SESSION E4: AUDIT UNIVERSE – IDENTIFYING THE AUDIT UNIVERSE: FIND IT, DOCUMENT IT, USE IT
Mark P. Ruppert, Director, Internal Audit, Cedars-Sinai Health System
AHIA 35th Annual Conference – September 11-14, 2016
www.ahia.org
What is and why have an audit universe?
Current Audit Universe “Trends”
Audit vs Risk Universe
Identify your audit universe
Document your audit universe
Use your audit universe
Our Journey into the Audit Universe
Audit Universe - Defined
Definition of an audit universe varies; the actual IIA Standards do not mention the term “audit universe.”
Practice Advisory 2010-1, Item 1: “The audit universe is a list of all the possible audits that could be performed.”
“A compilation of the subsidiaries, business units, departments, groups, processes, or other established subdivisions of an organization that exist to manage one or more business risks.” ~Internal Auditing, Third Edition, by Reding, Sobel, Anderson, Head, Ramamoorti, Salamasick and Riddle
Audit Universe - Defined
Yes, I also checked the Bible for a definition of audit universe…
Sawyer’s Internal Auditing, 5th Edition, does not specifically define it but does reference “audit universe” on a couple of occasions, most notably in the context, “…the audit universe can be influenced by the results of the risk management process.”
Audit Universe - Defined
IIA GTAG: Developing the IT Audit Plan – Intro, p. 3, item 2.1, “auditors need to define the IT universe”
Page 9, item 4.0, “One of the first steps to an effective IT audit plan is to define the IT universe, a finite and all-encompassing collection of audit areas, organizational entities, and locations identifying business functions that could be audited to provide adequate assurance on the organization’s risk management level. At this initial phase, identifying potential audit areas within the IT universe is done independently from the risk assessment process. Auditors need to be aware of what audits could be performed before they can assess and rank risks to create the annual audit plan. Defining the IT audit universe requires in-depth knowledge of the organization’s objectives, business model, and the IT service support model.”
Audit Universe - Defined
IIA Practice Advisory 2010-1, Item 2: “The audit universe can include components from the organization’s strategic plan. By incorporating components of the organization’s strategic plan, the audit universe will consider and reflect the overall business’ objectives. Strategic plans also likely reflect the organization’s attitude toward risk and the degree of difficulty to achieving planned objectives. The audit universe will normally be influenced by the results of the risk management process. The organization’s strategic plan considers the environment in which the organization operates. These same environmental factors would likely impact the audit universe and assessment of relative risk.”
Audit Universe - Defined
IIA Practice Advisory 2010-1, Item 2 (annotated): “The audit universe can include components from the organization’s strategic plan. [Objectives] By incorporating components of the organization’s strategic plan, the audit universe will consider and reflect the overall business’ objectives. [Risks] Strategic plans also likely reflect the organization’s attitude toward risk and the degree of difficulty to achieving planned objectives. The audit universe will normally be influenced by the results of the risk management process. [Controls] The organization’s strategic plan considers the environment in which the organization operates. These same environmental factors would likely impact the audit universe and assessment of relative risk.”
Audit Universe - Defined
The Audit Universe is typically the collection of all “audit units” (also referred to as auditable entities) that are within the scope of a given internal audit function.
Yet, there is also no single definition of an “audit unit” or how the audit universe is constructed.
The IIA’s Standards (2010) require the CAE to “establish risk-based plans to determine the priorities of the internal audit activity,” not to identify audit units and establish an audit universe. However, most CAEs find an audit universe to be a useful tool.
An audit unit is generally a process, function, legal entity, or other separately identifiable part of the organization. For each audit unit, risk is assessed as the basis for developing the audit plan.
The collection of all audit units is referred to as an audit universe.
Audit Universe - Defined
For the purpose of today’s discussion, I’d like to take the Internal Auditing definition: “A compilation of the subsidiaries, business units, departments, groups, processes, or other established subdivisions of an organization that exist to manage one or more business risks.”
and add… “A compilation of the subsidiaries, business units, departments, groups, processes, or other established subdivisions of an organization that exist to manage one or more business risks and that could be subject to audit or audit-like processes.”
Audit Universe – The What and Why
The number of audit entities in any given audit universe varies greatly and there is no useful metric for universe size, even within industries.
