
Audit Programs and Establishing The Audit Universe

The document discusses establishing an audit universe and audit programs for an internal audit function. It defines an audit universe as the aggregate of all areas that are available to be audited within an enterprise. To define the audit universe, internal audit should identify all potential auditable entities and business units. The auditable entities can be defined by function, activity, organization unit, or project. The goal is to define entities at a level where individual audits will be cost effective. Once potential audit areas are identified, internal audit should assess its own capabilities and objectives to determine which areas it realistically has the skills and resources to audit. Not all theoretical audit areas may be practical. For areas included in the audit universe, internal audit should


Audit Programs and Establishing the Audit Universe

ALIFIA NUR UMAYRAH (A31116803)


WISNU MAHARDIKA R (A31116812)
IZHAK ADE ARIDZA S (A31116814)

HASANUDDIN UNIVERSITY

FACULTY OF ECONOMY AND BUSINESS

INTERNATIONAL CLASS

2017/2018

Audit Programs and Establishing the Audit Universe

Preliminary

With overall objectives to review and improve internal controls as well as to promote the effectiveness and
efficiency of operations, an internal audit function has a wide variety of areas and activities to include in its reviews.
It can concentrate on reviews of financial process internal controls, operational areas in the enterprise, safety and
security issues, controls related to information technology (IT) systems, or any of a series of other areas. Given the
broad scope of enterprise operations and management and audit committee demands for internal audit attest
services, many internal audit functions find that there are just too many areas to include within their scope, given
staff, budget, and timing constraints. Internal audit functions need to define the areas within their scope that they
may consider for internal audits. This list of all of the potential areas to audit is often called the audit universe.

This chapter looks at the concept of establishing and maintaining an audit universe for an enterprise’s internal audit
function as well as using that universe as a basis for outlining high-level internal audit procedures, performing risk
assessments, and establishing an effective internal audit program. Our common body of knowledge (CBOK) concept
here is that internal auditors at all levels should understand the importance of having an enterprise-specific internal
audit universe as a basis to guide their internal audit activities. That audit universe will help internal audit to
better present planned activities to the audit committee, as discussed in and to more effectively plan risk-based
internal audits.

Defining the Scope and Objectives of the Internal Audit Universe


An audit universe is the aggregate of all areas that are available to be audited within an enterprise. To define its audit
universe, internal audit should review or understand the number of potential auditable entities in terms of both the
business units or areas of operations within the enterprise and the number of auditable units or activities within and
across those business units. This auditable entity can be defined in a number of ways, such as by function or activity,
by an organization's unit or division, or perhaps by a project or program. Some examples of activities that can be
audited include:

• Policies, procedures, and practices both on an enterprise level and those specific
to locations, such as at international units
• Manufacturing, distribution, or supply chain units
• Information systems on infrastructure and specific application levels
• Major contracts or product lines
• Functions such as purchasing, accounting, finance, marketing, and others

The second way of looking at these entities is by business unit. In today’s environment, an enterprise may have
several lines of business with operations across the globe and may exhibit a myriad of authority/responsibility
and reporting structures. In order for an internal auditor not to get lost in the complexity of corporate structures,
an organized “inventory” of all significant auditable units should be compiled.

The definition of auditable entities or units depends on specific organizational characteristics and whether the
enterprise is functionally organized or product centered.

The idea is not to get too big or—an even greater problem—too small in these definitions. We should define
auditable entities in a manner where individual internal audits will be cost effective. Some examples include:

• Consider a multiplant manufacturing facility with many small production units.
It might make sense to define all manufacturing processes at each of these
smaller production units as potential auditable units. These production plant
potential audits would include all manufacturing activities at each facility, such
as purchasing, receiving, factory floor routing, quality assurance, shipping, and
other individual internal audits. An audit team would not review individual
processes, such as receiving, at just one production plant. Internal audit would
more typically cover all plant-by-plant manufacturing activities.
• For a multirestaurant chain with many small units, it might be best to define
each individual small restaurant as an auditable unit, with no plans to schedule
specific processes at each of those restaurants as a separate audit. An internal
audit team here might review all operations at a particular restaurant rather than
a common process, such as cash control procedures for all of the restaurant
units.
• In many instances, it may be most efficient to designate a common process
covering all units as an overall auditable entity, particularly if common policies
and procedures cover all individual units.

The internal audit team should also define several audit focal points to ensure consistency in their execution
of all potential internal audits. These focal points, which serve as a general outline for audit planning
documents and audit work programs, help produce trending reports regarding the status of controls in the
enterprise’s controls environment.

For example, four typical audit focal points for an information security universe
are:

1. IT access controls
2. System security configuration
3. Monitoring and incident response
4. Security management and administration

Similarly, the four audit focal points for an IT infrastructure universe element
might be:

1. Structure and strategy
2. Methodologies and procedures
3. Measurement and reporting
4. Tools and technology

Assessing Internal Audit Capabilities and Objectives

A detailed list of enterprise units showing all of the areas that internal audit could review is of little value
unless internal audit has the skills and resources to launch audits in those areas. This author once joined a
large enterprise where the existing internal audit group spent time preparing audit universe lists of all of the
entities and units at the enterprise, as part of its annual internal audit planning exercise.

