This lecture is valid till 30 April, 2013; after that the new syllabus prevails.
B1 Establish a framework for assessing risk
B2 Use the framework to
a. Identify the sources of potential engagements (audit universe, management request, regulatory mandate)
b. Assess organizational wide risk
c. Solicit potential engagement topics from various sources
d. Collect and analyze data on proposed engagements
e. Rank and validate risk priorities
C7 Review positioning of the internal audit function within the risk management framework within the organization
C13 Assess compliance with policies in specific areas
D2 Risk Management
a. Develop and implement an enterprise wide risk and control framework
b. Coordinate enterprise wide risk management
c. Report corporate risk assessment to board
d. Review business continuity planning process
Exam Context
CIA candidates should understand risk management in order to apply that knowledge to assessing the adequacy of the risk management process.
Qualification Context
The IIA may ask candidates questions with circumstances that require application of their knowledge of risk management.
Business Context
Given the highly volatile environment facing the industries of Pakistan, and the fact that very few organizations apply RM/ERM, let us kick off risk management in our respective organizations as the value added of the internal audit function (iA/iAA).
Based on the syllabus given above, the following are the relevant documents to read and understand:
Standard 2120
Practice Advisory PA 2120-1
Position Paper: The Role of Internal Auditing in Enterprise-wide Risk Management
Practice Guide: Assessing the Adequacy of Risk Management Using ISO 31000
Roles in risk management (paragraph references are to PA 2120-1):

Board (Para 1)
- The Board has oversight responsibility for RM.

Senior Management (Para 6/7)
- Implementation responsibility for RM rests with management, which decides the form of RM on the basis of many factors, such as:
-Formal/Informal (Informal in a small org)
-Quantitative/Subjective (Quantitative in a large org with Financial Instruments)
-Embedded in Departments / Centralized

Internal Auditor (Para 2/3/4)
- As consultant, iA/CAE can help the Board and Management in RM, whether the org has formal RM or not (but in this lecture we are after the Assurance Role of iA).

Internal Auditor (Para 5)
- There are stages of RM within the Org, and the CAE needs to be aware of them: first work as consultant and then as assurance provider on RM, without actually getting involved in the implementation of RM, as that is a threat to Independence. iA can defend itself by having a formal iA Charter approved by the Board.
In forming an opinion, besides the factors we covered at the top, there are Audit Procedures used by the Internal Auditor on Risk Management, which we will remember with the words TWILIGHT SAGA: an Internal Auditor never follows a 9-to-5 job. Twilight refers to the darkness just before the sun rises, or just before the sun sets. SAGA means story.
T-Trends: recent developments in the industry (researched by iA) posing risks/exposures to the Org, and what procedures the Org developed to identify risks and how the Org addresses them.
W-Weaknesses in risk management practices discussed with the Board/SM.
I-Interview business heads regarding risks/controls in their respective departments.
L-Lines of reporting regarding risk monitoring are appropriate.
I-Independent review of Org policies (board minutes) regarding RM, risk appetite and business strategies.
G-Give due consideration to previous reports of management, iA and the External Auditor.
H-Hail (shout in order to attract attention) improvements.
T-Timeliness of reporting on risk management results is appropriate.
S-Self-assessment processes of management are checked with observation, tests of controls, etc.
A-Actions taken (Risk Response) are appropriate to complete the risk management cycle.
G-(Gad-Go around and around) means monitoring of risk mitigation (control activities) is appropriate.
A-Agile (quick) communication of risk and control activities.
BEST WISHES
Hafiz Muhammad Adnan Rana
Stuco786@gmail.com
www.stuco786.com
0346-538-8-538
Sialkot Pakistan