Updated: Oct 13, 2020
An Audit Universe can be extremely valuable to any Internal Audit function. Regardless of the maturity of an organisation, how robust and well developed the entities controls are, or the size of an internal audit function, an audit universe can provide many benefits, such as:
Identification of each business unit (otherwise process or auditable entity);
Mapping of risks, controls and regulations to each business unit;
History of audits performed and time / cost associated with each audit, as well as the audit rating; and
Assistance in the development of a strategic audit plan.
This blog post will explain how an Audit Universe can be beneficial to the annual planning process.
The IIA does not state that an Audit Universe is required by an audit function, however the benefits, particularly during the annual planning processes, of having an audit universe can be insurmountable. The lack of guidance or standards on how an Audit Universe should look, means it can be developed and tailored to suit the needs of your business and audit function. There is a large amount of guidance available on the internet about how you can set up an Audit Universe; my favourite being this article from the ICAS which can be read here.
It is important to note that the Audit Universe is a living document, and as such, should be updated regularly. My personal preference are 6 monthly updates to coincide with the half year review and annual planning processes.
To follow along, a copy of the Audit Universe template can be downloaded here.
The Audit Universe
From reading the guidance and from personal experience, I have developed my own Audit Universe. A breakdown of the Audit Universe and it's various components are detailed below:
The overview section provides a simple breakdown of audits per auditable entity or business area. Personally, I find building your universe around the relevant business areas / division and the audits that sit within each area is the most relevant and easy to use way to build your universe. This will also help with any dashboard or management reporting you perform elsewhere.
Alternatively approaches include building the Audit Universe around entity risks, however as the risk register is constantly involving, this (in my opinion), is not the most stable basis to build the Universe on.
As all good auditors, we should be referencing each audit on our Audit Universe. This will become extremely valuable later on. Additionally, we would want to ensure that the Universe is complete. A check back to the company organisation chart, risk registers, or accounting cost centres can help as a starting point to ensure completeness. A simple Google of other Audit Universe templates will also help as a completeness cross check.
Building a risk based audit plan is essentially in ensuring the audit activity and resources are best allocated to those high risk areas of the business. Inclusion of the Risk Register into the Audit Universe and aligning this directly to the individual audit topics or business processes can really assist in the development of a risk placed audit plan. Furthermore, it can help identify areas of the business which may not currently be considered by the Risk Register. Particularly for maturing businesses or those with a high risk appetite, mapping the risk register to business processes can help high light or emphasis how risk adverse a business may be and can help challenge the appropriateness of the current risk thresholds.
Mapping previous audit activity against each audit activity identified within the Overview section of the Audit Universe can help annual planning on multiple fronts, such as:
Identify what activity has been performed against high risk areas;
Audit coverage per business area;
Assistance in audit resourcing and budgeting; and
Audit outcomes from previous activity for each area.
By identifying and understanding the above, we are better placed to develop a more informed annual and strategic audit plan. It will also help with effectively using audit resources.
Compliance and Regulations
Understanding the current control framework in the business and where assurance is currently obtained can help in prioritising and directing audit activity. Furthermore, understanding the regulatory or legal requirements associated with each topic area can help in identifying where there may be gaps in current compliance programs or high risk areas where have historically not provided positive audit results.
The Audit Universe, if developed and maintained well, is a powerful tool for dashboard reporting. Applying a 'cycle' to each audit topic, and using the information already in the Universe, you are able to develop a more strategic audit plan, or have more meaningful discussions with business area leaders / executives. As a starter, an example Dashboard can look similar to the below.
Annual Planning Discussions
The Audit Universe can be filtered to show a list of audits per business area, when audit topics were last performed, what the outcome was, and what regulations currently impact each audit topic within the business area. This list can be further filtered to highlight what audits may be good to include on the upcoming Annual Plan. I call this list "The Menu", and using the Menu as a conversation starter with the business area leads or executive can help in developing a well rounded audit plan that not only address risk, but also has the buy in or senior management. The
It should be noted that this is only one part of the Annual Planning process. There are many other items or reports which should be considered when developing the annual and strategic / long term audit plans.
To gain a copy of the Audit Universe, simply CLICK HERE to download your free template. Please note, this document is available in Excel, however when saved onto PDF, worksheets are automatically adjusted to fit on one page.