
11 October 2019

How to derive an IT audit universe


Chartered Institute of Internal Auditors

You asked us a question via the technical helpline ...

Question

How do you derive an IT audit universe?

Answer

The Global Technology Audit Guide (GTAG), Developing the IT Audit Plan, has a recommended
approach to compiling an IT audit universe. The sections below (using the GTAG numbering) explain
the steps involved.

5.1 Understand the business model


The first step is to examine the business model of the organisation. The organisation can have
different lines of business. For example, a property development company can also have business
interests in hospitality (eg hotel, golf course) besides the construction and selling of apartments.

5.2 Understand the supporting technologies


Next, the internal auditor needs to understand the supporting technologies used in the business
operations. For example, the sales department of the property development company may invest
heavily in smartphones to take photographs of the housing projects. The photographs are then
uploaded to a private IT portal for sharing among colleagues.

5.3 Understand the business strategy and IT strategy


The internal auditor should also strive to understand the business strategy and IT strategy in order
to derive the IT audit universe. The IT function exists to support the business strategy. For example,
a financial IT system is currently used by the property development company to capture the sales
of the housing projects. The IT strategy of the property development company is to ensure the
timely and accurate reporting of the financials.

5.4 Understand the model of the IT function


The IT function may be centralised, decentralised or outsourced. While there may be a centralised
IT function in the corporate HQ, there may be decentralised satellite IT resources.

Another common IT model is to outsource the IT function to an external provider. For example, the
property development company may use a combination of centralised corporate IT HQ as well as
satellite IT resources to support the overseas property development projects.

5.5 Understand the IT support processes

© Chartered Institute of Internal Auditors
It is also important to understand the IT support processes. Examples of the IT support processes
include the IT helpdesk support, backup management, user administration process, etc. In the
context of the property development company, examples of the key support processes include IT
helpdesk support, backup management as well as IT disaster recovery processes.

5.6 Understand the laws and regulations


Lastly, laws and regulations may affect the IT audit universe of the organisation. If an organisation is
listed on a particular stock exchange, the stock exchange may introduce a set of listing requirements
that concern internal IT controls. For example, the Sarbanes-Oxley Act states that public companies
must show that controls over financial reporting are designed and operating effectively. If the property
development company is listed in the United States, it is required to demonstrate to the regulators
that it has effective IT controls over the financial system.

How to structure your research and information gathering

What this series of steps highlights is that it is best to take a strategic, top-down approach to building
an IT audit universe.

One simple reason for this is that it indicates what is important, rather than trying to build the detail
from the bottom up from a wide range of IT activities, processes, procedures, products and services.
It will also indicate where the most important IT risks lie and where assurance is most needed.

We therefore suggest that you structure your research and information gathering using a set of
headings similar to the GTAG steps that might work for your organisation.

Here is an example with a brief and simple set of supporting tables to illustrate how you can begin
to build the universe:

• IT governance areas
• IT infrastructure review areas
• IT infrastructure assets
• Business application review areas
• Business applications

IT auditable areas                                  Area(s) where assurance may be required
--------------------------------------------------------------------------------------------

IT governance
  IT business strategy review                       Corporate HQ
  IT resourcing                                     Corporate HQ
  IT sustainability review                          Corporate HQ

IT infrastructure
  BCP / IT DR review                                Corporate HQ
  Data centre review                                Corporate HQ
  IT network architectural review                   Corporate HQ and satellite office

IT infrastructure assets
  LAN (local area network)                          Corporate HQ and satellite office
  Local servers (eg file servers)                   Corporate HQ and satellite office
  Local workstations                                Corporate HQ and satellite office
  Switches                                          Corporate HQ and satellite office

Business application
  IT general control environment for applications  Corporate HQ and satellite office
  IT incident / problem management review           Corporate HQ and satellite office

Business application assets
  SAP                                               Corporate HQ
  Portal applications                               Corporate HQ

How does it fit within the audit universe?

It is important to appreciate that the IT audit universe will probably form part of the overall internal
audit universe, so using the same structure and approach is likely to help and to ensure consistency.

Whilst the International Standards do not require internal audit activities to maintain an audit
universe, the head of internal audit can choose whether or not this is a useful thing to do. However,
the Standards do require the head of internal audit to establish a risk based internal audit plan
(Standard 2010 Planning).

One of the advantages of having an audit universe is that it enables the audit activity to be clear
about the extent of coverage of key risks and other risk areas each year. It can also provide a
degree of rigour around areas not being audited.

Further reading

Audit universe
