An Audit Universe can be extremely valuable to any Internal Audit function. Regardless of the maturity of an organisation, how robust and well developed the entities controls are, or the size of an internal audit function, an audit universe can provide many benefits, such as:
- Identification of each business unit (otherwise process or auditable entity);
- Mapping of risks, controls and regulations to each business unit;
- History of audits performed and time / cost associated with each audit, as well as the audit rating; and
- Assistance in the development of a strategic audit plan.
This blog post will explain how an Audit Universe can be beneficial to the annual planning process.
The IIA does not state that an Audit Universe is required by an audit function, however the benefits, particularly during the annual planning processes, of having an audit universe can be insurmountable. The lack of guidance or standards on how an Audit Universe should look, means it can be developed and tailored to suit the needs of your business and audit function. There is a large amount of guidance available on the internet about how you can set up an Audit Universe; my favourite being this article from the ICAS which can be read here.
It is important to note that the Audit Universe is a living document, and as such, should be updated regularly. My personal preference are 6 monthly updates to coincide with the half year review and annual planning processes.
To follow along, a copy of the Audit Universe template can be downloaded here.
The Audit Universe
From reading the guidance and from personal experience, I have developed my own Audit Universe. A breakdown of the Audit Universe and it’s various components are detailed below:
Overview
Audit Universe Overview – An extract of what the Overview section could look like.
The overview section provides a simple breakdown of audits per auditable entity or business area. Personally, I find building your universe around the relevant business areas / division and the audits that sit within each area is the most relevant and easy to use way to build your universe. This will also help with any dashboard or management reporting you perform elsewhere.
Alternatively approaches include building the Audit Universe around entity risks, however as the risk register is constantly involving, this (in my opinion), is not the most stable basis to build the Universe on.
As all good auditors, we should be referencing each audit on our Audit Universe. This will become extremely valuable later on. Additionally, we would want to ensure that the Universe is complete. A check back to the company organisation chart, risk registers, or accounting cost centres can help as a starting point to ensure completeness. A simple Google of other Audit Universe templates will also help as a completeness cross check.
Risk
Audit Universe Risk – Inclusion of the Risk Register in the Universe can help show what areas may or may not be covered by the Risk Register, and the appropriateness of the current risk threshold.
Building a risk based audit plan is essentially in ensuring the audit activity and resources are best allocated to those high risk areas of the business. Inclusion of the Risk Register into the Audit Universe and aligning this directly to the individual audit topics or business processes can really assist in the development of a risk placed audit plan. Furthermore, it can help identify areas of the business which may not currently be considered by the Risk Register. Particularly for maturing businesses or those with a high risk appetite, mapping the risk register to business processes can help high light or emphasis how risk adverse a business may be and can help challenge the appropriateness of the current risk thresholds.
Previous Audits
Audit Universe Previous Activity – An example of how the previous audit activity breakdown can look.
Mapping previous audit activity against each audit activity identified within the Overview section of the Audit Universe can help annual planning on multiple fronts, such as:
- Identify what activity has been performed against high risk areas;
- Audit coverage per business area;
- Assistance in audit resourcing and budgeting; and
- Audit outcomes from previous activity for each area.
By identifying and understanding the above, we are better placed to develop a more informed annual and strategic audit plan. It will also help with effectively using audit resources.
Compliance and Regulations
Understanding the current control framework in the business and where assurance is currently obtained can help in prioritising and directing audit activity. Furthermore, understanding the regulatory or legal requirements associated with each topic area can help in identifying where there may be gaps in current compliance programs or high risk areas where have historically not provided positive audit results.
Dashboard Reporting
The Audit Universe, if developed and maintained well, is a powerful tool for dashboard reporting. Applying a ‘cycle’ to each audit topic, and using the information already in the Universe, you are able to develop a more strategic audit plan, or have more meaningful discussions with business area leaders / executives. As a starter, an example Dashboard can look similar to the below.
