GUEST BLOG POST
There’s such a huge difference between basing the continuously updated audit plan on an “audit universe” (essentially a comprehensive list of all the potential audit activities that an internal audit function might undertake) and basing it on a “risk universe” (a comprehensive list of all potential risks that could affect an organization) that I want to spend some time explaining it.
Let’s start with the premise that our job is to provide our customers on the board and in top management with reasonable assurance that the system of internal controls over the more significant risks to the enterprise and its objectives is effective.
In my opinion, this is actually going a necessary step further than the Institute of Internal Auditors’ Purpose Statement: “Internal auditing strengthens the organization’s ability to create, protect, and sustain value by providing the board and management with independent, risk-based, and objective assurance, advice, insight, and foresight.”
The extra step is to distinguish assurance on random risks from assurance on the risks that matter to the success of the organization – as the Global Internal Audit Standards say, “Internal auditing enhances the organization’s… successful achievement of its objectives.”
Audit Universe vs. Risk Universe
While we can add value by auditing risks to individual processes and business units, the resulting assurance is more relevant to the managers of those business units (often “middle management”). It only has serious value to top management and the board if they can translate our micro assurance on individual parts of the organization to their macro impact on the whole of the organization and the achievement of its objectives.
When we base our audit plan on an “audit universe” we are building audits of the entities in that universe rather than audits of risks to the enterprise as a whole. However, when we base the audit plan on a “risk universe” we are focused on assurance over enterprise risks in that universe.
Auditing Procurement
To illustrate, I will use an example from my time as Chief Audit Executive at Solectron Corp. At the time, this was a company with about $12 billion in revenue with very slim profits slipping into losses at times.
The ability to procure vital components for its more than 100 manufacturing operations was absolutely critical if it was to be profitable. Yet there was uncertainty about the quality of procurement processes around the globe. Recognizing this as a significant enterprise risk, I had to determine how to audit it.
This was my process:
- Identify the significant risk to enterprise objectives. In this case, it was the risk of being unable to obtain quality materials from a reliable source (in terms of delivery) at an acceptable price.
- Determine the source(s) of that risk, where events or situations might arise that would have a significant effect. For example, in addition to direct controls in each factory’s procurement function, there might be IT-related issues or issues related to ethics, hiring practices, and other factors.
- Determine where the controls lie that would be relied upon to address the risk, and where those controls are more likely to fail (in other words, the control risk).
- Build a strategy to audit the system of internal control over the enterprise risk. How could we gain the most assurance and insight, providing advice as needed to top management and the board? For example, options might include a single audit of all the key controls regardless of where they are; a series of smaller audit projects focused on sub-sets of the key controls over the enterprise risk, with a review project to pull everything together for an overall opinion on the management of the risk; or, combining the above sub-sets of key controls with sub-sets of key controls over other enterprise risks in audits of individual business units or processes, also with review projects to enable an overall assessment of the management of the enterprise risks.
While this was an enterprise risk, the related processes and the controls relied on to manage the risk were in multiple places including:
- The corporate team negotiated corporate contracts and discounts with the primary suppliers of the critical components.
- They also monitored compliance with the corporate contract by each factory (using analytics they maintained themselves).
- Specific purchasing contracts and purchase orders independently issued by each of the factories.
- The corporate ethics and code of conduct policy, with training provided locally. This was subject to a separate audit, but I considered the results of that audit in providing my opinion on procurement risk.
The reliance on IT and ITGC for this risk was minimal. (The analytics were essentially self-controlling, as defects in the code would be exceptions they would investigate.)
This is what I included in Auditing that Matters (my seminal book on internal auditing):
“I decided that the best approach would be to staff the audit with my most senior people: the internal audit directors for Americas and Asia/Pacific, and my contracts audit manager.
- The first step was to obtain an understanding of the corporate contracting process (which covered a limited number of purchased components) and the monitoring by the corporate Chief Procurement Officer.
- Then the team visited, in turn, the locations I had selected for an on-site audit: the two largest in Asia (which included the site that appeared to have the most effective procurement function), the location in the Americas that had the best reputation, and the largest site in Europe.
- Then, the team sat back and assessed how effective procurement of materials was overall – looking at the organization as a whole.
Our report assessed the overall effectiveness of procurement as an opportunity for improvement that could be material to the profitability of the company. We pointed out that the Penang, Malaysia operation was best-in-class. The fact that they were frequently able to obtain better prices when negotiating just for Penang than the corporate function had been able to negotiate for the whole company was not only a concern but pointed to an opportunity.
Our report mattered.”
My predecessor used an audit universe when building his audit plan, and he included procurement and information security in every audit of every factory. But while he was able to determine whether there was compliance with local control design, he was not able to see the big picture and assess the enterprise-wide risk.
