Discussions > IIA General Discussion Area
Thread Title: Audit Universe
Created On Wednesday February 25, 2009 5:41 PM

musashi44


Posts: 262
Joined: Jul 2005

Wednesday February 25, 2009 5:41 PM

I have been asked if I can share the Audit Universe I use for my audit planning, and my CFO has said no. Do any of you have an audit universe for a manufacturing company I can pass on? If so, my email is owatonnaroger@hotmail.com


Buddie


Posts: 475
Joined: Apr 2004

Thursday February 26, 2009 8:22 AM

Not sure I totally understand your question. Start with your IA Charter, which should give you the right to look at everything related to your company and its processes. As for manufacturing, SOX and financial audits are important but I always found that performing operational audits usually bears a lot of fruit. APICS can also help with manufacturing and warehousing processes. Also, you should be reporting directly to the audit committee and not directly to the CFO. Good luck.


gmerkl


Posts: 724
Joined: Feb 2003

Thursday February 26, 2009 8:35 AM

Buddie:

The audit universe is basically all types of audits (e.g. purchasing, sales, manufacturing, payroll, etc.) at all audit locations. Usually several risk factors are assessed annually for each audit type/audit location combination in order to arrive at an annual audit plan (i.e. which audits have the highest priority in a given year). I guess Musashi44 is looking for the annual audit plan schedule without the risk factor columns.

However, the audit universe will depend on the industry and the geographical diversity of the organization.


JanetFike


Posts: 554
Joined: Sep 2005

Thursday February 26, 2009 10:34 AM

I think we have a semantics issue: for me, the audit universe is my list of potential auditable areas within an organization. From this universe, I choose locations and build my audit plan.

Given my definition, I would see no problem in sharing the audit universe with select individuals, but I would well have a problem sharing my audit plan.

However, since the universe is specific to an organization (geographic locations, entities, operational units, etc.) I do not know where you would find a generic universe for a manufacturing org.

Musashi, can you provide more details on what you're looking for? Barring that, throw together a list of cycles for a mfg co and use that (procurement, conversion, inventory, fixed assets, etc.). You could build something in about 2 minutes...


musashi44


Posts: 262
Joined: Jul 2005

Thursday February 26, 2009 12:40 PM

Hi All,

Thanks for your responses. A new CAE has to put together the audit plan and wants to start by determining the audit universe which is all the possible audits to perform. I have one at my company but the CFO says he will not allow me to share that with others outside the company. I do not know why and it seems odd to me, but I told her I would see if anyone from another manufacturing company has one that will send it on. I know these are specific but if you have one already done that could be a great start for her.

Thanks,

owatonnaroger@hotmail.com


musashi44


Posts: 262
Joined: Jul 2005

Friday February 27, 2009 9:36 AM

OK so now that we all understand what the question was and what she wants, can anyone forward me their audit universe? Owatonnaroger@hotmail.com


planoisdaudit


Posts: 1814
Joined: Oct 2006

Friday February 27, 2009 6:01 PM

The audit universe should be tailored to the organization and the CAE's style. For example, I may break purchasing into six areas and another CAE break it into three. I may look at function and care less about geographic location, while another would assign each separate geographic location as a separate auditable entity.

Each CAE needs to analyze their organization and set an auditable entity universe that fits their organization's org chart and their CAE's method of risk assessment. Generally, the areas that are common to most manufacturers will include major support areas like HR, Security, Technology, Finance, Accounting, Sales, Purchasing, Raw materials management, manufacturing processes, waste/scrap, quality assurance/quality control, and final product management. Beyond that, how much you choose to break apart the major areas depends solely upon how your CAE wants to risk assess.

-------------------------
Dan
Integrity can be defined as your moral soundness. A test for integrity - Do your actions match your words?

Edited: Friday February 27, 2009 at 6:02 PM by planoisdaudit


khurrmi


Posts: 1
Joined: Mar 2009

Tuesday March 03, 2009 7:11 AM

Hello,
I have now registered myself in IIA. I want to prepare my paper; what is the best option available?


musashi44


Posts: 262
Joined: Jul 2005

Wednesday March 04, 2009 11:36 AM

Just any sample of one I could give her would help her get a start. Surely someone has one they can just send me for her. My CFO is pretty strict about sharing mine, which I don't really understand.


planoisdaudit


Posts: 1814
Joined: Oct 2006

Wednesday March 04, 2009 4:39 PM

She can find a good sample from any college text on internal auditing. The value is going through the process of gathering and analyzing the information on YOUR organization.

As an aside, I agree with your CFO. There's a mountain of information in a completed audit universe - think Trade Secrets.

-------------------------
Dan
Integrity can be defined as your moral soundness. A test for integrity - Do your actions match your words?


Flo


Posts: 33
Joined: Feb 2009

Monday March 09, 2009 10:38 AM

I also agree with the CFO. Audit Universe should be customized.

