​​​​​A Word on ​Aud​it Unive​rse​​​​

Comments Views

I just responded to a LinkedIn question about Audit Universe.

Audit universe contain all the auditable areas. Is it defined anywhere in how many years the entire Audit universe should be covered i.e., all the areas should be audited at least once? Is it defined in any IIA standard or any other pronouncement? what is the best practice?

This is what I had to say:

The concept of "audit universe" is outdated.

Instead, internal audit should be focused on providing assurance on the organization's governance, risk management, and related controls. We do that by focusing our engagements on the more significant risks to the business — as a whole, not at a lower level. 

We should be working with management to ensure there is a robust risk management program, and that should then be the driver for a risk-based (top-down) audit program. 

Building the audit plan based on an audit universe instead of the top risks to the organization is likely to result in auditing risks that are not significant. 

See "What is 'Risk-based' Auditing?""Building the Audit Plan Around Assurance on Governance, Risk Management, and Related Controls", and "What Is Assurance? Does Your Department Provide It?"

Are you ready to leave this universe?

​The opinions expressed by Internal Auditor's bloggers may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers' employers or the editors of Internal Auditor. The magazine is pleased to provide you an opportunity to share your thoughts about these blog posts. Some comments may be reprinted elsewhere, online or offline.



Comment on this article

comments powered by Disqus
  • Galvanize-September-2020-Premium-1
  • FSE-September-2020-Premium-2
  • Auditboard-September-2020-Premium-3