The Audit Universe
Conventional wisdom and common practice have resulted in the development of the … drum roll please … audit universe — the starting point for internal audit plan development. The audit universe is the sandbox in which internal auditors play. It represents all things (lines of business, subsidiaries, alliances, and processes) that are considered “auditable” by internal audit teams. It is a big list, and we measure coverage against this list. Math can get a little tricky, but we forge forward nonetheless.
Now let me pose this question: What happens to the rest of the risk universe? Is the audit universe equal to the risk universe? Probably not. So, who is providing assurance over the rest of the population of risks — things like geopolitical risk, economic recession and recovery, and brand risk? As an internal audit function, is it our role to go find out? Maybe we just assume that it’s management’s role, not ours. Or maybe it’s the role of enterprise risk management, the legal team, or other assurance services within your company.
Is internal audit just assuming that someone else will point out that there are gaps between the audit universe and the risk universe? Perhaps it’s our role to shine light on the gaps, so our stakeholders know what’s not on our radar. I’m not suggesting that internal audit must provide assurance beyond the audit universe. We may not have the skills or resources to do so. But I am suggesting that we take a look, if we haven’t already, to make sure our company’s risk universe is covered. And if not, then that’s a good starting point for a conversation with management and the audit committee.
Posted on Jun 27, 2011 by Kiko Harvey