The audit universe is built of individual auditable entities (or segments) that make up everything within the organisation that may be subject to internal audit activity. The Chartered IIA’s Effective Internal Audit in the Financial Services Sector (FS Code) states, 'In setting its scope, internal audit should form its own judgement on how best to segment the audit universe given the structure and risk profile of the organisation.' And, 'In setting out its priorities and deciding where to carry out more detailed work, internal audit should focus on the areas where it considers risks to be higher.'
The audit universe should enable the internal audit function, through the delivery of audit work, to form an independent view of whether the key risks to the organisation have been identified, including emerging and systemic risks, and assess how effectively these risks are being managed. This guidance will explain key points to consider when preparing and segmenting the audit universe to support internal audit’s risk assessment, the prioritisation of audit activities and monitoring of internal audit’s coverage of the audit universe.
The audit universe represents the legal entities, regulatory entities, jurisdictions, processes, business lines, products and functions that together comprise the set of auditable entities in an organisation. The internal audit function must determine its approach to segmenting the audit universe in such a way that supports audit prioritisation and coverage monitoring.
The number of auditable entities in the audit universe and the way it is constructed will vary between audit functions. A more complex organisation with, for example, multiple business lines or entities may require a higher number of auditable entities to cover the full extent of the organisation. A smaller, simpler organisation may require fewer auditable entities.
The internal audit function’s approach to audits will also help dictate the number of auditable entities. For example, if there is a preference for larger-scope audits, then fewer auditable entities may be more appropriate; if audits are usually smaller, more focused pieces of work, then more entities may be appropriate.
Internal audit should use its cumulative knowledge of the organisation to construct an audit universe that is complete and covers all aspects of the organisation. Internal audit should assess its audit universe against other sources for completeness, such as finance records, cost centres, HR organisation structures or other lists of the organisation’s departments.
In constructing the audit universe internal audit may use an organisational model developed by other areas of the organisation. In such cases, internal audit must take steps to ensure that the organisational model is complete and is structured in such a way as to support its risk assessment and audit plan construction.
The internal audit function should review the construction of the audit universe following material changes in the organisation such as new business areas or products, and at a minimum on an annual basis to ensure that the universe continues to reflect the organisation.
A risk assessment should document the internal audit function’s understanding of the organisation's business activities and the associated risks. This is often referred to as a ‘bottom-up’ assessment of risks. A risk assessment should be completed for each auditable entity.
A comprehensive risk assessment should analyse key risks applicable to each of the auditable entities and may also include an assessment of second line risk functions within the organisation. The risk assessments should also consider thematic control issues, risk tolerance, and governance within the organisation. Where third parties are involved in a process or control which mitigates risk, the audit team should ensure that this is considered in the same amount of detail as if the process or control was internal to the organisation.
In addition, internal audit should identify thematic control issues which are common across different auditable entities as part of its risk-assessment processes and determine the overall impact of such issues on the organisation's risk profile.
Risk assessments should be documented and supported with an analysis of risks. Documentation should include dates and results of previous audits and any open issues raised in previous audits. Internal audit’s independent view should be informed, but not determined, by the views of management and the risk function. So, for example, the results of a review by a second line function may be considered as part of the risk assessment but should not be the only input to the risk assessment.
Risk assessments typically will be completed with regard to the impact and likelihood of an event occurring in order to produce an overall inherent risk rating for each auditable entity. The results of risk ratings should be summarised with consideration to business performance, risk indicators, control effectiveness and prior audit results and open audit issues to identify the residual risk for each auditable entity.
The risk assessment process should be viewed as a ‘live’ document, being updated on a regular basis (at least annually although more often is recommended) to reflect changes to processes, controls, systems, changes in the business model, laws and regulations. Further, changes in the business environment and/or market conditions may also require re-assessment of risks the business is exposed to.
When the risk assessment shows a change in risk for an auditable entity, planned audit coverage should be reviewed to determine whether the current planned coverage should be increased or decreased to address the revised assessment of risk. Additional audit coverage would be expected in business activities that present the highest risk to the organisation.
Where appropriate, continuous monitoring of key audit risk factors (as determined by the internal audit team) should help to inform decision making over changes to the audit plan and universe as they occur. Continuous monitoring can be completed by an assigned audit group or individual and standards and procedures should be incorporated into the audit methodology.
Continuous monitoring should utilise data analytics where appropriate in order to provide information on key trends and metrics for larger data sets. Continuous monitoring results can include management reporting, metrics, periodic audit summaries, and updated risk assessments to substantiate that the process is operating as designed. Critical issues identified through the monitoring process should be communicated to the audit committee.
The internal audit function should determine its coverage strategy suitable to the risk profile and complexity of the organisation it audits. The coverage model should be documented and presented to the audit committee. Internal audit functions will generally operate coverage models including some or all of the following coverage model types:
Models that establish an audit cycle based on an assessment of the inherent risk and control environment of the auditable entities or their constituent elements (eg processes or risks). So, for example, higher risk-rated auditable entities may be subject to an annual audit, medium risk-rated entities may be subject to an audit every two or three years and lower risk-rated entities may be subject to an audit every four years.
Models that assess the highest audit need, incorporating time since last audit. In this scenario, only those entities with the highest residual risk would be covered each year.
Models that assess audit need and adapt planned coverage on a frequent/ongoing basis. There is no defined audit cycle; judgement is used to determine audit coverage.
In all cases the coverage model should be confirmed with the audit committee.
In addition to using the results of the audit universe risk assessment to determine the audit plan, consideration should be given to using a ‘top-down’ assessment to ensure that, at a high level, the audit plan focuses on, and is aligned to, the organisation’s objectives, key risks, external business and regulatory challenges and recognises emerging risks. This may be done by identifying potential risks, themes and topics that present the highest risk to the organisation based on industry or regulatory hot topics, internal or external events, and other information that is available. Audit coverage of topics or themes identified from the ‘top-down’ assessment may include specific audit work covering the topic or theme and/or one or more audits identified from the ‘bottom-up’ assessment.
Whichever model or combination of models is used, it is expected that higher risk elements of the audit universe are audited more frequently and to greater depth than lower risk elements. Internal audit should make a risk-based decision as to which auditable entities within its scope should be included in the audit plan – it does not necessarily have to cover all of the scope areas every year. Its judgement on which areas should be covered in the audit plan, and on the frequency and method of coverage of auditable entities (audit cycle).
Those auditable entities that have the highest risk, and those that have not been subject to audit activity for a pre-determined period, should be included in the audit plan. Certain internal audit functions may determine that very low risk activities of the organisation will not be subject to any structured audit coverage.
There may be regulatory expectations or requirements for internal audit to undertake specific audit work. These topics would typically be included in the audit plan regardless of the results of the risk assessment.
The overall output is a prioritised list of audits for the next planning period (often the next 12 months, but some audit functions use different timelines), bringing together the top-down and bottom-up analysis and setting out common themes and risks and internal audit’s proposed audit coverage in response.
A summarised audit plan should be discussed with business stakeholders with the purpose of obtaining their feedback on the plan and providing a check as to its alignment with management’s view of major risks. While the final approval of the plan lies with the audit committee, internal audit should ensure that management’s views are understood and any differences in viewpoints as to priorities are clearly explained.
A final audit plan is then produced for presentation to the audit committee.