I just responded to a LinkedIn question about Audit Universe.
The audit universe contains all the auditable areas. Is it defined anywhere in how many years the entire audit universe should be covered, i.e., all the areas should be audited at least once? Is it defined in any IIA standard or any other pronouncement? What is the best practice?
This is what I had to say:
The concept of "audit universe" is outdated.
Instead, internal audit should be focused on providing assurance on the organization's governance, risk management, and related controls. We do that by focusing our engagements on the more significant risks to the business — as a whole, not at a lower level.
We should be working with management to ensure there is a robust risk management program, and that should then be the driver for a risk-based (top-down) audit program.
Building the audit plan based on an audit universe instead of the top risks to the organization is likely to result in auditing risks that are not significant.
See "What is 'Risk-based' Auditing?", "Building the Audit Plan Around Assurance on Governance, Risk Management, and Related Controls", and "What Is Assurance? Does Your Department Provide It?"
Are you ready to leave this universe?