The result was extensive and impressive-looking lists of auditable entities, but this internal audit function
had neither the capability nor even actual objectives to perform internal audits at some of these units.

This enterprise, for example, had a large group of remote distribution units as well as businesses run by
independent franchisees and contractors. An audit universe document included all of these franchisee
businesses as auditable units, even though most had never been visited by corporate internal audit. An
example of these businesses was a small group of home improvement units whose whole function was to
perform home pest removal services. On a contract basis, this franchisee unit would visit a home and
remove rats, mice, or bats living in attics.

This relatively small chain of operations had little impact on overall parent enterprise operations. Aside
from signing proper contracts and paying commissions to the parent, these franchisees had little connection
with parent corporation operations and presented minimal risks. Did internal audit know anything about
this type of business? Aside from commission transactions, was there any financial impact?
The answer to these questions should have been no. Units like this should never be
included on internal audit universe lists.

Based on the preliminary list of auditable units and candidates, internal audit should go a step further to
develop and enhance its audit resource lists. Although there still may be some uncertainty regarding the
nature of some of these business units and their internal control issues, internal audit should analyze each of
these potential internal audit candidates in this way:

• Establish high-level control objectives for each of the audit universe candidates. The idea is to
determine why a unit is on such a list as well as internal
audit’s potential control objectives for such units. Our previous example of a
franchisee household pest control service probably would be eliminated in such
an exercise.
• Assess high-level risks for audit universe candidates. Following the Committee of Sponsoring
Organizations Enterprise Risk Management (COSO ERM)
approach discussed in Chapter 6, internal audit should review each of these
audit universe candidates and estimate the high-level risks to the enterprise if
there was a major internal controls failure associated with the candidate.
• Coordinate the internal audit activity with other audit and governance
interests. While internal audit is or should be the prime reviewer of enterprise
internal controls, any planned audit work should be coordinated with other
interested parties.
• Develop high-level control objectives for audits designated by the audit
universe. While this will become more important in an annual planning process,
as discussed in Chapter 15, a high-level audit objective should be identified for
each item included in the audit universe.
• Develop a preliminary control assessment questionnaire for each audit.
In many cases, items listed on the audit universe are repeats of internal audits
from the prior periods. In those situations, this audit guidance should be updated
as processes change and reevaluated for future audits in each area. In other
cases, internal audit should develop some high-level questionnaires to get started
on these potential audit universe reviews.

Audit Universe Time and Resource Limitations


It is sometimes easy to build an audit universe document that includes many—too many—potential internal audits
that will never be executed. Our Global Computer Products example illustrates this problem. Global Computer
currently has a headquarters-based internal audit group that does not have any international presence. That is,
internal audit does most of its work at the home office and rarely travels. Based on the size of this internal audit
function, the CAE should recognize and advise the audit committee that some of the auditable entities on
the universe list essentially can never be reviewed, given internal audit’s size, scope, and budget. The idea is to
demonstrate potential review activities over upcoming periods and what can realistically be included in internal
audit’s scope of planned activities. A next step should be to look at the preliminary audit universe list and determine
those audits that are required on an annual or a semiannual basis. These are audits, such as SOx Section 404 internal
controls update reviews, that must be completed during a current period. Other regular internal audits are not
mandated but are expected by senior management and the audit committee.

Although we are still dealing at a very high level here, a next step is to look at the remaining items in the
preliminary audit universe and determine if time and resources are available for reviews of these items. In some
situations, there may be just too many audit entity items left in the audit universe to complete over a reasonable
period of time. Because of the ongoing enterprise and market changes that we all experience, a time span here
should not be more than five years, and more preferably three years. In addition, these internal audits set for
scheduling in the current period or in a three- to five-year cycle may require specialized internal audit skills. More
internal audit resources need to be on board for such areas as IT network security or continuity planning and testing.
Where additional internal audit skills or resources will be needed, they should be documented and
scheduled.

All of these gathered data and planning assumptions will help internal audit to build and publish a preliminary audit
universe. This document shows the areas where internal audit plans to perform audits over upcoming periods, the
high-level objectives of those audits, and their relative risks.

“Selling” the Audit Universe to the Audit Committee and Management

The CAE and the main internal audit team can go through a massive effort to establish and maintain an internal
audit universe and may have requested assistance and advice from senior management on the contents and
assumptions of the audit universe, but the audit committee is the entity responsible for reviewing and approving the
document. In the end, the audit committee is responsible if there are questions regarding why internal audit looks
at an area, and the CAE must carefully and fully brief the audit committee members and explain the key assumptions.
The audit universe schedule should be
prepared and updated on an annual basis for audit committee review and approval. Where the audit committee
suggests different areas of emphasis or involvement, the CAE should initiate these internal audit planned changes
and make appropriate adjustments to the internal audit annual plan and schedule. In addition, this is often the time
for internal audit to seek authorization for changes to internal audit’s budget, manpower, or other function
changes. Internal audit would be operating under an annual enterprise budget, but it is the audit committee that can
make a midstream change.