The CAE can develop the Audit Universe from scratch - starting with Enterprise Risk Assessment.


Honeybadger


Posts: 76
Joined: Sep 2008

Wednesday March 11, 2009 5:00 PM

Would I be wrong if I defined the audit universe as all risks (whether positive or negative) whose inherent risk score is above an organisation's risk appetite?

-------------------------
Honeybadger


planoisdaudit


Posts: 1814
Joined: Oct 2006

Friday March 13, 2009 9:26 AM

That would not be a good definition of the audit universe. The audit universe would be all the possible areas that you can audit in your organization. This listing would be regardless of risk.

-------------------------
Dan
Integrity can be defined as your moral soundness. A test for integrity - Do your actions match your words?


Crash


Posts: 1770
Joined: Jun 2004

Friday March 13, 2009 9:44 AM

An audit universe is unique for every org. We all have fingerprints that are similar, but they are also very different. AP and accounting are in every audit universe. Other areas may be exclusive to certain businesses or industries - hedging, shipping, federal compliance, etc. The audit universe should also be as dynamic as the business. Any CAE who sits on their universe for more than 12 months without looking at it is asking for trouble. I say the universe changes every time someone gets hired or fired!

-------------------------
Do the right things for the right reasons.


planoisdaudit


Posts: 1814
Joined: Oct 2006

Monday March 16, 2009 11:56 AM

Crash is right. In addition to different fingerprints, we may break details down differently. I may have three entries in my audit universe related to AP while you may need 10. The level of detail depends upon how you are organized, whether some or all of the function is outsourced, and a myriad of other factors.

Crash is also absolutely right on re-evaluation. We must re-evaluate our audit universe for changes at the beginning of every annual planning cycle.

-------------------------
Dan
Integrity can be defined as your moral soundness. A test for integrity - Do your actions match your words?


Honeybadger


Posts: 76
Joined: Sep 2008

Wednesday March 18, 2009 4:16 PM

Thursday March 12, 2009 12:00 AM
Would I be wrong if I defined the audit universe as all risks (whether positive or negative) whose inherent risk score is above an organisation's risk appetite?

Friday March 13, 2009 4:26 PM
That would not be a good definition of the audit universe. The audit universe would be all the possible areas that you can audit in your organization. This listing would be regardless of risk.

I think we attach different meanings to the term "audit universe", Plano. I would say that what you are describing is actually the "risk universe".

I think what we as internal auditors should be concerned with is "significant risks", those risks which if not managed are unacceptable to the organisation. These would be those risks whose inherent risk scores are above the organisation's risk appetite. These are the risks which are candidates for either assurance or consulting, depending on their residual risk scores.

These are the risks which, to my mind, comprise the audit universe, derived from the risk universe which is all the risks as you have described.

The reason the "audit universe", as I have described it, is important, in my view, is because the audit committee has an interest in what is happening with them - have they been managed to within the risk appetite, if not, what is management doing about it.

I would venture that of interest to the audit committee is all those risks which were initially above the risk appetite and those which still are.

So, I feel that the risk universe would be ALL the risks and the audit universe would be those risks which have an inherent risk score higher than the risk appetite.

-------------------------
Honeybadger


Flo


Posts: 33
Joined: Feb 2009

Wednesday March 18, 2009 4:53 PM

I agree with Plano that the audit universe is all the possible areas that one can audit. There are so many ways to justify this. Here is one of them.

You have to have completed some tasks such as risk assessment to determine that certain auditable areas are out of scope. The truth, however, is that there is no operation that is not auditable. If you deem an operation mature and the internal control over the operation strong, then the risk of non-compliance with financial, compliance or operations control requirements will be low. And, should something go wrong, the impact might be insignificant. In that case, the Audit Committee will not be so concerned.

If however, the factors that made it possible to have strong operations drop in value – such as training, change in staff, governance, systems, expertise; accounting, regulatory compliance or business requirement, etc. the risk rating for the operation will no longer remain low. Hence, the need to review the audit universe, at least, annually.


Honeybadger


Posts: 76
Joined: Sep 2008

Wednesday March 18, 2009 6:21 PM

Flo

I am saying that the audit universe is a subset of the risk universe.

You are not going to audit everything. Your mandate as an internal auditor is to "audit" the significant risks. That is why your audit plan has to be risk based. You do not have time to waste on insignificant risks.

Which are the significant risks? Those which in the absence of controls pose an unacceptable risk to the organisation's objectives.

How do you identify these risks? By doing the risk assessment, not by "auditing".

And the product of the risk assessment? The risk universe.

If the risk assessment is done properly, which is what you check on in your preliminary assessment, then the assessed scores are legitimate.

Why would one then audit risks which, even without controls, are acceptable to the organisation? What do you say to management, who have already assessed, with your concurrence, that these particular risks are within the board approved risk appetite? You will have just wasted time, money and effort even looking at them after you yourself had confirmed that they were assessed properly.

