Creating the Right Audit Universe
The Audit Universe is the Key to Successful Risk Based Auditing
Dec 16, 2008
The audit executive should ensure that all options have been analyzed: pros and cons weighed, and decisions made that facilitate the overall organizational vision. There is no wrong way to create an entity, nor is there a universally accepted right way. Examining the various methods will allow the executive to select that method most appropriate for his/her situation.
Process Level
A typical approach for entity development is to align oneself to key processes found throughout the organization. For example, a specific regulation, the application process, etc. An approach of this type will provide the audit team with detailed information related to how a business may or may not be managing the risks associated with that specific process. The value here is in the detail that can be gathered by the audit team for a specific and finite purpose. A challenge to this though is that the audit team may not determine how a specific process impacts, or is impacted by, the rest of the organization. Often, it is those impacts that provide deep insight into existing or emerging multilevel risks.
Functional Level
If entities are created at the functional level, results are easily reported to the manager who can actually resolve any issue. The benefit is that instead of having to navigate the treacherous waters of multi-level organizations and the ultimate finger pointing accountability tactic, the auditor can speak directly to those who own the issue. This facilitates discussions around severity of the issues reported and dramatically increases the odds of the issue actually being resolved. However, similar to the process level approach, the auditor may miss connection points between functions or worse, not even know that there are no connections between the various functions of the organization.
Product Level
Utilizing the product level assures the auditor of understanding the vertical (product) and the horizontal (process) attributes that impact key products of an organization. This is the first level of pure risk based entity creation because it incorporates, to a basic degree, a dual look approach. Because products often touch more than one business function and always touch more than one process, the auditor will be able to determine what are the direct and indirect impacts of each process step. If product development is included in this entity then the auditor can feel comfortable that for that product the risks and controls are well known and adequately audited. However, in organizations that have many different products that use the same processes, this approach may not highlight process shortfalls caused by business focus on one product or the other.
Business Level
By using a business level approach to creating the audit entity, the auditor can ensure that all process, function and product interrelationships are addressed. The auditor can also add value by providing management with recommendations over synergies and efficiencies that the other levels may not provide. Here the auditor can also ensure that all processes, products and structures align to overall business strategies and direction. Unfortunately, this level does not allow for the detail that many businesses expect out of their audit function. So the auditor must either rely on other internal control functions to provide that information, or modify his/her approach and incorporate detailed testing in some areas.
The recommended approach is to use a modified business level focus. The auditor must evaluate what key processes, products and/or functions drive risk for the organization. Then the audit process must ensure that detailed testing is completed on those items. Faliure to do so would negate the very basis of risk based auditing.
