A Lot of Words on Audit Universe (or Nothing's Going to Change My World!)


“Words are flowing out like endless rain into a paper cup
They slither while they pass
They slip away across the universe”


When I first read fellow blogger Norman Marks's latest entry (“A Word on Audit Universe”) I admit it brought the knee-jerk reaction from me that Norman was getting it wrong. That reaction comes from seeing far too many people totally reject the concept of audit universe in favor of a complete risk-based approach to audit planning – an overcompensating pendulum swing away from the “schedule of audits” concept (whereby audits are repeated on an annual, bi-annual, tri-annual, etc. basis) to the “audit the biggest risks” approach (whereby the plan is developed based on a lot of discussions about potential risk).
Part of that knee-jerk reaction comes from a time when I was involved in an environment where the audit plan was driven completely by the analysis of risk. We threw out, entirely, our audit universe. We found good things, we had good feedback, and it helped us reformulate our priorities in a way which seemed to hit the important aspects. But, after a while, we stepped back and realized that, no matter how many people we talked to, no matter how successfully we worked with other assurance providers, no matter how comprehensive our analysis, we had left blind spots – big blind spots – in our plan. We found that “smaller” segments of the company (ones with perceived risks so low they fell off the radar; you know, the ones that wind up in that lower left corner of the risk matrix if they wind up anywhere at all) had a more profound impact than anyone had expected. In other words, we found that our focus on what we thought were Damoclean knives hovering over the company’s head had resulted in us forgetting the death of a thousand cuts.
Upon re-reading Norman’s post (as well as the others he referenced) I think he and I may be in agreement on the role of risk and “audit universe” in determining an audit plan – we just have a different set of terms. Over the years I’ve struggled with trying to sort out and explain the interaction between these two facets, and I think I’ve finally come up with a decent visualization. Unfortunately, I don’t have the graphic skills to represent it (nor do I know, off-hand, how to attach graphics to this blog). Therefore, let me try to explain the way I think audit universe and risk universe work together by describing my visualization. (And, Norman, you can tell me if you think we’re saying the same things.)
Imagine a globe. Eliminate all the countries and oceans, but keep the lines for longitude and latitude. Imagine longitude represents processes working their way through the company. Next, imagine latitude represents entities and business units and physical locations and any other organizational or physical distinction your company may have (similar to the very basic concepts of audit universe). This interplay of the longitude with latitude mirrors the interplay of broad processes across the various entities. (Important thing to remember. I am just painting a picture here, not trying to draw an analogy. Don’t read any more into this than it is a picture.)
Now at the center of this globe, embedded within that company is risk. (Yes, risk can come from the outside also, but that’s not what I’m talking about here – work with me. Think of it this way, even if the risks originate from the outside, the pressures of all risks work from within to break up the complex interweaving that is the company.) The risk constantly pushes out in an attempt to blow the company apart. (Of course there is good risk. But, uncontrolled, it still can shatter the company’s framework.)
The risk is embedded in this network of processes and entities. But, by themselves, the processes and entities cannot hold the risk at bay. Yes, they have some role in it (of course, controls are part of the process, but again, hang in there with me), but without some other glue they are merely pieces of a Jenga cage that is susceptible to the pressures being put on it by risk. A punch to one piece too many and the entire thing falls apart.
Hence, the role of governance. It wraps itself around the cage of processes and entities and, when properly built, pushes back against the forces that risk is bringing to bear toward destroying the company. Good governance is loosely tight – that is, it allows risk to stab at the cage just enough to allow new strengths and, in some instances, enough to change that structure (new opportunities).
The final picture in your mind should show the processes and entities as the globe, the risks as the core, and governance as the atmosphere. (They don’t act like cores and atmospheres, this is just a picture. Remember that part where I said this isn’t an analogy?)
So, how does an audit department use this to evaluate where to spend its time? Well, if all an audit department does is focus on the traditional definition of audit universe – auditable entities – it may find itself focusing on entities and processes without an understanding of the risks/weaknesses in that structure. On the other hand, if it focuses on those risks that are prodding at the structure, it may miss a weakness that risk hasn’t had the chance to attack yet. (I’ll throw in the argument that many of the large business failures we’ve experienced would not have been identified by using some of the definitions of risk-based auditing I’ve seen. Hint: Does anyone ever audit success?)
The right answer is a proper focus on both. I believe that advocates of each side of this pendulum are not really saying that the other side should be ignored. Rather, I think each is assuming they already understand the other side well enough. In other words, I focus on an audit universe based on entities and processes because I think I know the risks; I focus on the risks that can most directly and adversely affect the company because I already know the entities and processes that make it up. On such assumptions do empires crumble. The best approach is a methodical re-examination of both aspects on a regular basis. (And I can already hear the risk advocates saying that risks change much faster. Well, maybe yes, and maybe no. I don’t know of a company out there that doesn’t have a bunch of major initiatives being implemented that could fundamentally change the way business is done. And, for the ones that don’t, well kiss those companies goodbye right now. Because, just as the risk is indeed changing at unbelievable speed, so should the company.)
My apologies for the length of this post. I thought about splitting it up into separate entries, but I think it is better to lay it all out in one shot. So, my thanks to all of you who made it this far. Norman, if we still don’t agree, let me know. And to everyone else, does any of this make sense?
And by the way, this can easily turn into a discussion of how many auditors can dance on the head of an audit committee. I’m not saying that the understanding that evolves from the discussion isn’t important, but that too much time can easily be wasted by endless talking about the perfect approach. And that’s why the song quote at the beginning. (Besides, how can you have a discussion of audit universes and NOT mention the Beatles song.)