Annual Planning Discussions
The Audit Universe can be filtered to show a list of audits per business area, when audit topics were last performed, what the outcome was, and what regulations currently impact each audit topic within the business area. This list can be further filtered to highlight what audits may be good to include on the upcoming Annual Plan. I call this list “The Menu”, and using the Menu as a conversation starter with the business area leads or executive can help in developing a well rounded audit plan that not only address risk, but also has the buy in or senior management
It should be noted that this is only one part of the Annual Planning process. There are many other items or reports which should be considered when developing the annual and strategic / long term audit plans.
To gain a copy of the Audit Universe, simply CLICK HERE to download your free template. Please note, this document is available in Excel, however when saved onto PDF, worksheets are automatically adjusted to fit on one page.
How we have attempted to make our templates meet the criteria of the IIA’s International Standards for the Professional Practice of Internal Auditing (Standards)
Over the past year, I have been uploading a variety of templates covering all aspects of the audit process. The templates are a way for me to share my audit knowledge, skills, and templates; whilst also providing an opportunity to help other auditors not only become more diligent and efficient, but also help others meet some of the requirements of the IIA’s International Standards for the Professional Practice of Internal Auditing (Standards).
It is important to note, that without an independent assessment, I cannot say that these templates conform to the Standards. Similarly, anyone using these templates in a review cannot state in their final report that the audit has been conducted in accordance with the Standards without an independent assessment also. However, the templates have been built off best practice from across the industry, with particular attention being paid to the requirements of both the Internal Audit standards and Auditing Standard – ASA 230 – Audit Documentation.
Our audit overview shows how each of our templates can be linked to the audit standards. Snippets of our audit process and how it links to the audit standards is included below:
The Standards
The Global Institute of Internal Auditors have put together standards, aimed at guiding adherence with the mandatory components of the International Professional Practices Framework (IPPF), providing a framework for performing audits, establishing a basis for evaluation and, encouraging improved business processes and operations.
As the IIA states, “The Standards are a set of principles-based mandatory requirements…”. These should form the minimum of all your workpapers.
The Standards can be accessed here.
Planning
Your audit will only be as good as your planning. Failure to appropriately plan and scope the review can potentially result in risks not being appropriately reviewed, or improvement opportunities within the business not being identified.
The Standards reflect how important the planning phase is, with the Standards considering everything from current risks and governance processes, through to current control frameworks within the business, and even the objectives of the review. The templates we have developed will help guide you throughout the Planning process and help you consider parts of the Standards.
As always, be sure to check the Standards for yourself to make sure you have considered all the minimum components.
Our planning templates can be accessed here.
Fieldwork
This is the guts of it. By now, you have done all the planning, worked out what your risk areas are, and now built a Work Program around how you are going to test and address each of the identified risks.
Throughout the fieldwork phase, it’s important to ensure that all of your work is appropriately documented. If it’s not documents, it’s not done. At a minimum, each workpaper should include:
- Scope area being addressed
- Purpose/objective of the workpaper
- Methodology – how we have performed the work
- Tests
- Outcome / conclusion
Our fieldwork templates can be accessed here.
Reporting
The audit report phase is important for so many reasons. Not only is it the one major output of your work, but it is also a direct reflection of the effort and attention to detail which has been undertaken during the audit.
An audit report also has the potential to value add by identifying opportunities or future considerations which may not have otherwise been surfaced.
It is important that reports are communicated to the relevant stakeholders and appropriate management. Additionally, reports should be clear and concise as they will be constantly referred to for the action tracking / audit follow up process.
Our reporting templates can be accessed here.
If you want to know how well you have truly done on an audit, its best just to ask those you have audited. Enter, the audit satisfaction survey.
Internal Audit satisfaction survey’s are often overlooked, or seen as a tick box exercise, however if done well, can provide real value to any internal audit team. Additionally, it is quite common for business area’s or clients to not respond to feedback requests, and internal audit don’t necessarily follow up on this, further demonstrating how much we actually value feedback.
For me, there are a few components to an effective internal audit survey, such as:
- Length and form of the survey
- Quality and relevance of the survey
- Timeliness of the survey
- After the survey – KPI’s, performance monitoring and embedding feedback
Length and form of the survey
Ain’t nobody got time to be completing survey’s, let alone one about audit. Further, unless they have something to complain about, why would they want to provide feedback? Given this, we need to give reason for the survey, without boring them before they have even made it to the first question.
