A Word on Audit Universe

I just responded to a LinkedIn question about Audit Universe.

Audit universe contain all the auditable areas. Is it defined anywhere in how many years the entire Audit universe should be covered i.e., all the areas should be audited at least once? Is it defined in any IIA standard or any other pronouncement? what is the best practice?

This is what I had to say:

The concept of "audit universe" is outdated.

Instead, internal audit should be focused on providing assurance on the organization's governance, risk management, and related controls. We do that by focusing our engagements on the more significant risks to the business — as a whole, not at a lower level.

We should be working with management to ensure there is a robust risk management program, and that should then be the driver for a risk-based (top-down) audit program.

Building the audit plan based on an audit universe instead of the top risks to the organization is likely to result in auditing risks that are not significant.

See "What is 'Risk-based' Auditing?", "Building the Audit Plan Around Assurance on Governance, Risk Management, and Related Controls", and "What Is Assurance? Does Your Department Provide It?"

Are you ready to leave this universe?

Posted on Jul 8, 2010 by Norman Marks

Share This Article:    

  Comments (9) un-categorized
  1. Comment by: Norman Marks   (7/8/10 11:37 AM)   

    I used to work for a company with $15b in revenue. Initially, we took an 'audit universe' approach. We listed all the auditable entities (>100 locations), corporate processes, and IT systems/centers. They were risk-ranked on a number of counts: revenue, margin, earnings volatility, time since last audit, severity of prior findings, management and staff stability, etc. That gave us a risk-prioritized list.

    Each top risk areas was then subject to an audit, where we focused on the more significant risks to the objectives of that entity.

    I switched to an approach where I worked with management and the board to identify the top risks to the company as a whole. We then took the top 10-20 risks and identified where in the business were the sources of greater risk. When it came to revenue, we identified the top locations and our related systems. When it came to supply chain, we identified regionalized activities.

    We also identified some 'systemic' risks, such as certain aspects of compliance, the adequacy of information to run the business (e.g., on cash flow), IT strategy and network reliability, etc.

    The individual engagements in the audit plan were designed to address the top risks to the organization and included audits at the major locations - but they focused on those aspects of corporate risks that were managed at the location; materiality was corporate materiality, not the local one.

    We ended up doing about as many audits. However, the assurance we obtained was better and I believe (and they agreed) provided management and board with a higher quality level of service.

    Did we end up providing assurance on lower risk areas, perhaps important to an individual entity? No - but, that's just fine. We provided assurance on what mattered.

  1. Comment by: Mike Jacka   (7/12/10 02:30 PM)   

    Norman, I can't decide if we're in agreement.  My first reaction was no, my next was yes, and my final is I just don't know.  So, rather than fill up this space, I've put together a reply in my blog.  Interested in what anyone thinks - is this an argument or not?  The link is over there on the side.

  1. Comment by: anon   (7/16/10 08:49 PM)    Norman, I think your approach works if your auditors are smart, experienced, have deep industry/company specific knowledge, good partners with businesses and know the risks well. If not, the audit universe approach is absolutely necessary. Because it provide more context to someone who may be new to the company or is a co-sourcing consultant. Do external auditors go into a auditee and do a risk assessment without considering the audit universe (these firms all have some kind of auditable areas for different industries)?? I don't think so. But I would say they do both.
  1. Comment by: Norman Marks   (7/16/10 08:53 PM)   

    Dear Anon,

    My point is that using the risk universe concept drives you to a middle-down and not a top-down risk assessment process, and an audit plan that is focused at risks at the middle and not the risks to the business as a whole.

    I advocate this when building the periodic plan, when clearly the CAE and the most experienced auditors should be involved.

  1. Comment by: anon   (7/17/10 09:11 PM)    thanks, Norman. You are absolutely right. These are just tools. Good auditors and CAEs are the key ingredients of an effective and efficient IA group.
  1. Comment by: Mustafa   (12/1/11 10:43 AM)    I read the article carefully but I wanna ask a question.It is possible to have risk based internal audit for the company as a whole. Because we know that the companies (especially board of directors) have limited budget and time. so how can we solve this problem?
  1. Comment by: Norman Marks   (1/6/12 04:22 PM)   

     Mustafa, my apologies for not responding earlier.

    Yes, companies can and should have a risk-based approach for the company as a whole. When you have limited resources, this actually becomes even more important.

    Once you have identified the more critical risks, then you allocate your resources to them.

    See this post for more: http://normanmarks.wordpress.com/2012/01/05/tips-from-norman-on-a-lean-audit-function/

  1. Comment by: Todd Davies   (9/2/12 04:33 AM)   http://todddavies.businesscatalyst.com/_bpost_4851/All_Gone_to_Custard_–_Another_take_on_Assurance_Maps

     I think you need both.  I'm reviewing audit plans at the moment for a range of organisations, and in the absence of an audit unvierse I really struggle to answer the question "is this plan adequate, have we missed anything important".  Risk-based is important, but I never cease to be amazed at how many CAEs and providers can't answer the question - what are we not auditing.

    For my mind, I'm keen for risk-based, but also keen for some good old fashioned audit universes to be brought back.

    Here's a few thoughts on risk-based audit universes, although I think this methodology and approach is contrary to the latest IIA Practice Guide, which I fear pushes people further away from being able to answer that question.

     http://todddavies.businesscatalyst.com/_bpost_4851/All_Gone_to_Custard_–_Another_take_on_Assurance_Maps

    The by-product is that as an audit committee member I feel exposed, which is not a good outcome.

     

  1. Comment by: Rose (student)   (4/18/13 12:39 PM)    This is Resourceful, though i need guidance on this question. i have a problem with question interpretation, will i be able to pass my paper?

Leave a Reply