-------------------------
Honeybadger


Flo


Posts: 33
Joined: Feb 2009

Wednesday March 18, 2009 8:41 PM

We might be saying the same thing. You are looking at the glass half full and I am looking at the glass half empty.

In risk-based audits, there is no need to audit risks that are accepted – supported by cost benefit analysis, likelihood of occurrence and perhaps insignificance of impact, materiality for the EA. Transferred risks, as in Insurance, may be looked into to ensure that premiums are promptly paid and risks remain transferred. I am familiar with reviewing low risk-rated audits every three years.


Honeybadger


Posts: 76
Joined: Sep 2008

Thursday March 19, 2009 4:24 AM

Flo

We unfortunately still are not in agreement.

I think the distinction between a risk universe and an audit universe is important enough to make.

I have suggested that only the significant risks (above risk appetite) are in the audit universe, whereas the risk universe contains all risks.

I should have commented earlier on the characterisation of the audit universe as "all the possible areas that you can audit", a term repeated many times since.

One might sort the same audit universe by area, by risk category, by geographical area, by function, or by risk owner.

It follows then that the area, risk category, geographical area, function, or risk owner do not define the audit universe.

The audit universe is defined by the fact that it contains ALL the risks assessed to be above the organisation's risk appetite. However sorted, that characteristic must be there. It defines the audit universe.

-------------------------
Honeybadger


gmerkl


Posts: 724
Joined: Feb 2003

Thursday March 19, 2009 4:33 AM

I would say that the individual items in the audit universe are also driven by the geographical diversification of the subsidiaries/offices/plants in the group and by the geographical diversification of the internal audit offices and the related internal audit travel expenses. If travel expenses are a major item different functional/process audits at the same location may be combined into one audit. In practice, I have rarely seen one big functional audit in the same area that was simultaneously or sequentially conducted at different locations.


planoisdaudit


Posts: 1814
Joined: Oct 2006

Thursday March 19, 2009 10:26 AM

HB,

Assessing what it is possible to audit and assessing risk in each one of those areas are two different things. It seems to me that you are trying to blend them into one and I see danger in that. Risk assessment and annual planning is something that I teach. Let me see if I can persuade you.

Before you can begin the process of risk assessment, you've got to know what items are in the population of possible audits. That population is the audit universe. You identify the population without regard to risk; this is an important first step. It's like taking a statistical sample. If I'm to perform a statistical sample of, say, birds, I've first got to identify the population. Am I talking all bird species in the world? Am I talking all bird species in North America? Am I talking a single species of birds in a particular wildlife reserve? As you can see, those are very different groups of birds.

It's the same with the audit universe. You have to define the methods you will use to identify that universe. Is it every program that we have a policy and procedure for? Is it every program that we expend monies on? Is it every program that has a manager or director assigned to it? Is it every geographic location? Is it some mix of these?

The reason I want to know the total population without regard to risk is to be able to make some sort of professional judgement on whether I have enough resources to complete the coverage I'm being tasked with. That is one of the requirements of the Standards, that the CAE inform senior management and the board on the sufficiency of IA coverage.

Then, after I have identified everything that there is to possibly audit, I use risk assessment to pare down the list to those things I should audit. After all, IA resources are limited. We can't possibly go look at all programs and geographic locations of our organization. Therefore we use risk assessment to pare that list down to the highest impact areas. By not including the extreme low risk areas, we may fail to recognize an area where a program change may significantly raise the risk and therefore need to be audited. Let's say we've had a reorganization of the Treasury function, a previously low risk area, and that reorganization does away with some very important segregation of duties. The risk for fraud in treasury just went up significantly. But, if I excluded Treasury from my original audit universe because I perceived residual risk as within the appetite of the organization, I may fail to pick up on this important change that increases residual risk well beyond the organization's risk appetite.

I hope that explanation helps clarify why identifying the population of all possible audits and the risk associated with those are two separate steps in the exercise. And why blending those steps may increase your audit risk - the risk that you will not detect a material change in operations that would increase residual risk beyond the risk appetite of the organization and therefore fail to consider that area for audit.

-------------------------
Dan
Integrity can be defined as your moral soundness. A test for integrity - Do your actions match your words?

Edited: Thursday March 19, 2009 at 10:35 AM by planoisdaudit


Honeybadger


Posts: 76
Joined: Sep 2008

Friday March 20, 2009 10:37 AM

Plano

Our basic disagreement on the audit universe is where I say it comprises only significant risks and you say it comprises all risks (which I term the risk universe).

If the audit universe comprises all risks, what does the risk universe comprise? My view is that the audit universe is a subset of the risk universe.

I think your last paragraph is a fair indication of where you think I am mistaken.
“I hope that explanation helps clarify why identifying the population of all possible audits and the risk associated with those are two separate steps in the exercise. And why blending those steps may increase your audit risk - the risk that you will not detect a material change in operations that would increase residual risk beyond the risk appetite of the organization and therefore fail to consider that area for audit.”

