
(2013 Sample Lecture)

Brain Friendly Lecture Notes


Internal Auditor Role in RISK MANAGEMENT
(CIA Students)
READ CAST by Hafiz Muhammad Adnan Rana
Professional Accountant/Auditor
Trained with A.F.Ferguson & Co Chartered Accountants
Author of the following for the CIA / Internal Auditing profession:
- Raising Above Personalities (Internal Control)
- Keeping the SOX On (Corporate Governance)
- Missing Millions (Fraud)
- Souls are Weak, They are Liability (Risk Management / ERM)
Urdu story-based titles:
- Travel to Chitral
- Real Life Examples
- Travel to Dubai
- Travel to London
Chief Inspiring Officer @ Accurate Consultants, Sialkot
Socialpreneur @ The Student College, Research and Training Centre, Sialkot

This lecture is valid until 30 April 2013; after that the new syllabus prevails.
B1 Establish a framework for assessing risk
B2 Use the framework to
a. Identify the sources of potential engagements (audit universe, management request, regulatory mandate)
b. Assess organization-wide risk
c. Solicit potential engagement topics from various sources
d. Collect and analyze data on proposed engagements
e. Rank and validate risk priorities

C5 Discuss areas of significant risk


C6 Support board in enterprise wide risk management

C7 Review positioning of the internal audit function within the risk management framework within the organization
C13 Assess compliance with policies in specific areas
D2 Risk Management
a. Develop and implement an enterprise-wide risk and control framework
b. Coordinate enterprise-wide risk management
c. Report corporate risk assessment to the board
d. Review the business continuity planning process

E4 Risk Management Techniques

Exam Context
CIA candidates should understand risk management so that they can apply
that knowledge to assessing the adequacy of the risk management process.
Qualification Context
The IIA may ask candidates questions built around circumstances that require
application of their knowledge of risk management.

Business Context
Industries in Pakistan face a highly volatile environment, yet very few
organizations actually apply RM/ERM. Let us kick off in our respective
organizations, adding value as internal auditors (iA/iAA).

Based on the syllabus given above, the following are the relevant documents to read and understand:
Standard 2120 (Risk Management)
Practice Advisory PA 2120-1
Position Paper: The Role of Internal Auditing in Enterprise-wide Risk Management
Practice Guide: Assessing the Adequacy of Risk Management Using ISO 31000

The internal auditor is required to give a judgment about the effectiveness of risk
management. That judgment is based on certain factors, which we will remember with the
word OSTRICH: the internal auditor cannot hide his head in the sand and leave the whole organization at risk.

O Objectives of the organization support (and align with) its mission.
S Significant risks in achieving those objectives are identified and assessed.
T Tabloid (think of a newspaper with big headlines and pictures): relevant risk
information is captured and communicated in a timely manner across the organization.
R Responses to risk are selected while adhering to the organization's risk appetite.
(Forget the trailing letters "ICH"; they carry no factor. Source: Interpretation to Standard 2120.)

This assessment is not that much fun. Being a judgment, the internal auditor
normally reaches the conclusion only after multiple engagements, which together
give the auditor an understanding of the organization's overall risk management system.
Let us begin Practice Advisory 2120-1.
Description: let us first define the responsibilities of each party.

Board (Para 1)
- The board has oversight responsibility for risk management.

Senior Management (Para 2/3/4)
- Implementation responsibility for RM rests with management, which decides the shape of RM on the basis of many factors, such as whether it is:
-Formal/Informal (informal in a small organization)
-Quantitative/Subjective (quantitative in a large organization with financial instruments)
-Embedded in departments / Centralized

Internal Auditor (Para 5, 6/7)
- As a consultant, the iA/CAE can help the board and management with RM, whether or not the organization has a formal RM process. (In this lecture, however, we are after the assurance role of the iA.)
- RM within an organization passes through stages, and the CAE needs to be aware of them. The CAE may first work as a consultant and then as an assurance provider on RM, without actually getting involved in implementing RM, since that is a threat to independence. The iA can defend itself by having a formal iA charter approved by the board.

In forming an opinion, besides the factors covered at the top, there are
audit procedures the internal auditor uses on risk management, which we will
remember with the words TWILIGHT SAGA (the internal auditor never follows a 9-to-5 job).
Twilight refers to the half-darkness just before the sun rises or just after it sets. A saga is a long story.

T-Trends and recent developments in the industry (researched by the iA) that pose risks/exposures to the organization; what procedures the organization has developed to identify such risks and how it addresses them.
W-Weaknesses in risk management practices are discussed with the Board/Senior Management.
I-Interview business heads regarding risks and controls in their respective departments.
L-Lines of reporting for risk monitoring are appropriate.
I-Independent review of organizational policies (board minutes) regarding RM, risk appetite and business strategies.
G-Give due consideration to previous reports of management, the iA and the external auditor.
H-Hail (shout out, to attract attention) improvements.
T-Timeliness of reporting on risk management results is appropriate.
S-Self-assessment processes of management are checked through observation, tests of controls, etc.
A-Actions taken (risk responses) are appropriate to complete the risk management cycle.
G-Gad (go around and around): monitoring of risk mitigation (control activities) is appropriate.
A-Agile (quick) communication of risk and control activities.

(Source Practice Advisory 2120-1 Para 8)

We have read the condensed contents of PA 2120-1.

Please now read the full contents of PA 2120-1 carefully for a clear understanding.
Please also go through the following:
Position Paper: The Role of Internal Auditing in Enterprise-wide Risk Management
Practice Guide: Assessing the Adequacy of Risk Management Using ISO 31000

BEST WISHES
Hafiz Muhammad Adnan Rana
Stuco786@gmail.com
www.stuco786.com
0346-538-8-538
Sialkot Pakistan
