The Audit Universe

Conventional wisdom and common practice have resulted in the development of the … drum roll please … audit universe — the starting point for internal audit plan development. The audit universe is the sandbox in which internal auditors play. It represents all things (lines of business, subsidiaries, alliances, and processes) that are considered “auditable” by internal audit teams. It is a big list, and we measure coverage against this list. Math can get a little tricky, but we forge forward nonetheless.

Now let me pose this question: What happens to the rest of the risk universe? Is the audit universe equal to the risk universe? Probably not. So, who is providing assurance over the rest of the population of risks — things like geopolitical risk, economic recession and recovery, and brand risk? As an internal audit function, is it our role to go find out? Maybe we just assume that it’s management’s role, not ours. Or maybe it’s the role of enterprise risk management, the legal team, or other assurance services within your company.

Is internal audit just assuming that someone else will point out that there are gaps between the audit universe and the risk universe? Perhaps it’s our role to shine light on the gaps, so our stakeholders know what’s not on our radar. I’m not suggesting that internal audit must provide assurance beyond the audit universe. We may not have the skills or resources to do so. But I am suggesting that we take a look, if we haven’t already, to make sure our company’s risk universe is covered. And if not, then that’s a good starting point for a conversation with management and the audit committee.

Posted on Jun 27, 2011 by Kiko Harvey


  1. I agree with how you define the Audit Universe; however, you do have to look at how the Inherent Risks affect that audit universe.   These are two separate universes.  One denotes your responsible areas of concern (business and processes), and the second (risk universe) denotes the risks that affect each entity of the business (Audit Universe). 

    As I see it, the Geopolitical risks may not adversely affect a mom-and-pop grocery store in Brooklyn, NY or the lemonade stand set up in the neighborhood as much as they will affect the multi-national manufacturing firm or those businesses out-sourcing certain aspects in foreign ports.

    The Risk Universe and the Audit Universe are intertwined, but not one.  If you want, you can also consider the Control Universe and intertwine that into a Triad; maybe we should.  The Audit Universe is or can be affected by portions of the risk universe, while the control universe items that have been activated try to protect the audit universe from those risk universe risks.

    I can live knowing that there can be multiple universes, each intertwined at certain points.

    What do you think?

  1. As Internal Auditors we are required to provide an annual assessment on the adequacy and effectiveness of the organization's processes for controlling its activities and managing its risks.

    One organizational process for controlling risk should be an effective enterprise risk management program. I believe the analysis and strategizing to deal with external risks (geopolitical, economic, market) as well as opportunities is a management function that should be included in the ERM program. As auditors we should be assessing the adequacy and effectiveness of management's ERM process.

  1. It would depend on how you build out your audit universe.  If you include both activities and functional driven areas, you should have all risks covered.  Taking your example, geopolitical risk could fall under a Corporate Governance activity, which could be done by any number of functions.  Some guidance is provided in practice advisory 2010-1, which states that the audit universe can include components from the organizational strategic plan, which in short is saying that the CAE must consider all risk when compiling the audit universe.

  1.  I would describe the risk universe as all those risks which could impact on the achievement of organisational objectives at the respective organisational levels.

    I would describe the audit universe as those significant risks asserted to be under control - that is with residual risk ratings equal or below their specified risk appetites - on which assurance should be provided.

    I would describe a third universe, the consulting universe, for  those significant risks asserted to be NOT under control - that is with residual risk ratings above their specified risk appetites - on which consulting should be provided.

    The assumption on all of the above is that management are competent in conducting the appropriate assessments and if not, then internal auditors should provide consulting services on those aspects management is not competent in so that they can rely on the management assessments.

  1. Interesting discussion about risk and audit universes.  Risk universe usually is defined in the ERM and as someone else pointed out, it falls under the risk group (if you have one) or senior management to assess the different internal and external risks that an organization is exposed to.

    Our role, in my opinion, is assessing the logical process used to determine those risks, to identify their impact and likelihood.  Once the assessment is done, Internal Audit should also comment on any risk not included (gaps) in the universe and suggest, advise, and comment on what management should do in that respect.  Once the risk universe is defined, internal audit can and should develop its audit universe which would be a result of the first process.



  1. Great thoughts, everyone.  I agree that the universes are intertwined (risk, audit, and control). 

  1. Hello Kiko,

    Wow! Excellent! Superb!

    I appreciate the way you have interpreted Audit Universe. My two cents:

    - While mapping the Audit Universe, as an Internal Auditor, I do take stock of various Risks;

    - Audit Universe mostly comprises "auditable" areas, while I do agree that external factors are equally important but because of contingency in nature, these are not given priority.

    Your views please.


