What is an Audit

Universe?
Published September 16, 2021

An audit universe is a document that details all the audit activities to be carried out
by the internal audit function.
It consists of multiple and distinct auditable entities, processes, and activities,
which can be considered “auditable units.” The number of these auditable units
varies depending on the organization’s size, business complexity, and operational
scale. In some cases they can run into the hundreds or even thousands.
There are multiple ways to create auditable entities. One is to construct them as per
the key risks or controls. Another is by product or service lines, business units,
functional teams, business processes or systems, legal entities, or regulatory audits
required.
The audit universe is a “living document” and should be updated regularly based
on business needs, risk exposure, and other relevant risk factors.

Do I Need to Establish an Audit Universe?

There are no legal requirements or international standards to maintain an audit
universe. The organization’s audit head or chief audit executive (CAE) can decide
whether to create and maintain an audit universe, based on his or her view of the
organization’s risk maturity. The CAE can also make the decision based on several
factors, such as the organization’s:

 Size
 Geographical reach
 Industry
 Market or sector volatility
 Activity types
 Risks and risk appetite
The CAE may also consider creating an audit universe based on the assurance
requirements of the company’s board, audit committee, or other relevant
stakeholders.
An audit universe has proven to be beneficial for many organizations. One reason
is that it can inform an organization’s risk management practices and strategic
internal audit plan. Creating an audit universe can help with mapping the various
risks, internal controls, and regulations to each business unit. There’s also the
added benefit to reviewing audit history.
For each internal audit activity, an audit universe clarifies and documents the
extent of coverage of key risks by internal auditing. This information can help the
risk management and compliance teams during resourcing discussions, hiring, and
allocations. It also helps to establish which group (or “line of defense”) provides
assurance in which area.
An audit universe improves transparency to the internal audit function. It provides
audit committees and other stakeholders with a greater cyclical awareness of audit
management.
It also enhances the audit committee’s knowledge about the organization’s specific
risks, controls, and business strategies. By increasing the committee’s
understanding of the different functions and departments, the committee can better
identify control gaps, form overall audit opinions, and create a consolidated,
enterprise-wide assurance map.
An audit universe is particularly useful for organizations with a large or growing
network of outlets, depots, branches, stores, and subsidiaries. It enables managers
of such companies to mitigate the risks created by this ecosystem in a systematic,
priority-based manner. They can conduct regular audit reviews to address and
manage all significant risks that might affect the organization.
This ability to perform risk-based auditing (see next section) is invaluable for
organizations since the internal audit function can’t perform all possible audit
activities due to limited resources. Instead, the audit team can determine and
update the audit universe based on the criticality of the risks that should be
addressed on priority.
 How to Create an Audit Universe
There is no standardized approach to developing an audit universe, because its
structure should be tailored to the organization’s scale and complexity. As a
general best practice, however, the audit universe should strive to include an
“optimal” number of auditable units.
Too few auditable units can lead to a loss of granularity because the groupings are
too broad. On the other hand, too many auditable units may result in too much time
spent (or wasted) completing internal audits and risk assessments for each entity.
It can be helpful to refer to the organization chart, risk registers, or accounting cost
centers to reconcile the auditable entities within the audit universe and assure its
completeness.
Some critical components to building an audit universe include:

Overview Section
For maximum usefulness, the audit universe should include an Overview section.
This section should consist of a list of all the audits per auditable entity or business
area.

Risk Register
The audit universe should include the “risk register” (that is, a formal catalog of
risks) directly aligned with individual audit topics or business processes. This
mapping helps with the creation of a risk-based audit plan that, in turn, can help
with the proper allocation of all audit activities and resources to the most high-risk
areas.
The mapping can also reveal how risk-averse the organization is and whether its
existing risk thresholds are appropriate.

Previous Audits
Mapping previous audits against the audit activities identified in the Overview
section can help the organization:

 Determine audit coverage by each business function or area

 Identify what actions (if any) have been performed against high-risk areas
 Simplify audit budgeting
 Optimize resource allocation
 Tighten the annual audit plan
Additional Elements
Other components that can be included in an audit universe:

 Internal components
o Strategic plan and goals
o Business model
o Legal entities and geographic locations
o Risk profile and appetite
o Internal reviews: First and second lines of defense (operating units in the First Line;
compliance and risk management teams in the Second Line)
 External components
o External reviews
o Industry trends
o Regulatory compliance obligations/responsibilities