- There are a couple of ways in which a survey can be distributed:
- Survey Monkey
- Poll within Microsoft Teams
- Word Document form
- Form embedded into an email
- Face to face feedback session
With all of these options, the request for feedback can either be sent via the report transmission email, via a separate email, or in the case of face to face feedback, via a phone call. With each of these options, the intro to the survey needs to be exciting, engaging and show that we desire and use their feedback. A great example of this is a picture directing people to the survey being included in the email. It pop’s out more, and once clicked, will take people directly to a site such as Survey Monkey. Another option I have seen work quite well, is a form embedded into an email. It lands directly into the recipients inbox and when they see it’s only five questions, its likely to get a quick response.
Quality and relevance of the survey
I recently completed a survey from Sainsbury’s. It was introduced as a survey about new products and what my opinions are, as this would help them with their marketing. Frustratingly, the survey ended up taking 10 minutes and talked about a new yogurt they had introduced; a product which I have never bought from Sainsbury’s. In fact, I have not bought any yogurt from any of their stories. The point here is, although I completed the entire survey, recipients of an internal audit report and satisfaction survey probably don’t have 10 minutes to answer a survey.
A simple check box exercise over key audit areas, or a text box survey questioning what was done well, what can be improved, and what we should start and stop doing, are probably all you really need to know.
Ultimately, focus on what your KPI’s are (whether or not these are quality KPI’s is another question), what your end goal is (is this for reporting to the Exec or audit committee, or generally improving the audit function), and what you are going to use this information for (i.e. process / methodology improvements or staff performance reviews). Understanding what you want to achieve from your survey will help you ensure you are asking the right questions and not overburdening the respondent.
Our example survey has been prepared in Microsoft Word and includes an abundance of questions. This has been done intentionally, allowing you to move it to a format which suits you and also cut out the questions which you don’t think are necessary. The whole survey can be used if desired, but this goes against our concise / to the point approach we have just spoken about.
Timeliness of the survey
The sooner the better. Once issuing the report, if you’re not already including the survey link / document / invite in the transmission email, your next email immediately after should be the survey email. A lag between when the report is issued and when the survey is issued can result in a lower response rate.
It should be the responsibility of the lead auditor to ensure all responses have been received, with a follow up sent one week after the initial email. After two follow up’s without success, it would be reasonable to not expect a reply. By actively following up, or offering a phone chat / face to face discussion, it shows that we do want to know their thoughts. It also gives us the opportunity to show why we want their feedback and where previous feedback has actually been incorporated into our ways of working.
After the survey
As mentioned earlier, the design of our survey should take into consideration what we actually want from it, and what it is going to be used for. The first, and most obvious answer, is satisfaction / audit quality KPI’s. Often, survey results will align to internal audit KPI’s, and therefore, our questions will often be geared to answer our KPI’s rather than our audits. This is a personal bug bear of mine as simply saying X% of a survey responded saying our audit exceeded their expectation, is hardly insightful. Additionally, is someone who receives a critical or failed report, really going to say that your audit exceed their expectations? Audit KPI’s are a whole other issue I might write about another at another time, however its a great example of making sure our survey’s have a purpose.
Additionally, if we are required to include in our quarterly updates to the audit committee the results of any survey’s, we should ensure that the questions give us good insights, but also something which can be easily summarised and presented.
Finally, the last real big component is implementing change. Where a survey does give good feedback, what do we do with it? Sure, we might not action the feedback if its only one person recommending the change, but we should still investigate it nonetheless. Personally, I believe the lead auditor should be bringing audit feedback to the audit team meetings. The feedback can then be discussed, then if necessary, action taken for it to be implemented. Whilst not entirely necessary, an email back to the business stating that you have addressed their feedback and undertaken a range of actions, shows that their feedback has’t gone straight to the recycle bin and can help build audit / business relations.
Although an older article, the team at That Audit Guy have also provided some comments on good internal audit survey’s. You can check out their article here.
Be sure to check out our survey template and steal some of the questions for inclusion in your own survey.
