Risk Assurance™ (Value Added Auditing)

Risk Assurance Workshop is a comprehensive and practical two-day workshop that introduces participants to the frameworks, principles, and application of process risk management and assurance based on Value Added Auditing®.  Value Added Auditing (VAA) is a risk-based methodology for managing, planning, conducting, and reporting audits.  VAA is also a method for determining process effectiveness based on Government Accountability Office (GAO) Generally Accepted Government Auditing Standards (GAGAS) and Institute of Internal Auditors (IIA) Red Book standards.

The workshop follows the audit and risk assurance principles and practices outlined in ISO 19011 and Yellow Book standards.  The reference book (380 pages) for Program/Project/Risk Management is: Value Added Auditing.

The US Department of Homeland Security (DHS) has certified Value Added Auditing under the Safety Act as a Critical Infrastructure Protection: Forensics, Assurance, Analytics® ‘Qualified Anti-Terrorist Technology.’ Each workshop participant receives the 400-page, step-by-step Value Added Auditing manual.

Risk Assurance (Value Added Auditing): 1. Follows a risk-based approach; 2. Is compliant with and harmonized to critical federal and state statutes; and 3. Can be used to offer a professional opinion and/or attestation.

Quality + Engineering risk management experts will introduce participants to critical risk management regulations (ISO, NIST, DOE, FDA, FAA, etc.) and employment opportunities that are arising in many professions.

In this workshop, Q+E will present its risk-based methodology for conducting supplier risk audits.  Q+E's risk-based methodology, Value Added Auditing®, has been approved by the US Department of Homeland Security.  More information on Value Added Auditing can be found at:

Value Added Auditing® workshop
Value Added Auditing article

Workshop Objectives
The objective of this workshop is to provide an understanding of the specific process risk management frameworks that can be used to evaluate critical infrastructure, such as cyber security, power grid, and SCADA systems.  The workshop provides participants with principles, techniques and tools that will help them to address and mitigate process risks.

Upon completion, participants will be able to lead and/or actively participate in teams to audit/evaluate enterprise, programmatic, process, transactional, and product risks.  Participants will learn various risk management and process management frameworks, processes, techniques, and tools.  Participants will learn how to audit for risk and understand where attestation and opinions must meet today’s higher threshold of due diligence and assurance.  More often, federal, state, and commercial clients want this level of due diligence of operational, IT, and security assessments.

Workshop Format and Methodology
The workshop emphasizes process risk management and risk assurance.  The workshop is delivered through lectures, class discussions, individual and group case studies, and exercises.  The topics covered follow a well-accepted methodology of process auditing, including planning, fieldwork, and reporting.  The workshop will help participants to understand and to develop process risk management, forensics, analytical, and assurance skills that they can apply on real-life projects.

What are the major benefits of Risk Assurance Workshop (Value Added Auditing)?  Risk Assurance Workshop (Value Added Auditing) provides the following benefits: 1. Complies with many federal/state assurance and auditing statutes and standards; 2. Can be used for an in-depth forensics analysis; 3. Follows a risk-based and process approach; 4. Can be used for a high level of operational assurance and investigation if required; 5. Can be used for homeland security and other high-level ‘due care’ and ‘due proficiency’ assessments.

Workshop Time Frame
The workshop is designed to be delivered in two days. The first day covers general planning and organizing risk audits and assessments.  The second day covers risk controls, fieldwork and reporting modules for forensics and assurance.

Who Should Attend
ISO is developing new standards, such as ISO 28000 (supply chain security), ISO 27000 (information security) and many other families of risk based standards.  ANSI, NIST, and ASTM are similarly developing risk-based standards.  Engineering, quality, supply management and operational professionals need to understand how to conduct risk assessments if they want to expand their career opportunities.

Risk Assurance Tools
Participants will take home a process risk management toolbox. The toolbox is a collection of process checklists and tools.  Tools include: process plans, heat maps, specific checklists, scope of work templates, process risk templates, field work templates, and reporting procedures.  This toolbox will be used extensively during the workshop to give participants sufficient practice.  As an additional bonus value, each participant obtains the 400-page Value Added Auditing book, a $79.00 retail value.

Learning Objectives

  • Learn how to identify risk and determine when to use a risk-based, process approach to conduct an audit.
  • Learn how to determine which publicly held companies, Federal agencies, and States are requiring risk-based, operational process assessments.
  • Learn how to conduct risk-based audits that comply with federal and state requirements.
  • Use GAO Yellow Book and IIA Red Book standards to develop internal controls to manage risks.
  • Apply a step-by-step approach to plan a risk-based audit.
  • Learn how to conduct a successful risk-based audit.
  • Report audit findings and, if required, issue an opinion.

Workshop Outline

  • Value Added Auditing and Risk Assurance Fundamentals
  • Today’s Competitive Marketplace
  • Governance and Auditing
  • Value Added Auditing 101
  • Enterprise Risk Management 101
  • Process Management 101
  • Exercise: Discussion on the history and development of process assessments and operational auditing
  • Case study: Differences between Yellow Book and Red Book auditing
  • Case study: Differences between ISO and risk auditing

Managing Value Added Auditing

  • Managing the Value Added Audit
  • Exercise: Examples of Red Book and Yellow Book auditing and their differences
  • Case study: Critical Infrastructure Protection audits and assessments
  • Case study: Discuss Capability Maturity Model articles for conducting audits

Planning the Value Added Audit

  • Step 1: Understand audit and business objectives
  • Step 2: Notify/visit auditee
  • Step 3: Understand auditee’s system, process and product documentation
  • Step 4: Develop audit plan
  • Step 5: Develop audit survey
  • Exercise: Developing a scope of work and audit plan
  • Case study: NERC CIP audits

Conducting the Value Added Audits

  • Step 1: Assess organizational maturity
  • Step 2: Assess process capabilities
  • Step 3: Assess system/process risks
  • Step 4: Evaluate control effectiveness
  • Step 5: Assess evidence
  • Step 6: Issue opinion
  • Step 7: Conduct exit meeting
  • Exercise: ‘Plan the work’ and ‘Work the plan’
  • Exercise: Implement plan for risk-control evaluations

Reporting Value Added Audit Results

  • Step 1: Communicate audit results
  • Step 2: Decide audit report format
  • Step 3: Correct – Prevent – Predict – Preempt
  • Step 4: Maintain audit file
  • Exercise: Report on the audit and results of fieldwork
  • Case study: Attestation/Assurance/Opinions; Providing professional assurance

Future of ISO Risk Standards and Operational Auditing

  • ISO 28000
  • ISO 27000
  • ISO 14000
  • Discuss how to risk assess various standard criteria
  • Future of operational auditing

Your Next Steps

  • Develop plan for implementing process risk management
  • Exercise: Discuss and evaluate project risk plans