Annual Audit Planning Without an Audit Universe

What if an Internal Audit function chooses not to use a formal Audit Universe? How would they approach their annual planning? While more challenging, it's certainly possible, though it requires a strong focus on other risk identification and assessment methods. Here's how they might proceed:

1. Direct Engagement with Management and the Audit Committee: Without a predefined universe, the internal audit team would need to engage more frequently and deeply with senior management and the audit committee to understand their key concerns, strategic objectives, and perceived risks across the organisation. This ongoing dialogue becomes crucial for identifying areas requiring audit attention.

2. Review of Strategic and Business Plans: The internal audit team would need to thoroughly analyse the organisation's strategic plans, business plans, and performance reports to identify key priorities and potential risks that could impact the achievement of these objectives.

3. Bottom-Up Risk Identification: Engaging with various departments and process owners to understand their operational challenges, key controls, and perceived risks at a more granular level. This could involve workshops, surveys, and individual interviews.

4. Analysis of Organisational Data: Reviewing financial data, performance metrics, incident reports, regulatory updates, and other relevant information to identify trends, anomalies, and potential areas of concern. Data analytics can play a significant role here.

5. Consideration of External Factors: Keeping abreast of industry trends, regulatory changes, economic conditions, and other external factors that could impact the organisation's risk profile.

6. Focus on Key Processes and Projects: Instead of a broad universe, the audit plan might focus on specific high-risk processes, critical projects, or areas undergoing significant change.

7. Continuous Risk Assessment: Risk assessment becomes an ongoing activity rather than a periodic exercise tied to updating the Audit Universe. The audit plan would need to be flexible enough to adapt to emerging risks identified throughout the year.

8. Leveraging Risk Registers and Frameworks: The internal audit function would likely rely heavily on the organisation's existing risk registers and risk management frameworks to inform their audit planning.

While these methods can help identify key audit areas, the absence of an Audit Universe can make it harder to ensure comprehensive coverage and a consistent approach to risk assessment. It also increases the reliance on individual knowledge and relationships, potentially leading to biases or oversights.

In conclusion, while an Audit Universe requires effort to establish and maintain, its structured approach to risk assessment and audit planning offers significant benefits. Without it, internal audit functions need to be highly proactive, maintain strong relationships across the organisation, and employ robust continuous risk assessment techniques to ensure they are focusing their efforts on the areas that truly matter.