Identifying Audit Universe of Auditable Activities

Type: Executive Summary

Date: 6/23/2008
Number of invitations sent: 1,600
Total number of responses collected: 275 (17.19%)

1: Is your organization’s management involved in identifying auditable activities?

(Respondents could only choose a single response)

Response Chart Frequency Count
No, internal audit identifies
with no management 16.7% 46
involvement
Yes, internal audit
identifies and validates 76.4% 210
with management
Yes, management identifies 6.9% 19
Valid Responses 275

Total Responses 275

2: How are auditable activities grouped in your organization?

(Respondents were allowed to choose multiple responses)

Response Chart Frequency Count

Department 48.0% 132

Function 71.6% 197
Risk 40.0% 110
Executive 10.5% 29
Location 33.1% 91
Other (specified below) 21.1% 58
Valid Responses 275

Total Responses 275

GAIN – The IIA and IIARF’s Premier Benchmarking Program

Copyright © 2008 The Institute of Internal Auditors
1
2a: In what other ways are auditable activities grouped in your organization?

Response

Processes – 26 responses

Lines of business / Divisions – 17 responses

Hybrid

Cobit objectives

Hyperion and/or Legal Entity

Computer application, accounting policy

Materiality

Integration with ERM program is depicted in audit plan.

By Contract

Hybrid of projects/offices, and processes

Shared Service, Regulatory, IT, Location

In the US - by plant location and by department; international by location

Hybrid of function and process

My prime two sources: 1) Organization Structure 2) Management Accounts Reports

GAIN – The IIA and IIARF’s Premier Benchmarking Program

Copyright © 2008 The Institute of Internal Auditors
2
3: Is there an overlap of any activity between subsidiaries or departments? (Example:
If subsidiary has accounts payable, is accounts payable listed once as an activity, or is it
listed by subsidiary?)

(Respondents could only choose a single response)

Response Chart Frequency Count

Listed once as an activity 46.2% 126

Listed once by subsidiary 16.5% 45

Listed in both places 26.4% 72

Other (specified below) 9.5% 26

Not sure / do not know 1.5% 4

Not Answered 2

Valid Responses 273

Total Responses 275

3a: Other

Response
we do a little of both depending on the activity; we perform organization wide audits of certain
activities while auditing other activities during the auditable entity's audit; based on efficiency of
performing the audit and assignment of responsibilities for activity
If the controls and processes are the same and performed by the same persons it will be included
in the Accounts Payable audit. If the persons or controls are different at a subsidiary then
Accounts Payable will be included as part of that subsidiary.
Listed in the Corporate universe and then inclusive of entity (Hyperion/Legal) audit
considerations.
listed once if it is a corporate-wide process however, subs are listed underneath
Subsidiary: primarily as audit objective of audit. Activity: how is control / oversight from head
office organized
listed once as an activity but is cross-referenced to the applicable entities (the entities each have
a column in the spreadsheet)
listed once either under the location or function if centralized
Is a component of every review for compliance and is audited as a process, for example,
accounts payable, accounts receivable, travel.
In your example, of Accounts Payable will be audited as part of a single audit that it is only in the
universe once. If it is to be audited as part of each subsidiary audit then it would be listed
multiple times.
GAIN – The IIA and IIARF’s Premier Benchmarking Program
Copyright © 2008 The Institute of Internal Auditors
3
listed once as a process

listed in both- if deemed risky in both

Depends on whether the activity is independent. If independent, then it is listed as an activity
within the sub. If it's part of an enterprise wide process, then it is not included in the subsidiary.
Once under shared service, then could also be part of a site audit.

Risk

Listed in each subsidiary

listed by primary accountability - sometimes by activity, sometimes by subsidiary, but only listed
in one or the other
Primarily as activity but referenced by entity

depends on whether activity is the same or separately managed

Once as a shared service at the corp. level and once for the subsidiary

Listed in both places sometimes

GAIN – The IIA and IIARF’s Premier Benchmarking Program

Copyright © 2008 The Institute of Internal Auditors
4
4: Are IS/IT activities included as separate auditable activities or part of operational
areas? (Example: If an operational unit utilizes a particular system, is that system listed
as an auditable activity by itself, or would it be covered more generically as part of an
IT activity?)

(Respondents could only choose a single response)

Response Chart Frequency Count
Included as a separate
55.7% 152
auditable activity
Included as part of
23.4% 64
operational area or function
Other (specified below) 19.4% 53

Not sure / do not know 1.5% 4

Not Answered 2

Valid Responses 273

Total Responses 275

4a: Other

Response

Both (depending on activity) – 26 responses

We audit risks!

we outsource IT audit and the provider does a completely separate Risk Assessment and plan

Our IT audit group would perform a separate IT controls review of the IT system.
General ICT controls are audited separately. In operational areas we include access control and
relevant application controls
Mixed approach; specific applications are not listed separately as these are considered in
connection with the process audit; general IT activities like change control or security
management are listed separately
Included in the IT auditable activities75
IT general controls are separately audited, while application security is audited as part of the
business process/operational area reviews.
IT includes an application controls section, but usually considers the related system when looking
at a specific process to audit.
part of an IT activity