Audit universes differ by organizational size, complexity, and/or factors driven by audit efficiency considerations (e.g., aggregating multiple risk areas into single audit unit or vice versa).
An audit universe is (or should be) somewhat dynamic to reflect organizational structure and risk changes.
Thus, an audit universe is best updated as organizational structure and risk changes occur.
An audit universe is not an audit plan, but audit plans are derived from the audit universe.
Audit Universe – The What and Why
While internal audit is responsible for internal audit’s risk assessment and audit plans, tapping into the knowledge of management for this exercise can be extremely useful. Thus, CAEs often work with management to confirm their understanding of risks and organizational factors that could influence the most efficient manner to audit risks.
Caution: Internal audit has a specific responsibility under the Standards to develop risk-based audit plans. Internal audit is thereby responsible for assessing risk, not just blindly accepting management’s assessment of risk. Internal audit must also determine its audit plan, based on its definition of audit units and the audit universe.
Audit Universe – The What and Why
Audit Universe Benefits to IA and the Organization:
Inventory of Auditable Units or Entities
Improved Organizational Understanding
Risk Coverage Assurance
Support Board/Manage Risk Coverage Considerations
Supports Audit Plan Development & Maintenance (Practice Advisory 2010-1, item 3, “The CAE prepares the internal audit activity’s audit plan based on the audit universe, input from senior management and the board, and an assessment of risk and exposures affecting the organization.” and item 4, “The audit universe and related audit plan are updated to reflect changes in management direction, objectives, emphasis, and focus.”)
Can Assess Extent of Organization Audited
Audit History Tracking
Auditor Training (Practice Guide – Developing the Internal Audit Strategic Plan, Page 13, “Understand the necessary skills to deliver on the mission statement for all areas within the audit universe.”)
Recent Trends/Survey Data
IIA AEC Survey July 2016:
89% of respondents maintain an audit universe
87% of those who do maintain a formal structured universe as opposed to merely a list
Audit Universe Structures:
46% based on departmental/functional org structure
35% based on functional processes
5% based on legal structure
14% other/combination of above methods
Recent Trends/Survey Data
Frequency of Audit Universe Update:
61% Annually
28% Semi-Annually
9% more frequently than semi-annually
Remainder less frequently than annually
Management Input/Impact on Audit Universe:
42% Significant
58% Insignificant
Audit Universe Format:
74% Spreadsheet
16% Specialized Software like GR, SAP, Teammate
5% Database (Access)
Recent Trends/Survey Data
Audit Universe Size: Size Doesn’t Matter
Number of auditable entities or audit units is driven by your organization, not by any industry metric.
Audit vs Risk Universe
In general, the audit universe and risk universes are closely related, intertwined and often merged universes serving as a single universe for audit plan determination purposes.
Reminder: Sawyer’s Internal Auditing, 5th Edition, does not specifically define but does reference “audit universe” on a couple of occasions, most notable in the context, “…the audit universe can be influenced by the results of the risk management process.”
Audit vs Risk Universe
Audit Universe ≈ List of Potential Audits
Focus on controls, processes, etc. designed to mitigate risks to objectives
Easier to define and develop than a risk universe (defined by the Internal Audit Profession)
Audit Universes change over time as the organization changes
Risk Universe ≈ List of Potential Risks
Focus on risks to corporate objectives and strategy
More complex than audit universe due to the changing nature of risk, risk appetite, etc. (defined by more than one industry and profession)
Not all risks can necessarily be audited
Getting agreement on the definition of risk, risk appetite and risk severity can be difficult
Risk Universes can change regularly as the “environment” changes
Audit Universe – Is It A Necessity?
Has the risk focus eliminated the usefulness of an audit universe?
Is a risk universe sufficient?
Can the audit and risk universe be combined?
Should the audit/risk universe be combined?
Do we audit risk?
Can meaningful audits be applied to all areas of risk?
How do we know if all risk is being addressed: by the Board? By management? By our risk assessments and audit plans?
