Auditing Governance, Strategy and Risk Management - UK-OAP341


Strategy, governance, risk management and other boardroom processes have historically been "no-go" areas for internal audit. This is no longer the case: objective, independent assurance on governance is now seen as crucial. The latest IIA Standards are explicit in making these areas integral to the scope of Internal Audit.

Over three days you will:

  • Learn how to provide assurance on risks and controls to strategic objectives
  • Establish which governance areas to audit - and how to do it
  • Develop the business case for internal audit involvement
  • Become a catalyst for improvement - without compromising your independence
  • Take away practical checklists and sample audit programmes

What you will learn

You will learn how to provide assurance on risks and controls to strategic objectives, which areas to audit and how, ways to build the case for audit involvement, and how to retain your independence and become a catalyst for change.


Session 1: Understanding the background

  • Internal audit’s focus: past, present and future
  • Key causes of corporate success and failure
  • Case study
  • Lessons from recent crises
  • Does internal audit have a legitimate role?
  • Implications of the latest IIA standards and guidance
  • The case for internal audit involvement

Session 2: Potential audit areas

  • Defining corporate governance
  • The core components of corporate governance
  • What should be audited?
  • Exercise

Session 3: Exploring the options and developing your approach

  • Leveraging internal audit’s dual roles: assurer and adviser
  • The impact of governance maturity on internal audit’s role
  • Understanding the context
  • Focusing on the ‘bigger picture’
  • Integrating into the annual planning process

Session 4: Assuring the governance framework

  • Understanding your organization’s governance arrangements
  • Clarifying roles and responsibilities
  • Board accountability and reserved powers
  • Board committee structures
  • Reviewing board effectiveness
  • Oversight, audit and assurance: the audit committee’s role
  • Recruitment, training and succession planning: the role of the nomination committee
  • Pay and incentives: remuneration committee responsibilities

Session 5: Auditing governance processes

  • Delegations to management
  • Performance management and the links to strategy
  • Stakeholder engagement and communication
  • Internal reporting and disclosure to stakeholders
  • External reporting examples
  • Business continuity and crisis management arrangements
  • IT and project governance: some considerations
  • Internal audit: a catalyst for improvement
  • Internal audit’s focus: the 3Ps
  • Sample audit program

Session 6: Auditing strategy

  • Vision, mission and strategy: defining terms
  • Impact of the latest IIA standards and guidance
  • Auditing strategy: possible approaches
  • Exercise
  • Key stages in the strategic planning/implementation process
  • Internal audit’s potential role at each stage
  • Environmental scanning/development of strategic options: PESTLE and SWOT analysis
  • Evaluation and selection of strategic options
  • Case study
  • Identifying and managing strategic risks: establishing Key Risk Indicators (KRIs)
  • Exercise
  • Communication and gaining ‘buy in’ – internally and externally
  • Effective implementation: SMART target setting and operational alignment with strategic goals
  • Monitoring strategy execution: selecting the right KPIs and tracking KRIs
  • Reporting to stakeholders
  • Avoiding ‘tunnel vision’ and ‘group think’
  • Assuring and enhancing strategy processes

Session 7: Auditing risk management

  • Clarifying roles and responsibilities for risk management
  • Acceptable – and unacceptable – roles for internal audit
  • Case study
  • A review of IIA guidance: the three lines of defence
  • Understanding risk management maturity
  • Assessing the risk management maturity of your organisation
  • Exercise
  • The implications for risk-based internal auditing
  • Defining and auditing risk appetite
  • Exercise
  • Auditing the key components of the ERM framework (risk leadership, risk identification and assessment, risk response, risk monitoring and assurance, risk reporting)
  • Assurance mapping and integrated assurance
  • Things to watch out for: typical weaknesses
  • Internal audit’s role in stimulating improvement
  • Refining your approach as risk management matures
  • Sample audit programme

Gaining buy-in from the Board and Audit Committee

  • Making the business case
  • The 3Ps versus content
  • Dealing with objections
  • Role play: Managing risks to internal audit
  • The implications for independence and objectivity
  • Typical risks and how to manage them
  • Exercise
  • Learning to say no
  • Resource implications
  • Plugging resource gaps
  • Getting started
  • Identifying quick wins to build confidence
  • The role of pilot assignments
  • Communicating success
  • Dos and Don’ts
  • Conclusions and action planning

Further information

ACI Learning
2 Days
Scheduled dates
Course type:
Amsterdam, Atlanta, GA, Bandar Seri Begawan, Boston, MA, Burlington, MA, Cape Town, Charlotte, NC, Chicago, IL, Dallas, TX, Denver, CO, Dubai, Dublin, Dublin, OH, Hong Kong, Houston, TX, Las Vegas, NV, London, Manila, New York, NY, Oman, Orlando, FL, Philadelphia, PA, San Antonio, San Diego, CA, San Francisco, CA, Seattle, WA, Singapore, Virtual Training Room Only, Washington, DC

Contact Information

ACI Learning

6855 S. Havana St.
Suite 230
80112 USA