Professional Documents
Culture Documents
Response
Processes – 26 responses
Hybrid
Cobit objectives
Materiality
By Contract
Not Answered 2
3a: Other
Response
we do a little of both depending on the activity; we perform organization wide audits of certain
activities while auditing other activities during the auditable entity's audit; based on efficiency of
performing the audit and assignment of responsibilities for activity
If the controls and processes are the same and performed by the same persons it will be included
in the Accounts Payable audit. If the persons or controls are different at a subsidiary then
Accounts Payable will be included as part of that subsidiary.
Listed in the Corporate universe and then inclusive of entity (Hyperion/Legal) audit
considerations.
listed once if it is a corporate-wide process however, subs are listed underneath
Subsidiary: primarily as audit objective of audit. Activity: how is control / oversight from head
office organized
listed once as an activity but is cross-referenced to the applicable entities (the entities each have
a column in the spreadsheet)
listed once either under the location or function if centralized
Is a component of every review for compliance and is audited as a process, for example,
accounts payable, accounts receivable, travel.
In your example, if Accounts Payable will be audited as part of a single audit then it is only in the
universe once. If it is to be audited as part of each subsidiary audit then it would be listed
multiple times.
GAIN – The IIA and IIARF’s Premier Benchmarking Program
Copyright © 2008 The Institute of Internal Auditors
listed once as a process
Risk
Once as a shared service at the corp. level and once for the subsidiary
Not Answered 2
4a: Other
Response
We audit risks!
we outsource IT audit and the provider does a completely separate Risk Assessment and plan
Our IT audit group would perform a separate IT controls review of the IT system.
General ICT controls are audited separately. In operational areas we include access control and
relevant application controls
Mixed approach; specific applications are not listed separately as these are considered in
connection with the process audit; general IT activities like change control or security
management are listed separately
Included in the IT auditable activities
IT general controls are separately audited, while application security is audited as part of the
business process/operational area reviews.
IT includes an application controls section, but usually considers the related system when looking
at a specific process to audit.
part of an IT activity
sometimes stand alone audit, sometimes an integrated audit depending on several factors
applications are reviewed as a part of the operational review, other IT activities that support
general computer department processes (i.e. change management, security, etc.) are separate
auditable entities for IS/IT
Applications covered under function they support, general IT controls listed as separate auditable
activities
Identified as a separate unit within the department
What I do: if the system is not big and complicated, it will be covered as part of operational areas. My
IS auditor carries out audits of the core and complicated systems
some risks covered centrally (program change, access), some risks covered within the operational
area
Generally as part of the operational function, with some exceptions, such as large system
implementations
It depends on the area under audit. Some audits are integrated and the IS activities are included
as part of the area. Other IS activities that are corporate wide or that belong to one of our subs
are audited as a separate activity.
general controls are included in the scope; system controls are separately reviewed
Response
I have found that the process of conducting a Risk Assessment helps tremendously in identifying
auditable entities, with the additional benefit of rating the risk associated with each
I'm not particularly satisfied that our audit universe is complete. While the list wasn't validated by
management, at any time they can request IA review a particular area.
We should be auditing risks. The concept of auditable entities is old-fashioned. If you like, we have an
infinite number of them.
We set up a process classification scheme that serves as the foundation for our audit universe. This
universe is then linked to our risk universe.
On #6, the 9000 number includes our affiliate corporations, their branches and all of the independent
agents. Full scope financial audits are performed on the affiliates and a more limited scope, risk
detection audit is performed on the independent agents.
I started our audit universe initially by looking historically at what we had audited in the past 2-3 years.
Then I looked at how we were doing our financial reporting and went from there. Once I identified the
lines of business, I then listed each function within that line of business.
However, there will also be generic general computer control reviews, application control reviews and
IT governance reviews.
Our in-house developed "audit universe" owes a lot to a CobiT-like pyramid structure in domains -
functions - processes. Auditable activities are either on the level of processes or one below, sub-
processes or activities.
We may do application security and access audit work both globally and on a module by module basis
when auditing certain functions.
Primary auditable activity is the business unit, but within each business unit, we would audit separate
cycles as applicable (i.e. financial close process, payables, purchasing, revenue recognition, accounts
receivable, etc.)
We have been asked to complete audits of all High Risk activities within five years. This means that
most if not all medium/low risk activities will not be addressed for some time. This process was
initiated by our audit committee so I have their support in taking this approach.
Based on feedback from our recent Quality Assessment Review, we plan to break the IT areas into a
separate auditable-areas universe with its own risk assessment.
We identify by department each activity that has operational, financial or negative publicity risk.
The character of the function, activity or process will oftentimes determine whether we split a function
between departments or treat an IT issue as a business process. It really depends on who manages
the function, what process it most closely relates to, and which approach will be the most efficient for
internal audit and the business unit and create the best benefit / cost results.
COSO solved the challenge it appears you are facing a long time ago by developing the three
dimensional cube, which was extended into the larger COSO ERM cube. As you know, all data in the
audit universe is relational, so your challenge is to determine how to best define the layers and
interfaces between objects in the audit universe. Using COSO, at least in the U.S., is a good place to
start, tailoring the content in "your cube" to your organization's objectives, risks and controls.
We have basically taken our org chart and expanded it where necessary to develop our universe. My
next step is to start adding processes (that may span different departments) to get the complete list of
auditable activities.
Subsidiaries

Range      Responses (#)   Responses (%)
1-5        74              33.6%
6-10       32              14.5%
11-25      41              18.6%
26-50      20               9.1%
51-100     27              12.3%
101-500    17               7.7%
500+        9               4.1%
Auditable Activities

Range      Responses (#)   Responses (%)
1-25       23               9.7%
26-50      37              15.6%
51-75      31              13.1%
76-100     34              14.3%
101-250    63              26.6%
251-500    32              13.5%
500+       17               7.2%
7: Is your organization?

Answer          Responses (%)   Responses (#)
National        24.4%           66
International   35.6%           96
Not Answered                     5

Range           Responses (%)   Responses (#)
1-2             13.9%           37
3-6             36.3%           97
7-15            28.5%           76
16-20            7.5%           20
21-30            4.1%           11
Not Answered                     8