An audit universe is a document that details all the audit activities to be carried out by the internal audit function.

It consists of multiple and distinct auditable entities, processes, and activities, which can be considered “auditable units.” The number of these auditable units varies depending on the organization’s size, business complexity, and operational scale. In some cases they can run into the hundreds or even thousands.

There are multiple ways to create auditable entities. One is to construct them according to the key risks or controls. Another is by product or service lines, business units, functional teams, business processes or systems, legal entities, or required regulatory audits.

The audit universe is a “living document” and should be updated regularly based on business needs, risk exposure, and other relevant risk factors.

Do I Need to Establish an Audit Universe?

There are no legal requirements or international standards to maintain an audit universe. The organization’s audit head or chief audit executive (CAE) can decide whether to create and maintain an audit universe, based on his or her view of the organization’s risk maturity. The CAE can also make the decision based on several factors, such as the organization’s:

  • Size
  • Geographical reach
  • Industry
  • Market or sector volatility
  • Activity types
  • Risks and risk appetite

The CAE may also consider creating an audit universe based on the assurance requirements of the company’s board, audit committee, or other relevant stakeholders.

An audit universe has proven to be beneficial for many organizations. One reason is that it can inform an organization’s risk management practices and strategic internal audit plan. Creating an audit universe can help with mapping the various risks, internal controls, and regulations to each business unit. There’s also the added benefit of reviewing audit history.

For each internal audit activity, an audit universe clarifies and documents the extent of coverage of key risks by internal auditing. This information can help the risk management and compliance teams during resourcing discussions, hiring, and allocations. It also helps to establish which group (or “line of defense”) provides assurance in which area.

An audit universe improves transparency into the internal audit function. It provides audit committees and other stakeholders with a greater cyclical awareness of audit management.

It also enhances the audit committee’s knowledge about the organization’s specific risks, controls, and business strategies. By increasing the committee’s understanding of the different functions and departments, the committee can better identify control gaps, form overall audit opinions, and create a consolidated, enterprise-wide assurance map.

An audit universe is particularly useful for organizations with a large or growing network of outlets, depots, branches, stores, and subsidiaries. It enables managers of such companies to mitigate the risks created by this ecosystem in a systematic, priority-based manner. They can conduct regular audit reviews to address and manage all significant risks that might affect the organization.

This ability to perform risk-based auditing (see next section) is invaluable for organizations since the internal audit function can’t perform all possible audit activities due to limited resources. Instead, the audit team can determine and update the audit universe based on the criticality of the risks that should be addressed as a priority.

How to Create an Audit Universe

There is no standardized approach to developing an audit universe, because its structure should be tailored to the organization’s scale and complexity. As a general best practice, however, the audit universe should strive to include an “optimal” number of auditable units.

Too few auditable units can lead to a loss of granularity because the groupings are too broad. On the other hand, too many auditable units may result in too much time spent (or wasted) completing internal audits and risk assessments for each entity.

It can be helpful to refer to the organization chart, risk registers, or accounting cost centers to reconcile the auditable entities within the audit universe and assure its completeness.

Some critical components of building an audit universe include:

Overview Section

For maximum usefulness, the audit universe should include an Overview section. This section should consist of a list of all the audits per auditable entity or business area.

Risk Register

The audit universe should include the “risk register” (that is, a formal catalog of risks) directly aligned with individual audit topics or business processes. This mapping helps with the creation of a risk-based audit plan that, in turn, can help with the proper allocation of all audit activities and resources to the highest-risk areas.

The mapping can also reveal how risk-averse the organization is and whether its existing risk thresholds are appropriate.

Previous Audits

Mapping previous audits against the audit activities identified in the Overview section can help the organization:

  • Determine audit coverage by each business function or area
  • Identify what actions (if any) have been performed against high-risk areas
  • Simplify audit budgeting
  • Optimize resource allocation
  • Tighten the annual audit plan

Additional Elements

Other components that can be included in an audit universe:

  • Internal components

    • Strategic plan and goals
    • Business model
    • Legal entities and geographic locations
    • Risk profile and appetite
    • Internal reviews: First and second lines of defense (operating units in the First Line; compliance and risk management teams in the Second Line)
  • External components

    • External reviews
    • Industry trends
    • Regulatory compliance obligations/responsibilities

Audits and Risk Management Are Easy With ZenGRC

Robust auditing and risk management start with better risk visibility. ZenGRC shows these risks and where they’re changing in your organization, so you can better manage risks and mitigate business exposure.

You can operationalize risk management, calculate risks, and remediate them with real-time updates from one application. A visual dashboard creates a clear view for monitoring performance, while reporting and insights reveal more details about your risk posture.

Need help setting up a successful risk and audit program with ZenGRC? Contact the audit and risk experts at Reciprocity.
