Chapter 10

A U D IT P R O G R A M S A N D
ES TA B LIS H IN G
TH E A U D IT U N IV ER S E

internalaudit areas
reviews of financial process internal

controls,
operational areas in the enterprise,
safety and security issues,
controls related to information
technology (IT) systems,
etc

after internal audit get its scope of

potential areas to review, the chief
audit executive (CAE) and other
members of the audit team can
subject areas to risk analysis and
develop overall internal audit
activity plans.

audit universe
list of all of the potential areas to

audit
CBOK : Internal auditors at all levels
should understand the importance of
having an enterprise-specific internal
audit universe as a basis to guide
their internal audit activities. That
audit universe will help internal audit
to better present planned activities
to the audit committee

 all members of an internal audit

function should perform their internal

audit procedures in a consistent and
orderly manner. They will accomplish
these audit procedures through
documents called audit programs

D efi
ning the Scope and O bjectives of
the InternalAudit Universe
To define its audit universe, internal

audit should review or understand

the number of potential audible
entities (business units / areas of
operations) within the enterprise and
across those business units

Exam ples ofauditable

activities include
Policies, procedures, and practices both on an

enterprise level and those specific to locations,

such as at international units
Manufacturing, distribution, or supply chain
units
Information systems on infrastructure and
specific application levels
Major contracts or product lines
Functions such as purchasing, accounting,
finance, marketing and mothers

 The internal audit team should also

define several audit focal points to

ensure consistency in their execution
of all potential internal audits.

Focalpoints
For an information security universe
1. IT access controls
2. System security configuration
3. Monitoring and incident response
4. Security management and administration
For an IT infrastructure universe element
1. Structure and strategy
2. Methodologies and procedures
3. Measurement and reporting
4. Tools and technology

II

Assem bling Audit Program s :Audit Universe

Key Com ponents
To provide help and guidance, internal

auditors use audit programs to perform

their internal audit procedures in a
consistent and effective manner for
similar types of audits.
The term program refers to a set of
auditor procedures similar to the steps
in a computer program, which go
through the same steps every time the
process is run.

Exam ple
Computer program to calculate pay will include

instructions to read the time card file of hours worked,

look up the employees rate stored in another file, and
then calculate the gross pay. The same steps apply for
every employee unless there are exceptions, such as
overtime rates coded into the payroll program.
Similarly, an audit program is a tool for planning,
directing, and controlling audit work and a blueprint
for action, specifying the steps to be performed to
meet audit objectives. It represents the auditors
selection of the best methods of getting the job done
and serves as a basis for recording the work steps
performed.

Audit Program Form ats and Their Preparation

An audit program is a procedure

describing the steps and tests to be

performed by the auditor when
actually doing fieldwork.
The program should be finalized after
the completion of the preliminary
and field surveys and before starting
the actual audit fieldwork.

 The format is Depending on the type

of planned audit, programs usually

follow one of three general formats:
a set of general audit procedures,
programs with detailed instructions
for the auditor, and a checklist for
compliance reviews

 The questionnaire-format audit

program tends to cause auditors to

overlook necessary evidential matter.
Inexperienced auditors can too easily
check yes on the questionnaire without
determining.
The approach allows audit
management to recognize what
procedures the auditors did or did not
perform

 There is no best or set format for an

audit program; however, the

program should be a document that
auditors can use to guide their
efforts as well as to record activities.

Types ofProgram Audit

Evidence
An audit program, properly

constructed, should guide the auditor

in evidence-gathering process.
An internal auditor will encounter
multiple types of evidence that can
be useful in developing audit
conclusions.

Audit Universe and Program M aintenance

The audit universe document is a general

description of all of the audit units that an

enterprise internal audit function may
review.
It is a plan that defines the breadth and
scope of internal audit activities
An understanding of how to build and use
an audit universe for an internal audit
function as well as supporting audit
programs is a key internal audit CBOK
requirement.