges and experiences as Chief Internal Auditors. Agree and prioritise the course objectives.
The role and position of the Chief Internal Auditor (Part 1)
- The role of the Chief Internal Auditor and how this is perceived across a range of organisations.
- The Chief Internal Auditor and access to the Executive Committee, the Audit Committee and the Board. What challenges does a separate Board Risk Committee introduce?
Class Exercise: List and prioritise all key stakeholder relationships and go through examples of how the Chief Internal Auditor should report in each case.
- Reporting Lines for the Chief Internal Auditor and how to maintain independence.
Class Discussion: Discuss typical corporate structures and where does internal audit feature and report. For key executive committees, should Chief Internal Auditors be members or attend or just receive papers?
- Critical information flows? What management information should the Chief Internal Auditor and his/her team receive and what do you do with it?
Class Exercise: Analyse examples of the management information which is likely to be essential to the effective delivery of the audit plan.
The role and position of the Chief Internal Auditor (Part 2)
Independence and Building Relationships:
- Non-Exec Directors, Executives, Senior Management
- Visibility at the top table
- Operating within the traditional three lines of defence model:
- The first line senior and executive management
- Second Line Chief Risk Officer (CRO), Compliance, other assurance functions
- External external auditors, regulators, co-source partners, professional bodies and peers
Class Discussion: Relationship building tips and tricks. Examples of success stories.
Class Discussion: With an enhanced relationship with the Audit Committee, how does the Chief Internal Auditor avoid being seen as too close to the NEDs?
The CIIA Financial Services Code
The Code concluded that much of the guidance was relevant outside Financial Services. How has the code affected Chief Internal Auditors and their key stakeholders?
- Is it guidance or is it required practice?
- How can the code really improve your role as Chief Internal Auditor?
- What impact has it had on executive and non-executive directors?
Class Discussion: Discussion on the Code. How has it changed the role of the Chief Internal Auditor? How valuable is the code outside financial services? How does the Code fit with the International Standards?
Case Study: Looking at real life examples of Chief Internal Auditors experiences
The Changing shapes of Internal Audit functions
How can the Chief Internal Auditor build the most effective team structure with access to the required breadth and depth of skills and experience and at the right price?
Class Discussion: Consider the pros and cons of different structures centralised v decentralised; aligned by geography or line of business; in-house skills or co-source?
- The substantial growth in co-source arrangements, way beyond the traditional IT audit space
- Increased range of co-source providers and their skills base.
- Increased expectations by Audit Committees as to how specialist skills should be accessed.
- The pros and cons of guest auditors and secondments.
- Understanding the relative costs to your internal audit budget.
Group Discussion: Internal Audit function staffing and skills requirements to best serve your organisation.
Case Study: How does a Chief Internal Auditor best use co-source arrangements? This will consider the selection process, performance assessment, how well they integrate and how to get the best bang for your buck.
The Chief Internal Auditors role in meeting Professional Standards documentation
This will look at a selection of the key documentation a Chief Internal Auditor must be familiar with and have at your fingertips?
- Authority the role of the Internal Audit charter and the Audit Committee charter.
- Planning the role of the audit universe, the annual audit plan and the importance of reflecting alignment with the organisations risk framework.
- Fieldwork the methodology and principles behind sample selection and testing.
Group Discussion: To consider the administration requirements and how to ensure they are a help and not a hindrance or a burden.
- Reporting how individual reports and executive and Audit Committee summaries fit together
Group Discussion: To consider the relative merits of what to report, where to report it and who should receive full reports, executive summaries, etc.
- Follow-up and tracking issues and actions
Grading audit reports and issues
High/Medium/Low? Red/Amber/Green? join the debate to discuss the pros and cons and how the Chief Internal Auditor must take the lead
Group discussion: Looking at diverse examples of definitions at issue and report level
External Quality Assessments (EQAs)
EQAs are becoming more popular, particularly as regulators are looking for them to be done more frequently (in Financial Services) and as Audit Committees are looking to support their sign off on effectiveness under the Corporate Governance code. As a Chief Internal Auditor, what should you look out for and how can you influence them?
Case Study: Undertaking an External Quality Assessment Who does them, how are they structured and what are the most common findings?
How to set up and maintain an effective internal audit Quality Assurance programme
- How to assess your own teams effectiveness and your own effectiveness.
- The benefits and pitfalls of feedback forms and peer reviews.