Possible audits! Elsewhere you talk about “should audit”. Anyway ...

Why audit in the first place? There are only two reasons in my view
• to verify that the residual risk really has been managed to below risk appetite or
• to provide skills and advice to do so.

The only risks which are candidates for possible audit therefore are those with inherent risk scores above the risk appetite. I call these significant risks because they are of interest to the organisation. This is the audit universe.

Any other risks are therefore not possible to audit. Risks with inherent risk scores below the risk appetite do not need any management to have residual risk scores below the risk appetite and are therefore not candidates for possible audit.

Why look at all risks when you have a risk register from which to extract the risks which are candidates for audit?

I hope it is clear that what I am talking about here is the result of risk assessment, not risk assessment itself. I am saying that from the results of the risk assessment, those risks with inherent risk scores comprise the audit universe.

You raise the fear of changes in risk exposure not being taken into consideration “for audit”. That is a risk identification issue, not an audit universe issue. I am positively disdainful of audits being relied on for risk identification. As such, I encourage continuous risk identification. Any concerns about risk identification and assessment should be addressed through facilitation of risk identification and assessment.

What is required all the time, is an up to date risk register, from which to simply extract the audit universe. The challenge is getting that message out there, at every opportunity. One cannot wait until the annual risk assessment before identifying risks and start managing them. The whole risk identification and risk assessment thing should not be done just for the purpose of the annual audit planning or the audit universe. If this is what is happening, then internal audit has some work to do to convince management that this is a continuous processes.

So, for the audit universe, extract the significant risks from the risk register.

Any issues relating to the production of the risk register, address them as such, they have nothing to do with the audit universe.

Audit areas? Once you have separated your audit universe into those risks with residual risks above and below the risk appetite, you may find a way of consolidating the risks into more substantial groupings, which may be audit areas.

-------------------------
Honeybadger


Honeybadger


Posts: 76
Joined: Sep 2008

Friday March 20, 2009 10:55 AM

Typo!

I hope it is clear that what I am talking about here is the result of risk assessment, not risk assessment itself. I am saying that from the results of the risk assessment, those risks with inherent risk scores comprise the audit universe.

Should be

I hope it is clear that what I am talking about here is the result of risk assessment, not risk assessment itself. I am saying that from the results of the risk assessment, those risks with inherent risk scores ABOVE THE RISK APPETITE comprise the audit universe.

-------------------------
Honeybadger


Flo


Posts: 33
Joined: Feb 2009

Friday March 20, 2009 12:12 PM

Honeybadger,

Again, you are looking at the glass half full and I am looking at the glass half empty.

I am convinced you are looking at the subject matter from management's point of view. I, like Plano, am looking at it from the internal auditor's point of view.

The key point here is that risk management is, primarily, the responsibility of management. Internal audit, as a control function, provides value in risk management by corroborating management’s assertion that risks are monitored.

Also, materiality is for the EA; not particularly for the IA. IA is charged with ensuring that all risks are controlled. After all, you may not be able to quantify the risk of lack of segregation of duties.

From management’s point of view, you are advising that auditors should only audit significant risks. That’s what EA’s do when they audit internal controls such as in SOX. EAs rely on IAs in ensuring that the rest of the risks are controlled.

There is more than one factor to consider in risk assessment. It appears you have been missing out the likelihood of a risk event occurring and have been focusing on significance, which may tend to reflect monetary impact when an identified risk occurs. I don't think risk-based auditing suggests that IAs should not pay attention to risks that are not significant. For example, for the sake of checks and balances, in a three year audit plan, low risk-rated areas may be audited one time while a high risk-rated area would be audited annually. A medium risk-rated area would be audited every 18 or 24 months. Deciding the frequency of audit is a consequence of risk-based audit. If all risks are not reviewed, IAs will not be performing their control function and will fail to provide assurance over risk management.

Flo


Honeybadger


Posts: 76
Joined: Sep 2008

Friday March 20, 2009 2:53 PM

Flo

"Why audit in the first place? There are only two reasons in my view
• to verify that the residual risk really has been managed to below risk appetite or
• to provide skills and advice to do so."

If a risk has been properly assessed as, even in the absence of controls, below the risk appetite, why would you audit it?

Just for the sake of auditing?

Let us say you find that there are no controls for it and management says they will not do anything about it.

What do you do?

You cannot take the issue to the audit committee because even there the question is why should they do anything about it.

Why then audit it?

If you feel that any risk is worth doing something about it, then you are saying the risk is actually significant. Why is it not rated as such? Your solution lies in addressing the risk rating system or risk identification if it was not identified.

You do not audit risks which are acceptable to the organisation. Why should you?

You say, "IA is charged with ensuring that all risks are controlled."

Why should ALL risks be controlled? Even those which do not need controlling?

How much control is enough?

