Developing the Audit System
The Internal Control System (ICS) serves as the safety net of an organization. It is not merely a collection of rules and procedures, but a cohesive framework that safeguards assets, prevents errors, and ensures alignment with both organizational goals and regulatory frameworks.
For this reason, the proper development of the ICS should be a top priority not only for management but for all staff. COSO (the Committee of Sponsoring Organizations of the Treadway Commission), whose framework is the internationally recognized reference model for any ICS, states that the system's effectiveness stems from the Board of Directors and all levels of management and staff working together to provide reasonable assurance that organizational objectives are met in three critical areas:
- Effectiveness (ability to achieve objectives) and efficiency (achieving objectives with minimal resources) of operations
- Reliability of financial and other reports
- Compliance with laws and regulatory frameworks
Developing an ICS involves designing and implementing a set of control mechanisms, which can be an extremely complex and time-consuming task. However, it is absolutely necessary. According to the latest Report to the Nations (2024) by the Association of Certified Fraud Examiners (ACFE), in 51% of the fraud cases examined the primary weakness that allowed the fraud to occur was either the absence of internal controls or the override of existing ones; in other words, ineffective controls.
But how can we implement resilient and effective controls that align the organization’s operations with its strategic goals? Here’s how:
- Cultivate a culture of compliance
This refers to improving the Control Environment. It starts at the top, with senior leadership setting the “tone at the top,” placing significant emphasis on the existence and strict implementation of control mechanisms. This tone trickles down the management chain to all staff levels.
- Assess risks
We can’t build a safety net without recognizing, analyzing, and evaluating the risks our organization faces. Effective control design requires a full understanding of the risk it is intended to address. Thus, it’s essential to document both the potential impact and likelihood of each risk.
- Document control mechanisms
Controls must be formally established and documented so they can be executed by employees (first line of defense) and monitored by control owners (second line of defense). This facilitates the work of Internal Auditors (third line of defense), who test the controls to verify proper functioning.
- Communicate controls to all stakeholders
The organization should adopt a communication and training program so employees are prepared to implement the adopted controls in the best possible way.
- Automate controls where possible
Automation can provide real-time information and extend control testing from a sample to the entire population of transactions, so exceptions are caught as they occur rather than at the next periodic review.
Mapping the Audit Universe
To appreciate the importance of the Audit Universe in developing the Audit System, we must first define it:
“The Audit Universe refers to every unit, area, function, program, project, or process that could potentially be subject to an audit.”
It consists of discrete auditable units (areas, entities, processes) that can each be the subject of a separate engagement. In statistical terms, these units form the Audit Population from which engagements are selected.
With a documented Audit Universe, the Internal Audit function essentially has a “menu” of potential audit activities. This makes the Audit Universe a vital tool in preparing the Annual Audit Plan, where the Internal Audit team selects audits based on risk assessments.
Is documenting the Audit Universe mandatory?
The short answer: NO.
According to Standard 2010.A1 of the International Professional Practices Framework (IPPF, 2017):
“The internal audit activity’s plan of engagements must be based on a risk assessment, conducted at least annually. The input of senior management and the board must be considered in this process.”
While the Annual Audit Plan must be risk-based, there is no requirement that this risk assessment must originate from a documented Audit Universe. The Institute of Internal Auditors (IIA, 2023) confirms this:
“The International Standards do not require the documentation of an Audit Universe. The Chief Audit Executive (CAE) may choose whether to document it…”
But what are the factors that will influence the decision of the Chief Audit Executive (CAE) regarding the documentation of the Audit Universe?
According to the Institute of Internal Auditors (IIA), they are the following:
- Geographical expansion of the organization
- Instability of the sector in which the organization operates
- Nature of the commercial activity
- Extent of organizational change
Each of the above factors argues for documenting the Audit Universe and keeping it current. An organization that undergoes significant change over time needs not only an initial mapping but ongoing updates, which makes maintaining the Audit Universe a dynamic process rather than a one-off exercise.
- Assurance requirements from the Audit Committee, the Board of Directors, and external regulatory bodies
For example, central banks in many countries, acting as supervisory authorities for the banking sector, require supervised institutions to document their Audit Universe. Organizations without such a requirement may instead maintain a Risk Register and base the audit plan on it, bypassing a documented Audit Universe.
- Maturity of the Internal Control System (ICS)
Documenting the Audit Universe adds the most value where the ICS is weak, informal, or fragmented, because the mapping itself is often the first complete inventory of what could be audited. A mature ICS with automated controls, integrated risk management, and effective oversight does not necessarily require a documented Audit Universe; in such cases, Internal Audit can rely on reports from management, the risk manager, and information systems to identify and prioritize engagements.