GAIN – The IIA and IIARF’s Premier Benchmarking Program

Copyright © 2008 The Institute of Internal Auditors
5
Centralized systems are reviewed as a separate auditable unit and distributed systems are
included in the operational area.
If the IT activity is significant in terms of size / impact of risk, it is listed separately. Otherwise it
is grouped as part of the operational area.
may be part of a larger, non-IT process
All application controls audits are performed as part of an integrated process review that includes
financial, ops, IT and compliance controls. SDLC and technical IT areas stand alone.
Looked at both ways. Some systems are unique to a Business Unit, while other are corporate-
wide systems. Our approach ID's the system and shows it in one location only.
System audits and Process audits (that include System aspects)

It depends on the engagement, sometime independent, sometime separate

Depends on the criticality of the system

IT depends on the system/process relationship

sometimes stand alone audit, sometimes an integrated audit depending on several factors
applications are reviewed as a part of the operational review, other IT activities that support
general computer department processes (i.e. change management, security, etc.) are separate
auditable entities for IS/IT
Applications covered under function they support, general IT controls listed as separate auditable
activities
Identified as a separate unit with in the department
What I do if the system is not big and complicated will be covered part of operational areas. My
IS auditor carries out audit the core and complicated systems
some risks covered centrally (program change, access), some risks covered within the operational
area
Generally as part of the operational function, with some exceptions, such as large system
implementations
It depends on the area under audit. Some audits are integrated and the IS activities are included
as part of the area. Other IS activities that are corporate wide or that belong to one of our subs
are audited as a separate activity.
general controls are included in the scope; system controls are separately reviewed

GAIN – The IIA and IIARF’s Premier Benchmarking Program

Copyright © 2008 The Institute of Internal Auditors
6
5: Please provide any additional comments you have regarding this survey topic:

Response
I have found that the processes of conducting a Risk Assessment helps tremendously in identifying
auditable entities with the additional benefit of rating the risk associated with it
I'm not particularly satisfied that our audit universe is complete. While the list wasn't validated by
management, at any time they can request IA review a particular area.
We should be auditing risks. The concept of auditable entities is old-fashioned. If you like, we have an
infinite number of them.
We set up a process classification scheme that serves as the foundation for our audit universe. This
universe is then linked to our risk universe.
On #6, the 9000 number includes our affiliate corporations, their branches and all of the independent
agents. Full scope financial audits are performed on the affiliates and a more limited scope, risk
detection audit is performed on the independent agents.
I started our audit universe initially by looking historically at what we had audited in the past 2-3 years.
Then I looked at how we were doing our financial reporting and went from there. Once I identified the
lines of business, I then listed each function within that line of business.
However, there will also be generic general computer control reviews, application control reviews and
IT governance reviews.
Our in-house developed "audit universe" owns a lot to a CobiT-like pyramid structure in domains -
functions - processes. Auditable activities are either on the level of processes or one below, sub-
processes or activities.
We may do application security and access audit work both globally and on a module by module basis
when auditing certain functions.
Primary auditable activity is the business unit, but within each business unit, we would audit separate
cycles as applicable (i.e. financial close process, payables, purchasing, revenue recognition, accounts
receivable, etc.)
We have been asked to complete audits of all High Risk activities within five years. This means that
most if not all medium/low risk activities will not be addressed for some time. This process was
initiated by our audit committee so I have their support in taking this approach.
Based on feed back from our recent Quality Assessment Review, we plan to break the IT areas into a
separate auditable areas universe with its own risk assessment.
We identify by department each activity that has operational, financial or negative publicity risk.
The character of the function, activity or process will oftentimes determine whether we split a function
between departments or treat an IT issue as a business process. It really depends on who manages
the function and what process it most closely relates to. Which approach will be the most efficient for
internal audit, the business unit and create the best benefit / cost results.
COSO solved the challenge it appears you are facing a long time ago by developing the three
dimensional cube, which was extended into the larger COSO ERM cube. As you know, all data in the
audit universe is relational, so your challenge is to determine how to best define the layers and
interfaces between objects in the audit universe. Using COSO, at least in the U.S., is a good place to
start, tailoring the content in "your cube" to your organization's objectives, risks and controls.
We have basically taken our org chart and expanded it where necessary to develop our universe. My
next step is to start adding processes (that may span different departments) to get the complete list of
auditable activities.

