What is an Audit Universe?

Audit Universe or Risk Universe or also called Risk-Based Auditing” determines the potential of auditable areas and audit activities for carrying out the auditing review as regard to the schedule of the audit period.

The audit universe prepares it in various ways for the types of businesses. In general,  it consists of the auditable areas, departments or units to be audited, risk(s) shall be reviewed, process(es), activities to be audited, and general ledger of accounting of the entity. Additionally, this document also includes the essential information to perform the risk assessment and setting the priority in conducting audits such as regulatory requirement, geographic location, program, system, and risk register.

The list of the auditable areas or activities should be aligned with the entity’s strategy and operational plan.  Normally, the audit universe will be prepared and it allows the audit committee and Chief Audit Executive (CAE) to evaluate, and value, and priorities assigned to auditable activities.

The CAE is responsible for updating the audit universe continually to determine all risk inherence in the business’s operation and also the needs of key stakeholders. Executive auditors also evolve when they carry out the engagement review by setting the priority of audit engagement, defined of key risk in risk assessment, resource allocation, and timeable as represented in the audit plan.

In real practice, the audit universe is not a mandatory requirement document but it is a good practice to maintain the audit universe because this CAE or management in charge could oversight on the risk management and decide which auditable areas of high, medium, or low risk are to be more focused.

Performing this risk-based auditing entitles finding out the auditable areas or activities to be audited due to the reviews result from oversight the significant risks to the risks that have little or no significance to the entity. In this result, the audit universe is determined with regard to the risk prioritization and the critical of the risk areas. The list of the possible audit engagement is subjective to prepared and present possible areas that could be performed during the next fiscal year.

As a result of the oversight review, some defined areas in the audit universe could never be audited due to there are no significant risks, timing constraints, limited resources, and maybe there are reviewed by other assurance parties within the first, second or fouth line of defense.  

The audit universe also determines the maximize of resource allocation to be consistent with the assigned audit engagements in order to achieve the result in the audit plan.

The audit universe might be subject to change due to cause by internal or external factors so that risk assessment and audit plan are subjected to change as well. While these factors impact the creation of consistent changes in the entity and audit universe, this is important that the management in charge or execute auditor clearly understand and focus on the defined key risk and risky areas in the extent of coverage scope.

In general, the audit universe groups the auditable areas and activities in the arrangement in Tiers. These planned coverages are classified into three Tiers.


  1. Tier 1: High Risk – Full Coverage Audit Activities
  2. Tier 2: Medium Risk – Medium Coverage Audit Activities
  3. Tier 3: Low risk – No Coverage audit Activities