Internal Audit Universe Template: IIA-Aligned Guide
A free IIA-aligned internal audit universe template for Saudi internal audit functions — auditable units, risk rating, planning columns, downloadable Excel.
The internal audit universe is the foundation of risk-based audit planning. The IIA's International Standards (Standard 2010.A1) require the Chief Audit Executive to base the annual audit plan on a documented risk assessment of the auditable population. The audit universe is the structured inventory that makes that assessment possible. Yet many Saudi internal audit functions still operate without a formal universe — and the ones that do often run it in a single tab on a single spreadsheet that has not been refreshed since the previous Head of Internal Audit left.
This post is the internal audit universe template Saudi internal audit functions can use as a working starting point. It is IIA-aligned, dimensionally tagged, and structured to support the kind of risk-based planning that audit committees and external quality assessors expect to see. A downloadable working copy is available at the end.
What an audit universe is — and is not
The audit universe is a structured inventory of every auditable unit in the organisation. Each auditable unit is a discrete area the function could audit — a process, a system, a function, a product, a geography. The universe tags each unit with the dimensions that connect it to the rest of the organisation, scores it for risk, and feeds the annual planning exercise.
The audit universe is not the audit plan. The plan is what falls out of the universe after risk rating and capacity allocation. The universe is the population from which the plan is drawn.
A function that builds a plan without a universe is, in effect, choosing what to audit by intuition and history. That may produce plausible audits but it cannot defend the choices to the audit committee or to an external quality assessor.
Template structure
The template is built as a single sheet with one row per auditable unit and the columns below.
Identification columns
- Unit ID. Stable identifier that does not change when the unit is reorganised or renamed.
- Unit name. Plain-English name as the business knows the unit.
- Description. One-line description of the activity, system or function.
- Type. Process, business unit, legal entity, product, system, function, geography, regulatory exposure.
- Owner. Named individual on the business side who owns the unit.
- First-line owner contact. Email or other reference.
Dimensional tags (one column per dimension)
The tags allow the universe to be filtered and grouped in multiple ways:
- Process tag. Order-to-cash, procure-to-pay, customer onboarding, credit decisioning, claims handling, treasury, payroll, etc.
- Business unit tag. Operating division, subsidiary, branch, joint venture.
- Legal entity tag. For groups operating multiple Saudi or international legal entities.
- Product tag. Major product line, regulated product, new launch.
- System tag. Core banking, payment switch, identity, cloud workload, OT environment, end-user computing.
- Geography tag. Riyadh, Dammam, Jeddah, branch network, international.
- Function tag. Finance, HR, IT, security, compliance, legal, procurement.
- Regulatory tag. SAMA CSF, NCA ECC, PDPL, ISO 27001, sectoral regulators.
A single auditable unit can carry multiple tags in the same dimension. A retail payments process might be tagged to retail banking (business unit), retail payments (product), core banking and payment switch (systems), Riyadh and branch network (geography), SAMA CSF and PDPL (regulatory).
Risk rating columns
- Inherent risk score. Driven by transaction value, volume, complexity, regulatory exposure, public visibility, recent change. Typically a 1-5 scale.
- Inherent risk rationale. One-line justification for the score.
- Control environment score. Assessed from the most recent compliance assessment, audit result and self-assessment. Typically a 1-5 scale (5 = strong control environment, 1 = weak).
- Control environment rationale. One-line justification.
- Recent change indicator. New systems, new leadership, recent reorganisation, recent incident history. Typically Y/N or 1-3 scale.
- Stakeholder concern indicator. Concerns raised by senior management, audit committee or regulator. Typically Y/N or 1-3 scale.
- Time since last audit. Years since the unit was last audited. Aging itself adds implicit risk.
- Composite risk rating. The output rating, derived from the components above using a documented formula. Typically a 1-5 scale or High/Medium/Low/Very Low.
- Composite risk rationale. One-line summary of why the rating is what it is.
The composite formula should be documented in the function's audit charter or a methodology paper, approved by the Chief Audit Executive, and applied consistently across the universe.
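As an added illustration of the risk rating columns above (example code written for this post, not part of the template or GRC Vantage's product), the following Python applies one documented composite formula consistently across a set of constructed rows. The formula itself is an assumption for demonstration: inherent risk multiplied by control weakness (6 minus the control environment score), compressed onto the 1-5 scale, with the recent change indicator, the stakeholder concern indicator and audit aging of three years or more each lifting the score one notch, capped at 5. The band labels, the `RiskInputs` field names and the sample unit IDs are likewise constructed. Where the control environment score is absent the unit is reported as "No current data" rather than guessed, as the population steps below recommend.

```python
import math
from dataclasses import dataclass
from typing import Optional

# Band labels for the 1-5 composite scale (assumed mapping, not the page's).
BANDS = {5: "High", 4: "High", 3: "Medium", 2: "Low", 1: "Very Low"}


@dataclass
class RiskInputs:
    """The risk rating columns of one auditable unit (constructed example data)."""
    unit_id: str
    inherent: int                   # 1-5, 5 = highest inherent risk
    control_env: Optional[int]      # 1-5, 5 = strong; None = "no current data"
    recent_change: bool             # Y/N recent change indicator
    stakeholder_concern: bool       # Y/N stakeholder concern indicator
    years_since_last_audit: int     # time since last audit, in years


def _check_scale(name: str, value: int) -> None:
    """Reject anything outside the documented 1-5 scale instead of silently rating it."""
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")


def composite_rating(u: RiskInputs):
    """Return (score, band, rationale); score is None when there is no current data."""
    _check_scale("inherent", u.inherent)
    if u.control_env is None:
        # No compliance assessment and no audit result: record the gap, do not guess.
        return None, "No current data", "Control environment not assessed; rating withheld"
    _check_scale("control_env", u.control_env)

    # Assumed formula: inherent risk x control weakness (6 - control score)
    # gives 1..25, which is compressed onto the 1-5 scale.
    weakness = 6 - u.control_env
    base = math.ceil(u.inherent * weakness / 5)
    drivers = [f"inherent {u.inherent} x control weakness {weakness}"]

    # Each Y/N indicator and audit aging of three years or more lifts the score one notch.
    score = base
    if u.recent_change:
        score += 1
        drivers.append("recent change")
    if u.stakeholder_concern:
        score += 1
        drivers.append("stakeholder concern")
    if u.years_since_last_audit >= 3:
        score += 1
        drivers.append(f"{u.years_since_last_audit} years since last audit")
    score = min(score, 5)
    rationale = f"Base {base}; " + ", ".join(drivers)
    return score, BANDS[score], rationale


def rate_universe(units):
    """Apply the same formula to every row; returns {unit_id: (score, band, rationale)}."""
    return {u.unit_id: composite_rating(u) for u in units}


# Constructed sample rows, not data from the template.
SAMPLE_UNITS = [
    RiskInputs("P2P-01", 5, 2, True, False, 1),     # high inherent, weak controls, recent change
    RiskInputs("PAY-03", 2, 5, False, False, 4),    # low inherent, strong controls, but aging
    RiskInputs("HR-07", 3, None, False, False, 2),  # no control environment data
    RiskInputs("TRS-02", 3, 3, False, True, 0),     # stakeholder concern raised
]

if __name__ == "__main__":
    for unit_id, (score, band, why) in rate_universe(SAMPLE_UNITS).items():
        print(f"{unit_id}: {score} {band} ({why})")
```

The rationale string is built from the same drivers that moved the score, so the "Composite risk rationale" column is generated rather than typed by hand and cannot drift from the formula.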
Planning columns
- Mandatory audit indicator. Some audits are required by regulation or by the audit committee independently of risk rating. Mark them.
- Audit days target. Estimated audit days required for a full audit of the unit.
- Audit cycle target. Target frequency — annual, every two years, every three years — based on the risk rating.
- Last audit date. When the unit was last audited.
- Next planned audit. From the multi-year plan.
- Last audit rating. The opinion issued at the last audit.
- Open findings count. Outstanding findings against the unit.
- Aging findings count. Findings open beyond their target closure date.
Tracking columns
- Plan year. Which year's plan the unit is currently scheduled into.
- Plan status. Planned, in progress, complete, deferred, removed.
- Notes. Free text for the audit director's working notes.
How to populate the template
A first-time population of the universe in a Saudi mid-sized enterprise typically takes two to four weeks. The sequence we see work best:
- Scope the population. Decide which dimensions matter most. For a bank, processes and systems are usually the primary axes; for a government entity, functions and geographies often dominate.
- Workshop the inventory with senior management. Walk through the operating model and identify the auditable units. Avoid over-decomposition — units that are too small produce a noisy universe.
- Apply dimensional tags. Tag each unit on every applicable dimension.
- Rate inherent risk. Apply the documented criteria. Be honest — a universe in which everything scores 5 is useless for prioritisation.
- Rate control environment. Pull from the most recent compliance assessment and the most recent audit result. Where neither exists, mark the rating as "no current data" rather than guessing.
- Compute composite risk rating. Apply the formula consistently.
- Review with the Chief Audit Executive. Spot-check the highest- and lowest-rated units for plausibility.
- Present to the audit committee. The universe should be visible to the committee, not hidden inside the function.
Maintenance cadence
The universe is a living document. Refresh:
- Annually, as part of the annual planning cycle.
- When the organisation changes — restructure, acquisition, new product, new system.
- When external context changes — new regulation, new threat landscape, supervisory change.
- When an audit completes — update the last audit date, last audit rating and open findings.
A universe that is unchanged for two years is a universe that no longer reflects the organisation it was built for.
How this template links to risk-based planning
The audit universe feeds the annual plan in three steps:
- Sort by composite risk rating. Highest first.
- Allocate audit days in priority order, respecting mandatory audits and stakeholder commitments, until available capacity is exhausted.
- Reserve unallocated capacity (typically 10-20%) for unplanned work and emerging issues.
The result is a plan in which every audit is there because its risk rating warranted it, no high-risk unit is left unaudited, and the unallocated capacity is explicit.
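The three planning steps above, as an added Python example (written for this post, not the template's own formulas or GRC Vantage's product): the reserve is carved out first, mandatory audits are placed regardless of rating, the remaining units are taken in composite-rating order until the allocatable days run out, and anything rated 5 that still did not fit is reported separately so it reaches the audit committee. The `PlanCandidate` fields, the 15% default reserve and the sample unit IDs are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class PlanCandidate:
    """Planning columns of one auditable unit (constructed, not template data)."""
    unit_id: str
    composite: Optional[int]    # composite risk rating 1-5; None = no current data
    audit_days: int             # audit days target for a full audit
    mandatory: bool = False     # mandatory audit indicator


def build_annual_plan(candidates: List[PlanCandidate], capacity_days: int,
                      reserve_fraction: float = 0.15) -> Dict[str, object]:
    """Greedy allocation: mandatory units first, then by composite rating, highest first."""
    if not 0 <= reserve_fraction < 1:
        raise ValueError("reserve_fraction must be in [0, 1)")
    if any(c.audit_days <= 0 for c in candidates):
        raise ValueError("audit_days must be positive")

    # Step 3 is applied up front: the reserve is carved out before anything is allocated.
    reserve_days = round(capacity_days * reserve_fraction)
    remaining = capacity_days - reserve_days

    # Mandatory audits are placed regardless of rating. If they alone exceed capacity
    # the plan cannot be built, and the CAE should see that rather than lose one silently.
    mandatory = [c for c in candidates if c.mandatory]
    mandatory_days = sum(c.audit_days for c in mandatory)
    if mandatory_days > remaining:
        raise ValueError(
            f"mandatory audits need {mandatory_days} days, only {remaining} available")

    # Step 1: sort the rest by composite rating, highest first. Unrated units
    # (no current data) go last, and the unit_id tie-break keeps the plan reproducible.
    discretionary = sorted((c for c in candidates if not c.mandatory),
                           key=lambda c: (-(c.composite or 0), c.unit_id))

    planned: List[str] = []
    deferred: List[str] = []
    for c in mandatory + discretionary:
        # Step 2: take units in priority order until the allocatable days are exhausted.
        if c.audit_days <= remaining:
            planned.append(c.unit_id)
            remaining -= c.audit_days
        else:
            deferred.append(c.unit_id)

    return {
        "planned": planned,
        "deferred": deferred,
        # Deferred units rated 5 are the ones that must be made explicit to the committee.
        "deferred_high_risk": [c.unit_id for c in candidates
                               if c.unit_id in deferred and c.composite == 5],
        "unrated": [c.unit_id for c in candidates if c.composite is None],
        "reserve_days": reserve_days,
        "unallocated_days": remaining,
    }


# Constructed sample rows, not data from the template.
SAMPLE_CANDIDATES = [
    PlanCandidate("U1", 5, 30),
    PlanCandidate("U2", 3, 20, mandatory=True),
    PlanCandidate("U3", 5, 40),
    PlanCandidate("U4", 4, 25),
    PlanCandidate("U5", 2, 10),
    PlanCandidate("U6", None, 5),
]

if __name__ == "__main__":
    print(build_annual_plan(SAMPLE_CANDIDATES, capacity_days=100))
```

With 100 days and a 15% reserve, 85 days are allocatable: the mandatory unit takes 20, the first high-risk unit 30, then the 40-day high-risk unit no longer fits and is deferred while smaller lower-rated units fill the rest. That deferred unit appears under `deferred_high_risk`, which is exactly the exception a committee paper should show.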
Get the downloadable template
The full template — as an Excel workbook with all columns, formulas for composite risk rating, conditional formatting for the heat-map view, and a worked example — is available on request. Contact us to receive a copy.
For the wider context this template sits within, read our risk-based internal audit guide and our audit management software guide. To see the same audit universe running as a live, dimensionally-tagged inventory inside a unified GRC platform — with risk rating computed from your live compliance and risk data, and the annual plan generated from it — read about GRC Vantage's audit module, supported from our offices in Riyadh and Dammam.

The GRC Vantage team brings together compliance, risk, audit and business continuity practitioners based in Riyadh and Dammam. We help Saudi banks, government entities and regulated enterprises navigate the SAMA framework family, the NCA framework family, PDPL, ISO 27001 and ISO 22301.