I am saying you control risks to the level where the residual risk is below the risk appetite. If the inherent risk score was higher than the risk appetite, then you audit to assure that the controls to keep it there are still effective. But if the inherent risk score was below the risk appetite, what do you audit the risk for?

The IA is charged with ensuring that all risks are IDENTIFIED. Only thereafter are they assessed for inherent risk, which is compared to the risk appetite. If the inherent risk score is higher than the risk appetite, then management have to implement controls to bring it down within the risk appetite. But if the inherent risk score is below the risk appetite, then the APPROPRIATE RISK RESPONSE IS TO DO NOTHING.

I am not missing likelihood or impact. That is why I have been trying to refer to a score, implying the product of likelihood and impact.

I think I have exhausted this topic. I have tried to explain it as simply as I can but you keep misunderstanding and misinterpreting what I am saying.

For example, you say, "If all risks are not reviewed, IAs will not be performing their control function and will fail to provide assurance over risk management."

If a risk does not need controls to bring it to acceptable levels, what control function are you performing auditing it?

What assurance over risk management are you failing in. You have not confirmed that a risk requiring no controls actually has no controls over it? But everybody knew that.

Maybe someone will educate me as to why a risk, properly assessed to be acceptable without any management thereof, should still be audited.

I have explained my definition of "significant" and stand by it until someone convinces me that it is wrong.

The only risks you audit (verify that they are well managed, or provide advice on how to manage) are those with inherent risk scores above the risk appetite. These are the only candidates for audit.

Your role as IA, on the consulting side, is to pass on the skills to the staff and management, of ensuring that all risks to the objectives are identified firstly, properly assessed secondly, the proper response chosen, required controls implemented and the effectiveness of the actions taken monitored by management. Unless of course one enjoys pointing out mistakes.

Why audit risks which require no controlling? Why even consider them?

-------------------------
Honeybadger


planoisdaudit


Posts: 1814
Joined: Oct 2006

Friday March 20, 2009 3:13 PM

ERM is a management process. If it exists and if there is a valid ERM risk register; the entire program including the risk register is subject to audit by IA. Why in the world would I base my annual audit plan on something that is a part of my audit universe?

If all you want to do is argue your point of view, you will get very little value out of this forum. As for me, this is probably the last time I will waste my time answering your posts directly, as you seem to want to argue rather than listen to the advice given to you by many very experienced IA practitioners.

Those convinced against their will, are unconvinced still.

-------------------------
Dan
Integrity can be defined as your moral soundness. A test for integrity - Do your actions match your words?

Edited: Friday March 20, 2009 at 3:17 PM by planoisdaudit


Honeybadger


Posts: 76
Joined: Sep 2008

Friday March 20, 2009 4:31 PM

Plano

I have welcomed your views on many occasions as well informed and reflective of the experience you mention.

On this topic, however, your main point seems to be that I should not look at the merits of what you say but merely accept it because it is you who is saying it.

I have tried responding directly to points raised, but am not getting the same back.

How are you going to convince me when you do not respond to my queries?

I have said that in my view, the audit universe is a subset of the risk universe. If as you say the audit universe contains all risks, how do you then define the risk universe? Is it the same? You have not answered me.

I have asked, why audit in the first place? If management may safely ignore any recommendations you make on controlling a particular risk, why target and audit it in the first place? You have not answered me.

I have said the risk register is where you get your audit universe, that you may have to audit it to ensure that it is reliable. If it is not, then you facilitate proper risk identification and assessment. That is your IA role. Unless you are new in the position why would there be no risk register a year on? That is your IA role. Why would the risk register be not up to date? It is your IA role to get management to do these basics. What else would they listen to from you if you cannot convince them to do the basics? If these basics are done, why would you want to start afresh to identify risks which are there already?

I doubt from your responses that you have paid any attention to what I have been saying other than look for my conceding the point.

I honestly would like to concede if I felt I could see merit in what you have been saying. Normally, I can see a lot of merit in what you say, but till recently, have not seen you hide behind experience to try to browbeat someone to see things your way, instead of appealing to the merits of your case. I find that regrettable as I really do respect you.

Does your experience preclude you from changing your mind or looking at things differently if contrary evidence becomes available? There is absolutely no reason to be personal in our discussions. That is totally unacceptable, from whomever.

For all you know I am a 22 year old, one year in the profession, (I am not saying I am), that is irrelevant. The merits of whatever are what is relevant.

-------------------------
Honeybadger




bigkell


Posts: 2448
Joined: Oct 2003

Friday March 20, 2009 7:22 PM


Here are my goofy observations.

1. You will never truly know the size of your "audit universe" (it's ever expanding -- like the real one).

2. Your "universe" is generally that which is mandated by management, in conjunction with the resources you've been provided.

3. Money runs businesses. Your paycheck is money. Audit to protect the money -- work upward from the base of the "money pyramid."

4. Demonstrations of failure to understand the extent of your universe are frauds, embezzlements, thefts, cash leaks....anything that negatively affects the bottom line. Small stuff -- oh well. Big stuff -- hope you included it in the plan at least.