GAIN – The IIA and IIARF’s Premier Benchmarking Program

Copyright © 2008 The Institute of Internal Auditors
7
We identified about 125 business processes/functions and have used these for key control
identification and documentation
My department took a step backwards on IT when we went to having IT being separate auditable
entities. Prior to a merger, my legacy department had IT risk covered as part of each business line
audit.
Our universe is high level and broken into functional areas of the Company. There are activities that
cross Bus Unit lines or across the Company while others are solely within a Bus Unit. Our universe
considers all Bus Units that comprise the entire Company.
Full audit staff (6 people) participates in development and scoring. Makes for a good 1-day off site
activity.
When evaluating risk for determining our audits for the upcoming year, we have several sets and
subsets of categories of auditable activities. For example, expenditures had several subsets such as
purchased services, Accounts Payable & Disbursements, and Purchasing & Materials Management.
Payroll is divided into Processing & Check Distribution, Benefits Management & Reporting, and
Personnel Production & Attendance Reporting. We try to keep the categories in auditable segments but
sometimes we still have to divide one of the segments into smaller audits, such as for purchased
services, we reviewed architectural fees spent on projects. Purchasing & materials Management.
We are moving to a process view this year and my audit universe will re-align to that approach. So, for
example, Purchase to Pay is considered a corporate Core (Level 0) process made up of three level (1)
primary processes and process owners, Supply Chain Management (Procurement), Finance (Accounts
Payable) and Operations (Warehouse Management). Each of these three Level 1 processes would
appear as an auditable entity in my universe. We would then use risk assessment and scoping to set
the specific audit project we would perform in any given year. I couldn't imagine us ever auditing at
Level 1 due to the size and complexity of the overall process but you never know.
IT activities that are infrastructure in nature are listed as separate IT entities (e.g., change
management, SDLC, Incident Management). Only business-specific applications are included as part of
operational unit
Managing the audit universe is a challenge when the organization is changing drastically. Any changes
in the organizational structure will have an impact on the audit universe and also risk priorities.
Audit universe is reviewed with Gen Mgr & CFO of each business area at least once per year
We are refining our audit universe and dealing with some of the same questions. In relation to
questions 3 and 4, I believe there is value in being more detailed in defining your auditable entities as
there are times when you may choose to audit these items separately (for example, auditing IT specific
controls but not the entire process). You can always combine multiple areas into one audit (auditing IT
controls as part of an operational audit). It seems easier to combine when needed than it would be to
evaluate in total and then try to break out when appropriate. Ultimately, this whole process is more an
art than a science, and trying to make it too quantitative or exact can lead you down the wrong path
IT is becoming more integrated into operational auditing
We have identified IT as a separate auditable entity, but also have made a separate IT audit plan with
sub auditable entities
We do not have standard activities - we identify risk and define them by an annual assessments or
define them on an event related base. Moreover we have production, sales and multi sales
organization as well as service entities with different duties.
Our universe is a work in process right now as the audit department is new.

GAIN – The IIA and IIARF’s Premier Benchmarking Program

Copyright © 2008 The Institute of Internal Auditors
8
6: Approximately how many subsidiaries and auditable activities do you have in your
organization?

Subsidiaries
Range Responses Responses
(#) (%)
1-5 74 33.6%
6-10 32 14.5%
11-25 41 18.6%
26-50 20 9.1%
51-100 27 12.3%
101-500 17 7.7%
500+ 9 4.1%

Auditable Activities
Range Responses Responses
(#) (%)
1-25 23 9.7%
26-50 37 15.6%
51-75 31 13.1%
76-100 34 14.3%
101-250 63 26.6%
251-500 32 13.5%
500+ 17 7.2%

7: Is your organization?

(Respondents could only choose a single response)

Response Chart Frequency Count

Local/regional 40.0% 108

National 24.4% 66

International 35.6% 96

Not Answered 5

Valid Responses 270

Total Responses 275

GAIN – The IIA and IIARF’s Premier Benchmarking Program

Copyright © 2008 The Institute of Internal Auditors
9
8: Select the industry that best describes you organization:

(Respondents could only choose a single response)

Response Chart Frequency Count
Aerospace and defense 1.1% 3
Communication /
1.9% 5
telecommunication services
Construction / engineering /
2.2% 6
architecture
Distribution 1.9% 5
Educational services 3.3% 9
Energy / oil and gas 3.3% 9
Financial services /
21.2% 57
banking / real estate
Gaming / lotteries 1.1% 3
Health services 5.6% 15
Hospitality / entertainment /
0.7% 2
restaurant
Insurance carriers / agents 10.4% 28
Local government 2.2% 6
National / federal government 0.7% 2
Manufacturing 13.8% 37
Mining 0.7% 2
Nonprofit sector 3.3% 9
Pharmaceuticals 0.7% 2
State / provincial government 4.1% 11
Technology 3.0% 8
Transportation 1.9% 5
Utilities 6.7% 18
Wholesale / retail 5.9% 16
Other 4.1% 11
Not Answered 6
Valid Responses 269
Total Responses 275

GAIN – The IIA and IIARF’s Premier Benchmarking Program

Copyright © 2008 The Institute of Internal Auditors
10
9: What is the size of your internal audit activity?

(Respondents could only choose a single response)

Response Chart Frequency Count

1-2 13.9% 37

3-6 36.3% 97

7 - 15 28.5% 76

16 - 20 7.5% 20

21 - 30 4.1% 11

More than 30 9.7% 26

Not Answered 8

Valid Responses 267

Total Responses 275

GAIN – The IIA and IIARF’s Premier Benchmarking Program

Copyright © 2008 The Institute of Internal Auditors
11