Auditing Ethics

Ethics is the foundation of any successful organization and internal audit has a key role to play by auditing the organization's ethical program. By AlShareef Marwan AlKhouli


By: AlShareef Marwan AlKhouli

Edited by: Andrew Cox




Ethics is all about behavior, choices and doing what is right.


Internationally there have been developments around ethics and how organizations handle this. Many multinational companies have, over the past few years, appointed a senior executive with the responsibility for promoting ethical behavior throughout the company.  While such appointments are more common in the United States than the rest of the world, this does not mean that ethics is not one of the priorities of a company. The ‘Tone at the Top’ is all about the board, chief executive officer and senior executives demonstrating their personal commitment to ethical behavior.


Ethics is the basis of good governance and ultimately the basis for the success of an organization. The lack of ethics can be safely described as the reason for many high profile corporate fraud cases.


Most organizations have a code of ethics for their workforce which sets out the behavior expected of employees. In some cases, the code of ethics extends to consultants, contractors and suppliers. However, a robust ethics program is more than just a code of conduct; it also includes policies, regular communication, response protocols for ethical violations, and so on. Regardless of who is responsible for the ethics program, its effectiveness is not always assessed. An audit of ethics is therefore important to provide an independent view on the state of the organization’s ethics program.


The Role of Internal Audit

Internal auditors have often avoided the challenge of auditing ethics because it is difficult. It is far easier to do a simple compliance or financial audit, where hard controls are easier to audit than soft controls. However, the International Standards for the Professional Practice of Internal Auditing (the Standards) issued by the Institute of Internal Auditors (IIA) state that (Standard 2110.A1):


“The internal audit activity must evaluate the design, implementation, and effectiveness of the organization’s ethics-related objectives, programs, and activities.”


In 2011, as part of a global IIA survey, a research report¹ showed that ethics audits were one of the top five topics for internal auditors to focus on over the next five years. These results were fairly consistent across the type of organization (private, publicly listed or government) and its location. Surprisingly, the region with the highest percentage of respondents expecting ethics audits to be performed in the next five years was the Middle East.


The Scope of an Ethics Audit

The IIA Practice Guide ‘Auditing Ethics-Related Programs and Activities’² states that the four pillars of organizational governance are the board, management, internal audit, and external audit, and that ethics is an integral part of this organizational governance structure. This means that any assurance provided around governance needs to take into account ethics. Internal audit needs to audit ethics in order to provide an opinion to the audit committee and senior management on its effectiveness.


An audit of ethics should at least cover the following:

  • Tone at the top – commitment of the board and top management to ethics.
  • Ethical principles – how well these are adhered to by all levels of the organization, including stakeholders and suppliers.
  • Risk management – recognition of the need for risk management and effective implementation of risk management throughout the organization.
  • Information – availability of information relating to ethical conduct such as a documented ethical program, awareness activities, and breaches of ethical guidelines.
  • Sharing – active sharing of information relating to the ethical program and its results.
  • Alignment – risk management alignment with the organization’s ethical culture.


Key Considerations to Auditing Ethics

There may be several approaches to take when carrying out an ethics audit such as reviewing ethics policies and procedures, reviewing the work of the ethics or compliance department or surveys / interviews with employees. Regardless of the approach taken, there are several considerations that should be taken into account:


  1. The audit committee should identify specific ethics-related issues on which to focus. In some settings, the committee may decide to conduct a comprehensive ethics audit. In other organizations, the committee may focus on specific ethical issues that are especially important in those settings.
  2. An audit of ethics needs to be risk-based and founded on a risk assessment. The internal auditor must establish the key risks to the organization’s ethics program, which will help to focus the audit objectives.
  3. Realistic audit objectives need to be set, which are likely to include such things as whether:
     • There is compliance with laws, regulations and policies.
     • The organization has a documented ethics program and adequate means of measuring its effectiveness.
     • There has been effective implementation of the ethics program.
     • Breaches of the ethics program have been properly investigated and adequate sanctions imposed on offenders.
     • Lapses in ethical behavior have had an impact on the efficiency, effectiveness and economy of business operations and, if so, what that impact is on the organization.
     • Assets are properly safeguarded from unethical conduct.
     • Opportunity for fraud and corruption is minimized.
  4. Determine how to audit controls around ethics:
     • Tone at the top from the board, chief executive officer and senior executives.
     • Employee awareness.
     • Assurance regimes to identify unethical conduct and its impact on the organization.
     • Code of conduct and treatment of breaches.
     • Reporting arrangements for alleged unethical conduct.
     • Investigation protocols and whether these are independent.
     • Effectiveness of whistleblower mechanisms and treatment of whistleblowers.
  5. Report the audit results without fear or favor to the audit committee and senior management.
  6. Monitor and follow up to ensure recommendations are effectively implemented and meaningful change occurs in a timely way.

“Internal auditors should help a company improve its ethical culture”

The IIA’s Practice Guide² gives more guidance on how to audit ethics and to evaluate the maturity of an ethics program.


7 Elements of a World Class Ethics Program

In a maturity model² provided by the IIA, the following elements are considered to be an integral part of a world class ethics program (not a comprehensive list):

  1. Detailed guidance on key components of the Code of Ethics including the use of an anonymous reporting hotline.
  2. Periodic surveys of employees to understand perceptions on the organization’s ethical climate.
  3. Review of disciplinary action in response to ethical violations takes place by an independent party to ensure consistency.
  4. Openly praising employees for demonstrating ethical conduct.
  5. Regular communication on the importance of the code of ethics and reporting on the ethics program in the company’s annual report.
  6. Investigations are conducted by experts in accordance with a defined investigation protocol.
  7. Ethics related metrics are included as part of an employee’s performance goals.



Conducting an ethics audit requires a team effort as well as a clear definition of ethical behavior.  Auditing ethics is not only required by the IIA’s Standards but it is essential for the overall health of the organization.  Even though there is no “one size fits all” approach to auditing ethics, the internal audit department should still take steps to audit the ethics program. Just because it is a difficult audit to do is no reason to ignore it especially when the risk of not carrying out an ethics audit can be severe.



  1. What’s Next for Internal Auditing?, The Institute of Internal Auditors Research Foundation (2011)
  2. The Institute of Internal Auditors’ Practice Guide: Evaluating Ethics-Related Programs and Activities (June 2012)



AlShareef Marwan AlKhouli, CPA, MBA, CPA, CFE, CPM, CRA, CRP, CFC  is General Manager – Head of Internal Audit Group at Oman Arab Bank.

The Increasing Relevance of Continuous Auditing

Internal auditors need to change their approach to keep up with a fast-paced business environment. By Porus Pavri


By: Porus Pavri

Edited by: Asem Alnaser


This article seeks to explain some of the key concepts of Continuous Auditing, some important benefits as well as do’s and don’ts, so as to get you to start thinking about introducing Continuous Auditing initiatives in your organizations.

For several years now, management experts have been emphasizing the following key attributes of organizations of the future, in order to strengthen Corporate Governance and enhance Corporate Performance through changes in culture, structures and processes:

  • Flat organizations with few hierarchical arrangements;
  • Open, flexible, nimble, but nevertheless resilient environments; and
  • Distributed rather than centralized decision-making structures

The foundations of both Corporate Performance and Corporate Governance are built on the following FOUR PILLARS:

  • Measuring and Managing Information Integrity Risk
  • Achieving Operational Efficiency
  • Striving for Business Process Optimization
  • Leveraging Business Intelligence for Strategic Decision Making

If it is true that organizations today, whether proactively or reactively, are looking to strengthen the four pillars supporting Corporate Performance and Corporate Governance, it means Internal Audit departments need to evolve in order to achieve their core mission. The core mission of any Internal Audit department, large or small (as explained by the IIA), is the provision of independent, objective assurance and consulting services that (a) add value, (b) improve operations and (c) help the organization achieve its objectives, by bringing a systematic, disciplined approach to evaluating the adequacy and improving the effectiveness of its governance, risk management and control (GRC) processes.

Stated differently, the aim of IA is NOT to audit GRC processes for their own sake, but to audit them to help the organization achieve its objectives!

In order to achieve this core mission, it is obvious that an audit framework that is reactive, backward-looking, based substantially on labor-intensive, manual verification of a small, statistically correct, representative sample of records will not help internal audit departments much in adding value to the organizations of the (near?) future, nor help those organizations achieve their objectives.  Instead, what Internal Audit departments need is a risk-based audit framework that, while forming part of an overall risk-based Internal Audit plan, provides a complete, consistent and continuous method, wherever possible, of providing assurance to the board of directors or equivalent.

According to Norman Marks, prolific thought leader and an authority on Internal Audit, in these days of rapidly changing risks, when businesses are moving faster and faster, IA needs to be able to “audit at the Speed of Business”!

Throughout the next decade, the value of the controls-focused approach that has dominated internal audit is expected to diminish.  Internal audit will provide its customers – the board of directors and executive management – with ongoing assurance that those risks which impact the achievement of its objectives, are subject to appropriate and effective governance, risk management and control processes. This ongoing assurance will be enabled primarily through continuous risk and controls assurance, with a much reduced set of traditional audit projects and more reliance on continuous auditing methods.

Continuous Auditing or Continuous Assurance – let’s call it CA, is defined very simply by the IIA as “any method used by auditors to perform audit-related activities on a more continuous or continual basis”.

While there is a specific, detailed methodology for planning and executing CA, the objective of the remainder of this article is not to detail the methodology, but to explain the core concepts of CA, the key business benefits, and some key implementation perspectives.

CA comprises the following two broad components:

  1. Continuous Risk Assurance (let’s call it CRA) – which provides ongoing assurance that the organization is addressing all its current and emerging key risks, including Fraud Risks, and their risk levels.
  2. Continuous Controls Assurance (let’s call it CCA) – which provides ongoing assurance that all controls that respond to current and emerging key risks (“key controls”), including controls that respond to Fraud Risks, are suitably designed, established and operating as intended.


One of the key terms in these definitions is “ongoing” – which does not mean 24 x 7 x 365, but rather a more continual process for identifying and assessing key risks to the achievement of objectives, monitoring changes in their levels, a more frequent testing of key controls that respond to those risks, and just as importantly, more continual reporting of findings.  Another key term is “current and emerging”. What is the use of monitoring risks that no longer impact the achievement of the enterprise’s objectives, but are listed in a legacy Risk Register?  And, what is the use of testing controls that are listed in a legacy Controls matrix, but which do not address an existing or emerging risk to an enterprise objective?

A concept related to Continuous Risk and Controls Assurance is the review / monitoring of (i) data that acts as an indicator of the level of risk i.e. risk drivers, and (ii) transactions that have already been subjected to a control.  Ongoing review or monitoring of data relating to key risk drivers is the means by which Internal Audit provides Continuous Risk Assurance.  And ongoing review or monitoring of transactions that have been subjected to a key control(s), is an additional line of defense, which not only provides a more comprehensive level of Continuous Controls Assurance, but also significantly increases the probability that if any out of control processes or fraudulent transactions did slip through the “control net”, they will be detected on a timely basis.

Technology may or may not be used in Continuous Assurance – in fact it would be a mistake to think that Continuous Assurance can be provided only through the use of technology. For instance, monthly physical attendance by Internal Audit at a stock count to ensure that it is performed in accordance with predefined company policies and procedures is an equally valid example of Continuous Assurance. Technology is a great enabler of Continuous Assurance, no doubt, and should be used as such – i.e. as a means to an end, and not as an end in itself, by purchasing, for instance, an off-the-shelf GRC software package just because it seems the in-thing nowadays, or because a competitor bought it! So, follow the methodology, understand if and where IT (i.e. CA software) would add most value, check for availability of in-house solutions, and then go out into the market to check what IT solution, if any, best fits your enterprise’s specific IT environment and CA requirements.

Let’s consider a couple of examples of CA.

A global company sells its products to, among others, customers in a country currently experiencing turmoil owing to international sanctions and a plunging currency, thus exposing the company to reputational and credit risk.  One of the “drivers” of that risk will be the pipeline of sales orders to customers in that country.  As that pipeline grows, so does the risk.  Technology is used by the Internal Audit function to continuously review /monitor the level of sales orders by country and send an alert to the pre-defined recipients/decision makers if sales to that country exceed a predefined level.

Another example: in order to test the quality of authorization controls over Corporate Credit Card expenditures in a more efficient and effective manner, internal auditors develop a series of continuous, data analytic tests to identify corporate credit card policy violations, such as personal expenses (travel, jewelry, alcohol, clothes, home furniture, etc.), use by unauthorized cardholders, split purchases to avoid authorization limits, transactions involving prohibited merchants, etc. The above data analysis tests are turned over to the Corporate Credit Card manager, who runs them on a monthly basis as a control over credit card usage. Internal Audit verifies on a monthly basis that the manager has run this control (i.e. these analytic tests).
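As an added illustration of the continuous data-analytic tests described above (example code written for this page, not the author's or any firm's tooling), the following Python runs three of the listed tests over a constructed month of card transactions. The single-transaction limit, the prohibited merchant categories, the cardholder roster and the 24-hour split-purchase window are assumed policy values.

```python
"""Continuous controls tests over corporate card transactions (illustrative)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Single-transaction authorization limit (constructed policy value).
SINGLE_TXN_LIMIT = 1000.00

# Merchant categories the card policy prohibits (constructed list).
PROHIBITED_CATEGORIES = {"jewelry", "casino", "liquor_store"}

# Roster of cardholders authorized to hold a card this month (constructed).
ACTIVE_CARDHOLDERS = {"C001", "C002", "C003"}

# Constructed sample transactions for one month; not real data.
TRANSACTIONS = [
    {"id": "T1", "cardholder": "C001", "merchant": "OfficeMart", "category": "office_supplies",
     "amount": 620.00, "timestamp": "2013-03-04T09:12:00"},
    {"id": "T2", "cardholder": "C001", "merchant": "OfficeMart", "category": "office_supplies",
     "amount": 590.00, "timestamp": "2013-03-04T09:25:00"},   # T1 + T2 = 1210 within 13 minutes
    {"id": "T3", "cardholder": "C002", "merchant": "Gemstone Plaza", "category": "jewelry",
     "amount": 210.00, "timestamp": "2013-03-10T15:40:00"},   # prohibited category
    {"id": "T4", "cardholder": "C009", "merchant": "City Hotel", "category": "lodging",
     "amount": 180.00, "timestamp": "2013-03-12T20:05:00"},   # C009 is not on the roster
    {"id": "T5", "cardholder": "C003", "merchant": "AirTravel Co", "category": "airline",
     "amount": 450.00, "timestamp": "2013-03-15T07:30:00"},
    {"id": "T6", "cardholder": "C002", "merchant": "OfficeMart", "category": "office_supplies",
     "amount": 700.00, "timestamp": "2013-03-20T11:00:00"},
    {"id": "T7", "cardholder": "C002", "merchant": "OfficeMart", "category": "office_supplies",
     "amount": 400.00, "timestamp": "2013-03-22T11:00:00"},   # T6 + T7 > limit but 48h apart
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def find_split_purchases(transactions, limit=SINGLE_TXN_LIMIT, window_hours=24):
    """Flag sets of sub-limit charges by one cardholder at one merchant that,
    taken together inside the time window, exceed the single-transaction limit.
    Charges above the limit on their own belong to a separate over-limit test."""
    by_key = defaultdict(list)
    for t in transactions:
        if t["amount"] <= limit:
            by_key[(t["cardholder"], t["merchant"])].append(t)
    window = timedelta(hours=window_hours)
    findings = set()
    for txns in by_key.values():
        txns.sort(key=lambda t: _parse(t["timestamp"]))
        for i, first in enumerate(txns):
            start = _parse(first["timestamp"])
            group = [t for t in txns[i:] if _parse(t["timestamp"]) - start <= window]
            if len(group) >= 2 and sum(t["amount"] for t in group) > limit:
                findings.add(tuple(sorted(t["id"] for t in group)))
    return sorted(findings)


def find_prohibited_merchants(transactions, prohibited=PROHIBITED_CATEGORIES):
    """Transactions whose merchant category is on the prohibited list."""
    return sorted(t["id"] for t in transactions if t["category"] in prohibited)


def find_unauthorized_cardholders(transactions, active=ACTIVE_CARDHOLDERS):
    """Transactions charged by a cardholder who is not on the active roster."""
    return sorted(t["id"] for t in transactions if t["cardholder"] not in active)


def run_monthly_tests(transactions=TRANSACTIONS):
    """The monthly run performed by the card manager; Internal Audit later
    verifies that this run took place and reviews the exceptions."""
    return {
        "split_purchases": find_split_purchases(transactions),
        "prohibited_merchants": find_prohibited_merchants(transactions),
        "unauthorized_cardholders": find_unauthorized_cardholders(transactions),
    }


if __name__ == "__main__":
    for test_name, hits in run_monthly_tests().items():
        print(f"{test_name}: {hits}")
```

The T6/T7 pair shows why the window matters: the two charges exceed the limit combined, but two days apart they are not evidence of splitting and are left for the reviewer's judgment rather than flagged.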

The Business Case for CA is built around several benefits, the most important among them being:

  1. Comprehensive validation of the efficiency and effectiveness of the current internal control system, with prompt notification of control breakdowns, process deficiencies, data errors, missed SLAs with clients, IT security violations, Segregation of Duties violations, non-compliance with internal policies & procedures – which allows management to respond promptly with corrective action that prevents or minimizes losses.
  2. More effective and efficient risk assurance, focusing on key risks, both current and emerging, for business operations, reporting and compliance.
  3. Prompt identification of non-compliance with external laws & regulations across diverse systems and geographies, summarizing them into an enterprise view of regulatory compliance, and enabling the organization to reduce the costs of compliance (penalties, etc.) over time.
  4. Deterrent against fraud owing to real-time, or near real-time, audit activity.
  5. Greater risk & controls coverage by Internal Audit within budget constraints.

Finally, a few key implementation perspectives, Do’s and Don’ts:

  • Whether you are monitoring a risk or testing a control, and whether you do it sitting at your computer or by physically visiting a location, it must be remembered that under CA you are providing a much deeper level of assurance, since the monitoring, testing and reporting is ongoing / repeated as per a pre-defined schedule throughout the audit cycle. As a result of this ongoing / repeated testing, it is vital within a CA framework to diligently follow the pre-defined continuous audit plan, to validate all potential findings with process owners, to summarize repeat audit findings into common trends, and to perform root cause analysis for each finding.
  • It should also be noted that there are certain types of controls that are suitable for continuous controls testing – for instance, controls over high volume transaction processing – and certain others that are not suitable for continuous testing – for instance, authorization controls over judgmental areas.
  • Get Board sponsorship – this is not an IT project – it is a Business Improvement Program – position it, and treat it as such.
  • The Head of Internal Audit / CAE provides the vision, and a “CA Champion” is needed to provide the push and the glue that keeps different stakeholders moving towards the common goal of program success.
  • Start small, with “low-hanging fruit”, build confidence, then gradually expand areas covered by CA.
  • When CA is first implemented, you will likely find a lot of exceptions. The exceptions were there yesterday, but no-one knew. Encourage recognition of the fact that you have moved the inspection ‘microscope’ from 1x to 1000x magnification.
  • Report continually – no surprises.


CA is the way forward, and while it may be at the “cutting-edge” of developments in the internal audit profession today, it is soon expected to become one of THE MOST IMPORTANT ways in which the Internal Audit profession remains relevant to organizations of the future!

PORUS PAVRI, CRMA, CIA, CA is a partner at Logos Consultants in Dubai.

Managing the Risks Facing Internal Audit Departments

Internal audit departments also need to manage their own risks. By Christian Thurow


By: Christian Thurow


Most articles written about internal audit and risk management focus on internal audit’s role in ensuring the effective management of risk within the first and second lines of defense. Little attention is given to managing risk within the third line itself.


Ask any Chief Audit Executive (CAE) for the Risk Register of his Internal Audit function and there is a fair chance he or she will show you the risks relating to the audit universe. That’s all good except for the fact that Internal Audit is not part of that universe. Management is expected to define a set of controls to ensure that the business operates as planned. Regular Control Self Assessments or similar techniques are implemented to monitor the ongoing effectiveness of these controls. In a nutshell, that’s what Internal Audit expects to see when auditing a business unit. But does Internal Audit live up to the same standards? Practice Advisory 2120-2: Managing the Risk of the Internal Audit Activity¹ states that “the internal audit activity is not immune to risks. It needs to take the necessary steps to ensure that it is managing its own risks”. So where is the Risk Register for the Internal Audit Department, including gross risk assessments, controls and residual risks? Where are the regular Control Self Assessments for the Internal Audit department? Is there an established Risk Management process within the Internal Audit function? Typically such a process, like any risk management process, should include the following stages:

  • Risk Identification: What are the risks Internal Audit is facing?
  • Risk Assessment: How severe are those risks? Often assessed by applying an impact / likelihood matrix.
  • Risk Mitigation: Accept, mitigate or transfer risks depending on their severity.
  • Risk Monitoring: Look out for new risks, changes to the risk assessment for existing risks and effectiveness of mitigation actions put in place.

Take the example of People Risk, a subset of Operational Risk. When asked about People Risk, CAEs might think of staffing, lack of skills etc. All those risks that might impact the timely execution of the audit plan. But that is only one side of People Risk. The other side is the risk the Internal Audit staff is facing or causing while performing their job. The following scenarios, most based on incidents that appeared in the news, help to raise the awareness for that type of People Risk.



An Internal Auditor is sent from the United States to audit a subsidiary in rural China. On the evening of his arrival, his appendix ruptures and he needs urgent medical treatment. Think of:

  • Who will bring the auditor to the hospital and help with translation?
  • Who will inform the company?
  • Who will secure the personal belongings and the company assets (Laptop, Smartphone) from the hotel room?
  • Who will authorize any payments if the hospital wants to see cash?



What do the Standards Say?

The Standards advise¹ chief audit executives to address risks related to the internal audit department and its objectives and specify three categories of risks:

  1. Audit Failure: This refers to the inability or “failure” of the internal audit department to identify or make recommendations to prevent control failures. The question asked is usually “Where were the internal auditors?”. Reasons for Audit Failure include poor risk assessments, improperly designed audit procedures, auditors who are not skilled in the area they are auditing, etc.
  2. False Assurance: This occurs when management believes that internal audit is covering a particular area or risk when in fact it is not. It is important to make sure that the risks being audited are clear and that internal audit’s involvement in projects is clearly defined.
  3. Reputation Risk: While chief audit executives worry about having a reputation of being a policeman, there can be far worse labels which result from various control failures in the organization, the quality of internal audit staff, the attitude of auditors, etc.

Source: The IIA’s International Professional Practices Framework



Local laws and regulation

An Internal Auditor is sent from Europe to audit a subsidiary in Singapore. While waiting for a taxi he spits out his chewing gum and is fined SGD 1000 (USD 800) by a nearby Police Officer. Think of:

  • Do Internal Auditors travelling abroad receive briefings on local laws and regulations?
  • Is there an agreement about who has to carry the costs for fines for misconduct that is not a criminal act in one’s home country?


Emergency procedures

A UK Internal Auditor is conducting an audit at an oil drilling site in Russia. While he is there, a fire breaks out. All emergency signs are in Cyrillic. Think of:

  • Do Internal Auditors receive a briefing on local emergency procedures while working in a different location?
  • Is there a general procedure for how Internal Auditors should react in case of a disaster?



An audit team is investigating a suspicion of fraud at a branch. After returning from lunch they find a letter in their room telling them to leave immediately or they will be killed. Think of:

  • Who needs to be informed within the company?
  • Should the police be informed?
  • Should the audit team be evacuated or stay on site and finish their investigation?



An Internal Auditor who is travelling a lot is fiddling with his expense claims. Think of:

  • Internal Auditors are in a position of trust. Are there ways they could abuse this? Are there controls in place?
  • Does Internal Audit receive the same level of scrutiny as other members of the workforce when submitting claims etc.?

“The internal audit department is not free from risks”


Data Protection

A German Internal Auditor attends an IIA Conference in the US. He takes his business laptop with him. During his last audit assignment in Germany he audited the HR function of his company including the payroll process. A lot of the payroll information is stored on his laptop. By taking the laptop to the US he is physically taking this information out of the European Union. That might be a violation of European Data Protection law and can lead to Reputational Risk. Think of:

  • What information is stored on Laptops or Smartphones?
  • How is that information protected?
  • Are there any restrictions for moving the information to other countries?

The internal audit department faces more than just People Risk. The CAE needs to identify and document these risks and how to respond to them. Also, depending on the size of the department and the complexity of its operations, he could 1) provide a gross risk assessment, map existing controls to the identified risks and analyze root causes, 2) put controls in place to bring risks within the stated Risk Appetite, and 3) implement ongoing Control Self Assessments to ensure control effectiveness.



Evaluating the effectiveness of risk management and the first line of defense is an important part of Internal Audit’s work. But it is equally important that Internal Audit apply to itself the same standards of Risk Management that it expects to see during an audit. Every CAE should have a departmental Risk Register for the Internal Audit function that shows all risks Internal Audit is facing and the steps required to manage these risks.


  1. IIA Practice Advisory 2120-2: Managing the Risk of the Internal Audit Activity (April 2009)


CHRISTIAN THUROW, CFSA is a lead auditor at a major European bank based in the United Kingdom.

Modern Risk-based Internal Auditing

The “audit universe” is a thing of the past. Internal auditors need to focus on the risks that matter in order to be more effective. By Norman Marks


By: Norman Marks


Norman Marks, one of the most highly regarded thought leaders in the global profession of internal auditing, explains how companies in the Middle East can add more value to their stakeholders by applying a modern risk-based approach to internal audit planning.


I remember talking to an internal audit leader for whom I have great regard. I was stunned to hear him say that you do two risk assessments: one when you develop the audit plan to identify the processes, locations, and business units to audit, and a second when you start each audit so you can identify the risks to assess in each area. That is the way I learned to build the audit plan more than 20 years ago!

I had a few discussions with some internal audit colleagues at an event last year and I learned that some companies in the Middle East develop their internal audit plans in the same way. I moved away from this process in the early 1990s because I didn’t believe it was helping me address the areas of significance to the board, top management, and the company. If internal audit is to be “relevant” (a term increasingly being used to question whether internal audit is delivering what the organization needs most), it is important to ensure that the engagements it will perform focus on the risks that matter to the organization today.


What does “risk-based” mean?

The concept of risk-based planning comes from The International Standards for the Professional Practice of Internal Auditing (Standards) issued by the Institute of Internal Auditors (IIA). They require the chief audit executive to “establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization’s goals” (Standard 2010). This concept has also been included in governance-related thought leadership. Principle 7.2 of The King Report on Corporate Governance for South Africa¹ states that “Internal audit should pursue a risk-based approach to planning as opposed to a compliance approach that is limited to evaluation of adherence to procedures”.

While IIA Standards and other guidance, from internal audit thought leaders and the consulting firms, advocate a “risk-based” approach to internal auditing, they generally don’t provide a great deal of guidance on what that means and how to accomplish it. However, there is one thing all the guidance and approaches have in common: they all need to begin with an assessment of risk.


Traditional Risk-Based Audit Planning

This approach was all about building a “risk”-ranked audit universe. The first step was to identify all the potential areas for audit, including business processes, locations, data centers, etc. A frequent question among auditors was “how large is your audit universe?” You then considered various factors such as:

  • Revenue generated or accounted for at that location, by that process.
  • Asset size.
  • Time since last audit.
  • The significance of any findings in the prior audit.
  • The level of change in systems, process, and personnel.
  • Management and board input on risk.

The audit plan included engagements at these locations or of these processes.

For example, one might rate the following as higher risk areas:  The factories in Saudi Arabia and Qatar; the Corporate Shared Services Center in Dubai; and, the general controls over the IT Data Center in Oman. The scope of the Saudi Arabia audit would be based on a risk assessment of the factory’s processes, assets, etc. The audit might include the higher risk areas of inventory management, quality control, and code of conduct training. The scope of the Qatar factory audit would be different, as the risks in that location are not the same: payroll, procurement, and accounting for inventory. A similar local risk assessment would be performed for the other audits.

While this approach was “risk”-based, it was not talking about risks to the objectives of the organization as a whole. “Risk” was about the potential for any deficiency in internal control to have a monetary impact of some size on one location. The difference may be subtle, but it is important. I want to focus my audits on ensuring the organization has the ability to achieve or surpass its objectives.





Modern Risk-Based Audit Planning

My approach today — my definition of modern risk-based auditing — is different. Instead of starting with an assessment of the audit universe, I start with understanding the risks to the enterprise as a whole. The more significant risks might include: our implementation of a new enterprise resource planning (ERP) system; the start up of a new factory in Jordan; the expansion of the business into Iraq; compliance with health & safety regulations; reliance on single source vendors for critical components; and the timeliness and accuracy of monthly management reporting to the executive committee.

My goal is to provide assurance on how well management’s processes are able to manage the more significant risks. My audit plan includes projects to identify and assess the controls that management is relying upon to manage the ERP implementation, to comply with health & safety rules, to manage the sourcing of critical components, and to ensure the integrity of monthly management reports.

The concept of “audit universe” is outdated.

So instead of using risk assessment to determine which “audit universe” elements I will include in the audit plan, I moved to an approach where I identified the top risks to the achievement of the company’s objectives (a “risk universe”), and then identified the engagements I could perform to provide assurance that the controls were adequate with respect to those risks and to provide advice where they are not.

This, for me, is modern risk-based audit planning.

When I first explained my modern risk-based internal audit plan to the audit committee of an oil company where I was the chief audit executive, they were very surprised. The CEO asked whether I had considered risks relating to the blending of gasoline, diesel, and jet fuel. As it happened, I had — but it was not considered high risk; it was more a compliance issue than anything else. The discussion continued around the top risks that I had identified and after the audit committee was satisfied with the quality of the proposed internal audit plan, they approved it. This internal audit plan was one that truly addressed the risks that matter to the organization, its audit committee and CEO.

Thinking has shifted increasingly towards looking at the “risk universe” and using that as the basis for deciding where to focus audit effort.


The Challenges & How to Overcome Them

Now that I have explained the importance of a modern approach to audit planning, it is time to understand why some companies in the Middle East have still not applied this approach. In a discussion I had with an Abu Dhabi-based Chief Audit Executive, he mentioned several challenges (which I have not substantiated) that include: not having the ability or business acumen to identify the risks that matter; the traditional mindset of the chief audit executive and the audit committee; and a reliance on audit planning processes set by regulators or audit software providers, which seem to be built around the traditional approach to audit planning.

When it comes to companies that have already implemented a robust risk management process, the best way to overcome these challenges is to use the risks identified by the risk management team and provide assurance on these risks. If this is not available, the chief audit executive needs to train himself and his team as well as the audit committee and top management. As for software, it is an enabler to the audit planning process and should not hold back the progress of an internal audit department: you can either work with the provider to upgrade the software or do your audit planning using MS Excel.



The audit plan has to be designed to address the major risks to the enterprise. The traditional audit planning process (assessing risk levels based on an audit universe, and then performing audits of the controls designed to address risks to the achievement of objectives for those areas, locations, business units, etc.) must die a quick death. A modern risk-based approach will take its place. Here the more significant risks to the enterprise are identified and targeted in audit engagements. Rather than focusing on risks to objectives at a process, department, or location, audits will focus on risks to the objectives of the organization.

Building the audit plan based on an audit universe instead of the top risks to the organization is likely to result in auditing risks that are not significant. Chief Audit Executives need to have the confidence to build a risk-based audit plan that is agile and designed to address the risks that matter to the organization. When internal auditors provide assurance and insight on the risks that matter, their work matters to the board and top management. Instead of finding problems and being perceived as an overhead activity that adds to management’s task list, they are helping the board and management deliver value to stakeholders.



¹ The King Report on Corporate Governance for South Africa (The Institute of Directors in Southern Africa), September 2009.
