What Is an Audit Universe?
An audit universe is the complete set of auditable entities within an organisation's scope. These entities can be processes, departments, systems, legal entities, projects, or any other unit of work that carries risk and can be subjected to audit scrutiny. The universe forms the foundation of the annual audit plan — you cannot plan well from a poor universe.
The problem is that most audit universes are built once and then updated minimally. They become static lists rather than living documents that reflect how the organisation's risk profile actually changes over time. When the universe stops reflecting reality, the audit plan follows suit — and internal audit starts auditing the past instead of the present.
The Most Common Failure: Copying Last Year's List
The single most common audit universe failure is copying and lightly editing the previous year's version. This approach assumes that the organisation's risk profile is essentially unchanged, that no new processes or systems have been introduced, and that the relative risk ranking of existing entities is still valid. None of these assumptions are reliably true — especially in organisations undergoing change.
New products, acquisitions, regulatory changes, system implementations, leadership transitions, and strategic pivots all affect where risk actually sits in an organisation. An audit universe that does not capture these shifts will produce an audit plan that systematically misses emerging risk areas while repeatedly revisiting stable ones.
Building a Dynamic, Risk-Aligned Universe
A well-built audit universe starts with a comprehensive inventory of auditable entities — every process, system, function, and business unit that falls within the audit charter. This inventory should be broad enough to capture all relevant risk areas, including those that are traditionally under-audited, such as HR processes, strategic planning, culture, and change management.
Once the inventory exists, each entity must be assessed against a consistent risk scoring framework. Common scoring dimensions include:
- Inherent risk: The risk present in the entity before any controls are applied, considering factors such as transaction volume, regulatory exposure, and complexity.
- Control environment: The maturity and effectiveness of existing controls, informed by prior audit results, management self-assessments, and external audit findings. Note that this dimension runs in the opposite direction to the others when it is scored: weaker controls mean a higher score, so the scale must be defined and documented explicitly.
- Rate of change: How much the entity has changed since it was last audited — new systems, new leadership, new processes, and new regulatory requirements all increase risk.
- Strategic importance: How closely the entity is linked to the organisation's strategic priorities. High-priority strategic initiatives warrant audit attention regardless of their historical risk profile.
- Stakeholder concern: Areas of concern raised by the board, audit committee, senior management, or external auditors deserve elevated weighting.
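As an added illustration (not part of the original article), the following Python sketch implements a scoring model of the kind described in the list above: the five dimensions weighted and combined on a common scale, every entity checked for complete and in-range scores so that the model is applied consistently, and a minimum-coverage rule so that low-scoring stable entities are not deferred indefinitely. Every de-prioritised entity is returned with the reason, which is what an audit committee needs in order to challenge the plan. The weights, the 1-to-5 scale, the four-year cycle limit and the sample entities are constructed assumptions, not figures from the article.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Illustrative weights for the five dimensions (an assumption; the real weights
# are a documented choice of the audit function and must sum to 1).
WEIGHTS = {
    "inherent_risk": 0.30,
    "control_weakness": 0.25,   # control environment, scored as weakness: 5 = immature
    "rate_of_change": 0.20,
    "strategic_importance": 0.15,
    "stakeholder_concern": 0.10,
}
SCALE = (1, 5)           # every dimension is scored on the same 1..5 scale
MAX_CYCLE_YEARS = 4      # coverage rule: nothing stays unaudited longer than this (assumption)


@dataclass
class Entity:
    name: str
    scores: Dict[str, int]                   # dimension -> 1..5
    years_since_audit: Optional[int] = None  # None = never audited


def weighted_score(entity: Entity, weights: Dict[str, float] = WEIGHTS) -> float:
    """Weighted average of the dimension scores, reported on the same 1..5 scale.

    Rejects incomplete, unknown or out-of-range scores so that every entity in
    the universe is assessed the same way.
    """
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")
    missing = set(weights) - set(entity.scores)
    if missing:
        raise ValueError(f"{entity.name}: unscored dimensions {sorted(missing)}")
    lo, hi = SCALE
    for dim, value in entity.scores.items():
        if dim not in weights:
            raise ValueError(f"{entity.name}: unknown dimension {dim!r}")
        if not lo <= value <= hi:
            raise ValueError(f"{entity.name}: {dim}={value} outside {lo}..{hi}")
    return round(sum(weights[d] * entity.scores[d] for d in weights), 2)


def build_plan(entities: List[Entity], capacity: int,
               max_cycle_years: int = MAX_CYCLE_YEARS
               ) -> Tuple[List[Tuple[str, float, str]], List[Tuple[str, float, str]]]:
    """Rank the universe and fill `capacity` audit slots.

    Entities never audited, or unaudited for longer than the cycle, are taken
    first so that stable areas are not starved forever; remaining slots go to
    the highest scores. Returns (plan, deferred), each a list of
    (name, score, reason) so that every omission is visible and explained.
    """
    ranked = sorted(entities, key=weighted_score, reverse=True)
    forced, by_score = [], []
    for e in ranked:
        overdue = e.years_since_audit is None or e.years_since_audit >= max_cycle_years
        (forced if overdue else by_score).append(e)

    plan, deferred = [], []
    for e in forced:
        why = ("never audited" if e.years_since_audit is None
               else f"{e.years_since_audit} years since last audit (cycle limit {max_cycle_years})")
        if len(plan) < capacity:
            plan.append((e.name, weighted_score(e), why))
        else:
            # Coverage rule cannot be met: this is a capacity problem to escalate.
            deferred.append((e.name, weighted_score(e), "coverage rule breached: no capacity"))
    for e in by_score:
        if len(plan) < capacity:
            plan.append((e.name, weighted_score(e), "risk score"))
        else:
            deferred.append((e.name, weighted_score(e), "below score cut-off"))
    return plan, deferred


# Constructed sample universe for the demonstration (not real data).
UNIVERSE = [
    Entity("Payroll", {"inherent_risk": 3, "control_weakness": 2, "rate_of_change": 1,
                       "strategic_importance": 2, "stakeholder_concern": 1}, years_since_audit=4),
    Entity("Cloud migration programme", {"inherent_risk": 4, "control_weakness": 4, "rate_of_change": 5,
                                         "strategic_importance": 5, "stakeholder_concern": 4}),
    Entity("Treasury", {"inherent_risk": 5, "control_weakness": 2, "rate_of_change": 2,
                        "strategic_importance": 3, "stakeholder_concern": 2}, years_since_audit=1),
    Entity("Acquired subsidiary onboarding", {"inherent_risk": 4, "control_weakness": 5, "rate_of_change": 5,
                                              "strategic_importance": 4, "stakeholder_concern": 5}),
    Entity("Facilities", {"inherent_risk": 1, "control_weakness": 2, "rate_of_change": 1,
                          "strategic_importance": 1, "stakeholder_concern": 1}, years_since_audit=2),
]

if __name__ == "__main__":
    plan, deferred = build_plan(UNIVERSE, capacity=3)
    for name, score, why in plan:
        print(f"PLAN      {name:<32} {score:.2f}  {why}")
    for name, score, why in deferred:
        print(f"DEFERRED  {name:<32} {score:.2f}  {why}")
```

With three slots, the coverage rule pulls Payroll (score 2.00, four years unaudited) into the plan ahead of Treasury (score 3.05), and the deferred list records why. That is exactly the de-prioritisation the audit committee should see: it can then challenge the cycle length, the weights or the capacity rather than approve a plan whose logic is hidden.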
The Role of the Audit Committee
The audit universe and the risk scores assigned to each entity should not be developed in isolation by the internal audit function. The board and audit committee have a critical role in validating the universe and confirming that the Chief Audit Executive's (CAE's) understanding of organisational risk aligns with the governance body's own perspective.
Presenting the risk-scored universe to the audit committee annually — not just the resulting audit plan — gives governance bodies visibility into the logic behind audit prioritisation and creates an opportunity for informed challenge. When the audit committee can see which areas have been de-prioritised and why, they can provide meaningful input rather than simply approving a plan they do not fully understand.
Keeping the Universe Current
The audit universe should be reviewed at least annually as part of the audit planning process, but the most effective CAEs maintain a rolling update process. Whenever a significant organisational change occurs — a major system implementation, an acquisition, a regulatory development, or a strategic pivot — the universe should be reassessed to determine whether new auditable entities have emerged or existing ones have materially changed in risk profile.
A stale audit universe is an invisible risk. It shapes every prioritisation decision the function makes — and most audit teams do not realise how out of date theirs has become until they miss something significant.
The audit universe is not an administrative document. It is the intellectual foundation of the audit function's contribution to governance. Treat it that way, and the audit plan that flows from it will reflect actual risk rather than audit habit.
Practical Steps to Get Started
If your current audit universe is outdated or was inherited without documentation of how it was built, the right approach is to rebuild it deliberately. Start by conducting structured interviews with senior leadership across all business functions to understand where they see emerging risk. Layer this against the organisation's strategic plan, recent regulatory communications, external audit findings, and internal incident data. Build a scoring model that is transparent and consistently applied. Validate the scored universe with the audit committee. Then build the plan from the result — not the other way around.