Simply CLICK HERE to download your free template.
You’ve done the planning, you’ve done the fieldwork, and now you have to deliver the outcomes of your work to the business area. How you go about delivering your audit observations is important, particularly to gain the buy in from management.
Whilst sometimes referred to as a Close Out meeting, I much prefer the term “Findings and Actions Workshop”. Whilst essentially the same thing, the term workshop come across as being much more collaborative than “close out”. In my opinion, it is almost worthless just telling the business areas what the observations are. Failure to have a collaborative workshop can possibly result in resistance to internal audit, dismissal of our findings, and failure for any chance to occur. It’s for these reasons, I much prefer to call the meeting a workshop.
Before we get to the Findings and Actions Workshop, there are a few things which need to occur throughout the audit journey. Firstly, as we progress through fieldwork we should be communicating and clarifying our observations as we go. Its often during fieldwork that an issue may ‘go away’ when you talk to the relevant business area, gain more information and work through the situation. Its important to do this, as there is nothing more embarrassing then presenting something as an issue to management which doesn’t actually exist.
Secondly, we want to document our observations as we go. For me, I find using a Potential Issues List is a great way to keep track of any potential issues, which can also double as a ‘to do’ tracker for you to work through and confirm your findings during the fieldwork phase.
Lastly, we want to discuss our observations internally. Using the Team Wrap Up Meeting template, we can discuss our Potential Issues List and ensure there is no other information our there which we may not have been privy to during the review, which may impact our final observations. Once we have done this exercise, we are ready to go to our workshop.
When setting up the Findings and Actions workshop, I personally find it best to refer to findings as ‘Potential Observations’ and to only provide a high level agenda in the meeting invite. Providing the business area the full list of observations can be a distraction, and rather than discussing the issues and underlying risks, business areas can become focused on just clearing away the issue.
During the actual workshop, its important to encourage a positive and productive environment. By this point, we should have already confirmed out potential issues list, so the focus of the workshop should be to jointly craft meaningful recommendations for each issue which will not only address the risk, but are easy for management to implement. By crafting recommendations together, we are able to automatically gain management buy in, plus hopefully speed up the report finalisation process as management have essentially just written their on recommendations.
Depending on the size of your review, you may want to think about who you invite and how you present the potential issues. In a more ‘standard audit’, the template which I have prepared is a good hand out to walk through and use as a discussion point for each item. For larger workshops, Thinking Audit has developed a great free guide to workshops which you can download here.
Simply CLICK HERE to download your free template.
Prior to conducting a Findings and Actions Workshop with the business and key audit stakeholders, its important to make sure all components of the audit have been covered, workpapers have been reviewed, and preliminary issues have been discussed to make sure they are reasonable, or not mitigated by other items from across the business. Because of this it is important that there is a Team Wrap Up Meeting.
The purpose of the Team Wrap Up Meeting is to:
- Discuss the Potential Issues List. This list should have been kept up to date throughout the audit and will become central to discussions with the business during the Findings and Action Workshop, and the final report;
- Determine what extra work needs to be performed (if any); and
- Plan for the Findings and Actions Workshop.
This meeting provides the opportunity for the audit team to come together and ensure the a good quality audit has been completed which considers all the necessary risks Additionally, by having the correct audit team members (Directors, Heads of, etc) present in the Team Wrap Up Meeting, we are able to better understand the broader business impacts of our audit observations. For instance, a finding identified through fieldwork may be mitigated by a control or process performed elsewhere in the business which may have been accidentally overlooked, or the team was simply unaware of. This meeting also gives the opportunity to make sure our work considers the company strategy, or any larger business changes which may not currently be known to people outside of senior leadership teams. Whilst all of this may not change your audit observations, it will help the audit team to provide better context and have more meaningful discussions during the Findings and Actions Workshop.
Aside from making sure we have delivered a quality audit, this Team Wrap Up Meeting will help ensure there are no awkward moments or last minute surprises when the audit team is conducting the Findings and Actions workshop.
As good auditors, its not done unless its documented, and therefore, good audit practice means you should document your meeting minutes.
Simply CLICK HERE to download your free template