Audit Universe: What It Is, How to Build One & Examples [2026]
Audit Universe
An audit universe is the comprehensive inventory of all auditable entities, business processes, and risk areas within an organisation that the internal audit function could potentially examine. It forms the foundation of the annual audit plan and ensures the chief audit executive can allocate audit resources to the areas of highest risk under a risk-based internal audit approach aligned with GIAS 2024.
💡 Key Takeaways
- The audit universe is a master list of every auditable entity — business units, processes, systems, projects, and compliance areas — that internal audit could examine.
- It is the starting point for risk-based audit planning: you risk-score each entity, then prioritise high-risk items for the annual audit plan.
- GIAS 2024 requires the CAE to develop a risk-based audit plan informed by an enterprise-wide risk assessment — the audit universe makes this possible.
- A well-maintained audit universe typically contains 50–200+ auditable entities depending on organisational size and complexity.
- This guide includes a step-by-step process, an audit universe template, and worked examples for different organisation types.
Table of Contents
- What Is an Audit Universe and What Does It Include?
- Why the Audit Universe Matters for Risk-Based Internal Audit Planning
- How to Build an Audit Universe: Step-by-Step Process
- Audit Universe Template: Columns and Structure
- Audit Universe Example: Corporate and CMS Audit Universe
- From Audit Universe to Annual Audit Plan: Risk Scoring and Prioritisation
- Common Mistakes When Building an Audit Universe
- Frequently Asked Questions
What Is an Audit Universe and What Does It Include?
An audit universe is the complete catalogue of auditable entities within an organisation. It includes every business unit, process, system, project, compliance requirement, and geographic location that the internal audit function could potentially audit. The audit universe answers the question: what is the total scope of things we could examine?
Typical components of an audit universe include:
- Business units and subsidiaries: Each legal entity, division, or regional office.
- Business processes: Procure-to-pay, order-to-cash, hire-to-retire, financial close, treasury management.
- IT systems and infrastructure: ERP, CRM, cybersecurity controls, IT general controls (ITGC), cloud environments.
- Compliance and regulatory areas: Anti-money laundering, data protection (GDPR), health and safety, environmental compliance, regulatory compliance.
- Projects and programmes: Major capital projects, transformation programmes, M&A integration.
- Third-party and outsourcing arrangements: Key vendor relationships, outsourced functions, joint ventures.
- Risk domains: Fraud risk, cybersecurity risk, operational risk, financial reporting risk, strategic risk.
"The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organisation’s goals." — GIAS 2024, Standard 13.2
The audit universe is not the audit plan itself — it is the population from which the plan is drawn. The CAE uses the audit universe to perform a risk assessment, score each entity, and then select the highest-risk items for inclusion in the annual audit plan. This risk-based approach is a core requirement of GIAS 2024 and is tested extensively in the CIA Part 2 exam.
Why the Audit Universe Matters for Risk-Based Internal Audit Planning
A well-maintained audit universe is essential because it ensures audit resources are directed at the organisation’s most significant risks rather than being spread evenly across low-risk and high-risk areas. Without an audit universe, the CAE cannot demonstrate that the annual audit plan is risk-based — a fundamental requirement under GIAS 2024 and a governance expectation of the audit committee.
Specific benefits of maintaining a formal audit universe include:
- Risk-based resource allocation: Focus limited audit hours on high-risk and high-impact areas, maximising the value of the internal audit function.
- Audit coverage tracking: Monitor which auditable entities have been audited recently and which have coverage gaps, supporting internal audit KPIs such as audit universe coverage ratio.
- Board and audit committee communication: Provide the committee with a clear picture of audit scope, coverage, and the rationale behind audit plan priorities.
- Enterprise risk management alignment: Map auditable entities to the organisation’s enterprise risk register, ensuring internal audit and the three lines model work in coordination.
- Continuous updating: As the organisation evolves (new acquisitions, regulatory changes, digital transformation), the audit universe is updated to reflect emerging risks.
✅ Pro Tip: Review and update the audit universe at least annually, ideally before the annual audit plan cycle. Involve senior management and the risk function to capture changes in the business, new regulatory requirements, and emerging risks like AI-enabled fraud.
How to Build an Audit Universe: Step-by-Step Process
Building an audit universe requires a systematic approach that combines top-down organisational mapping with bottom-up risk identification. The process below follows the risk-based planning requirements of GIAS 2024 and represents good practice for internal audit functions of any size.
- Map the organisational structure: Start with the org chart. List every business unit, subsidiary, division, department, and geographic location. These form the first layer of auditable entities.
- Identify key business processes: Within each business unit, list the major processes (e.g., revenue recognition, procurement, payroll, treasury). Use process maps and interviews with process owners.
- Add IT systems and infrastructure: Catalogue the critical systems supporting each process (ERP, CRM, payment systems), including IT general controls and cybersecurity domains.
- Include compliance and regulatory obligations: Add sector-specific regulatory requirements, data protection, anti-corruption, health and safety, and other compliance areas.
- Layer in projects and third-party arrangements: Add major in-flight projects, M&A activity, outsourcing arrangements, and key vendor relationships.
- Assign risk factors to each entity: For each auditable entity, assess inherent risk across dimensions such as financial impact, operational complexity, regulatory exposure, change (new systems/processes), time since last audit, and control environment maturity.
- Calculate a composite risk score: Weight each risk factor and calculate a total risk score per entity. This score drives the prioritisation for the annual audit plan.
- Validate with stakeholders: Present the draft audit universe and risk scores to senior management, the risk function, and the audit committee for input and approval.
⚠️ Important: The audit universe should be a living document, not a one-time exercise. Update it whenever significant organisational changes occur (restructuring, acquisitions, regulatory changes, new product launches). A stale audit universe leads to audit plans that miss emerging risks.
Audit Universe Template: Columns and Structure
An effective audit universe template captures enough information to assess and prioritise each auditable entity without becoming overly complex. Below is a recommended column structure that you can implement in Excel, Google Sheets, or your audit management system.
Audit Universe Template Structure
Column A: Entity ID (unique identifier)
Column B: Auditable Entity Name
Column C: Category (Process / Business Unit / IT System / Compliance / Project)
Column D: Process Owner / Responsible Executive
Column E: Inherent Risk — Financial Impact (1–5)
Column F: Inherent Risk — Operational Complexity (1–5)
Column G: Inherent Risk — Regulatory Exposure (1–5)
Column H: Inherent Risk — Rate of Change (1–5)
Column I: Control Environment Maturity (1–5, inverse: 5 = weakest)
Column J: Time Since Last Audit (months, converted to a 1–5 score before weighting; never audited = 5)
Column K: Composite Risk Score (weighted average of the 1–5 scores derived from E–J)
Column L: Risk Rating (High / Medium / Low — based on score thresholds)
Column M: Planned Audit Cycle (Annual / Biennial / Triennial)
Column N: Last Audit Date
Column O: Next Planned Audit Date
Column P: Notes / Comments
This template can be downloaded as a spreadsheet and adapted to your organisation. The risk scoring columns (E–I) should use consistent 1–5 scales with defined criteria for each score level; column J is recorded in months and must be mapped onto the same 1–5 scale (for example by banding months into five ranges, with "never audited" scored 5) before it is combined with the other factors. The composite risk score (K) is typically a weighted average whose weights sum to 1, so the result stays on the 1–5 scale, with weights reflecting the organisation's risk appetite and strategic priorities. The High / Medium / Low thresholds used for column L should be defined and approved up front, not adjusted after scoring to produce a desired plan.
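The following Python script is an added worked example, not code from the original page or from any audit management product. It implements steps 6–8 of the process above and the template columns E–M: it converts months since last audit into a 1–5 factor, computes the weighted composite score, assigns a rating from thresholds, sorts entities for the annual plan, and reports the audit universe coverage ratio KPI. The weights, month bands, thresholds, audit cycles and the three sample entities are all hypothetical values that an audit function would replace with its own calibrated criteria.

```python
"""Composite risk scoring for an audit universe (added illustration).

Every numeric constant below is a hypothetical default, not a figure from the
page: weights, month-to-score bands, rating thresholds and audit cycles must be
calibrated to the organisation's own risk appetite.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical weights for template columns E..J. They sum to 1.0 so the
# composite score (column K) stays on the same 1-5 scale as each factor.
WEIGHTS = {
    "financial_impact": 0.25,        # Column E
    "operational_complexity": 0.15,  # Column F
    "regulatory_exposure": 0.20,     # Column G
    "rate_of_change": 0.15,          # Column H
    "control_weakness": 0.15,        # Column I (inverse scale: 5 = weakest)
    "time_since_audit": 0.10,        # Column J, after conversion to 1-5
}
assert abs(sum(WEIGHTS.values()) - 1.0) < 1e-9, "weights must sum to 1"

HIGH_THRESHOLD = 3.5    # Column L: score >= 3.5 -> High (hypothetical)
MEDIUM_THRESHOLD = 2.5  # Column L: score >= 2.5 -> Medium, else Low
CYCLE_BY_RATING = {"High": "Annual", "Medium": "Biennial", "Low": "Triennial"}


@dataclass
class AuditableEntity:
    entity_id: str                    # Column A
    name: str                         # Column B
    category: str                     # Column C
    financial_impact: int             # Column E, 1-5
    operational_complexity: int       # Column F, 1-5
    regulatory_exposure: int          # Column G, 1-5
    rate_of_change: int               # Column H, 1-5
    control_weakness: int             # Column I, 1-5 (5 = weakest)
    months_since_audit: Optional[int]  # Column J; None = never audited


def months_to_score(months: Optional[int]) -> int:
    """Map column J (months) onto a 1-5 factor. Hypothetical bands:
    never audited or >= 48 months -> 5, 36-47 -> 4, 24-35 -> 3, 12-23 -> 2, < 12 -> 1."""
    if months is None or months >= 48:
        return 5
    if months >= 36:
        return 4
    if months >= 24:
        return 3
    if months >= 12:
        return 2
    return 1


def _check_scale(value: int, label: str) -> int:
    """Reject out-of-range factors instead of silently skewing the score."""
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{label} must be an integer 1-5, got {value!r}")
    return value


def composite_score(e: AuditableEntity) -> float:
    """Column K: weighted average of the six 1-5 factors, rounded to 2 dp."""
    factors = {
        "financial_impact": _check_scale(e.financial_impact, "financial_impact"),
        "operational_complexity": _check_scale(e.operational_complexity, "operational_complexity"),
        "regulatory_exposure": _check_scale(e.regulatory_exposure, "regulatory_exposure"),
        "rate_of_change": _check_scale(e.rate_of_change, "rate_of_change"),
        "control_weakness": _check_scale(e.control_weakness, "control_weakness"),
        "time_since_audit": months_to_score(e.months_since_audit),
    }
    return round(sum(WEIGHTS[k] * v for k, v in factors.items()), 2)


def risk_rating(score: float) -> str:
    """Column L from the fixed thresholds."""
    if score >= HIGH_THRESHOLD:
        return "High"
    if score >= MEDIUM_THRESHOLD:
        return "Medium"
    return "Low"


def prioritise(entities: List[AuditableEntity]) -> List[Tuple[str, float, str, str]]:
    """(entity_id, score, rating, planned cycle) sorted highest risk first."""
    rows = []
    for e in entities:
        score = composite_score(e)
        rating = risk_rating(score)
        rows.append((e.entity_id, score, rating, CYCLE_BY_RATING[rating]))
    rows.sort(key=lambda row: row[1], reverse=True)
    return rows


def coverage_ratio(entities: List[AuditableEntity], window_months: int = 36) -> float:
    """KPI: share of the universe audited within the window (from column J)."""
    if not entities:
        return 0.0
    audited = sum(1 for e in entities
                  if e.months_since_audit is not None and e.months_since_audit <= window_months)
    return round(audited / len(entities), 2)


# Constructed sample entities with illustrative scores (not real data).
SAMPLE_UNIVERSE = [
    AuditableEntity("AU-001", "Procure-to-pay", "Process", 5, 4, 3, 2, 3, 30),
    AuditableEntity("AU-002", "ERP access management (ITGC)", "IT System", 4, 4, 4, 5, 4, None),
    AuditableEntity("AU-003", "Health and safety compliance", "Compliance", 2, 2, 4, 1, 2, 8),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE_UNIVERSE):
        print(row)
    print("coverage ratio (36 months):", coverage_ratio(SAMPLE_UNIVERSE))
```

With these hypothetical weights the never-audited ERP access entity scores highest (4.25, High, Annual), procure-to-pay lands exactly on the High threshold (3.5), and health and safety is Low (2.15, Triennial); two of the three entities were audited within 36 months, so the coverage ratio is 0.67. Because the month-to-score bands and thresholds are step functions, small changes to them can move an entity across a rating boundary, which is why they should be documented and approved before scoring begins.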
For CIA candidates, understanding the relationship between the audit universe, risk assessment, and internal audit report format is essential for Part 2 engagement planning questions. The Surgent CIA Review course includes scenario-based MCQs on audit universe development and risk-based planning.
Frequently Asked Questions About the Audit Universe
Written by
Founder, Eduyush. Chartered accountant with 15+ years in audit, risk advisory, and professional education. Passionate about making complex audit concepts accessible to aspiring CIAs and internal auditors worldwide.