The Audit Universe

Conventional wisdom and common practice have resulted in the development of the … drum roll please … audit universe — the starting point for internal audit plan development. The audit universe is the sandbox in which internal auditors play. It represents all things (lines of business, subsidiaries, alliances, and processes) that are considered “auditable” by internal audit teams. It is a big list, and we measure coverage against this list. Math can get a little tricky, but we forge forward nonetheless.

Now let me pose this question: What happens to the rest of the risk universe? Is the audit universe equal to the risk universe? Probably not. So, who is providing assurance over the rest of the population of risks — things like geopolitical risk, economic recession and recovery, and brand risk? As an internal audit function, is it our role to go find out? Maybe we just assume that it’s management’s role, not ours. Or maybe it’s the role of enterprise risk management, the legal team, or other assurance services within your company.

Is internal audit just assuming that someone else will point out that there are gaps between the audit universe and the risk universe? Perhaps it’s our role to shine light on the gaps, so our stakeholders know what’s not on our radar. I’m not suggesting that internal audit must provide assurance beyond the audit universe. We may not have the skills or resources to do so. But I am suggesting that we take a look, if we haven’t already, to make sure our company’s risk universe is covered. And if not, then that’s a good starting point for a conversation with management and the audit committee.

Posted on Jun 27, 2011 by Kiko Harvey


  1. I agree with how you define the Audit Universe; however, you do have to look at how the Inherent Risks affect that audit universe.   These are two separate universes.  One denotes your responsible areas of concern (business and processes), and the second (risk universe) denotes the risks that affect each entity of the business (Audit Universe). 

    As I see it, the Geopolitical risks may not adversely affect a mom-and-pop grocery store in Brooklyn, NY or the lemonade stand set up in the neighborhood as much as they will affect the multi-national manufacturing firm or those businesses out-sourcing certain aspects in foreign ports.

    The Risk Universe and the Audit Universe are intertwined, but not one.  If you want, you can also consider the Control Universe and intertwine that into a Triad; maybe we should.  The Audit Universe is or can be affected by portions of the risk universe, while the control universe items that have been activated try to protect the audit universe from those risk universe risks.

    I can live knowing that there can be multiple universes, each intertwined at certain points.

    What do you think?

  1. As Internal Auditors we are required to provide an annual assessment on the adequacy and effectiveness of the organization's processes for controlling its activities and managing its risks.

    One organizational process for controlling risk should be an effective enterprise risk management program. I believe the analysis and strategizing to deal with external risks (geopolitical, economic, market), as well as opportunities, is a management function that should be included in the ERM program. As auditors we should be assessing the adequacy and effectiveness of management's ERM process.

  1. It would depend on how you build out your audit universe.  If you include both activities and functional driven areas, you should have all risks covered.  Taking your example, geopolitical risk could fall under a Corporate Governance activity, which could be done by any number of functions.  Some guidance is provided in practice advisory 2010-1, which states that the audit universe can include components from the organizational strategic plan, which in short is saying that the CAE must consider all risk when compiling the audit universe.

  1.  I would describe the risk universe as all those risks which could impact on the achievement of organisational objectives at the respective organisational levels.

    I would describe the audit universe as those significant risks asserted to be under control - that is with residual risk ratings equal or below their specified risk appetites - on which assurance should be provided.

    I would describe a third universe, the consulting universe, for  those significant risks asserted to be NOT under control - that is with residual risk ratings above their specified risk appetites - on which consulting should be provided.

    The assumption on all of the above is that management are competent in conducting the appropriate assessments and if not, then internal auditors should provide consulting services on those aspects management is not competent in so that they can rely on the management assessments.

  1. Interesting discussion about risk and audit universes.  Risk universe usually is defined in the ERM and, as someone else pointed out, it falls under the risk group (if you have one) or senior management to assess the different internal and external risks that an organization is exposed to.

    Our role, in my opinion, is assessing the logical process used to determine those risks, to identify their impact and likelihood.  Once the assessment is done, Internal Audit should also comment on any risk not included (gaps) in the universe and suggest, advise, and comment on what management should do in that respect.  Once the risk universe is defined, internal audit can and should develop its audit universe, which would be a result of the first process.



  1. Great thoughts, everyone.  I agree that the universes are intertwined (risk, audit, and control). 

  1. Hello Kiko,

    Wow! Excellent! Superb!

    I appreciate the way you have interpreted Audit Universe. My two cents:

    - While mapping the Audit Universe, as an Internal Auditor, I do take stock of various Risks;

    - Audit Universe mostly comprises "auditable" areas, while I do agree that external factors are equally important but because of contingency in nature, these are not given priority.

    Your views please.


