I’ve been taking this week to learn from colleagues and fellow professionals in the international arena. One thought that prompted me to reconsider what I do concerned the audit universe.
Now, in general, I don’t like audit universes. They measure gross risk; they are often overly metrics based; they are often based on what can be measured rather than what matters; they tend to be static (usually because of their gross risk nature); and they are built bottom up from business or geographic units.
In short, my view is that they lay claim to a scientific reality and a systematisation of the world that simply does not exist, and they are often banal and two-dimensional ways of claiming to be risk based.
Yet two additional components have come to my attention that prompted me to think. First, that an audit universe can be applied to corporate processes. Second, that one could also systematise the response side of the audit equation in a risk universe manner.
Let’s deal with the first element, that corporate processes could be put into an audit universe. Yes, of course, in theory. I suppose in IIA terminology it would be an ‘auditable entity’ (whatever that means). Yes, I guess one could use this to drive a corporate audit strategy. One could be less crass about it and, instead of auditing corporate departments (HR, Payroll, Accounts Payable etc.), one could audit those processes. One could use impact and likelihood criteria (which feels a bit like a risk assessment) to prioritise these in a risk universe.
Turning to the second element, one could also systematise the response to this risk and audit universe. For those auditable entities one could then apply a systematised response. One could categorise audit responses; for instance, one could say: full site review, site review of the design of controls only, or desktop office-based review.
Now, these approaches have merit, but they feel two-dimensional. Why? The artificial cutting up of risks into auditable units that are not bespoke would seem to belie the complex reality of the world. Yet the alternative, professional human judgement, feels somehow lacking when explaining to audit committees why things are in the plan (or not).
As an example, think about a straightforward audit of HR. What risks would perfectly match the HR department? Most HR processes manage a number of risks. Most HR departments do not deliver and control all HR processes. So why would HR be an auditable corporate entity? Perhaps, then, think about it in terms of processes. Take procurement. Again, this process manages many different risks, across many different business objectives. So how risk based is this?
So, in reality, can an audit universe be useful? Well, I think yes for bottom-up audits, but not for a risk-based audit. I think they also help to (broadly) categorise audit responses. They must not be treated as science fact. They are science fiction. The realist reality of life is that the world is complex and messy, sorry.
So perhaps an audit universe and its supporting methodology does have a place as a tool to justify, in macro terms, the overall areas of coverage and the content of the plan. It is not, sadly, a scientific answer to a socially scientific world.