Audit scope


Audit scope defines the coverage and the extent of testing activities of an assurance review. The scope of an audit should be sufficient to satisfy the objectives of the engagement (audit). The Institute of Internal Auditors (IIA) established a framework of key Internal Audit Scope Standards to provide guidance for setting appropriate audit scope objectives. The five key objectives include the following items:

1. “Review the reliability and integrity of operating and financial information and how it is identified, measured, classified, and reported.

2. Determine whether the systems designed to comply with operating and reporting policies, plans, procedures, laws, and regulations are actually being followed.

3. Review how assets are safeguarded, and verify the existence of assets as appropriate.

4. Examine company resources to determine how effectively and efficiently they are utilized.

5. Review company operations and programs to determine whether they are being carried out as planned and whether they are meeting their objectives”[1].

The IIA Chicago Chapter argues that audit scopes should also include strategic issues. Research shows that many financial reporting problems stem from strategic issues[2].

Audit planning phase

Determination of audit scope is part of the planning phase in the audit process. There are four audit process stages: audit planning, collection of audit evidence, evaluation of audit evidence, and communication of audit results. The purpose of the planning phase is to establish the scope and objectives, organize the audit team, develop knowledge of business operations, review prior audit results, identify risk factors, and prepare the audit program[3].

Risk-based approach to audit scopes

Audit scopes are typically based on a risk assessment that focuses on key risk areas or uncertainties related to the activity that is reviewed. Risk is measured in terms of the likelihood of occurrence of adverse outcomes arising from the subject activity (inherent risk). Risk is mitigated by the existence of internal controls (mitigating factors). The level of residual risk (the difference between inherent risk and mitigating factors) drives audit requirements. Higher risk areas receive more frequent or more comprehensive reviews (a greater extent of testing). A risk-based audit approach steers the audit process in a way that maximizes the benefit of assurance work by ensuring resources are allocated to the highest risks confronting the organization. This approach aims to improve the effectiveness and efficiency of audits, as it ensures that key risks are addressed with an optimal usage of audit resources[4].

The impact of the COSO framework

The scopes of internal audits are heavily influenced by the framework for evaluation of internal controls established by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). This unified approach for the assessment of internal control systems has five control components: (1) control environment, (2) risk assessment, (3) control activities, (4) information and communication, and (5) monitoring. The Sarbanes-Oxley Act of 2002 (SOX) has shifted the purpose of the internal audit function to focus on testing for compliance with SOX, which requires evaluation of the effectiveness of internal controls, which are “the subset of internal controls addressed in the COSO Report that pertains to financial reporting objectives”[5].



  1. Romney, M. B., Steinbart, P. J. (2003)
  2. Bariff, M. (2003)
  3. Romney, M. B., Steinbart, P. J. (2003)
  4. Spencer Pickett, K. H. (2006)
  5. Martin, K., Sanders, E., Scalan, G. (2014)

Author: Daniel Gaura