Governance and Risk Academy

Our Governance and Risk Academy helps you navigate your strategic goals in an environment of evolving risks and constant regulatory change.

From risk assessments to internal audits, our industry experience in identifying, understanding, and managing risk day-to-day is integrated into our programmes, helping you balance risks and opportunities.

Our programmes

To register for preferred course(s), please contact us.

Cybersecurity awareness training

Every business, large or small, benefits from employees at all levels understanding how to protect themselves and the company from social engineering (attacks that exploit people rather than systems) and other cyber-attacks. Many standards and regulations, including ISO/IEC 27001, HIPAA, PCI DSS, SOX and GDPR, as well as some local regulations, require security awareness training for all employees.

Objectives

The course aims to raise awareness about information security, good information security practices, and related policy in order to help prevent unintentional compromises of sensitive information and computing systems.

Outcome

By the end of this course, attendees will: 

  • Be confident in the decisions they make when creating new passwords, filtering through suspicious emails or browsing the internet.
  • Have raised awareness levels and the practical skills needed to better protect their business from the dangers of data breaches, network attacks and ransomware.
Agenda
  • Importance of security awareness
  • Avoiding social engineering
  • Using the internet safely
  • Securing your devices

 1/2 day

  Classroom / Virtual

Target audience
  • IT Risk and Compliance team
  • Business managers/ End-users

Data privacy awareness training (focus on GDPR, PDPD)

Data privacy and data protection have become front-and-center issues around the world, as individuals demand more control of their personal information, and organisations face greater information security threats and risks. And with more people working remotely, it’s more critical than ever to ensure that employees understand the rules and guidelines for using and protecting data and avoiding costly data breaches. Information security focuses on keeping all kinds of nonpublic information and systems safe. The consequences for data breaches, mishandling personal information and violating data privacy laws are serious and can involve fines, damage to an organisation’s reputation and loss of customer trust.

Objectives

The course aims to teach:

  • Data privacy, with a focus on how personal information is collected and used.
  • How to apply privacy awareness best practices, equipping employees with the knowledge and skills to make data protection a default behaviour.
Outcome

By the end of the course, attendees will:

  • Have broadened understanding of data privacy and the many rights and responsibilities it generates.
  • Know how to safely handle personal information.
  • Be able to support your organisation in fulfilling privacy obligations.
Agenda
  • Overview of GDPR and PDPD
  • GDPR and PDPD's detailed requirements
  • How to conduct a GDPR and PDPD compliance audit

  1 day

  Classroom / Virtual

Target audience
  • IT Risk and Compliance team
  • Internal Audit team
  • Legal and Data protection team

Internal audit report writing

The success of an audit project is usually measured by its primary output: the internal audit report. Hence, it is essential that the report is easy to read, compelling and authoritative. If the report influences a reader to think differently or take action, it has met its purpose.

Objectives

This programme will help internal auditors learn what goes into an effective audit observation and how to organise reports that meet professional standards, elicit management action, and communicate crucial messages to auditees, senior and executive management, and board-level readers. Participants will learn to produce reports that have impact and add value to decision making within their organisation.

Outcome

By the end of this course, participants will be able to:

  • Understand what makes an effective internal audit report
  • Understand the report writing process from planning to delivery of a final audit report 
  • Identify and effectively articulate observation, associated risk(s), root cause and other internal audit report components 
  • Be more influential when writing an internal audit report
  • Manage the relationship with the auditee and secure acceptance of the draft and final report

Agenda

  • Overview
  • The journey to an effective internal audit report writing
  • Key elements of draft internal audit reports
  • The Final Report
  • Reporting techniques
  • Tools and Techniques 
  • Exercise

  1 day

  Classroom / Virtual

Target audience
  • This course is valuable for internal auditors who are involved in or are responsible for preparation, review and approval of internal audit reports before issuance.
  • Senior internal audit professionals will stand to benefit from the course as a refresher in terms of knowledge and skills for writing an effective internal audit report.
  • The course is equally beneficial to internal audit juniors and professionals who are preparing to assume such responsibilities.

Introduction to Enterprise Risk Management

Today’s business world is constantly changing - it is unpredictable, volatile, and seems to become more complex every day. By its very nature, it is fraught with risk. Enterprise Risk Management is a comprehensive, systematic approach for helping the organisation to identify, measure, prioritise and respond to the risks challenging its most critical objectives and related projects, initiatives and day-to-day operating practices.

Objectives

This workshop is designed to help participants to:

  • Understand the relevant concepts of ERM, the COSO ERM Framework and ISO 31000
  • Obtain knowledge of the steps in the risk management process
  • Understand the roles and responsibilities in ERM
  • Work through case studies
Outcome

By the end of this course, participants will:

  • Understand the ERM concepts
  • Be equipped with knowledge concerning the risk management process
  • Understand their roles and responsibilities in ERM

Agenda

  • Overview of ERM
  • Risk management process
  • Case study

  1/2 day

  Classroom / Virtual

Target audience
  • Risk management practitioners
  • Finance managers
  • Finance officers
  • IT staff 
  • Internal auditors
  • Operations staff at all levels

Introduction to internal audit

All internal audit professionals need to understand the background, standards, frameworks and leading practices in Internal Audit. This is fundamental to the success of any internal audit professional.

Objectives

The course covers the fundamentals and building blocks for the internal audit profession including key definitions, professional background and code of ethical conduct, international internal audit standards and leading risk and control frameworks such as COSO.

Outcome

By the end of this course, participants will:

  • Understand background and reasons why the internal audit profession exists
  • Know the definition, mission and key performance and attribute standards for the internal audit practice
  • Understand the role of an internal auditor towards their organisation and acceptable behaviours
  • Know the proper governance structure of internal audit functions
  • Understand COSO Internal Control, ERM and Fraud Risk Management
  • Understand the relation between objectives, risks and controls.
Agenda
  • Day 1
    - History, evolution and prospects of the internal audit profession
    - International Professional Practices Framework (IPPF)
    - Internal audit function
  • Day 2
    - Introduction to COSO
    - Principles and attributes of COSO Internal Control

 2 days

  Classroom / Virtual

Target audience
  • The topics included in this course are the necessary building blocks for a professional career in internal audit.
  • This course is a must for junior and senior internal auditors who are relatively new to the internal audit profession. 
  • This course is also ideal for senior internal audit professionals who want to refresh their knowledge and stay up to date with the applicable standards and frameworks.

Introduction to PCI DSS (Payment Card Industry Data Security Standard)

Knowledge of and compliance with data security standards can bring major benefits to your business, while failure to comply can have serious and long-term negative consequences. This course outlines the challenges surrounding payment card security and explains what the PCI Standards do to mitigate these issues.

Objectives

The course will teach:

  • Understanding of PCI compliance before you go through an assessment
  • Application of PCI DSS security principles across your business
Outcome

By the end of the course, attendees will be able to:

  • Build a secure payments environment
  • Support your organisation’s compliance efforts through your knowledge of how to apply PCI Standards
Agenda
  • Overview of PCI requirements, how they enhance data security, and how they support compliance with the PCI Data Security Standard
  • Roles and responsibilities of key players in the compliance process, including overviews of the Internal Security Assessor (ISA), Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV) programmes
  • The need for PCI Data Security Standard (DSS) compliance
  • PCI DSS overview
  • PCI DSS requirements

  1/2 day

  Classroom / Virtual

Target audience
  • IT Risk and Compliance team
  • IT Security team
  • Card operations team

ISAE 3402/3000 (SOC 1/2) awareness training

An ISAE 3402 or ISAE 3000 assurance report (the international counterparts of SOC 1 and SOC 2) provides detailed information and independent assurance about a service organisation's internal controls, with the engagement performed under the International Standards on Assurance Engagements (ISAE).
SOC 1 reports, which cover controls relevant to user entities' internal control over financial reporting (ICFR), are issued under ISAE 3402.
SOC 2 reports, which are relied on in regulatory oversight, vendor management programmes, internal governance and risk management, are issued under ISAE 3000. A SOC 2 report covers security, availability, processing integrity, confidentiality and/or privacy controls.

Objectives

The course aims to provide:

  • Understanding of the differences between ISAE 3402 and ISAE 3000
  • Understanding of how an ISAE audit is performed
  • Understanding of how to prepare for an ISAE audit and the resulting report
Outcome

By the end of the course, attendees will be able to:

  • Choose the appropriate type of ISAE engagement
  • Understand all of the internal controls in scope
  • Prepare properly for an ISAE 3402/3000 audit and its report

Agenda

  • An overview of ISAE 3402/3000 (SOC 1/2) for IT security risk assurance
  • SOC 1 and SOC 2 readiness assessment (health check) ahead of Type 1 and Type 2 audits
  • SOC 1, 2 and 3 audit reporting overview
  • SOC 1 and SOC 2 internal controls overview

  1 day

  Classroom / Virtual

Target audience
  • IT Risk and Compliance team
  • IT/Business Operations team
  • IT Security team

ISO 27001 Information Security Risk Assessment Methodology

Risk assessments are one of the most important parts of an organisation’s ISO 27001 compliance project. ISO 27001 requires organisations to demonstrate evidence of information security risk management, risk actions taken and how relevant controls have been applied.

Objectives

The course will:

  • Provide the general concepts specified in ISO 27001 
  • Assist with the satisfactory implementation of information security based on a risk management approach.
  • Enable participants to conduct an information security risk assessment in accordance with the requirements of ISO 27001.
Outcome

By the end of the course, attendees will understand:

  • How to identify and assess IT security risk quantitatively
  • Risk likelihood and the consequences for the business
  • How to establish a priority order for risk treatment
  • How to complete the risk assessment report according to ISO 27001's requirements
Agenda
  • Identifying IT assets
  • IT security risk assessment
  • IT security risk treatment
  • Residual IT security risk
  • A case study

  1/2 day

  Classroom / Virtual

Target audience
  • IT Risk and Compliance teams
  • ISO/ISMS teams
  • IT/Security teams
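
As an added illustration of the risk assessment, treatment and residual risk steps in this course's agenda (example code written for this page, not course material), the Python below scores constructed sample risks on assumed 1-5 likelihood and impact scales, orders them for treatment, records a treatment option with its selected controls and expected residual risk, and reports which residual risks still exceed an assumed acceptance threshold. The threshold, the scales, the sample assets and threats, and the ISO/IEC 27002:2022 control references are all assumptions chosen for the demonstration.

```python
"""Risk register for an ISO/IEC 27001-style information security risk assessment.

Added example for this page, not course material. Assumptions: 1-5 likelihood and
impact scales, risk score = likelihood x impact, an acceptance threshold of 8, the
four ISO/IEC 27001 treatment options (modify, retain, avoid, share), and sample
assets, threats and control references constructed for the demonstration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

RISK_APPETITE = 8  # assumed threshold: inherent scores above this must be treated
TREATMENTS = {"modify", "retain", "avoid", "share"}


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)
    treatment: str = "retain"
    controls: list[str] = field(default_factory=list)  # e.g. ISO/IEC 27002 control ids
    residual_likelihood: int | None = None
    residual_impact: int | None = None

    def __post_init__(self) -> None:
        for value in (self.likelihood, self.impact):
            if not 1 <= value <= 5:
                raise ValueError("likelihood and impact must be on the 1..5 scale")
        if self.treatment not in TREATMENTS:
            raise ValueError(f"unknown treatment option: {self.treatment}")

    @property
    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    @property
    def residual_score(self) -> int:
        # Before any treatment is recorded, residual risk equals inherent risk.
        lik = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        imp = self.impact if self.residual_impact is None else self.residual_impact
        return lik * imp


def prioritise(register: list[Risk]) -> list[Risk]:
    """Treatment order: highest inherent score first, ties broken by impact."""
    return sorted(register, key=lambda r: (r.inherent_score, r.impact), reverse=True)


def needs_treatment(risk: Risk) -> bool:
    return risk.inherent_score > RISK_APPETITE


def treat(risk: Risk, option: str, controls: list[str],
          residual_likelihood: int, residual_impact: int) -> Risk:
    """Record the chosen treatment option, the selected controls and the
    likelihood/impact expected once those controls are in place."""
    if option not in TREATMENTS:
        raise ValueError(f"unknown treatment option: {option}")
    risk.treatment = option
    risk.controls = list(controls)
    risk.residual_likelihood = residual_likelihood
    risk.residual_impact = residual_impact
    return risk


def unacceptable_residuals(register: list[Risk]) -> list[Risk]:
    """Risks still above the appetite after treatment that management has not
    explicitly retained; these go back for another treatment iteration."""
    return [r for r in register
            if r.residual_score > RISK_APPETITE and r.treatment != "retain"]


def build_sample_register() -> list[Risk]:
    # Constructed sample data for illustration only.
    return [
        Risk("Customer database", "SQL injection by an external attacker",
             "Unvalidated input in the web front end", likelihood=4, impact=5),
        Risk("Staff laptops", "Theft of a device", "Disk not encrypted",
             likelihood=3, impact=4),
        Risk("Office printer", "Paper jam", "Ageing hardware", likelihood=5, impact=1),
    ]


def run_assessment() -> list[Risk]:
    """Assess, prioritise and treat the sample register; returns it in treatment order."""
    register = prioritise(build_sample_register())
    database, laptops, printer = register
    # Control references follow ISO/IEC 27002:2022 numbering (assumed mapping).
    treat(database, "modify",
          ["8.28 Secure coding", "8.8 Management of technical vulnerabilities"],
          residual_likelihood=1, residual_impact=5)
    treat(laptops, "modify", ["8.24 Use of cryptography"],
          residual_likelihood=3, residual_impact=1)
    assert not needs_treatment(printer)  # score 5 is within appetite: retained as-is
    return register


if __name__ == "__main__":
    assessed = run_assessment()
    for r in assessed:
        print(f"{r.asset:18} inherent={r.inherent_score:2} treatment={r.treatment:7} "
              f"residual={r.residual_score:2} controls={r.controls}")
    print("still above appetite:", [r.asset for r in unacceptable_residuals(assessed)])
```

The point a practitioner should take from this is the loop: a risk that is still above appetite after treatment (a non-empty `unacceptable_residuals` list) is not finished, and the choice to retain it must be an explicit management decision recorded in the register rather than a default.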

ISO 27001 Internal Audit

This training enables you to develop the necessary expertise to perform an Information Security Management System (ISMS) audit by applying widely recognised audit principles, procedures and techniques.

Objectives

This course will:

  • Help attendees acquire the knowledge and skills to plan and carry out internal audits in accordance with the ISO 19011 audit process.
  • Enable attendees to master audit techniques and become competent to manage an audit programme, an audit team, communication with the parties involved, and conflict resolution.
Outcome

By the end of this course, attendees will be able to:

  • Explain the fundamental concepts and principles of an information security management system (ISMS) based on ISO/IEC 27001
  • Interpret the ISO/IEC 27001 requirements for an ISMS from the perspective of an auditor
  • Plan, conduct, and close an ISO/IEC 27001 compliance audit, in accordance with ISO 19011 guidelines, and other best practices of auditing
  • Manage an ISO/IEC 27001 audit programme
Agenda
  • Summary of ISO 27001 requirements
  • Basic internal auditing principles
  • Managing the audit programme
  • Performing the internal audit process
  • Essential attributes of a successful auditor

 1 day

  Classroom / Virtual

Target audience
  • IT Risk and Compliance team
  • IA/ISO/ISMS team
  • IT Security team

ISO 27001 IT Risk Treatment and Security Controls

This course provides guidance on best practice for information security management to help you select, implement and manage controls, policies, processes, procedures, organisational structures, and roles and responsibilities.

Objectives

The course will:

  • Familiarise participants with the guidelines needed to initiate, implement, maintain and improve information security management in an organisation.
  • Help select the controls needed for implementing an ISMS based on ISO/IEC 27001.
Outcome

By the end of the course, attendees will:

  • Be able to demonstrate comprehensive knowledge and the ability to assess information security risks based on a formal risk assessment approach and select appropriate risk treatment options by applying relevant controls.
  • Have the knowledge to implement information security controls based on ISO 27002
  • Understand the process of performing periodic risk assessments and selecting the appropriate risk treatment options to help an organisation improve its information security approach
Agenda
  • IT Security risk treatment options
  • IT Security controls

  1 day

  Classroom / Virtual

Target audience
  • IT Risk and Compliance team
  • ISO/ISMS team
  • IT Audit/Security team

Process Intelligence and Mining

Process mining and intelligence allow organisations to gain insight into their processes and controls and to detect inefficiencies, overrides or non-compliance. The solution is built on a data analytics foundation: it reconstructs the actual flow of transactions from system event logs over a chosen period and identifies where variants from the expected process occurred. This lets users identify root causes, determine where efficiencies can be gained, and improve their internal control environment or transform their business processes to optimise both efficiency and controls.

Objectives

This course aims to teach controls optimisation through data and process mining technology.

Outcome

By the end of this course, attendees will understand how process mining can be utilised to support a client’s compliance, process improvement and audit reviews. 

Agenda
  • Introduction of process mining
  • How process mining achieves intended process or controls optimisation objectives.
  • Differences between process mining and data analytics.
  • Example of how process mining works and is applied in actual industry and with clients.

  1/2 day

  Classroom / Virtual

Target audience
  • Internal Audit
  • Financial controllers
  • Risk Management
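
An added illustration, not part of the course, of what variant discovery and control checks look like on data (example code written for this page): the Python below takes a constructed purchase-to-pay event log, rebuilds each case's ordered activity trace, counts process variants, measures conformance to an assumed reference path, and flags two control exceptions: invoices paid without a recorded approval, and the same user both creating and approving a purchase order (a segregation-of-duties breach). The log contents, activity names, column layout and reference path are all assumptions.

```python
"""Basic process mining over a constructed purchase-to-pay event log.

Added example for this page, not course material. The event log, the activity
names and the reference path are constructed assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed event log: (case_id, activity, timestamp, user)
EVENT_LOG = [
    ("PO-1", "Create PO", "2024-03-01T09:00", "alice"),
    ("PO-1", "Approve PO", "2024-03-01T11:00", "bob"),
    ("PO-1", "Receive goods", "2024-03-04T10:00", "carol"),
    ("PO-1", "Pay invoice", "2024-03-10T15:00", "dave"),
    ("PO-2", "Create PO", "2024-03-02T08:30", "alice"),
    ("PO-2", "Approve PO", "2024-03-02T09:00", "alice"),   # creator approves own PO
    ("PO-2", "Receive goods", "2024-03-05T10:00", "carol"),
    ("PO-2", "Pay invoice", "2024-03-11T15:00", "dave"),
    ("PO-3", "Pay invoice", "2024-03-12T15:00", "dave"),    # out of order in the export
    ("PO-3", "Create PO", "2024-03-03T08:30", "erin"),
    ("PO-3", "Receive goods", "2024-03-06T10:00", "carol"),  # no approval at all
    ("PO-4", "Create PO", "2024-03-03T09:30", "erin"),
    ("PO-4", "Approve PO", "2024-03-03T12:00", "bob"),
    ("PO-4", "Receive goods", "2024-03-07T10:00", "carol"),
    ("PO-4", "Pay invoice", "2024-03-13T15:00", "dave"),
]

# Assumed "happy path" the control design expects every case to follow.
REFERENCE_PATH = ("Create PO", "Approve PO", "Receive goods", "Pay invoice")


def build_traces(log):
    """Group events by case and order them by timestamp; exports are rarely sorted."""
    by_case = defaultdict(list)
    for case_id, activity, ts, user in log:
        by_case[case_id].append((datetime.fromisoformat(ts), activity, user))
    return {case: sorted(events) for case, events in by_case.items()}


def activities(events):
    return tuple(activity for _, activity, _ in events)


def discover_variants(traces):
    """A variant is one distinct ordered activity sequence; returns its frequency."""
    return Counter(activities(events) for events in traces.values())


def approval_skipped(traces):
    """Cases where 'Pay invoice' occurs without a preceding 'Approve PO'."""
    flagged = []
    for case, events in traces.items():
        approved = False
        for _, activity, _ in events:
            if activity == "Approve PO":
                approved = True
            elif activity == "Pay invoice" and not approved:
                flagged.append(case)
                break
    return sorted(flagged)


def sod_violations(traces, first="Create PO", second="Approve PO"):
    """Segregation of duties: cases where one user performed both conflicting activities."""
    flagged = []
    for case, events in traces.items():
        users_first = {user for _, activity, user in events if activity == first}
        users_second = {user for _, activity, user in events if activity == second}
        if users_first & users_second:
            flagged.append(case)
    return sorted(flagged)


def conformance(traces):
    """Share of cases whose trace matches the reference path exactly."""
    matching = sum(1 for events in traces.values() if activities(events) == REFERENCE_PATH)
    return matching / len(traces)


def analyse(log=EVENT_LOG):
    traces = build_traces(log)
    return {
        "variants": discover_variants(traces),
        "approval_skipped": approval_skipped(traces),
        "sod_violations": sod_violations(traces),
        "conformance": conformance(traces),
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```

Note that PO-2 is fully conformant on activity sequence yet still fails the control: variant analysis alone shows only where the path deviates, so resource (who did what) attributes must be checked separately to catch overrides of segregation of duties.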

Reshaping your Business with Effective Financial Management

Unforeseen risks can badly affect many businesses, including SMEs, depending on the industry they operate in. To ensure business sustainability, productivity and employees' employability, SMEs and their employees must consider action plans and initiatives that include managing the business's finances effectively.

Objectives

The course aims to provide SMEs better understanding of how to read and interpret financial terms presented and disclosed in a set of financial statements as well as how to analyse some of the common key financial performance ratios to be able to make informed business decisions. The course also covers cashflow management, investment appraisal and monitoring budgets.

Outcome

By the end of this course, attendees will:

  • Understand the significance of financial statements and their components
  • Be able to perform financial analysis
  • Understand cash operating cycle and how to manage it
  • Understand how to perform inventory costing
  • Understand how to appraise investments and what are some of the investment appraisal tools
  • Be able to manage foreign currency exposures
  • Understand how to do good budgeting and monitor it
  • Recognise some of the potential warning signals that may arise from financial statements
  • Understand other impacts of Covid-19 on financial reporting
  • Understand tax considerations
Agenda
  • Cash and cost levers that affect business performance
  • How to baseline an organisation's cash and cost levers (qualitatively and quantitatively)
  • Benchmarks and performance indicators that signal sub-optimal financial management
  • Assessment dimensions for articulating an organisation's financial performance improvement
  • How to enable improved financial performance management through focused initiatives
  • How to prioritise key initiatives to ensure short- to medium-term improvement
  • Elements of an action plan for improvement

  1/2 day

  Classroom / Virtual

Target audience
  • SME owners / directors
  • SME Finance senior management
  • SME Finance and tax managers/executives
  • Regulators, academics and accountancy students

Risk-based internal audit planning

Today, effective internal auditing requires thorough planning coupled with nimble responsiveness to quickly changing risks. To add value and improve an organisation’s effectiveness, internal audit priorities should align with the organisation’s objectives and should address the risks with the greatest potential to affect the organisation’s ability to achieve those objectives.

Objectives

This course provides participants with the knowledge to develop a risk-based internal audit plan. During this course, you will participate in interactive activities and real-life scenarios. Be prepared to walk away with concepts and tools to develop a value-added risk-based audit plan.
This course is also designed for senior internal audit practitioners who want to build on their knowledge and increase their value to the organisation by developing effective risk-based audit plans that address emerging risks.

Outcome

By the end of this course, attendees will:

  • Be able to establish a true risk-based internal audit plan, grounded in the relevant risk theories and frameworks
  • Understand the benefits of risk management and how to align work with the risk appetite of the Board.
Agenda
  • Overall concepts
  • Planning the risk assessment
  • Conducting the risk assessment
  • Bringing it all together – developing the internal audit plan

 1 day

  Classroom / Virtual

Target audience
  • This course is valuable for senior internal auditors and internal audit managers who are involved in or responsible for developing the annual risk-based audit plan.
  • The course is equally beneficial to internal audit juniors and professionals who are preparing to assume such responsibilities.

Secure development for web applications (focus on OWASP)

Security on the web is an increasingly important topic for organisations to grasp. Recent years have seen the emergence of the hacktivist movement, the increasing sophistication of online career criminals and the very real threat posed by nation states compromising personal and corporate security. The Open Web Application Security Project (OWASP) publishes the OWASP Top 10 to guide the secure development of online applications and defend against these threats.

Objectives

The course aims to:

  • Enable attendees to incorporate security into the software development life cycle: move security into the design and build phases by identifying common insecure code patterns and adopting the mindset of a security professional.
  • Help attendees understand their attackers and risks, and mitigate issues at critical junctures in their code, including client and server interactions.
  • Teach how to prevent unauthorised access and data leaks with authentication and cryptography.
Outcome

By the end of the course, attendees will be able to:

  • Describe each of the OWASP Top 10 risks and the common activities that might lead to the introduction of these vulnerabilities
  • Explain how the issues can be exploited, as well as the security vulnerabilities they create for both standard and emerging technologies
  • Understand how the OWASP Top 10 risks may be mitigated
Agenda
  • Web application security
  • OWASP Top 10
  • Threat modelling and Risk management
  • Application mapping
  • Authentication and authorisation attacks
  • Session management attacks
  • Application logic attacks
  • Data Validation
  • AJAX attacks
  • Code review and security testing
  • Web app penetration testing
  • Secure SDLC
  • Cryptography

 3 days

  Classroom (including hands-on labs)

Target audience
  • IT Security team
  • IT Application Development/Software team
  • IT Risk and Compliance team
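
As an added example (written for this page, not course material) of the "identify common insecure code issues" objective, the Python below shows the OWASP Top 10 Injection risk as a vulnerable user lookup beside a hardened login check, both run against an in-memory SQLite database with constructed users. The schema, user records, function names, allow-list rule and password-hashing parameters are assumptions made for the demonstration.

```python
"""OWASP Top 10 Injection: vulnerable string-built SQL beside a hardened login.

Added example for this page, not course material. The schema, users and
function names are constructed assumptions for the demonstration.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 200_000  # assumed work factor for the demonstration


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def setup_db() -> sqlite3.Connection:
    """In-memory database with two constructed users and salted password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for user, password in (("alice", "correct horse battery staple"), ("bob", "hunter2")):
        salt = os.urandom(16)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (user, salt, _pbkdf2(password, salt)))
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list[str]:
    """INSECURE (kept deliberately): the username is concatenated into the SQL
    text, so an input such as ' OR '1'='1 rewrites the WHERE clause and the
    query returns every user instead of one."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened: a parameterised query keeps data out of the SQL grammar; an
    allow-list on the username adds defence in depth; the stored hash is compared
    in constant time so timing does not leak which bytes matched."""
    if not (username.isalnum() and len(username) <= 32):
        return False
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored_hash = row
    return hmac.compare_digest(_pbkdf2(password, salt), stored_hash)


def demo() -> dict:
    """Run the classic tautology payload against both versions and return the outcomes."""
    conn = setup_db()
    payload = "' OR '1'='1"
    return {
        "vulnerable_rows": lookup_vulnerable(conn, payload),
        "vulnerable_rows_normal": lookup_vulnerable(conn, "alice"),
        "hardened_injection": login_hardened(conn, payload, "anything"),
        "hardened_good_password": login_hardened(conn, "alice", "correct horse battery staple"),
        "hardened_bad_password": login_hardened(conn, "alice", "wrong"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The fix that matters is the `?` placeholder: the driver sends the value separately from the statement, so no quoting trick can change the query's structure. The allow-list and constant-time comparison are secondary hardening that the OWASP guidance also calls for, but they are not a substitute for parameterisation.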

The fundamentals of great Business Continuity Management (BCM) & Business Continuity Planning (BCP)

In an increasingly interconnected world, it’s imperative for companies to rethink contingency planning. This programme will help participants understand the principal elements of great Business Continuity Management (“BCM”) and equip them with the skills and knowledge for Business Continuity Planning (“BCP”).

Objectives

You will learn business planning methodologies, recovery strategies and how to apply the Business Continuity Management Framework to improve Business Continuity Planning.
Real-life case studies will be featured to give you a better understanding of the critical importance of Business Continuity Planning.

Outcome

By the end of this course, participants will be able to:

  • Understand how to use a Risk Analysis Framework
  • Be equipped with knowledge concerning organisational survival and resilience using the Business Continuity Management Framework.
  • Identify and analyse potential threats and corresponding potential impact
  • Identify functions that are critical to business operations and have appropriate alternative business continuity strategy options
Agenda
  • What a good BCM framework is
  • What a BCP is
  • Breakdown of a BCP
  • Crisis management vs Business Recovery
  • Case studies

 1/2 day

  Classroom / Virtual

Target audience
  • Business Leaders, C Suites, Enterprise Risk Management (ERM) Professionals and Audit Professionals.
  • Finance and non-finance professionals wanting to update their awareness levels of BCM and BCP will also benefit from this workshop.

Third party assurance and risks

A more integrated and connected business environment means more businesses outsource many of their activities and functions to third parties. However, the rise in security threats means all parties, including third-party providers, must provide a high degree of security and assurance over their controls.
Hence organisations should be aware of their responsibilities and obligations regarding third parties, and of the solutions available to manage them.

Objectives

The course aims to:

  • Provide detailed knowledge of risks and obligations when using third parties
  • Give an introduction to the solutions available
Outcome

By the end of this course, attendees will:

  • Understand how to manage the organisation’s third party service provision risks
  • Understand the risks of using third parties
  • Be aware of the assurance solutions which are available
Agenda
  • Understanding third party risks and obligations
  • Implications of third party risk exposures for the organisation, particularly regarding IT controls.
  • Introduction to the third party assurance solutions that are available and have been adopted by organisations.
  • Summary of existing third party obligations from a regulatory perspective.

 1/2 day

  Classroom / Virtual

Target audience
  • Financial controllers
  • Internal audit
  • Risk Management

Get in touch

Quach Thanh Chau

Partner, PwC's Academy Leader, PwC Vietnam

Tel: +84 28 3823 0796

Tran Thu Huong

L&D Leader, PwC's Academy, PwC Vietnam

Tel: +84 24 3946 2246, ext. 4607

Nguyen Tran Minh

Business Development Manager, PwC's Academy, PwC Vietnam

Tel: +84 24 3946 2246, ext.4613
