The Internal Risk Advisor's Second-Line ICFR Playbook

$199.00

A focused course, tailored for you

Run a defensible second-line risk advisory programme over ICFR, IT general controls, and process risk, with the working papers an external auditor will accept on the first pass.

The control owner says it runs. The policy says something slightly different. The IT general control evidence shows a third reviewer. Second line is the function that has to reconcile those three views, then defend the reconciliation to the external auditor and the audit committee, in writing, with working papers that hold up after the engagement partner rotates.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

Second-line risk advisory is the function that owns the gap between what control owners describe in walkthroughs, what policy documents prescribe, and what the IT general control evidence actually shows. Methodology binders do not close that gap. They tell you to perform a walkthrough; they do not tell you what to write down when the walkthrough surfaces a quiet exception that the control owner did not flag. They tell you to assess design and operating effectiveness; they do not tell you how to aggregate three observed deficiencies into one memo that the audit committee can act on without overreacting. They tell you to coordinate with IT audit on general controls; they do not tell you what to do when the GITC owner pushes back on a finding because the privileged-access review was performed but not evidenced. Every quarter the second-line advisor builds those answers on the fly, then defends them when the external auditor walks in. This course is the written version of those answers.

What you walk away with

  • A control walkthrough template that captures the gap between policy, owner narrative, and IT general control evidence in one document.
  • A deficiency aggregation memo structure the audit committee can act on without overreacting to a single observation.
  • A SOX-equivalent quarterly attestation pack the external auditor accepts without follow-up clarification requests.
  • An IT general control evidence checklist that matches what external audit actually tests, not what methodology binders describe.
  • A second-line risk advisory operating model that survives engagement-partner rotation and audit-committee turnover.

The 12 modules

Module 1. The reconciliation second line owns
What the control owner says, what policy says, and what IT general control evidence shows are three different views. This module names the reconciliation document that holds those three views in one place, the headings that capture each view, and the explicit statement of difference that second line writes when the three views do not agree. The output is a one-page reconciliation that goes into every walkthrough binder.
Module 2. The walkthrough you can defend
Walkthrough notes that survive external audit challenge name the specific transaction, the specific reviewer, the specific evidence artefact, and the specific exception the owner did not flag. This module walks the structure of a walkthrough document the external auditor will accept without re-performance, including the standard questions, the evidence requests, and the exception-handling subsection that turns a quiet aside into a formal observation.
Module 3. IT general control evidence the external auditor will accept
Privileged access reviews performed but not evidenced. Change tickets approved but not linked to the change. Backup tests run but not signed. This module covers the IT general control evidence artefacts external audit actually tests, the format external audit accepts, and the GITC owner conversation that gets the evidence produced before the binder closes rather than after the audit walks in.
Module 4. Design effectiveness without methodology theatre
Design effectiveness is the question of whether the control, if it operates as described, would prevent or detect the risk. This module separates the design assessment from the operating assessment, names the specific design defects second line catches most often, and gives the language for the design conclusion that holds up under audit committee questioning. No methodology bingo card. Just the conclusion and its support.
Module 5. Operating effectiveness sample sizes and exceptions
Operating effectiveness fails most often on sample selection and on exception handling. This module covers the sample size that aligns with the control frequency, the random selection that external audit accepts as random, the documentation of the exception when one is found, and the second-line response when the control owner proposes to remediate retroactively. Includes the sample-tracker template every walkthrough binder needs.
Module 6. Deficiency aggregation that the audit committee can act on
Three observed deficiencies are not three findings. They are one finding with three instances, or they are evidence of a systemic control gap, or they are three unrelated issues. This module walks the aggregation logic, the memo structure, and the language second line uses when the deficiency is meaningful but not material. The audit committee reads the memo; the memo must let them act without overreacting.
Module 7. The SOX-equivalent quarterly attestation pack
Not every entity files SOX, but most run a SOX-equivalent quarterly attestation. This module covers the pack the CFO signs, the sub-certifications process owners sign, the supporting working papers that back each sub-certification, and the change-from-last-quarter narrative that the audit committee chair reads first. The pack is built so the external auditor can rely on it rather than rebuild it.
Module 8. Process risk assessment the business will sign
Process risk assessments fail when the business does not recognise the risks listed. This module covers the business-side interview that surfaces risks the process owner actually loses sleep over, the translation of those risks into the risk register language second line maintains, and the sign-off conversation that gets the business to own the risk rather than treat the assessment as a compliance exercise.
Module 9. Working papers that survive partner rotation
Engagement partners rotate. Audit committee chairs rotate. The working papers stay. This module covers the working paper standard that lets a new external auditor pick up the file and understand the prior conclusion without re-performing the work, the cross-references that link the walkthrough to the deficiency memo to the attestation pack, and the index that the new reviewer reads first.
Module 10. Coordination with IT audit and external audit
Second line sits between IT audit, process owners, and external audit. This module covers the coordination cadence with IT audit so general controls testing is not duplicated, the conversation with external audit about scope reliance, and the specific deliverables external audit will accept as second-line reliance evidence. The output is a coordination plan that cuts effective audit hours, not just scheduled hours.
Module 11. The audit committee briefing pack
Audit committee chairs read in a specific order: change from last quarter, material issues, items requiring decision, then everything else. This module covers the briefing pack that lets the committee chair land on the right conclusion in eight minutes, the appendix structure for the questioners on the committee, and the verbal briefing the second-line lead delivers in five sentences. Includes the briefing-pack template.
Module 12. The second-line operating model that scales
Most second-line risk advisory functions are organised around the methodology binder. This module covers the operating model organised around the reconciliation, the walkthrough, the deficiency memo, the attestation pack, and the audit committee briefing. Includes the role descriptions, the cadence calendar, the working-paper standards, and the hand-off checklist that lets a new joiner pick up a control universe in a quarter rather than a year.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

