Internal Audit: Understanding the audit universe and the journey to risk maturity

By Steve Bruce CA

17 April 2018

Is an internal audit universe required and if so, how do you establish and maintain this universe? Steve Bruce CA finds out.

This article is the first in a series with the aim of stimulating discussion and providing insight for Audit Committees, executive management and internal auditors about the internal audit cycle.

Firstly, not all internal audit functions will develop an internal audit universe, but more of this later.

An internal audit universe comprises several distinct auditable entities which can range from a few to several hundred or perhaps even thousands depending on the scale and complexity of your organisation.

These auditable entities are often constructed according to business unit, product or service line, legal entity, regulatory required audit, processes, programmes, or systems. Alternatively, an auditable entity may simply be constructed according to a key risk or key control. In practice, the internal audit universe is often a combination of all or most of the above.

Put simply, if you think of your organisation as a big cake; how best do you slice that cake to arrive at sensible bite-sized chunks that can be easily and effectively audited? Each chunk is an auditable entity and collectively the chunks are known as the internal audit universe. It’s a subjective process.

Once the nature and scope of these auditable entities are determined, internal audit will assess the risk of each auditable entity to assist in producing a risk-based internal audit plan which lists the internal audits to be carried out (this process of assessing the risk will be discussed in a follow-up article).

Is an internal audit universe required?

The short answer is: no.

Section 2010 – Planning – 2010.A1 of the International Standards issued by the International Professional Practices Framework (IPPF) state: ‘The internal audit activity's plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process’.

However, this documented risk assessment does not need to originate from an internal audit universe but can originate from an enterprise-wide risk identification and assessment process.

The Institute of Internal Auditors (IIA) confirmed that ‘The International Standards do not require audit activities to maintain an audit universe. The head of internal audit can choose whether or not to create and/or maintain an audit universe ….’.

However, there are significant benefits to internal audit and often the wider organisation in creating an internal audit universe including:

  • An internal audit universe helps provide transparency to internal audit and the Audit Committee over the audit coverage of key businesses or functions at a point in time. For example, internal audit can easily calculate and report that 100% of high risk-rated auditable entities have been, or are planned to be, audited during the financial year;
  • Internal audit will improve their knowledge of all parts your organisation including not only the risks and controls but also the business strategies, therefore, improving their commercial awareness. Specifically, internal audit will better understand the roles of each department or function within an organisation to help start discussions where there may be control gaps or duplicated effort. Additionally, internal audit can determine which departments or functions are already providing assurance within your organisation and develop an approach to determine if internal audit can rely on their work; and
  • Internal audit can better determine their future headcount and skillset requirements including possible hiring, or co-sourcing to obtain a skill-set.

So, should internal audit create and maintain an audit universe?

Internal audit’s decision to create an internal audit universe is often based on their independent view of the risk maturity within your organisation.

The IIA provides useful guidance on how internal audit can assess an organisation’s risk maturity. The table below provides a summary of this guidance:

Risk maturity table

 Risk maturityRisk-awareRisk definedRisk managedRisk defined
Key characteristics

No formal approach developed for risk management

Scattered silo-based approach to risk management

Strategy and policies in place and communicated. Risk appetite defined

Enterprise approach to risk management developed and communicated

Risk management and internal controls fully embedded into the operations

Internal Audit approach

Promote risk management and rely on alternative audit planning method

Promote enterprise-wide approach to risk management and rely on alternative audit planning method

Facilitate risk management / liaise with risk management and use management assessment of risk where appropriate

Audit risk management processes and use management assessment of risk as appropriate

Audit risk management processes and use management assessment of risk as appropriate

Although the final decision to create an internal audit universe lies with the Audit Committee and the Head of Internal Audit, internal audit is more likely to create an internal audit universe if they assess your organisational risk maturity to be Risk naïve, Risk-aware, or Risk defined.

The below graph demonstrates that an organisation’s risk maturity is usually an evolving process over time.

Assuming internal audit agree with executive management that overall your organisation is Risk enabled, or Risk managed then it’s more likely that internal audit would leverage the enterprise-wide risk identification and assessment process and decide not to create their own audit universe.

As always, the board and executive management own your organisation’s risks and risk maturity, but sometimes internal audit may have a different opinion from management on the risk maturity rating.

Source: IIA - Risk appetite and internal audit (published 22 March 2018).

What should your audit universe look like?

It’s an art, not a science.

Assuming internal audit establishes an audit universe, a decision needs to be made on the number of auditable entities to be created. As is often the case, there is a fine balance between too many and too few with an organisation’s hierarchy, scale and complexity often helping to determine the ‘optimal’ number.

By creating too many auditable entities, internal audit may spend excessive time completing and updating the background information and risk assessments for each auditable entity.

Alternatively, by creating too few auditable entities, some granularity could be lost, and the risk assessments may therefore not be sufficiently detailed to help inform internal audit where best to focus their audit plan and consequently their audit work.

As discussed above, the structure of the internal audit universe is best tailored to your organisation’s scale and complexity.

For example, separate auditable entities may be created for separate lines of business (let’s call them vertical auditable entities) but some controls may apply to each of these lines of business performed by centralised control functions such as Finance (let’s call them horizontal auditable entities).

Does it make sense for internal audit to include these Finance controls in each line of business auditable entity, or create a separate auditable entity for all the Finance controls that apply to the business lines?

The answer is subjective but needs to consider avoiding potential duplication of assessing the same risk, against arriving at the most complete and accurate risk assessment for each line of business.

How do you know the internal audit universe is complete?

This question is often asked of internal audit by Audit Committees, executive management, external auditors and regulators.

The standard answer is to broadly reconcile the auditable entities within the internal audit universe to organisation charts and to socialise the auditable entity structure with the Audit Committee, executive management, and external audit.

In addition, a useful but potentially time-consuming exercise is to reconcile the auditable entities to the general ledger maintained by Finance at an appropriate granularity of revenue and cost centres. All the above should be clearly documented and retained as evidence by internal audit.

How do you govern the internal audit universe process?  

Within the internal audit function, there needs to be effective governance and approval processes over the adding, combining or deleting of auditable entities.

This is especially important to help maintain consistency across the larger organisations and internal audit functions which may span the globe.

The role of internal audit policy & procedures, training, and internal audit’s practice and quality assurance teams are key to achieving this consistency.

Once you have agreed to establish an internal audit universe and decided on the auditable entities to create, the next stage is to focus on different ways to risk assess these auditable entities which ultimately leads to the production of an annual audit plan or rolling audit plan. This will be discussed in my next article.


  • Audit and Assurance
  • Committees and boards
  • Corporate Governance
  • Private sector

Previous Page