Advanced Risk Based Audit

Organization Challenges

This course provides practical guidance about improving organizational performance through better co-ordination between Risk Management and Internal Audit. Senior Management within the organization need concise, targeted information about what business exposures they face and how to mitigate them; traditionally they looked to Internal Audit to supply this information but more recently dedicated Risk Management functions have been established to supply some or all of this information.

In many cases these two professional functions have provided conflicting information; there is confusion about the connection between risk management, assurance and control systems. This course removes that confusion by providing a strategy for Risk Management and Internal Audit to work from the same database of risk information; it provides practical guidance on best practices in risk-based assurance work using relevant case studies.

Essentials of Risk Based Audit

This course is designed to take an experienced Internal Auditor through the various disciplines needed to consolidate the Operational Risk activities in their business with those of Internal Audit. The three basic elements requiring consolidation are:

  • Audit Planning;
  • Audit execution;
  • Audit reporting.

All aspects of the consolidation challenge are covered, both from the point of view of the Risk Manager and the Internal Audit Manager.

Key Takeaways

  • Gain an awareness of tools and techniques for planning and performing value added, risk based audits
  • Learn how to develop risk based audit tests at both compliance and substantive levels
  • Learn how to link audit findings to the risk-based environment thus helping in selling your recommendations
  • Learn about risk-based IT auditing, fraud detection and prevention
  • Practice risk-based auditing techniques and control analysis using a generic case study
  • Understand the concept of Corporate Risks and how the unique control environment they require for mitigation can be audited
  • Contribute to controls improvement


The course utilizes Operational Risk software called CARE – Control And Risk Evaluation – and, whilst the techniques learned can be applied without the aid of software, CARE is the system recommended by the course providers.

The course is case study driven supported by traditional lectures; this allows delegates to put into practice the theory presented to them and ensures the maximum delegate involvement. Some evening work may be required to complete the practical examples.

At all stages of the course “model” answers are supplied so that each delegate is brought up to a common level of achievement at all points in the course-work.

Who should attend

  • Internal Audit Senior Managers
  • Managers in Internal Audit
  • Risk Managers
  • Finance Managers

Course Schedule

Introduction and Program Overview

  • Understanding objectives and expectations
  • History behind the need to blend Operational Risk Management and Internal Audit techniques
  • An overview of the 3 main elements involved in this blending process – Planning, Execution and Reporting

Coffee & Networking break

Organizational Risk Structures and the Internal Audit Link

  • We will look at the 3 most common risk structures; function, process and product; each has its own merits and demerits and we will explore these; particular emphasis will be placed upon how these structures link to the Internal Audit portfolio
  • How internal audit fits within the corporate governance framework of an organization – the role of internal audit in governance, risk and control
  • We will look at the basic elements needed in a risk-based Internal Audit system and how Operational Risk techniques can assist in fraud identification

Lunch & Networking Break

Case Study (Projects 1&2)

You will be provided with details of a large organization and will be required to recommend how the organization should be broken down should a risk-based Internal Audit program be introduced. In addition, from the case study data supplied, the delegates will be required to determine the control environment, from an Internal Audit Planning perspective, for each element of the portfolio.

Refreshment & Networking Break

Corporate Risks

  • The concept of Corporate Risks; what they are, how they are identified.
  • How to identify and measure the control environment surrounding Corporate Risks

Case Study (Project 3)

  • Using the material in the case study, the delegates will need to:
  • identify the Corporate Risks for the organization and highlight where the relevant controls are to be found
  • identify the Asset Types to be used in the Risk Profiles
  • identify the strategic elements to be used in the Risk Profiling exercise
  • identify the probability criteria to be used in the Risk Profiling exercise

The Audit Cycle

  • You will discuss the concept of the Audit Cycle; this will be linked to Audit Man days
  • We will discuss what the Audit Cycle is, how it is determined and whether it can and should be capable of change

Coffee & Networking break

Case Study (Project 4)

  • Using all of the material now available in the case study and from the previous projects, you will be expected to build a Risk Based Internal Audit Plan
  • Discussions on the above

Risk Based Audit Execution (1)

  • Internal Audit Compliance Testing will be contrasted with Control Risk Self Assessment tests relied upon by Risk Management

Case Study (Project 5)

Using the case study material, delegates will be expected to write Compliance Tests for one Entity in the organization.

Risk Based Audit Execution (2)

  • You will learn how to use the Risk Database to develop targeted Substantive Tests
  • The concept of refining Compliance Tests to be used in a Substantive Testing capacity will be explored

Refreshment & Networking Break

Risk Based Audit Reporting

  • The most common Audit Rating Schemes will be discussed
  • You will learn how such schemes can be driven from the output of Compliance and Substantive test work as well as CRSA data
  • We will also see how to develop a “no surprises” reporting system
  • Additionally, you will take away a template for such a reporting system.

Key Risk Indicators

  • In groups we will discuss the need for Internal Audit Plans to be flexible and to change over time
  • What the drivers of such change should be; this will introduce a discussion on Key Risk Indicators (KRIs): what they are and, particularly, what they are not.