Page 1

SESSION E4 AUDIT UNIVERSE
IDENTIFYING THE AUDIT UNIVERSE – FIND IT, DOCUMENT IT, USE IT

MARK P RUPPERT, DIRECTOR, INTERNAL AUDIT, CEDARS-SINAI HEALTH SYSTEM

AHIA 35th Annual Conference – September 11-14, 2016

www.ahia.org

Page 2

Our Journey into the Audit Universe

- What is and why have an audit universe?
- Current Audit Universe “Trends”
- Audit vs Risk Universe
- Identify your audit universe
- Document your audit universe
- Use your audit universe

Page 3

Audit Universe - Defined

Definition of an audit universe varies; the actual IIA Standards do not mention the term “audit universe.”

Practice Advisory 2010-1, Item 1: “The audit universe is a list of all the possible audits that could be performed.”

“A compilation of the subsidiaries, business units, departments, groups, processes, or other established subdivisions of an organization that exist to manage one or more business risks.” ~Internal Auditing, Third Edition, by Reding, Sobel, Anderson, Head, Ramamoorti, Salamasick and Riddle

Page 4

Audit Universe - Defined

Yes, I also checked the Bible for a definition of audit universe…

Sawyer’s Internal Auditing, 5th Edition, does not specifically define it but does reference “audit universe” on a couple of occasions, most notably in the context, “…the audit universe can be influenced by the results of the risk management process.”

Page 5

Audit Universe - Defined

IIA GTAG: Developing the IT Audit Plan – Intro, p. 3, item 2.1, “auditors need to define the IT universe”

Page 9, item 4.0, “One of the first steps to an effective IT audit plan is to define the IT universe, a finite and all-encompassing collection of audit areas, organizational entities, and locations identifying business functions that could be audited to provide adequate assurance on the organization’s risk management level. At this initial phase, identifying potential audit areas within the IT universe is done independently from the risk assessment process. Auditors need to be aware of what audits could be performed before they can assess and rank risks to create the annual audit plan. Defining the IT audit universe requires in-depth knowledge of the organization’s objectives, business model, and the IT service support model.”

Page 6

Audit Universe - Defined

IIA Practice Advisory 2010-1, Item 2: “The audit universe can include components from the organization’s strategic plan. By incorporating components of the organization’s strategic plan, the audit universe will consider and reflect the overall business’ objectives. Strategic plans also likely reflect the organization’s attitude toward risk and the degree of difficulty to achieving planned objectives. The audit universe will normally be influenced by the results of the risk management process. The organization’s strategic plan considers the environment in which the organization operates. These same environmental factors would likely impact the audit universe and assessment of relative risk.”

Page 7

Audit Universe - Defined

IIA Practice Advisory 2010-1, Item 2: “The audit universe can include components from the organization’s strategic plan. [Objectives] By incorporating components of the organization’s strategic plan, the audit universe will consider and reflect the overall business’ objectives. [Risks] Strategic plans also likely reflect the organization’s attitude toward risk and the degree of difficulty to achieving planned objectives. The audit universe will normally be influenced by the results of the risk management process. [Controls] The organization’s strategic plan considers the environment in which the organization operates. These same environmental factors would likely impact the audit universe and assessment of relative risk.”

Page 8

Audit Universe - Defined

The Audit Universe is typically the collection of all “audit units” (also referred to as auditable entities) that are within the scope of a given internal audit function.

Yet, there is also no single definition of an “audit unit” or how the audit universe is constructed.

The IIA’s Standards (2010) require the CAE to “establish risk-based plans to determine the priorities of the internal audit activity,” not to identify audit units and establish an audit universe. However, most CAEs find an audit universe to be a useful tool.

An audit unit is generally a process, function, legal entity, or other separately identifiable part of the organization. For each audit unit, risk is assessed as the basis for developing the audit plan.

The collection of all audit units is referred to as an audit universe.

Page 9

Audit Universe - Defined

For the purpose of today’s discussion, I’d like to take the Internal Auditing definition: “A compilation of the subsidiaries, business units, departments, groups, processes, or other established subdivisions of an organization that exist to manage one or more business risks.”

and add… “A compilation of the subsidiaries, business units, departments, groups, processes, or other established subdivisions of an organization that exist to manage one or more business risks and that could be subject to audit or audit-like processes.”

Page 10

Audit Universe – The What and Why

The number of audit entities in any given audit universe varies greatly and there is no useful metric for universe size, even within industries.

Audit universes differ by organizational size, complexity, and/or factors driven by audit efficiency considerations (e.g., aggregating multiple risk areas into a single audit unit or vice versa).

An audit universe is (or should be) somewhat dynamic to reflect organizational structure and risk changes.

Thus, an audit universe is best updated as organizational structure and risk changes occur.

An audit universe is not an audit plan, but audit plans are derived from the audit universe.

Page 11

Audit Universe – The What and Why

While internal audit is responsible for internal audit’s risk assessment and audit plans, tapping into the knowledge of management for this exercise can be extremely useful. Thus, CAEs often work with management to confirm their understanding of risks and organizational factors that could influence the most efficient manner to audit risks.

Caution: Internal audit has a specific responsibility under the Standards to develop risk-based audit plans. Internal audit is thereby responsible for assessing risk, not just blindly accepting management’s assessment of risk. Internal audit must also determine its audit plan, based on its definition of audit units and the audit universe.

Page 12

Audit Universe – The What and Why

Audit Universe Benefits to IA and the Organization:

- Inventory of Auditable Units or Entities
- Improved Organizational Understanding
- Risk Coverage Assurance
- Support Board/Manage Risk Coverage Considerations
- Supports Audit Plan Development & Maintenance (Practice Advisory 2010-1, item 3, “The CAE prepares the internal audit activity’s audit plan based on the audit universe, input from senior management and the board, and an assessment of risk and exposures affecting the organization.” and item 4, “The audit universe and related audit plan are updated to reflect changes in management direction, objectives, emphasis, and focus.”)
- Can Assess Extent of Organization Audited
- Audit History Tracking
- Auditor Training (Practice Guide – Developing the Internal Audit Strategic Plan, Page 13, “Understand the necessary skills to deliver on the mission statement for all areas within the audit universe.”)

Page 13

Recent Trends/Survey Data

IIA AEC Survey July 2016:

- 89% of respondents maintain an audit universe
- 87% of those who do maintain a formal structured universe as opposed to merely a list

Audit Universe Structures:

- 46% based on departmental/functional org structure
- 35% based on functional processes
- 5% based on legal structure
- 14% other/combination of above methods

Page 14

Recent Trends/Survey Data

Frequency of Audit Universe Update:

- 61% Annually
- 28% Semi-Annually
- 9% more frequently than semi-annually
- Remainder less frequently than annually

Management Input/Impact on Audit Universe:

- 42% Significant
- 58% Insignificant

Audit Universe Format:

- 74% Spreadsheet
- 16% Specialized Software like GR, SAP, Teammate
- 5% Database (Access)

Page 15

Recent Trends/Survey Data

Audit Universe Size: Size Doesn’t Matter

Number of auditable entities or audit units is driven by your organization, not by any industry metric.

Page 16

Audit vs Risk Universe

In general, the audit universe and risk universe are closely related, intertwined and often merged universes serving as a single universe for audit plan determination purposes.

Reminder: Sawyer’s Internal Auditing, 5th Edition, does not specifically define but does reference “audit universe” on a couple of occasions, most notably in the context, “…the audit universe can be influenced by the results of the risk management process.”

Page 17

Audit vs Risk Universe

Audit Universe ≈ List of Potential Audits

- Focus on controls, processes, etc. designed to mitigate risks to objectives
- Easier to define and develop than a risk universe (defined by the Internal Audit Profession)
- Audit Universes change over time as the organization changes

Risk Universe ≈ List of Potential Risks

- Focus on risks to corporate objectives and strategy
- More complex than audit universe due to the changing nature of risk, risk appetite, etc. (defined by more than one industry and profession)
- Not all risks can necessarily be audited
- Getting agreement on the definition of risk, risk appetite and risk severity can be difficult
- Risk Universes can change regularly as the “environment” changes

Page 18

Audit Universe – Is It A Necessity?

Has the risk focus eliminated the usefulness of an audit universe?

- Is a risk universe sufficient?
- Can the audit and risk universe be combined?
- Should the audit/risk universe be combined?
- Do we audit risk?
- Can meaningful audits be applied to all areas of risk?
- How do we know if all risk is being addressed: By the Board? By management? By our risk assessments and audit plans?

Page 19

Audit/Risk Universe Benefits

Audit universe assessed for risk ≈ more meaningful planning tool:

- Provides an organized basis for organization-wide risk analysis
- Provides basis for audit plan development
- Can be sorted by risk, or any other attribute/criteria maintained to support specific audit needs
- Provides a basis for cyclical, periodic and emerging risk audit plan components
- Provides a reference for Board/Executive discussions regarding what can be, should be and will be audited (Coverage Assurance)
- Provides a basis for identifying those key areas of risk that can be audited that will not be audited in a coming cycle
- Identifies the value of individual audits relative to the whole

Page 20

Identify Your Audit Universe

Important Audit Universe Planning Components – Define Your:

SOURCE: On what will you base your universe? What is the most common reference for corporate planning and reporting – structure, function, etc.?

METADATA: What are the most important attributes to track?

- Audit Entity Title or Description
- Categories/Identifiers
- Location
- Responsible Executive(s)
- Other

STRUCTURE: How will it be maintained? Spreadsheet, AMS, etc.

Page 21

Identify Your Audit Universe

SOURCE:

- Organization Structures
- Lines of Authority (GTAG – Developing the IT Audit Plan, p6, item 1 “When establishing the IT audit universe, consideration should be given to aligning individual audits with the management function that has accountability for that area.”)
- Legal Entities
- General Ledger / Cost Centers
- Business / Functional Processes
- Interviews (Board members, Executives, Management)
- Service Lines

Page 22

Identify Your Audit Universe

SOURCE (continued):

- Centers of Excellence
- Product Lines
- ERM / Risk Universe
- Corporate Website
- Corporate Strategy, Business Models, etc.
- Major IT Systems
- Regulatory Compliance Matters (e.g., HIPAA GAP Assessments; and note IIA GTAG – Developing the IT Audit Plan, Page 7, Item 5, “The organization’s regulatory requirements, therefore, should be appropriately considered in the risk profile and IT audit universe.”)

Page 23

Identify Your Audit Universe

METADATA: Start Simple – How might you need to view/categorize/report the data?

- Organizational Divisions
- Executive Ownership (EVP, SVP, VP, etc.)
- Physical Location
- Risk Assessment / Score
- Frequency
- Structural / AMS Limitations

Define Metadata components to keep data clean

Page 24

Identify Your Audit Universe

STRUCTURE: Choose your structure based on:

- Ease of use
- Ease of Maintenance
- Flexibility to update/expand/contract
- Plan for maintenance and update process
- Security/Back up

Reminder: Audit Universe Format:

- 74% Spreadsheet
- 16% Specialized Software like GR, SAP, Teammate
- 5% Database (Access)

Page 25

Document Your Audit Universe

Once you’ve determined your source, the information to gather for each audit entity, and the tool for documenting…

- Set up your tool
- Start data collection
- Use a scribe for interviews if possible
- Assign source extraction (e.g., auditors for G/L, etc.)
- Record data as collected or set up a process to record routinely (staff support)
- Validate Data – upon completion and periodic update

The first time is daunting! A good update and validation process should make subsequent maintenance relatively easy.

Page 26

Document Your Audit Universe

IIA Practice Advisory 2010-1, Item 4: “The audit universe and related audit plan are updated to reflect changes in management direction, objectives, emphasis, and focus.”

IIA Practice Advisory 2120-2, Item 5: “Periodic Review of the Audit Universe: Review the methodology to determine the completeness of the audit universe by routinely evaluating the organization’s dynamic risk profile.”

Page 27

Document Your Audit Universe

Information Gathering – Regardless of your chosen sources, three key procedures will be necessary:

Analysis: Like planning an audit, obtain available data, such as:

- Organization Charts
- Web Site: Identify Services Provided, Service Locations, etc.
- General Ledger/Trial Balance/Chart of Accounts

Interviews:

- Key Board/Audit Committee
- Key Executives/Management

Confirmation: Executive Agreement for Completeness

Page 28

Document Your Audit Universe

[Figure: GTAG – Developing the IT Audit Plan, Page 3, Figure 2]

Page 29

Document Your Audit Universe

[Figure: Source: Moss Adams]

Pages 30-44

Document Your Audit Universe (image-only slides)

Page 45

Use Your Audit Universe

- Apply Risk Analysis / Assessment
- Develop Audit Plans
- Train Team Members
- Update Periodically or As Applicable
- Track Trends
- Track Control Analyses to Support Overall Internal Control Opinions
- Identify Second Lines of Defense
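As an added illustration of the planning steps on pages 19, 23 and 45 (an audit universe register carrying the suggested metadata, a validation pass to keep the data clean, a risk-sorted plan derived from the universe, and a coverage report of what will not be audited), here is a small Python model. It is example code written for this page, not code from the presentation or from Cedars-Sinai; the field names, the 1-25 risk scale, the three-cycle rotation rule, the greedy hours-based plan fill and the sample units are all assumptions constructed for the example.

```python
"""Audit universe register: one way to put the deck's planning steps in code.

Added example, not from the AHIA presentation or Cedars-Sinai. The field
names, the 1-25 risk scale, the three-cycle rotation rule and the sample
units are assumptions constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Controlled vocabulary for the category attribute so the register stays
# clean (page 23: "Define Metadata components to keep data clean"). Assumed values.
CATEGORIES = {"Clinical", "Revenue Cycle", "IT", "Compliance", "Finance"}
RISK_MIN, RISK_MAX = 1, 25  # assumed likelihood x impact scale


@dataclass
class AuditUnit:
    """One auditable entity with the metadata pages 20 and 23 suggest tracking."""
    unit_id: str
    title: str
    category: str
    location: str
    executive: str                      # accountable management function (GTAG alignment)
    risk_score: int                     # assumed 1-25 scale
    est_hours: int                      # effort estimate used when building the plan
    auditable: bool = True              # "not all risks can necessarily be audited"
    last_audited: Optional[int] = None  # cycle (year) last audited; None = never


def validate(units: list[AuditUnit]) -> list[str]:
    """Data-quality checks run on load and at each periodic update.
    Returns the list of problems found; an empty list means the register is clean."""
    problems, seen = [], set()
    for u in units:
        if u.unit_id in seen:
            problems.append(f"{u.unit_id}: duplicate unit id")
        seen.add(u.unit_id)
        if not u.title.strip():
            problems.append(f"{u.unit_id}: missing title")
        if u.category not in CATEGORIES:
            problems.append(f"{u.unit_id}: unknown category {u.category!r}")
        if not u.executive.strip():
            problems.append(f"{u.unit_id}: no responsible executive")
        if not RISK_MIN <= u.risk_score <= RISK_MAX:
            problems.append(f"{u.unit_id}: risk score {u.risk_score} outside {RISK_MIN}-{RISK_MAX}")
    return problems


def is_overdue(u: AuditUnit, current_cycle: int, max_gap: int = 3) -> bool:
    """Cyclical component: never audited, or not audited within max_gap cycles."""
    return u.last_audited is None or current_cycle - u.last_audited >= max_gap


def build_plan(units: list[AuditUnit], capacity_hours: int, current_cycle: int) -> list[AuditUnit]:
    """Derive an audit plan from the universe: overdue units first, then by risk
    score descending, filling the available hours greedily (assumed policy)."""
    candidates = [u for u in units if u.auditable]
    candidates.sort(key=lambda u: (not is_overdue(u, current_cycle), -u.risk_score, u.unit_id))
    plan, used = [], 0
    for u in candidates:
        if used + u.est_hours <= capacity_hours:
            plan.append(u)
            used += u.est_hours
    return plan


def unaudited_high_risk(units: list[AuditUnit], plan: list[AuditUnit], threshold: int = 15) -> list[AuditUnit]:
    """Auditable units at or above the risk threshold that the plan leaves out:
    the list to bring to the board in the coverage discussion (page 19)."""
    planned = {u.unit_id for u in plan}
    return [u for u in units
            if u.auditable and u.risk_score >= threshold and u.unit_id not in planned]


def coverage(units: list[AuditUnit], plan: list[AuditUnit]) -> dict[str, float]:
    """Extent of the universe the plan covers, by unit count and by risk weight."""
    total_risk = sum(u.risk_score for u in units)
    return {
        "units_pct": round(100 * len(plan) / len(units), 1),
        "risk_weighted_pct": round(100 * sum(u.risk_score for u in plan) / total_risk, 1),
    }


# Constructed sample universe for a fictional health system (not real data).
SAMPLE_UNIVERSE = [
    AuditUnit("AU-01", "Patient Accounting", "Revenue Cycle", "Main Campus", "CFO", 20, 300, last_audited=2014),
    AuditUnit("AU-02", "Pharmacy Inventory", "Clinical", "Main Campus", "COO", 16, 200, last_audited=2015),
    AuditUnit("AU-03", "Identity and Access Management", "IT", "Data Center", "CIO", 22, 250),
    AuditUnit("AU-04", "HIPAA Privacy Program", "Compliance", "System-wide", "CCO", 18, 150, last_audited=2013),
    AuditUnit("AU-05", "Payroll", "Finance", "Main Campus", "CFO", 9, 120, last_audited=2016),
    AuditUnit("AU-06", "Physician Contracting", "Compliance", "System-wide", "CCO", 15, 180, last_audited=2012),
    AuditUnit("AU-07", "Investment Market Risk", "Finance", "System-wide", "CFO", 17, 0, auditable=False),
]

if __name__ == "__main__":
    assert not validate(SAMPLE_UNIVERSE), validate(SAMPLE_UNIVERSE)
    plan = build_plan(SAMPLE_UNIVERSE, capacity_hours=700, current_cycle=2017)
    print("Plan:", [u.unit_id for u in plan])
    print("High risk, not in plan:", [u.unit_id for u in unaudited_high_risk(SAMPLE_UNIVERSE, plan)])
    print("Coverage:", coverage(SAMPLE_UNIVERSE, plan))
```

Running the file validates the sample register, builds a plan for 700 hours of capacity and reports the high-risk units that fall outside it, which is the list a CAE would raise with the board under the coverage point on page 19. Ordering overdue units ahead of risk is one policy choice that keeps the cyclical component from being starved by a few high scores; swapping the sort key to risk first gives a purely risk-ranked plan, and the metadata fields make either list sortable by executive, location or category as page 19 suggests.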

Page 46

??? Questions ???

“I never learn anything talking. I only learn things when I ask questions.” ~ Lou Holtz

Any question is better than no questions. Ask and I’ll either Give or Seek an Answer. Don’t Ask and leave AHIA 2016 less informed.

Page 47

Save the Date: August 27-30, 2017

36th AHIA Annual Conference