Audit/Risk Universe Benefits
Audit universe assessed for risk ≈ more meaningful planning tool:
Provides an organized basis for organization-wide risk analysis
Provides basis for audit plan development
Can be sorted by risk, or any other attribute/criteria maintained to support specific audit needs
Provides a basis for cyclical, periodic and emerging risk audit plan components
Provides a reference for Board/Executive discussions regarding what can be, should be and will be audited (Coverage Assurance)
Provides a basis for identifying those key areas of risk that can be audited but will not be audited in a coming cycle
Identifies the value of individual audits relative to the whole
Identify Your Audit Universe
Important Audit Universe Planning Components – Define Your:
SOURCE: On what will you base your universe? What is the most common reference for corporate planning and reporting – structure, function, etc.?
METADATA: What are the most important attributes to track? Audit Entity Title or Description; Categories/Identifiers; Location; Responsible Executive(s); Other
STRUCTURE: How will it be maintained? Spreadsheet, AMS, etc.
Identify Your Audit Universe
SOURCE:
Organization Structures
Lines of Authority (GTAG – Developing the IT Audit Plan, p. 6, item 1, “When establishing the IT audit universe, consideration should be given to aligning individual audits with the management function that has accountability for that area.”)
Legal Entities
General Ledger / Cost Centers
Business / Functional Processes
Interviews (Board members, Executives, Management)
Service Lines
Identify Your Audit Universe
SOURCE (continued):
Centers of Excellence
Product Lines
ERM / Risk Universe
Corporate Website
Corporate Strategy, Business Models, etc.
Major IT Systems
Regulatory Compliance Matters (e.g., HIPAA gap assessments; note IIA GTAG – Developing the IT Audit Plan, Page 7, Item 5, “The organization’s regulatory requirements, therefore, should be appropriately considered in the risk profile and IT audit universe.”)
Identify Your Audit Universe
METADATA: Start Simple – How might you need to view/categorize/report the data?
Organizational Divisions
Executive Ownership (EVP, SVP, VP, etc.)
Physical Location
Risk Assessment / Score
Frequency
Structural / AMS Limitations
Define metadata components to keep data clean
Identify Your Audit Universe
STRUCTURE: Choose your structure based on:
Ease of use
Ease of maintenance
Flexibility to update/expand/contract
Plan for maintenance and update process
Security/Backup
Reminder: Audit Universe Format: 74% Spreadsheet; 16% Specialized Software like GR, SAP, Teammate; 5% Database (Access)
Document Your Audit Universe
Once you’ve determined your source, the information to gather for each audit entity, and the tool for documenting…
Set up your tool
Start data collection
Use a scribe for interviews if possible
Assign source extraction (e.g., auditors for G/L, etc.)
Record data as collected or set up a process to record routinely (staff support)
Validate data – upon completion and periodic update
The first time is daunting! A good update and validation process should make subsequent maintenance relatively easy.
Document Your Audit Universe
IIA Practice Advisory 2010-1, Item 4: “The audit universe and related audit plan are updated to reflect changes in management direction, objectives, emphasis, and focus.”
IIA Practice Advisory 2120-2, Item 5: “Periodic Review of the Audit Universe: Review the methodology to determine the completeness of the audit universe by routinely evaluating the organization’s dynamic risk profile.”
Document Your Audit Universe
Information Gathering – Regardless of your chosen sources, three key procedures will be necessary:
Analysis: Like planning an audit, obtain available data, such as: Organization Charts; Web Site (identify services provided, service locations, etc.); General Ledger/Trial Balance/Chart of Accounts
Interviews: Key Board/Audit Committee; Key Executives/Management
Confirmation: Executive agreement for completeness
Document Your Audit Universe
GTAG – Developing the IT Audit Plan, Page 3, Figure 2
Document Your Audit Universe
Source: Moss Adams
[Slides 29–44: image content not reproduced in this text extract]
Use Your Audit Universe
Apply Risk Analysis/Assessment
Develop Audit Plans
Train Team Members
Update Periodically or As Applicable
Track Trends
Track Control Analyses to Support Overall Internal Control Opinions
Identify Second Lines of Defense
??? Questions ???
“I never learn anything talking. I only learn things when I ask questions.”
~ Lou Holtz
Any question is better than no questions. Ask and I’ll either Give or Seek an Answer. Don’t Ask and leave AHIA 2016 less informed.
Save the Date: August 27-30, 2017
36th AHIA Annual Conference