Wolters Kluwer

IIA Award in compliance audit and assurance

Presented by: Marian Silltow CFIIA CIA

The purpose of this course is to assist those who are working in a compliance or assurance role to understand their responsibilities. By compliance or assurance role we mean those who work in the second line of defence or those who have assurance responsibilities within the first line of defence.

Who should attend?

  • new entrants to a compliance or assurance role with little or no experience of how to ensure they are providing credible assurance
  • subject matter experts who join or are seconded to a compliance role who need to get up to speed quickly with the tools and techniques needed to provide assurance
  • those who work in a compliance or assurance role in their own organisation or those who undertake compliance/assurance reviews in third party organisations, for example audits of third-party compliance with outsourced contracts
  • internal auditors with a remit to provide oversight or review a compliance function.

What will I learn?

Upon completion you will be able to:

  • confidently articulate the compliance role and its importance to your organisation
  • assess the framework by which the senior leadership team can encourage better understanding of risk, control and compliance across the organisation
  • understand where you fit within the IIA’s three lines model
  • compare your compliance structure to good practice
  • develop a risk-based annual / six-monthly plan based on a defined compliance universe underpinned by an appropriate rationale
  • plan risk-based compliance reviews using the appropriate audit documentation and applying your knowledge of risk and internal control
  • design a compliance test programme that will enable testing of key controls and generation of appropriate sample sizes and evidence
  • evaluate the quality of the evidence collated, formulate findings and conclusions, and appreciate the techniques involved in preparing an effective compliance report
  • assess the quality of your own methodologies in providing credible assurance on your compliance universe.

Course programme

What is compliance audit?

  • the different compliance roles

Importance of the compliance role

  • why a compliance function is an integral part of the assurance framework
  • examples of organisational failures

Accountability and culture

  • why culture plays a key role in helping to achieve a good control environment
  • ways of measuring cultural compliance
  • use of cultural indicators by the compliance team
  • defining accountabilities and responsibilities for assurance across the three lines model

Establishing a compliance function

  • key issues that need to be resolved if the compliance team is to be established with appropriate support and resources
  • effective reporting lines

Annual planning – putting the schedule of work together for the coming year / quarters

  • the compliance universe – the boundaries of the assurance activity for the compliance team
  • risk-based planning – can you rely on the risk management framework?
  • risk-based planning – where you can’t rely on the risk management framework
    • gathering information
    • analysing information / use of risk factors
    • impact / likelihood assessment
  • analysing the results of the assessment / prioritising work for the year
  • approval of the plan
  • continuous monitoring of the plan during the year

Writing risk statements and internal control

  • how to write the risk statement
  • using the risk statement in individual compliance reviews
  • what is a control? What is the linkage between strategic objectives, processes, risks and controls?
  • the importance of control design, key controls and impact assessment to the compliance role

Planning the compliance review

  • introducing the compliance review
  • agreeing a sponsor for the compliance review / agreeing roles and responsibilities during the review for stakeholders and the compliance audit team
  • collating key documents including statistical data
  • meeting stakeholders
  • completing a risk and control matrix / understanding key controls and types of control
  • control design effectiveness testing / walkthrough testing
  • test strategies / using testing procedures
  • terms of reference


  • types of test / compliance and substantive tests
  • writing a test programme to test controls
  • selecting samples based on the risk maturity of the activity under review
  • collecting evidence to test the operating effectiveness of controls
  • evaluating and assessing the quality of the evidence and how this has been documented in the draft report
  • root cause analysis


  • writing up issue, effect, root cause and context / has the risk been managed / is it in alignment with the defined risk appetite?
  • what should the executive summary look like?
  • challenging the report – what is the likely reaction of the reader?


  • how confident are we in the quality of the assurance we are giving?

Pre-course work

There will be some pre-course preparation for this module; you will be advised of it upon confirmation of your booking.

CPE competency areas covered

  • Performance (Internal control | Engagement planning | Engagement fieldwork | Engagement outcomes)

14 CPE points

All training courses are subject to our Fair Collection Notice and Privacy Policy