The approach I described above enabled us to identify additional opportunities for control and risk management upgrades. The additional information security issues identified when we used an enterprise risk approach were even more significant! There was no enterprise-wide risk assessment, no coordination among the security functions – where there was one – and the corporate InfoSec team was understaffed and buried deep in the IT organization chart.
Considering a Potential Material Weakness
Here’s another example, this time from Tosco Corp.
Our external auditors’ IT audit manager (from my old firm PwC) decided that they needed to audit the systems at our more than 6,000 Circle K convenience stores. They selected a sample of stores that they visited. They “found” (as if we didn’t know, because we needed this for operational reasons) that the store managers had access to the computers at their store and could change the data to cover up thefts and other problems.
The IT audit manager called me. He said there was a material weakness because all the managers could manipulate the accounts and our revenue could be understated by a material amount. (He ignored the fact that hundreds or more would have to collude to make this “material.”)
I called a meeting with the head of Corporate Financial Reporting, the CIO, the divisional CFO, the PwC engagement partner, and the PwC lead engagement manager. The IT audit manager was the last to arrive and he had hardly taken a seat before the lead engagement manager started in on him.
He pointed out that the divisional stores accounting team captured all the store data and ran a lot of analytics looking not only for trends but also potential errors. His team, he was proud to state, had audited these “entity-level” detective controls over the completeness and accuracy of the data submitted by the thousands of individual stores for the last several years. They were excellent and any issues such as outlined by the IT audit manager would have been detected and corrected promptly.
The enterprise-level risk was low, even if the risk at the “activity level” (at each store) seemed high. In other words, while there were controls at each store, there were also controls at divisional HQ that were better. I would say that the IT audit manager took an audit universe approach, whereas the engagement manager took an enterprise risk approach.
PwC had wasted their time auditing the store systems.
I hope the difference between enterprise risk-based auditing and the auditing of entities in an audit universe is clearer.
If you agree that “our job is to provide our customers on the board and in top management with (reasonable) assurance that the system of internal controls over the more significant risks to the enterprise and its objectives is effective,” you need an approach that is built on an enterprise risk universe. Not an audit universe with entity risk auditing (even if mandated by the IIA’s Global Internal Audit Standards).
I welcome your thoughts. (Please share them in the comments section below.)
Norman Marks is an internal audit and risk management expert and author of the blog, “Norman Marks on Governance, Risk Management, and Audit.” He is also the author of several books, including World Class Risk Management, Risk Management in Plain English: A Guide for Executives, and Auditing that Matters.
Thank you very much for this insightful write-up. However, I believe there is a need to have a balance with a combination of the two methods. This could probably be done by assessing how the key identified risks in the risk universe impact the identified audit universe. It can be a complex and tedious exercise, especially in the beginning, but after it is set up it becomes easier or simpler.
Thank you very much for your insightful article. It is an eye-opener on why concentration should not be exclusively on the unit universe if assurance and advice on risks that matter is going to be provided to management. However, my view is to take into account a combination of both aspects, that is, the audit universe and the risk universe. The idea would be to create a framework which can be used to assess how the key identified risks in the ERM impact the identified audit universe. This may be complex and tedious in the beginning, but I believe it will produce balanced and better results. Nonetheless, it is of paramount importance to always take into account the identified risk universe as reflected in the ERM.
Great examples. Thanks as always for opening this discussion up – this article should be mandatory reading.
I agree entirely with your premise. I wish more IA functions would adopt this as a starting point.
It’s then a question of how you get there.
Two quick reactions on the audit universe vs risk universe debate:
1. The sort of issues you raise are why end-to-end audits have been so popular over the last 25 years. Your first example is a great illustration of how to focus and chunk these. I’d argue that E2E audits are part of the audit universe, and we don’t need to wait for a problem to emerge before going after them. Just get them done would be my view.
2. In the 2nd example, as an ARC member I’d want to know about this. While the head office controls are enough to “stop a truck being driven through” in terms of fraud, realistically a lot of small lorries could go through undetected, which puts this in the systemic and cultural bucket for me, and a priority 1 issue from the perspective of the audit committee. Sure, potentially less material by $, but definitely material by nature.
A lot of your article goes to the piecemeal and patchwork nature of audits and how to bring this together as an integrated view. Our work together on the IIA’s Opinions practice guide attempted to go after this, but this still remains a work in progress for many. For me being able to visualise this on an audit universe is really helpful.
Perhaps we can agree that the risk universe is the North Star and the audit universe is a useful and possibly necessary backstop.
Again, thanks for opening this up. The case studies are valuable to get clarity on different ways to go after this and focus on what really matters.