5. Do your best to cover "effectively" as much as you can.

6. Hope you didn't miss anything of consequence.

7. Relax, life is short -- auditing isn't everything.




planoisdaudit


Posts: 1814
Joined: Oct 2006

Monday March 23, 2009 9:42 AM


Honeybadger, whether you are 22 and fresh out of college or 52 with as many years experience and certifications as I have doesn't matter. What does matter is your willingness to listen. I'm not trying to browbeat you. You are free to run your shop any way you see fit. But, you appear to be terribly naive or misinformed on how modern IA views risk assessment and long range planning.

First of all there is no such term as "risk universe" in modern internal auditor literature that I am aware of. Per Sawyer's Internal Auditing, 5th Edition the long range audit schedule should contain certain basic elements:

(1) All the operations of the organization should be analyzed for auditability and potential risks
(2) Each organizational component should be analyzed as to specific objectives, performance standards, and controls. Proposed audit hours should be allocated to each of the identifiable elements constituting an audit project.
(3) Relative risks should be assessed, taking into account the objectives of internal control set forth in Standard 2120.A1

You seem to want a bullet-by-bullet answer to your questions. So, I will attempt that as well:

I have said that in my view, the audit universe is a subset of the risk universe. If as you say the audit universe contains all risks, how do you then define the risk universe? Is it the same? You have not answered me. I am not aware of the term risk universe used in modern internal auditing literature. As I have tried to explain, the audit universe is the population of all possible areas that you can audit according to the access given to you by your audit charter. That means, all programs, functions, and geographic locations are included, before any assessment of risk is considered. This is a standard IA practice designed to ensure that we consider all operations of the organization as a part of our annual planning process.

I have asked, why audit in the first place? If management may safely ignore any recommendations you make on controlling a particular risk, why target and audit it in the first place? You have not answered me. Because our clients are the board and senior administration. We are to identify where internal controls may not be working or are improperly designed as a part of our audit assurance services. Now, that being said, you do have to consider management's risk appetite. For example, if a work order system does not contain materials costs (which it should in a well designed system) you should consider why management instituted the work order system in the first place and evaluate other evidence to tell you if the design deficiency is significant before you put it in a report.

I have said the risk register is where you get your audit universe, that you may have to audit it to ensure that it is reliable. If it is not, then you facilitate proper risk identification and assessment. That is your IA role. Unless you are new in the position why would there be no risk register a year on? That is your IA role. Why would the risk register be not up to date? It is your IA role to get management to do these basics. What else would they listen to from you if you cannot convince them to do the basics? If these basics are done, why would you want to start afresh to identify risks which are there already? My risk register as a CAE is DIFFERENT from management's. When I design a risk register for IA, it is for one purpose: to determine the risk of internal control failures occurring that will negatively impact the organization. Management's risk register, IF IT EXISTS, is to identify all possible events that will cause an impact on the organization, decide what risk response is appropriate, and execute that risk response. Those are two completely different types of risk assessments. There is great danger in substituting one for the other. Besides, as I've stated before, management's risk assessment process is one of the auditable areas in our IA audit universe. Therefore, we cannot and should not rely on management's risk register as a part of our risk assessment process.

Now, I challenge you. Do some personal research. Understand the differences between the IA risk assessment process and the ERM risk assessment process. Understand how few organizations actually have implemented an ERM model in the first place. Of those that have an ERM process in place, understand how few of the ERM models are actually complete and effective. Find the term "risk universe" in modern internal auditing literature and give me a cite so that I may see what literature may be out there that I am unaware of.

Honeybadger, my mind is flexible and I'm willing to consider and try new things. But, please consider the fact that I spend approximately 20-30 hours per year teaching risk assessment to auditors and ERM to managers. I have researched college textbooks, professional standards (IIA, GAO, AICPA, and others), and read thousands of articles in this area. I have not come to my professional opinion in this matter lightly. Please, do me and others in this forum the courtesy of doing the same level of personal research and professional development.

-------------------------
Dan
Integrity can be defined as your moral soundness. A test for integrity - Do your actions match your words?




Crash


Posts: 1770
Joined: Jun 2004

Monday March 23, 2009 10:45 AM


Multi point queries and responses do not flow well in a written forum. It is often better to address them in separate posts to avoid frustration and the feeling of generalized answers.

Risk Universe/Risk Register - Every risk faced by an organization.
Audit Universe - Every audit that could possibly be done for an organization.
Significant Risk - Any risk deemed worthy of an audit.

The Audit Universe cannot be a subset of the Risk Universe. Audits are work plans designed to test the effectiveness and efficiency of risk control. Audits address risks, but they are not risks themselves (usually!).

Some audits are done in areas that are not considered Significant Risks to assess character, competency, and/or fraud.

