
Cutting Through the Complexity of Audit Universe and Auditable Units

 

 

As we enter a new financial year, Audit Committees often ask two closely related questions. How does internal audit ensure that the audit plan delivers impactful, value-adding assurance? And just as importantly, is the current plan still relevant in helping the organisation achieve its objectives?

These are fair questions. Like any function, internal audit operates with finite resources. Choices have to be made about where time and effort will have the greatest impact. From my experience, the focus should always be on areas that truly matter to the business, so each engagement delivers measurable value.

The challenge is that arriving at a carefully considered answer is rarely straightforward. Audit leaders are often faced with a vast and complex audit universe: a mix of quantitative and qualitative data, financial and operational information broken down by countries and business lines, and risk themes that cut across functions and silos. Pulling all this together into a coherent, risk-based plan can feel overwhelming.

The IIA’s 2024 Global Internal Audit Standards, together with the supporting practice guidance, provide a helpful framework for building audit plans and promoting greater consistency in methodology. This blog does not restate the standards. Instead, it highlights practical considerations that I have observed often make the difference between an audit plan that looks good on paper and one that delivers value.

 

Start with Business Objectives and Strategy

Before defining the audit universe and deciding what constitutes an auditable unit, it is worth stepping back and grounding the discussion in business objectives. These objectives are typically translated into goals and performance targets, such as annual key performance indicators, and they provide a clear view of what the organisation is trying to achieve.

There is no single “correct” way to define an audit universe. Organisations differ widely in their strategies, operating models, regulatory environments, and risk appetites. An audit universe that works well in one company may be entirely unsuitable in another. The key is to ensure that the way internal audit frames its universe reflects the organisation’s unique context rather than applying a one-size-fits-all approach.

 

Identifying the Audit Universe and Auditable Units

Defining the audit universe and identifying auditable units is often the most critical and challenging part of audit planning. Auditable units can take many forms, from business units, functions, and legal entities to branches, processes, programmes, projects, systems, or even supply chains. The key question is not whether these are valid auditable units but which structure best supports the organisation’s objectives and risk profile.

In practice, three broad approaches tend to emerge. Some organisations define auditable units around business units or functions. This approach often drives clear accountability, allows the audit team to build deep domain expertise, and fosters strategic conversations with accountable leaders. The trade-off can be a perception that audits are critiques of individual functions, and it may leave gaps in coverage of horizontal, end-to-end risks.

Others focus on legal entities or branches. This lens works well in highly regulated environments, supporting statutory requirements, regulatory assurance, and visibility over jurisdiction-specific risks. The downside is that alignment with enterprise strategy can weaken, and cross-functional process risks may be overlooked.

A third approach is process-based. This perspective highlights horizontal, end-to-end risks, often revealing opportunities for standardisation, automation, and clearer root-cause analysis. It also supports scalable testing and the use of analytics. In matrixed organisations, however, process ownership may be unclear, and audit findings can span multiple teams and budget owners.

None of these approaches is inherently better than the others. Each drives different outcomes and carries trade-offs.

 

Practical Considerations for Choosing the Right Approach

Rather than seeking a universal answer, three practical considerations often help shape the right structure for the audit universe.

First, continuous engagement with management is critical. Planning should not be a once-a-year exercise. Regular dialogue with the C-suite, business leaders, and the Audit Committee ensures that short- and long-term strategic priorities are understood. I usually recommend assessing new or expanded functions carefully, as they may require new auditable units and a reassessment of related risks and dependencies.

Second, the audit universe must clearly align with business objectives and strategy. Insights from management conversations help determine whether the current structure still makes sense. If the organisation is pursuing a multi-year strategy focused on enterprise-wide process optimisation and standardisation, a process-driven audit universe may provide the most meaningful coverage. In more complex environments, a hybrid approach often works best, combining process-based units with targeted coverage of legal entities or countries where regulatory obligations are significant.

Finally, it is important to reflect how the organisation operates, including how people and systems are structured. Organisation charts can provide a useful proxy for accountability and decision-making. Consider a technology function led by a CIO, with teams responsible for cybersecurity, IT operations, and data privacy. From a functional perspective, these areas could form auditable units. From a process perspective, the same landscape could be viewed through access provisioning, incident detection and response, or vendor onboarding and offboarding. I often find that considering multiple perspectives in this way helps clarify ownership, coverage, and scalability.

 

Bringing It All Together

A well-constructed audit universe and carefully defined auditable units do more than satisfy a planning requirement. They anchor the audit plan in strategy, balance vertical accountability with horizontal, end-to-end coverage, anticipate regulatory obligations without losing sight of enterprise priorities, and enable scalability in testing, analytics, and reporting. Most importantly, they remain flexible enough to evolve as the organisation changes.

When these elements come together, the Audit Committee can be reasonably assured that the audit plan is relevant and delivers impact.

 

Guoquan Li, CIA, CA, is the Head of Internal Audit at a real asset management group. His experience spans finance, real estate, technology, and utilities, with a strong interest in process excellence.