Assembling Audit Programs: Audit Universe Key Components


An audit universe and its supporting information describe internal audit’s high-level review objectives in an area.
We have discussed how internal audit should define and document some high-level objectives for each planned
review, but it will not be enough to assign internal audit work to staff-level auditors; they will need some
step-by-step guidance to perform internal audits. Internal audits should be organized and performed in a consistent
manner with an objective of minimizing arbitrary or unnecessary procedures. To provide help and guidance, internal
auditors use audit programs to perform their internal audit procedures in a consistent and effective manner for
similar types of audits. The term program refers to a set of auditor procedures similar to the steps in a computer
program, which go through the same steps every time the process is run. For example, a computer program to
calculate pay will include instructions to read the time card file of hours worked, look up the employee’s rate stored
in another file, and then calculate the gross pay. The same steps apply for every employee unless there are
exceptions, such as overtime rates coded into the payroll program. Similarly, an audit program is a tool for planning,
directing, and controlling audit work and a blueprint for action, specifying the steps to be performed to meet audit
objectives. It represents the auditor’s selection of the best methods of getting the job done and serves as a basis for
recording the work steps performed.

In order to prepare this program, the internal auditor first should have an understanding of the characteristics of what
constitutes an adequate audit program.

(a) Audit Program Formats and Their Preparation


An audit program is a procedure describing the steps and tests to be performed by
the auditor when actually doing fieldwork. The program should be finalized after the
completion of the preliminary and field surveys and before starting the actual audit
fieldwork. It should be constructed with several criteria in mind, the most important
of which is that the program should identify the aspects of the area to be further
examined and the sensitive areas that require audit emphasis.

(b) Types of Program Audit Evidence

As discussed in Chapter 8, Institute of Internal Auditors standards state that an
internal auditor should examine and evaluate information on all matters related to the
planned audit objective. The internal auditor should gather audit evidence in support
of the evaluation, what internal audit standards call sufficient, competent, relevant,
and useful. An audit program, properly constructed, should guide the auditor in
this evidence-gathering process. An internal auditor will encounter multiple types
of evidence that can be useful in developing audit conclusions. Actually observing
an action or obtaining an independent confirmation is one of the strongest forms of
evidence. An auditee’s often-casual response to an auditor’s question covering the
same area will be the weakest form of evidence. It is not that an auditor thinks the
person is not telling the truth; actually observing some event is far superior to just
hearing about it. Internal auditors will encounter different levels of audit evidence
and should attempt to design their audit procedures to look for and rely on the best
available audit evidence.

Audit Universe and Program Maintenance

The audit universe document is a general description of all of the audit units that an enterprise internal audit function
may review. It is a plan that defines the breadth and scope of internal audit activities. To some extent, if questioned
after the fact why an internal audit group has never scheduled a review in some area, internal audit can point out that
the area was not included in annual internal audit plans but, more important, was never defined as part of the internal
audit universe description. The universe is the big-picture map covering internal audit’s territories and boundaries.
It should be used as a basis for communicating with the audit committee and for planning ongoing internal audit
activities.

The audit universe document is not something that should be changed on a regular basis whenever there is some
small enterprise change. However, internal audit should have processes in place to keep the audit universe current
and updated with perhaps regular quarterly reviews. These reviews often are good times for the CAE to explain to the
audit committee any changes in internal audit’s scope and operations. An effective audit universe defines internal
audit annual planning and becomes a vehicle to describe an internal audit function’s activities.

This chapter has introduced some formats and discussed the importance of effective audit programs. An effective
internal audit function needs to establish a series of standard audit programs covering all regular audit activities.
While some internal audits are done on a specialized, almost one-time basis, many others cover regular internal audit
activities that may be repeated annually or even quarterly. Internal audit needs to develop a standard audit program
format for all reviews as well as standard procedures for some regular, repetitive internal audits. Audit programs
were once paper documents that were sometimes lost or improperly modified. Today, however, they are organized
as electronic documents that are centrally controlled and located on auditor laptops. They can be a learning tool for
incoming internal auditors and a mechanism by which to prepare consistent and more effective internal audits.

An understanding of how to build and use an audit universe for an internal audit function as well as supporting audit
programs is a key internal audit CBOK requirement. Senior members of the internal audit team should have an
overall understanding of how to build and use these tools. Internal audit staff members should understand their use
and how they fit in overall internal audit processes. Perhaps even more important, internal auditors at all levels
should have a strong CBOK understanding of building and using audit programs that are consistent with
their audit department’s established standards.