Risk based auditing is not a science. Any statement by any auditor claiming 100% consideration of their entire Risk Universe is a lie. There are not enough man hours to break down the areas of risk to small enough components for complete consideration. Risks are grouped to allow for consideration of the group. The same way audits often assess multiple risks. Boards and executives will not spend the time to do much more. It is the artful and scientific consideration of risk by an audit group that results in the best coverage.

-------------------------
Do the right things for the right reasons.




planoisdaudit


Posts: 1814
Joined: Oct 2006

Monday March 23, 2009 12:37 PM


Thank you Crash! As usual you can say something much more effectively in 10 words than I can in 100. Very succinct and on point.

-------------------------
Dan
Integrity can be defined as your moral soundness. A test for integrity - Do your actions match your words?




kyyee


Posts: 746
Joined: Oct 2002

Tuesday March 24, 2009 3:01 PM


I'll echo Plano's comment; Crash's comment is pretty much all that needs to be said.




Zoid


Posts: 32
Joined: Jul 2007

Tuesday March 24, 2009 3:17 PM


So why didn't you just say so in the first place? -------> an attempt at humor.

I wanted all of you to know that this was not a futile exercise. However heartfelt anyone's opinion and statements, there were more than enough tidbits of information for all of us to learn from in this thread. Thank you all for a lively and entertaining discussion for us onlookers.




Flo


Posts: 33
Joined: Feb 2009

Thursday March 26, 2009 5:42 PM


I have extracted the article below for your read only (hopefully, you haven't already read about it). I thought it had some relevance to the subject ......

Internal auditors focusing on portfolio of recession-related risks
Summary: An IIA survey of 354 internal auditors found increases in coverage of various types of risks related to the current market downturn. Auditors said this focus is only going to increase going forward, especially in areas related to general financial risks (56%) and operational risks (56%).

Internal auditors are redirecting resources to cover recession-related risks, according to a recent survey by the Institute of Internal Auditors (IIA). The survey of 364 internal auditors, including 34 chief audit executives at Fortune 100 companies, found increases in coverage of:
o Operational risks (47%),
o Cost/expense reduction (47%),
o Third parties in financial distress (39%), and
o Assessment of the effectiveness of risk management (35%).
Internal auditors also spent more time reviewing compliance and credit risks (33%), liquidity risks (27%) and reputational risks (20%).
The survey found that internal auditors plan to focus even more heavily on these risk areas over the next 12 months, especially in areas related to general financial risks (56%) and operational risks (56%). The only area of organizational risk that is expected to experience a significant decrease in audit coverage is testing internal controls as required under Section 404 of the Sarbanes-Oxley Act of 2002 or related support, with 20% less coverage in the next year.

IIA President Richard Chambers said other surveys have confirmed that most internal auditors had developed effective internal controls testing by 2005, so now internal auditing is returning to a more normal state where auditors “don’t focus on one kind of risk, but a portfolio of risks.” “The current crisis has led to a very clear focus on internal auditing, so internal auditors are redirecting those resources from SOX coverage,” he said. “They are focusing attention to where risks are the greatest.”
The survey also found that the economic recession has had an effect on internal audit activities and personnel. Respondents said they had to reduce traveling (79%), and training (69%) to accommodate budget decreases. In addition, organizations have frozen or reduced internal audit staff compensation (63%), imposed hiring freezes (45%), and laid off internal audit staff (33%).

Source: WG&L Accounting & Compliance Alert Checkpoint 3/26/09




Honeybadger


Posts: 76
Joined: Sep 2008

Thursday March 26, 2009 6:40 PM


Firstly let me apologise to everybody for my part in allowing this discourse to get personal. It was unprofessional of me to allow the discussion to reflect on us rather than the issues, which are actually rather important.

Plano, I am not persuaded, and it is not through stubbornness. I think it is for the best if we accept the other’s bona fides rather than doubting them.

The term “risk universe” is actually used, not only in modern internal audit literature but universally. In the IIA position paper, Risk Based Internal Auditing, issued by the IIA (UK & Ireland) in August 2003, the term is used. Even all four of the Big Four auditing firms in the USA use it. Protiviti (2006) designed a risk universe framework to help properly scan the risk universe. You’ll find it in the book, Auditor’s Risk Management Guide: Integrating Auditing and ERM (2007), by Paul J. Sobel and K. H. Spencer Pickett’s book, Audit Planning: A Risk-based Approach (2006). American universities use it, Canada uses it, the UK uses it, and Australia and New Zealand also use it.

In any case, when I used the term I defined it, to differentiate it from the term “audit universe” which to me has its own special meaning, so that everyone could know what I was referring to, and the term fitted what I wanted to convey.

Now...

I am saying the organisation’s risk register would contain ALL the risks they have identified, significant or not. It is only after assessment that one can speak of significant risks and insignificant risks. What the internal auditor is interested in is the significant risks.

“Determining whether risk management processes are effective is a judgment resulting from the internal auditor's assessment that ...Significant risks are identified and assessed” Interpretation to ISPPIA 2120.

