Internal Audit: Understanding the audit universe and the journey to risk maturity

By Steve Bruce CA

17 April 2018

Key points

  • An internal audit universe is made up of a range of distinct auditable entities which can run to several hundred or even thousands depending on the scale and complexity of the organisation.

  • The decision to create an internal audit universe is often based on internal audit’s independent view of the risk maturity within the organisation.

  • Organisations of all types and sizes can benefit from implementing an internal audit universe, although common pitfalls should be considered.

Is an internal audit universe required and if so, how do you establish and maintain this universe? Steve Bruce CA finds out.

This article is the first in a series with the aim of stimulating discussion and providing insight for Audit Committees, executive management and internal auditors about the internal audit cycle.

Firstly, not all internal audit functions will develop an internal audit universe, but more of this later.

An internal audit universe comprises several distinct auditable entities which can range from a few to several hundred or perhaps even thousands depending on the scale and complexity of your organisation.

These auditable entities are often constructed according to business unit, product or service line, legal entity, regulatory required audit, processes, programmes, or systems. Alternatively, an auditable entity may simply be constructed according to a key risk or key control. In practice, the internal audit universe is often a combination of all or most of the above.

Put simply, think of your organisation as a big cake: how best do you slice that cake to arrive at sensible bite-sized chunks that can be easily and effectively audited? Each chunk is an auditable entity and collectively the chunks are known as the internal audit universe. It’s a subjective process.

Once the nature and scope of these auditable entities are determined, internal audit will assess the risk of each auditable entity to assist in producing a risk-based internal audit plan which lists the internal audits to be carried out (this process of assessing the risk will be discussed in a follow-up article).

Is an internal audit universe required?

The short answer is: no.

Section 2010 – Planning – 2010.A1 of the International Standards issued by the International Professional Practices Framework (IPPF) states: ‘The internal audit activity's plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process’.

However, this documented risk assessment does not need to originate from an internal audit universe but can originate from an enterprise-wide risk identification and assessment process.

The Institute of Internal Auditors (IIA) confirmed that ‘The International Standards do not require audit activities to maintain an audit universe. The head of internal audit can choose whether or not to create and/or maintain an audit universe ….’.

However, there are significant benefits to internal audit and often the wider organisation in creating an internal audit universe including:

  • An internal audit universe helps provide transparency to internal audit and the Audit Committee over the audit coverage of key businesses or functions at a point in time. For example, internal audit can easily calculate and report that 100% of high risk-rated auditable entities have been, or are planned to be, audited during the financial year;
  • Internal audit will improve their knowledge of all parts of your organisation, including not only the risks and controls but also the business strategies, thereby improving their commercial awareness. Specifically, internal audit will better understand the roles of each department or function within an organisation to help start discussions where there may be control gaps or duplicated effort. Additionally, internal audit can determine which departments or functions are already providing assurance within your organisation and develop an approach to determine if internal audit can rely on their work; and
  • Internal audit can better determine their future headcount and skillset requirements including possible hiring, or co-sourcing to obtain a skill-set.

So, should internal audit create and maintain an audit universe?

Internal audit’s decision to create an internal audit universe is often based on their independent view of the risk maturity within your organisation.

The IIA provides useful guidance on how internal audit can assess an organisation’s risk maturity. The table below provides a summary of this guidance:

Risk maturity table

| Risk maturity | Key characteristics | Internal Audit approach |
|---|---|---|
| Risk naïve | No formal approach developed for risk management | Promote risk management and rely on alternative audit planning method |
| Risk-aware | Scattered silo-based approach to risk management | Promote enterprise-wide approach to risk management and rely on alternative audit planning method |
| Risk defined | Strategy and policies in place and communicated. Risk appetite defined | Facilitate risk management / liaise with risk management and use management assessment of risk where appropriate |
| Risk managed | Enterprise approach to risk management developed and communicated | Audit risk management processes and use management assessment of risk as appropriate |
| Risk enabled | Risk management and internal controls fully embedded into the operations | Audit risk management processes and use management assessment of risk as appropriate |

Although the final decision to create an internal audit universe lies with the Audit Committee and the Head of Internal Audit, internal audit is more likely to create an internal audit universe if they assess your organisational risk maturity to be Risk naïve, Risk-aware, or Risk defined.

The below graph demonstrates that an organisation’s risk maturity is usually an evolving process over time.

Assuming internal audit agrees with executive management that your organisation is, overall, Risk enabled or Risk managed, it is more likely that internal audit would leverage the enterprise-wide risk identification and assessment process and decide not to create their own audit universe.

As always, the board and executive management own your organisation’s risks and risk maturity, but sometimes internal audit may have a different opinion from management on the risk maturity rating.

Source: IIA - Risk appetite and internal audit (published 22 March 2018).

What should your audit universe look like?

It’s an art, not a science.

Assuming internal audit establishes an audit universe, a decision needs to be made on the number of auditable entities to be created. As is often the case, there is a fine balance between too many and too few with an organisation’s hierarchy, scale and complexity often helping to determine the ‘optimal’ number.

By creating too many auditable entities, internal audit may spend excessive time completing and updating the background information and risk assessments for each auditable entity.

Alternatively, by creating too few auditable entities, some granularity could be lost, and the risk assessments may therefore not be sufficiently detailed to help inform internal audit where best to focus their audit plan and consequently their audit work.

As discussed above, the structure of the internal audit universe is best tailored to your organisation’s scale and complexity.

For example, separate auditable entities may be created for separate lines of business (let’s call them vertical auditable entities) but some controls may apply to each of these lines of business performed by centralised control functions such as Finance (let’s call them horizontal auditable entities).

Does it make sense for internal audit to include these Finance controls in each line of business auditable entity, or create a separate auditable entity for all the Finance controls that apply to the business lines?

The answer is subjective, but it needs to weigh avoiding potential duplication in assessing the same risk against arriving at the most complete and accurate risk assessment for each line of business.

How do you know the internal audit universe is complete?

This question is often asked of internal audit by Audit Committees, executive management, external auditors and regulators.

The standard answer is to broadly reconcile the auditable entities within the internal audit universe to organisation charts and to socialise the auditable entity structure with the Audit Committee, executive management, and external audit.

In addition, a useful but potentially time-consuming exercise is to reconcile the auditable entities to the general ledger maintained by Finance at an appropriate granularity of revenue and cost centres. All the above should be clearly documented and retained as evidence by internal audit.

How do you govern the internal audit universe process?  

Within the internal audit function, there needs to be effective governance and approval processes over the adding, combining or deleting of auditable entities.

This is especially important to help maintain consistency across the larger organisations and internal audit functions which may span the globe.

The roles of internal audit policy & procedures, training, and internal audit’s practice and quality assurance teams are key to achieving this consistency.

Once you have agreed to establish an internal audit universe and decided on the auditable entities to create, the next stage is to focus on different ways to risk assess these auditable entities which ultimately leads to the production of an annual audit plan or rolling audit plan. This will be discussed in my next article.
