If you audited an Audit Universe would you honestly say it was designed effectively?

Joshua G
What I think About IA
6 min read · Nov 24, 2020

NOTE: THE IIA guidance referred to in this post has been updated with a document that is a bit less punchy but still contains similar messages. The URL links to the updated document.

The audit universe… I’ve spent many hours tinkering with large spreadsheets and trying to map an org structure and various processes into something that made some sort of sense. Then there was the risk rating, usually using some arcane ordinal scale without a clear definition to rate different areas across an arbitrary list of risk areas.

<Dramatic Reenactment>

Auditor 1: Hmm, what is the reputational risk of the property department? I’d say it’s probably low-medium, maybe pushing into medium, so let’s say 3. Now let’s multiply that by the 5 for BCM risk because the property team is all about the offices, and a 3 for financial risk as they have a big budget.

Auditor 2: Cool, it looks like the property team need an audit this year as they are a red risk-rated entity.

Auditor 1: Hold on, we actually need to do an audit of the AML controls. But the AML team is only rated amber. Hmmm, looks like we need to adjust the score for the AML team and bump it up the list.

Auditor 2: Hold on, our audit cycle rules say we have to audit Accounts Payable every 2 years.

Auditor 1: Hmmm, I guess we could defer the AML work as we can’t just ignore the cycle.

This is a bit of a caricature and we are usually a bit more obtuse and use more technical jargon to make it look like the audit universe and rating scales are doing something scientific. At the end of the day audit plans are generally derived based on the professional judgment of the audit teams and on-the-ground risk assessments with management.

Earlier on in my career, I didn’t think to question if what I was doing was any use. I filled in the ratings and tried to make them reflect the reality of the organisation and what audits we thought we needed to do.

But then I read Norman Marks’s brilliant books “Auditing That Matters” and “World-Class Risk Management”. These two fascinating books are full of brilliant guidance from someone who has a wealth of experience (I’m going to do a full post about lessons from Norman some time). Norman advocates audits that focus on the key risks to enterprise objectives to provide stakeholders with the information they need to manage the business for success. This changed my view totally and led me down a path of challenging everything I do through the lens of ‘How am I helping the organisation?’, ‘How much value does management gain from this work?’, and ‘Is the cost justifiable?’

If you were auditing your audit universe, would you conclude that it was designed effectively in order to achieve the objective of “establish(ing) a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization’s goals”?

The IIA in UK & Ireland has just published a document that provides some interesting thoughts on the use of an audit universe.

Firstly, do we need one at all?

No.

The IIA says:

‘The International Standards do not require internal audit activities to maintain an audit universe. The head of internal audit can choose whether or not to create and/or maintain an audit universe based on factors such as the organisation’s geographical reach, market sector volatility, activities, risks, and the assurance requirements of the audit committee, board, and other senior stakeholders.’

Implementation Guide 2010 on planning says that:

“This review of the organisation’s approach to risk management may help the CAE decide how to organise or update the audit universe, which consists of all risk areas that could be subject to audit, resulting in a list of possible audit engagements that could be performed.

The audit universe includes projects and initiatives related to the organisation’s strategic plan, and it may be organised by business units, product or service lines, processes, programmes, systems or controls or by risk category/prioritisation.”

However, is it worth the time and effort to identify and keep up to date all the possible audits that can be done, when this may change from year to year, and when assurance is meant to be focused upon the most significant risks facing the organisation?

The IIA suggests we can have an audit universe if we like and that an audit universe may be organised in a number of different perspectives. The key point though is that we need to plan audits on a risk basis so any audit universe used as a planning tool needs to help us identify what audits we should be doing to address the key risks to the organisation.

Buried in the body of the guidelines is the following:

In other words, the risk universe is a key foundation of any audit universe, with limited additional work for internal audit other than identifying the specific auditable entities or processes relevant to the key risks.

This is referring to organisations with a strong risk management capability that IA is able to rely on. I believe the IIA is providing a pretty strong steer here in favour of an audit universe that is focused on risks rather than organisational units or processes. Even if management does not have a reliable risk identification process, the above should still stand based on the requirement for IA to perform their own risk assessment.

My key things to consider if you feel you need an audit universe…

1. Consider the value you get from it.

If it doesn’t provide you with any valuable information when deciding what audit work to do, it’s probably not worth having a universe.

2. Don’t define a cyclical rotation of projects/audits.

If you are doing true risk-based audit, you will just spend all your time justifying why you haven’t kept to the schedule.

3. Place the organisation’s objectives and risks at the heart.

A universe broken down by organisational structure, with a separate risk assessment for each area, introduces siloed thinking and doesn’t encourage a focus on the risks that matter. Risk doesn’t care about the org structure; you need to understand the key risks and then audit the processes that are in place to mitigate those risks, or the areas where those risks may impact the enterprise objectives. Yes, fraud in the payroll processes is a risk, but is the risk high enough in your organisation to actually impact the achievement of the strategic goals of the enterprise?

4. Use the audit universe to inform your thinking, not to ‘drive the bus’.

The universe can help you think about planning in a structured manner, but it should never be the sole driver of what audits you do.

5. Deriving overall risk ratings for entities in an audit universe is fraught with issues.

Ordinal scales, risk matrices and weighting of risk types to create an overall risk ‘number’ have significant technical deficiencies and are not supported by evidence. Furthermore, significant levels of effort can be spent inventing scoring systems and ensuring they are used consistently. Finally, more often than not it just ends up with a tweak of the scores until the right audit units hit the top of the list. Consider whether spending a lot of time on ranking audit units with complex weighting scales is actually providing any real insight. Think about using a prioritisation approach like MoSCoW or RICE to determine which projects you should prioritise from all of the possible projects you have identified. Scoring the risk and then deciding what project to do risks putting the cart before the horse.

For more on Audit Planning and Linking to objectives see:

IA Toolchain 2 — Managing your Audit Product Roadmap
