(2013 Sample Lecture)

Brain Friendly Lecture Notes Internal Auditor Role in RISK MANAGEMENT (CIA Students)
READ CAST by Hafiz Muhammad Adnan Rana Professional Accountant/Auditor Trained with A.F.Ferguson & Co Chartered Accountants Author of following for CIA/Internal Auditing Proession Raising Above Personalities (Internal Control) Travel to Chitral (Urdu Story based) Keeping the SOX on (Corporate Governance) Real Life Examples Missing Millions (Fraud) Travel to Dubai (Urdu Story based) Souls are Weak, They are Liability (Risk Management / ERM) Travel to London (Urdu Story based) Chief Inspiring Officer @ Accurate Consultants, Sialkot Socialprenuer @ The Student College, Research and Training Centre, Sialkot

This lecture valid till 30 April, 2013 after that new syllabus prevails. B1 Establish a framework for assessing risk B2 Use the framework to
a. Identify the sources of potential engagements (audit universe, management request, regulatory mandate) b. Assess organizational wide risk c. Solicit potential engagement topics from various sources d. Collect and analyze data on proposed engagements e. Rand and validate risk priorities

C5 Discuss areas of significant risk C6 Support board in enterprise wide risk management

C7 Review positioning of the internal audit function within the risk management framework within the organization C13-Assess compliance with policies in specific areas D2 Risk Management
a. Develop and implement an enterprise wise risk and control framework b. Coordinate enterprise wide risk management c. Report corporate risk assessment to board d. Review business continuity planning process

E4 Risk Management Techniques

Exam Context CIA candidates should understand risk management to apply knowledge to assessing the adequacy of the risk management process. Qualification Context The IIA may ask candidates questions with circumstances that require application of their knowledge of risk management.

Business Context Being highly volatile environment facing industries of Pakistan and given the fact that very few rarely apply RM/ERM. Lets kick off in our respective organizations as value added being iA/iAA.

Based on Syllabus Given above following are relevant documents to read and understand Standard S2120 Practice Advisories PA 2120-1 Position Paper The Role of internal auditing in Enterprise Wide Risk Management Practice GuideAssessing adequacy of Risk Management using ISO 31000

Internal Auditor is required to give judgment about effectiveness of risk management. And this judgment is based on certain factors that will be remember with the word: OSTRICH: Internal Auditor can not hide head under the sand leaving all Org at risk.

O Objectives of Organization support its mission. S Significant risk in achieving objectives identified. T Tabloid (a sort of newspaper with big heading with pix) of risk information is communicated across org. R Responses are selected while adhering to risk appetite. Forget !!! ich (Source Interpretation to Standard 2120)

This assessment is not that fun. Being judgment, Internal Auditor normally comes to the conclusion after multiple engagements which provides auditor with understanding of overall system of organization. Lets begin Practice Advisory 2120-1
Description Lets first define responsibilities Board Para 1 Board has oversight responsibility Senior Management Para 6/7 Implementation responsibility of RM rests with management which decides RM on the basis of many factors to be: Internal Auditor Para 2/3/4 As consultant iA/CAE can help Board and Management in RM. (but in this lecture we are after Assurance Role of iA) whether org has formal RM or not.
Para 5 There are stages of RM within the Org and CAE needs to be aware first work as consultant and then assurance provider on RM without involving actually into implementation of RM that is threat to Independence and iA can defense itself by having formal iA Charter approved by Board.

-Formal/Informal (Informal in small org) -Quantitative/Subjective (Quantitative in large org with Financial Instruments) -Embed in Departments or /Centralized

In forming an opinion besides the factors we cover at the top there are Audit Procedures that are used by Internal Auditor on Risk Management which we will remember with the word TWILIGHT SAGA Internal Auditor never follow 9-5 job.
Twilight refer to the darkness just before the sun rises, or just before the sun sets. SAGA means story.

T-Trends, recent developments in industry (research by iA) posing risk/exposures and Org what procedures Org develpoed to identify risks and how org adress. W-Weaknesses in risk management practices discussed with Board/SM. I-Interview with business heads regarding risk/controls in respective deptt. L-Lines of reporting regarding risk monitoring are appropriate. I-Independent review of Org policies (board mintures) regarding RM, appetite and business strategies. G-Give due consideration to previous reports of management, iA, External Auditor H-Hail (shout in order to attract attention) imporvements. T-Timeliness of reporting on risk management results is appropriate. S-Self assessment process of management are checked with observation, test of controls etc. A-Actions taken (Risk Response) are appropriateto complete risk management cycle. G-(Gad-Go around and around) means monitoring of risk mitigation (control activities) is appropriate. A-Agile (quick) c ommunication of risk and control activities.

(Source Practice Advisory 2120-1 Para 8)

We have read condensed contents of PA 2120-1

Please read carefully the contents of PA 2120-1 now for your clear understanding. Please also have to go at the followings.
Position Paper The Role of internal auditing in Enterprise Wide Risk Management Practice GuideAssessing adequacy of Risk Management using ISO 31000

BEST WISHES Hafiz Muhammad Adnan Rana Stuco786@gmail.com www.stuco786.com 0346-538-8-538 Sialkot Pakistan