Defining an Audit Universe

In auditing, it is a common practice to define an audit universe based on the risk assessment and conclusions as a starting point for the development of an internal audit plan. The goal of the risk assessment is to obtain an in-depth understanding of the organizational entity to be audited, and its environment, including its internal controls. An audit universe contains all of the areas of interest derived from the risk assessment, such as the following: lines of business, systems, and processes that are considered auditable. Audit Universe in SAP Audit Management consists of auditable items.

All creation, maintaining actions for auditable items are usually done by an audit manager and/or a chief audit executive (CAE).

Auditable items are created and stored in the Audit Universe app, and can be assigned to an audit for examination. You can use the enhanced search based filter to define complex filtering, grouping and sorting combinations.

Create an auditable item in the Audit Universe app by selecting the + button. An auditable item is delivered with a set of standard attributes as shown on the screenshot. The only mandatory fields are Title and Group. Custom defined fields can be added to the General attributes of an auditable item.

For more information on how to create custom defined fields for auditable items and other SAP Audit Management objects, refer to the following link: https://help.sap.com/docs/SAP_ASSURANCE_AND_COMPLIANCE_SOFTWARE_-_SAP_AUDIT_MANAGEMENT and navigate to: Implement [section]→Extensibility Guide for SAP Audit Management→Fields→Custom Fields (CDFs)

You can also mass upload auditable items through the Audit Universe app using an Excel template.

Use tags to classify the auditable item and make it easier to find. You can define any tag or use existing tags that were defined earlier in the system by other users.

You can optionally estimate a risk score for an auditable item between 0 and Max Risk Score value defined in Customizing.

There is a field to specify risk level for an auditable item. In addition to risk levels, each auditable item can be defined with the appropriate level of likelihood to occur as well as the rated level of the possible impact.

Only released auditable items can be assigned to audits and audit plans. After any change, you need to release an auditable item to make the change come into effect. There is an option to release several auditable items at once using the Mass Release functionality.

Additionally, it is possible to enable an approval process for auditable items to ensure that changes are aligned with management. In the configuration settings, administrators specify which auditable items are eligible for release to prevent releasing of unapproved changes.

You can close an auditable item if it is no longer relevant to a company. The closed auditable item can be reopened.

The figure below shows one of predefined auditable Item workflows.

There are following steps of the auditable item workflow:

• Submit Auditable items

  When an audit manager creates an auditable item, the auditable item obtains the following status: Draft. When an auditable item is finalized, the audit manager submits it to a CAE for review in the Audit Universe app. The status of the auditable item changes to Submitted. The CAE will receive an audit e-mail notification to review the auditable item.

• Accept Auditable items

  In the Audit Universe app, the CAE reviews the auditable item, changes it if necessary and then accepts it. After accepting, the auditable item has the following status: Open. Then the CAE releases the auditable item to make the current version available for audits and audit plans. If the audit manager needs to change the released auditable item, s/he can make changes and resubmit the auditable item.

• Close Auditable items

  The CAE or audit manager closes the auditable item to exclude it from use in audits. The status of the auditable item changes to Closed. Then it is necessary to release the auditable item to make changes effective. Closed auditable items cannot be added to audits.

• Reopen Auditable items

  The CAE or audit manager reopens the closed auditable item if the audit team wants to use it again. The status of the auditable item changes to Open. Then the CAE or audit manager releases the auditable item to make changes effective.

All actions above are performed in the Audit Universe app.

An auditable item can have several lifecycle statuses, a lifecycle status indicates if current auditable item version is active to assign it to audits and audit plans. A lifecycle status of the auditable item can be viewed in the Administrative Data section of the auditable item.

The auditable item lifecycle statuses are as follows:

• New Master: no released version of the auditable item exists. All just created auditable items have this status before the first release.
• Released Master: the auditable item is released and no updates exist.
• Released and Updated Master: the auditable item has an update since its last release but the update is not released yet.

The following figure shows how status and version of the auditable item changes after actions for the auditable item.

After an auditable item status transfer from Released and Updated Master to Released Master, all audits, released, archived audit plans to which the auditable item is assigned have the auditable item in outdated version (version from a previous release). In the following screenshot, find the location where you can see a notification about an outdated auditable item version in a released audit plan.

In the following screenshot, you will find another example in which an audit has an auditable item in outdated version. To update the auditable item version in a particular audit, you can press on the circle symbol before ID, then the auditable item will be updated till the last released version. Update of the auditable item functionality is available in audits of Draft status and statuses of audit preparation phase where general data of an audit is editable.