State of the internal audit profession in 2015
- Understanding what the major global consulting firms are saying/predicting
- Sources of guidance from within your industry
- Use guidance from other professional bodies (CIIA, COSO, IRM, ISACA, ICAEW)
Global hot spots for internal audit in 2015/2016
Audit Committee priorities
Guest Speaker Presentation by Malcolm Zack, formerly Head of Internal Audit at the Post Office
Malcolm Zack has operated in the risk, audit and governance arena for close to 30 years. Malcolm set up and developed the Operational Review function for Visa Europe, was Group Audit Director with responsibility for audit and risk management for the Brakes Group, Europes leading foodservice company and latterly was the Post Offices first Head of Internal Audit after its separation from Royal Mail.
How to audit complex areas, such as governance, culture and strategy?
All audits conducted should include aspects of governance and risk and control culture within their scope. In addition, there may be an opportunity to carry out overarching organisation-wide reviews of governance and/or culture.
Group Discussion: Key principles of how to perform these types of reviews and what guidance is readily available.
Case Study: The audit of governance.
Attributes of a World Class Internal Audit function
- Definition of world class and how it can be applied to internal audit
- Examples of applying guidance from the experts; e.g. Kobayashi, Drennan & Pennington
- Understanding the key capabilities that distinguish world class internal audit
- Performance; particularly strategic service, process productivity, stakeholder satisfaction, strategic alignment and reporting for impact
- World class vs best in class Where should internal audit aim?
- Use of balanced scorecards and other key performance indicators (KPIs) to measure performance
Group Discussion: Covering a range of examples of measures and KPIs and their relative advantages and disadvantages. Includes a Case Study to review and critique a sample internal audit MI pack.
Guest Speaker Presentation by Nicola Rimmer, Internal Audit Director at Barclays and a past President of the Chartered Institute of Internal Auditors
Nicola Rimmer is Past President of the Chartered Institute of Internal Auditors, having held office for two years to November 2014. She is currently a Director at Barclays, responsible for assisting the Managing Director in running the Audit Team and taking a lead role in the strategic direction of the team.
The updated FRC Corporate Governance code What does it mean for the Chief Internal Auditor?
The latest update (September 2014) by the Financial Reporting Council (FRC) puts pressure on boards to enhance disclosure in their annual report and focuses on two areas of particular interest for Chief Internal Auditors:
- Companies should robustly assess their principal risks and explain how they are being managed or mitigated
- Companies should monitor their risk management and internal control systems and, at least annually, carry out a review of their effectiveness, and report on that review in the annual report.
Group Discussion: Understanding the enhanced impact that the code is having on the scope and nature of reporting by the Chief Internal Auditor to the Audit Committee and the Board as a result of the updated code.
Thematic Audit Reporting
Building on the Group Discussion on Day 3, this session covers how to best identify themes and how to best present them at individual audit level and to the Audit Committee and the Board.
Writing for Impact tips and tricks for quicker and more impactful reporting
Case Study: Understanding how the Audit Report can be the greatest barrier to getting things fixed
Managing the internal audit function across multiple locations
- Managing the challenges of teams or individuals based overseas or elsewhere in the UK
- Aligning with the organisations matrix reporting where possible; by geography, by line of business or by legal entity
- Strategies to deal with different languages, cultures and jurisdictional regulations
- An insight to the world of project management and the challenge of auditing projects in-flight.
- Understanding the Chief Internal Auditors critical role in major projects and initiatives that are key to organisations objectives.
- Understanding project language and how to use the project infrastructure to challenge, report and escalate issues. Benefits and pitfalls of being involved early. Avoiding being asked to sign off. The role of post mortems and how to go about them.
Case Study: Using a real life example of a major systems implementation, some typical issues and challenges and an innovative reporting template which can fit multiple projects.
Building a more efficient internal audit function
Management and the Board frequently look for more and ideally without increasing long term costs. There are an increasing range of tried and tested techniques and systems in place to help deliver these efficiencies. These include:
- Continuous auditing
- Data Analytics
- Integrated Assurance and the use of Assurance Maps
- Internal Audit administrative and working paper systems
- Control Risk Self-Assessment
- Risk & Control workshops
Group Discussion: Each of these techniques and systems are often the subject of a full day course. The Group discussion will therefore focus on examples and the extent to which these are operating within the delegates own organisations.
Case Study: To review, critique and redesign an assurance map
Summary of main areas covered throughout the programme
Questions and aspects for further discussion
Course Evaluation by participants and close