How do you define your Audit Universe and Auditable Entities? Are you still doing an annual Audit Plan? Do you have an audit cycling requirement in your methodology?
Sort by:
We have defined the frequency of audit for various sub-functions of Finance & Accounting. We have defined cycle for ALL, 1, 2 and 3 depending upon the potential risks. The areas which have the history of out of period adjustments are covered in ALL cycle. The other areas are covered in cycle 1, 2 or 3. So, areas earmarked cycle 1, 2 or 3 are covered in year 1, 2 and 3 respectively so that we cover all areas in 3 years cycle.
We no longer use the Audit Universe and Auditable Entities concepts in the development of our audit plan. We leverage a comprehensive annual risk assessment, combined with ongoing risk updates throughout the year, to identify the likely audits we present to our Audit Committee for approval. The approved audit plan has flexibility built in so that we are able to adapt during the year and focus resources on those areas that will have the most impact and value for the organization.
Hi Martin - do you mind sharing how you report insights from the risk based auditing if you are not using auditable entities. Thanks in advance.
Hi Martin - do you mind to share how you kept the audit plan with flexibility and does your AC approve a higher level plan or down to the projects planned for the year? Thanks!
Audit universe means all auditable legal entities. We do annual audit plan for sample collection mythologies and target entities.
We have an audit universe covering the Group. We look at it with two different axes. The first is to recognize each fully consolidated company that we've got part of our audit universe and then we match that against our ICS control framework. We have 14 processes within the ICS control framework. As part of the risk assessment, we assess the fully consolidated company against each ICS process. So you can imagine that's quite a large spreadsheet that we've got but that will then give us both the audit universe and the risk evaluations of those entities and ICS processes within those entitles. We use that as a basis of our audit planning in terms of identifying where best we can use audit resources.
Yes, we do have an annual audit cycle, but what I've agreed with the board and the audit and risk committee recently is that for any audits that we do in what we've defined within the audit risk universe as a red risk area, we will keep to those unless there's a great business reason for not doing them. That accounts for about 50% of our audit plan. With the other 50% of audits in the plan i.e. for any areas where we've defined the risk as medium or low.
I have full flexibility to change and move audits in and out without having to refer back to the Board or Audit and Risk Committee. Given the planning cycle, some of the audits that we plan may be scheduled to be completed 12 months into the future. I want the flexibility to change the plan, as the risk profile of our organization changes regularly.
We’re going through a lot of change at the moment and therefore, we may not know about some things that subsequently appear as risks when we're developing the audit plan, and different risks might materialize that we never envisaged at the time of the audit plan. So I want the flexibility to change audits on the audit plan without going back and referencing the audit and Risk Committee or the Board. And they've given me that authority to do so which allows me to focus audit resources in the most value-adding places.