That significance is with reference to the risk appetite, approved by senior management and the Board. Therefore, the only risks which the internal auditor should be concerned with or even consider providing assurance or consulting on, are the significant risks. It is possible to audit any risk, but to what end? My definition of audit universe is those risks which I really should (resources permitting) assure or consult on because they are significant – their inherent risk rating is above the risk appetite. These are extracted from the organisation’s risk register.

There is actually a risk that the risk register may be unreliable and not up to date. Given that this is where efforts to manage the risks to the organisation’s objectives are centred, this is a significant risk (or I’ll get senior management to set a separate risk appetite for it so that it is one). So, it is managed just like any other risk.

Now you and others have provided examples as to why you would provide assurance on what I would call insignificant risks. Remember, the significance is always with reference to the risk appetite. The IIA recognises that one risk appetite level may not be suitable for the whole organisation. So, in ISPPIA 2010, they say, “The chief audit executive is responsible for developing a risk-based plan. The chief audit executive takes into account the organization's risk management framework, including using risk appetite levels set by management for the different activities or parts of the organization.”

The option (obligation) is there for the internal auditor to provide advice on the assessment of those risks felt to be significant, but are classified as insignificant by a current rating system. Whatever system is used, will determine which risks one should be concerned about.

I am surprised you say IF management have a risk register. How do they manage the risks without one? I would have thought that this would be one of a CAE’s priorities - to get them to establish one.

There is mention of internal auditors being there to identify where internal controls may not be working or are inadequately designed and of your risk register being for the sole purpose of determining “the risk of internal control failures occurring that will negatively impact the organization” As you know, this takes us back to the risks because the “internal controls” we talk about are not in isolation, they are there to manage risks and the only risks worth looking at are the significant risks, just as the risks themselves have to be risks to organisational objectives.

My approach to internal audit is that the internal auditor’s duty is not to confine myself only to “internal controls” but to “evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach.” ISPPIA 2100. All three processes. Nothing more, nothing less. Evaluate in assurance engagements and make improvement contributions in consulting. I earlier expressed the above as verifying that the residual risk really has been managed to below risk appetite and providing skills and advice to do so.

Due professional care (ISPPIA 1220.A1 & 1220.C1) requires that one weighs the cost vs. benefit of assurance and consulting engagements. Providing assurance on insignificant risks is not cost beneficial, nor is providing assurance where management has already said that the particular risks are not under control yet. This is why I believe that consulting is the best way an internal auditor can help the organisation, and warn against those who want to make assurance the first and sometimes only priority. I honestly cannot relate to auditees fearing or loathing an internal auditor as a fault finder. In such cases, it is always the internal auditor’s fault.

I am not confused about the ERM-IF. Early this year the IIA standards were revised to align them to the ERM-IF, (the definition has not changed the order but the standards, e.g. ISPPIA 2100, have). I also find the framework very useful in explaining all three processes which are my responsibility to help the organisation on – governance, risk management and control processes – much more so than the IC-IF. So, together with the mandatory requirements of the standards, it forms the heart of my work programs and consulting efforts.

On Sawyer’s basic requirements for establishing a strategic audit plan, my list would be, in this order:
1. Organisational objectives established (all activities)
2. Risk appetite established for every risk
3. Reliable, up to date risk register available.


-------------------------
Honeybadger




bigkell


Posts: 2448
Joined: Oct 2003

Thursday March 26, 2009 8:58 PM


I sort of like succinctness in my verbal/written discourse.

It's easier to follow, in my estimation -- but I'm old !




Honeybadger


Posts: 76
Joined: Sep 2008

Friday March 27, 2009 3:52 AM


Point taken!

-------------------------
Honeybadger




planoisdaudit


Posts: 1814
Joined: Oct 2006

Friday March 27, 2009 3:35 PM


Honeybadger,

We are going to have to agree to disagree.

-------------------------
Dan
Integrity can be defined as your moral soundness. A test for integrity - Do your actions match your words?




Honeybadger


Posts: 76
Joined: Sep 2008

Friday March 27, 2009 5:05 PM


I respect that, Plano, as I do the insights I get from your inputs.

We learn most not from similar experiences, but from different ones. I did.

I am sorry I let this get out of hand.



-------------------------
Honeybadger




planoisdaudit


Posts: 1814
Joined: Oct 2006

Tuesday March 31, 2009 11:34 AM


Honeybadger,

Thank you, I too owe you an apology. I am learning to accept people where they are at. I did not do that with you. I'm sorry if any of what I said appeared to be a personal attack. It was not meant to be.

-------------------------
Dan
Integrity can be defined as your moral soundness. A test for integrity - Do your actions match your words?


The Institute of Internal Auditors • 247 Maitland Avenue Altamonte Springs, FL. 32701-4201 USA
+1-407-937-1100 • FAX +1-407-937-1101 • www.theiia.org