Follow a standard framework to increase visibility and lower risk.
By James Bourke | June 25, 2025
Constructing an audit universe — an internal collection of different business components that might be subject to audit — is an essential yet complex task in audit planning. Its purpose is to ease the audit planning process and the identification and assessment of risks in the organization.
Gartner 2025 benchmarking finds that companies’ audit universes vary widely in the number of entities, ranging from as low as 33 to as high as 435. This suggests that there is no one-size-fits-all way to organize an audit universe. An effective audit universe is one that aligns with the organization’s top risks and strategic objectives and helps chief audit executives (CAEs) to determine the most critical areas and risks to include in the audit plan.
Use this framework to navigate key decision points in audit planning and in building or revamping an audit universe, and to periodically maintain or adjust the universe and its organizing elements in light of organizational changes.
Audit universes can take many forms, but they are most commonly structured by business unit or process. Other possibilities include organizing by strategic programs, projects, IT systems, regulations and legal entities. Sixty-eight percent of companies use multiple elements to organize their audit universe.
To decide how to layer the organizing elements in the audit universe, consider questions like:
Is geography a necessary organizing element (e.g., are audits necessary at different locations)?
If the audit universe has multiple elements, how will they relate to each other?
How will the audit department’s approach to risk coverage affect the structure of the audit universe?
Does the audit universe need to include elements beyond business units, processes, risk type or geographical location?
The audit universe should cover the entire organization, so CAEs must decide the correct altitude for the universe’s components. At a higher altitude, the universe will contain fewer entities, but there is a greater risk of missing coverage. At a lower altitude, the larger number of entities could make the risk assessment process too complex.
Rightsizing the altitude of the audit universe is a vital part of audit planning, helping CAEs communicate with stakeholders, especially when it comes to conversations about resources and budget.
To help determine the right altitude for the organization’s audit universe, consider:
Is a particular entity too granular to deserve being its own entity, or is it too complex to be a single entity?
What are regulators’ and the audit committee’s expectations around the universe’s altitude and level of detail (e.g., geographical locations as distinct entities)?
How does the chosen altitude align with how business units organize themselves?
Finally, as part of comprehensive audit planning, CAEs must carefully check the audit universe for gaps and for adequate coverage across the organization. This includes:
Risk coverage
Organization chart comparison
Laws and regulations
IT systems
Major business processes
Using a matrix that compares auditable entities against various risks (financial and regulatory reporting, intellectual property, etc.) can help audit leaders consider whether a component deserves to be its own entity, or whether anything is missing from the entity.
An audit plan is an overview of the assurance and advisory activities an internal audit department will undertake in a given period of time. Audit plans typically cover a fiscal year, but they may also be structured on a 6-month or quarterly timeline, or as a rolling plan. Audit plans communicate the coverage internal audit provides over the organization’s risks and also aid in resource planning, as they often include an estimate of the hours dedicated to each audit and when they will occur in the year.
The key components of an audit plan ensure that the audit process is structured, effective and aligned with organizational objectives. Essential elements include:
Audit Objectives: Clearly define what the audit aims to achieve, ensuring alignment with strategic goals and addressing key risks.
Scope of the Audit: Specify the boundaries of the audit, detailing what is included and excluded to focus on critical areas.
Risk Assessment: Identify and prioritize risks based on their potential impact to guide audit focus.
Resources and Budget: Outline the necessary personnel, time and budget to ensure the audit is adequately supported.
Timeline: Provide a schedule for planning, fieldwork and reporting phases to ensure timely completion.
Methodology: Describe the approach, data collection, analysis techniques and reporting formats to maintain consistency and quality.
Engagement Team: Identify team members, roles and responsibilities to clarify accountability.
Communication Plan: Establish how findings and updates will be shared with stakeholders for transparency.
Quality Assurance: Implement mechanisms such as peer reviews to ensure adherence to professional standards.
Follow-Up Actions: Detail plans for addressing audit findings, including timelines and responsible parties to drive improvements.
Incorporating these elements ensures the audit plan is comprehensive, focused and supports effective risk management and organizational improvement.
An audit universe is the complete set of entities within an organization — including processes, systems and departments — that may be subject to an audit. Defining an audit universe helps internal audit departments prioritize entities with the highest risk and allocate their resources efficiently.