What if a significant portion of the data is overseas and beyond the auditors’ jurisdiction or audit universe?
With overall objectives to review and improve internal controls as well as to promote the effectiveness and efficiency of operations, an internal audit function is presented with a wide variety of areas and activities to include in its internal audit reviews. It can concentrate on reviews of financial process internal controls, all worldwide operational areas in the enterprise, safety and security issues, information technology (IT) systems-related controls, or any of a series of other areas. Given the broad scope of enterprise operations and the demand from management and audit committees for internal audit attest services, most internal audit functions find that there are just too many areas to include within internal audit’s planning and performance scope given staff skill, budget, and timing constraints. Internal audit functions need to establish their own basis point or foundation to define the areas within their scope that they may consider for internal audits. This list of potential areas to audit is often called the audit universe.
An audit universe is the aggregate of all areas that are available to be audited within an enterprise. To define its audit universe, internal audit should review or understand the number of potential auditable entities in terms of both the business units or areas of operations within the enterprise and the number of auditable units or activities within and across those business units. These auditable entities can be defined in a number of ways, such as by function or activity, by organizational unit or division, or perhaps by project or program. Some examples of auditable activities include:
This list highlights some of the major processes that help drive the enterprise. Some may be centrally directed, while others are unique to a specific auditable entity. The idea is to define these in a manner such that specific internal audits can be planned and executed.
Every organisation is different with regard to structure, processes and risk maturity.
While an audit universe can be consistent with a risk-based approach, internal audit should not take for granted that listing all auditable areas to form an audit universe will always be necessary or the right thing to do. Whether you currently have an audit universe or decide to develop one, it would be beneficial to review, on a regular basis, the purpose and value an audit universe adds to the planning process and the outcomes.
Develop the Audit Universe
– Audit Universe – The sum of all auditable units.
– Auditable Unit – Parts of the organization that are exposed to sufficient risks where controls should be reviewed.
– Develop the methodology for gathering information (i.e., who IA talks to, what information is gathered and how risk is identified).
– The initial audit universe need not be complete but should be verified and completed through the risk assessment process.
Types of units: projects, IT systems, business functions, departments, business processes and sub-processes, primary assets such as: physical, financial, human, intangible
Criteria for selecting Auditable Units
– Contribute to the organization's goals
– Sufficiently large to noticeably impact the organization
– Sufficiently important to justify the cost of control
Define the Objectives Universe
What are the key objectives for each Auditable Unit?
– Risks only exist in the context of the achievement of an objective. If you don’t know what the objective is you can’t identify the risk.
Categories of Objectives
– Achievement of the organization's strategic objectives.
– Reliability and integrity of financial and operational information.
– Effectiveness and efficiency of operations.
– Safeguarding of assets.
– Compliance with laws, regulations, policies, procedures and contracts.
If you don’t identify it you can’t measure, prioritize or manage it.
– Requirements for successful risk identification:
  – Thorough understanding of operations of Auditable Units.
  – A process through which to generate a reasonable list of possible risks. Common methods include a combined use of:
    – Risk framework
    – Management questionnaires
    – Management interviews
– Environmental Analysis: Risk from the perspective of changes to the external environments and their effects on management processes and controls. Environmental analysis works best in service-oriented processes and those that are highly regulated or competitive, although nearly every auditable unit is affected by environmental risk to some extent.
Examples of Environmental Analysis:
– Physical environment such as location, weather, access.
– Economic environment such as finances, interest rates, general economy.
– Governmental regulation such as laws, policies, regulations, real or impending.
– Competition
– Suppliers
– Technology
The audit universe document is a general description of all of the audit units that an enterprise internal audit function may review or perform. It is a plan that defines the breadth and scope of an internal audit function’s activities. To some extent, if questioned after the fact why an internal audit group has never scheduled a review in some area, they can point out that the area was not included in annual internal audit plans but, more important, was never defined as part of their internal audit universe description. The universe is the big-picture map covering internal audit’s territories and boundaries. It should be used as a basis for communication with the audit committee and for planning ongoing internal audit activities.
The audit universe document is not something that should be changed on a constant and regular basis whenever there is some small enterprise change. However, internal audit should have processes in place to keep its audit universe current and updated with perhaps regular quarterly or annual update reviews. This is often a good time for the CAE to explain to the audit committee any changes in internal audit’s scope and operations. An effective audit universe defines internal audit annual planning and becomes a vehicle to describe an internal audit function’s activities.