P3 Development and focus - 1.2

Tranactional > assess adherence to systems  and process to prescribed policies, plans, proecedure, laws and contract e.g. IA adopted to assess org's compliance with the UK Data Protection Act

Systems based >asses how well systems and internal control operate in delivery org objectives - key is expressing what controls achieve and reflection on org objectives thus actual operation versus prescription

Risk based> allow assurance to board that risk management process are managed effectively Encouraged by IIA as links IA process to org risk management framework e.g. 

• documened in risk register
• operational re: risk affectivng business operation
• control and risk are recognised - system methodology using control to measure effectiveness of risk - IA provide assurance which add value on management of key business risk and effectiveness of how risk management frameworks and internal controls operate.

VALUE :objective  and indepedent assurance on governance , risk management and control process

Board and SM able to trust as signed up to discrete knowledge and skill in IA compentency framwork

Our principals and value are set out in definition, code of ethics and standard for professional practice of internal auditing

PROMOTE CONTROL, ASSURANCE TO BOARD, PROCESS IMPROVEMENT , SUPPORT DIRECTORS REPORTING, EXTERNAL AUDIT RELIANCE, CHALLENGING ACCEPTED PRACTICE, COMMUNICATED GOOD PRACTICE, ID RISK, EXPOSURES AND TAKE ADVANTAGE OF RISKS

PURPOSE:

Protect assets and reputation of org providing assurance over RM control and governance, but also consultancy

PURPOSE - reporting defined by org

• assurance biz operating effecitively>provide IA opinion>set of recs agreed by mgmt

 reporting annual - overall state risk management, control and governance process

• HIA deliver opinion as part of annual report and accounts regarding whether risk managed sufficiently within limites

formal report to SM and Board usually thorough audit committee

• result of individiual engagment activity
• follow up in year
• work of other assurance provided 
• limitation on scope
• considers major recommendation not accepted

result  of structured audit assurance programme

• Consider Board defined requirement in strategic planning

Assurance provided on risk managment framework in 3 area:

• risk managemet process - design and effectiveness
•  manageme of risk regarding effectiveness of controls and responses
• reliable assessment of risks and reporting risk and control status

Also consultancy 

• make tools and technique IA use to analyse risk and control 
• champion ERM, expertise and knowldege
•  faciltation workshop
• support id of risk by managemen e.g. siting and advising on project boards

IA NOT TAKE ROLE OF BUSINES

• E.G SET  RISK APPETITE
• IMPOSE RISK MANAGEMENT
• DETERMINE RISK RESPONSE

IA WORK WITH OTHERS TO DETERMINE

• WHO REQUIRE ASSURANCE IN AND OUT OF ORG
• AREAS WHERE ASSURANCE REQUIRED
• WHO PROVIDE ASSURANCE
•  FIT OF ASSURANCE
• GAPS AND OVERLAPS
• WHETHER ASSURANCE COSTS BE CONTROLLED

STAKEHOLDER HAVE VESTED INTEREST IN BEH IN ORG WHERE INTERNAL - DIRECTLY INVOLVED OR EXTERNALLY - NOT INVOLVED BUT AFFECTED

MANAGING RELATIONS HELPS - raise IA profile>negotiate resource and objs>co-ordinate sharing of inform and opinion>convince need for change>effective working>manage expectations>developm IA knowledge

STAKEHOLDER HAVE VESTED INTEREST IN BEH IN ORG WHERE INTERNAL - DIRECTLY INVOLVED OR EXTERNALLY - NOT INVOLVED BUT AFFECTED

• discussion hel confirm value of shared priorities
• encourage engagment that improves operations
• shows IA prepared to listen
• IA set criteria for evaluation

MANAGING RELATIONS HELPS -

• raise IA profile
• >negotiate resource and objs
• >co-ordinate sharing of inform and opinion
• >convince need for change
• >effective working>manage expectations
• >develop IA knowledge

BUT - IA MUST BE FREE FROM INTERFERENCE

Importance of clarifying the different roles that contribute to the provision of assurance over the management of risks.

Many have documented the various responsibilities using what is sometimes called the “three lines of defence” model.

Such models typically state the responsibilities of management / management control functions (as the first line of defence), risk management functions (second line) and internal audit (third line).

These models depict the roles that are unique in each organisation and clearly provide a good starting point for defining the specific relationships required.