Developing and maintaining the audit universe

The structure of the audit universe in each organization typically reflects the way the organization itself is structured and managed. The audit universe may be arranged or categorized by business unit hierarchy, enterprise architecture, business process model, governance framework, service catalog, or any other functional decomposition that best matches the way organizations view their operations and assets. Regardless of how the organization describes the different structural, functional, or technical elements corresponding to items in the audit universe, there is almost always some level of common overarching entity-level controls subject to audit. As described later in this chapter, audits of entity-level controls often require the use of multiple audit approaches because they usually span many different types of internal controls. The broad scope of these audits and their applicability at all organizational levels also means that entity-level audit reports have a wider audience than those produced in other types of audits. In addition to enterprise-wide controls used throughout an organization, the inventory of controls and auditable items in the audit universe can also identify common controls shared across business units, facilities, operating environments, processes, or systems. Auditors performing audits at any level below the entire organization need to ensure that the scope of their audits includes entity-level and other shared controls as well as those implemented specifically for components the audit examines.

Most organizations have too many auditable elements to make it feasible to produce an audit universe as a simple list; instead, organizations need some sort of categorization or organizing scheme to align the audit universe with governance and risk management functions and facilitate the use of the information in audit planning and prioritization. In addition to categorizing auditable elements by business or technical function, location, control type, purpose, or other attributes, many sources of guidance on internal controls also recommend distinguishing among the different levels within organizations at which controls apply. For instance, the Internal Control—Integrated Framework published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) categorizes internal control components by purpose (operational, reporting, or compliance) and by applicability (entity level, division, operating unit, or function) [2].

Organizational elements typically included in the audit universe include:

units of organizational structure such as business units, operating divisions, facilities, or subsidiaries;

accounting structures such as cost centers, lines of business, or process areas;

strategic goals, objectives, and outcomes, which are evaluated in part by auditing the resources allocated for their achievement;

mission and business processes, services, and operational functions executed by the organization;

assets—including IT assets—the organization owns, operates, manages, or controls;

programs, projects, and investments to which the organization commits funding or other resources;

internal and external controls implemented by the organization or on its behalf;

management functions or programs such as governance, risk management, quality assurance, certification, and compliance as well as internal auditing.

Internal controls explicitly itemized in the audit universe or implicitly referenced through their implementation with other organizational elements may be further categorized by type and subject area in a manner conceptually similar to the decomposition shown in Figure 6.1. Organizations also try to align assets identified in the audit universe with similar asset inventories developed in support of risk management activities, since risk assessment results strongly influence the prioritization of elements the audit universe includes.