Walkthrough finished, owner narrative and policy do not match: reconciliation document from Module 1 plus walkthrough structure from Module 2.
IT general control evidence missing or in wrong format: Module 3 checklist and GITC owner conversation script.
Three deficiencies observed, audit committee asks if material: Module 6 aggregation logic and memo structure.
External auditor proposing scope reliance discussion: Module 10 coordination plan and reliance evidence deliverables.

What you get with this course

  • Twelve written modules covering reconciliation through operating model.
  • Reconciliation, walkthrough, deficiency memo, attestation pack, and audit committee briefing templates.
  • IT general control evidence checklist matched to common external auditor test programmes.
  • Sample-tracker template for operating effectiveness testing.
  • Working-paper standard and cross-reference index.
  • Hand-built implementation playbook for the buyer's specific control universe, delivered alongside course access.

What you will have in hand by Day 1, Week 1, Month 1

Within 24 hours: your account in the Art of Service learning environment is provisioned, all written modules and templates are accessible, and the hand-built implementation playbook for your specific control universe is delivered alongside course access.

Before and after

Before

Walkthroughs reconciled in your head. Deficiencies aggregated in conversations. The audit committee briefing rebuilt every quarter. The external auditor finding things you already knew but had not yet written down.

After

Reconciliation in writing, walkthrough binders external audit accepts on first pass, deficiency memos the audit committee acts on without overreacting, attestation packs the CFO signs with confidence, an operating model that survives partner rotation.

What happens if you do not address this

The next external audit cycle re-opens the walkthroughs that were closed informally. A deficiency that should have aggregated to one memo arrives as three loose observations. The audit committee asks for a written second-line opinion and the team has to draft it under deadline pressure. None of these are catastrophic. All of them erode the audit committee's confidence in second line, and that confidence is the function's only durable asset.

Who it is for

Second-line risk advisors, internal risk advisory managers, ICFR coordinators, and SOX programme leads inside large enterprises. People whose name is on the working papers that go to the external auditor and the audit committee. People who own the reconciliation between control owners, policy, and IT general control evidence. People who carry the next external audit cycle in their head while running the current one.

Who this is NOT for. External auditors performing attestation engagements. First-line process owners. Junior staff who have not yet led a full walkthrough cycle. People looking for a generic Three Lines of Defence overview rather than the specific working papers a second-line advisor produces.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. Six to eight hours of focused reading across the twelve modules. Templates are picked up as each module is read. The implementation playbook is built for the buyer's control universe and is meant to be used immediately on the next walkthrough cycle.

Why $199 is the right number

Methodology binders describe the steps; they do not give you the reconciliation, the deficiency memo, or the audit committee briefing pack. External audit firms publish thought leadership on SOX trends; they do not give you the working papers a second-line function produces. Generic GRC training covers Three Lines of Defence at a concept level; this course covers the specific documents the second-line risk advisor signs.

FAQ

Is this aligned to a specific framework?
It is aligned to the working-paper standards an external auditor under PCAOB AS 2201 or ISA 315 will accept. The templates are framework-agnostic enough to apply under SOX, J-SOX, K-SOX, UK SOX equivalents, and SOX-equivalent quarterly attestation regimes.
How tailored is the implementation playbook?
It is hand-built for the buyer's specific control universe and scoped to the buyer's organisation type, regulator, and current external auditor. Not generic. Built per buyer alongside course provisioning.
How current is the content?
Maintained against the current PCAOB, ISA, and IIA standard cycle. Updates are reflected in the learning environment as standards evolve.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.