Defining the Audit Universe


In today's corporate environment, a company may have several lines of business with operations across the globe, and may exhibit a myriad of authority/responsibility and reporting structures. In order that the auditor not get lost in the complexity of corporate structures, an organized "inventory" of all significant auditable units should be compiled. The definition of auditable units must depend on specific organizational characteristics; e.g., whether the enterprise is functionally organized or product-centered.

Example

Figure 2 represents a banking organization, one of the case studies described in Planning for the Internal Audit Function by J. E. Boritz (IIARF, 1983).

Figure 2: Defining the Audit Universe

This organization consists of 90 locations (branches). Within each branch there are 10 units (departments). In addition, there are 20 corporate-wide audit modules (programs) that are conducted within each location. Technically, this structure can be considered to have 20 x 90 x 10 = 18,000 auditable units, representing a very large number of potential audit activities.

There are many reasonable ways of defining the audit universe in this organization. One way to define the audit universe is to establish each location as an audit unit category, with the departments viewed as subsets of each location and the corporate-wide audit programs viewed as further subsets of those departments. A different way of defining the audit universe is to identify the departments as the audit unit categories, with locations being subsidiary to them, and the audit programs as further subdivisions at locations. Yet another way of defining the audit universe is to define the corporate-wide audit programs as the audit unit categories, with the 90 locations and their respective departments subsidiary to them.

Don't: simply accept the existing list of audit projects and activities, or worse yet, just list the names of audit files to compile the audit universe. Don't treat your audit universe as one big list -- applying one risk model to heterogeneous audit units is likely to yield poor results.

Do: look at the entity the same way that management views the organization to identify the most appropriate definition of the audit universe and its elements to permit an effective evaluation of risks and concerns. Analysis of business objectives, management processes, organizational relationships, information systems, and interviews with top management could all help in establishing appropriate definitions of auditable units. Typically, this will mean identifying families of audits within the universe that share similar risk characteristics so that different risk models can be applied to them.

Risk Criteria or Factors

A critical step in any risk assessment approach is to identify the risk factors which will be used for assessing risk. An auditable unit's Risk Score should reflect the unit's potential for causing or permitting losses to the enterprise, including the likelihood, magnitude, and imminence of potential losses.

Example

The following risk factors were identified in a survey conducted by James M. Patton, John H. Evans and Barry L. Lewis in their 1983 IIA Research Monograph A Framework for Evaluating Internal Audit Risk as the most commonly used criteria for assessing risk.

• quality of the internal control system

• competence of management

• time since last audit

• liquidity of assets

• complexity of transactions

• distance from the main office

• changes in accounting systems

• unit size

• level of employee morale

Additional criteria based on case studies may be found in Planning for the Internal Audit Function by J. E. Boritz, published by the Internal Auditors Research Foundation in 1983, and the auditMASTERPLAN® documentation.

Don't: base risk factors on auditors' considerations alone.

Do: involve management personnel in identifying risk factors and ranking them according to their relative importance. This will improve communications between the internal audit department and management and help to ensure that the audit coverage plans and staffing requirements that result from the risk assessment process will be more credible and better accepted.

Risk Assessment Methods

After relevant criteria for establishing relative loss riskiness of auditable units have been identified, the next step is to use them in an organized fashion to arrive at a Risk Score for each auditable unit. There are two fundamental ways, not necessarily mutually exclusive, of estimating the riskiness of an auditable unit: 1) Objective assessment methods, and 2) Subjective assessment methods.

Objective Risk Assessment Methods

It is possible to set priority scores objectively by reference only to quantitative attributes of auditable units (e.g., dollars of throughput, value of assets, number of personnel, volume of transactions, the time elapsed since last audit). By making the largest attribute value represent the highest number on a rating scale (e.g., 100 on a 1-100 rating scale), and taking a simple ratio for each unit relative to this value, all units can be easily ranked.

Example

Figure 3 illustrates the use of five risk factors: revenues, expenses, assets, transaction volume and time elapsed since the last audit.

Figure 3: Risk Assessment Based on Objective Factors

                                      Risk/Exposure/Concern Factors
Auditable Unit   Revenues   Expenses   Assets   Trans Volume   Time since last audit   Total
Scale (min-max)  0-5        0-5        0-5      0-5            0-5                     0-25
ABC              3          2          2        3              4                       14
ABD              2          2          2        2              2                       10
ABE              4          2          3        3              4                       16
etc.

These risk factors are equally weighted; that is, each risk factor is worth the same number of points. Furthermore, they are objectively determinable. A computer program uses the objective values of the revenues, expenses, assets, transaction volumes and time elapsed since the previous audit for each auditable unit and simply assigns them a relative score using a 5-point scale. These scores are then totaled, and the unit with the highest score is the unit with the highest degree of concern. You will notice also that four of the five specific factors can be considered to be subsidiary to an implicit risk factor category we could call size.

In this particular organization, overriding importance and prominence is given to measures of audit unit size, with only one other factor being used, time since last audit. No subjective factors are used. The internal audit department from which this illustration was obtained wanted a simple and relatively mechanistic risk assessment approach because it was deemed not possible to make meaningful judgmental ratings for its more than 4,000 auditable units.
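A worked implementation of the ratio-to-maximum scaling the objective method describes, added here as an example and not the program the audit department used. The unit attributes are constructed (the "months since audit" unit and the fourth unit ABF are assumptions) and were chosen so that the scaled rows reproduce ABC, ABD and ABE in Figure 3:

```python
"""Objective risk scoring by ratio-to-maximum scaling (the Figure 3 method). Added example, not the page's program."""
from typing import Dict, List, Tuple

FACTORS = ["revenues", "expenses", "assets", "trans_volume", "months_since_audit"]

# Constructed sample attributes (hypothetical figures, chosen so that the scaled scores
# reproduce the ABC/ABD/ABE rows of Figure 3; ABF is an assumed largest unit).
UNITS: Dict[str, Dict[str, float]] = {
    "ABC": {"revenues": 600, "expenses": 400, "assets": 2000, "trans_volume": 3000, "months_since_audit": 40},
    "ABD": {"revenues": 400, "expenses": 400, "assets": 2000, "trans_volume": 2000, "months_since_audit": 20},
    "ABE": {"revenues": 800, "expenses": 400, "assets": 3000, "trans_volume": 3000, "months_since_audit": 40},
    "ABF": {"revenues": 1000, "expenses": 1000, "assets": 5000, "trans_volume": 5000, "months_since_audit": 50},
}

def scale_value(value: float, max_value: float, scale_max: int) -> int:
    """Map value onto 0..scale_max as its ratio to the largest value in the universe (half rounds up)."""
    if max_value <= 0:   # factor is zero everywhere: nobody scores on it
        return 0
    return int(value / max_value * scale_max + 0.5)

def score_units(units: Dict[str, Dict[str, float]], factors: List[str] = FACTORS,
                scale_max: int = 5) -> Dict[str, Dict[str, int]]:
    """Score every unit on every factor and add a 'total' (maximum len(factors) * scale_max)."""
    maxima = {f: max(attrs[f] for attrs in units.values()) for f in factors}
    scores: Dict[str, Dict[str, int]] = {}
    for name, attrs in units.items():
        row = {f: scale_value(attrs[f], maxima[f], scale_max) for f in factors}
        row["total"] = sum(row[f] for f in factors)
        scores[name] = row
    return scores

def rank_units(scores: Dict[str, Dict[str, int]]) -> List[Tuple[str, int]]:
    """Highest total first; ties broken by name so the ranking is reproducible."""
    return sorted(((name, row["total"]) for name, row in scores.items()),
                  key=lambda item: (-item[1], item[0]))

if __name__ == "__main__":
    for name, total in rank_units(score_units(UNITS)):
        print(f"{name}: {total}/25")
```

Because every factor is scaled against the largest unit, the method ranks by size almost by construction, which is the point the text makes about four of the five factors collapsing into "size".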

Subjective Assessment Methods

There are four main ways of making subjective assessments of risk factor importance; i.e., direct assessments, pairwise comparisons, base rate comparisons, and group judgments. These methods are not necessarily mutually exclusive, and can be used in various combinations.

Direct Assessment Method

Using a subjective method of evaluation, for each risk factor for each auditable unit, a subjective assessment about risk is made using an importance scale (e.g., a scale ranging from 1-10) representing degrees of concern. These ratings may be simply totaled, or first weighted, then totaled, arriving at each unit's priority score.

Example

Figure 4 illustrates this approach for a banking organization with several departments at each of about 100 branches.

Across the top are listed the risk factors: asset size, the quality of internal control, the recency of the last audit, personnel quality within a branch, whether there are planned conversions, expansions, etc., and whether there are any overriding audit staff considerations.

These factors provide much more scope for subjective judgment than the previous example. In this case, asset size accounts for only 10 out of a possible 100 points, with another 20 out of 100 points being allocated to another relatively objective measure, recency of last audit. Together, the two objective factors account for 30 of the possible 100 points, with the other factors being relatively subjective. Another interesting aspect of this example is that the risk factors are themselves constructed in a hierarchy. That is, the quality of internal control score, which is the most important score, with a value of 30 out of 100 points, has a subsidiary set of factors which are evaluated in order to arrive at the quality of internal control rating.

For example, for location ABD, internal control would be rated using 5 sub-factors. In this particular case, all the sub-factors are equally weighted. Each is worth 10 points. For each location, each of the different departments is rated on a scale of 1 to 10 as to the strength of the plan of organization, policies and procedures in force, and so forth. Eventually, the overall grand average of the 5 scores, over all the departments within the location, would be carried forward and converted to a score out of 30; for example, if a rating averaged 4 out of 10 on ABD internal control features, then this would translate into 12 out of 30 on the quality of internal control score. The scores on all of the factors for location ABD would be combined to arrive at a score out of 100, and this score would be compared against similar scores derived for each of the locations in the audit universe.

Figure 4: Risk Assessment Based on Objective and Subjective Factors
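The hierarchical weighted scoring just described, as an added example and not the page's own worksheet. The 10/30/20 point allocations for asset size, quality of internal control and recency of last audit are from the page; the point allocations for the remaining three factors, three of the five sub-factor names, the department ratings for location ABD and the 1-10 direct ratings are assumptions:

```python
"""Hierarchical weighted scoring for one location (the Figure 4 method). Added example, not code from the page."""
from typing import Dict

# Points each factor contributes to the /100 location score.
FACTOR_POINTS = {
    "asset_size": 10,                   # from the page
    "internal_control": 30,             # from the page; built up from sub-factors below
    "recency_of_last_audit": 20,        # from the page
    "personnel_quality": 20,            # assumed split of the remaining 40 points
    "planned_changes": 10,              # assumed (conversions, expansions, etc.)
    "audit_staff_considerations": 10,   # assumed
}

# Five equally weighted internal control sub-factors, each rated 1-10 per department.
IC_SUBFACTORS = ["plan_of_organization", "policies_and_procedures",    # named on the page
                 "segregation_of_duties", "authorization", "records"]  # assumed names

def check_rating(r: int) -> int:
    """Reject ratings outside the 1-10 importance scale instead of silently skewing totals."""
    if not 1 <= r <= 10:
        raise ValueError(f"rating {r} outside the 1-10 scale")
    return r

def internal_control_score(dept_ratings: Dict[str, Dict[str, int]]) -> float:
    """Grand average of all sub-factor ratings over all departments, converted to /30."""
    ratings = [check_rating(d[s]) for d in dept_ratings.values() for s in IC_SUBFACTORS]
    average = sum(ratings) / len(ratings)                    # e.g. 4 out of 10
    return average * FACTOR_POINTS["internal_control"] / 10  # 4/10 -> 12 out of 30

def location_score(direct: Dict[str, int], dept_ratings: Dict[str, Dict[str, int]]) -> float:
    """Internal control (/30) plus each directly rated factor scaled to its points (/100)."""
    total = internal_control_score(dept_ratings)
    for factor, points in FACTOR_POINTS.items():
        if factor != "internal_control":
            total += check_rating(direct[factor]) * points / 10
    return total

# Constructed ratings for location ABD: two departments whose sub-factor grand average is 4/10.
ABD_DEPTS = {
    "loans":    dict(zip(IC_SUBFACTORS, [4, 4, 4, 4, 4])),
    "deposits": dict(zip(IC_SUBFACTORS, [3, 5, 4, 4, 4])),
}
ABD_DIRECT = {"asset_size": 5, "recency_of_last_audit": 8, "personnel_quality": 6,
              "planned_changes": 2, "audit_staff_considerations": 1}

if __name__ == "__main__":
    print(f"ABD: internal control {internal_control_score(ABD_DEPTS)}/30, "
          f"total {location_score(ABD_DIRECT, ABD_DEPTS)}/100")
```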


by

J. Efrim Boritz

School of Accountancy, University of Waterloo, Waterloo, Canada N2L 3G1

© Copyright 1992, 1993 All Rights Reserved