There’s such a huge difference between basing the (continuously updated) audit plan on an “audit universe[1]” from using a “risk universe[2]” that I want to spend some time explaining it.
Let’s start with the premise that our job is to provide our customers on the board and in top management with (reasonable) assurance that the system of internal controls over the more significant risks to the enterprise and its objectives is effective.
This is going a necessary (IMHO) step further than the IIA’s Purpose Statement:
Internal auditing strengthens the organization’s ability to create, protect, and sustain value by providing the board and management with independent, risk-based, and objective assurance, advice, insight, and foresight.
The extra step is to distinguish assurance on random risks from assurance on the risks that matter to the success of the organization – as GIAS says, “Internal auditing enhances the organization’s… successful achievement of its objectives”.
While we can add value by auditing risks to individual processes and business units, the resulting assurance is more relevant to the managers of those business units (often “middle management”). It only has serious value to top management and the board if they can translate our (micro) assurance on individual parts of…
