The Audit Universe

Conventional wisdom and common practice have resulted in the development of the … drum roll please … audit universe — the starting point for internal audit plan development. The audit universe is the sandbox in which internal auditors play. It represents all things (lines of business, subsidiaries, alliances, and processes) that are considered “auditable” by internal audit teams. It is a big list, and we measure coverage against this list. Math can get a little tricky, but we forge forward nonetheless.

Now let me pose this question: What happens to the rest of the risk universe? Is the audit universe equal to the risk universe? Probably not. So, who is providing assurance over the rest of the population of risks — things like geopolitical risk, economic recession and recovery, and brand risk? As an internal audit function, is it our role to go find out? Maybe we just assume that it’s management’s role, not ours. Or maybe it’s the role of enterprise risk management, the legal team, or other assurance services within your company.

Is internal audit just assuming that someone else will point out that there are gaps between the audit universe and the risk universe? Perhaps it’s our role to shine light on the gaps, so our stakeholders know what’s not on our radar. I’m not suggesting that internal audit must provide assurance beyond the audit universe. We may not have the skills or resources to do so. But I am suggesting that we take a look, if we haven’t already, to make sure our company’s risk universe is covered. And if not, then that’s a good starting point for a conversation with management and the audit committee.

Posted on Jun 27, 2011 by Kiko Harvey

Share This Article:    

  Comments (7) un-categorized
  1. Comment by: Steve Katzman   (7/7/11 08:09 AM)   

    I agree with how you define the Audit Universe; however, you do have to look at how the Inherent Risks affect that audit universe.   These are two separate universes.  One denotes your responsible areas of concern (business and processes), and the second (risk universe) denotes the risks that affect each entity of the business (Audit Universe). 

    As I see it, the Geopolitical risks may not adversely effect a mom-and-pop grocery store in Brooklyn, NY or the lemonade stand set up in the neighborhood as much as it will effect the multi-national manufacturing firm or those businesses out-sourcing certain aspects in foreign ports.

    The Risk Universe and the Audit Universe are intertwined, but not one.  If you want you can also consider the Control Universe and inter-twine that into a Triad, maybe we should.  The Audit Universe is or can be affected by portions of the risk universe while the control universe items that have been activated tries to protect the audit universe from those risk universe risks.

    I can live knowing that there can be multiple universes, each intertwined at certain points.

    What do you think?

  1. Comment by: Sarah Marks   (7/7/11 12:03 PM)   

    As Internal Auditors we are required to provide an annual assessment on the adequacy and effectiveness of the organization's processes for controlling its activities and managing its risks.

    One organizational process for controlling risk should be an effective enterprise risk management program. I believe the analysis and strategizing to deal with external risks (geopolitical, economic, market) as well as opportunitites, is a management function that should be included in the ERM program. As auditors we should be assessing the adequacy and effectiveness of management's ERM process.
  1. Comment by: Jason Melnyk   (7/7/11 04:23 PM)   

    It would depend on how you build out your audit universe.  If you include both activities and functional driven areas, you should have all risks covered.  Taking your example, geopolitical risk could fall under a Corporate Governance activity, of which could be done any number of functions.  Some guidance is provided in practice advisory 2010-1, which state's that the audit universe can include component’s from the organizational strategic plan, which in short is saying that the CAE must consider all risk when compiling the audit universe.

  1. Comment by: Kaya Kwinana   (7/8/11 04:47 PM)   

     I would describe the risk universe as all those risks which could impact on the achievement of organisational objectives at the respective organisational levels.

    I would describe the audit universe as those significant risks asserted to be under control - that is with residual risk ratings equal or below their specified risk appetites - on which assurance should be provided.

    I would describe a third universe, the consulting universe, for  those significant risks asserted to be NOT under control - that is with residual risk ratings above their specified risk appetites - on which consulting should be provided.

    The assumption on all of the above is that management are competent in conducting the appropriate assessments and if not, then internal auditors should provide consulting services on those aspects management is not competent in so that they can rely on the management assessments.

  1. Comment by: Erick Martainez   (7/15/11 05:26 PM)   

    Interesting discussion about risk and and audit universes.  Risk universe usually is defined in the ERM and as someone else pointed out, it falls under the risk group ( if you have one) or senior management to assess the different internal and external risks that an organization is exposed to. 

    Our role, in my opinion, is assessing the logical process used to determine those risks, to identify their impact and likelihood.  Once the assessment is done, Internal Audit should also comment in any risk not included (gaps) in the universe and suggest, advise, and comment on what management should do in that respect.  Once the risk universe is defined, internal audit can and should develop its audit universe which would be a result of the first process.   

     

     

  1. Comment by: Kiko Harvey   (7/20/11 04:43 PM)   

    Great thoughts, everyone.  I agree that the universes are intertwined (risk, audit, and control). 

  1. Comment by: Rajen Kumar Shah   (1/27/12 05:33 AM)   

    Hello Kiko,

    Wow! Excellent! Superb!

    I appreciate the way you have interpreted Audit Universe. My two cents:

    - While mapping the Audit Universe, as an Internal Auditor, I do take a stock of various Risks;

    - Audit Universe mostly comprises of "auditable" areas, while I do agree that external factors are equally important but because of contingency in nature, these are not given priority.

    Your views please.

    Regards,

    Rajen

Leave a Reply