The identification of the auditable universe in the organization is the first step in the internal auditing

cycle. All auditable entities, accounts, programs, procedures, and systems relevant to the organization
are included in this audit universe. "An audit universe represents the potential range of all audit actions
and is comprised of a number of auditable entities," according to Western Economic Diversification
Canada. These organizations are made up of a variety of programs, activities, roles, structures, and
initiatives that work together to meet the department's strategic goals."

This audit universe should be examined and updated on a regular basis to determine the risk level of
each of these things, which determines the priority that should be given to each of them and the review
schedule. Internal auditors have generally done this as part of their annual risk assessment and as part
of their annual audit preparations. While these activities are extensively practiced and offer numerous
advantages, they also have significant drawbacks. The biggest one is that by the time auditors conduct
risk assessments, establish audit plans, and evaluate systems, flaws may have existed for a year or two,
and losses or damages may have built up over time. Examining the dynamics connected with
constructing computer systems can explain the awareness that this series of events has some inherent
flaws.

Internal auditors have always assessed computer systems after they were implemented. The costs of
correcting the faults highlighted by the auditors and making suggestions for corrective action were
significant. The anticipated cost of fixing flaws after production is at least ten times that of detecting and
fixing defects before production. As a result, internal auditors are now conducting pre-construction
reviews of computer system development projects. This allows faults to be discovered sooner and
recommendations for rapid remedy to be made.