Module 3B


MODULE 3B:

RISK ASSESSMENT IN AUDIT PLANNING - Categorizing the audit universe for risk-based planning

The phrase “audit universe” is a simple way of referring to the totality of all things that an internal auditor
could separately examine.

• The universe consists of the totality of “auditable objects”, which is a way of identifying and describing a discrete
part of the business, system or process that can be separately audited. Auditable objects need to be large
enough to justify an audit and small enough to be manageable.

The elephant approach - cutting the audit universe down into small chunks

The answer to the question: “How to eat an elephant?” is “One bite at a time”. This is the way we need to treat
the audit universe by cutting it into specific systems, processes, programmes or organizational units that can be
audited – auditable objects.

Traditionally, auditable objects were categorised by organizational structure and were defined from the top down
- a “vertical” analysis. Often an auditable object equated with one or a number of organizational units. This
remains a useful first cut of the audit universe that most IA units use.

However, this may not be the most effective way to plan all possible audits. It is therefore also important to
design audit coverage from a horizontal or cross-functional view of the organization - that is, ‘horizontal’ audits
based on entire business processes. For example, an organization’s accounting or business management systems
can be said to operate horizontally because they affect all organizational units. These systems may pose critical
risks across several processes and should therefore be examined horizontally.

Typically, therefore, the audit universe is a mix of a number of top-down (vertical) and cross-functional (horizontal)
slices. Procurement is often a key cross-functional activity. However, it could be split for audit purposes by
location and type of purchase. In the UN World Food Programme, for example, procurement could be split into
four audit objects: headquarters procurement, local office procurement, procurement of food, and procurement
of non-food items. This would be appropriate because each element has different rules, regulations and internal
controls.

Ultimately it is for the Internal Auditor to decide how to categorize the audit universe and how many slices it
makes sense to use. Most IA units will therefore want to consider the following as the minimum categorizations
needed:

• By organizational structure (Departments, Divisions, Units, Stand-alone Projects);

• By common processes (Payments, Receipts, Asset Management, Procurement, Contracting, Inventory, Human
Resource Management);

• By location (Headquarters, Regional offices, Local offices);

• By operational programmes (e.g., in a transport agency or department these could include: construction of new
roads, maintenance of roads, issue of licences for drivers, collection of speeding fines, etc.);

• By service lines (e.g., in a social security department these could include: services for the elderly, services for
the handicapped, services for the care of children which may be handled by a number of different departments
or units).

OUR LADY OF THE PILLAR COLLEGE CAUAYAN
COLLEGE OF ACCOUNTANCY
OPERATIONS AUDITING

Seek senior managers’

Senior managers must be consulted for their views on the importance of the systems identified, and the existing
controls and general control environment. Discussions with these managers should be conducted in an open
manner and focus on:

• Clarifying the organization’s main objectives and the role of individual departments in achieving

• Identifying the main risks they face in achieving the organization’s and their departmental

• The results of internal and external audit work carried out during the year;

• Any areas of concern that the managers may have over internal control or efficiency within their department or
the organization’s priorities for assurance and audit attention.