Posted on Jul 11, 2010 by Mike Jacka

  1. I think it is good to remember that Internal Audit is part of the entity's control environment and part of the overall risk assessment process. We need to visit the lower risk assessed units periodically to test and confirm the risk assessment. The most significant issues sometimes come from the smaller units due to lack of oversight.
  1. Mike,

    Thank you, first, for taking the time to respond - and with such a graphic picture. Some points for your consideration:

    1. Audit committee members generally have large heads, so many of us will have the opportunity to dance
    2. If you don't understand risks to the enterprise, you are highly likely to audit the wrong stuff in individual entities and processes
    3. Risks may rely on controls within a combination of entities and processes; you can't get a good picture of the whole globe by focusing on one quadrant at a time
    4. Risks are greatest where change exists. Focusing on a relatively static universe is highly likely to miss change - or the need for change
    5. Changes in risks or their levels can change the objectives of entities and processes (but don't always, perhaps because of a failure to link strategy and risk - but that's another story). The audit plan needs to allow for the fact that the process may no longer be effective in managing the changed/about-to-change risks of the enterprise


    1. While I advocate a top-down, risk-based approach I also recognize that failures at the activity level can affect multiple top-level business risks. I agree that a combination of both approaches is best, with the bottoms-up approach being a 'double-check', rather than the driver
    2. We never have enough time to cover everything, so let's not spend much time on risks that are unlikely to have much impact (x) and are also unlikely to occur (y). Low risk (x * y) should mean very low audit attention. As time goes by and the higher risk areas get attention, their risk level should decrease and the previously lower risks become more likely to be addressed
    3. Our success should be measured by our contribution to assurance, and effecting change that helps the business succeed

    Good stuff

  1. Norman, first, let me say that, in spite of the rhetoric we are throwing back and forth, I’m not convinced we are disagreeing. (For our new viewers, this is something Norman and I have been known to do before. Just ask anyone who had to sit on a committee with both of us.) I am just trying to indicate that a focus on risk at the risk (pardon the pun) of not understanding the enterprise is just as bad as focusing on the enterprise at the risk of not understanding the risk.

    Your quotes – my thoughts

    “If you don’t understand risks…you are likely to audit the wrong stuff in individual entities and processes.” Do not disagree. That is why it is important to understand both the risks and the entities and processes.

    “…You can’t get a good picture of the whole globe by focusing on one quadrant at a time.” For determining the overall picture of the company, I agree. However, if you are indicating that an audit of just one quadrant is inadequate, I disagree IF sufficient work has been done to show that is where the greatest exposure resides.
  1. (My apologies for the bold - can't quite figure out editing on the comments section.)

    “…Focusing on a relatively static universe is likely to miss change.” Again, agreed. I have no use for the concept of “cycle of audits”. However, my contention is that, in most companies, the processes are changing as quickly as the risks, and this requires a reaffirmation that audit understands how they work. No, that doesn’t mean operations will constantly be moving (thinking in terms of geographic audit universes), and it doesn’t mean the name of processes will change. I work in insurance – we will always have an underwriting process. It does mean reaffirming that you understand how that underwriting process has changed in relation to the risks and objectives the company has established (even to the point of, perhaps, redefining what audit understands the process to be.)

    “…The audit plan needs to allow for the fact that the process may no longer be effective in managing the changed/about-to-change risks of the enterprise.” Actually, this makes my point. You cannot determine if a process is effective if you don’t understand what those processes are, as well as how they work within the company and within the risk environment.
  1. (My, we get windy, but I think I win the verbosity contest.)

    And so, to your final three points, where, if I am reading them correctly, we are more assuredly saying the same thing. Your concept of bottoms-up double-check is, I think, a much better articulation of what I’ve said in a lot of words. Not spending time on low risks is (I hope) an obvious choice. (As I indicated, I have a knee-jerk reaction when I feel someone is pushing for only a risk-based approach, and I see in your comment a similar reaction when it looks like someone is advocating a focus on processes and damn the risks – not that there aren’t still some of those out there.)

    And, of course, it is impossible to argue with your final point. “Our success should be measured by our contribution to assurance, and effecting change that helps the business succeed.” That is the key to what we, as auditors, do.
    In conclusion, I still think we are saying the same things, just in different ways (and coming from different situations.) You may lean toward risk more than I do; I may lean toward processes more than you. Ultimately, it is the marriage of concepts of risk with the understanding of processes that leads to the best audit plans.
  1. This is what I posted on Norman's blog: "Norman, I think your approach works if your auditors are smart, experienced, have deep industry/company specific knowledge, are good partners with the businesses and know the risks well. If not, the audit universe approach is absolutely necessary, because it provides more context to someone who may be new to the company or is a co-sourcing consultant. Do external auditors go into an auditee and do a risk assessment without considering the audit universe (these firms all have some kind of auditable areas for different industries)? I don't think so. But I would say they do both."
  1. Well put anon. (By the way, your middle initial wouldn't happen to be Y. with a last name Mouse would it?) In a few words you have expressed what I think I am trying to say. No one solution is the answer, but rather, a combination.

