“Words are flowing out like endless rain into a paper cup
They slither while they pass
They slip away across the universe”
When I first read fellow blogger Norman Mark’s latest entry (“A Word on Audit Universe”)
I admit it brought the knee-jerk reaction from me that Norman was getting it wrong. That reaction comes from seeing far too many people totally refute the concept of audit universe in favor of a complete risk-based approach to audit planning – an overcompensating pendulum swing away from the “schedule of audits” concept (whereby audits are repeated on an annual, bi-annual, tri-annual, etc. basis) to the “audit the biggest risks” approach (whereby the plan is developed based on a lot of discussions about potential risk.)
Part of that knee-jerk reaction comes from a time when I was involved in an environment where audit plan was driven completely by the analysis of risk. We threw out, entirely, our audit universe. We found good things, we had good feedback, and it helped us reformulate our priorities in a way which seemed to hit the important aspects. But, after a while, we stepped back and realized that, no matter how many people we talked to, no matter how successfully we worked with other assurance providers, no matter how comprehensive our analysis, we had left blind spots – big blind spots – in our plan. We found that “smaller” segments of the company (ones with perceived risks so low they fell off the radar; you know, the ones that wind up in that lower left corner of the risk matrix if they wind up anywhere at all) had a more profound impact than anyone had expected. In other words, we found that our focus on what we thought were Damoclean knives hovering over the company’s head had resulted in us forgetting the death of a thousand cuts.
Upon re-reading Norman’s post (as well as the others he referenced) I think he and I may be in agreement on the role of risk and “audit universe” in determining an audit plan – we just have a different set of terms. Over the years I’ve struggled with trying to sort out and explain the interaction between these two facets, and I think I’ve finally come up with a decent visualization. Unfortunately, I don’t have the graphic skills to represent it (nor do I know, off-hand, how to attach them to this blog.) Therefore, let me try and explain the way I think audit universe and risk universe work together by describing my visualization. (And, Norman, you can tell me if you think we’re saying the same things.)
Imagine a globe. Eliminate all the countries and oceans, but keep the lines for longitude and latitude. Imagine longitude represents processes working their way through the company. Next, imagine latitude represents entities and business units and physical locations and any other organizational or physical distinction your company may have (similar to the very basic concepts of audit universe). This interplay of the longitude with latitude mirrors the interplay of broad processes across the various entities. (Important thing to remember. I am just painting a picture here, not trying to draw an analogy. Don’t read any more into this than it is a picture.)
Now at the center of this globe, embedded within that company is risk. (Yes, risk can come from the outside also, but that’s not what I’m talking about here – work with me. Think of it this way, even if the risks originate from the outside, the pressures of all risks work from within to break up the complex interweaving that is the company.) The risk constantly pushes out in an attempt to blow the company apart. (Of course there is good risk. But, uncontrolled, it still can shatter the company’s framework.)
The risk is embedded in this network of processes and entities. But, by themselves, the processes and entities cannot hold the risk at bay. Yes, they have some role in it (of course, controls are part of the process, but again, hang in there with me), but without some other glue they are merely pieces of a Jenga cage that is susceptible to the pressures being put on it by risk. A punch to one piece too many and the entire thing falls apart.
Hence, the roll of governance. It wraps itself around the cage of processes and entities and, when properly built, pushes back against the forces that risk is bringing to bear toward destroying the company. Good governance is loosely tight – that is, it allows risk to stab at the cage just enough to allow new strengths and, in some instances, enough to change that structure (new opportunities).
The final picture in your mind should show the processes and entities as the globe, the risks as the core, and governance as the atmosphere. (They don’t act like cores and atmospheres, this is just a picture. Remember that part where I said this isn’t an analogy?)
So, how does an audit department use this to evaluate where to spend it’s time? Well, if all an audit departmetnt does is focus on the traditional definition of audit universe – auditable entities – it may find itself focusing on entities and processes without an understanding of the risks/weaknesses in that structure. On the other hand, if it focuses on those risks that are prodding at the structure, it may miss a weakness that risk hasn’t had the chance to attack yet. (I’ll throw in the argument that many of the large business failures we’ve experienced would not have been identified by using some of the definitions of risk-based auditing I’ve seen. Hint: Does anyone ever audit success?)
The right answer is a proper focus on both. I believe that advocates of each side of this pendulum are not really saying that the other side should be ignored. Rather, I think each is assuming they already understand the other side well enough. In other words, I focus on an audit universe based on entities and processes because I think I know the risks; I focus on the risks that can most directly and adversely affect the company because I already know the entities and processes that make it up. On such assumptions do empires crumble. The best approach is a methodical re-examination of both aspects on a regular basis. (And I can already hear the risk advocates saying that risks change much faster. Well, maybe yes, and maybe no. I don’t know of a company out there that doesn’t have a bunch of major initiatives being implemented that could fundamentally change the way business is done. And, for the ones that don’t, well kiss those companies goodbye right now. Because, just as the risk is indeed changing at unbelievable speed, so should the company.)
My apologies for the length of this post. I thought about splitting it up into separate entries, but I think it is better to lay it all out in one shot. So, my thanks to all of you who made it this far. Norman, if we still don’t agree, let me know. And to everyone else, does any of this make sense?
And by the way, this can easily turn into a discussion of how many auditors can dance on the head of an audit committee. I’m not saying that the understanding that evolves from the discussion isn’t important, but that too much time can easily be wasted by endless talking about the perfect approach. And that’s why the song quote at the beginning. (Besides, how can you have a discussion of audit universes and NOT mention the Beatles song.)